Security Guide for Cisco Unity Release 5.x (With Microsoft Exchange)
Password and Account Policy Management


Your first steps in helping prevent unauthorized access to Cisco Unity applications are to secure the passwords that are associated with the default Cisco Unity accounts and to ensure that the passwords initially assigned to subscribers are unique. We also recommend that you define Cisco Unity account policies to require that subscribers change their passwords often and continue to use passwords that are unique and not easy to guess. A well-considered account policy can also thwart unauthorized access to Cisco Unity applications by locking out users who enter invalid passwords too many times.

In this chapter, you will find information on completing the above tasks and on other issues related to password security and account policy management. To help you understand the scope of Cisco Unity password management, the first section in this chapter describes the different passwords required to access the Cisco Unity Administrator, the Cisco Personal Communications Assistant (PCA), and the Cisco Unity conversation (the "TUI"). Each of the sections that follow offer information on actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices.

For information that will guide you through the process of securing Cisco Unity passwords and defining account policies, see the following sections:

Understanding Which Passwords Subscribers Use

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Securing Passwords for Default Cisco Unity Accounts

Securing Passwords On Default Accounts That Are Created by Cisco Unity

Understanding Which Passwords Are Required and How to Initially Secure Them

Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

How to Change Subscriber Passwords

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Changing Cisco PCA Passwords

Changing Cisco Unity Phone Passwords

How to Define Account Policies

Defining Account Policies for Accessing the Cisco Unity Administrator

Defining Account Policies for Accessing the Cisco PCA

Defining Account Policies for Phone Access to Cisco Unity

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Cisco Unity subscribers use different passwords to access Cisco Unity applications. Knowing which passwords are required for each application is important in understanding the scope of Cisco Unity password management.

Cisco Unity Administrator

When IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, Cisco Unity prompts subscribers to enter the user name and password for their Active Directory account on the Cisco Unity Log On page.

When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, subscribers enter the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Active Directory account.

Cisco PCA

Subscribers are prompted to enter the user name and password for their Active Directory accounts on the Cisco PCA Log On page.

Cisco Unity Conversation

Subscribers use the phone keypad to enter a password, consisting entirely of digits.

Securing Passwords On Default Accounts That Are Created by Cisco Unity

During installation, Cisco Unity creates several default accounts. Some of the default accounts have phone and/or Windows passwords assigned to them that are not considered secure.

Best Practice: Secure Phone Passwords by Changing Them

You can change phone passwords on the Subscribers > Subscribers > Phone Password page in the Cisco Unity Administrator. Specify a long—20 or more digits—and non-trivial password for the following default accounts:

Example Administrator—The Cisco Unity Installation and Configuration Assistant prompts for a phone password for the Default Administrator template, which is used for this account. If the system was upgraded from Cisco Unity version 4.0(3) or earlier, the Cisco Unity Example Administrator subscriber account may still have a phone password that needs to be changed.

Example Subscriber—If you upgraded from a version of Cisco Unity prior to 4.0(3), you may have an automatically-created Example Subscriber account. If you have an Example Subscriber account and you do not use it, delete it. (Delete both the Cisco Unity subscriber account and the corresponding Active Directory account.) Otherwise, you should change the phone password.

Best Practice: Secure Active Directory Passwords by Changing Them

The default Cisco Unity accounts listed in Table 9-1 are associated with Active Directory accounts whose passwords should be changed using Active Directory Users and Computers. Specify a password that meets the following specifications:

Is at least eight characters long.

Includes at least one character from at least three of the following categories:

Upper-case letters

Lower-case letters

Numbers 0 to 9

Special characters: ~ ! @ # $ % ^ * " ` , . : ; ? - _ ( ) [ ] < > { } + = / \ |

Does not consecutively repeat any character more than twice (for example, do not use "aaaB1*C9").

Does not match the current logon name, either forward or backward.
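The following Python check implements the four Active Directory password specifications listed above, so an administrator can test a proposed password before setting it with Active Directory Users and Computers. It is an added example and not Cisco code; the category set follows the special-character list above exactly, and treating the logon-name comparison as case-insensitive is an assumption (the guide does not say).

```python
import string

# Special characters exactly as listed in the guide (note that & is not among them).
SPECIAL_CHARS = set('~!@#$%^*"`,.:;?-_()[]<>{}+=/\\|')


def consecutive_repeat_over_twice(password):
    """True if any character appears three or more times in a row (e.g. the 'aaa' in aaaB1*C9)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > 2:
            return True
    return False


def check_ad_password(password, logon_name):
    """Return the list of violated rules; an empty list means the password meets the specification."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than three character categories")
    if consecutive_repeat_over_twice(password):
        problems.append("a character repeats more than twice in a row")
    # Assumption: the forward/backward logon-name comparison ignores case.
    name = logon_name.lower()
    if password.lower() in (name, name[::-1]):
        problems.append("matches the logon name forward or backward")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's own counter-example and a passing password.
    for candidate in ("aaaB1*C9", "Vm4il!Adm", "EAdministrator"):
        print(candidate, "->", check_ad_password(candidate, "EAdministrator") or "ok")
```

The check reports every failed rule rather than stopping at the first, which is what a help desk needs when explaining to a subscriber why a password was refused.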

Table 9-1 Cisco Unity Default Accounts Whose Active Directory Account Passwords Should Be Changed 

Cisco Unity Default Account
Considerations

Example Administrator

The account name is EAdministrator.

The Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Administrator template, which is used to create the Example Administrator account and the corresponding Active Directory account. If the system was upgraded from Cisco Unity version 4.0(3) or earlier, the Active Directory Example Administrator account may still have the default password, which should be changed.

Example Subscriber

The account name is ESubscriber.

If the system was upgraded from Cisco Unity version 4.0(2) or earlier, you may have an automatically-created Example Subscriber account, and the account may still have the default password.

If you have an Example Subscriber account and you do not use it, delete it. (Delete both the Cisco Unity subscriber account and the corresponding Active Directory account.) Otherwise, change the password.

Unity Messaging System

The account name is Unity_<servername>.

Note that the account is not visible in the Cisco Unity Administrator. If the system was upgraded from Cisco Unity version 4.0(4) or earlier, the Active Directory Example Administrator account may be enabled and may still have the default password, which should be changed.

None

The account name is UAmis_<servername>.

The Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UAmis Active Directory account. If the system was upgraded from Cisco Unity version 4.0(3) or earlier, the UAmis account may still have the default password, which should be changed. This account is disabled by default.

None

The account name is UOmni_<servername>.

The Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UOmni Active Directory account. If the system was upgraded from Cisco Unity version 4.0(3) or earlier, the UOmni account may still have the default password, which should be changed. This account is disabled by default.


For additional information on managing default accounts, see the "Best Practices for Securing Default Accounts" section on page 7-5.

Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords

Subscribers use an Active Directory password to access the Cisco Unity Administrator (when it is configured to use Anonymous authentication) and the Cisco PCA. To protect Cisco Unity from unauthorized access, each subscriber should be assigned a unique Active Directory password. Additionally, each password should be eight or more characters long and non-trivial.

Simply changing the Active Directory password on the Subscribers > Subscriber Template > Passwords page in the Cisco Unity Administrator before you create subscriber accounts does not ensure that subscribers are assigned unique passwords. This is because the template might not be used to assign passwords, and when it is used, each subscriber account that you create will be assigned the same password.

Consider the following options to ensure that each subscriber is assigned a unique and secure password at the time that you create the account, or immediately thereafter.

Assigning Unique and Secure Active Directory Passwords When You Create Subscriber Accounts

Use one of the following methods to assign a unique and secure Active Directory password to each subscriber account that you create:

Do not use the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard to create new Active Directory accounts. Instead, first create an Active Directory account for each subscriber by using Active Directory Users and Computers, and assign each user a unique and secure password as you go. You can then use the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard to create Cisco Unity subscriber accounts.

Use the Cisco Unity Administrator to add subscribers one at a time. Use a different template for each subscriber that you create, specifying a unique and secure Active Directory password in each template. Alternatively, you can use one template for all subscribers, but specify a unique and secure password before each subscriber account that you add. If you use the same template for all subscribers, you will need to record the passwords that you assign to each subscriber in a secure place so that you can distribute them later. (Cisco Unity stores only the last value saved.)

Before you specify a template password, review the password policy for the Active Directory domain to make sure that the minimum length and complexity requirements do not conflict with the password that you specify in the template. Cisco Unity will not add a subscriber account when the length of the password on the subscriber template is less than the minimum length for passwords in the Active Directory domain.

Assigning Unique and Secure Active Directory Passwords After Subscriber Accounts Have Been Created

After you have created subscriber accounts, use one of the following methods to assign each account a unique and secure Active Directory password:

Use Active Directory Users and Computers to change the existing password for each user.

Ask subscribers to change their own passwords. Subscribers can change their Cisco PCA passwords in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. (If the Cisco Unity server is on a different domain than the one that subscribers typically access, subscribers will also need to specify the domain name for the Cisco Unity server.)

Note that subscribers may assume that their phone and Cisco PCA passwords are the same. As a result, they may think that they are changing both passwords when Cisco Unity prompts them to change their phone password during first-time enrollment. For this reason, you may find that many subscribers do not change their Cisco PCA passwords in Windows, even though you request that they do so.

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

To help protect Cisco Unity from unauthorized access and toll fraud, every subscriber should be assigned a unique phone password. Additionally, each password should be eight or more characters long and non-trivial.

Simply changing the phone password on the Subscribers > Subscriber Template > Passwords page in the Cisco Unity Administrator before you create subscriber accounts does not ensure that subscribers are assigned unique passwords. This is because the template might not be used to assign passwords, and when it is used, each subscriber account that you create is assigned the same password.

Consider the following options to ensure that each subscriber is assigned a unique and secure password at the time that you create the account, or immediately thereafter.

Assigning Unique and Secure Phone Passwords When You Create Subscriber Accounts

Use one of the following methods to assign a unique and secure phone password to each subscriber account that you create:

Use the Cisco Unity Bulk Import wizard to import user data contained in a CSV file. Include the optional column header DTMF_PASSWORD in the CSV file to overwrite the template password for each subscriber.

Use the Cisco Unity Administrator to add a subscriber one at a time. Use a different template for each subscriber that you create, specifying a unique and secure phone password in each template. Alternatively, you can use one template for all subscribers, but specify a unique and secure password before each subscriber account that you add. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Assigning Unique and Secure Phone Passwords After Creating Subscriber Accounts

After you have created subscriber accounts by using either the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard, use the Cisco Unity Bulk Import wizard to assign a unique phone password to each subscriber account that you created. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Cisco Unity administrators can change their passwords in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. If the Cisco Unity server is in a different domain than the one that subscribers typically access with their Windows passwords, subscribers will also need to specify the domain name for the Cisco Unity server.

Best Practice

When you change a password used to access the Cisco Unity Administrator, specify a long—eight or more characters—and non-trivial password. Set up your account policy to require it. Passwords that are used to access the Cisco Unity Administrator should be changed every six months.

Changing Cisco PCA Passwords

You can change subscriber passwords by using Active Directory Users and Computers after you create subscriber accounts. Each subscriber should be assigned a unique Windows password. Subscribers cannot use the Cisco Unity phone conversation or the Cisco Unity Assistant to change their Cisco PCA passwords, nor can administrators change them in the Cisco Unity Administrator. Instead, subscribers change their Cisco PCA passwords only in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. (If the Cisco Unity server is in a different domain than the one that subscribers typically access with their Windows passwords, subscribers will also need to specify the domain name for the Cisco Unity server.)

Best Practice

Specify a long—eight or more characters—and non-trivial password. Encourage subscribers to follow the same practice whenever they change their Windows passwords, or set your domain account policy in Windows to require them to do so. Cisco PCA passwords should be changed every six months.

Changing Cisco Unity Phone Passwords

You can change the phone password for an individual subscriber on the Subscribers > Subscribers > Phone Password pages in the Cisco Unity Administrator at any time. Alternatively, you can use the Cisco Unity Bulk Import wizard to change the phone passwords for multiple subscribers at the same time. (See the Cisco Unity Bulk Import Help for details.)

As a best practice, each subscriber should be assigned a unique password that is eight or more digits long and non-trivial. If you allow subscribers to set their own passwords, encourage them to follow the same practice or use the settings on the Subscribers > Account Policy > Phone Password Restrictions page in the Cisco Unity Administrator to require them to do so.

When their accounts are configured to allow them, subscribers can use the Cisco Unity phone conversation or the Cisco Unity Assistant to set their phone passwords. Neither the Cisco Unity conversation nor the Cisco Unity Assistant requires subscribers to enter their old phone passwords to reset them.

Note that AMIS, Bridge, Internet, and VPIM subscribers cannot log on to Cisco Unity by phone, use the Cisco Unity Assistant, or use the Cisco Unity Inbox.

Phone passwords should be changed every 30 days.

Best Practice: Train Subscribers to Protect Their Phone Passwords

Because subscribers can use the Cisco Unity Assistant to change their phone passwords, they should take appropriate measures to keep their Cisco PCA passwords secure. Subscribers need to understand that the phone and Cisco PCA passwords are not synchronized. While first-time enrollment prompts them to change their initial phone passwords, it does not let them change the password that they use to log on to the Cisco PCA website.

Best Practice: Check for Trivial Subscriber Passwords

After subscribers have set their passwords, confirm that the passwords are non-trivial. To create a report of subscribers who have trivial passwords, use the Subscriber Information Dump, which is in the Cisco Unity Tools Depot, and check the Trivial PW Check check box. The Subscriber Information Dump report will give one of six values for each subscriber account, as described in the Subscriber Information Dump Help. Subscribers with weak passwords can then be identified and trained to use stronger passwords for their Cisco Unity accounts.

Defining Account Policies for Accessing the Cisco Unity Administrator

How you set up an account policy depends on the authentication method used by the Cisco Unity Administrator. When the Cisco Unity Administrator uses the Integrated Windows authentication method (which is the default), the account policy that is specified for each Active Directory account determines the following:

How Windows handles situations when users attempt to log on to Windows and repeatedly enter incorrect passwords

The number of failed logon attempts that Windows allows before the user account cannot be used to access Windows

The length of time that a user remains locked out

If the Cisco Unity Administrator uses Anonymous authentication, you can use the settings on the Authentication page in the Cisco Unity Administrator to customize the logon, password, and lockout policies that Cisco Unity applies when subscribers use the Cisco Unity Administrator to access Cisco Unity.

Best Practices

For increased security, prohibit the use of blank passwords, a restriction that Cisco Unity honors even when an Active Directory account allows them.

With either authentication method, the Active Directory account policies that you define should also require that subscribers change their Cisco Unity passwords at least once every six months and that when changed, the passwords are long—eight or more characters—and non-trivial.

Defining Account Policies for Accessing the Cisco PCA

The account policy that you specify on the Authentication page in the Cisco Unity Administrator determines how Cisco Unity handles situations when subscribers attempt to log on to the Cisco PCA and repeatedly enter incorrect passwords; whether subscribers can use blank passwords; the number of failed logon attempts that Cisco Unity allows before the subscriber account cannot be used to access the Cisco PCA; and the length of time that a user remains locked out.

In addition, you can use the settings on the Authentication page to specify whether the Log On page for the Cisco PCA offers subscribers the following options:

Remember User Name

Remember Password

Remember Domain

When subscribers specify that Cisco Unity will remember their user name, password, or domain, subscribers will not have to enter them the next time that they log on to the Cisco PCA. Instead, the fields are automatically populated in the Log On page. Allowing subscribers to specify whether Cisco Unity will remember their credentials may reduce support desk requests for the information. However, you may not want the Log On page to offer subscribers the above options for security reasons. If this is the case, you can uncheck the Remember Logons for __ Days check box on the Authentication page to prevent the options from appearing on the Cisco PCA Log On page, and to require that subscribers enter their user name, password, and domain each time that they log on to the Cisco PCA.

Defining Account Policies for Phone Access to Cisco Unity

The account policy settings on the Phone Password Restrictions page and the Cisco Unity Account Lockout page in the Cisco Unity Administrator apply when subscribers access Cisco Unity by phone. Changes to settings in the account policy affect all existing subscribers.

See the following sections for more information:

Setting Phone Password Restrictions

Setting Account Lockout Restrictions

Setting Phone Password Restrictions

Phone password restriction settings allow you to define a system-wide password policy that applies when subscribers access Cisco Unity by phone. For greater security, establish rules that prevent passwords from being easy to guess and from being used for a long time. At the same time, it is also best to avoid requiring passwords that are so complicated, or that must be changed so often, that subscribers have to write them down to remember them.

Use the following guidelines as you specify a password policy on the Phone Password Restrictions page in the Cisco Unity Administrator:

Maximum Phone Password Age

As a best practice, do not enable the Password Never Expires option. Instead, confirm that the Days Until Password Expires field is selected so that subscribers are prompted to change their passwords every X days (X is the value specified in the adjacent box). We recommend that you set a maximum phone password age of 30 days.

Phone Password Length

As a best practice, do not enable the Permit Blank Password option. Instead, confirm that the Minimum Number of Characters in Password field is selected so that subscribers are required to create a password at least X characters long (X is the value specified in the adjacent box). When you change the minimum password length, subscribers will be required to use the new length the next time they change their passwords.

We recommend that you require subscribers to use a long—eight or more digits—password when you specify phone password length.

Phone Password Uniqueness

As a best practice, disable the Do Not Keep Password History option (it is enabled by default). Instead, specify a number in the Number of Passwords to Remember field. By doing so, you enable Cisco Unity to enforce password uniqueness by storing a specified number of previous passwords for each subscriber and then comparing new passwords with those stored in the password history. Cisco Unity rejects any password that matches a password stored in the history.

As a best practice, specify that Cisco Unity store between 10 and 24 passwords in password history.

Check Against Trivial Passwords for Extra Security

As a best practice, do not enable the Permit Blank Password option. Instead, confirm that the Check Against Trivial Passwords for Extra Security field is enabled so that subscribers must use non-trivial passwords.

Cisco Unity applications reject phone passwords that contain the trivial characteristics shown in Table 9-2.

Table 9-2 Trivial Phone Password Characteristics Rejected by Application

| Trivial Password Characteristic | Cisco Unity Conversation (TUI) (1) | Cisco Unity Assistant (1) | Cisco Unity Administrator (1) | Cisco Unity Bulk Import | Password Hardening Wizard |
|---|---|---|---|---|---|
| Consists entirely of repeated numbers, such as 44444 | Yes | Yes | Yes | Yes | Yes |
| Contains at least one group of repeated numbers, such as 11579 | No | No | Yes | No | Yes |
| Contains consecutive ascending numbers, such as 12345 | Yes | Yes | Yes | Yes | Yes |
| Contains consecutive descending numbers, such as 87654 | Yes | Yes | Yes | Yes | Yes |
| Matches the subscriber primary extension | Yes | Yes | Yes | No | Not applicable |

(1) Only when you enable the Check Against Trivial Passwords for Extra Security field.
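The Python example below models the Phone Password Restrictions settings described in this section (minimum length, password history, and the trivial-password characteristics of Table 9-2) and, for the Bulk Import scenario described earlier under "Assigning Unique and Secure Phone Passwords", draws a random password that passes the policy, the kind of value you would place in a DTMF_PASSWORD column. It is an added example, not Cisco Unity's own checker: the product's exact rules are not published on this page, so the minimum run length for "consecutive ascending/descending" (three digits) and the treatment of a "group of repeated numbers" as any two identical adjacent digits are assumptions, and the class and function names are descriptive rather than product identifiers.

```python
import secrets

DIGITS = "0123456789"


def has_repeated_group(password):
    """Two or more identical adjacent digits, such as the '11' in 11579."""
    return any(a == b for a, b in zip(password, password[1:]))


def has_consecutive_run(password, step, run_length=3):
    """A run of run_length digits where each digit differs from the previous one by step
    (+1 ascending, -1 descending). The guide's examples are 12345 and 87654 but it does
    not state a minimum run length; three is an assumption made here."""
    run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if int(b) - int(a) == step else 1
        if run >= run_length:
            return True
    return False


def trivial_reasons(password, extension):
    """Return the Table 9-2 characteristics the password exhibits (empty list = not trivial)."""
    reasons = []
    if len(set(password)) == 1:
        reasons.append("consists entirely of repeated digits")
    elif has_repeated_group(password):
        reasons.append("contains a group of repeated digits")
    if has_consecutive_run(password, +1):
        reasons.append("contains consecutive ascending digits")
    if has_consecutive_run(password, -1):
        reasons.append("contains consecutive descending digits")
    if password == extension:
        reasons.append("matches the subscriber primary extension")
    return reasons


class PhonePasswordPolicy:
    """System-wide settings from the Phone Password Restrictions page, modelled as a class
    (the attribute names are descriptive, not the product's own)."""

    def __init__(self, min_length=8, passwords_to_remember=10, check_trivial=True):
        self.min_length = min_length
        self.passwords_to_remember = passwords_to_remember  # 0 models Do Not Keep Password History
        self.check_trivial = check_trivial

    def validate(self, password, extension, history):
        """history holds the subscriber's previous phone passwords, oldest first."""
        problems = []
        if not password or not password.isdigit():
            problems.append("must consist only of digits and must not be blank")
            return problems
        if len(password) < self.min_length:
            problems.append(f"shorter than the minimum of {self.min_length} digits")
        if self.check_trivial:
            problems.extend(trivial_reasons(password, extension))
        remembered = history[-self.passwords_to_remember:] if self.passwords_to_remember else []
        if password in remembered:
            problems.append("matches a password in the password history")
        return problems


def generate_initial_password(policy, extension):
    """Draw a random all-digit password of the policy's minimum length and retry until it
    passes the policy, e.g. to fill the DTMF_PASSWORD column of a Bulk Import CSV."""
    while True:
        candidate = "".join(secrets.choice(DIGITS) for _ in range(policy.min_length))
        if not policy.validate(candidate, extension, []):
            return candidate


if __name__ == "__main__":
    policy = PhonePasswordPolicy(min_length=8, passwords_to_remember=10)
    # Constructed samples: extension 2947 and a few candidate passwords.
    for candidate in ("44444", "11579", "12345", "87654", "2947", "29473816"):
        print(candidate, "->", policy.validate(candidate, "2947", ["29473816"]) or "ok")
    print("generated:", generate_initial_password(policy, "2947"))
```

Because `secrets` is used rather than `random`, the generated passwords are suitable as initial credentials; the retry loop terminates quickly since most 8-digit strings contain no adjacent repeats or runs.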


Setting Account Lockout Restrictions

Cisco Unity account lockout settings allow you to specify whether you want Cisco Unity to use an account lockout policy that applies to all subscribers who access Cisco Unity by phone. You cannot change account policy settings for individual subscriber accounts, though you can lock individual subscriber accounts to prevent those subscribers from using the phone to access Cisco Unity (you lock out individual subscriber accounts on the applicable Subscribers > Subscribers > Account page in the Cisco Unity Administrator).

To specify an account lockout policy on the Account Lockout page, confirm that the Account Lockout field is selected. Then, use the following guidelines as you indicate how you want Cisco Unity to handle failed logon attempts, and if they occur, how long account lockouts last.

Lock Account After __ Invalid Attempts

Use this field to indicate how Cisco Unity handles situations when a caller attempts to log on to a subscriber account and repeatedly enters an incorrect password. We recommend that you change the default to specify that Cisco Unity blocks phone access to the subscriber account after three failed logon attempts.

Reset Count After __ Minutes

Use this field to specify the number of minutes after which Cisco Unity will clear the count of failed logon attempts (unless the failed logon limit is already reached and the account is locked).

Lockout Duration

Specify the length of time that a subscriber who is locked out must wait before attempting to access Cisco Unity by phone again. We recommend that you change the default value to 1440 minutes so that Cisco Unity will reset the count after one day. For even tighter security, you can select Forever, which prevents subscribers from accessing their accounts until a system administrator unlocks them on the applicable Subscribers > Subscribers > Account page. Set the lockout duration to Forever only if a system administrator is readily available to assist subscribers or if the system is prone to unauthorized access and toll fraud.
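To make the interaction between the three lockout settings concrete, here is a small Python model of the policy described above (invalid-attempt threshold, reset window, and lockout duration including Forever), which an administrator can use to reason about how a chosen combination behaves before applying it. It is an added example, not Cisco Unity code: timestamps are expressed in minutes for readability, the 30-minute reset window in the defaults is an assumed value, and the behaviour that a successful logon clears the failure count is an assumption the guide does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """Account Lockout page settings. Times are in minutes; lockout_minutes=None models Forever."""
    max_attempts: int = 3                   # Lock Account After __ Invalid Attempts (guide recommends 3)
    reset_minutes: int = 30                 # Reset Count After __ Minutes (30 is an assumed value)
    lockout_minutes: Optional[int] = 1440   # Lockout Duration (guide recommends 1440 = one day)


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks failed phone logons per subscriber account under a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state(account)
        if st.locked_at is None:
            return False
        if self.policy.lockout_minutes is None:
            return True  # Forever: only admin_unlock clears the lock
        if now - st.locked_at >= self.policy.lockout_minutes:
            self.accounts[account] = AccountState()  # duration elapsed; count is reset
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register one incorrect password. Returns True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        st = self._state(account)
        # Reset Count After __ Minutes: failures older than the window no longer accumulate.
        if st.first_failure_at is not None and now - st.first_failure_at >= self.policy.reset_minutes:
            st.failures, st.first_failure_at = 0, None
        if st.first_failure_at is None:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_at = now
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """Correct password on an unlocked account clears the count (assumed). Returns False if locked."""
        if self.is_locked(account, now):
            return False
        self.accounts[account] = AccountState()
        return True

    def admin_unlock(self, account: str) -> None:
        """Models an administrator unlocking the account on the Subscribers > Account page."""
        self.accounts[account] = AccountState()


if __name__ == "__main__":
    # Constructed scenario: three wrong passwords within two minutes lock extension 2947 for a day.
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3, reset_minutes=30, lockout_minutes=1440))
    for minute in (0, 1, 2):
        print("failure at minute", minute, "-> locked:", tracker.record_failure("2947", minute))
    print("still locked after 100 minutes:", tracker.is_locked("2947", 100))
    print("locked after one day:", tracker.is_locked("2947", 2 + 1440))
```

Note how the Forever setting pushes every unlock onto an administrator, which is why the guide ties that choice to having one readily available.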