Cisco Unity System Administration Guide (With IBM Lotus Domino), Release 4.0(5)
Account Policy Settings


Overview: Account Settings

The account policy settings on the Phone Password Restrictions Page and the Cisco Unity Account Lockout Page in the Cisco Unity Administrator apply when subscribers access Cisco Unity by phone. Changes to settings in the account policy affect all existing subscribers.

Note that the settings on the Account Policy pages represent a different account policy from the one that applies when subscribers use web applications to access Cisco Unity. For information on specifying an account policy for the Cisco Personal Communications Assistant (PCA) and the Cisco Unity Administrator, see the "Authentication Settings" section on page 25-15.

See the following sections in this chapter for more information:

Phone Password Restriction Settings

Account Lockout Settings

Phone Password Restriction Settings

Phone password restriction settings allow you to define a systemwide password policy that applies when subscribers access Cisco Unity by phone. For greater security, establish rules that prevent passwords from being easy to guess and from being used for a long time. At the same time, it is also best to avoid requiring passwords that are so complicated, or that must be changed so often, that subscribers have to write them down to remember them. Consider requiring that subscribers use a long (eight or more digits) and non-trivial password when you specify phone password restrictions.

Phone password restrictions cannot be changed for individual subscriber accounts. However, you can use the password settings on the template and individual subscriber pages in the Cisco Unity Administrator to govern the passwords that subscribers initially use to log on to Cisco Unity by phone, and to define whether and when subscribers can change their own phone passwords. You can also use the Cisco Unity Bulk Import wizard to set phone passwords for multiple subscriber accounts at the same time. (Refer to the Cisco Unity Bulk Import Help for details.)

Use the following table to learn more about phone password settings.

Table 16-1 Subscribers > Account Policy > Phone Password Restrictions Page 

Field: Maximum Phone Password Age

Considerations: Select one of the following settings:

Password Never Expires—Subscribers are never prompted to change their passwords, although they are able to change passwords any time.

Days Until Password Expires—Subscribers are prompted to change their passwords every X days. X is the value specified in the adjacent box.

Field: Phone Password Length

Considerations: Select one of the following settings:

Permit Blank Password—Subscribers are able to log on without entering a password. Note that this leaves subscriber messages vulnerable to unauthorized access and toll fraud.

Minimum Number of Characters—Subscribers are required to create a password at least X characters long. X is the value specified in the adjacent box. In general, shorter passwords are easier to use, but longer passwords are more secure. Eight or more digits is recommended.

When you change the minimum password length, subscribers will be required to use the new length the next time they change their passwords.

Field: Phone Password Uniqueness

Considerations: Select one of the following settings:

Do Not Keep Password History—Cisco Unity does not compare a new password with previous passwords; thus a subscriber can reuse passwords.

Number of Passwords to Remember—Cisco Unity stores the specified number of previous passwords for a subscriber and compares a new password with them. Cisco Unity rejects the new password if it matches a password in the history.

If the Permit Blank Password box is selected, the Phone Password Uniqueness fields are disabled.

Field: Check Against Trivial Passwords for Extra Security

Considerations: Check this check box to have Cisco Unity verify that a new password meets the following criteria when subscriber phone passwords are changed by using the Cisco Unity Administrator, the Cisco Unity Assistant, or the Cisco Unity conversation:

The digits are not all the same (for example, 9999).

The digits are not consecutive (for example, 1234 or 4321).

The password is not the same as the primary extension assigned to the subscriber.

In addition to checking this check box, consider providing subscribers with a password policy that advises them to avoid specifying a password that:

Spells their first or last name, their organization or company name, or any other obvious words.

Contains their primary extension.

Is the reverse of their primary extension or contains the reverse of their primary extension.

Uses the same digits more than twice in a row (for example, 900012).

Is a 1-digit increment of a previous password (for example, 20185 to 20186).

Contains fewer than three different digits (for example, 18181).

If Permit Blank Password has been selected, the Check Against Trivial Passwords for Extra Security field is disabled.
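
The numeric checks in this table can be expressed as a validator, which is useful for auditing phone passwords before a bulk import. The following Python example is added here and is not Cisco Unity code: the function names, finding strings and sample extension 5012 are hypothetical, consecutive digits are assumed not to wrap from 9 to 0, and the name-spelling rule is left out.

```python
import re

def is_consecutive(pin):
    """True if every digit steps by +1 (1234) or -1 (4321); no 9->0 wraparound (assumption)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def check_phone_password(pin, extension, history=(), min_length=8):
    """Return policy findings for a candidate phone password; an empty list means it passes."""
    # history holds earlier passwords as digit strings, kept in the clear only for this demo.
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not a digits-only password"]
    findings = []
    if len(pin) < min_length:
        findings.append(f"shorter than {min_length} digits")
    if pin in history:
        findings.append("matches a password in the history")
    # Criteria the page lists for the trivial-password check box.
    if len(set(pin)) == 1:
        findings.append("digits are all the same")
    if is_consecutive(pin):
        findings.append("digits are consecutive")
    if pin == extension:
        findings.append("same as the primary extension")
    # Criteria the page suggests for a written subscriber policy.
    if extension and pin != extension and extension in pin:
        findings.append("contains the primary extension")
    if extension and extension[::-1] in pin:
        findings.append("contains the reverse of the primary extension")
    if re.search(r"(\d)\1\1", pin):
        findings.append("same digit more than twice in a row")
    if any(len(old) == len(pin) and int(pin) == int(old) + 1 for old in history):
        findings.append("one-digit increment of a previous password")
    if 1 < len(set(pin)) < 3:
        findings.append("fewer than three different digits")
    return findings

if __name__ == "__main__":
    # Constructed sample values, taken from the examples in the table above.
    for pin in ("9999", "4321", "900012", "18181", "73920584"):
        print(pin, check_phone_password(pin, extension="5012", min_length=4))
```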


Account Lockout Settings

Cisco Unity account lockout settings allow you to specify whether you want Cisco Unity to use an account lockout policy that applies to all subscribers who access Cisco Unity by phone. To customize the account lockout policy for your organization, you can use the settings on the Cisco Unity Account Lockout page to dictate:

How Cisco Unity handles situations when subscribers attempt to log on to Cisco Unity by phone and repeatedly enter incorrect phone passwords.

The number of failed logon attempts that are allowed before Cisco Unity prohibits the subscriber from accessing Cisco Unity by phone.

The length of time that a subscriber who is locked out must wait before attempting to access Cisco Unity by phone again.

Changes to account policy settings affect all Cisco Unity subscribers. You cannot change account policy settings for individual subscriber accounts, though you can lock individual subscriber accounts to prevent subscribers from using the phone to access Cisco Unity. (For details, see the "Subscriber Account Settings" section on page 14-6.)

Use the following table to learn more about account lockout settings.

Table 16-2 Subscribers > Account Policy > Unity Account Lockout Page 

Field: No Account Lockout

Considerations: Click this option if you do not want to specify an account lockout policy for subscribers who use the phone to access Cisco Unity. When this option is selected, Cisco Unity allows unlimited logon attempts to a subscriber account.

Field: Account Lockout

Considerations: Click this option if you want to specify an account lockout policy for subscribers who use the phone to access Cisco Unity. When this option is selected, enter the applicable values in the following fields:

Lock Account After __ Invalid Attempts

Reset Count After __ Minutes

Lockout Duration

Field: Lock Account After __ Invalid Attempts

Considerations: Enter the number of failed logon attempts after which subscribers cannot access Cisco Unity by phone.

This option is unavailable when the No Account Lockout option is selected.

Field: Reset Count After __ Minutes

Considerations: Enter the number of minutes after which Cisco Unity will clear the count of failed logon attempts to Cisco Unity by phone (unless the failed logon limit is already reached and the account is locked).

This option is unavailable when the No Account Lockout option is selected.

Field: Lockout Duration

Considerations: Select one of the following settings:

Forever—When you select this option, Cisco Unity will prevent subscribers from accessing Cisco Unity by phone until a system administrator unlocks the subscriber account on the Subscribers > Subscribers > Account Page for an individual subscriber. Use this setting only if a system administrator is readily available to assist subscribers or if the system is prone to unauthorized access and toll fraud.

Minutes—When you select this option, enter the number of minutes that Cisco Unity will prevent subscribers from accessing Cisco Unity by phone. Cisco Unity allows subscribers to access Cisco Unity by phone after the specified number of minutes has elapsed. Use this setting if a system administrator may not be available to assist subscribers; avoid using it if the system is prone to unauthorized access and toll fraud.

This option is unavailable when the No Account Lockout option is selected.
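
The way the three lockout fields interact can be modeled as a small state machine and replayed against a sequence of logon attempts. The following Python example is added here and is not Cisco Unity code: the class and method names are hypothetical and times are in minutes. It assumes that the reset window is measured from the most recent failed attempt and that a successful logon clears the count, neither of which the page specifies.

```python
FOREVER = None  # lockout_min value for the "Forever" setting

class PhoneLockout:
    """Per-subscriber lockout state for the settings in Table 16-2 (hypothetical model)."""

    def __init__(self, max_attempts, reset_after_min, lockout_min=FOREVER):
        self.max_attempts = max_attempts        # None models "No Account Lockout"
        self.reset_after_min = reset_after_min  # "Reset Count After __ Minutes"
        self.lockout_min = lockout_min          # "Lockout Duration"
        self.unlock()

    def unlock(self):
        """Administrator unlock; also used when a timed lockout has elapsed."""
        self.failures, self.last_failure, self.locked_at = 0, None, None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.lockout_min is not FOREVER and now - self.locked_at >= self.lockout_min:
            self.unlock()
            return False
        return True

    def attempt(self, now, password_ok):
        """Record a logon attempt at minute `now`; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(now):
            return "locked"  # a correct password is refused while the account is locked
        if password_ok:
            self.failures = 0  # assumption: success clears the failed-attempt count
            return "ok"
        # Assumption: the reset window runs from the most recent failed attempt.
        if self.last_failure is not None and now - self.last_failure >= self.reset_after_min:
            self.failures = 0
        self.failures += 1
        self.last_failure = now
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked_at = now
        return "failed"

def replay(policy, events):
    """Apply (minute, password_ok) events in order and return each outcome."""
    return [policy.attempt(t, ok) for t, ok in events]

# Constructed sample: three wrong guesses, then correct passwords at minutes 3, 10 and 17.
EVENTS = [(0, False), (1, False), (2, False), (3, True), (10, True), (17, True)]

if __name__ == "__main__":
    print("15-minute lockout:", replay(PhoneLockout(3, 30, 15), EVENTS))
    print("Forever:          ", replay(PhoneLockout(3, 30, FOREVER), EVENTS))
```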