Cisco Unity Security Guide (With IBM Lotus Domino), Release 4.x
Password and Account Policy Management

Table Of Contents

Password and Account Policy Management

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Securing Passwords On Default Accounts That Are Created by Cisco Unity

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Changing Cisco PCA Passwords

Changing Cisco Unity Phone Passwords

Defining Account Policies for Accessing the Cisco Unity Administrator

Defining Account Policies for Accessing the Cisco PCA

Defining Account Policies for Phone Access to Cisco Unity

Setting Phone Password Restrictions

Setting Account Lockout Restrictions


Password and Account Policy Management


Your first steps in helping prevent unauthorized access to Cisco Unity applications are to secure the passwords that are associated with the default Cisco Unity accounts and to ensure that the passwords initially assigned to subscribers are unique. We also recommend that you define Cisco Unity account policies to require that subscribers change their passwords often and continue to use passwords that are unique and not easy to guess. A well-considered account policy can also thwart unauthorized access to Cisco Unity applications by locking out users who enter invalid passwords too many times.

In this chapter, you will find information on completing the above tasks and on other issues related to password security and account policy management. To help you understand the scope of Cisco Unity password management, the first section in this chapter describes the different passwords required to access the Cisco Unity Administrator, the Cisco Personal Communications Assistant (PCA), and the Cisco Unity conversation (the "TUI"). Each of the sections that follow offer information on actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices.

For information that will guide you through the process of securing Cisco Unity passwords and defining account policies, see the following sections:

Understanding Which Passwords Subscribers Use

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Securing Passwords for Default Cisco Unity Accounts

Securing Passwords On Default Accounts That Are Created by Cisco Unity

Understanding Which Passwords Are Required and How to Initially Secure Them

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

How to Change Subscriber Passwords

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Changing Cisco PCA Passwords

Changing Cisco Unity Phone Passwords

How to Define Account Policies

Defining Account Policies for Accessing the Cisco Unity Administrator

Defining Account Policies for Accessing the Cisco PCA

Defining Account Policies for Phone Access to Cisco Unity


Note The Cisco PCA is a website that subscribers use to access the Cisco Unity Assistant. In version 3.1(x) and earlier, the Cisco Unity Assistant was known as the ActiveAssistant, or AA.


About the Passwords That Subscribers Use to Access Cisco Unity Applications

Cisco Unity subscribers use different passwords to access Cisco Unity applications. Knowing which passwords are required for each application is important in understanding the scope of Cisco Unity password management.

Cisco Unity Administrator

When IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, Cisco Unity prompts subscribers to enter their credentials on the Cisco Unity Log On page. Subscribers can choose whether to enter Domino or Windows credentials. The password for accessing the Cisco Unity Administrator is inherited from the password settings in Domino and Windows (if the subscriber has a Windows domain account).

When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, subscribers enter the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account.

Cisco PCA

Subscribers are prompted to enter their IBM Lotus Notes user names and the Internet passwords for their Domino user accounts on the Cisco PCA Log On page.

Cisco Unity Conversation

Subscribers use the phone keypad to enter a password, consisting entirely of digits.

Securing Passwords On Default Accounts That Are Created by Cisco Unity

During installation, Cisco Unity creates several default accounts. Some of the default accounts have phone and/or Windows passwords assigned to them that are not considered secure.

Best Practice: Secure Phone Passwords by Changing Them

The Example Subscriber is the only default Cisco Unity account with a phone password. Note that beginning with Cisco Unity 4.0(3), Cisco Unity no longer created an Example Subscriber account. However, upgrading to Cisco Unity 4.0(3) or later does not automatically delete the Example Subscriber account. If have an Example Subscriber account and you do not use it, delete it. (Delete both the Cisco Unity subscriber account and the corresponding Active Directory or Windows NT account.) Otherwise, you should change the phone password.

You can change phone passwords on the Subscribers > Subscribers > Phone Password page in the Cisco Unity Administrator. Specify a long—20 or more digits—and non-trivial password.

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

To help protect Cisco Unity from unauthorized access and toll fraud, every subscriber should be assigned a unique phone password. Additionally, each password should be eight or more characters long and non-trivial.

Simply changing the phone password on the Subscribers > Subscriber Template > Passwords page in the Cisco Unity Administrator before you create subscriber accounts does not ensure that subscribers are assigned unique passwords. This is because the template might not be used to assign passwords, and when it is used, each subscriber account that you create is assigned the same password.

Consider the following options to ensure that each subscriber is assigned a unique and secure password at the time that you create the account, or immediately thereafter.

Assigning Unique and Secure Phone Passwords When You Create Subscriber Accounts

Use one of the following methods to assign a unique and secure phone password to each subscriber account that you create:

Use the Cisco Unity Bulk Import wizard to import user data contained in a CSV file. Include the optional column header DTMF_PASSWORD in the CSV file to overwrite the template password for each subscriber.

Use the Cisco Unity Administrator to add a subscriber one at a time. Use a different template for each subscriber that you create, specifying a unique and secure phone password in each template. Alternatively, you can use one template for all subscribers, but specify a unique and secure password before each subscriber account that you add. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Assigning Unique and Secure Phone Passwords After Creating Subscriber Accounts

After you have created subscriber accounts by using either the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard, use the Cisco Unity Bulk Import wizard to assign a unique phone password to each subscriber account that you created. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Depending on whether IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication and whether the subscriber has a Windows domain account, subscribers can either change their passwords in Domino or in Windows, as applicable.

Best Practice

When you change a password used to access the Cisco Unity Administrator, specify a long—eight or more characters—and non-trivial password. Set up your account policy to require it. Passwords that are used to access the Cisco Unity Administrator should be changed every six months.

Changing Cisco PCA Passwords

Subscribers cannot use the Cisco Unity phone conversation or the Cisco Unity Assistant to change their Cisco PCA passwords, nor can administrators change them in the Cisco Unity Administrator. Instead, subscribers change their Cisco PCA passwords only in Lotus Notes.

Best Practice

Cisco PCA passwords should be changed every six months.

Changing Cisco Unity Phone Passwords

You can change the phone password for an individual subscriber on the Subscribers > Subscribers > Phone Password pages in the Cisco Unity Administrator at any time. Alternatively, you can use the Cisco Unity Bulk Import wizard to change the phone passwords for multiple subscribers at the same time. (Refer to the Cisco Unity Bulk Import Help for details.)

As a best practice, each subscriber should be assigned a unique password that is eight or more digits long and non-trivial. If you allow subscribers to set their own passwords, encourage them to follow the same practice or use the settings on the Subscribers > Account Policy > Phone Password Restrictions page in the Cisco Unity Administrator to require them to do so.

When their accounts are configured to allow them, subscribers can use the Cisco Unity phone conversation or the Cisco Unity Assistant to set their phone passwords. Neither the Cisco Unity conversation nor the Cisco Unity Assistant require subscribers to enter their old phone passwords to reset them.

Note that AMIS, Bridge, Internet, and VPIM subscribers cannot log on to Cisco Unity by phone or use the Cisco Unity Assistant. 

Phone passwords should be changed every 30 days.

Best Practice: Train Subscribers to Protect Their Phone Passwords

Because subscribers can use the Cisco Unity Assistant to change their phone passwords, they should take appropriate measures to keep their Cisco PCA passwords secure. Subscribers need to understand that the phone and Cisco PCA passwords are not synchronized. While first-time enrollment prompts them to change their initial phone passwords, it does not let them change the password that they use to log on to the Cisco PCA website.

Best Practice: Check for Trivial Subscriber Passwords

After subscriber have set their passwords, confirm that the passwords are non-trivial. To create a report of subscribers who have trivial passwords, use the Subscriber Information Dump, which is in the Cisco Unity Tools Depot, and check the Trivial PW Check check box. The Subscriber Information Dump report will give one of six values for each subscriber account, as described in the Subscriber Information Dump Help. Subscribers with weak passwords can then be identified and trained to use stronger passwords for their Cisco Unity accounts.

Defining Account Policies for Accessing the Cisco Unity Administrator

How you set up an account policy depends on the authentication method used by the Cisco Unity Administrator. When the Cisco Unity Administrator uses the Integrated Windows authentication method (which is the default), the account policy that is specified for each Windows domain account determines the following:

How Windows handles situations when users attempt to log on to Windows and repeatedly enter incorrect passwords

The number of failed logon attempts that Windows allows before the user account cannot be used to access Windows

The length of time that a user remains locked out

If the Cisco Unity Administrator uses Anonymous authentication, you can use the settings on the Authentication page in the Cisco Unity Administrator to customize the logon, password, and lockout policies that Cisco Unity applies when subscribers use the Cisco Unity Administrator to access Cisco Unity.

Best Practices

Because subscribers can use either Domino or Windows credentials to log on to the Cisco Unity Administrator, you can specify two logon and lockout policies on the Authentication pages: one that applies when subscribers use their Windows domain credentials, and another that applies when subscribers use their Domino credentials. For increased security, prohibit the use of blank passwords, a restriction that Cisco Unity honors even when the Domino or Windows account allows them. As applicable, use the password policy settings in Domino or Windows to require that subscribers specify a non-trivial password that is a minimum of eight characters whenever they change their password.

With either authentication method, the account policies that you define in Domino and/or Windows should also require that subscribers change their Cisco Unity passwords at least once every six months and that when changed, the passwords are long—eight or more characters—and non-trivial.

Defining Account Policies for Accessing the Cisco PCA

The account policy that you specify on the Authentication page in the Cisco Unity Administrator determines how Cisco Unity handles situations when subscribers attempt to log on to the Cisco PCA and repeatedly enter incorrect passwords; whether subscribers can use blank passwords; the number of failed logon attempts that Cisco Unity allows before the subscriber account cannot be used to access the Cisco PCA; and the length of time that a user remains locked out.

In addition, you can use the settings on the Authentication page to specify whether the Log On page for the Cisco PCA offers subscribers the following options:

Remember User Name

Remember Password

Remember Domain

When subscribers specify that Cisco Unity will remember their user name, password, or domain, subscribers will not have to enter them the next time that they log on to the Cisco PCA. Instead, the fields are automatically populated in the Log On page. Allowing subscribers to specify whether Cisco Unity will remember their credentials may reduce support desk requests for the information. However, you may not want the Log On page to offer subscribers the above options for security reasons. If this is the case, you can uncheck the Remember Logons for __ Days check box on the Authentication page to prevent the options from appearing on the Cisco PCA Log On page, and to require that subscribers enter their user name, password, and domain each time that they log on to the Cisco PCA.


Caution If you want to use the Upgrade to More Secure Internet Password Format option that is available in the Domino Administrator, you must install Notes version 5.0.11 or later on the Cisco Unity server. Otherwise, Cisco Unity subscribers will not be able to log on to Cisco PCA.

Defining Account Policies for Phone Access to Cisco Unity

The account policy settings on the Phone Password Restrictions page and the Cisco Unity Account Lockout page in the Cisco Unity Administrator apply when subscribers access Cisco Unity by phone. Changes to settings in the account policy affect all existing subscribers.

See the following sections for more information:

Setting Phone Password Restrictions

Setting Account Lockout Restrictions

Setting Phone Password Restrictions

Phone password restriction settings allow you to define a systemwide password policy that applies when subscribers access Cisco Unity by phone. For greater security, establish rules that prevent passwords from being easy to guess and from being used for a long time. At the same time, is also best to avoid requiring passwords that are so complicated or that must be changed so often that subscribers have to write them down to remember them.

Use the following guidelines as you specify a password policy on the Phone Password Restrictions page in the Cisco Unity Administrator:

Maximum Phone Password Age

As a best practice, do not enable the Password Never Expires option. Instead, confirm that the Days Until Password Expires field is selected so that subscribers are prompted to change their passwords every X days (X is the value specified in the adjacent box). We recommend that you set a maximum phone password age of 30 days.

Phone Password Length

As a best practice, do not enable the Permit Blank Password option. Instead, confirm that the Minimum Number of Characters in Password field is selected so that subscribers are required to create a password at least X characters long (X is the value specified in the adjacent box). When you change the minimum password length, subscribers will be required to use the new length the next time they change their passwords.

We recommend that you require subscribers to use a long—eight or more digits—password when you specify phone password length.

Phone Password Uniqueness

As a best practice, disable the Do Not Keep Password History option (it is enabled by default). Instead, specify a number in the Number of Passwords to Remember field. By doing so, you enable Cisco Unity to enforce password uniqueness by storing a specified number of previous passwords for each subscriber and then, comparing new passwords with those stored in the password history. Cisco Unity rejects any password that matches a password stored in the history.

As a best practice, specify that Cisco Unity store between 10 and 24 passwords in password history.

Check Against Trivial Passwords for Extra Security

As a best practice, do not enable the Permit Blank Password option. Instead, confirm that the Check Against Trivial Passwords for Extra Security field is enabled so that subscribers must use non-trivial passwords.

Cisco Unity applications reject phone passwords that contain the trivial characteristics shown in Table 8-1.

Table 8-1 Trivial Phone Password Characteristics Rejected by Application 

Trivial Password Characteristic
Cisco Unity Conversation (TUI)1
Cisco Unity Assistant1
Cisco Unity Administrator1
Cisco Unity Bulk Import
Password Hardening Wizard2

Consists entirely of repeated numbers, such as 44444

Yes

Yes

Yes

Yes

Yes

Contains at least one group of repeated numbers, such as 11579

No

No

Yes

No

Yes

Contains consecutive ascending numbers, such as 12345

Yes

Yes

Yes

Yes

Yes

Contains consecutive descending numbers, such as 87654

Yes

Yes

Yes

Yes

Yes

Matches the subscriber primary extension

Yes

Yes3

Yes

No

Not applicable

1 Only when you enable the Check Against Trivial Passwords for Extra Security field.

2 The Password Hardening wizard was added to the Cisco Unity Installation and Configuration Assistant for Cisco Unity 4.0(4). The wizard prompts the installer to specify Active Directory and phone passwords for the default administrator template and for the default subscriber template, and the phone password for the Cisco Unity administration account.

3 In Cisco Unity version 4.0(4) and earlier, when the Check Against Trivial Passwords for Extra Security check box is checked in the Cisco Unity Administrator, the Cisco Unity Assistant does not prevent subscribers from entering phone passwords that match their extensions.


Setting Account Lockout Restrictions

Cisco Unity account lockout settings allow you to specify whether you want Cisco Unity to use an account lockout policy that applies to all subscribers who access Cisco Unity by phone. You cannot change account policy settings for individual subscriber accounts, though you can lock individual subscriber accounts to prevent those subscribers from using the phone to access Cisco Unity (you lock out individual subscriber accounts on the applicable Subscribers > Subscribers > Account page in the Cisco Unity Administrator).

To specify an account lockout policy on the Account Lockout page, confirm that the Account Lockout field is selected. Then, use the following guidelines as you indicate how you want Cisco Unity to handle failed logon attempts, and if they occur, how long account lockouts last.

Lock Account After __ Invalid Attempts

Use this field to indicate how Cisco Unity handles situations when a caller attempts to log on to a subscriber account and repeatedly enters an incorrect password. We recommend that you change the default to specify that Cisco Unity blocks phone access to the subscriber account after three failed logon attempts.

Reset Count After __ Minutes

Use this field to specify the number of minutes after which Cisco Unity will clear the count of failed logon attempts (unless the failed logon limit is already reached and the account is locked).

Lockout Duration

Specify the length of time that a subscriber who is locked out must wait before attempting to access Cisco Unity by phone again. We recommend that you change the default value to 1440 minutes so that Cisco Unity will reset the count after one day. For even tighter security, you can select Forever, which prevents subscribers from accessing their accounts until a system administrator unlocks them on the applicable Subscribers > Subscribers > Account page. Set the lockout duration to Forever only if a system administrator is readily available to assist subscribers or if the system is prone to unauthorized access and toll fraud.