Cisco Unity Security Guide (With Microsoft Exchange), Release 4.x
Password and Account Policy Management

Table Of Contents

Password and Account Policy Management

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Securing Passwords On Default Accounts That Are Created by Cisco Unity

Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Changing Cisco PCA Passwords

Changing Cisco Unity Phone Passwords

Defining Account Policies for Accessing the Cisco Unity Administrator

Defining Account Policies for Accessing the Cisco PCA

Defining Account Policies for Phone Access to Cisco Unity

Setting Phone Password Restrictions

Setting Account Lockout Restrictions


Password and Account Policy Management


Your first steps in helping prevent unauthorized access to Cisco Unity applications are to secure the passwords that are associated with the default Cisco Unity accounts and to ensure that the passwords initially assigned to subscribers are unique. We also recommend that you define Cisco Unity account policies to require that subscribers change their passwords often and continue to use passwords that are unique and not easy to guess. A well-considered account policy can also thwart unauthorized access to Cisco Unity applications by locking out users who enter invalid passwords too many times.

In this chapter, you will find information on completing the above tasks and on other issues related to password security and account policy management. To help you understand the scope of Cisco Unity password management, the first section in this chapter describes the different passwords required to access the Cisco Unity Administrator, the Cisco Personal Communications Assistant (PCA), and the Cisco Unity conversation (the "TUI"). Each of the sections that follow offers information on actions you need to take; recommendations that will help you make decisions; discussion of the ramifications of the decisions you make; and in many cases, best practices.

For information that will guide you through the process of securing Cisco Unity passwords and defining account policies, see the following sections:

Understanding Which Passwords Subscribers Use

About the Passwords That Subscribers Use to Access Cisco Unity Applications

Securing Passwords for Default Cisco Unity Accounts

Securing Passwords On Default Accounts That Are Created by Cisco Unity

Understanding Which Passwords Are Required and How to Initially Secure Them

Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

How to Change Subscriber Passwords

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Changing Cisco PCA Passwords

Changing Cisco Unity Phone Passwords

How to Define Account Policies

Defining Account Policies for Accessing the Cisco Unity Administrator

Defining Account Policies for Accessing the Cisco PCA

Defining Account Policies for Phone Access to Cisco Unity


Note: The Cisco PCA is a website that subscribers use to access the Cisco Unity Assistant and the Cisco Unity Inbox. In version 3.1(x) and earlier, the Cisco Unity Assistant was known as the ActiveAssistant, or AA; the Cisco Unity Inbox was known as the Visual Messaging Interface, or VMI.


About the Passwords That Subscribers Use to Access Cisco Unity Applications

Cisco Unity subscribers use different passwords to access Cisco Unity applications. Knowing which passwords are required for each application is important in understanding the scope of Cisco Unity password management.

Cisco Unity Administrator

When IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, Cisco Unity prompts subscribers to enter the user name and password for their Windows domain account on the Cisco Unity Log On page.

When IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication, subscribers enter the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account.

Cisco PCA

Subscribers are prompted to enter the user name and password for their Windows domain accounts on the Cisco PCA Log On page.

Cisco Unity Conversation

Subscribers use the phone keypad to enter a password, consisting entirely of digits.

Securing Passwords On Default Accounts That Are Created by Cisco Unity

During installation, Cisco Unity creates several default accounts. Some of the default accounts have phone and/or Windows passwords assigned to them that are not considered secure.

Best Practice: Secure Phone Passwords by Changing Them

You can change phone passwords on the Subscribers > Subscribers > Phone Password page in the Cisco Unity Administrator. Specify a long—20 or more digits—and non-trivial password for the following default accounts:

Example Administrator—In Cisco Unity 4.0(3) and earlier, there was a default phone password. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a phone password for the Default Administrator template, which is used for this account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the Cisco Unity Example Administrator subscriber account may still have a phone password that needs to be changed.

Example Subscriber—Note that beginning with Cisco Unity 4.0(3), Cisco Unity no longer created an Example Subscriber account. However, upgrading to Cisco Unity 4.0(3) or later does not automatically delete the Example Subscriber account. If you have an Example Subscriber account and you do not use it, delete it. (Delete both the Cisco Unity subscriber account and the corresponding Active Directory or Windows NT account.) Otherwise, you should change the phone password.

Best Practice: Secure Active Directory/Windows NT Passwords by Changing Them

The default Cisco Unity accounts listed in Table 8-1 have Active Directory or Windows NT accounts associated with them that should be changed. If the Cisco Unity server is a domain controller or a member server in an Active Directory domain, you can do so by changing the default Active Directory password by using Active Directory Users and Computers. If the Cisco Unity server is a member server in a Windows NT domain, change the default Windows NT password by using User Manager for Domains. Specify a password that meets the following specifications:

Is at least eight characters long.

Includes at least one character from at least three of the following categories:

Upper-case letters

Lower-case letters

Numbers 0 to 9

Special characters: ~ ! @ # $ % ^ * " ` , . : ; ? - _ ( ) [ ] < > { } + = / \ |

Does not consecutively repeat any character more than twice (for example, do not use "aaaB1*C9").

Does not match the current logon name, either forward or backward.
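The rules above are easy to check mechanically before you hand a password to Active Directory Users and Computers or a subscriber template. The following validator is an added example, not a Cisco tool or code from this guide: it encodes the four rules exactly as listed (the special-character set is the one given above) and returns the rules a candidate breaks. One detail the guide leaves open, and assumed here, is that "matches the current logon name" means an exact, case-insensitive match, forward or reversed.

```python
import re

# The special-character set is exactly the one listed in this section of the guide.
SPECIALS = set('~!@#$%^*"`,.:;?-_()[]<>{}+=/\\|')
DIGITS = set("0123456789")


def password_violations(password: str, logon_name: str) -> list:
    """Return the rules from this section that the candidate password breaks.

    An empty list means the password satisfies every listed rule.
    Assumption (the guide does not say): the logon-name comparison is an exact,
    case-insensitive match of the whole password, forward or reversed.
    """
    violations = []

    if len(password) < 8:
        violations.append("shorter than eight characters")

    # At least one character from at least three of the four categories.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in DIGITS for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 3:
        violations.append("fewer than three character categories")

    # Any character repeated more than twice in a row, e.g. the "aaa" in "aaaB1*C9".
    if re.search(r"(.)\1\1", password):
        violations.append("a character repeats more than twice consecutively")

    name = logon_name.lower()
    if password.lower() in (name, name[::-1]):
        violations.append("matches the logon name forward or backward")

    return violations


if __name__ == "__main__":
    # Constructed examples, including the one the guide itself rejects.
    for candidate in ("aaaB1*C9", "Tr0ub4d!", "abcdefgh", "eodJ"):
        print(candidate, password_violations(candidate, "jdoe") or "OK")
```

Run it against the template password before you create subscribers, since a password that fails the domain policy causes the subscriber add itself to fail (see the note on template passwords later in this chapter).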

Table 8-1 Cisco Unity Default Accounts with Active Directory or Windows NT Passwords That Should Be Changed

Cisco Unity Default Account: Example Administrator
Account name: EAdministrator
Considerations: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Administrator template, which is used to create the Example Administrator account and the corresponding Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the Active Directory or Windows NT Example Administrator account may still have the default password, which should be changed.

Cisco Unity Default Account: Example Subscriber
Account name: ESubscriber
Considerations: In Cisco Unity 4.0(2) and earlier, there was a default password for this account. Beginning with Cisco Unity 4.0(3), Cisco Unity no longer created an Example Subscriber account. If a Cisco Unity 4.0(3) or later system was upgraded from version 4.0(2) or earlier, the Active Directory or Windows NT Example Subscriber account may still have the default password. If you have an Example Subscriber account and you do not use it, delete it. (Delete both the Cisco Unity subscriber account and the corresponding Active Directory or Windows NT account.) Otherwise, change the password.

Cisco Unity Default Account: Unity Messaging System
Account name: Unity_<servername>
Considerations: The account is not visible in the Cisco Unity Administrator. As of Cisco Unity 4.0(5), there is still a default password for this account; however, beginning with Cisco Unity 4.0(5), the account is disabled by default. If a Cisco Unity 4.0(5) or later system was upgraded from version 4.0(4) or earlier, the Active Directory or Windows NT Unity_<servername> account may be enabled and may still have the default password, which should be changed.

Cisco Unity Default Account: None
Account name: UAmis_<servername>
Considerations: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UAmis Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the UAmis account may still have the default password, which should be changed. Beginning with Cisco Unity 4.0(5), this account is disabled by default.

Cisco Unity Default Account: None
Account name: UOmni_<servername>
Considerations: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UOmni Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the UOmni account may still have the default password, which should be changed. Beginning with Cisco Unity 4.0(5), this account is disabled by default.


For additional information on managing default accounts, see the "Best Practices for Securing Default Accounts" section on page 6-5.

Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords

Subscribers use a Windows password to access the Cisco Unity Administrator (when it is configured to use Anonymous authentication) and the Cisco PCA. To protect Cisco Unity from unauthorized access, each subscriber should be assigned a unique Windows password. Additionally, each password should be eight or more characters long and non-trivial.

Simply changing the Windows password on the Subscribers > Subscriber Template > Passwords page in the Cisco Unity Administrator before you create subscriber accounts does not ensure that subscribers are assigned unique passwords. This is because the template might not be used to assign passwords, and when it is used, each subscriber account that you create will be assigned the same password.

Consider the following options to ensure that each subscriber is assigned a unique and secure password at the time that you create the account, or immediately thereafter.

Assigning Unique and Secure Windows Passwords When You Create Subscriber Accounts

Use one of the following methods to assign a unique and secure Windows password to each subscriber account that you create:

Do not use the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard to create new Windows domain accounts. Instead, first create the Windows domain accounts for each subscriber by using Active Directory Users and Computers, and assign each user a unique and secure password as you go. You can then use the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard to create Cisco Unity subscriber accounts.

Use the Cisco Unity Administrator to add a subscriber one at a time. Use a different template for each subscriber that you create, specifying a unique and secure Windows password in each template. Alternatively, you can use one template for all subscribers, but specify a unique and secure password before each subscriber account that you add. If you use the same template for all subscribers, you will need to record the passwords that you assign to each subscriber in a secure place so that you can distribute them later. (Cisco Unity stores only the last value saved.)

Before you specify a template password, review the password policy for the Windows domain to make sure that the minimum length and complexity requirements do not conflict with the password that you specify in the template. Cisco Unity will not add a subscriber account when the length of the password on the subscriber template is less than the minimum length for passwords in the Windows domain.

Assigning Unique and Secure Windows Passwords After Subscriber Accounts Have Been Created

After you have created subscriber accounts, use one of the following methods to assign each account a unique and secure Windows password:

Use Active Directory Users and Computers to change the existing password for each user.

Ask subscribers to change their own passwords. Subscribers can change their Cisco PCA passwords in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. (If the Cisco Unity server is on a different domain than the one that subscribers typically access with their Windows passwords, subscribers will also need to specify the domain name for the Cisco Unity server.)

Note that subscribers may assume that their phone and Cisco PCA passwords are the same. As a result, they may think that they are changing both passwords when Cisco Unity prompts them to change their phone password during first-time enrollment. For this reason, you may find that many subscribers do not change their Cisco PCA passwords in Windows, even though you request that they do so.

Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords

To help protect Cisco Unity from unauthorized access and toll fraud, every subscriber should be assigned a unique phone password. Additionally, each password should be eight or more characters long and non-trivial.

Simply changing the phone password on the Subscribers > Subscriber Template > Passwords page in the Cisco Unity Administrator before you create subscriber accounts does not ensure that subscribers are assigned unique passwords. This is because the template might not be used to assign passwords, and when it is used, each subscriber account that you create is assigned the same password.

Consider the following options to ensure that each subscriber is assigned a unique and secure password at the time that you create the account, or immediately thereafter.

Assigning Unique and Secure Phone Passwords When You Create Subscriber Accounts

Use one of the following methods to assign a unique and secure phone password to each subscriber account that you create:

Use the Cisco Unity Bulk Import wizard to import user data contained in a CSV file. Include the optional column header DTMF_PASSWORD in the CSV file to overwrite the template password for each subscriber.

Use the Cisco Unity Administrator to add a subscriber one at a time. Use a different template for each subscriber that you create, specifying a unique and secure phone password in each template. Alternatively, you can use one template for all subscribers, but specify a unique and secure password before each subscriber account that you add. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Assigning Unique and Secure Phone Passwords After Creating Subscriber Accounts

After you have created subscriber accounts by using either the Cisco Unity Administrator or the Cisco Unity Bulk Import wizard, use the Cisco Unity Bulk Import wizard to assign a unique phone password to each subscriber account that you created. To avoid recording and distributing the passwords, tell subscribers to use the Cisco Unity Assistant to change their initial phone passwords. (The Cisco Unity Assistant does not require that subscribers enter the old phone password to change it.)

Changing Passwords That Are Used to Access the Cisco Unity Administrator

Cisco Unity administrators can change their passwords in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. If the Cisco Unity server is in a different domain than the one that administrators typically access with their Windows passwords, they will also need to specify the domain name for the Cisco Unity server.

Best Practice

When you change a password used to access the Cisco Unity Administrator, specify a long—eight or more characters—and non-trivial password. Set up your account policy to require it. Passwords that are used to access the Cisco Unity Administrator should be changed every six months.

Changing Cisco PCA Passwords

You can change subscriber passwords by using Active Directory Users and Computers after you create subscriber accounts. Each subscriber should be assigned a unique Windows password. Subscribers cannot use the Cisco Unity phone conversation or the Cisco Unity Assistant to change their Cisco PCA passwords, nor can administrators change them in the Cisco Unity Administrator. Instead, subscribers change their Cisco PCA passwords only in Windows by pressing Ctrl-Alt-Delete and then clicking Change Password. (If the Cisco Unity server is in a different domain than the one that subscribers typically access with their Windows passwords, subscribers will also need to specify the domain name for the Cisco Unity server.)

Best Practice

Specify a long—eight or more characters—and non-trivial password. Encourage subscribers to follow the same practice whenever they change their Windows passwords, or set your domain account policy in Windows to require them to do so. Cisco PCA passwords should be changed every six months.

Changing Cisco Unity Phone Passwords

You can change the phone password for an individual subscriber on the Subscribers > Subscribers > Phone Password page in the Cisco Unity Administrator at any time. Alternatively, you can use the Cisco Unity Bulk Import wizard to change the phone passwords for multiple subscribers at the same time. (Refer to the Cisco Unity Bulk Import Help for details.)

As a best practice, each subscriber should be assigned a unique password that is eight or more digits long and non-trivial. If you allow subscribers to set their own passwords, encourage them to follow the same practice or use the settings on the Subscribers > Account Policy > Phone Password Restrictions page in the Cisco Unity Administrator to require them to do so.

When their accounts are configured to allow them, subscribers can use the Cisco Unity phone conversation or the Cisco Unity Assistant to set their phone passwords. Neither the Cisco Unity conversation nor the Cisco Unity Assistant requires subscribers to enter their old phone passwords to reset them.

Note that AMIS, Bridge, Internet, and VPIM subscribers cannot log on to Cisco Unity by phone, use the Cisco Unity Assistant, or use the Cisco Unity Inbox.

Phone passwords should be changed every 30 days.

Best Practice: Train Subscribers to Protect Their Phone Passwords

Because subscribers can use the Cisco Unity Assistant to change their phone passwords, they should take appropriate measures to keep their Cisco PCA passwords secure. Subscribers need to understand that the phone and Cisco PCA passwords are not synchronized. While first-time enrollment prompts them to change their initial phone passwords, it does not let them change the password that they use to log on to the Cisco PCA website.

Best Practice: Check for Trivial Subscriber Passwords

After subscribers have set their passwords, confirm that the passwords are non-trivial. To create a report of subscribers who have trivial passwords, use the Subscriber Information Dump, which is in the Cisco Unity Tools Depot, and check the Trivial PW Check check box. The Subscriber Information Dump report will give one of six values for each subscriber account, as described in the Subscriber Information Dump Help. Subscribers with weak passwords can then be identified and trained to use stronger passwords for their Cisco Unity accounts.

Defining Account Policies for Accessing the Cisco Unity Administrator

How you set up an account policy depends on the authentication method used by the Cisco Unity Administrator. When the Cisco Unity Administrator uses the Integrated Windows authentication method (which is the default), the account policy that is specified for each Windows domain account determines the following:

How Windows handles situations when users attempt to log on to Windows and repeatedly enter incorrect passwords

The number of failed logon attempts that Windows allows before the user account cannot be used to access Windows

The length of time that a user remains locked out

If the Cisco Unity Administrator uses Anonymous authentication, you can use the settings on the Authentication page in the Cisco Unity Administrator to customize the logon, password, and lockout policies that Cisco Unity applies when subscribers use the Cisco Unity Administrator to access Cisco Unity.

Best Practices

For increased security, prohibit the use of blank passwords, a restriction that Cisco Unity honors even when a Windows account allows them.

With either authentication method, the Windows account policies that you define should also require that subscribers change their Cisco Unity passwords at least once every six months and that when changed, the passwords are long—eight or more characters—and non-trivial.

Defining Account Policies for Accessing the Cisco PCA

The account policy that you specify on the Authentication page in the Cisco Unity Administrator determines how Cisco Unity handles situations when subscribers attempt to log on to the Cisco PCA and repeatedly enter incorrect passwords; whether subscribers can use blank passwords; the number of failed logon attempts that Cisco Unity allows before the subscriber account cannot be used to access the Cisco PCA; and the length of time that a user remains locked out.

In addition, you can use the settings on the Authentication page to specify whether the Log On page for the Cisco PCA offers subscribers the following options:

Remember User Name

Remember Password

Remember Domain

When subscribers specify that Cisco Unity will remember their user name, password, or domain, subscribers will not have to enter them the next time that they log on to the Cisco PCA. Instead, the fields are automatically populated in the Log On page. Allowing subscribers to specify whether Cisco Unity will remember their credentials may reduce support desk requests for the information. However, you may not want the Log On page to offer subscribers the above options for security reasons. If this is the case, you can uncheck the Remember Logons for __ Days check box on the Authentication page to prevent the options from appearing on the Cisco PCA Log On page, and to require that subscribers enter their user name, password, and domain each time that they log on to the Cisco PCA.

Defining Account Policies for Phone Access to Cisco Unity

The account policy settings on the Phone Password Restrictions page and the Cisco Unity Account Lockout page in the Cisco Unity Administrator apply when subscribers access Cisco Unity by phone. Changes to settings in the account policy affect all existing subscribers.

See the following sections for more information:

Setting Phone Password Restrictions

Setting Account Lockout Restrictions

Setting Phone Password Restrictions

Phone password restriction settings allow you to define a systemwide password policy that applies when subscribers access Cisco Unity by phone. For greater security, establish rules that prevent passwords from being easy to guess and from being used for a long time. At the same time, it is also best to avoid requiring passwords that are so complicated, or that must be changed so often, that subscribers have to write them down to remember them.

Use the following guidelines as you specify a password policy on the Phone Password Restrictions page in the Cisco Unity Administrator:

Maximum Phone Password Age

As a best practice, do not enable the Password Never Expires option. Instead, confirm that the Days Until Password Expires field is selected so that subscribers are prompted to change their passwords every X days (X is the value specified in the adjacent box). We recommend that you set a maximum phone password age of 30 days.

Phone Password Length

As a best practice, do not enable the Permit Blank Password option. Instead, confirm that the Minimum Number of Characters in Password field is selected so that subscribers are required to create a password at least X characters long (X is the value specified in the adjacent box). When you change the minimum password length, subscribers will be required to use the new length the next time they change their passwords.

We recommend that you require subscribers to use a long—eight or more digits—password when you specify phone password length.

Phone Password Uniqueness

As a best practice, disable the Do Not Keep Password History option (it is enabled by default). Instead, specify a number in the Number of Passwords to Remember field. By doing so, you enable Cisco Unity to enforce password uniqueness by storing a specified number of previous passwords for each subscriber and then, comparing new passwords with those stored in the password history. Cisco Unity rejects any password that matches a password stored in the history.

As a best practice, specify that Cisco Unity store between 10 and 24 passwords in password history.

Check Against Trivial Passwords for Extra Security

As a best practice, confirm that the Check Against Trivial Passwords for Extra Security field is enabled so that subscribers must use non-trivial passwords.

Cisco Unity applications reject phone passwords that contain the trivial characteristics shown in Table 8-2.

Table 8-2 Trivial Phone Password Characteristics Rejected by Application

Trivial Password Characteristic                                | Cisco Unity Conversation (TUI) (1) | Cisco Unity Assistant (1) | Cisco Unity Administrator (1) | Cisco Unity Bulk Import | Password Hardening Wizard (2)
Consists entirely of repeated numbers, such as 44444           | Yes | Yes     | Yes | Yes | Yes
Contains at least one group of repeated numbers, such as 11579 | No  | No      | Yes | No  | Yes
Contains consecutive ascending numbers, such as 12345          | Yes | Yes     | Yes | Yes | Yes
Contains consecutive descending numbers, such as 87654         | Yes | Yes     | Yes | Yes | Yes
Matches the subscriber primary extension                       | Yes | Yes (3) | Yes | No  | Not applicable

(1) Only when you enable the Check Against Trivial Passwords for Extra Security field.

(2) The Password Hardening wizard was added to the Cisco Unity Installation and Configuration Assistant for Cisco Unity 4.0(4). The wizard prompts the installer to specify Active Directory and phone passwords for the default administrator template and for the default subscriber template, and the phone password for the Cisco Unity administration account.

(3) In Cisco Unity version 4.0(4) and earlier, when the Check Against Trivial Passwords for Extra Security check box is checked in the Cisco Unity Administrator, the Cisco Unity Assistant does not prevent subscribers from entering phone passwords that match their extensions.
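Two points in this chapter benefit from the same piece of code: the Bulk Import wizard accepts a DTMF_PASSWORD column (see "Ensuring That Subscribers Are Initially Assigned Unique and Secure Phone Passwords"), and the table above shows that the applications disagree about what counts as trivial. The example below is added here and is not Cisco code: it encodes each row of Table 8-2 as a characteristic, each column as the set of characteristics that application rejects, and then uses the strictest combination to generate a unique, random phone password per subscriber for a Bulk Import CSV. Assumptions, since the guide does not state them: "consecutive ascending/descending numbers" is taken to mean a run of three or more adjacent digits stepping by one, the application keys are the author's own labels, and every CSV column header other than DTMF_PASSWORD is a placeholder to be checked against the Bulk Import Help.

```python
import csv
import io
import secrets

# One entry per column of Table 8-2: the characteristics that application rejects.
# For the TUI, the Cisco Unity Assistant and the Cisco Unity Administrator this
# applies only when Check Against Trivial Passwords for Extra Security is enabled.
REJECTED_BY = {
    "tui": {"all_same", "ascending", "descending", "extension"},
    "assistant": {"all_same", "ascending", "descending", "extension"},
    "administrator": {"all_same", "repeated_group", "ascending", "descending", "extension"},
    "bulk_import": {"all_same", "ascending", "descending"},
    "hardening_wizard": {"all_same", "repeated_group", "ascending", "descending"},
}


def trivial_characteristics(password: str, extension: str) -> set:
    """Return the Table 8-2 characteristics present in a digit-only phone password.

    Assumption: "consecutive ascending/descending numbers" means a run of three or
    more adjacent digits that step by exactly one (12345, 87654); the guide gives
    examples but no minimum run length.
    """
    if not password.isdigit():
        raise ValueError("phone passwords consist entirely of digits")
    found = set()
    if len(set(password)) == 1:
        found.add("all_same")            # 44444
    if any(password[i] == password[i + 1] for i in range(len(password) - 1)):
        found.add("repeated_group")      # the 11 in 11579
    digits = [int(c) for c in password]
    for i in range(len(digits) - 2):
        a, b, c = digits[i:i + 3]
        if b == a + 1 and c == b + 1:
            found.add("ascending")       # 12345
        if b == a - 1 and c == b - 1:
            found.add("descending")      # 87654
    if password == extension:
        found.add("extension")           # matches the subscriber primary extension
    return found


def rejection_reasons(application: str, password: str, extension: str) -> set:
    """Characteristics that make the named application reject this password."""
    return trivial_characteristics(password, extension) & REJECTED_BY[application]


def random_dtmf_password(length: int, extension: str) -> str:
    """Draw random digit strings until one has no Table 8-2 characteristic at all,
    so every application accepts it no matter which checks it performs."""
    while True:
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not trivial_characteristics(candidate, extension):
            return candidate


def bulk_import_csv(subscribers, length: int = 8) -> str:
    """Build CSV text for the Cisco Unity Bulk Import wizard with a unique,
    non-trivial DTMF_PASSWORD for each subscriber.

    subscribers: iterable of (alias, first_name, last_name, extension).
    DTMF_PASSWORD is the optional column named in the guide; the other headers are
    assumptions and must be checked against the Bulk Import Help before use.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ALIAS", "FIRST_NAME", "LAST_NAME", "DTMF_ID", "DTMF_PASSWORD"])
    used = set()
    for alias, first, last, extension in subscribers:
        password = random_dtmf_password(length, extension)
        while password in used:          # unique across the whole import file
            password = random_dtmf_password(length, extension)
        used.add(password)
        writer.writerow([alias, first, last, extension, password])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample subscribers; not real accounts.
    sample = [("jdoe", "Jane", "Doe", "2001"), ("rroe", "Rick", "Roe", "2002")]
    for app in REJECTED_BY:
        print(app, sorted(rejection_reasons(app, "11579", "2001")))
    print(bulk_import_csv(sample))
```

Because the generator rejects every characteristic in the table, the passwords it emits survive a later change to a subscriber's password through the TUI or the Cisco Unity Assistant with trivial checking on, and they also pass the Bulk Import wizard's own, looser checks. Treat the CSV as sensitive: it carries plaintext phone passwords and should be deleted once the import is done and subscribers have been told to change them.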


Setting Account Lockout Restrictions

Cisco Unity account lockout settings allow you to specify whether you want Cisco Unity to use an account lockout policy that applies to all subscribers who access Cisco Unity by phone. You cannot change account policy settings for individual subscriber accounts, though you can lock individual subscriber accounts to prevent those subscribers from using the phone to access Cisco Unity (you lock out individual subscriber accounts on the applicable Subscribers > Subscribers > Account page in the Cisco Unity Administrator).

To specify an account lockout policy on the Account Lockout page, confirm that the Account Lockout field is selected. Then, use the following guidelines as you indicate how you want Cisco Unity to handle failed logon attempts, and if they occur, how long account lockouts last.

Lock Account After __ Invalid Attempts

Use this field to indicate how Cisco Unity handles situations when a caller attempts to log on to a subscriber account and repeatedly enters an incorrect password. We recommend that you change the default to specify that Cisco Unity blocks phone access to the subscriber account after three failed logon attempts.

Reset Count After __ Minutes

Use this field to specify the number of minutes after which Cisco Unity will clear the count of failed logon attempts (unless the failed logon limit is already reached and the account is locked).

Lockout Duration

Specify the length of time that a subscriber who is locked out must wait before attempting to access Cisco Unity by phone again. We recommend that you change the default value to 1440 minutes so that a locked-out account stays locked for one day. For even tighter security, you can select Forever, which prevents subscribers from accessing their accounts until a system administrator unlocks them on the applicable Subscribers > Subscribers > Account page. Set the lockout duration to Forever only if a system administrator is readily available to assist subscribers or if the system is prone to unauthorized access and toll fraud.
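The three settings above interact: the reset window decides whether slow guessing ever reaches the lockout threshold, and the lockout duration decides how long even the correct password is refused afterwards. The simulator below is an added example, not Cisco code, that models those semantics with the recommended values (three attempts, a 1440-minute lockout, or Forever). It assumes, because the guide does not say, that the reset window is measured from the most recent failed attempt, that a successful logon clears the count, and that an expired lockout starts the count over; the clock is a plain minute counter and the extension-to-password map is constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three Account Lockout page settings. All times are minutes."""
    lock_after: int = 3                       # Lock Account After __ Invalid Attempts
    reset_count_after: int = 30               # Reset Count After __ Minutes
    lockout_duration: Optional[int] = 1440    # Lockout Duration; None models "Forever"


@dataclass
class SubscriberState:
    failed_attempts: int = 0
    last_failure: Optional[int] = None        # minute of the most recent bad password
    locked_at: Optional[int] = None           # minute the lockout started, if any


class PhoneLogonSimulator:
    """Model of how the lockout settings interact for phone logons.

    Assumptions the guide does not spell out: the reset window runs from the most
    recent failed attempt, a successful logon clears the count, and an expired
    lockout starts the count over.
    """

    def __init__(self, policy: LockoutPolicy, dtmf_passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = dtmf_passwords       # extension -> phone password (sample data)
        self.state: Dict[str, SubscriberState] = {}

    def _state(self, extension: str) -> SubscriberState:
        return self.state.setdefault(extension, SubscriberState())

    def is_locked(self, extension: str, now: int) -> bool:
        st = self._state(extension)
        if st.locked_at is None:
            return False
        if self.policy.lockout_duration is None:
            return True                       # Forever: only admin_unlock clears it
        if now - st.locked_at >= self.policy.lockout_duration:
            self.state[extension] = SubscriberState()   # lockout expired
            return False
        return True

    def attempt(self, extension: str, password: str, now: int) -> str:
        """Return "success", "failure" or "locked" for one phone logon attempt."""
        if self.is_locked(extension, now):
            return "locked"                   # even the right password is refused
        st = self._state(extension)
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_count_after:
            st.failed_attempts = 0            # Reset Count After __ Minutes
        if password == self.passwords.get(extension):
            st.failed_attempts = 0
            st.last_failure = None
            return "success"
        st.failed_attempts += 1
        st.last_failure = now
        if st.failed_attempts >= self.policy.lock_after:
            st.locked_at = now                # Lock Account After __ Invalid Attempts
            return "locked"
        return "failure"

    def admin_unlock(self, extension: str) -> None:
        """What an administrator does on the Subscribers > Subscribers > Account page."""
        self.state[extension] = SubscriberState()


if __name__ == "__main__":
    # Constructed scenario: a guesser tries 0000 three times against extension 2001.
    sim = PhoneLogonSimulator(LockoutPolicy(), {"2001": "48261937"})
    for minute in (0, 1, 2):
        print(minute, sim.attempt("2001", "0000", minute))
    print(3, sim.attempt("2001", "48261937", 3))        # still locked with the right password
    print(1442, sim.attempt("2001", "48261937", 1442))  # lockout has expired
```

The second scenario worth running is a guesser who spaces attempts wider than the reset window: with Reset Count After 30 minutes, one wrong password every 40 minutes never locks the account, which is why a short reset window paired with a low attempt limit is the weaker of the two knobs against patient toll-fraud attempts.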