logging: All system events, such as CLI logins and incorrect password attempts, are logged and saved.
Limit log-on: The maximum number of concurrent sessions for an interface can be configured. Any new session beyond the configured maximum is disconnected. In EnhancedSecurityMode, the default value of Maximum Concurrent Sessions for Interface (Per User) is 2 and the default value of Concurrent Sessions for IMAP Interface (Per User) is 5. For more
PINs, and Authentication Rule Management
Inactive Users: The number of days for the user inactivity timeout can be configured. If a user does not log in to the voicemail account for the configured number of days, the account is disabled and further access is
In EnhancedSecurityMode, a new privilege "Super Custom Administrator" is added to the privilege list on the Custom Roles page. With the help of the "Super Custom Administrator" privilege, a system administrator can create two levels of administrator hierarchies in
EnhancedSecurityMode is enabled, a stringent credential policy for new passwords and password changes can be enforced for platform administrators. This policy enforces the following default requirements for passwords:
Credential Length must be between 14 and 127 characters.
Password must contain at least 1 lowercase letter, 1 uppercase letter, 1 digit and 1 special character.
Stored Number of Previous Credentials is 24; none of the previous 24 passwords can be reused.
Credential Expires After has a minimum limit of 1 day and a maximum limit of 60 days.
Minimum Number of Character Changes between Successive Credentials must be at least 4.
After enabling EnhancedSecurityMode, the administrator can use the Authentication Rules to modify any of the password requirements and enforce a stricter password policy for all password changes. For information on credential policies, see the
PINs, and Authentication Rule Management" chapter.
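As an added illustration (not code from Cisco or from this guide), the following Python validator applies the EnhancedSecurityMode default credential requirements listed above to a proposed password change. It assumes the history is kept as SHA-256 digests of earlier passwords and, since the page does not define how "character changes" are counted, measures them as the edit distance between the current and the new credential; the expiry window is not modelled because it is a time-based check rather than a property of the password itself.

```python
import hashlib
import re

# Default EnhancedSecurityMode credential policy values as stated on the page.
MIN_LEN, MAX_LEN = 14, 127
HISTORY_DEPTH = 24
MIN_CHAR_CHANGES = 4

# Character-class requirements: (regex, message shown when it is not met).
CLASS_RULES = [
    (r"[a-z]", "needs at least 1 lowercase letter"),
    (r"[A-Z]", "needs at least 1 uppercase letter"),
    (r"[0-9]", "needs at least 1 digit"),
    (r"[^A-Za-z0-9]", "needs at least 1 special character"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; assumed here as the measure of how many
    characters changed between successive credentials."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digest(password: str) -> str:
    """History entries are stored as SHA-256 digests, not plaintext (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_credential(new: str, current: str, history: list[str]) -> list[str]:
    """Return every policy violation for `new`; an empty list means accepted.
    `history` holds digests of previous passwords, newest first, and is
    expected to include the digest of `current`."""
    problems = []
    if not MIN_LEN <= len(new) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    for pattern, message in CLASS_RULES:
        if not re.search(pattern, new):
            problems.append(message)
    if digest(new) in history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} credentials")
    if edit_distance(current, new) < MIN_CHAR_CHANGES:
        problems.append(f"must change at least {MIN_CHAR_CHANGES} characters")
    return problems
```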
To comply with the security requirements, you must configure remote audit logging in Unity Connection. In EnhancedSecurityMode, the system uses TCP as the default protocol to send audit events and alarms to the remote syslog server. Unlike UDP, which is used while the system is in normal operating mode, TCP contains mechanisms to guarantee delivery of all packets. However, if you prefer, you can reconfigure the system to use UDP while in this mode.
If a transfer failure occurs, the TCPRemoteSyslogDeliveryFailed alarm and alert are triggered to notify the administrator about the TCP transfer failure. A throttling mechanism ensures that no more than one alarm and one alert are sent per hour, so the administrator is not flooded with identical alarms and alerts. The administrator can use the local audit logs as a backup while communications are reestablished.
FIPS 140-2 Mode Setup: FIPS mode must be enabled before you enable EnhancedSecurityMode. If FIPS mode is not already enabled, you are prompted to enable it when you attempt to enable EnhancedSecurityMode.
Set up a remote syslog server and configure IPSec between Unity Connection and the remote server, including the gateways in between.
Audit Framework for the mode.
Set up the audit logging framework for Unity Connection, which includes setting up remote syslog servers for all audit logs and alarms. See the Configuring Audit Framework section.
Use the following procedure to enable or disable EnhancedSecurityMode. Note that FIPS mode must be enabled before enabling the
Log in to the Command Line Interface.
command to confirm whether the mode status is set to enabled or disabled.
following command to enable EnhancedSecurityMode if the mode is disabled:
utils EnhancedSecurityMode enable
you can run the
EnhancedSecurityMode disable command to disable the mode.
procedure for all nodes of Cisco Unity Connection.
Use the following procedure to update the system credential policies.