Note: Cisco Unity Connection authentication rules are not applicable to managing user passwords in Cisco Unified Communications Manager Business Edition (CMBE), or when LDAP authentication is enabled, because authentication is not handled by Unity Connection in those cases.
Use authentication rules to customize the sign-in, password, and
lockout policies that Cisco Unity Connection applies when users access Unity
Connection by phone, and how users access Cisco Unity Connection
Administration, the Cisco PCA, and other applications such as IMAP clients.
The settings that you specify on the Edit Authentication Rule
page in Connection Administration determine:
- The number of failed sign-in attempts to the Unity Connection phone interface, the Cisco PCA, or Connection Administration that are allowed before an account is locked.
- The number of minutes an account remains locked before it is reset.
- Whether a locked account must be unlocked manually by an administrator.
- The minimum length allowed for passwords and PINs.
- The number of days before a password or PIN expires.
Best Practices:
For increased security, we recommend the following best
practices when defining authentication rules:
- Require that users change their Unity Connection passwords and PINs at least once every six months.
- Require web application passwords to be eight or more characters and non-trivial.
- Require voicemail PINs to be six or more characters and non-trivial.
For greater security, establish authentication rules that prevent PINs and passwords from being easy to guess and from being used for a long time. At the same time, it is also best to avoid requiring PINs and passwords that are so complicated, or that must be changed so often, that users have to write them down to remember them.
In addition, use the following guidelines as you specify
authentication rules in the following fields:
Failed Sign-In __ Attempts:
Use this field to indicate how Unity Connection handles
situations when a user repeatedly enters an incorrect PIN or password. We
recommend that you set the field to lock user accounts after three failed
sign-in attempts.
Reset Failed Sign-In Attempts Every __ Minutes:
Use this field to specify the number of minutes after which Unity Connection clears the count of failed sign-in attempts (unless the failed sign-in limit has already been reached and the account is locked). We recommend that you set the field to clear the count of failed sign-in attempts after 30 minutes.
Lockout Duration:
Use this field to specify the length of time that a user who is
locked out must wait before attempting to sign in again.
For even tighter security, you can check the Administrator Must
Unlock check box, which prevents users from accessing their accounts until an
administrator unlocks them on the applicable User > Password Settings page.
Check the Administrator Must Unlock check box only if an administrator is
readily available to assist users or if the system is prone to unauthorized
access and toll fraud.
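The three fields above (Failed Sign-In Attempts, Reset Failed Sign-In Attempts Every __ Minutes, and Lockout Duration together with Administrator Must Unlock) interact, and the interaction is easier to see as a small state machine. The following is an added example, not Unity Connection code: it models an account's failed-attempt counter with the recommended values from this page (3 attempts, 30-minute reset window). The page gives no number for Lockout Duration, so the 30-minute lockout is a constructed value, and measuring the reset window from the most recent failure is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AuthRule:
    """Lockout-related fields of an authentication rule (hypothetical model).

    Defaults follow the page's recommendations (3 attempts, 30-minute reset
    window). The page gives no Lockout Duration value; 30 is constructed.
    """
    failed_sign_in_attempts: int = 3
    reset_failed_attempts_minutes: int = 30
    lockout_duration_minutes: int = 30
    administrator_must_unlock: bool = False


@dataclass
class AccountState:
    """Per-user lockout bookkeeping (assumed structure, not Unity Connection's)."""
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # timed lockout; None when not locked
    admin_locked: bool = False                # set when Administrator Must Unlock is on


class LockoutPolicy:
    def __init__(self, rule: AuthRule):
        self.rule = rule

    def is_locked(self, state: AccountState, now: datetime) -> bool:
        """Report whether the account is locked at `now`, expiring timed locks."""
        if state.admin_locked:
            return True
        if state.locked_until is None:
            return False
        if now >= state.locked_until:
            # Lockout Duration has elapsed: the user may try again with a clean count.
            state.locked_until = None
            state.failed_attempts = 0
            state.last_failure = None
            return False
        return True

    def record_attempt(self, state: AccountState, success: bool, now: datetime) -> str:
        """Apply one sign-in attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(state, now):
            return "locked"          # even a correct credential is refused while locked
        if success:
            state.failed_attempts = 0
            state.last_failure = None
            return "ok"
        # Reset Failed Sign-In Attempts Every __ Minutes: clear a stale count.
        # Measuring the window from the most recent failure is an assumption.
        window = timedelta(minutes=self.rule.reset_failed_attempts_minutes)
        if state.last_failure is not None and now - state.last_failure >= window:
            state.failed_attempts = 0
        state.failed_attempts += 1
        state.last_failure = now
        if state.failed_attempts >= self.rule.failed_sign_in_attempts:
            if self.rule.administrator_must_unlock:
                state.admin_locked = True
            else:
                state.locked_until = now + timedelta(minutes=self.rule.lockout_duration_minutes)
            return "locked"
        return "failed"

    def admin_unlock(self, state: AccountState) -> None:
        """Models the administrator unlocking the account on User > Password Settings."""
        state.admin_locked = False
        state.locked_until = None
        state.failed_attempts = 0
        state.last_failure = None


if __name__ == "__main__":
    policy = LockoutPolicy(AuthRule())
    acct = AccountState()
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed timestamps
    for minute in range(3):
        print(policy.record_attempt(acct, False, t0 + timedelta(minutes=minute)))
    print(policy.record_attempt(acct, True, t0 + timedelta(minutes=5)))   # still locked
    print(policy.record_attempt(acct, True, t0 + timedelta(minutes=40)))  # lock expired
```

The point of the third branch is the one the page makes about Administrator Must Unlock: with it set, no amount of elapsed time clears the lock, so the account stays unusable until an administrator acts, which is why the page ties that setting to having an administrator readily available.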
Credential Expires After __ Days:
As a best practice, do not enable the Never Expires option.
Instead, confirm that this field has a value greater than zero so that users
are prompted to change their passwords every X days (X is the value specified
in the Credential Expires After field).
We recommend that you configure web passwords to expire after
120 days and phone PINs to expire after 180 days.
Minimum Credential Length:
As a best practice, set this field to six or higher.
For authentication rules that are used for web application
passwords, we recommend that you require users to use passwords that are eight
or more characters in length.
For authentication rules that are used for phone PINs, we
recommend that you require users to use PINs that are six or more digits in
length.
When you change the minimum credential length, users are
required to use the new length the next time that they change their PINs and
passwords.
Minimum Number of Character Changes between Successive Credentials:
Use this field to specify the number of characters that a user must change when updating the web application password (not applicable to PINs).
The value of this field should be less than or equal to the value of Minimum Credential Length.
By default, the value of this field is set to 1, which means that the user must change at least one character between the old password and the new password.
Stored Number of Previous Credentials:
As a best practice, specify a number in this field. By doing so,
you enable Unity Connection to enforce password uniqueness by storing a
specified number of previous passwords or PINs for each user. When users change
passwords and PINs, Unity Connection compares the new password or PIN with
those stored in the credential history. Unity Connection rejects any password
or PIN that matches a password or PIN stored in the history.
By default, Unity Connection stores 5 passwords or PINs in
credential history.
Check For Trivial Passwords:
As a best practice, confirm that this field is enabled so that
users must use non-trivial PINs and passwords.
A non-trivial phone PIN has the following attributes:
- The PIN cannot match the numeric representation of the first or last name of the user.
- The PIN cannot contain the primary extension or alternate extensions of the user.
- The PIN cannot contain the reverse of the primary extension or alternate extensions of the user.
- The PIN cannot contain groups of repeated digits, such as “408408” or “123123.”
- The PIN cannot contain only two different digits, such as “121212.”
- A digit cannot be used more than two times consecutively (for example, “28883”).
- The PIN cannot be an ascending or descending group of digits (for example, “012345” or “987654”).
- The PIN cannot contain a group of numbers that are dialed in a straight line on the keypad when the group of digits equals the minimum credential length that is allowed (for example, if 3 digits is allowed, the user could not use “123,” “456,” or “789” as a PIN).
A non-trivial web application password has the following
attributes:
- The password must contain at least three of the following four characters: an uppercase character, a lowercase character, a number, or a symbol.
- The password cannot contain the user alias or its reverse.
- The password cannot contain the primary extension or any alternate extensions.
- A character cannot be used more than three times consecutively (for example, !Cooool).
- The characters cannot all be consecutive, in ascending or descending order (for example, abcdef or fedcba).
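The two attribute lists above (non-trivial phone PINs and non-trivial web application passwords) are precise enough to implement, which is useful when auditing an export of user credentials against the policy or when explaining to users why a choice was rejected. The following is an added example written for this page, not Unity Connection's own checker: each function returns the list of rules a candidate credential breaks, using the page's examples as test inputs. The keypad letter mapping is the standard phone layout; which key groups count as a "straight line" (rows, columns and the 2-5-8-0 centre column), the case-insensitive alias match, and the reading of "groups of repeated digits" as a block of two or more digits immediately repeated are my assumptions.

```python
import re

# Standard phone keypad letters, used to turn a name into its "numeric representation".
KEYPAD = {letter: digit
          for digit, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                                 "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items()
          for letter in letters}

# Key groups that form a straight line on a 3x4 keypad (rows, columns and the
# 2-5-8-0 centre column). Which lines are checked is an assumption; the page
# names 123, 456 and 789 as examples for a 3-digit minimum.
KEYPAD_LINES = ["123", "456", "789", "147", "258", "369", "2580"]


def name_to_digits(name: str) -> str:
    """Map a name to keypad digits; characters without a key (hyphens etc.) are dropped."""
    return "".join(KEYPAD.get(c, "") for c in name.upper())


def is_consecutive_run(s: str) -> bool:
    """True when every character is exactly one code point above (or every one
    below) its predecessor: '012345', '987654', 'abcdef', 'fedcba'."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def trivial_pin_violations(pin, first_name, last_name, extensions, min_length):
    """Return the page's non-trivial-PIN rules that `pin` breaks (empty list = OK)."""
    v = []
    if not pin.isdigit() or len(pin) < min_length:
        v.append("not a PIN of at least the minimum length")
    if pin in {name_to_digits(first_name), name_to_digits(last_name)} - {""}:
        v.append("matches numeric representation of first or last name")
    exts = [e for e in extensions if e]
    if any(e in pin for e in exts):
        v.append("contains an extension")
    if any(e[::-1] in pin for e in exts):
        v.append("contains a reversed extension")
    if re.search(r"(\d{2,})\1", pin):           # 408408, 123123
        v.append("contains a repeated group of digits")
    if len(set(pin)) <= 2:                       # 121212
        v.append("uses only two different digits")
    if re.search(r"(\d)\1\1", pin):              # 28883
        v.append("same digit more than twice in a row")
    if is_consecutive_run(pin):                  # 012345, 987654
        v.append("ascending or descending digits")
    if any(len(line) == min_length and (line in pin or line[::-1] in pin)
           for line in KEYPAD_LINES):
        v.append("straight line on the keypad")
    return v


def trivial_password_violations(password, alias, extensions, min_length):
    """Return the page's non-trivial-password rules that `password` breaks."""
    v = []
    if len(password) < min_length:
        v.append("shorter than the minimum credential length")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        v.append("fewer than three of: uppercase, lowercase, number, symbol")
    low, a = password.lower(), alias.lower()     # case-insensitive match is an assumption
    if a and (a in low or a[::-1] in low):
        v.append("contains the user alias or its reverse")
    if any(e and e in password for e in extensions):
        v.append("contains an extension")
    if re.search(r"(.)\1{3}", password):         # !Cooool
        v.append("same character more than three times in a row")
    if is_consecutive_run(password):             # abcdef, fedcba
        v.append("all characters consecutive")
    return v


if __name__ == "__main__":
    # Constructed sample user: alias jsmith, first name Amy, extension 4021.
    for pin in ["408408", "121212", "28883", "012345", "740213", "739152"]:
        print(pin, trivial_pin_violations(pin, "Amy", "Smith", ["4021"], 6))
    for pw in ["!Cooool", "abcdef", "jsmith2024!", "Tr0ub4dor&3"]:
        print(pw, trivial_password_violations(pw, "jsmith", ["4021"], 8))
```

Note that the straight-line rule only fires when a line's length equals the minimum credential length, exactly as the page states; with the recommended six-digit PIN minimum none of the three-key lines match, and the ascending/descending rule is what catches "123456" instead.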