Securing Accounts
Introduction
In this chapter, you will find descriptions of potential security issues related to securing accounts; information on any actions you need to take; recommendations that will help you make decisions; ramifications of the decisions you make; and in many cases, best practices.
See the following sections:
• Understanding Accounts
• Best Practices for Accounts That Are Used to Access the Cisco Unity Administrator
• Best Practices for Accounts That Are Used to Access the Cisco Unity Server
• Best Practices When Deleting Cisco Unity Subscriber Accounts
• Best Practices for Securing Default Accounts
For the latest requirements for Cisco Unity service accounts and permissions, refer to the applicable Cisco Unity installation guide, available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_installation_guides_list.html.
Understanding Accounts
Each regular Cisco Unity subscriber account is associated with a Domino Person document. When you use either the Cisco Unity Bulk Import wizard or the Cisco Unity Administrator to create a subscriber account, note that Cisco Unity does not:
• Import Active Directory or Windows NT account information.
• Enable an Active Directory domain account if it is disabled.
• Create an Active Directory domain account or Windows NT user account for a person if an account does not already exist.
To access the Cisco Unity Administrator and the Status Monitor, administrators may or may not require an enabled Active Directory account or Windows NT account, as follows:
• When the Cisco Unity Administrator and the Status Monitor use Integrated Windows authentication, administrators require an Active Directory or Windows NT account to access either application.
• When the Cisco Unity Administrator and the Status Monitor use the Anonymous authentication method and administrators will use their Active Directory or Windows NT credentials to access the applications, they need an Active Directory or Windows NT account.
• When the Cisco Unity Administrator and the Status Monitor use Anonymous authentication and administrators will use their Domino credentials to access the applications, they do not need Active Directory or Windows NT accounts to access either application.
If an Active Directory or Windows NT account is required, after you create a subscriber account that will be used to administer Cisco Unity, you must then use the GrantUnityAccess utility to associate the subscriber account with an Active Directory or Windows NT account that will allow the subscriber to access the Cisco Unity Administrator. For details, see the "Best Practices for Accounts That Are Used to Access the Cisco Unity Administrator" section.
Best Practices for Accounts That Are Used to Access the Cisco Unity Administrator
The Cisco Unity Administrator is a website that you use to do most administrative tasks. Depending on the associated class of service rights, accounts that can be used to access the Cisco Unity Administrator can offer access to settings used to define how Cisco Unity works for individual subscribers (or for a group of subscribers), system schedules, call management options, and other important data. If your site is comprised of multiple Cisco Unity servers, an account used to access one Cisco Unity Administrator may be able to gain access to the other Cisco Unity Administrators as well. To secure access to the Cisco Unity Administrator, consider the following best practices.
Best Practice: Limit the Use of the Administration Account
Until you create a Cisco Unity subscriber account specifically for the purpose of administering Cisco Unity, you log on to the Cisco Unity Administrator by using the Active Directory or Windows NT credentials that are associated with the administration account that was selected when Cisco Unity was installed. The administration account is automatically associated with a class of service that offers full system access rights to the Cisco Unity Administrator. This means that not only can the administration account access all pages in the Cisco Unity Administrator, but it also has read, edit, add, and delete privileges for all Cisco Unity Administrator pages. For this reason, you should limit the use of this highly privileged account to only one or to very few individuals.
As an alternative to the administration account, you can create additional accounts that have class of service rights to access the Cisco Unity Administrator but offer fewer privileges. If your organization depends on more than one person to administer Cisco Unity, you can modify the class of service rights for each account so that access to the Cisco Unity Administrator is appropriate to the administrative tasks that each person performs. By creating additional accounts, you also ensure that other accounts are available to access the Cisco Unity Administrator in the event that the administration account is deleted or corrupted.
To learn about the ways in which you create additional accounts or grant administrative rights to existing accounts so that they can be used to access the Cisco Unity Administrator, refer to the "Cisco Unity Administrator Accounts" section in the "Accessing the Cisco Unity Administrator" chapter of the Cisco Unity System Administration Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.
Best Practices: Use Class of Service to Restrict Access to the Cisco Unity Administrator
When modifying class of service settings and assignments to secure access to the Cisco Unity Administrator, consider the following best practices:
• Do not modify the system access settings for the Default Administrator class of service. Instead, reassign subscriber accounts to a new class of service that offers an appropriate level of access to the Cisco Unity Administrator. For example, you may want to associate an account with a class of service that offers read-only access to the Cisco Unity Administrator, or that offers access only to the specific pages in the Cisco Unity Administrator needed to unlock accounts or change passwords.
• Verify that at least one subscriber account is assigned to the Default Administrator class of service. If administrators will use their Windows domain account credentials to access the Cisco Unity Administrator, verify that you have at least one Windows domain account with class of service rights to access the Cisco Unity Administrator. Otherwise, you may lose the ability to administer Cisco Unity and be required to reinstall.
• By default, the Default Subscriber class of service prohibits access to the Cisco Unity Administrator, and it should not be changed to allow such access. Instead, use it to offer access to the Cisco Unity features and applications that are appropriate for end users.
To learn how to create and modify classes of service, refer to the "Class of Service Settings" chapter of the Cisco Unity System Administration Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.
Best Practice: Do Not Use Other Accounts to Access the Cisco Unity Administrator
Cisco Unity administrators should not use the same account to access the Cisco Unity Administrator that they use to log on to the Cisco Personal Communications Assistant (PCA). In addition, administrators should not use Cisco Unity service accounts to access the Cisco Unity Administrator.
Best Practices for Accounts That Are Used to Access the Cisco Unity Server
When you install Cisco Unity, you can choose the drive and directory where it is installed. By default, it is installed in the CommServer directory.
By default, the Active Directory accounts that Cisco Unity services log on as have Full Control access to the CommServer directory because they belong either to the local Administrators group (when the Cisco Unity server is a member server) or the Domain Admins group (when the Cisco Unity server is a domain controller). However, we recommend that you not use these accounts as administration accounts. Instead, we recommend that you designate a highly privileged account for use by a system administrator, and grant Full Control permissions to the Cisco Unity directories and files so that the account can be used for administration and troubleshooting.
Best Practice
Verify that other domain accounts used by Cisco Unity system administrators are restricted to read-only access, and verify that all Cisco Unity subscribers and any other domain accounts and groups have no access rights to the directories or files on the Cisco Unity server. To restrict access, remove the Everyone system group from the default user permissions on C:\ (or the root of any other drive on the Cisco Unity server) and, as applicable, assign permissions to the Authenticated Users group instead. Finally, verify that no explicit privileged permissions have been assigned to individual groups or accounts.
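One way to check the permission conditions above on a Cisco Unity server, as an added PowerShell example that is not part of the Cisco documentation. It assumes the default C:\CommServer installation path and uses EXAMPLE\UnityAdmin as a placeholder for the designated administration account; adjust both for your site.

```powershell
# Added audit example (not from the Cisco Unity documentation).
# Assumptions: Cisco Unity is installed under C:\CommServer, and the identities in
# $ApprovedFullControl are the only ones expected to hold Full Control.
$Paths = @('C:\', 'C:\CommServer')
$ApprovedFullControl = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'EXAMPLE\UnityAdmin'     # placeholder for the designated administration account
)

function Test-UnityPathAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $write = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $issue = $null
        # 1. Everyone should not appear on the drive root or the Cisco Unity directories.
        if ($id -eq 'Everyone') {
            $issue = 'Everyone group present; use Authenticated Users instead'
        }
        # 2. Full Control held by an identity outside the approved list.
        elseif (($ace.FileSystemRights -band $full) -eq $full -and
                $ApprovedFullControl -notcontains $id) {
            $issue = 'Full Control granted to a non-approved identity'
        }
        # 3. Authenticated Users should be read-only.
        elseif ($id -eq 'NT AUTHORITY\Authenticated Users' -and
                ($ace.FileSystemRights -band $write) -ne 0) {
            $issue = 'Authenticated Users has write/delete rights; restrict to read-only'
        }
        if ($issue) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # explicit (non-inherited) grants deserve a closer look
                Issue     = $issue
            }
        }
    }
}

$Paths | ForEach-Object { Test-UnityPathAcl -Path $_ } | Format-Table -AutoSize
```

ACEs that carry generic rights show up as large numeric values in the Rights column and are not matched by the Full Control check, so review those entries manually.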
Best Practices When Deleting Cisco Unity Subscriber Accounts
Deleting a Cisco Unity subscriber account does not delete the Active Directory or Windows NT account (if there is one) or the Domino Person document for that subscriber. You can delete the Active Directory or Windows NT account and Domino Person document separately after you delete the subscriber account in the Cisco Unity Administrator.
Best Practices for Securing Default Accounts
Table 6-1 lists the Cisco Unity subscriber accounts and the Domino Person documents and mail files that are created by Cisco Unity, when they are created, and best practices for securing them.
Table 6-1 Considerations for Securing Default Cisco Unity Accounts, Domino Person Documents, or Domino Mail Files

| Cisco Unity Subscriber Account | Domino Person Document and Domino Mail File | When Created | Best Practice |
|---|---|---|---|
| Example Administrator | Example Administrator, eadmin<systemid>.nsf | At installation | For versions of Cisco Unity prior to 4.0(5), or for systems that were upgraded from a version prior to 4.0(5): change the phone password, and change the class of service to remove administration rights. Do not delete this account or the associated Person document or mail file. |
| Example Subscriber | ESubscriber | At installation (on Cisco Unity 4.0(2) and earlier systems only) | If present, delete this subscriber account. |
| None | Unity Amis, UAmis_<servername>.nsf | When configuring AMIS (Cisco Unity 4.0(5) and later only) | Do not delete this Person document or mail file, even if AMIS is no longer in use. |
| Unity Messaging System (not visible in the Cisco Unity Administrator) | Unity Messaging System, Unity_<servername>.nsf | At installation | Do not delete this account or the associated Person document or mail file. |
| None | Unity Omni, UOmni_<servername>.nsf | When configuring the Cisco Unity Bridge (Cisco Unity 4.0(5) and later only) | Do not delete this Person document or mail file, even if Bridge Networking is no longer in use. |
| None | UnityBroadcast <servername>, USbms_<servername>.nsf | At installation (Cisco Unity 4.0(5) and later only) | Do not delete this Person document or mail file, even if broadcast messaging is not in use. |