Cisco Unity Security Guide (With Microsoft Exchange), Release 4.x
Securing Accounts

Introduction

In this chapter, you will find descriptions of potential security issues related to securing accounts; information on any actions you need to take; recommendations that will help you make decisions; ramifications of the decisions you make; and in many cases, best practices.

See the following sections:

Understanding Accounts

Best Practices for Accounts That Are Used to Access the Cisco Unity Administrator

Best Practices for Accounts That Are Used to Access the Cisco Unity Server

Best Practices When Deleting Cisco Unity Subscriber Accounts

Securing the Account That Was Used to Install Cisco Unity

Best Practices for Securing Default Accounts

For the latest requirements for Cisco Unity service accounts and permissions, refer to the applicable Cisco Unity installation guide, available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_installation_guides_list.html.

Understanding Accounts

Each Cisco Unity subscriber account generally has a corresponding Active Directory domain account or a Windows NT user account:

When the partner Exchange server is running Exchange 2003 or Exchange 2000, every regular Cisco Unity subscriber account is associated with an Active Directory domain account.

When the partner Exchange server is running Exchange 5.5 and the Cisco Unity server is a member server or a domain controller in an Active Directory domain, every regular Cisco Unity subscriber is associated with an Active Directory domain account.

When the partner Exchange server is running Exchange 5.5 and the Cisco Unity server is a member server in a Windows NT domain, regular Cisco Unity subscribers may or may not have a Windows NT user account. (Exchange 5.5 allows a user to have a mailbox without having a corresponding Windows NT account.)

Depending on the method you use to create Cisco Unity subscriber accounts, the corresponding Active Directory or Windows NT account may be created automatically.

Subscribers who have an Active Directory domain account that has been disabled, or who do not have either an Active Directory domain account or a Windows NT user account:

Cannot access the Cisco Personal Communications Assistant (PCA).

Cannot access the Cisco Unity Administrator.

Cannot use the phone as a recording and playback device for the Media Master.


Note The Cisco PCA is a website that subscribers use to access the Cisco Unity Assistant and the Cisco Unity Inbox. In version 3.1(x) and earlier, the Cisco Unity Assistant was known as the ActiveAssistant, or AA; the Cisco Unity Inbox was known as the Visual Messaging Interface, or VMI.


Best Practices

On Cisco Unity systems configured for Voice Messaging, if you do not want subscribers to have access to the Cisco PCA, the Cisco Unity Administrator, or the Media Master, we recommend that you disable Active Directory accounts or not create Windows NT accounts for the subscribers.

Depending on how subscriber accounts are created, all of the corresponding Active Directory domain accounts may be created with the same default password. We recommend that you change these passwords immediately—before subscribers start to use Cisco Unity—to prevent subscribers from accessing accounts other than their own.

For information on Active Directory passwords, see the "Ensuring That Subscribers Are Initially Assigned Unique and Secure Windows Passwords" section on page 8-4.

Best Practices for Accounts That Are Used to Access the Cisco Unity Administrator

The Cisco Unity Administrator is a website that you use to do most administrative tasks. Depending on the associated class of service rights, accounts that can be used to access the Cisco Unity Administrator can offer access to settings used to define how Cisco Unity works for individual subscribers (or for a group of subscribers), system schedules, call management options, and other important data. If your site is comprised of multiple Cisco Unity servers, an account used to access one Cisco Unity Administrator may be able to gain access to the other Cisco Unity Administrators as well. To secure access to the Cisco Unity Administrator, consider the following best practices.

Best Practice: Limit the Use of the Administration Account

Until you create a Cisco Unity subscriber account specifically for the purpose of administering Cisco Unity, you log on to the Cisco Unity Administrator by using the Active Directory or Windows NT credentials that are associated with the administration account that was selected when Cisco Unity was installed. The administration account is automatically associated with a class of service that offers full system access rights to the Cisco Unity Administrator. This means that not only can the administration account access all pages in the Cisco Unity Administrator, but it also has read, edit, add, and delete privileges for all Cisco Unity Administrator pages. For this reason, you should limit the use of this highly privileged account to only one or to very few individuals.

As an alternative to the administration account, you can create additional accounts that have class of service rights to access the Cisco Unity Administrator, but offer fewer privileges. If your organization depends on more than one person to administer Cisco Unity, you can modify the class of service rights for each account so that access to the Cisco Unity Administrator is appropriate to the administrative tasks that each person performs. By creating additional accounts, you also ensure that additional accounts are available to access the Cisco Unity Administrator in the event that the administration account is deleted or corrupted.

To learn about the ways in which you create additional accounts or grant administrative rights to existing accounts so that they can be used to access the Cisco Unity Administrator, refer to the "Cisco Unity Administrator Accounts" section in the "Accessing the Cisco Unity Administrator" chapter of the Cisco Unity System Administration Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Best Practices: Use Class of Service to Restrict Access to the Cisco Unity Administrator

When modifying class of service settings and assignments to secure access to the Cisco Unity Administrator, consider the following best practices:

Do not modify the system access settings for the Default Administrator class of service. Instead, reassign subscriber accounts to a new class of service that offers an appropriate level of access to the Cisco Unity Administrator. For example, you may want to associate an account with a class of service that offers read-only access to the Cisco Unity Administrator, or that only offers access to specific pages in the Cisco Unity Administrator for the purpose of unlocking accounts or changing passwords.

Verify that at least one subscriber account is assigned to the Default Administrator class of service. If you do not have at least one Windows domain account with class of service rights to access the Cisco Unity Administrator, you may lose the ability to administer Cisco Unity, and be required to reinstall.

By default, the Default Subscriber class of service prohibits access to the Cisco Unity Administrator, and should not be changed to allow it. Instead, use it to offer access to Cisco Unity features and applications that are more appropriate to end users.

To learn how to create and modify classes of service, refer to the "Class of Service Settings" chapter of the Cisco Unity System Administration Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Best Practice: Do Not Use Other Accounts to Access the Cisco Unity Administrator

Cisco Unity administrators should not use the same account to access the Cisco Unity Administrator that they use to log on to the Cisco Personal Communications Assistant (PCA). In addition, administrators should not use Cisco Unity service accounts to access the Cisco Unity Administrator.

Best Practices for Accounts That Are Used to Access the Cisco Unity Server

When you install Cisco Unity, you can choose the drive and directory where it is installed. By default, it is installed in the CommServer directory.

By default, the Active Directory accounts that Cisco Unity services log on as have Full Control access to the CommServer directory because they belong either to the local Administrators group (when the Cisco Unity server is a member server) or the Domain Admins group (when the Cisco Unity server is a domain controller). However, we recommend that you not use these accounts as administration accounts. Instead, we recommend that you designate a highly privileged account for use by a system administrator, and grant Full Control permissions to the Cisco Unity directories and files so that the account can be used for administration and troubleshooting.

Best Practice

Verify that the other domain accounts used by Cisco Unity system administrators are restricted to read-only access, and verify that Cisco Unity subscribers and any other domain accounts and groups have no access rights to the directories or files on the Cisco Unity server. To restrict access, remove the system group Everyone from the default permissions on C:\ (or the root of any other drive on the Cisco Unity server) and, where access is required, grant it to the Authenticated Users group instead. Finally, verify that no explicit privileged permissions have been assigned to individual groups or accounts.
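The following PowerShell script is an added example, not Cisco's code, that audits the permissions described above on the drive root and the Cisco Unity installation directory, reporting Everyone entries, write-level grants to accounts other than the expected administrators, and explicit assignments. The paths C:\ and C:\CommServer, the domain name CONTOSO and the account CONTOSO\unity-admin are assumptions for the example.

```powershell
# Added example, not part of the Cisco guide: audit NTFS permissions on the
# drive root and the Cisco Unity installation directory for the conditions
# the best practice above describes. Assumptions: Cisco Unity was installed
# in C:\CommServer, the domain is CONTOSO, and CONTOSO\unity-admin is the
# designated administration account; adjust all three to your environment.
param(
    [string[]]$Paths = @('C:\', 'C:\CommServer'),
    [string[]]$ExpectedFullControl = @('BUILTIN\Administrators',
                                       'NT AUTHORITY\SYSTEM',
                                       'CONTOSO\Domain Admins',
                                       'CONTOSO\unity-admin')
)

$fsr = [System.Security.AccessControl.FileSystemRights]
# Any of these bits means the grant is more than read-only.
$writeBits = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership

foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny entries only tighten access
        $who    = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights   # generic-rights entries print as numbers; review by hand
        $scope  = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }

        # 1. The Everyone group must not appear at all; use Authenticated Users instead.
        if ($who -eq 'Everyone') {
            Write-Output "FAIL  $path  $scope  '$who' -> $rights (remove; grant Authenticated Users instead)"
            continue
        }
        # 2. Full Control is expected only for the administrators group and the designated account.
        if ($ExpectedFullControl -contains $who) {
            Write-Output "OK    $path  $scope  '$who' -> $rights"
            continue
        }
        # 3. Everyone else (other admin accounts, subscribers, other groups) must be read-only or absent.
        if (($rights -band $writeBits) -ne 0) {
            Write-Output "FAIL  $path  $scope  '$who' -> $rights (write access; expected read-only or none)"
        } else {
            Write-Output "CHECK $path  $scope  '$who' -> $rights (read-only; confirm this account needs it)"
        }
    }
}
```

Run it on the Cisco Unity server itself, or point $Paths at the server's administrative shares; every FAIL line corresponds to one of the conditions the best practice asks you to correct.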

Best Practices When Deleting Cisco Unity Subscriber Accounts

Deleting the Cisco Unity subscriber account does not delete the Active Directory or Windows NT account (if there is one) or the Exchange mailbox for that subscriber. You can delete the Active Directory or Windows NT account and Exchange mailbox separately after you delete the subscriber account in the Cisco Unity Administrator.

Securing the Account That Was Used to Install Cisco Unity

Cisco Unity Setup creates a variety of objects in Active Directory (if the Cisco Unity server is a member server or domain controller in an Active Directory domain) or in Windows NT (if the Cisco Unity server is a member server in a Windows NT domain), and also creates mailboxes in Exchange. As a result, the account that is used to install Cisco Unity requires a broad range of user rights, group memberships, and Active Directory or Windows NT permissions. If you are concerned that an account with so many permissions will be available after the Cisco Unity installation is complete, you can disable the account in Active Directory Users and Computers (for an Active Directory account) or in User Manager for Domains (for a Windows NT account).

We recommend that you not delete the account because when you upgrade to a later version of Cisco Unity you will again need an installation account with the same permissions. If you delete the current account, you will have to create another, re-run the Cisco Unity Permissions wizard to set the required permissions, and manually give the account Exchange Administrator permission (if the partner server is running Exchange 2003 or Exchange 2000) or Services Account Administration permission (if the partner Exchange server is running Exchange 5.5).

For more information on the permissions set by the Permissions wizard, refer to the Permissions Set by Permissions Wizard Help. For Cisco Unity 4.0(3) and later, this Help file is available at http://ciscounitytools.com/App_PW_403.htm. For Cisco Unity 4.0(1) and 4.0(2), it is available at http://ciscounitytools.com/App_Maven4x.htm.

Best Practices for Securing Default Accounts

Table 6-1 lists the Active Directory or Windows NT accounts and Exchange mailboxes that are created by Cisco Unity, when they are created, and best practices for securing them.

Table 6-1 Considerations for Securing Default Cisco Unity Accounts, Active Directory or Windows NT Accounts, or Exchange Mailboxes

The table has four columns: Cisco Unity Subscriber Account; Active Directory or Windows NT Account, and Exchange Mailbox; When Created; Best Practice. Each row of the table is listed below with its column values.

Cisco Unity Subscriber Account: Example Administrator
Active Directory or Windows NT Account, and Exchange Mailbox: EAdministrator
When Created: At installation
Best Practice: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Administrator template, which is used to create the Example Administrator account and the corresponding Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the Active Directory or Windows NT Example Administrator account may still have the default password. This account is created in a disabled state when you install Cisco Unity version 4.0(5).

For versions of Cisco Unity prior to 4.0(5), or for systems that were upgraded from a version prior to 4.0(5):

Change the Active Directory or Windows NT password.

Change the phone password.

Change the class of service to remove administration rights.

Optionally, you can disable (but not delete) this account.

Cisco Unity Subscriber Account: Example Subscriber
Active Directory or Windows NT Account, and Exchange Mailbox: ESubscriber
When Created: At installation (on Cisco Unity 4.0(2) and earlier systems only)
Best Practice: If present, delete this subscriber account and the associated Active Directory or Windows NT account and Exchange mailbox.

Cisco Unity Subscriber Account: Unity Messaging System (not visible in the Cisco Unity Administrator)
Active Directory or Windows NT Account, and Exchange Mailbox: Unity_<servername>
When Created: At installation
Best Practice: For versions of Cisco Unity prior to 4.0(5), or for systems that were upgraded from a version prior to 4.0(5), change the Active Directory or Windows NT password.

Optionally, you can disable (but not delete) this account. This account is created in a disabled state when you install Cisco Unity version 4.0(5).

Cisco Unity Subscriber Account: None
Active Directory or Windows NT Account, and Exchange Mailbox: UAmis_<servername>
When Created: When configuring AMIS
Best Practice: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UAmis Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the UAmis account may still have the default password. Beginning with Cisco Unity 4.0(5), this account is disabled by default.

For versions of Cisco Unity prior to 4.0(5), or for systems that were upgraded from a version prior to 4.0(5), change the Active Directory or Windows NT password.

Optionally, you can disable this account. Do not hide this account from the Exchange address book if using the Cisco Unity Voice Connector for Microsoft Exchange 5.5. Do not hide this account from the Exchange address book if using the Voice Connector for Exchange 2000 or Exchange 2003 version 11.0(2) or earlier (shipped with Cisco Unity 4.0(4) or earlier). Doing so may prevent AMIS networking from working properly. Do not delete this account, even if AMIS is no longer in use.

Cisco Unity Subscriber Account: None
Active Directory or Windows NT Account, and Exchange Mailbox: UOmni_<servername>
When Created: When configuring the Cisco Unity Bridge
Best Practice: In Cisco Unity 4.0(3) and earlier, there was a default password for this account. In Cisco Unity 4.0(4) and later, the Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the UOmni Active Directory or Windows NT account. If a Cisco Unity 4.0(4) or later system was upgraded from version 4.0(3) or earlier, the UOmni account may still have the default password. Beginning with Cisco Unity 4.0(5), by default this account is disabled, hidden from the Exchange address book, and configured to appear in AD Advanced View only.

For versions of Cisco Unity prior to 4.0(5), or for systems that were upgraded from a version prior to 4.0(5), change the Windows password.

Optionally, you can disable this account. Do not hide this account from the Exchange address book if using the Cisco Unity Voice Connector for Microsoft Exchange 2000 or Exchange 2003 version 11.0(2) or earlier (shipped with Cisco Unity 4.0(4) or earlier). Doing so may prevent Bridge networking from working properly. Do not delete this account, even if Bridge Networking is no longer in use.

Cisco Unity Subscriber Account: None
Active Directory or Windows NT Account, and Exchange Mailbox: USbms_<servername>
When Created: At installation (Cisco Unity 4.0(5) and later only)
Best Practice: The USbms Active Directory or Windows NT account was added in Cisco Unity 4.0(5). The Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the account. By default, this account is disabled, hidden from the Exchange address book, and configured to appear in AD Advanced View only.

Do not delete this account, even if broadcast messaging is not in use.

Cisco Unity Subscriber Account: None
Active Directory or Windows NT Account, and Exchange Mailbox: UVpim_<servername>
When Created: When configuring VPIM (Cisco Unity 4.0(5) and later only)
Best Practice: The UVpim Active Directory or Windows NT account was added in Cisco Unity 4.0(5). The Cisco Unity Installation and Configuration Assistant prompts for a password for the Default Subscriber template, which is used to create the account. By default, this account is disabled, hidden from the Exchange address book, and configured to appear in AD Advanced View only.

Do not delete this account, even if VPIM is no longer in use.
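As an added example that is not part of the Cisco guide, the following PowerShell script reads the Active Directory state of the default accounts listed in Table 6-1 and reports, for each one, whether it is disabled, whether its password has been changed since Setup created it, and whether it is hidden from the Exchange address book. It assumes a domain-joined machine, a caller with read access to the domain, and a Cisco Unity server named UNITY1 (an assumed name).

```powershell
# Added example, not part of the Cisco guide: check the state of the default
# accounts in Table 6-1 in Active Directory. Assumes a domain-joined machine,
# a caller with read access to the domain, and a Cisco Unity server named
# UNITY1 (assumed name; pass your server name instead).
param([string]$UnityServer = 'UNITY1')

# sAMAccountNames from Table 6-1: the Example accounts are fixed, the rest are
# suffixed with the Cisco Unity server name.
$accounts = @('EAdministrator', 'ESubscriber')
foreach ($prefix in 'Unity', 'UAmis', 'UOmni', 'USbms', 'UVpim') {
    $accounts += "${prefix}_$UnityServer"
}

$ACCOUNTDISABLE = 0x2   # userAccountControl flag bit
foreach ($sam in $accounts) {
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.AddRange(
        @('userAccountControl', 'pwdLastSet', 'whenCreated', 'msExchHideFromAddressLists'))
    $r = $searcher.FindOne()
    if ($null -eq $r) {
        # Expected for ESubscriber on 4.0(3) and later, and for the networking
        # accounts when that feature was never configured.
        Write-Output ("{0,-8} {1,-22} not found in the domain" -f 'ABSENT', $sam)
        continue
    }
    $uac       = [int]$r.Properties['useraccountcontrol'][0]
    $pwdRaw    = [int64]$r.Properties['pwdlastset'][0]
    $created   = [datetime]$r.Properties['whencreated'][0]
    $hiddenRaw = $r.Properties['msexchhidefromaddresslists']
    $hidden    = ($hiddenRaw.Count -gt 0) -and [bool]$hiddenRaw[0]

    $state = if (($uac -band $ACCOUNTDISABLE) -ne 0) { 'disabled' } else { 'ENABLED' }
    # pwdLastSet is a FILETIME; 0 means the password must be changed at next
    # logon. A value within minutes of whenCreated means nobody has changed the
    # password since Setup created the account, which on a system installed
    # from, or upgraded from, 4.0(3) or earlier may still be the default password.
    if ($pwdRaw -eq 0) {
        $pwdNote = 'password change required at next logon'
    } elseif ([math]::Abs(([datetime]::FromFileTime($pwdRaw) - $created).TotalMinutes) -lt 10) {
        $pwdNote = 'PASSWORD UNCHANGED since creation'
    } else {
        $pwdNote = 'password set ' + [datetime]::FromFileTime($pwdRaw).ToString('u')
    }
    $abook = if ($hidden) { 'hidden from address book' } else { 'visible in address book' }
    Write-Output ("{0,-8} {1,-22} {2}; {3}" -f $state, $sam, $pwdNote, $abook)
}
```

Read the output against the table: an ENABLED or PASSWORD UNCHANGED line for EAdministrator, Unity_<servername>, UAmis_<servername> or UOmni_<servername> on a system installed from, or upgraded from, a version prior to 4.0(5) is exactly the case the table tells you to correct, and a hidden UAmis or UOmni account matters only if you still run the older Voice Connector versions named there.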