Avaya

Modular Messaging Help


Password and Mailbox administration

Voice mail fraud occurs when an unauthorized user obtains a subscriber's mailbox password and uses it to gain access to the system, which is then misused for the intruder's own purposes. Such activity can cause large revenue losses, reduced employee productivity, service interruptions, and loss of business, and it compromises the security of your information resources. To minimize the threat of unauthorized use, closely monitor all mailboxes and follow the security guidelines for password and mailbox administration described below.

Mailbox Administration

When you administer the system and subscribers' mailboxes, do the following things to minimize unauthorized use:

  • To block break-in attempts, administer your system so that the allowed number of consecutive unsuccessful attempts to log in to a mailbox is low. Administer this on the Subscriber Property screen.

  • Do not create mailboxes before they are needed.

  • Deactivate unassigned mailboxes. When an employee leaves the company, remove the subscriber profile and, if necessary, reassign the mailbox.

  • Require long passwords. The minimum required length should be at least one digit greater than the number of digits in subscribers' extension numbers. Subscribers can have passwords up to 15 digits for maximum security.

  • Force subscribers to change the default password the first time they log in to the system. This ensures that only subscribers have access to their own mailboxes, and it removes the possibility of an unauthorized person gaining entry simply by entering an extension followed by #. To ensure that new subscribers change their passwords immediately, administer the default password to be fewer digits than the minimum password length.

  • Administer password aging on the System Parameters Features screen. Password aging requires subscribers to change their password at a predefined interval. Password aging enhances overall system security and helps protect against toll fraud by making the system less vulnerable to break-ins.

  • Avoid or closely monitor the use of mailboxes that are not allotted a physical extension (known as guest mailboxes). If you do not need the mailbox, deactivate it and assign it only after changing its password.
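The checks in the list above can be applied mechanically to an exported set of mailbox settings. The following is an added example, not Avaya code: the field names are hypothetical stand-ins for the values administered on the Subscriber Property and System Parameters Features screens, and the lockout limit of 3 and aging interval of 30 days are assumed values for "low" and "predefined interval".

```python
from dataclasses import dataclass
from typing import List


@dataclass
class MailboxSettings:
    # Hypothetical stand-ins for administered values; not Modular Messaging's own field names.
    extension_digits: int             # length of subscriber extension numbers
    min_password_length: int          # minimum telephone user interface password length
    default_password: str             # password assigned to a newly created mailbox
    max_failed_logins: int            # consecutive unsuccessful log-in attempts allowed
    password_aging_days: int          # 0 means password aging is not administered
    unassigned_active_mailboxes: int  # mailboxes with no subscriber that are still active


def audit_mailbox_settings(s: MailboxSettings, lockout_limit: int = 3) -> List[str]:
    """Return one finding per violated guideline; an empty list means the settings comply."""
    findings = []
    # A low consecutive-failure limit blocks break-in attempts (limit value is assumed).
    if s.max_failed_logins > lockout_limit:
        findings.append(f"allowed unsuccessful log-ins is {s.max_failed_logins}; "
                        f"set it to {lockout_limit} or lower")
    # Minimum length must exceed the extension length by at least one digit.
    if s.min_password_length < s.extension_digits + 1:
        findings.append(f"minimum password length {s.min_password_length} is not longer "
                        f"than the {s.extension_digits}-digit extension")
    # A default password shorter than the minimum cannot be kept, so the first log-in
    # forces a change and an extension followed by '#' never opens a mailbox.
    if len(s.default_password) >= s.min_password_length:
        findings.append("default password satisfies the minimum length; "
                        "subscribers are not forced to change it at first log-in")
    if s.password_aging_days <= 0:
        findings.append("password aging is not administered")
    if s.unassigned_active_mailboxes > 0:
        findings.append(f"{s.unassigned_active_mailboxes} unassigned mailbox(es) "
                        "still active; deactivate them")
    return findings


# Constructed sample settings: a weak configuration and its corrected form.
WEAK = MailboxSettings(extension_digits=4, min_password_length=4, default_password="1234",
                       max_failed_logins=10, password_aging_days=0, unassigned_active_mailboxes=2)
HARDENED = MailboxSettings(extension_digits=4, min_password_length=6, default_password="0",
                           max_failed_logins=3, password_aging_days=30, unassigned_active_mailboxes=0)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_mailbox_settings(cfg) or ["compliant"])
```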

Access control lists

You can limit which people in a voice mail domain have access to the administration applications and tools by editing two access control lists. These lists are Windows ACLs, so they use the security mechanisms of Windows domain users and groups: Windows 2000 security mechanisms grant restricted rights to each ACL for accessing the Avaya MAS. The access control lists define the following types of administration:

  • System administration. People listed on the system administration access control list can access and use all Modular Messaging administration applications and tools, except Modular Messaging Subscriber Administration.

  • Subscriber administration. People listed on the subscriber administration access control list can use only the Modular Messaging Subscriber Administration tool to enable subscribers to use Modular Messaging.

An account or group name can appear in both the access control lists. The default system administration access control list has a single entry containing the account under which the MAS was installed. The default subscriber administration access control list is empty. To enable subscribers to use Modular Messaging, at least one account or group must be added to this list. See Configuring voice mail domain security for more information on administering access control lists in Modular Messaging.

As a general rule, it is very bad practice to use a well-known name such as sa for the system administrator role. Never use sa or vm as a login name. Avaya strongly recommends that you delete the well-known Administrator account and instead create an equivalent account for the administrator login. Create user names and passwords that are hard to guess.

Passwords

As soon as your system is installed, change the system administrator (sa), voice messaging administrator (vm), and craft login passwords. Modular Messaging administrators who log in with the vm login can change the password for the vm login only. System administrators who log in with the sa login can change the passwords for both the sa login and the vm login. You must also administer the trusted server passwords, Modular Messaging logon passwords (such as mmacct), administrator passwords (such as dom-admin), remote login passwords (PPP logins), subscriber default passwords, and the passwords for the required services (such as root and tsc).

Passwords must meet certain minimum standards. Additionally, you can administer several parameters of the password aging feature to raise the security level the system maintains. Password aging ensures that administration passwords are changed at reasonable intervals, because passwords expire after a set period of time. When password aging is in place, people who would rather remember only one password are likely to change the password when required and then immediately change it back to the familiar one. The Minimum Age Before Changes setting prevents a subscriber from immediately changing back to the previous password. Use password aging for administrative logins to reduce the danger of unauthorized system access, and ensure that you inform the appropriate administrators whenever passwords are changed. Both system administrators and Modular Messaging administrators can change passwords. You can change these settings by starting at the Administration main menu and selecting Password Administration. The items and their operation are described in Setting Administrator Password Aging.

You can also use the extended password security feature. Extended password security requires subscribers to press pound (#) after entering their passwords to access their mailboxes. If subscribers do not press pound (#), the system pauses before allowing mailbox access. The Enable Extended Password Security parameter in the Subscriber Properties screen determines whether the system waits for the subscriber to press pound (#) or allows immediate mailbox access after successful password entry. This parameter helps prevent unauthorized users from determining the number of digits in system mailbox passwords. Avaya recommends that this feature be enabled.


Guidelines for Passwords

To minimize the risk of unauthorized people using your system, follow these guidelines for system passwords:

  • Change the passwords for the system administrator (sa), the voice mail administrator (vm), and the craft logins.

  • Change the administrator account name and password on the MAS.

  • Establish a new password as soon as the Modular Messaging system is installed.

  • Use 6–11 alphanumeric characters. The password must include at least one numeric character and two alpha characters.

  • All passwords must comply with the minimum password length.

  • Never use obvious passwords, such as a telephone extension, room number, employee identification number, social security number, or easily guessed numeric or letter combinations. Good password selection significantly decreases the possibility of the system being hacked.

  • Do not post, share, print, or write down passwords. Do not store passwords as part of a connection script.

  • Do not put the password on a programmable function key.

  • Administer the system to prevent users from reusing previous passwords.

  • Change the password at least once every month. You can administer your system to age the password and notify you that a new password is required.

  • Keep a record of all the passwords and account names and store them in a secure location.
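The composition rules in this list, together with the reuse, aging and Minimum Age Before Changes behaviour described under Passwords, can be expressed as a single password-change check. The following is an added example, not Avaya's implementation: the Account structure, the 30-day maximum age and the 1-day Minimum Age Before Changes are assumed values, and dates are passed as ISO strings for convenience.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

MIN_LEN, MAX_LEN = 6, 11          # "Use 6-11 alphanumeric characters"
MAX_AGE = timedelta(days=30)      # "change the password at least once every month"
MIN_AGE = timedelta(days=1)       # Minimum Age Before Changes (assumed value)


def digest(pw: str) -> str:
    # History stores digests rather than plaintext; a real system would use a salted password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Account:
    extension: str                                     # obvious choice that must be rejected
    history: List[str] = field(default_factory=list)   # digests of earlier passwords
    changed_on: date = date(2000, 1, 1)                # date of the last accepted change


def composition_errors(pw: str) -> List[str]:
    """At least one digit and two letters, 6-11 alphanumeric characters in total."""
    errs = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        errs.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not pw.isalnum():
        errs.append("only letters and digits are allowed")
    if sum(c.isdigit() for c in pw) < 1:
        errs.append("at least one digit required")
    if sum(c.isalpha() for c in pw) < 2:
        errs.append("at least two letters required")
    return errs


def change_errors(acct: Account, new_pw: str, today_iso: str) -> List[str]:
    today = date.fromisoformat(today_iso)
    errs = composition_errors(new_pw)
    if acct.extension and acct.extension in new_pw:
        errs.append("must not contain the extension")
    if digest(new_pw) in acct.history:
        errs.append("previous passwords may not be reused")
    if today - acct.changed_on < MIN_AGE:
        errs.append("Minimum Age Before Changes not reached")
    return errs


def change_password(acct: Account, new_pw: str, today_iso: str) -> List[str]:
    errs = change_errors(acct, new_pw, today_iso)
    if not errs:                   # record the change only when every rule passes
        acct.history.append(digest(new_pw))
        acct.changed_on = date.fromisoformat(today_iso)
    return errs


def is_expired(acct: Account, today_iso: str) -> bool:
    return date.fromisoformat(today_iso) - acct.changed_on >= MAX_AGE
```

An empty list from change_password means the new password was accepted and recorded; is_expired reports when aging demands a fresh one.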

Subscriber Password Security

Modular Messaging subscribers gain access to the message server from either a desktop computer or the telephone user interface. Access through these methods is controlled by subscriber passwords. To minimize the risk of unauthorized access to mailboxes, ensure that your subscribers follow these guidelines for passwords:

  • Use desktop clients that support SSL encryption. Modular Messaging provides native support for SSL versions of IMAP4 and POP3.

  • Never allow a personal greeting that states that the called extension will accept collect calls or third-party billed calls. If someone at your company has a greeting like this, require that they change the greeting immediately.

  • Never use obvious or trivial passwords, such as a room number, employee identification number, social security number, or easily guessed numeric combinations.

  • Discourage the practice of writing down passwords, storing them, or sharing them with others. If a subscriber insists on writing down a password, advise the subscriber to keep the password in a secure place and never discard it while it is active.

  • Never program passwords onto telephone auto dial buttons.

  • If a subscriber receives any suspicious messages, or tells you that a personal greeting was changed, or if for any other reason you suspect that your Modular Messaging system is being used by someone else, contact Avaya Corporate Computer and Network Security.

  • Subscriber passwords for the telephone user interface can vary from 0 to 32 digits in length. Administrators can and should administer the minimum password length. Increasing the minimum password length decreases the probability of an unauthorized user guessing the password.

  • Administrators must use the password expiration feature, which forces subscribers to change passwords at regular intervals. Changing passwords regularly reduces the chances of an unauthorized user gaining access to a subscriber's mailbox.
