This section discusses security in Modular Messaging systems with the Avaya Messaging Application
Server (MAS) or Modular Messaging with Microsoft Exchange.
The section describes the MAS features that help reduce the risk of fraudulent
long-distance charges and unintended disclosure of confidential information. It also describes how to improve the performance of the voice servers.
Topics in this section include:
Access to voice mail domain administration
You must create and maintain voice mail domains. You must also configure the
Voice Servers. The Voice Mail System Configuration (VMSC) application provides property pages to perform these tasks. For more
information on VMSC, see VMSC - VMD - Telephone User Interface Dialog Box, VMSC - Voice Mail Domain (VMD) Configuration, and VMSC - Voice Mail Domain Configuration.
The MAS runs on Microsoft Windows 2003. The Windows 2003 domain security mechanism mediates access to the servers. Access to the VMSC application is controlled through
the VMSC Security component. Administrators use the component to maintain lists of users and groups that can administer the voice mail domain.
Access to subscriber account administration
The MAS administrators create and configure voice mail accounts for subscribers. The MAS Subscriber Administrators access control list (ACL) can be configured in the security settings for the VMSC component. Only members of the MAS Subscriber Administrators ACL that is configured through the VMSC Security component can administer subscriber accounts.
To limit the number of people in a voice mail domain who have
access to administration applications and tools, edit two ACLs. The ACLs define who can perform system administration and subscriber administration.
For more information, see VMSC - VMD - Security Configuration.
For more information on configuring security, see VMSC - Voice Mail Domain (VMD) Configuration.
Access to subscriber mailboxes
The MAS subscribers gain access to the features and messages from a desktop personal computer or through
the telephone user interface (TUI). The subscriber password controls access through the TUI. You set the password through MAS options
or the TUI. For more information, see "Security considerations" in the Installation and Upgrades guide (pdf).
The following MAS features help you minimize the risk of unauthorized
access to the MSS, messages, and long-distance lines.
Subscriber password for telephone user interface
The MAS subscribers maintain a password for the TUI to access their voice
mail. Subscribers can change their passwords through the TUI, Subscriber Options, and Web Subscriber Options.
The administrator enables a subscriber account for voice messaging
and determines the initial password for mailbox access. The initial
password can be a randomly generated number. Administrators configure the system to prompt TUI subscribers to change their passwords the first time they access
the voice mail system. Administrators can reset a subscriber password
at any time but cannot view the password.
Subscriber passwords for the TUI can be from
0 to 15 alphanumeric characters in length. The MAS administrator establishes the
minimum password length as a system-wide parameter. For the Avaya Message Storage Server (MSS), the password can be from 1 to 16 alphanumeric characters. For an Exchange message store, the minimum password length can be zero (0). A password of zero alphanumeric characters is the same as no password.
Increasing the
number of alphanumeric characters in a password lowers the probability that an unauthorized
user might guess the password. For example, with a 6-digit password, the probability
of guessing a password is 1 in 900,001. Passwords in the range of 000000 through 099999 are invalid because a password cannot start with a zero (0).
The administrator can
enable password expiration that forces subscribers to change passwords
at predetermined intervals. Changing the password reduces the chance that an unauthorized user can access a
subscriber mailbox.
The administrator can also activate a feature that prevents reuse of the past N passwords. N is a number between 1 and 10 that specifies how many previous passwords cannot be reused.
Recipient name confirmation
The TUI confirms the name of the intended recipient after the subscriber enters a name or telephone number when the subscriber addresses a message. This feature ensures that the system delivers the voice messages to the intended destination.
Disconnecting callers who enter incorrect
passwords
If a caller enters an incorrect password to a subscriber
account, the MAS informs the caller of the error and requests the correct password. The caller can enter the password
more than once for the following reasons:
- The caller pressed keys quickly, inadvertently missing
alphanumeric characters.
- The caller recently changed his or her password and
accidentally entered the old password.
You can configure the MAS to disconnect after one, two, or three attempts. The default value is three attempts. If a caller does not enter the correct password in the
permitted number of attempts, the system disconnects the caller.
This feature prevents unauthorized users from trying various numbers
in an attempt to discover a password.
The system locks a mailbox after consecutive login failures that occur during a series of calls. The default value is 18 failed logins. When the system locks a mailbox, the caller cannot access the mailbox even if the user enters a correct password.
Handling callers who make too many
errors
The MAS can disconnect or transfer callers who make too many errors
while trying to navigate through the system. The number of errors —
from 0 to 9 — can be configured on a system-wide basis.
Monitoring system usage reports
The MAS provides two standard reports that administrators
use to monitor the system for misuse. Administrators can generate the reports with the MAS Reporting Tool.
- The Port Statistics report shows the number of calls coming
into the ports. Substantial activity occurring at unusual times
of the day can indicate unauthorized system usage.
- The Log-in Failures report records information about unsuccessful
telephone logins caused by entering an incorrect password or mailbox number. Numerous log-in failures can indicate that
unauthorized users are trying to access the MAS.
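One way to triage an exported Log-in Failures report against the 18-failure lockout default described above. This is an added example, not Avaya code: the CSV layout, the reason codes, the mailbox numbers, the half-threshold warning level, and the business-hours window are all assumptions, and the sample rows are constructed.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

LOCKOUT_THRESHOLD = 18         # page default: failed logins before a mailbox locks
WARN_FRACTION = 0.5            # assumption: warn at half the lockout threshold
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 is normal calling time
FMT = "%Y-%m-%d %H:%M:%S"

def _rows(mailbox, count, start, reason="bad_password", port=3):
    """Build constructed report rows, one failure per minute."""
    t0 = datetime.strptime(start, FMT)
    return [f"{t0 + timedelta(minutes=i)},{mailbox},{port},{reason}"
            for i in range(count)]

# Constructed sample; the real Log-in Failures report layout is not on the page.
SAMPLE = "\n".join(
    ["timestamp,mailbox,port,reason"]
    + _rows("4021", 18, "2024-03-02 02:10:00")   # reaches the lockout default
    + _rows("4377", 10, "2024-03-02 10:00:00")   # more than half-way there
    + _rows("4410", 3, "2024-03-02 23:50:00")    # few failures, all at night
    + _rows("4502", 2, "2024-03-02 09:15:00")    # ordinary mistyped password
    + _rows("9999", 4, "2024-03-02 03:00:00", "bad_mailbox")
)

def analyze(report_text, threshold=LOCKOUT_THRESHOLD):
    """Return (findings, bad_mailbox_count) for one reporting period."""
    per_mailbox, off_hours, bad_mailbox = Counter(), Counter(), 0
    for row in csv.DictReader(StringIO(report_text)):
        if row["reason"] == "bad_mailbox":       # no valid mailbox to attribute to
            bad_mailbox += 1
            continue
        per_mailbox[row["mailbox"]] += 1
        if datetime.strptime(row["timestamp"], FMT).hour not in BUSINESS_HOURS:
            off_hours[row["mailbox"]] += 1
    findings = []
    for mailbox, count in sorted(per_mailbox.items()):
        if count >= threshold:                   # total, not necessarily consecutive
            findings.append((mailbox, "at-lockout", count))
        elif count >= threshold * WARN_FRACTION:
            findings.append((mailbox, "near-lockout", count))
        elif count >= 3 and off_hours[mailbox] == count:
            findings.append((mailbox, "off-hours-only", count))
    return findings, bad_mailbox

if __name__ == "__main__":
    for finding in analyze(SAMPLE)[0]:
        print(finding)
```

The counts are totals for the reporting period, so an "at-lockout" finding means the mailbox should be checked for a lock, not that it is certainly locked.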
Other security precautions
Additional security measures can be implemented on private branch exchange (PBX) or Centrex
systems. Toll restriction can limit access to
the lines that the MAS uses.
Long-distance carriers also have security services available to
help control unauthorized users. They can monitor normal use and
provide immediate notification of unusually high long-distance call
activity. For more information about these services, contact your long distance carrier.