Avaya

Modular Messaging Help


Password and mailbox administration

Voice mail fraud can occur when an unauthorized user obtains the subscriber mailbox password and gains unauthorized access to the system. The unauthorized user then misuses the system for various purposes. This type of activity can result in huge losses of revenue, employee productivity, and business. It also interrupts service and compromises the security of your information resources.

To minimize the threat of unauthorized use, you must closely monitor all the mailboxes. Ensure that you follow the necessary security guidelines related to password and mailbox administration.


Mailbox administration

When you administer the system and subscriber mailboxes, do the following to minimize unauthorized use:

  • Block break-in attempts. On the Subscriber Property screen, set a low number of consecutive unsuccessful attempts to log in to a mailbox.

  • Do not create mailboxes before they are needed.

  • Deactivate unassigned mailboxes. When an employee leaves the company, remove the subscriber profile and, if necessary, reassign the mailbox.

  • Require unique passwords. Set the minimum required length to be one digit greater than the number of alphanumeric characters in the subscriber extension number. For maximum security, a subscriber password can have up to 15 alphanumeric characters.

  • Force subscribers to change the default password the first time they log in to the system. A custom password ensures that only subscribers have access to their own mailboxes. Custom passwords also prevent an unauthorized person from gaining access by entering an extension followed by the pound key (#). To ensure that new subscribers change their passwords immediately, administer the default password to be fewer alphanumeric characters than the minimum password length.

  • Administer password aging on the System Parameters Features screen. Password aging requires subscribers to change their password at a predefined interval. Password aging enhances overall system security and helps protect against toll fraud by making the system less vulnerable to break-ins.

  • Avoid or closely monitor the use of guest mailboxes. A guest mailbox is not allotted a physical extension. If you do not need the mailbox, deactivate it. Assign the mailbox only after changing its password.

Access control lists

You can limit the number of people in a voice mail domain who can use the administration applications and tools. Edit two Windows access control lists (ACLs) with the Voice Mail System Configuration (VMSC) utility. The ACLs can contain users and groups from the Modular Messaging Windows domain or customer domains trusted by it.

Access control lists follow the security mechanisms of the Windows domain users and groups. Windows 2000 security mechanisms grant restricted rights to each ACL for accessing the Avaya Messaging Application Server (MAS). These ACLs define the following types of administration:

  • System administration. People listed on the system administration ACL can access and use all Modular Messaging administration applications and tools, except Modular Messaging Subscriber Administration.

  • Subscriber administration. People listed on the subscriber administration ACL can use Subscriber Options in administrator mode. You can start the Subscriber Options on Windows from a Web page while editing subscriber properties with Message Storage Server (MSS) subscriber Web administration.

An account or group name can appear in both ACLs. The default system administration ACL has a single entry that contains the account under which the MAS was installed. The default subscriber administration ACL is empty. To enable subscribers to use Modular Messaging, add at least one account or group to this list. For more information about administering ACLs in Modular Messaging, see VMSC - VMD - Security Configuration.

Do not use a well-known name for a given role. Do not use obvious names as login names. Avaya recommends that you delete the well-known Administrator account. Instead, create an equivalent account for the administrator login. Create user names and passwords that are hard to guess.

Passwords

When your system is installed, immediately change the system administrator (sa) and voice mail administrator (vm) login passwords on the MSS. Modular Messaging administrators who log in with the vm login can change the password for the vm login only. System administrators who log in with the sa login can change the password for both the sa login and the vm login. You also must administer the following passwords:

  • Trusted server passwords

  • Modular Messaging login passwords, such as mmacct

  • Administrator passwords, such as dom-admin

  • Remote login passwords (PPP logins)

  • Subscriber default passwords

Passwords must follow minimum standards. Additionally, you can administer several parameters of the password aging feature that enhance system security.

Password aging ensures that administration passwords are changed at reasonable intervals, because passwords expire after a specific period of time. When password aging is not in place, people can change the password and then change it back to a familiar password. The Minimum Age Before Changes setting prevents a subscriber from immediately reverting to the previous password.

Use password aging for administrative logins to reduce the danger of unauthorized system access. Also, ensure that you communicate to the appropriate administrators when passwords are changed.

You can also use the extended password security feature. Extended password security requires subscribers to press the pound key (#) after entering their passwords to access their mailboxes. If subscribers do not press the pound key (#), the system pauses before allowing mailbox access. Use the Enable Extended Password Security parameter in the Subscriber Properties screen to determine how a subscriber accesses the mailbox. The system can wait for the subscriber to press the pound key (#) or give the subscriber immediate mailbox access after a successful password entry. This parameter helps prevent unauthorized users from determining the number of alphanumeric characters in system mailbox passwords. Avaya recommends that you set the Enable Extended Password Security parameter.

Guidelines for passwords

Use the following system password guidelines to minimize unauthorized access to your system:

  • Change the passwords for the system administrator (sa), the voice mail administrator (vm), and the craft logins (MSS only).

  • Change the administrator account name and password on the MAS.

  • Establish a new password as soon as the Modular Messaging system is installed.

  • Use at least six alphanumeric characters. The password must include at least one numeric character and two alphabetic characters.

  • All passwords must comply with the minimum password length, such as six alphanumeric characters.

  • Do not use obvious passwords, such as a telephone extension, employee identification number, or easily guessed numeric or letter combinations. Good password selection significantly protects the system from hackers.

  • Do not post, share, print, or write down passwords. Do not store passwords as part of a connection script.

  • Do not put the password on a programmable function key.

  • Administer the system to disallow users from using the previous passwords again.

  • Change the password each month. You can administer your system to age the password and notify you that a new password is required.

  • Keep a record of all the passwords and account names, and store them in a secure location.

Subscriber password security

Modular Messaging subscribers gain access to the message server from either a desktop computer or the telephone user interface (TUI). The subscriber password grants access through both interfaces. Ensure that your subscribers follow these password guidelines to minimize unauthorized access to mailboxes:

  • Use desktop clients that support Secure Sockets Layer (SSL) encryption. Modular Messaging provides native support for SSL versions of IMAP4 and POP3.

  • Never allow a personal greeting that states that the called extension accepts collect calls or third-party billed calls. If someone at your company has a similar greeting, require that they change the greeting immediately.

  • Never use obvious or unimportant passwords, such as an employee identification number, a social security number, or easily guessed numeric combinations. Modular Messaging does not assign a password that is similar to the mailbox number.

  • Do not assign a password that is the mailbox number in reverse order, a 1 followed by the mailbox number, or any similar pattern.

  • Do not assign a password to unused mailboxes.

  • Discourage the practice of writing down passwords, storing them, or sharing them with others. Advise the subscriber to keep any written password in a secure place and to discard an inactive password.

  • Never program passwords onto telephone automatic dial buttons.

  • Contact Avaya Corporate Computer and Network Security when the following occurs:

    • A subscriber receives suspicious messages.

    • A subscriber tells you that a personal greeting was changed.

    • You suspect that someone else used your Modular Messaging system.

  • Subscriber passwords for the TUI can vary from 0 to 15 alphanumeric characters in length. Administer the minimum password length. Increase the minimum password length to decrease the probability that an unauthorized user can guess the password.

  • Use the password expiration (password aging) feature to force subscribers to change passwords at regular intervals. Change passwords regularly to decrease the probability that an unauthorized user can access a subscriber mailbox.
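The length and pattern rules from the Mailbox administration, Guidelines for passwords, and Subscriber password security sections can be checked mechanically before a setting or password is applied. The following is an added example, not Avaya code or a Modular Messaging API; every function name is hypothetical, and the interpretations marked as assumptions in the comments are the example's own.

```python
# Added example: names below are hypothetical, not Modular Messaging APIs.
MAX_LEN = 15  # page: a subscriber password can have up to 15 characters


def check_policy(extension, min_length, default_password):
    """Check mailbox-administration settings against the page's guidance."""
    problems = []
    # Assumption: "one digit greater than the extension" is read as a floor.
    if min_length <= len(extension):
        problems.append("minimum length must exceed extension length")
    if min_length > MAX_LEN:
        problems.append("minimum length exceeds 15 characters")
    # A default shorter than the minimum forces a change at first login.
    if len(default_password) >= min_length:
        problems.append("default password does not force a change")
    return problems


def _is_run(s):
    """True for repeated or stepwise sequences such as 111111 or 654321."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_subscriber_password(mailbox, candidate, min_length):
    """Check a proposed subscriber password before it is assigned."""
    problems = []
    if not candidate.isalnum() or not min_length <= len(candidate) <= MAX_LEN:
        problems.append("must be %d-%d alphanumeric characters" % (min_length, MAX_LEN))
    # Assumption: containment covers the number itself, its reverse,
    # "1 followed by the mailbox number" and similar patterns.
    if mailbox in candidate or mailbox[::-1] in candidate:
        problems.append("contains the mailbox number or its reverse")
    # Assumption: runs stand in for "easily guessed numeric combinations".
    if _is_run(candidate):
        problems.append("easily guessed sequence")
    return problems


def check_system_password(candidate):
    """Check an administrative password against the system guidelines."""
    problems = []
    if not candidate.isalnum() or len(candidate) < 6:
        problems.append("must be at least six alphanumeric characters")
    if sum(c.isdigit() for c in candidate) < 1:
        problems.append("needs at least one numeric character")
    if sum(c.isalpha() for c in candidate) < 2:
        problems.append("needs at least two alphabetic characters")
    return problems
```

An empty list means the setting or candidate password passed every check; each string in a non-empty list names one guideline that was not met.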
