Unity 5.0(1) Security enhancements

Answered Question
Feb 3rd, 2009

Is there a way to change the feature listed here

Improved Security for Accessing Cisco Unity

To enhance security, the Cisco Unity conversation no longer indicates whether the ID or password is invalid when subscribers log on by phone. Instead, when a subscriber enters an incorrect ID and/or password, Cisco Unity merely indicates that the subscriber entered an invalid combination, and then prompts the subscriber to re-enter both the ID and the password. In this way, it is not clear to an unauthorized user which part of the credentials is valid.

In addition, Cisco Unity no longer applies the prompt speed and volume that is specified for an individual subscriber until the subscriber enters both a valid ID and a valid password.

http://www.cisco.com/en/US/docs/voice_ip_comm/unity/42/release/notes/cu421rn.html#wp340106

I would like to change this feature back to the way it was in Unity 4.0(5), when you were actually told that your ID isn't valid if you don't have a valid Unity account.

Any help is appreciated

Correct Answer by lindborg about 7 years 10 months ago

There's no option to do that - we were forced to change this along the way a while back because it's required by many state/fed/military installs - by telling the caller their ID is invalid you give "fishers" a very easy way to construct a table of valid user extensions in your system and then they can set about cracking PWs for them at their leisure. For most sites it's an unacceptable security hole. There's no configuration option to force it back to the old conversation flow.


Christopher McAlpin Tue, 02/03/2009 - 14:00

Yes you can almost change this back to the old behavior. We kind of took a hybrid approach between the new behavior you are seeing and the old behavior. With the latest ES for your version of Unity and the latest Advanced Settings Tool from CiscoUnityTools.com, you can control the behavior. Basically, you will be able to keep it as it is now, or change it so that if the caller is calling from a phone that is associated with a Cisco Unity subscriber (meaning the caller id matches a mailbox id) and the caller foo bars their password, Cisco Unity will only ask them to enter their password. Note that if they are calling from a number that is not associated with a mailbox and they had to manually enter their ID, they will still be prompted for their ID if they mess up. So like I said, it is a hybrid.

See the following defect for a description of your problem.

When invalid password entered at known extension, do not prompt for ID

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd16651

Install the latest 4.2 or 5.0 Engineering Special and download the latest Advanced Settings tool from CiscoUnityTools.com.

Here is a description of the setting in the AST:

Conversation - Prompt for ID on Wrong Password

When a subscriber calls the pilot number from a phone associated with the subscriber, Cisco Unity recognizes the calling number as the subscriber ID and does not prompt for it. By default, if the subscriber enters an incorrect password, Cisco Unity prompts the subscriber to re-enter only the password. Use this key to customize Cisco Unity so that when a subscriber enters an incorrect password, Cisco Unity prompts the subscriber for both the subscriber ID and password.

This setting only affects the prompts that are played when a subscriber logs in from an associated phone. The setting does not affect the prompts that play if the subscriber logs out of the mailbox after successfully logging in.

Values:

0 - Cisco Unity will not prompt the user to enter subscriber ID if password entered is incorrect. It will announce that the password is invalid and ask the user to re-enter only the password (Default)

1 - Cisco Unity will prompt the user to enter subscriber ID if password entered is incorrect
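
To make the two behaviours discussed in this thread concrete, here is a small model of the phone-login conversation (added for illustration; it is not Cisco code and the subscriber table is constructed). It shows why the uniform "invalid combination" response gives an unknown caller no way to tell a bad ID from a bad password, and how the AST key "Prompt for ID on Wrong Password" (values 0 and 1 as described above) only changes the flow for callers whose caller ID already matched a mailbox.

```python
"""Hypothetical model of the Cisco Unity phone-login conversation.

Not Cisco's code: it mirrors the behaviour described in the thread so the
two settings of "Prompt for ID on Wrong Password" can be compared.
"""
from dataclasses import dataclass

# Constructed sample directory: extension -> phone password.  Not real data.
SUBSCRIBERS = {"2001": "135790", "2002": "246802"}


@dataclass(frozen=True)
class Prompt:
    announce: str     # what the caller hears
    reprompt: tuple   # which fields Unity asks the caller to enter next


def login_response(caller_id, entered_id, password,
                   prompt_for_id_on_wrong_password=0):
    """Return the Prompt played after one credential attempt.

    caller_id: calling number; when it matches a mailbox it is used as the
               subscriber ID and entered_id is ignored (Unity skips the ID
               prompt in that case).
    prompt_for_id_on_wrong_password: the AST value, 0 (default) or 1.
    """
    id_from_caller_id = caller_id in SUBSCRIBERS
    sub_id = caller_id if id_from_caller_id else entered_id
    if SUBSCRIBERS.get(sub_id) == password:
        # Per-subscriber prompt speed/volume is applied only now.
        return Prompt("Welcome; applying subscriber prompt settings", ())
    if id_from_caller_id and prompt_for_id_on_wrong_password == 0:
        # The ID came from caller ID, not from the caller, so announcing
        # "password invalid" reveals nothing the caller did not already know.
        return Prompt("Invalid password", ("password",))
    # Unknown ID or wrong password: identical announcement and re-prompt,
    # so the caller cannot learn which half of the credentials failed.
    return Prompt("Invalid ID/password combination", ("id", "password"))


def is_enumeration_oracle(unknown_caller="5551234"):
    """True if an unknown caller can distinguish 'bad ID' from 'bad password'."""
    bad_id = login_response(unknown_caller, "9999", "000000")
    bad_pw = login_response(unknown_caller, "2001", "000000")
    return bad_id != bad_pw
```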

lindborg Wed, 02/04/2009 - 08:18

cool... good to know. power of the Engineering Special! Hopefully this is "close enough" to the original behavior to make the customer happy.
