Administrator Password Policy

One of the easiest and most frequently used attacks against Microsoft operating systems is to try to log in to the Administrator account, using various well-known passwords. To block that security hole, consider using strong password policies, renaming the Administrator account, and other mechanisms to protect the Administrator account.

The Windows operating system gives administrators the ability to assign restrictions to password and account policies, as shown in Figure 20-6.

Figure 20-6. Implementing Password Restrictions in Windows 2000

A general rule is not to create any user accounts on an IP telephony server. Only administrators and operators should have access to the server. Make sure that these accounts have complex passwords. If a password is too simple, not kept secret, or not changed for a long period, it can be discovered and misused by unauthorized people. The account policy settings should not be modified, because setting the lockout policies can adversely affect the system during the next upgrade (requiring a new installation from scratch). Consider these issues:

  • Setting the account policy is more important for servers with user accounts because otherwise the administrator has no control over the frequency of password changes by the users.
  • The Minimum Password Length parameter determines how short passwords can be. If it is set to zero, blank passwords are allowed. It is recommended that you set this value to at least eight characters.
  • The Passwords Must Meet Complexity Requirements parameter determines whether password complexity is enforced. If this setting is enabled, passwords must meet these requirements:

    - The password is at least six characters long.

    - The password contains characters from at least three of these categories:

    - English uppercase characters (A through Z)

    - English lowercase characters (a through z)

    - Base-10 digits (0 through 9)

    - Nonalphanumeric characters (For example: $, !, %, #, &)

    - The password does not contain three or more characters from the username.

To configure the password policy for an account, complete these steps:

Step 1.

From the Cisco CallManager server, click Start.

Step 2.

Choose Settings.

Step 3.

From the Settings menu, choose Control Panel.

Step 4.

When the Control Panel window opens, click Administrative Tools.

Step 5.

In the Administrative Tools window, click Local Security Policy.

Step 6.

When the Local Security Settings window opens, click Account Policy.

Step 7.

Click Password Policy.

You can configure the password policies to meet complexity requirements and set the minimum length of the password.


You should apply the password complexity settings before you install the Cisco CallManager application. If the passwords applied in the installation process do not fit the complexity requirements, the Cisco CallManager services will no longer be able to start.


Account and Password Considerations

When giving individual users the ability to log in to the Cisco IP Telephony Operating System as administrators, you should create a separate account for each user and put each into the Administrators group. Doing so enables tracking of changes made to the Cisco IP Telephony Operating System. In addition, you could change the default administrator account to a decoy Administrator account that has no rights but is strictly monitored (by enabling auditing of login attempts or usage of that account).


Cisco CallManager installations and upgrades currently require the Administrator account to be used. Before installing or upgrading Cisco CallManager, rename the decoy Administrator account and change the name of the real Administrator account back to "Administrator" on all Cisco CallManager servers in the cluster.

Some corporate security policies require separating the system auditors from the system administrators. To enable more accurate auditing information regarding the identity of an administrator, it is a good practice to create individual accounts for each administrator and make them members of the Administrator group. In addition, separate administration from auditing by creating separate auditor accounts. Auditor accounts should have full rights to logs but should not have any other administrative permission, whereas administrator accounts should have only read access to log files.

Follow general security guidelines for accounts and passwords, such as removing unnecessary accounts and requiring complex passwords, but also harden the server by applying password protection to complementary metal oxide semiconductor (CMOS) access, screen savers, and Hewlett-Packard Integrated Lights-Out (iLO) access (used for out-of-band server management).


More information on iLO can be found at

Part I: Cisco CallManager Fundamentals

Introduction to Cisco Unified Communications and Cisco Unified CallManager

Cisco Unified CallManager Clustering and Deployment Options

Cisco Unified CallManager Installation and Upgrades

Part II: IPT Devices and Users

Cisco IP Phones and Other User Devices

Configuring Cisco Unified CallManager to Support IP Phones

Cisco IP Telephony Users

Cisco Bulk Administration Tool

Part III: IPT Network Integration and Route Plan

Cisco Catalyst Switches

Configuring Cisco Gateways and Trunks

Cisco Unified CallManager Route Plan Basics

Cisco Unified CallManager Advanced Route Plans

Configuring Hunt Groups and Call Coverage

Implementing Telephony Call Restrictions and Control

Implementing Multiple-Site Deployments

Part IV: VoIP Features

Media Resources

Configuring User Features, Part 1

Configuring User Features, Part 2

Configuring Cisco Unified CallManager Attendant Console

Configuring Cisco IP Manager Assistant

Part V: IPT Security

Securing the Windows Operating System

Securing Cisco Unified CallManager Administration

Preventing Toll Fraud

Hardening the IP Phone

Understanding Cryptographic Fundamentals

Understanding the Public Key Infrastructure

Understanding Cisco IP Telephony Authentication and Encryption Fundamentals

Configuring Cisco IP Telephony Authentication and Encryption

Part VI: IP Video

Introducing IP Video Telephony

Configuring Cisco VT Advantage

Part VII: IPT Management

Introducing Database Tools and Cisco Unified CallManager Serviceability

Monitoring Performance

Configuring Alarms and Traces

Configuring CAR

Using Additional Management and Monitoring Tools

Part VIII: Appendix

Appendix A. Answers to Review Questions


Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
EAN: 2147483647
Year: 2004
Pages: 329 © 2008-2020.
If you may any questions please contact us: