Cisco Cisco TelePresence MCU 4510 Maintenance Manual
Configuring security settings
Cisco TelePresence MCU Version 4.2 Printable online help
Page 179 of 252
Advanced account security mode
You can configure the MCU to use advanced account security mode. Advanced account security
mode has the following features:
mode has the following features:
The MCU will hash passwords before storing them in the configuration.xml file (see
The MCU will demand that passwords fullfil certain criteria, using a mixture of alphanumeric and
non-alphanumeric (special) characters (see
non-alphanumeric (special) characters (see
below
)
Passwords will expire after 60 days
A new password for an account must be different from the last ten passwords used with that
account
account
The MCU will disable a user's account if that user incorrectly enters a password three times
consecutively. If this is an admin account, it is disabled for 30 minutes; for any other account, it is
disabled indefinitely (or until you, the administrator, re-enable the account from the User page)
consecutively. If this is an admin account, it is disabled for 30 minutes; for any other account, it is
disabled indefinitely (or until you, the administrator, re-enable the account from the User page)
Non-administrator account holders are not allowed to change their password more than once in
any 24 hour period
any 24 hour period
Administrators can change any user account’s password and force any account to change its
password by selecting Force user to change password on next login on the User page.
Administrators can prevent any non-administrator account from changing its password by
selecting Lock password on the User page.
password by selecting Force user to change password on next login on the User page.
Administrators can prevent any non-administrator account from changing its password by
selecting Lock password on the User page.
The MCU will disable any non-administrator account after a 30 day period of account inactivity. To
re-enable the account, you must edit that account's settings on the User page
re-enable the account, you must edit that account's settings on the User page
If you enable advanced security, all current passwords (created when the MCU was not in advanced
account security mode) will expire and users must change them.
account security mode) will expire and users must change them.
When using Advanced account security mode, we recommend that you rename the default
administrator account. This is especially true where the MCU is connected to the public internet
because security attacks will often use “admin” when attempting to access a device with a public IP
address. Even on a secure network, if the default administrator account is “admin”, it is not
inconceivable that innocent attempts to log into the MCU will cause you to be locked out for 30
minutes.
administrator account. This is especially true where the MCU is connected to the public internet
because security attacks will often use “admin” when attempting to access a device with a public IP
address. Even on a secure network, if the default administrator account is “admin”, it is not
inconceivable that innocent attempts to log into the MCU will cause you to be locked out for 30
minutes.
We recommend that you create several accounts with administrator privileges. This will mean that you
will have an account through which you can access the MCU even if one administrator account has
been locked out.
will have an account through which you can access the MCU even if one administrator account has
been locked out.
If there are applications accessing the MCU, for example TMS, Conference Director, or any other API
application, we recommend that you create dedicated administrator accounts for each application.
application, we recommend that you create dedicated administrator accounts for each application.
In advanced account security mode, if a user logs in with a correct but expired password the MCU
asks that user to change the password. If the user chooses not to change it, that user is allowed two
more login attempts to change the password before the account gets disabled.
asks that user to change the password. If the user chooses not to change it, that user is allowed two
more login attempts to change the password before the account gets disabled.
Hashing passwords
In advanced account security mode, the MCU will hash passwords before storing them in the
configuration.xml file. The configuration.xml file is used for backing up and restoring the configuration
of the MCU (see
configuration.xml file. The configuration.xml file is used for backing up and restoring the configuration
of the MCU (see
). If you do not select to use advanced password
security, all user passwords are stored in plain text in the configuration.xml; this might be a security
issue. If you select to use advanced password security, they will not be stored anywhere on the MCU
in plain text; instead the passwords will be stored as hash sums. Note that hashing user passwords is
an irreversible process.
issue. If you select to use advanced password security, they will not be stored anywhere on the MCU
in plain text; instead the passwords will be stored as hash sums. Note that hashing user passwords is
an irreversible process.