Configuring PIN Security for a UM-Enabled User
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
When a subscriber or a Microsoft Exchange Server 2010 Unified Messaging (UM) user uses a telephone to connect to a Unified Messaging server, the user uses Outlook Voice Access to navigate the Unified Messaging menu system. However, before users can access the Unified Messaging system, the system prompts them to input their PIN. As the administrator, you can configure PIN settings and requirements and perform PIN management tasks. After a user has been enabled for Unified Messaging and a PIN has been generated or created, a hash that's a mathematical computation of the user's PIN is stored in the user's mailbox. The checksum for the PIN is stored in Active Directory in an attribute called ExUMPINChecksum.
Subscribers must use touchtone or dual tone multi-frequency (DTMF) inputs to input their PIN to access their UM-enabled mailbox. Speech recognition is not enabled for PIN input.
Looking for other management tasks related to UM mailbox policies? Check out Managing UM Mailbox Policies.
Managing Unified Messaging PINs
A PIN is a numeric string that's used in certain systems, including Unified Messaging systems, so that a user can be authenticated and gain access. A PIN is a passcode that users enter on the telephone to access their Exchange Server mailbox. The strength of the PIN depends on its length, how well it's protected, and how difficult it is to guess.
PINs are most frequently used for automatic teller machines (ATMs). However, they are also used for Unified Messaging systems instead of alphanumeric passwords. In Exchange 2010 Unified Messaging, the PIN is entered over an analog, digital, or mobile telephone and is used to gain access to the user's mailbox that includes e-mail, voice mail, and calendaring information.
In Exchange 2010 Unified Messaging, PIN policies are defined and configured on a UM mailbox policy. Multiple UM mailbox policies can be created depending on your requirements. When you enable a user for Exchange 2010 Unified Messaging, you associate or link the user to an existing UM mailbox policy. The UM PIN policies that are configured on the UM mailbox policy should be based on the security requirements of your organization.
The following are several PIN configuration settings that you can set on a UM mailbox policy in Exchange 2010.
Minimum PIN Length
The Minimum PIN Length setting specifies the minimum number of digits that a mailbox PIN can be. The range is 4 through 24, and the default is 6. If you enter 0, users aren't required to enter a PIN.
Configuring this setting to zero isn't recommended. Doing so greatly decreases the level of security for your network.
If you change the minimum PIN length to a higher value, existing subscribers are prompted to enter a new PIN that contains the new minimum number of digits before they can continue.
Increasing this number creates a more secure UM environment. However, setting it too high can result in users forgetting their PIN.
PIN Lifetime
The PIN Lifetime setting controls the time interval, in days, from the date subscribers last changed their PIN to the date they'll be forced to change their PIN again. The range is 0 through 999, and the default is 60 days. If 0 is entered, the PIN won't expire.
Unified Messaging won't notify users when their PIN is about to expire.
Logon Failures Before PIN Reset
The Logon Failures Before PIN Reset setting specifies the number of sequential unsuccessful logon attempts before the mailbox PIN is automatically reset. To disable this feature, set this setting to unlimited. Otherwise, it must be set to a number lower than the Maximum Logon Attempts setting. The range is 1 through 998, and the default is 5.
To increase security for UM-enabled users, enter a number that's less than 5.
Maximum Logon Attempts
The Maximum Logon Attempts setting specifies how many PIN entry errors in successive calls subscribers can make before they're locked out of their mailbox. By default, after 5 attempts are made, the PIN is automatically reset. The range is 1 through 999, and the default is 15.
To increase security, decrease the number of failed attempts. But remember that decreasing it to a number much lower than the default may result in users being locked out unnecessarily. Unified Messaging will generate warning events that can be viewed using Event Viewer if PIN authentication fails for a UM-enabled user or the user is unsuccessful in trying to log on to the system.
Allow Common Patterns
The Allow Common Patterns setting enables or disables the use of common number patterns when creating a PIN. By default, this setting is disabled, and users can't use the following number patterns:
Sequential numbers: PIN values that consist entirely of consecutive numbers. Examples of sequential numbers are 1234 and 65432.
Repeated numbers: PIN values that consist of a single repeated number. Examples of repeated numbers are 11111 and 22222.
Suffix of mailbox extension: PIN values that match the suffix of the user's mailbox extension. If the mailbox extension is 36697, the PIN can't be 6697.
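The following function, added here as an illustration and not part of Exchange or this Microsoft page, models the three patterns that the Allow Common Patterns setting rejects so that an administrator can pre-check a PIN (for example, a temporary PIN to be handed out) in the Exchange Management Shell. The function name, the treatment of a PIN that equals the whole extension as a suffix match, and the assumption that sequences don't wrap around (9012 is not treated as sequential) are this example's own choices.

```powershell
# Added example, not Microsoft's code: reproduces the PIN patterns that a UM
# mailbox policy rejects when AllowCommonPatterns is $false.
function Test-UMCommonPinPattern {
    param(
        [Parameter(Mandatory=$true)][string]$Pin,
        [string]$Extension = ''   # the user's mailbox extension, if known
    )
    if ($Pin -notmatch '^\d+$') { throw 'A UM PIN must consist of digits only' }
    $digits = $Pin.ToCharArray() | ForEach-Object { [int][string]$_ }

    # Repeated numbers: every digit identical (11111, 22222)
    $repeated = (@($digits | Select-Object -Unique)).Count -eq 1

    # Sequential numbers: each digit differs from the previous one by exactly
    # +1 (1234) or exactly -1 (65432) for the whole PIN; no wrap-around assumed
    $ascending = $true; $descending = $true
    for ($i = 1; $i -lt $digits.Count; $i++) {
        if ($digits[$i] -ne ($digits[$i-1] + 1)) { $ascending  = $false }
        if ($digits[$i] -ne ($digits[$i-1] - 1)) { $descending = $false }
    }
    $sequential = $ascending -or $descending

    # Suffix of mailbox extension: extension 36697 makes 6697 (and 36697) invalid
    $suffix = ($Extension -ne '') -and $Extension.EndsWith($Pin)

    New-Object PSObject -Property @{
        Pin             = $Pin
        Sequential      = $sequential
        Repeated        = $repeated
        ExtensionSuffix = $suffix
        Allowed         = -not ($sequential -or $repeated -or $suffix)
    }
}

# Sample (constructed) inputs: the page's own examples plus one acceptable PIN
'1234', '65432', '11111', '6697', '739214' |
    ForEach-Object { Test-UMCommonPinPattern -Pin $_ -Extension '36697' } |
    Format-Table Pin, Sequential, Repeated, ExtensionSuffix, Allowed -AutoSize
```

Only the last sample PIN reports Allowed as True; the policy's length, history and lifetime rules are enforced separately by the server and are not modelled here.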
PIN History Count
The PIN History Count setting configures the number of different PINs a user must use before any PINs that were previously used can be reused. The range is 1 through 20, and the default is 5.
Managing Unified Messaging PINs
When planning for UM PINs, you must make sure that you choose the appropriate levels of security for your organization. You must carefully consider the UM PIN requirements and how your PIN security settings meet or exceed your organization's security policy.
It's a security best practice to implement strong PIN requirements for Unified Messaging users. You can enforce this by creating Unified Messaging PIN policies that require six or more digits for PINs, which increases the level of security for your network.
After you set the PIN requirements that meet the security requirements for your organization, you must create and configure a UM mailbox policy to enforce your organizational PIN requirements. For more information about how to create and manage a UM mailbox policy, see Managing UM Mailbox Policies.
After you create the UM mailbox policy, you must associate the UM-enabled user or users with the appropriate UM mailbox policy. You can perform this task by using the Enable-UMMailbox Exchange Management Shell command. For more information about the Exchange Management Shell command, see the Enable-UMMailbox reference topic.
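The following Exchange Management Shell script, added as an example and not taken from this page or from Microsoft, carries out the steps above in one pass: it applies the six PIN settings described earlier to a UM mailbox policy, refuses a combination that breaks the rule that Logon Failures Before PIN Reset must be lower than Maximum Logon Attempts, links a user to the policy with Enable-UMMailbox, and then audits every UM mailbox policy for the weak values this page warns about. The policy name "HardenedUMPolicy", the dial plan "ContosoDialPlan", the user "kim@contoso.com" and extension 36697 are placeholders, and the chosen values are one reasonable hardening choice within the documented ranges, not a Microsoft recommendation.

```powershell
# Added example (not Microsoft's sample code). Assumed names: policy
# "HardenedUMPolicy", dial plan "ContosoDialPlan", user "kim@contoso.com".
$policyName = 'HardenedUMPolicy'
$pin = @{
    MinPINLength                = 8      # range 4-24; 0 would waive the PIN entirely
    PINLifetime                 = 60     # days; 0 means the PIN never expires
    PINHistoryCount             = 10     # distinct PINs required before reuse
    AllowCommonPatterns         = $false # reject 1234, 65432, 11111, extension suffix
    LogonFailuresBeforePINReset = 3      # must stay below MaxLogonAttempts
    MaxLogonAttempts            = 10     # failures across calls before lockout
}

# Guard the constraint the page states: the reset threshold must be lower
# than the lockout threshold, or the combination makes no sense.
if ($pin.LogonFailuresBeforePINReset -ge $pin.MaxLogonAttempts) {
    throw 'LogonFailuresBeforePINReset must be lower than MaxLogonAttempts'
}

# Create the policy if it does not exist yet, then apply the PIN settings.
if (-not (Get-UMMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UMMailboxPolicy -Name $policyName -UMDialPlan 'ContosoDialPlan' | Out-Null
}
Set-UMMailboxPolicy -Identity $policyName @pin

# Link the user to the policy; PinExpired forces a new PIN at first logon,
# so the generated temporary PIN never stays in use.
Enable-UMMailbox -Identity 'kim@contoso.com' -UMMailboxPolicy $policyName `
    -Extensions 36697 -PinExpired $true

# Audit all UM mailbox policies for the weak settings this page warns about.
# Unlimited<int> values are compared as strings so "Unlimited" is caught too.
Get-UMMailboxPolicy | ForEach-Object {
    $findings = @()
    if ([int]$_.MinPINLength -lt 6)                          { $findings += 'MinPINLength below 6' }
    if ($_.AllowCommonPatterns)                               { $findings += 'common patterns allowed' }
    if (@('0','Unlimited') -contains "$($_.PINLifetime)")     { $findings += 'PIN never expires' }
    if ("$($_.MaxLogonAttempts)" -eq 'Unlimited')             { $findings += 'no lockout' }
    New-Object PSObject -Property @{
        Policy   = $_.Name
        Findings = if ($findings) { $findings -join ', ' } else { 'OK' }
    }
} | Format-Table Policy, Findings -AutoSize
```

Failed PIN logons are also written to the Application log as warning events, so the audit above complements, rather than replaces, monitoring those events in Event Viewer.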
There are situations in which UM users forget their PIN or are locked out of UM access to their mailbox. In either case, it may be necessary for you to reset a UM-enabled user's PIN. For more information about how to reset a user's PIN, see Reset a Unified Messaging PIN for a UM-Enabled User.
© 2010 Microsoft Corporation. All rights reserved.