Configuring PIN Security for UM-Enabled Users
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
When a subscriber or a Microsoft Exchange Server 2007 Unified Messaging (UM) user uses a telephone to connect to a computer that has the Unified Messaging server role installed, the user uses Outlook Voice Access to navigate the Unified Messaging menu system. Before the user can access the Unified Messaging system, however, it prompts them to enter their PIN. As the administrator, you can configure PIN settings and requirements and perform PIN management tasks. After a user has been enabled for Unified Messaging and a PIN has been generated or created, a hash of the user's PIN (not the PIN itself) is stored in the user's mailbox, and a checksum for the PIN is stored in Active Directory in an attribute called ExUMPINChecksum.
A subscriber must use touchtone or dual tone multi-frequency (DTMF) inputs to input their PIN to access their UM-enabled mailbox. Speech recognition is not enabled for PIN input.
A PIN is a numeric string that is used in certain systems, including unified messaging systems, so that a user can be authenticated and gain access. A PIN is a pass code that a user enters on the telephone to access their Exchange Server mailbox. The strength of the PIN depends on its length, how well it is protected, and how difficult it is to guess.
PINs are most frequently used for automatic teller machines (ATMs). However, they are also used for unified messaging systems instead of alphanumeric passwords. In Microsoft Exchange 2007 Unified Messaging, the PIN is entered over an analog, digital, or cellular telephone and is used to gain access to the user's mailbox that includes e-mail, voice mail, and calendaring information.
In Exchange 2007 Unified Messaging, PIN policies are defined and configured on a UM mailbox policy. Multiple UM mailbox policies can be created depending on your requirements. When you enable a user for Exchange Server 2007 Unified Messaging, you associate or link the user to an existing UM mailbox policy. The UM PIN policies that are configured on the UM mailbox policy should be based on the security requirements of your organization.
The following are several PIN configuration settings that you can set on a UM mailbox policy in Exchange 2007.
Minimum PIN Length
The Minimum PIN Length setting specifies the minimum number of digits that a mailbox PIN must contain. The range is 4 through 24, and the default is 6. The special value 0 is also accepted; if you enter 0, users are not required to enter a PIN at all.
Configuring this setting to zero is not recommended. With a minimum length of zero, callers can reach a mailbox without presenting a PIN, which greatly decreases the level of security for your network.
If you raise the minimum PIN length, existing subscribers are prompted to enter a new PIN that contains at least the new minimum number of digits before they can continue.
Increasing this number creates a more secure UM environment. However, setting it too high can result in users forgetting their PIN.
PIN Lifetime
The PIN Lifetime setting controls the interval, in days, from the date subscribers last changed their PIN to the date they are forced to change it again. The range is 0 through 999, and the default is 60 days. If 0 is entered, the PIN never expires.
Unified Messaging will not notify the user when their PIN is about to expire.
Logon Failures Before PIN Reset
The Logon Failures Before PIN Reset setting specifies the number of sequential unsuccessful logon attempts before the mailbox PIN is automatically reset. To disable this feature, set the value to Unlimited. Otherwise, it must be lower than the Maximum Logon Attempts setting, so that the PIN is reset before the mailbox is locked out. The range is 1 through 998, and the default is 5.
To increase security for UM-enabled users, enter a number that is less than 5.
Maximum Logon Attempts
The Maximum Logon Attempts setting specifies how many PIN entry errors, accumulated across successive calls, subscribers can make before they are locked out of their mailbox. The range is 1 through 999, and the default is 15. With the default settings, the PIN is therefore automatically reset after 5 failed attempts (the Logon Failures Before PIN Reset default) and the mailbox is locked out after 15.
To increase security, decrease the number of failed attempts. Remember, however, that decreasing it to a number much lower than the default may result in users being locked out unnecessarily. Unified Messaging generates warning events, which you can view in Event Viewer, when PIN authentication fails for a UM-enabled user or the user otherwise cannot log on to the system.
Allow Common Patterns
The Allow Common Patterns setting enables or disables the use of common number patterns in a PIN. By default, this setting is disabled, and users cannot choose a PIN that matches any of the following patterns:
Sequential numbers: PIN values that consist entirely of consecutive digits, ascending or descending. Examples are 1234 and 65432.
Repeated numbers: PIN values that consist of a single repeated digit. Examples are 11111 and 22222.
Suffix of mailbox extension: PIN values that match the trailing digits of the user's mailbox extension. If the mailbox extension is 36697, the PIN cannot be 6697.
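The following PowerShell function is an added example, not code from the Exchange documentation or the product, that mirrors the three pattern rules listed above so that a help desk can screen a PIN before assigning it. Exchange does not document the exact logic it applies beyond the examples given, so this check is an approximation built from those examples; the function name, its parameters and the sample PINs and extension are this example's own.

```powershell
# Added example: screen a candidate PIN against the "common pattern" rules
# described on this page. Test-UMCommonPattern is not an Exchange cmdlet.
function Test-UMCommonPattern {
    param(
        [Parameter(Mandatory = $true)][string]$Pin,
        [string]$Extension = ''          # the user's mailbox extension, if known
    )

    $reasons = @()

    if ($Pin -notmatch '^\d+$') {
        return New-Object PSObject -Property @{
            Pin = $Pin; Allowed = $false; Reasons = @('PIN must contain only digits')
        }
    }

    $digits = @($Pin.ToCharArray() | ForEach-Object { [int]::Parse([string]$_) })

    # Repeated numbers: every digit identical (11111, 22222).
    if (@($digits | Select-Object -Unique).Count -eq 1) {
        $reasons += 'repeated numbers'
    }

    # Sequential numbers: each digit is the previous one +1 (1234) or -1 (65432).
    $ascending = $true
    $descending = $true
    for ($i = 1; $i -lt $digits.Count; $i++) {
        if ($digits[$i] -ne $digits[$i - 1] + 1) { $ascending = $false }
        if ($digits[$i] -ne $digits[$i - 1] - 1) { $descending = $false }
    }
    if ($digits.Count -gt 1 -and ($ascending -or $descending)) {
        $reasons += 'sequential numbers'
    }

    # Suffix of mailbox extension: the PIN equals the extension or its trailing digits.
    if ($Extension -and $Extension.EndsWith($Pin)) {
        $reasons += 'suffix of mailbox extension'
    }

    New-Object PSObject -Property @{
        Pin     = $Pin
        Allowed = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample inputs: one PIN per rule, plus one that passes.
'1234', '65432', '11111', '6697', '482915' |
    ForEach-Object { Test-UMCommonPattern -Pin $_ -Extension '36697' } |
    Format-Table Pin, Allowed, @{ Name = 'Reasons'; Expression = { $_.Reasons -join ', ' } }
```

Run from any PowerShell prompt; the sample call lists the first four PINs as disallowed, each with the rule it trips, and 482915 as allowed. Note that the function rejects a PIN that matches any rule, which is the behaviour the setting's default (disabled) implies.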
PIN History Count
The PIN History Count setting configures the number of different PINs a user must use before any PINs that were previously used can be reused. The range is 1 through 20, and the default is 5.
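The settings above map directly onto parameters of the Set-UMMailboxPolicy cmdlet. The following Exchange Management Shell script is an added example, not from the Exchange documentation, that tightens one policy relative to the defaults described above and then audits every UM mailbox policy against the guidance on this page. The policy name "Contoso Hardened UM Policy" and the chosen values are assumptions; substitute a policy returned by Get-UMMailboxPolicy and values that match your organization's security policy.

```powershell
# Added example (not from the Exchange documentation). Run from the Exchange
# Management Shell on an Exchange 2007 server. The policy name is an assumption.
$policyName = 'Contoso Hardened UM Policy'   # assumed existing UM mailbox policy

$pinSettings = 'Name', 'MinPINLength', 'PINLifetime', 'LogonFailuresBeforePINReset',
               'MaxLogonAttempts', 'AllowCommonPatterns', 'PINHistoryCount'

# Record the current values so the change can be reviewed or rolled back.
Get-UMMailboxPolicy -Identity $policyName | Format-List $pinSettings

# Tighten the policy relative to the defaults described on this page:
#   8-digit minimum (default 6), 30-day lifetime (default 60),
#   reset the PIN after 3 consecutive failures (default 5; must stay below MaxLogonAttempts),
#   lock the mailbox after 10 failures across calls (default 15),
#   keep common patterns blocked and remember the last 10 PINs (default 5).
Set-UMMailboxPolicy -Identity $policyName `
    -MinPINLength 8 `
    -PINLifetime 30 `
    -LogonFailuresBeforePINReset 3 `
    -MaxLogonAttempts 10 `
    -AllowCommonPatterns $false `
    -PINHistoryCount 10

# Audit every UM mailbox policy and report the ones that fall short.
# PINLifetime and LogonFailuresBeforePINReset are Exchange "Unlimited" values,
# so read .IsUnlimited and .Value instead of comparing the raw object.
foreach ($p in Get-UMMailboxPolicy) {
    $findings = @()
    if ($p.MinPINLength -eq 0) {
        $findings += 'MinPINLength is 0: callers are not required to enter a PIN'
    } elseif ($p.MinPINLength -lt 6) {
        $findings += "MinPINLength $($p.MinPINLength) is below the recommended 6"
    }
    if ($p.PINLifetime.IsUnlimited -or $p.PINLifetime.Value -eq 0) {
        $findings += 'PINLifetime is unlimited: PINs never expire'
    }
    if ($p.AllowCommonPatterns) {
        $findings += 'AllowCommonPatterns is enabled'
    }
    if (-not $p.LogonFailuresBeforePINReset.IsUnlimited -and
        $p.LogonFailuresBeforePINReset.Value -ge $p.MaxLogonAttempts) {
        $findings += 'LogonFailuresBeforePINReset is not lower than MaxLogonAttempts'
    }

    if ($findings.Count -gt 0) {
        Write-Warning ('{0}: {1}' -f $p.Name, ($findings -join '; '))
    } else {
        Write-Host ('{0}: PIN settings meet the recommended minimums' -f $p.Name)
    }
}
```

Raising MinPINLength forces existing subscribers to choose a longer PIN at their next logon, as described under Minimum PIN Length, so schedule the change and tell users beforehand.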
Managing Unified Messaging PINs
When planning for UM PINs, you must make sure that you choose the appropriate levels of security for your organization. You must give careful consideration to the UM PIN requirements and how your PIN security settings will meet or exceed your organization's security policy.
It is a security best practice to implement strong PIN requirements for Unified Messaging users. You enforce them by creating UM mailbox policies that require six or more digits for PINs, which increases the level of security for your network.
After you set the PIN requirements that meet the security requirements for your organization, you must create and configure a UM mailbox policy to enforce your organizational PIN requirements. For more information about how to create and manage a UM mailbox policy, see Managing Unified Messaging Mailbox Policies.
After you create the UM mailbox policy, you must associate the UM-enabled user or users with the appropriate UM mailbox policy. You can perform this task by using the Enable-UMMailbox cmdlet in the Exchange Management Shell. For more information about the cmdlet, see the Enable-UMMailbox reference topic.
There are situations in which UM users forget their PIN or are locked out of UM access to their mailbox. In either case, it may be necessary for you to reset a UM-enabled user's PIN. For more information about how to reset a user's PIN, see How to Reset a User's Unified Messaging PIN.
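The following Exchange Management Shell script is an added example, not from the Exchange documentation, that walks through the per-user steps described above: enabling a user for UM under a chosen policy, finding users who are locked out or whose PIN has expired, and resetting a forgotten PIN. The user name, extension and policy name are assumptions; Get-UMMailboxPIN and Set-UMMailboxPIN are the Exchange 2007 cmdlets for inspecting and resetting a user's UM PIN.

```powershell
# Added example (not from the Exchange documentation). Run from the Exchange
# Management Shell. The user, extension and policy name are assumptions.
$policyName = 'Contoso Hardened UM Policy'
$user       = 'tony.smith@contoso.com'

# Associate the user with the policy while enabling UM. The generated PIN is
# marked expired so the user must choose their own PIN, which the policy's
# length, pattern and history rules then apply to.
Enable-UMMailbox -Identity $user -UMMailboxPolicy $policyName `
    -Extensions 36697 -PinExpired $true

# Find UM-enabled users who are currently locked out or whose PIN has expired.
# (Nothing warns the user before expiry, so this is how an administrator sees it.)
Get-UMMailbox |
    ForEach-Object { Get-UMMailboxPIN -Identity $_.Identity } |
    Where-Object { $_.LockedOut -or $_.PinExpired } |
    Format-Table UserID, LockedOut, PinExpired, FirstTimeUser

# Reset a forgotten PIN after verifying the caller's identity out of band:
# without -Pin the cmdlet generates a new PIN, -PinExpired forces the user to
# replace it at first logon, and -LockedOut $false clears any lockout.
Set-UMMailboxPIN -Identity $user -PinExpired $true -LockedOut $false
```

Avoid passing a chosen value with -Pin on the command line where it can be captured in shell history or logs; letting the cmdlet generate the PIN and expire it immediately keeps the administrator from ever knowing the user's long-term PIN.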
For More Information
For more information about UM mailbox policies, see Understanding Unified Messaging Mailbox Policies.
For more information about how to associate a UM mailbox policy to a UM user, see How to Modify the Unified Messaging Properties for a User.
For more information about how to configure Unified Messaging PIN policies, see How to Set PIN Policies for Unified Messaging Users.