Advanced Account Security; Enabling Advanced Account Security; Prerequisites; Vcs Functionality: Changes And Limitations - Cisco TelePresence Administrator's Manual

Grey Headline (continued)

Advanced account security

The VCS's Advanced account security mode is used to configure
the VCS for use in highly secure environments.
Enabling advanced account security limits login access to
remotely authenticated users using the web interface only, and
also restricts access to some VCS features. To indicate that
the VCS is in secure mode, a Classification banner message is
displayed on every web page.
This functionality can only be enabled if the Advanced
account security option key is installed.

Prerequisites

Before advanced account security mode can be enabled, the
VCS must be configured to use remote account authentication
administrator accounts.
Ensure that the remote directory service is working
!
properly, as after advanced account security is enabled
you will not be able to log in to the VCS via the local
admin account or as root.
You are also recommended to configure your system so that:
•
SNMP is disabled
•
the session time out period is set to a non-zero value
•
HTTPS client certificate validation is enabled
•
login account LDAP server configuration uses TLS encryption
and has Certificate revocation list (CRL) checking set to All
•
remote logging is disabled
•
incident reporting is disabled
•
any connection to an external manager uses HTTPS and has
certificate checking enabled
Overview and System
Introduction
status configuration
D14049.08
November 2010
Overview

VCS functionality: changes and limitations

When in secure mode, the following changes and limitations to
standard VCS functionality apply:
•
access over SSH, Telnet, and through the serial port is
disabled and cannot be turned on
•
access over HTTPS is enabled and cannot be turned off
•
the command line interface (CLI) is unavailable
•
the root account, the admin account and any other local
administrator accounts are disabled
•
if there are three consecutive failed attempts to log in (by the
same or different users), login access to the VCS is blocked
for 60 seconds
•
immediately after logging in, the current user is shown
for
statistics of when they previously logged in and details of any
failed attempts to log in using that account
•
administrator accounts with Read-Only or Read-Write access
levels cannot view the Event Log and Configuration Log pages
(these pages can only be viewed by accounts with Auditor
access level)
•
the Upgrade page only displays the VCS platform component
•
downgrades to version X5.0 or below are not allowed
•
the classification banner is displayed on every web page
Cisco VCS Zones and Clustering and
configuration neighbors peers
Call Bandwidth
processing control
159
CISCO TELEPRESENCE VIDEO COMMUNICATION SERVER

Enabling advanced account security

To enable advanced account security using the web interface:
•
Maintenance > Advanced account security.
You are taken to the Advanced account security page.
To configure advanced account security using the CLI:
xConfiguration Certification
•
AdvancedAccountSecurity Mode
Advanced account security mode
The options for this setting are:
On: puts the VCS into secure mode.
Off: takes the VCS out of secure mode. Note that the Event Log,
Configuration Log, call history, search history and registration
history are cleared whenever the VCS is taken out of secure
mode.
Before advanced account security can be enabled the
system checks that all prerequisites are in place.
Warnings are also raised for any non-recommended
configuration settings.
A system reboot is required for changes to the Advanced
account security mode to take effect.
Classification banner
Text entered here is displayed as a banner on every page when
the VCS is in secure mode.
Firewall
Applications Maintenance
traversal
ADMINISTRATOR GUIDE
Appendices