Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2006-10-20

The Unified Messaging (UM) mailbox policies PIN Policies tab is used to configure PIN settings for users who are associated with a UM mailbox policy. Unified Messaging PINs enable users to access their Inboxes by using a telephone. By configuring settings on this page, you can specify the minimum number of digits for a UM PIN or the number of failed logon attempts before a user is locked out of their UM mailbox.

Make sure that you plan carefully for the UM PIN policies that you implement in your environment. If you do not plan and implement the appropriate UM PIN policies, you may introduce security threats and mistakenly allow unauthorized access to your network.

Use this page to configure the following settings for a UM mailbox policy:

Minimum PIN length
  • Use this text box to specify the minimum number of digits that a Unified Messaging user's PIN can contain.

  • Increasing the number of digits that are required for a PIN increases the level of security for your Unified Messaging system. Decreasing the number of digits required for a PIN reduces the level of security for your network. The fewer the digits that are required in a PIN, the easier it is for a potential attacker to guess a user's PIN.

  • If this setting is set too high, users might have problems remembering their PINs. However, if the setting is too low, you risk unauthorized access to the Unified Messaging system.

  • The default setting is six digits. The range is from 4 to 24 numeric digits. This setting cannot be disabled.

PIN lifetime (days)
  • Use this text box to configure the number of days until the UM-enabled user's PIN expires.

  • After the PIN expires, the user must create a new UM PIN.

  • The value of this setting can be between 0 and 999. If it is set to 0, PINs never expire. Setting this value too low can frustrate users because they are required to create and memorize new PINs too frequently.

  • For most organizations, this value should be set to the default of 60 days.

Failed logon attempts before automatic PIN reset
  • Use this text box to enter the number of sequential unsuccessful or failed logon attempts that can occur before the Unified Messaging system automatically resets a user's PIN.

  • The value of this setting can be between 0 and 999. If you set this setting to 0, this setting is disabled and the system will not automatically reset users' PINs. Setting this value too low can frustrate users; setting it too high gives malicious users more attempts to determine the PIN.

  • For most organizations, this value should be set to the default of 5 attempts.

  • This setting must be set to a number that is lower than the number configured in the Failed logon attempts before lockout setting. This setting is designed to help prevent a brute force attack on user PINs.

Failed logon attempts before lockout
  • Use this text box to enter the maximum number of sequential unsuccessful or failed logon attempts before a user is locked out of their mailbox.

  • For example, if a user tries to log on to their mailbox unsuccessfully five times, based on the Failed logon attempts before automatic PIN reset setting, the system will reset the user's PIN. If the user tries to use their new PIN five more times unsuccessfully, the system will again reset their PIN. If the user tries to use this new PIN five more times unsuccessfully, the user is then locked out of their mailbox. After a user is locked out, an administrator must manually reset or unlock the mailbox for the user.

  • This value can be set between 1 and 999. Setting this value too low can frustrate users; setting it too high gives malicious users more attempts to determine the PIN. For most organizations, this value should be set to the default of 15 attempts.

  • This number must be greater than the number that is set in the Failed logon attempts before automatic PIN reset setting. This setting is designed to help prevent a brute force attack on user PINs.

Number of previous PINs to disallow
  • Use this setting to set the number of unique PINs that a user must use before they can reuse an old PIN.

  • You can set the value of this setting between 1 and 20. Setting this value too high can frustrate users because it can be difficult to memorize many PINs. Setting it too low may introduce a security threat to your network.

  • For most organizations, this value should be set to the default of 5 PINs that the system will remember. PIN history cannot be disabled.

Allow common patterns in PIN
  • Use this setting to set PIN complexity requirements for Unified Messaging. These complexity requirements are enforced on PIN changes or when new PINs are created.

  • As a security best practice, it is recommended that you enforce these complexity requirements by not allowing common patterns. When common patterns are not allowed, user PINs cannot contain the following:

    • Sequential numbers, such as 123456 or 456789.

    • Repeated numbers, such as 111111 or 8888888.

    • Suffix of the mailbox extension.

  • If this option is disabled, sequential and repeated numbers and the suffix of the mailbox extension will be rejected. If this option is enabled, only the suffix of the mailbox extension will be rejected.
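As an added example (not from the Exchange documentation or product code), the following Python model shows how the Failed logon attempts before automatic PIN reset and Failed logon attempts before lockout thresholds interact in the five, ten and fifteen failure walk-through above, and how the common-pattern rules reject candidate PINs. It assumes that "suffix of the mailbox extension" means the PIN equals the trailing digits of the user's extension, and it also treats descending runs (654321) as sequential, which the page does not state.

```python
from dataclasses import dataclass

def _is_sequential(pin: str) -> bool:
    # every digit is the previous one plus or minus 1 (123456, 456789, 654321)
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def _is_repeated(pin: str) -> bool:
    return len(set(pin)) == 1  # a single digit repeated, such as 111111

def pin_rejection_reason(pin, extension, min_pin_length=6, allow_common_patterns=False):
    """Return why a proposed PIN would be rejected, or None if it is acceptable."""
    if not pin.isdigit():
        return "not numeric"
    if len(pin) < min_pin_length:
        return "shorter than minimum PIN length"
    # Assumed reading of "suffix of the mailbox extension": the PIN equals the
    # trailing digits of the user's extension; this check applies in both modes.
    if extension and extension.endswith(pin):
        return "suffix of mailbox extension"
    if not allow_common_patterns and _is_sequential(pin):
        return "sequential digits"
    if not allow_common_patterns and _is_repeated(pin):
        return "repeated digits"
    return None

@dataclass
class UmLogonState:
    """Consecutive-failure counter: PIN reset every reset_after failures, lockout at lockout_after."""
    reset_after: int = 5      # Failed logon attempts before automatic PIN reset (0 disables)
    lockout_after: int = 15   # Failed logon attempts before lockout
    consecutive_failures: int = 0
    pin_resets: int = 0
    locked_out: bool = False

    def __post_init__(self):
        if self.reset_after and self.reset_after >= self.lockout_after:
            raise ValueError("PIN reset threshold must be lower than the lockout threshold")

    def record_failure(self) -> str:
        if self.locked_out:
            return "locked out"
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.lockout_after:
            self.locked_out = True
            return "locked out"
        if self.reset_after and self.consecutive_failures % self.reset_after == 0:
            self.pin_resets += 1
            return "pin reset"
        return "failed"
```

With the defaults (5 and 15), fifteen consecutive failures produce two automatic PIN resets and then a lockout that only an administrator can clear.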
