Lucent Technologies BCS Products Security Handbook
BCS Products Security Handbook 555-025-600 Issue 6 December 1997 Administering Features of the DEFINITY G3V3 and Later, Including DEFINITY ECS Page D-9 Administering the SVN Feature D

- Announcement Extension
  Enter an extension that is assigned to an SVN authorization code announcement. The announcement must be recorded for the SVN referral call to be made. A repeating announcement is suggested, especially if the SVN referral call might go to an answering machine.

3. Administer an “asvn-halt” button on any station/attendant console. The location of the SVN button can be determined by entering the display svn-button-location command. Activation of this button stops the placement of authorization code referral calls until the button is deactivated.

Administering the Station Security Code Component

Page 2 of the Security-Related System Parameters form allows the user to administer parameters relevant to Station Security Codes. This page appears only for Release 5 versions or later of G3.

To administer parameters for Station Security Codes, do the following:

1. Access the Security-Related System Parameters form by entering the change system-parameters security command from the command line interface.
2. Populate the following fields:

- Minimum Station Security Code Length
  Enter a minimum Station Security Code length (3 through 8). This value is used to verify all subsequent security code changes; however, any existing security codes are assumed to be valid. Default is 4.
- SVN Station Security Code Violation Notification Enabled?
  Activate (by entering y) or deactivate (by entering n) the security violation notification for Station Security Codes. Default is n.
- Originating Extension
  This is a dynamic field that is displayed only when the “SVN Station Security Code Violation Enabled” field is set to y. Whenever a Station Security Code Security Violation Notification Referral call is made, the extension in this field is internally the originating extension.
  It has no other significance than that it is not available for use as a normal extension. Enter any unassigned extension containing five digits.
- Referral Destination
  This is a dynamic field that is displayed only when the “SVN Station Security Code Violation Notification Enabled” field is set to y. Whenever a Station Security Code SVN Referral call is made, it is made either to the extension (if provided) in this field or to the attendant (if the field contains attd). If the destination is a station, and if the “Announcement Extension” field is set to blank, the destination must be equipped with a display module. Enter one of the following: an assigned extension containing 5 digits, or attd for attendant.
- Station Security Code Threshold
  The value in this field works in conjunction with the value in the “Time Interval” field. The threshold is a noteworthy count of invalid attempts to use Station Security Codes which, if exceeded within the period given in the “Time Interval” field, constitutes a security violation. Whenever this occurs, a Station Security Code Violation Notification Referral call is made. Invalid attempts are also logged, but they are ignored unless the count of such attempts exceeds the administered threshold. This is a dynamic field that is displayed only when the “SVN Station Security Code Violation Notification Enabled” field is set to y. Enter a number between 1 and 255. Default is 10.
- Time Interval
  The value in this field works in conjunction with the value in the “Station Security Code Threshold” field. The threshold is a noteworthy count of invalid attempts to use Station Security Codes which, if exceeded within the period given in this field, constitutes a security violation. Whenever this occurs, a Station Security Code Violation Notification Referral call is made (unless this capability has been suppressed). This is a dynamic field that is displayed only when the “SVN Station Security Code Violation Notification Enabled” field is set to y. Enter a value from 0:01 to 7:59. The first digit represents the hour, and the second and third digits represent the minutes. Default is 0:03.
- Announcement Extension
  This field contains an extension corresponding to a recorded announcement that is to be played whenever a Station Security Code SVN Referral call is made. This allows the referral destination to be a phone without a display. This is a dynamic field that is displayed whenever the corresponding “SVN Violation Notification Enabled” field is set to y. Enter a 5-digit extension to be assigned to the appropriate announcement.
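The interaction of the Station Security Code Threshold and Time Interval fields described above, as an added example (not code from the handbook or the DEFINITY software): a counter replayed over a constructed log of invalid attempts, useful for seeing which settings would have raised a referral call. It assumes one system-wide counter, a sliding window and a restart of the count after each referral, none of which the handbook specifies; SscViolationMonitor, referral_times and the sample extensions are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta


def parse_interval(text):
    """Parse the form's h:mm Time Interval value (0:01 through 7:59)."""
    hours, sep, minutes = text.partition(":")
    if not (sep and len(hours) == 1 and len(minutes) == 2 and (hours + minutes).isdigit()):
        raise ValueError(f"expected h:mm, got {text!r}")
    if int(minutes) > 59 or not 1 <= int(hours) * 60 + int(minutes) <= 7 * 60 + 59:
        raise ValueError(f"Time Interval outside 0:01-7:59: {text!r}")
    return timedelta(hours=int(hours), minutes=int(minutes))


class SscViolationMonitor:
    """Counts invalid Station Security Code attempts inside the interval.

    Assumptions: one system-wide counter, a sliding window, and a restart
    of the count after each referral call.
    """

    def __init__(self, threshold=10, interval="0:03"):  # form defaults
        if not 1 <= threshold <= 255:
            raise ValueError("Station Security Code Threshold must be 1-255")
        self.threshold = threshold
        self.interval = parse_interval(interval)
        self.window = deque()  # timestamps still inside the interval
        self.logged = []       # every invalid attempt is logged

    def invalid_attempt(self, when, extension):
        """Record one invalid attempt; return True when a referral call is due."""
        self.logged.append((when, extension))
        self.window.append(when)
        while when - self.window[0] > self.interval:
            self.window.popleft()
        if len(self.window) > self.threshold:  # "exceeded", not "reached"
            self.window.clear()
            return True
        return False


def referral_times(attempts, threshold, interval):
    """Replay (timestamp, extension) pairs; return when referrals would fire."""
    monitor = SscViolationMonitor(threshold, interval)
    return [when for when, ext in attempts if monitor.invalid_attempt(when, ext)]


# Constructed sample: 12 invalid attempts 15 seconds apart, one more an hour later.
START = datetime(1997, 12, 1, 2, 0, 0)
SAMPLE = [(START + timedelta(seconds=15 * i), "41012") for i in range(12)]
SAMPLE.append((START + timedelta(hours=1), "41007"))

if __name__ == "__main__":
    for threshold, interval in [(10, "0:03"), (3, "0:01"), (10, "0:02")]:
        fired = referral_times(SAMPLE, threshold, interval)
        print(threshold, interval, [t.time().isoformat() for t in fired])
```

With the defaults (10 in 0:03) the sample raises one referral; with the same threshold and a 0:02 interval it raises none, which is why the two fields have to be tuned together.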
Administering Barrier Code Aging

To administer Barrier Code Aging, do the following:

1. Log in with the proper permissions and display the Remote Access form by entering the command change remote access.
2. Once the Remote Access form is displayed, administer Remote Access/Barrier Code Aging by filling in the following fields:

- Remote Access Extension
  Enter an extension number (not a VDN extension) for Remote Access. This extension is associated with each trunk that supports the Remote Access feature. The default for this field is blank. The Remote Access extension is used as if it were a DID extension. Only one DID extension may be assigned as the Remote Access extension. Calls to that number are treated the same as calls on the Remote Access trunk. When a trunk group is dedicated to Remote Access, the Remote Access extension number is administered on the trunk group’s incoming destination field.
- Barrier Code Length
  Enter the desired barrier code length (4 to 7 digits), or leave this field blank to indicate that a barrier code is not required. Assigning a barrier code length of 7 provides maximum security.
- Authorization Code Required
  Enter y if an authorization code must be dialed by Remote Access users to access the system’s Remote Access facilities. The default for this field is “n.” Use of an authorization code in conjunction with barrier codes increases the security of the Remote Access feature.
- Remote Access Dial Tone
  This field appears on the form if the Authorization Code Required field has been set to yes. Enter y in this field if Remote Access dial tone is required as a prompt to the user. For maximum security do not use Authorization Code dial tone.
- Barrier Code
  Assign a barrier code that conforms to the number entered in the barrier code length field. All codes must be 4 to 7 digits. The code can be any combination of the digits 0 through 9. If the Barrier Code length field is blank, the first barrier code field must be specified as none. Duplicate entries are not allowed. The system default for this field is a blank. Assign a 7-digit number in this field for maximum security.
- Class of Restriction (COR)
  Enter the COR (0 through 95) associated with the barrier code that defines the call restriction features. The default for this field is 1. Assigning the most restrictive COR that will provide only the level of service required will provide the maximum security.
- Class of Service (COS)
  Enter the COS (0 through 15) associated with the barrier code that defines access permissions for call processing features. The system default for this field is 1. Assigning the most restrictive COS that will provide only the level of service required will provide the maximum security.
- Expiration Date
  Assign an expiration date based on the expected length of time the barrier code will be needed. Enter the date the Remote Access barrier code will expire. Valid entries are a date greater than the current date or a blank. The default is the following day’s date. If you expect the barrier code to be used for a two-week period, assign a date two weeks from the current date. If the Expiration Date is assigned, a warning message will be displayed on the system copyright screen seven days prior to the expiration date, indicating that a barrier code is due to expire. The system administrator may modify the expiration date to extend the time interval if needed.
- No. of Calls
  This field specifies the number of Remote Access calls that can be placed using the associated barrier code. Valid entries are any number from 1 to 9999, or a blank. The default is one call. The Expiration Date field and No. of Calls field can be used independently or, to provide maximum security, they can be used in conjunction with each other. If both the Expiration Date and No. of Calls fields are assigned, the corresponding barrier code will expire when the first of these criteria is satisfied.
- Calls Used
  This is a display-only field that specifies the number of calls that have been placed using the corresponding barrier code. The Calls Used field is incremented each time a barrier code is successfully used to access the Remote Access feature.
  NOTE: A usage that exceeds the expected rate may indicate improper use.
- Permanently Disable
  A y entered in this field will permanently disable the Remote Access feature. The Remote Access form will no longer be accessible.
- Disable following a Security Violation?
  A y entered in this field will disable the Remote Access feature following a Remote Access security violation. The system administrator may re-enable Remote Access with the enable remote access command.

Administering Customer Logins and Forced Password Aging

This section contains the following subsections:

1. Adding Customer Logins and Assigning Initial Password
2. Changing a Login’s Attributes
3. Administering Login Command Permissions

Adding Customer Logins and Assigning Initial Password

For DEFINITY G3V3 and later releases, which includes DEFINITY ECS, the two types of customer logins are:

- superuser: Provides access to the add, change, display, list, and remove commands for all customer logins and passwords. The superuser can administer any mix of superuser/nonsuperuser logins up to ten system logins.
- nonsuperuser: Limits permissions according to restrictions specified by the superuser when administering the nonsuperuser login. A nonsuperuser may change his/her password with permission set by the superuser; however, once a password has been changed, the nonsuperuser must wait 24 hours before changing the password again. The superuser may administer up to ten nonsuperuser logins.

To add a customer login you must be a superuser, have administrative permissions, and follow these steps:

NOTE: Always use your own unique login, never a Lucent Technologies customer login or variation thereof (for example, “cust,” “rcust,” “cust1,” “rcust1,” etc.).

1. Access the Login Administration form by entering the add login command. The 3- to 6-character login name (numbers 0 to 9, characters a to z or A to Z) you entered is displayed in the Login’s Name field.
2. Enter your superuser password in the Password of Login Making Change field.
3. Enter customer in the Login Type field. The system default for this field is customer. The maximum number of customer logins of all types is 11.
4. Enter superuser or nonsuperuser in the Service Level field.
5. Enter y in the Disable Following a Security Violation field to disable a login following a login security threshold violation. This field is a dynamic field and only appears on the Login Administration form when the SVN Login Violation Notification feature is enabled. The system default for this field is y.
6. For G3V4 only, enter y or n in the Access to INADS Port? field to specify whether the customer login will be accessible through the INADS remote administration port. The system default for this field is n. This field is a dynamic field and only appears on the Login Administration form if the Login Type field is set to “customer,” and the Customer Access to INADS Port field (on the change system-parameters maintenance form) is set to y.
   NOTE: In DEFINITY G3V4, the Lucent Technologies login must be through the INADS port.
7. Enter a password for the new login in the Login’s Password field. A password must be 4 to 11 characters and contain at least one alphabetic and one numeric symbol; valid characters include numbers, and the following symbols: ! & * ? ; ’ ^ ( ) , : - @ # $ % . The system does not echo the password to the screen as you type.
8. Re-enter the password in the Re-enter Login’s Password field. The system does not echo the password to the screen as you type.
9. In the Password Aging Cycle Length field, enter the number of days (from the current day) when you wish the password to expire. If a blank is entered in this field, password aging will not apply to the specified login. Valid entries are from 1 to 99 days or a blank. When a login password is within seven days or less from the expiration date, a warning message is displayed when the user logs in: WARNING: your password will expire in xx days.
10. For DEFINITY G3V4 only, enter y or n in the Facility Test Call Notification? field to specify whether this login will be notified in the event that Facility Test Call feature is used. The system default for this field is y.
11. If y was entered in step 12, enter y or n in the Acknowledgment Required? field to specify whether acknowledgment of the notification is required before logoff is permitted. The system default for this field is y. This field is a dynamic field and only appears on the Login Administration form if the Facility Test Call Notification? field is set to y.
12. For DEFINITY G3V4 only, enter y or n in the Remote Access Notification? field to specify whether this login will be notified in the event that Remote Access is used. The system default for this field is y.
13. If y was entered in step 12, enter y or n in the Acknowledgment Required? field to specify whether acknowledgment of the notification is required before logoff is permitted. The system default for this field is y. This field is a dynamic field and only appears on the Login Administration form if the Remote Access Notification? field is set to y.

Changing a Login’s Attributes

To change a customer login’s attributes, you must be a superuser, have administrative permissions, and do the following:

1. Access the Login Administration form by entering the change login command. The 3- to 6-character login name (numbers 0 to 9, characters a to z or A to Z) you entered is displayed in the Login’s Name field.
2. Enter your superuser password in the Password of Login Making Change field.
3. Enter customer in the Login Type field. The system default for this field is customer. The maximum number of customer logins of all types is 11.
4. Enter superuser or nonsuperuser in the Service Level field.
5. Enter y in the Disable Following a Security Violation field to disable a login following a login security threshold violation. This field is a dynamic field and will only appear on the Login Administration form when the SVN Login Violation Notification feature is enabled. The system default for this field is y.
6. Enter a password for the new login in the Login’s Password field. A password must be 4 to 11 characters and contain at least 1 alphabetic and 1 numeric symbol; valid characters include numbers, and the following symbols: ! & * ? ; ’ ^ ( ) , : - . The system will not echo the password to the screen as you type.
7. Re-enter the password in the Re-enter Login’s Password field. The system will not echo the password to the screen as you type.
8. In the Password Aging Cycle Length field, enter the number of days (from the current day) when you wish the password to expire. If a blank is entered in this field, password aging will not apply to the specified login. Valid entries are from 1 to 99 days or a blank. When a login password is within seven days or less from the expiration date, a warning message is displayed when the user logs in: WARNING: your password will expire in xx days.
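One way to check administered settings against the guidance above, covering both the Remote Access form fields under Administering Barrier Code Aging and the login rules in this section (an added example, not code from the handbook or the DEFINITY software). The dictionary layout, function names and sample values are hypothetical and constructed; a barrier code is assumed to be expired on its Expiration Date, and the symbol set is the one listed for the add login form with an ASCII apostrophe.

```python
import re
from datetime import date, timedelta

SYMBOLS = set("!&*?;'^(),:-@#$%.")  # add login list; ASCII apostrophe assumed
VENDOR_STYLE = re.compile(r"r?cust\d*", re.IGNORECASE)  # cust, rcust, cust1, ...


def login_findings(name, password, aging_days):
    """Check a new login against the naming, password and aging rules."""
    findings = []
    if VENDOR_STYLE.fullmatch(name):
        findings.append("vendor-style customer login name")
    if not 4 <= len(password) <= 11:
        findings.append("password must be 4 to 11 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        findings.append("password needs one alphabetic and one numeric character")
    if any(not (c.isascii() and (c.isalnum() or c in SYMBOLS)) for c in password):
        findings.append("password has a character outside the listed set")
    if aging_days is None:  # blank field: password aging does not apply
        findings.append("Password Aging Cycle Length is blank")
    return findings


def remote_access_findings(form, today):
    """Compare a Remote Access form with the maximum-security advice."""
    findings = []
    if not form["authorization_code_required"]:
        findings.append("Authorization Code Required is n")
    elif form["remote_access_dial_tone"]:
        findings.append("Remote Access Dial Tone is y")
    for slot, entry in enumerate(form["barrier_codes"], start=1):
        expires, max_calls = entry["expires"], entry["max_calls"]
        if len(entry["code"]) < 7:
            findings.append(f"barrier code {slot}: shorter than 7 digits")
        if expires is None and max_calls is None:
            findings.append(f"barrier code {slot}: no Expiration Date or No. of Calls")
        elif (expires is not None and today >= expires) or (
                max_calls is not None and entry["calls_used"] >= max_calls):
            findings.append(f"barrier code {slot}: expired")  # first criterion met
        elif expires is not None and expires - today <= timedelta(days=7):
            findings.append(f"barrier code {slot}: expires within seven days")
    return findings


# Constructed sample form, not taken from any real switch.
SAMPLE_FORM = {
    "authorization_code_required": True, "remote_access_dial_tone": True,
    "barrier_codes": [
        {"code": "4831", "expires": None, "max_calls": None, "calls_used": 12},
        {"code": "7302915", "expires": date(1997, 12, 20), "max_calls": 5, "calls_used": 5},
        {"code": "5910476", "expires": date(1997, 12, 5), "max_calls": 50, "calls_used": 3},
    ],
}

if __name__ == "__main__":
    for finding in remote_access_findings(SAMPLE_FORM, date(1997, 12, 1)):
        print(finding)
    print(login_findings("rcust1", "secret", None))
```

Findings refer to barrier codes by position on the form so that the codes themselves never appear in audit output.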
Administering Login Command Permissions

Users with superuser permissions can set the permissions of the logins they create by means of the Command Permissions Categories form. The DEFINITY commands for G3V3 and later releases, which include the DEFINITY ECS, are divided into three categories:

1. Common Commands
2. Administration Commands
3. Maintenance Commands

Each category has subcategories that, when set to y, give permission to use the command sets associated with that category. When the Command Permissions Categories form is displayed for a login, the subcategory fields appear with the fields set to give the login full permissions for that login type. The superuser administering login permissions can set any fields to deny access to a command category for the specified login.

To administer command permissions, log in as superuser and do the following:

1. Enter change permissions login to access the Command Permissions Categories form. When the form is displayed for a login, the default permissions for that login type appear on the form. The superuser administering the login may change a y to an n for each subcategory field on the form.
2. Select a category for the login and enter y in each field where permission to perform an administrative or maintenance action is needed. The command object you select must be within the permissions for the login type you are administering. If the Maintenance option is set to y on the Customer Options form, the superuser may enter y in the Maintain Switch Circuit Packs or Maintain Process Circuit Packs fields.
3. A superuser with full superuser permissions can restrict additional administrative or maintenance actions for a specified login by entering y in the Additional Restrictions field on the Command Permission Categories form. (A superuser administering the login must not have the Additional Restrictions field set to y for his/her own login.)
4. Enter the additional restrictions for a login in the Restricted Object List field on the Command Permission Categories Restricted Object List form. You may enter up to 40 command names (object names) to block actions associated with a command category for a specified login. You may enter two pages of commands (objects) to be restricted (20 commands per page, for a total of 40 commands per login).

Display a Specified Login

To display a specified login, enter the command display login . The system displays the specified login’s service level, status, and password aging cycle length.

List Logins

To list all of the system logins and the status of each login, enter the command list login. The system displays a list of all current logins and their service level, status, and password aging cycle length.

Remove a Login

To remove a login from the system, enter the command remove login . The system displays the Login Administration form. Press Return to remove the login, or select Cancel to exit the remove login procedure without making a change.

Administering the Security Violations Reports

The Security Violations reports provide current status information for invalid login, Remote Access (barrier code), or authorization code attempts. The following Security Violations reports are available:

- Login Violations
- Remote Access Barrier Code Violations
- Authorization Code Violations
- Station Security Code (SSC) Violations

NOTE: Station Security Codes are used with the Personal Station Access feature and the Extended User Administration of Redirected Calls feature.

The data displayed in these reports is updated at 30-second intervals. A total of 16 entries are maintained for each type of violation. The oldest information is overwritten by the new entries at each 30-second update.

To access the Security Violations reports, enter the monitor security-violations <report name> command, where report name is either login, remote-access, or authorization-code.