Exchange’s Unified Messaging server role controls access to the Outlook Voice Access interface in several ways. Today I want to talk about PIN authentication and how it works.
Every UM-enabled user has an associated PIN. The PIN is never stored in the clear: it is kept as an encrypted string in an attribute of the user account object in Active Directory, and it is encrypted together with a per-user salt, so the stored value can't easily be reversed and two users who pick the same PIN don't end up with the same stored value. (Despite this protection it's still a bad idea to reuse your ATM PIN or AD password as a UM PIN, but of course you know better.)
Administrators can set PIN policies that control the permissible length of PINs and how long they remain valid before they must be changed. Users can reset their PINs at any time from OWA 2007 or Outlook 2007; when the PIN is reset, the user gets an e-mail containing the new PIN. This helps protect against a denial-of-service attack where user A logs in to user B's voice mailbox and changes the PIN from the phone keypad: B can reset the PIN again from the client and is back in without calling the help desk. These policies are actually part of the UM mailbox policy objects, which you can use to specify some other settings as well; look for more details in a future post.
The UM role performs its own auditing of failed authentication attempts. When you call in to Outlook Voice Access, you get three tries to enter the PIN; if all three fail, OVA hangs up and logs event ID 1013 to indicate the logon failure. If the failed authentication attempts continue across calls, you'll see event ID 1012, indicating that the user's OVA access is locked. There's also a perfmon counter that you can watch to see the number of failed logon attempts, but I'm in an airport and away from my UM server so I can't post its exact name right now.
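The policy settings and the auditing described above can both be driven from the Exchange Management Shell. The script below is an added example, not code from the original post: it reviews and tightens the PIN settings on a UM mailbox policy, recovers a user whose PIN was changed or locked out by someone else, and pulls the 1012/1013 events out of the Application log for a quick per-user count. The policy name "Default Policy", the mailbox alias "bsmith", the 14-day lookback and the event source name "MSExchange Unified Messaging" are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on a box that can reach the UM server's Application event log.

$policyName = 'Default Policy'   # assumed UM mailbox policy name
$userAlias  = 'bsmith'           # assumed UM-enabled mailbox alias
$lookback   = (Get-Date).AddDays(-14)

# 1. Show the PIN-related settings currently in force for the policy.
Get-UMMailboxPolicy -Identity $policyName |
    Format-List Name, MinPINLength, PINLifetime, PINHistoryCount,
                AllowCommonPatterns, LogonFailuresBeforePINReset, MaxLogonAttempts

# 2. Tighten the policy: longer PINs, no "1234"-style patterns, a shorter lifetime,
#    an automatic PIN reset after 5 consecutive failures and a lockout after 10.
#    LogonFailuresBeforePINReset must stay below MaxLogonAttempts.
Set-UMMailboxPolicy -Identity $policyName `
    -MinPINLength 8 `
    -PINHistoryCount 10 `
    -PINLifetime 30 `
    -AllowCommonPatterns $false `
    -LogonFailuresBeforePINReset 5 `
    -MaxLogonAttempts 10

# 3. Recover a user whose PIN was changed from the keypad or who is locked out:
#    clear the lockout and expire the PIN so a fresh one is mailed and must be
#    changed at the next Outlook Voice Access logon.
$pinState = Get-UMMailboxPIN -Identity $userAlias
if ($pinState.LockedOut) {
    Set-UMMailboxPIN -Identity $userAlias -LockedOut $false
}
Set-UMMailboxPIN -Identity $userAlias -PinExpired $true

# 4. Audit: count 1013 (PIN logon failed) and 1012 (access locked) events per user
#    over the lookback window. The source name is assumed; check it against an
#    actual 1013 event on your server before relying on this filter.
$umEvents = Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -After $lookback |
    Where-Object { @(1012, 1013) -contains $_.EventID }

$umEvents |
    Group-Object EventID |
    ForEach-Object {
        [PSCustomObject]@{
            EventID = $_.Name
            Count   = $_.Count
            # The user shows up in the message text; keep it verbatim for triage.
            Samples = ($_.Group | Select-Object -First 3 | ForEach-Object { $_.Message.Split("`n")[0] }) -join ' | '
        }
    } | Format-Table -AutoSize
```

The event filter uses `-contains` rather than the `-in` operator so it works on the PowerShell 1.0/2.0 shells that shipped with Exchange 2007; if the 1012 count for one alias climbs while 1013s from many aliases stay flat, you are looking at a targeted guessing attempt rather than a user who forgot a PIN.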

This is interesting. In the past I have been worried about Email-to-Voice security. Many companies have complex password requirements including length, history, and diversity. It seems ridiculous to simplify a 10 character password to a short PIN and get full access to email. Most phone systems and early Email-to-Voice systems don’t offer the lockout feature, so it could be easy to crack passwords and break into executive mailboxes. I typically set up a voicemail notification delivered by email. I still wonder how companies that use smartcards or other hard authentication methods would react. I guess you could use a PIN + RSA SecurID and you would be fine.
The Exchange UM system gives you a pretty flexible set of tools. First, it has PIN policies (including lockout). Second, you can give individual users or groups access to the telephone and voice user interfaces, or not. This lets you make UM access opt-in or opt-out, depending on the organization’s needs. I don’t see this as a huge additional security risk when it’s counterbalanced against the business benefits of providing ubiquitous inbox access, but I’m sure some customers will disagree.