Enable and define password policy settings

If you authenticate administrators or Web Portal users with internal authentication, you can enforce a password policy.

Before you begin

You must be logged on using an administrator account with sufficient permissions to change the password policy settings. Permissions to manage Administrator elements or unrestricted permissions (superuser) are required. If administrative Domains are configured, you must be logged on to the Shared Domain.

The settings in the password policy are applied to:

  • Administrator and Web Portal user accounts defined using Administrator and Web Portal User elements.
  • SMC administrator accounts that are replicated as local administrator accounts on Secure SD-WAN Engines.
  • The root account on Secure SD-WAN Engines.
  • The Management Server database password.

    For the Management Server database password, only requirements for length, uppercase characters, lowercase characters, and numbers are applied. Special characters are not allowed in the Management Server database password.

You can define the following settings in the password policy:

  • Session limits and idle timeouts
  • Restrictions on failed logon attempts
  • Automatic disabling of inactive accounts
  • Requirements for password age and expiration
  • Requirements for password strength

Note: If you have previously changed the default password policy settings in the SGConfiguration.txt file, the settings are automatically applied on the Password Policy tab. Any further modifications you make to the SGConfiguration.txt file have no effect.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Menu > System Tools > Global System Properties.
  2. Click the Password Policy tab.
  3. Select Enforce Password Settings for All the Administrators and Web Portal Users.
    Note: The password policy is enforced by default.
  4. Select the password policy settings.
    For information about the options that you must select in a Common Criteria certification environment, see the Common Criteria Certification User’s Guide.
  5. Click OK.

Global System Properties dialog box — Password Policy tab

Use this tab to change settings for password strength, password expiration, failed logons, and actions related to temporary and long-term inactivity in the administrator password policy.

Enforce Password Settings for All the Administrators and Web Portal Users
    When selected, enforces the password settings for all administrators and Web Portal users.

Logon Options section

Only one Logon Session for Each User
    When selected, an administrator or Web Portal user can open only a single session at a time to the Management Client or to the Web Portal.

Administrator User Name is Case Sensitive
    When selected, uppercase and lowercase letters in the administrator user name are considered to be different from each other.

Disable Account After Failed Logon Attempts
    When selected, administrator accounts are disabled when the maximum number of failed logon attempts within the specified length of time is reached.

    Maximum Number of Failed Logon Attempts
        The maximum number of failed logon attempts. The default is 8 attempts.

    Attempts Within
        The length of time during which failed logon attempts are counted. Select the time unit from the drop-down list. The default is 30 minutes.

Temporarily Ban for Multiple Failed Logon Attempts
    When selected, the source IP address from which the maximum number of failed logon attempts is reached is temporarily banned.

    Maximum Number of Failed Logon Attempts
        The maximum number of failed logon attempts. The default is 4 attempts. This option is selected by default.

    Block Source IP Address for
        The length of time for which the source IP address is blocked. Select the time unit from the drop-down list. The default is 30 minutes.

Temporarily Lock Account After Failed Logon Attempts
    When selected, administrator or Web Portal user accounts are temporarily locked when the maximum number of failed logon attempts is reached.

    Maximum Number of Failed Logon Attempts
        The maximum number of failed logon attempts. The default is 6 attempts. This option is selected by default.

    Lock Account for
        The length of time for which the account is locked. Select the time unit from the drop-down list. The default is 30 minutes.

Disable Accounts That Have Been Inactive For
    When selected, administrator or Web Portal user accounts that have not been used for the specified length of time are automatically disabled. Select the time unit from the drop-down list. The default is 3 months.

Lock the Management Client Window After the User Session is Idle for
    When selected, the Management Client window is locked when an administrator has been idle for the specified length of time. Select the time unit from the drop-down list. The default is 15 minutes.

    Hide the Management Client Window Content
        When selected, the content of the Management Client window is hidden when the screen is locked.

    Close the Management Client
        When selected, the Management Client is automatically closed when the screen is locked.

Allow Logon Only From Listed IP Addresses
    When selected, administrators or Web Portal users can only log on from hosts that have the listed IP addresses. You can enter up to 170 IP addresses.

    Add
        Adds an IP address to the list.

    Remove
        Removes the selected IP address from the list.
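The three failed-logon controls in this section (account disable, source IP ban, account lock) and the IP allow list interact in ways that are easier to see on a concrete sequence of attempts. The following is an added example, not SMC code; the LogonGuard class, its method names and the sample IP addresses (constructed from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are mine. It uses the defaults stated above. The page does not say how the counters are kept, so this example assumes that all counters use the same sliding "Attempts Within" window, that attempts rejected because of a ban or lock are not counted, that the lock fires when the account's count reaches exactly the lock threshold, and that a successful logon clears the account's counter.

```python
"""Failed-logon accounting modelled on the Logon Options section (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)         # Attempts Within (default)
BAN_DURATION = timedelta(minutes=30)   # Block Source IP Address for (default)
LOCK_DURATION = timedelta(minutes=30)  # Lock Account for (default)
DISABLE_AFTER = 8                      # Disable Account After Failed Logon Attempts
BAN_IP_AFTER = 4                       # Temporarily Ban for Multiple Failed Logon Attempts
LOCK_ACCOUNT_AFTER = 6                 # Temporarily Lock Account After Failed Logon Attempts
MAX_ALLOWED_IPS = 170                  # Allow Logon Only From Listed IP Addresses


class LogonGuard:
    """Hypothetical evaluator for one logon attempt at a time (assumed semantics)."""

    def __init__(self, allowed_ips=None, window=WINDOW,
                 ban_duration=BAN_DURATION, lock_duration=LOCK_DURATION):
        if allowed_ips is not None and len(allowed_ips) > MAX_ALLOWED_IPS:
            raise ValueError(f"at most {MAX_ALLOWED_IPS} IP addresses may be listed")
        self.allowed_ips = None if allowed_ips is None else set(allowed_ips)
        self.window, self.ban_duration, self.lock_duration = window, ban_duration, lock_duration
        self.account_failures = defaultdict(deque)  # user -> failure timestamps in window
        self.ip_failures = defaultdict(deque)       # source IP -> failure timestamps in window
        self.banned_ips = {}                        # source IP -> banned until
        self.locked_accounts = {}                   # user -> locked until
        self.disabled_accounts = set()

    def _prune(self, times, now):
        # Drop failures that have fallen out of the sliding window (assumption).
        while times and now - times[0] > self.window:
            times.popleft()

    def attempt(self, user, source_ip, password_ok, now):
        """Evaluate one attempt; returns a verdict string and updates the counters."""
        if self.allowed_ips is not None and source_ip not in self.allowed_ips:
            return "rejected: source IP not in allow list"
        if user in self.disabled_accounts:
            return "rejected: account disabled"
        if self.banned_ips.get(source_ip, now) > now:
            return "rejected: source IP temporarily banned"
        if self.locked_accounts.get(user, now) > now:
            return "rejected: account temporarily locked"
        if password_ok:
            self.account_failures[user].clear()  # assumption: success resets the count
            return "accepted"
        acct, by_ip = self.account_failures[user], self.ip_failures[source_ip]
        acct.append(now)
        by_ip.append(now)
        self._prune(acct, now)
        self._prune(by_ip, now)
        banned_now = False
        if len(by_ip) >= BAN_IP_AFTER:
            self.banned_ips[source_ip] = now + self.ban_duration
            by_ip.clear()
            banned_now = True
        if len(acct) >= DISABLE_AFTER:
            self.disabled_accounts.add(user)
            return "rejected: wrong password; account disabled"
        if len(acct) == LOCK_ACCOUNT_AFTER:
            self.locked_accounts[user] = now + self.lock_duration
            return "rejected: wrong password; account temporarily locked"
        return "rejected: wrong password; source IP temporarily banned" if banned_now \
            else "rejected: wrong password"


T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time


def simulate_single_source():
    """Five failures from one IP, then failures for the same account from other IPs."""
    guard, verdicts = LogonGuard(), []
    for minute in range(5):
        verdicts.append(guard.attempt("admin", "198.51.100.7", False, T0 + timedelta(minutes=minute)))
    for i, ip in enumerate(["203.0.113.1", "203.0.113.2", "203.0.113.3"]):
        verdicts.append(guard.attempt("admin", ip, False, T0 + timedelta(minutes=5 + i)))
    verdicts.append(guard.attempt("admin", "203.0.113.9", True, T0 + timedelta(minutes=9)))
    verdicts.append(guard.attempt("admin", "203.0.113.9", True, T0 + timedelta(minutes=40)))
    return verdicts


def simulate_distributed_disable():
    """Eight failures from eight IPs with a 5-minute lock, so the disable threshold is reached."""
    guard, verdicts = LogonGuard(lock_duration=timedelta(minutes=5)), []
    for i, minute in enumerate([0, 1, 2, 3, 4, 5, 12, 13]):
        verdicts.append(guard.attempt("ops", f"203.0.113.{10 + i}", False, T0 + timedelta(minutes=minute)))
    verdicts.append(guard.attempt("ops", "203.0.113.30", True, T0 + timedelta(minutes=14)))
    return verdicts


def simulate_allow_list():
    """Logon only from listed addresses: an unlisted host is refused before any other check."""
    guard = LogonGuard(allowed_ips=["203.0.113.5"])
    return [guard.attempt("admin", "198.51.100.7", True, T0),
            guard.attempt("admin", "203.0.113.5", True, T0)]


if __name__ == "__main__":
    for name, run in [("single source", simulate_single_source),
                      ("distributed", simulate_distributed_disable), ("allow list", simulate_allow_list)]:
        print(name, *run(), sep="\n  ")
```

Two things the simulation makes visible: from a single source, the 4-attempt IP ban fires before the 6-attempt account lock, so the lock is only reached when failures arrive from several addresses; and with the lock duration equal to the counting window, failures that happen during the lock are never counted, so the 8-attempt disable is reachable only when the lock is shorter than the window (the second scenario) or attempts are spread across addresses that are not individually banned.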
Password Age and Expiration section

Require Password Change After First Logon
    When selected, the administrator or Web Portal user must change the password after the first time they log on.

Minimum Time Before Next Password Change
    When selected, the administrator or Web Portal user password cannot be changed again until the specified length of time has passed. Select the time unit from the drop-down list. The default is 3 days.

Password Expires After
    When selected, specifies the length of time after which administrator or Web Portal user passwords expire and must be changed. Select the time unit from the drop-down list. The default is 3 months.

Notify User When Password Expires in
    When selected, the administrator or Web Portal user is notified that the password is about to expire, starting the specified length of time before expiration. Select the time unit from the drop-down list. The default is 7 days.

Disable Account Automatically After Password Expiration
    When selected, the administrator or Web Portal user account is automatically disabled when the password expires.

Limit Reuse of Previous Passwords (Number of Previous Passwords)
    When selected, the administrator or Web Portal user cannot reuse any of the specified number of previous passwords. The default is 8.

Password Complexity Requirements section

Minimum Number of Characters in Password
    When selected, administrator or Web Portal user passwords must contain the specified minimum number of characters. The default is 10 characters. This option is selected by default.

Minimum Number of Required Characters
    When selected, administrator or Web Portal user passwords must contain the specified minimum number of characters of each required type. This option is selected by default.
    Note: The total number of required characters must not be larger than the value of the Minimum Number of Characters in Password option.

    Uppercase
        The minimum number of required uppercase letters. The default is 0.

    Lowercase
        The minimum number of required lowercase letters. The default is 1.

    Special Characters
        The minimum number of required special characters. Special characters include the following characters: !@#$%^&*()
        The default is 0.

    Numbers
        The minimum number of required numeric characters. The default is 1.

Maximum of Same Characters Between Previous and New Password
    When selected, administrator or Web Portal user passwords must not have more than the specified number of characters in common with the previous password. The default is 4 characters.

Reset to Default
    Discards the changes and reverts to the default settings.
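The complexity rules above, the previous-password and reuse limits, and the Management Server database password exception noted at the top of the page, combined into one policy checker. This is an added example, not SMC code; the PasswordPolicy class and its field names are mine, and the defaults are the ones stated on this page. Two definitions the page leaves open are assumed here: "characters in common" is counted as the number of characters, repeats included, that occur in both the new and the previous password, and for the database password any non-alphanumeric character is treated as a special character.

```python
"""Password policy checker modelled on the Password Complexity Requirements (added example)."""
from collections import Counter
from dataclasses import dataclass

SPECIAL_CHARACTERS = "!@#$%^&*()"  # the special characters listed on the page


def characters_in_common(new, previous):
    """Multiset overlap of two passwords (assumed definition of 'same characters')."""
    return sum((Counter(new) & Counter(previous)).values())


@dataclass
class PasswordPolicy:
    # Field names are hypothetical; values are the page's defaults.
    min_length: int = 10             # Minimum Number of Characters in Password
    min_uppercase: int = 0           # Uppercase
    min_lowercase: int = 1           # Lowercase
    min_special: int = 0             # Special Characters
    min_numbers: int = 1             # Numbers
    max_common_with_previous: int = 4  # Maximum of Same Characters Between Previous and New Password
    history_size: int = 8            # Limit Reuse of Previous Passwords
    database_password: bool = False  # Management Server database password rules

    def __post_init__(self):
        # Page note: required characters must not exceed the minimum password length.
        required = self.min_uppercase + self.min_lowercase + self.min_special + self.min_numbers
        if required > self.min_length:
            raise ValueError("total required characters exceeds the minimum password length")

    def check(self, candidate, previous=None, history=()):
        """Return the list of violated rules; an empty list means the password is accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"fewer than {self.min_length} characters")
        if sum(c.isupper() for c in candidate) < self.min_uppercase:
            problems.append(f"fewer than {self.min_uppercase} uppercase letters")
        if sum(c.islower() for c in candidate) < self.min_lowercase:
            problems.append(f"fewer than {self.min_lowercase} lowercase letters")
        if sum(c.isdigit() for c in candidate) < self.min_numbers:
            problems.append(f"fewer than {self.min_numbers} numbers")
        if self.database_password:
            # Only length, uppercase, lowercase and number rules apply to the database
            # password, and special characters (assumed: anything non-alphanumeric) are not allowed.
            if any(not c.isalnum() for c in candidate):
                problems.append("special characters are not allowed in the database password")
            return problems
        if sum(c in SPECIAL_CHARACTERS for c in candidate) < self.min_special:
            problems.append(f"fewer than {self.min_special} special characters")
        if previous is not None:
            common = characters_in_common(candidate, previous)
            if common > self.max_common_with_previous:
                problems.append(f"{common} characters in common with the previous password")
        recent = list(history)[-self.history_size:] if self.history_size else []
        if candidate in recent:
            problems.append(f"reuses one of the last {self.history_size} passwords")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ["correcthorse1", "Short1", "ALLUPPERCASE"]:
        print(pw, policy.check(pw) or "accepted")
    print(policy.check("correcthorse2", previous="correcthorse1"))
    print(PasswordPolicy(database_password=True).check("dbpassword1!"))
```

Note that the previous-password and history rules deliberately do not apply when database_password is set, matching the page's statement that only the length, uppercase, lowercase and number requirements apply to that password. With the default of 4 common characters, changing only the trailing digit of a long password is rejected because nearly every character carries over.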