Managing security policies

Many organizations enforce security policies on user access to their systems. BMC Atrium Discovery supports this by providing configurable security options and multiple authentication mechanisms. You can configure the following:

  • Accounts and Passwords
    • Password strength and expiry
    • Forced password change
    • Account blocking after authentication failures
    • Deactivation of unused accounts
  • Login Page
    • Appearance of the login page
    • Legal banner messages
    • Allow browser autocomplete
  • UI Security page
    • Prevent Cross Site Framing

Configuring these settings is described in the following sections.

Accounts and passwords

To configure the security options:

  1. Click Administration.
  2. From the Security section, click Security Policy.
    The options on the Security Policy page are described below:

    Field Name

    Details

    Account Blocking

    User accounts can be blocked after a number of unsuccessful login attempts. Select the number of attempts from the drop-down list: 1, 2, 3, 4, or 5 attempts. If you do not want accounts to be blocked, select Never. The default is 3. Blocking limits online password guessing, but anyone who knows a username can deliberately trigger the block for that user, so pair it with Automatically Unblock unless you are prepared to unblock accounts manually.

    Automatically Unblock

    After a user account is blocked, it can be automatically unblocked after a specified period. Select the period from the drop-down list: 1, 2, 3, 4, 5, 10, 15, 20, 30, or 60 minutes. If you do not want accounts to be automatically unblocked, select Never. The default is 10 minutes.
    If you select Never, you risk locking out the system account. See Blocking of the system account below for more information.

    Account Deactivation

    Unused user accounts can be deactivated after a specified period of time. Select the period from the drop-down list: 15, 30, 45, 60, 75, 90, 105, or 120 days. If you do not want accounts to be deactivated, select Never.

    Disabled Accounts can be reactivated

    Select Yes or No to specify whether deactivated user accounts can be reactivated. Reactivation must be performed by an administrator. The default is No: deactivated accounts cannot be reactivated.

    Minimum Password Length

    You can specify a minimum length for passwords. Select a minimum length from the drop-down list.
    Choose a length from 1 to 32 characters. Select None to enforce no minimum length. The default is 8 characters.

    Password History

    You can specify a password history length to prevent users from recycling passwords too quickly: a new password must differ from that many previous passwords. Select the password history length from the drop-down list: 3, 5, 10, or 20. Select None to enforce no restrictions on password reuse. The default is 10.

    Password constraints

    Select from the following checkboxes to apply constraints to the password contents. Each selected constraint narrows the set of acceptable passwords; use them together with a sensible Minimum Password Length rather than as a substitute for it:
    • Must contain uppercase characters – for example AIV. The default is true.
    • Must contain lowercase characters – for example aiv. The default is true.
    • Must contain numeric characters – for example 174. The default is true.
    • Must contain special characters – for example ^£). The default is true.
    • Must not contain sequences, that is, runs of the same character repeated – for example AAA, ppp, or 222. The default is true.

    Password Expiry Period

    You can specify a maximum length of time for passwords before they are automatically expired. Select an expiry period from the drop-down list. Choose from 30, 45, 60, 75, 90, 105, and 120 days. Select None to enforce no expiry period. The default is 90 days. When passwords expire, users must change them when they next log in.

    Password Expiry Warning

    Users can be warned, when they log in to the user interface, that their password will expire soon. The warning icon is displayed in the Dynamic Toolbox. Select a warning period from the drop-down list: 5, 10, or 15 days. Select Never to give users no warning of an expiring password. The default is 10 days. The expiry warning cannot be set to more than the expiry period.
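The following checker is an added example and is not BMC Atrium Discovery code; the product enforces these rules itself. It applies the Security Policy settings described above (minimum length, the content constraints, password history, and the expiry and warning periods) to a candidate password so you can see which combinations a given configuration accepts. The defaults match the page; the sequence rule follows the page's examples (AAA, ppp, 222) and treats three identical characters in a row as a sequence, and the plaintext history list is an assumption made for illustration only.

```python
# Added example (not BMC Atrium Discovery code): a checker that applies the
# Security Policy settings described above to a candidate password. Field
# defaults match the page; the sequence rule follows the page's examples
# (AAA, ppp, 222) and treats three identical characters in a row as a sequence.
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasswordPolicy:
    min_length: Optional[int] = 8        # None means no minimum length
    history_length: Optional[int] = 10   # None means reuse is not restricted
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_sequences: bool = True

    def check(self, password: str, history: Sequence[str] = ()) -> List[str]:
        """Return the rules the password violates; an empty list means accepted."""
        problems: List[str] = []
        if self.min_length is not None and len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase character")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase character")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no numeric character")
        if self.require_special and not any(not c.isalnum() for c in password):
            problems.append("no special character")
        if self.forbid_sequences and re.search(r"(.)\1\1", password):
            problems.append("contains a repeated-character sequence")
        if self.history_length is not None:
            # Illustration only (assumption): a real system compares against
            # stored hashes of previous passwords, never a plaintext list.
            recent = list(history)[-self.history_length:]
            if password in recent:
                problems.append("matches one of the last %d passwords" % self.history_length)
        return problems


def expiry_state(days_since_change: int,
                 expiry_days: Optional[int] = 90,
                 warn_days: Optional[int] = 10) -> str:
    """Map the Password Expiry settings to 'ok', 'warning' or 'expired'.

    None for expiry_days or warn_days corresponds to selecting None/Never.
    """
    if expiry_days is None:
        return "ok"
    if days_since_change >= expiry_days:
        return "expired"
    if warn_days is not None and expiry_days - days_since_change <= warn_days:
        return "warning"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Tr0ub4dor&x", "password", "Paaa$word1"):
        print(candidate, policy.check(candidate) or "accepted")
    print(expiry_state(85))
```

Run the block directly to see the default policy reject "password" on three counts and "Paaa$word1" for its repeated characters; change the dataclass fields to mirror your own Security Policy page and re-run against the passwords your users actually choose.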

Blocking of the system account

The system user account is blocked when all of the following hold:

  • Account blocking is enabled (the default).
  • Automatic account unblocking is disabled (not the default).
  • A user repeatedly fails to log in to the UI as the system user.

Because the block never expires in this configuration, an administrator must log in and unblock the account.
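The following model is an added example, not product code, and assumes nothing about how BMC Atrium Discovery stores its counters. It models the Account Blocking and Automatically Unblock settings, including the system-account scenario above, so the interaction between the two can be traced: time is passed in as minutes to keep the behaviour deterministic, and the usernames and passwords are constructed for the demonstration.

```python
# Added example (not BMC Atrium Discovery code): a small model of the Account
# Blocking and Automatically Unblock settings, including the system-account
# scenario from the section above. Time is passed in as minutes so that the
# auto-unblock behaviour can be traced deterministically. Usernames and
# passwords are constructed for the demonstration.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: Optional[int] = 3        # None corresponds to selecting Never
    unblock_after_min: Optional[int] = 10  # None corresponds to selecting Never


@dataclass
class AccountState:
    failures: int = 0
    blocked_at: Optional[float] = None     # minute the block started, None if unblocked


class Authenticator:
    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials
        self.state: Dict[str, AccountState] = {}

    def _is_blocked(self, user: str, now: float) -> bool:
        st = self.state.setdefault(user, AccountState())
        if st.blocked_at is None:
            return False
        limit = self.policy.unblock_after_min
        if limit is not None and now - st.blocked_at >= limit:
            self.state[user] = AccountState()   # automatic unblock resets the counter
            return False
        return True                             # Never: stays blocked until an admin acts

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad-password' or 'blocked' for one login attempt at time now."""
        if self._is_blocked(user, now):
            return "blocked"                    # even a correct password is refused
        st = self.state[user]
        expected = self.credentials.get(user, "")
        # compare_digest avoids leaking where the password first differs via timing
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        limit = self.policy.max_failures
        if limit is not None and st.failures >= limit:
            st.blocked_at = now
            return "blocked"
        return "bad-password"

    def admin_unblock(self, user: str) -> None:
        """Manual unblock by an administrator (the only way out when auto-unblock is Never)."""
        self.state[user] = AccountState()


def system_account_scenario():
    """Blocking on (3 attempts), auto-unblock Never, three bad logins as 'system'."""
    auth = Authenticator(LockoutPolicy(max_failures=3, unblock_after_min=None),
                         {"system": "correct-horse-battery"})
    for minute in range(3):
        auth.login("system", "wrong-guess", now=minute)
    still_blocked = auth.login("system", "correct-horse-battery", now=60 * 24)  # a day later
    auth.admin_unblock("system")
    after_admin = auth.login("system", "correct-horse-battery", now=60 * 24)
    return still_blocked, after_admin


if __name__ == "__main__":
    print(system_account_scenario())
```

With the page defaults (3 attempts, 10 minutes) the third failure blocks the account and the correct password is refused until 10 minutes have passed; with Automatically Unblock set to Never the block persists indefinitely, which is the system-account lockout the section warns about.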

Login page

You can configure the appearance of the login page and add a legal notice to the login page.
To configure the login page:

  1. From the Security section of the Administration tab, select Login Page Options.
    The options on the Security Options: Login page are described below:

    Field Name

    Details

    Plain login page

    Where security is a concern, you can choose to remove all banners and logos from the login page. Doing so makes it harder for a would-be attacker to identify the product from the login page; it does not protect the login itself, so treat it as a complement to the account and password controls above. Select Yes to do this. This option is not available in the BMC Atrium Discovery Community Edition.

    The BMC favicon (shown in browser tabs) remains visible when you use the plain login page. If you want to remove the favicon, you should rename the /var/www/html/favico.ico file. For example favico.ico.hidden.

    Legal Notice

    Enter an additional legal notice in the Legal Notice text field.

    Allow Browser Autocomplete

    You can specify whether browsers may use stored data to autocomplete fields in the UI. Select Yes or No. Select No on shared or kiosk workstations, but note that some browsers' password managers ignore the autocomplete hint for login fields, so this setting reduces rather than eliminates locally stored credentials.

UI security page – new in 8.3 SP2

You can prevent the BMC Atrium Discovery UI from being loaded inside a frame on another site (cross site framing). This defends against "clickjacking" attacks, in which an attacker frames the UI inside their own page and tricks a logged-in user into clicking controls they cannot see.
To configure the UI security page:

  1. From the Security section of the Administration tab, select UI Security.

    Field Name

    Details

    Prevent Cross Site Framing

    Select Yes to prevent the BMC Atrium Discovery UI from being displayed inside a frame on another site. Select No only if you deliberately embed the UI as part of an umbrella UI (a portal that frames it); doing so leaves the UI exposed to clickjacking.
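The following check is an added example, not part of this page or of the product, and it does not assume which mechanism BMC Atrium Discovery uses to prevent framing. It inspects the headers of an HTTP response for the two framing restrictions browsers honour, the Content-Security-Policy frame-ancestors directive and the X-Frame-Options header, so you can confirm from a captured or fetched response that the Prevent Cross Site Framing setting (or any other server's equivalent) actually took effect. The header sets in the block are constructed, not captured.

```python
# Added example (not BMC Atrium Discovery code): reports whether an HTTP
# response forbids cross-site framing. It recognises the two mechanisms
# browsers honour: the Content-Security-Policy frame-ancestors directive and
# the X-Frame-Options header. The header dictionaries below are constructed.
from typing import Mapping, Optional
from urllib.request import urlopen


def framing_protection(headers: Mapping[str, str]) -> Optional[str]:
    """Describe the framing restriction a response carries, or None if it can be framed.

    frame-ancestors is checked first because, when both are present, browsers
    apply the CSP directive and ignore X-Frame-Options. The obsolete
    X-Frame-Options ALLOW-FROM value is ignored by current browsers, so it
    is reported as no protection.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:] or ["'none'"]   # an empty source list means 'none'
            return "csp frame-ancestors " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "x-frame-options " + xfo
    return None


def check_url(url: str) -> Optional[str]:
    """Fetch url and report its framing protection (needs network access)."""
    with urlopen(url) as response:
        return framing_protection(dict(response.headers.items()))


if __name__ == "__main__":
    # Constructed responses: one hardened, one that any site could frame.
    hardened = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
    frameable = {"Content-Type": "text/html"}
    print(framing_protection(hardened))   # csp frame-ancestors 'none'
    print(framing_protection(frameable))  # None
```

Point check_url at the login page of your own appliance after toggling the setting: a result of None means a page on another origin can still frame the UI. The check covers response headers only; it cannot detect JavaScript frame-busting, and it does not replace testing in a browser.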
