Managing security policies
Many organizations enforce security policies on user access to their systems. BMC Atrium Discovery supports this by providing configurable security options and multiple authentication mechanisms. You can configure the following:
- Accounts and Passwords
  - Password strength and expiry
  - Forced password change
  - Account blocking after authentication failures
  - Deactivation of unused accounts
- Login Page
  - Appearance of the login page
  - Legal banner messages
  - Allow browser autocomplete
- UI Security page
  - Prevent Cross Site Framing
Configuring these settings is described in the following sections.
Accounts and passwords
To configure the security options:
- Click Administration.
- From the Security section, click Security Policy.
The options on the Security Policy page are described below:
User accounts can be blocked after a number of unsuccessful login attempts. Select the number of attempts from the drop-down list. Choose from the following: 1, 2, 3, 4, or 5 attempts. If you do not want accounts to be blocked, select Never. The default is 3.
After a user account is blocked, it can be automatically unblocked after a specified period. Select the period from the drop-down list. Choose from the following: 1, 2, 3, 4, 5, 10, 15, 20, 30, or 60 minutes. If you do not want accounts to be automatically unblocked, select Never. The default is 10 minutes.
If you select Never, there is a chance that you could lock out the system account.
See Blocking of the system account for more information.
Unused user accounts can be deactivated after a specified period of time. Select the period from the drop-down list. Choose from the following: 15, 30, 45, 60, 75, 90, 105, or 120 days. If you do not want accounts to be deactivated, select Never.
Disabled Accounts can be reactivated
Select Yes or No to allow user accounts to be reactivated. An administrator is needed to reactivate the account. The default is that disabled accounts cannot be reactivated.
Minimum Password Length
You can specify a minimum length for passwords. Select a minimum length from the drop-down list.
Choose a length from 1 to 32 characters. Select None to enforce no minimum length. The default is 8 characters.
You can specify a password history length to prevent users from recycling passwords too quickly. Select the password history length from the drop-down list. Choose from 3, 5, 10, or 20. Select None to enforce no restrictions on password reuse. The default is 10.
Select from the following checkboxes to apply constraints to the password contents. In general, the password quality improves with more selected checkboxes:
• Must contain uppercase characters – for example AIV. The default is true.
• Must contain lowercase characters – for example aiv. The default is true.
• Must contain numeric characters – for example 174. The default is true.
• Must contain special characters – for example ^£). The default is true.
• Must not contain sequences – for example AAA, ppp, or 222. The default is true.
Password Expiry Period
You can specify a maximum length of time for passwords before they are automatically expired. Select an expiry period from the drop-down list. Choose from 30, 45, 60, 75, 90, 105, and 120 days. Select None to enforce no expiry period. The default is 90 days. When passwords expire, users must change them when they next log in.
Password Expiry Warning
Users can be warned that their password will expire soon when they log in to the user interface.
The warning icon is displayed in the Dynamic Toolbox. Select a warning period from the drop-down list. Choose from 5, 10, or 15 days. Select Never to give users no warning of an expiring password. The default is 10 days. The expiry warning cannot be set to more than the expiry period.
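The password rules above (minimum length, history, the five content checkboxes, and the expiry and warning periods) are easier to reason about as a single policy check. The following is an added example, not BMC's code: it models those settings with the documented defaults, and assumes that "sequences" means the same character repeated three or more times in a row.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class PasswordPolicy:
    min_length: Optional[int] = 8        # None = no minimum length
    history_length: Optional[int] = 10   # None = no restriction on reuse
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_sequences: bool = True        # rejects runs such as AAA, ppp or 222
    expiry_days: Optional[int] = 90      # None = passwords never expire
    warning_days: Optional[int] = 10     # None = no expiry warning

    def __post_init__(self):
        # The page states the warning period cannot exceed the expiry period.
        if None not in (self.expiry_days, self.warning_days) and self.warning_days > self.expiry_days:
            raise ValueError("warning period exceeds expiry period")

def check_password(policy, candidate, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if policy.min_length is not None and len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.history_length is not None and candidate in tuple(history)[-policy.history_length:]:
        problems.append(f"matches one of the last {policy.history_length} passwords")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no uppercase character")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lowercase character")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if policy.require_special and all(c.isalnum() for c in candidate):
        problems.append("no special character")
    # Assumption: a "sequence" means the same character three or more times in a row.
    if policy.forbid_sequences and re.search(r"(.)\1\1", candidate):
        problems.append("contains a repeated-character sequence")
    return problems

def expiry_status(policy, age_days):
    """Classify a password as 'ok', 'warning' or 'expired' from its age in days."""
    if policy.expiry_days is None:
        return "ok"
    if age_days >= policy.expiry_days:
        return "expired"
    if policy.warning_days is not None and age_days >= policy.expiry_days - policy.warning_days:
        return "warning"
    return "ok"
```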
Blocking of the system account
In the following scenario, the system user account may be locked.
- Account blocking is enabled (the default).
- Automatic account unblocking is disabled (not the default).
- A user repeatedly attempts to log in to the UI as the system user, unsuccessfully.
An administrator will be required to log in to the system and unblock the account.
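To make the blocking and unblocking settings concrete, here is an added model (not product code) of the per-account counter those two drop-down lists control: it blocks after the documented 3 failures, auto-unblocks after 10 minutes, and shows that with unblocking set to Never a blocked account, the system account included, stays blocked until an administrator clears it. Time is passed in as minutes, which is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoginBlocker:
    block_after: Optional[int] = 3     # failures before blocking; None = Never block
    unblock_after: Optional[int] = 10  # minutes; None = Never auto-unblock
    failures: dict = field(default_factory=dict)
    blocked_at: dict = field(default_factory=dict)

    def is_blocked(self, user, now_min):
        """True while the account is blocked; applies the automatic unblock if it is due."""
        if user not in self.blocked_at:
            return False
        if self.unblock_after is not None and now_min - self.blocked_at[user] >= self.unblock_after:
            self.admin_unblock(user)  # automatic unblock has the same effect as an admin unblock
            return False
        return True

    def record_failure(self, user, now_min):
        """Count one unsuccessful login; return True if this failure blocked the account."""
        if self.block_after is None or self.is_blocked(user, now_min):
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.block_after:
            self.blocked_at[user] = now_min
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter."""
        self.failures.pop(user, None)

    def admin_unblock(self, user):
        """Administrator action: clear the block and the counter."""
        self.failures.pop(user, None)
        self.blocked_at.pop(user, None)
```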
Login page
You can configure the appearance of the login page and add a legal notice to the login page.
To configure the login page:
From the Security section of the Administration tab, select Login Page Options.
The options on the Security Options: Login page are described below:
Plain login page
Where security is a concern, you can choose to remove all banners and logos from the login page. Doing so reduces the risk of attack by hiding the nature of the system from a would-be attacker. Select Yes to do this. This option is not available in the BMC Atrium Discovery Community Edition.
The BMC favicon (shown in browser tabs) remains visible when you use the plain login page. If you want to remove the favicon, you should rename the /var/www/html/favico.ico file. For example
Legal Notice
Enter an additional legal notice in the Legal Notice text field.
Allow Browser Autocomplete
You can specify whether to allow data stored in browsers to be used to autocomplete fields in the UI. Select Yes or No.
UI security page – new in 8.3 SP2
You can prevent cross site framing to defend against possible "clickjacking" attacks.
To configure the UI security page:
From the Security section of the Administration tab, select UI Security.
Prevent Cross Site Framing
You can specify whether to allow the BMC Atrium Discovery UI to be incorporated as part of an umbrella UI. Select Yes or No.