Managing security policies
Many organizations enforce security policies on user access to their systems. BMC Discovery supports this by providing configurable security options and multiple authentication mechanisms. You can configure the following:
- Accounts and Passwords
- Password strength and expiry
- Forced password change
- Account blocking after authentication failures
- Deactivation of unused accounts
- Login Page
- Appearance of the login page
- Legal banner messages
- UI Security page
- Prevent Cross Site Framing
Configuring these settings is described in the following sections.
Accounts and passwords
To configure the security options:
- From the main menu, click the Administration icon. The Administration page displays.
In the Security section, click Security Policy.
The options on the Security Policy page are described in the following table:
User accounts can be blocked after a number of unsuccessful login attempts. Select the number of attempts from the list. Choose from the following 1, 2, 3, 4, or 5 attempts. If you do not want accounts to be blocked, select Never. The default is 3.
After a user account is blocked, it can be automatically unblocked after a specified period. Select the period from the list. Choose from the following 1, 2, 3, 4, 5, 10, 15, 20, 30, or 60 minutes. If you do not want accounts to be automatically unblocked, select Never. The default is 10 minutes.
If you select Never, there is a chance that you could lock out the system account.
See Blocking of the System Account for more information.
Unused user accounts can be deactivated after a specified period of time. Select the period from the list. Choose from the following 15, 30, 45, 60, 75, 90, 105, and 120 days. If you do not want accounts to be deactivated, select Never. The default is that disabled accounts cannot be reactivated.
Disabled Accounts can be reactivated
Select Yes or No to allow user accounts to be reactivated. You will need an administrator to reactivate the account.
Minimum Password Length
You can specify a minimum length for passwords. Select a minimum length from the list.
Choose a length from 1 to 32 characters. Select None to enforce no minimum length. The default is 8 characters.
You can specify a password history length to prevent users from recycling passwords too quickly. Select the password history length from the list. Choose from 3, 5, 10, or 20. Select None to enforce no restrictions on password reuse. The default is 10.
Select from the following check boxes to apply constraints to the password contents. In general, the password quality improves with more selected check boxes:
• Must contain uppercase characters — for example AIV. The default is true.
• Must contain lowercase characters — for example aiv. The default is true.
• Must contain numeric characters — for example 174. The default is true.
• Must contain special characters — for example ^£). The default is true.
• Must not contain sequences — for example AAA, ppp, or 222. The default is true.
Password Expiry Period
You can specify a maximum length of time for passwords before they are automatically expired. Select an expiry period from the list. Choose from 30, 45, 60, 75, 90, 105, and 120 days. Select Never to enforce no expiry period. The default is 90 days.
Password Expiry Warning
Users can be warned that their password will expire soon when logging into the user interface.
The warning icon is displayed in the . Select a warning period from the list. Choose from 5, 10, and 15 days. Select Never to give users no warning of an expiring password. The default is 10 days. The expiry warning cannot be set to more than the expiry period.
Lock Accounts After Password Expiry Select Yes or No to specify if an account must be locked after the password expiry period is completed and the user has still not changed the password in that period. For example, if the password expiry is set to 90 days and the user does not change the password in that period, you can select if the account must be locked after 90 days. The default is Yes.
If Password Expiry Period is set to Never, then the Password Expiry Warning and Lock Accounts After Password Expiry fields are automatically disabled as they are not applicable.
Blocking of the system account
In the following scenario, the system user account can be locked.
- Account blocking is enabled (the default).
- Automatic account unblocking is disabled (not the default).
- A user repeatedly attempts to log in unsuccessfully to the UI as the system user.
An administrator is required to log in to the system and unblock the account.
A user might be blocked on a cluster member, if for example, they used incorrect credentials more than the permitted number of times, or did not log into that member for a sufficiently long period that their account was deactivated. They are only blocked on that cluster member. They are not blocked on the other members of the cluster, and can continue to use the cluster as before.
You can configure the appearance of the login page and add a legal notice to the login page.
To configure the login page:
In the Security section of the Administration tab, select Login Page Options.
The following table lists the options on the The Security Options: Login page:
Plain login page
Where security is a concern, you can choose to remove all banners and logos from the login page. Doing so reduces the risk of attack by hiding the nature of system from a would be attacker. Select Yes to do this. This option is not available in the BMC Discovery Community Edition.
Enter an additional legal notice in the Legal Notice text field.
You can prevent cross site framing to defend against possible "clickjacking" attacks.
To configure the UI security page:
In the Security section of the Administration tab, select UI Security.
Prevent Cross Site Framing
You can specify whether to allow the BMC Discovery UI to be incorporated as part of an umbrella UI. Select Yes or No.