Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

System logins security configuration screen


As a BMC Defender Server administrator, you can access the System > Logins > Security tab to configure special parameters that can enhance the security of the BMC Defender Server site. You can configure authentication methods and other parameters that apply to all BMC Defender Server users. 

(SPE2110) All enhanced security features are enabled and all users must log in through the BMC Defender Server interface and use session cookies.

The standard BMC Defender Server edit options provide various user login options, such as whether passwords expire, maximum login attempts before the user is logged out, and lockout duration. The tab provides the following parameters:

  • Use Active Directory Authentication—You can access BMC Defender Server through SSPI (Microsoft Active Directory) authentication. If enabled, the user's password is checked against the value for the platform (either the local logon password or the Active Directory password).
  • NetBIOS Logon Domain—In edit mode, if Use Active Directory Authentication is true, you must specify the NetBIOS domain that you are authenticated against. If the value is not specified, you can still log in to BMC Defender Server using the local password (if any) and the password of the local computer (if any).
  • Auto Logout Time—This value represents the time in minutes before you are automatically logged out of BMC Defender Server due to inactivity. The default value is 60 minutes. That is, after 60 minutes of inactivity, a login screen is displayed after you click any button, tab, or link.
  • Bypass Auto Logout Users (SPE2110)—This is a comma-separated list of user names who are not automatically logged out of BMC Defender Server. After the specified users are logged in to the system, the automatic logout timer does not apply to the users in this list.

    Tip

    Bypassing the automatic logout timer is especially useful in a security operations center (SOC) environment where BMC Defender Server is displayed on a large overhead monitor for a long time.

  • Require Strong Passwords—This selection enforces strong passwords. A strong password must have eight characters or more, including one upper and lower case letter, and one digit. The default setting is False, which does not enforce strong passwords (and requires only that the password be three or more characters).
  • Password Expire Time (Days)—This value represents the time in days before you must change your password. When the password expires, you are forced to enter the current password and select a new password. This action occurs immediately upon expiration before any other screen can be launched. 
  • Max Login Attempts—This value represents the maximum number of attempts to log in to the system without a correct password and the maximum number of attempts to change a password. After this number of attempts, you are automatically locked out from the system for the User Lockout Duration. The default value is 10 unsuccessful attempts to log in.
  • User Lockout Duration (Minutes)—This value represents the time that you are locked out from BMC Defender Server if the Max Login Attempts value is exceeded. You are presented with a screen indicating you have been locked out of the system, and this screen persists for the specified number of minutes. (The administrator can unlock you from the Login screen, described previously.)
  • Require IP Address / Group—This value is an IP address, an address wildcard, or an address group that indicates what IP addresses are allowed to access BMC Defender Server. If the administrator specifies an address group, the value should include the @@ character delimiters in standard BMC Defender Server format.
  • Options from earlier than SPE2110:
    • Security Enhanced Functions—This selection allows the administrator to enable enhanced login security, or disable it. The default is Disabled. The administrator must first enable Enhanced Session Security before any of the other following settings are applied. 
    • Login Authentication Method—This selection specifies whether authentication takes place with HTTP authentication, a built-in Web screen, or both. When using HTTP authentication, you are prompted for a password via a browser pop-up dialog. When using Web Screen authentication, you are prompted for a password via a BMC Defender Server screen.
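
An added example, not BMC code: a small Python model of how Require Strong Passwords, Max Login Attempts and User Lockout Duration interact, used to count how many wrong passwords the server would still evaluate for one account per day under a given setting. Only the default of 10 attempts and the two password rules come from this page; the 15- and 60-minute lockout values, the one-attempt-per-minute rate, the reset on success and locking on the Nth failure are assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class LoginPolicy:
    """Model of the Security tab parameters (illustrative, not BMC code)."""
    require_strong: bool = False   # page default: False
    max_attempts: int = 10         # page default: 10
    lockout_minutes: int = 15      # constructed value; the page states no default
    fails: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def password_ok(self, pw: str) -> bool:
        if not self.require_strong:
            return len(pw) >= 3    # weak rule: three or more characters
        # strong rule: 8+ characters with an upper, a lower and a digit
        return len(pw) >= 8 and all(
            re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]"))

    def attempt(self, user: str, correct: bool, now_min: int) -> str:
        """Return 'locked' (not evaluated), 'ok' or 'denied'."""
        if now_min < self.locked_until.get(user, 0):
            return "locked"
        if correct:
            self.fails[user] = 0   # assumption: success resets the counter
            return "ok"
        self.fails[user] = self.fails.get(user, 0) + 1
        if self.fails[user] >= self.max_attempts:  # assumption: lock on Nth failure
            self.locked_until[user] = now_min + self.lockout_minutes
            self.fails[user] = 0
        return "denied"

def wrong_guesses_evaluated(policy: LoginPolicy, minutes: int = 1440) -> int:
    """Wrong passwords the server evaluates for one account in the window,
    assuming one attempt per minute (constructed rate)."""
    return sum(policy.attempt("analyst", False, t) == "denied"
               for t in range(minutes))

if __name__ == "__main__":
    for lockout in (15, 60):
        p = LoginPolicy(lockout_minutes=lockout)
        print(lockout, "min lockout ->", wrong_guesses_evaluated(p), "guesses/day")
```

Comparing the daily count for two lockout durations shows how much of the throttling comes from User Lockout Duration rather than from Max Login Attempts alone.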

Configuring Active Directory authentication

For convenience, as the BMC Defender Server administrator, you can configure BMC Defender Server to authenticate users to Active Directory, so that the organization maintains passwords.

Important

If you principally use BMC Defender Server to monitor privileged user activity, configuring Active Directory authentication might cause a security risk because a malicious managed administrator can compromise the system through modifications to Active Directory.

To configure Active Directory authentication

  1. Make sure that the users for whom you want to define the privileges exist in BMC Defender Server.
  2. Add users and privileges to the System > Logins > Users list.
    The configured password applies to the BMC Defender Server users only if they want to log in to the BMC Defender Server system using the Local setting. In most cases, you can select a long and random password to prohibit user access except through Active Directory authentication. 
  3. On the System > Logins > Security screen, set the following options:
    1. Set Authenticate Using AD / SSPI to True.
    2. Provide the domain name for the login.
    3. Click Commit to save the settings.

The preceding steps are sufficient to enable Active Directory login authentication. When a BMC Defender Server user logs into the system, the password is authenticated against the user's Active Directory settings. The permissions for the user (to the BMC Defender Server screens) are determined by the settings in step 2.

BMC AMI Command Center for Security 6.1