Security enhanced functions configuration screen
The Security screen is accessed by clicking the System tab, then Logins, and then the Security tab. This screen is available only to admin-type users and lets the operator configure special parameters that might enhance the security of the BMC Defender Server site. The screen permits the BMC Defender Server administrator to configure authentication methods and other parameters that apply to all BMC Defender Server users. The screen is depicted as follows:

This screen is a standard BMC Defender Server Edit dialog that gives the administrator various extra options regarding user logins, such as whether passwords expire, maximum login attempts before the user is logged out, and lockout duration. The screen provides various parameters as follows:
- Security Enhanced Functions—This selection allows the administrator to enable enhanced login security, or disable it. The default is Disabled. The administrator must first enable Enhanced Session Security before any of the other following settings are applied.
- Login Authentication Method—This selection specifies whether authentication takes place with HTTP authentication, a built-in Web screen, or both. When using HTTP authentication, you are prompted for a password via a browser pop-up dialog. When using Web Screen authentication, you are prompted for a password via a BMC Defender Server screen.
- Use Active Directory Authentication—This selection permits you to access BMC Defender Server via SSPI (Microsoft Active Directory) authentication. In this case, the user's password is checked against the value for the platform (either the local logon password, if any, or the Active Directory password).
- NetBIOS Logon Domain—This section (which appears only after clicking the Edit tab) is necessary only if Use Active Directory Authentication is True. The administrator must specify the NetBIOS domain that you are authenticated against. If the value is not specified, you are still able to log on to BMC Defender Server using the local password (if any) and the password of the local computer (if any).
- Auto Logout Time (Minutes)—This value represents the time in minutes before you are automatically logged out of BMC Defender Server due to inactivity. The default value is 60 minutes. After 60 minutes of inactivity, you are automatically presented with a login screen when any button, tab, or link is clicked.
- Require Strong Passwords—This selection enforces strong passwords. A strong password must have eight characters or more, including one upper and lower case letter, and one digit. The default setting is False, which does not enforce strong passwords (and requires only that the password be three or more characters).
- Password Expire Time (Days)—This value represents the time in days before you must change your password. When the password expires, you are forced to enter the current password and select a new password. This action occurs immediately upon expiration before any other screen can be launched.
- Max Login Attempts—This value represents the maximum number of attempts to log in to the system without a correct password and the maximum number of attempts to change a password. After this number of attempts, you are automatically locked out from the system for the User Lockout Duration. The default value is 10 unsuccessful attempts to log in.
- User Lockout Duration (Minutes)—This value represents the time that you are locked out from BMC Defender Server if the Max Login Attempts value is exceeded. You are presented with a screen indicating that you have been locked out of the system, and this screen persists for the number of minutes specified here. (The administrator can unlock you from the Login screen, described previously.)
- Require IP Address / Group—This value is an IP address, an address wildcard, or an address group that indicates what IP addresses are allowed to access BMC Defender Server. If the administrator specifies an address group, the value should include the @@ character delimiters in standard BMC Defender Server format.
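The parameters above interact (nothing applies until Security Enhanced Functions is enabled, and the lockout pair bounds how many wrong passwords an account can receive), so the following added example, which is not BMC code, reviews one set of values against the behaviour this page describes. The dictionary layout, the sample values and the treatment of an empty IP restriction as "unrestricted" are assumptions.

```python
# Added example. Keys mirror the screen labels; the dict layout and the
# sample values are constructed (the page describes no export format).
import re

def is_strong(password):
    """Strong-password rule from the page: 8+ chars, upper, lower, digit."""
    return (len(password) >= 8
            and all(re.search(p, password) for p in ("[A-Z]", "[a-z]", "[0-9]")))

def guesses_per_day(max_attempts, lockout_minutes):
    """Approximate number of wrong passwords one account can receive in
    24 hours, assuming every lockout runs its full duration."""
    if lockout_minutes <= 0:
        return None  # no lockout delay, so attempts are not rate limited
    return max_attempts * max((24 * 60) // lockout_minutes, 1)

def review(cfg):
    """Return findings for one settings dict."""
    if cfg["Security Enhanced Functions"] != "Enabled":
        # Per the page, no other setting applies until this is enabled.
        return ["Security Enhanced Functions disabled: other settings not applied"]
    findings = []
    if not cfg["Require Strong Passwords"]:
        findings.append("Strong passwords off: 3-character passwords accepted")
    if cfg["Use Active Directory Authentication"] and not cfg["NetBIOS Logon Domain"]:
        findings.append("AD authentication without a NetBIOS domain: local passwords only")
    if not cfg["Require IP Address / Group"]:
        # Assumption: an empty value means no source-address restriction.
        findings.append("No IP address / group restriction configured")
    rate = guesses_per_day(cfg["Max Login Attempts"],
                           cfg["User Lockout Duration (Minutes)"])
    findings.append(f"Wrong-password budget per account per day: {rate or 'unlimited'}")
    return findings

SAMPLE = {  # constructed values, not defaults taken from the product
    "Security Enhanced Functions": "Enabled",
    "Require Strong Passwords": False,
    "Use Active Directory Authentication": True,
    "NetBIOS Logon Domain": "",
    "Require IP Address / Group": "",
    "Max Login Attempts": 10,
    "User Lockout Duration (Minutes)": 30,
}

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```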
Configuring active directory authentication
For convenience, BMC Defender Server can be configured to authenticate users against Active Directory, so that the organization maintains passwords.
To configure active directory authentication:
- The BMC Defender Server administrator adds you, and the privileges for the user, to the System > Logins > Users list. (You MUST first exist in BMC Defender Server; this is necessary to define the privileges associated with the BMC Defender Server user.) The password configured for you applies ONLY if the BMC Defender Server user wants to log in to the BMC Defender Server system using the Local setting. In most cases, a long and random password can be selected for this field to prohibit user access except through Active Directory Authentication.
- On the System > Logins > Security screen, the BMC Defender Server administrator:
  - (a) sets Security Enhanced Functions to be Enabled;
  - (b) sets Login Authentication Method to be Web Screen;
  - (c) sets Authenticate Using SSPI / AD to be True;
  - (d) provides the domain name for the login; and then
  - (e) clicks Commit to save the settings.
The preceding steps are sufficient to enable Active Directory login authentication. When a BMC Defender Server user logs into the system, the password is authenticated against the user's Active Directory settings. The permissions for the user (to the BMC Defender Server screens) are determined by the settings of step 1.