Advanced Tab(3.0)
You use the Advanced tab to specify the number of consecutive erroneous login attempts permitted by a user, enable logging in the System Log when a user fails to login to , and configure user authentication by selecting the relevant authentication method.
Number of Consecutive Erroneous Login Attempts
In order to configure the maximum number consecutive failed login attempts, open the Advanced tab, and set a value in Number Of Consecutive Erroneous Login Attempts. The default is 3.
When the maximum number of failed login attempts is reached, the user must restart the Desktop. If enhanced user security is enabled, the user account is also locked. For more information, see the section below, Enhanced User Security.
Enable Logging for User Login
In order to configure the system to log failed attempts in the System Log, open the Advanced tab, and select the check box Enable Logging For User Login. Successful logins and locked accounts are always logged regardless of this setting.
Reauthenticate Users after Inactivity
In order to configure the system to reauthenticate users after a period of inactivity in the Desktop or mzsh shell (interactive mode), open the Advanced tab, and select the check box Reauthenticate Users After Inactivity. Then set the maximum inactive time in Time of Inactivity Before Reauthentication (Minutes).
In the Desktop, the duration of time that the user does not perform any actions is counted as inactive time, regardless of ongoing processes.
However, users are not logged out due to inactivity, but must authenticate again in order to continue the session.
In the mzsh shell, the duration of time that the user does not press any key is counted as inactive time, provided that there is no ongoing command execution. Users are logged out as a result of inactivity and are prompted to enter the password again.
Enhanced User Security
The security user control can be enhanced by changing the Platform property mz.security.user.control.enabled
in the platform.conf
. By default this property is set to false
. If set to true
a number of rules regarding the passwords apply as soon as the platform is restarted.
Note!
When you are using LDAP authentication, the information in this section is only applicable for the user mzadmin.
Enhanced User Security Password Rules
If enhanced user security is enabled, the default password rules are:
The password must:
Be at least eight characters long
Include at least one special character and one that is either a number or capital letter
The password must not:
Contain more than two identical characters in an uninterrupted sequence. Such as "aaa".
Note!
Repetitive characters that are not consecutively sequenced are still valid. Such as "adadad".
Include the username.
- Be in alphabetical sequence, such as Abcd.
- Be in numerical sequence, such as 1234.
- Be in any US keyboard pattern, such as Qwerty.
- Contain any whitespace.
Be identical to any of the recent twelve (minimum) passwords used for the user ID
The default maximum password age is 30 days for administrators, i e users that are members of the Administrator group, and 90 days for other users.
If you have a custom password policy that you will want to include with the default policies listed above, you can use the mz.security.user.control.password.extra properties.
You can modify the password rules with the following Platform properties:
Note!
All properties listed below is only applicable when the value of mz.security.user.control.enabled
is set to true
.
Property | Description |
---|---|
mz.security.max.password.age.enabled | Default value: false Enables or disables the password expiration check. This property is only applicable when mz.security.user.control.enabled is also set to true. If both properties above are set to true, user is required to change password every N days set in mz.security.max.password.age.admin and mz.security.max.password.age.user. |
mz.security.max.password.age.admin | Default value: The maximum password age for administrator users in days. Please refer mz.security.max.password.age.enabled column. |
mz.security.max.password.age.user | Default value: The maximum password age for users in days. Please refer mz.security.max.password.age.enabled column. |
mz.security.max.password.history | Default value: The maximum amount of recent passwords to retain for a user ID, to prevent the same password from being reused. |
mz.security.user.control.password.numcaps.count | Default value: The minimum number of upper case characters or number of numerical characters, in a password. |
mz.security.user.control.password.numcaps.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password. |
mz.security.user.control.password.numcaps.pattern | Default value: The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met. |
mz.security.user.control.password.length.count | Default value: The minimum total number of characters in a password. |
mz.security.user.control.password.length.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum length of the password. |
mz.security.user.control.password.lowercase.count | Default value: |
mz.security.user.control.password.uppercase.count | Default value: The minimum total number of uppercase characters in a password. |
mz.security.user.control.password.number.count | Default value: The minimum total number of numeric characters in a password. |
mz.security.user.control.password.special.count | Default value: The minimum number of special characters, in a password. |
mz.security.user.control.password.special.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum number of special characters in the password. |
mz.security.user.control.password.special.pattern | Default value: The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met. |
mz.security.user.control.password.repetition.message | Default value: The message to be displayed for the user when they have not met the condition for the password having the least amount of multiple repeated characters in a sequence. |
mz.security.user.control.password.username.message | Default value: The message to be displayed for the user when they have the username contained withing the password. |
mz.security.user.control.password.history.message | Default value: The message to be displayed for the user when they are reusing a password that they have used before. |
mz.security.user.control.password.extra.count | Default value: The minimum number of characters for the extra user policy. |
mz.security.user.control.password.extra.message | Default value: The message to be displayed for the user when they did not meet the requirements of the extra user policy. |
mz.security.user.control.password.extra.pattern | Default value: The pattern of the permitted values. The password will be matched to the pattern to determine if the condition is met. |
mz.security.user.control.password.extra.type | Default value: The type that determines what the extra pattern will be. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions.. |
Note!
The user account will be locked after a configurable number of failed login attempts. If this happens, the password settings for the user account must be updated in the Users tab, unless automatic unlocking is selected. For more information about how to update password settings for a user account and how to configure automatic unlocking, see the section above, Users Tab, and the section below, Enhanced User Security Configuration.
Enhanced User Security Configuration
The settings that are described in this section are available when enhanced user security is enabled.
Setting | Description |
---|---|
Enable Automatic Unlocking Of Users | Select this check box to automatically unlock accounts that have been disabled due failed login attempts. Accounts that have been manually disabled from the Users tab are not affected by this setting. |
Time Before Automatic Unlocking (Minutes) | Enter the time that should pass before a locked account is automatically unlocked by the system. The minimum value is 1 minute. |
User authentication is by default performed in . As an alternative, you can connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creation of users and assigning access groups as mentioned in the following sub-chapter: