One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Login Control

It is the responsibility of the Appliance Administrator to configure the Safeguard for Privileged Passwords user login control settings, such as the number of failed sign-in attempts before locking out an account.

To configure the login controls

1. Navigate to Administrative Tools | Settings | Safeguard for Privileged Passwords Access | Login Control.
2. Provide the following information:

   Token Lifetime	Set the number of minutes a user can stay logged into Safeguard for Privileged Passwords. Range: 10 minutes to 28800 minutes (20 days) Default: 1440 minutes (1 day)
   Lockout Duration	Set the number of minutes a locked out account remains locked. Range: 1 to 9999 minutes; A setting of 9999 requires an administrator to manually unlock the account. Default: 15 minutes
   Lockout Threshold	Set the number of consecutive failed sign-in attempts within the Lockout Window required to lock a user account. If a user submits an incorrect password for the maximum number of times specified by the account Lockout Threshold settings within the Lockout Window, Safeguard for Privileged Passwords locks the account until the Lockout Duration period has been met. Range: 0 to 100 failed sign-in attempts; A value of 0 (zero) indicates the user’s account will never be locked due to failed log ins. Default: 5 consecutive failures TIP: Set the Lockout Threshold to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.
   Lockout Window	Set the duration (in minutes) in which Safeguard for Privileged Passwords increments the number of failed sign-in attempts. Range: 0 to 15 minutes; A value of 0 (zero) means that there is no time limit to tracking failed log on attempts. Default: 10 minutes
   Disable After	Set the number of days to wait before automatically disabling an inactive user account. If a user has not logged onto Safeguard for Privileged Passwords this number of days, Safeguard for Privileged Passwords disables the user account. NOTE: The Authorizer Administrator must also reset the user's password when re-enabling a disabled account. Range: 14 to 365 days Default: 365 days
   Inform User of Disabled Account	Select this option to inform users when Safeguard for Privileged Passwords has disabled their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied. NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems. A disabled user cannot sign into Safeguard for Privileged Passwords until an administrator has re-enabled his or her account. For more information, see Enabling or disabling a user. Default: Not set
   Inform User of Locked Account	Select this option to inform users when Safeguard for Privileged Passwords has locked their account when they attempt to log in. When cleared, Safeguard for Privileged Passwords tells the user that his or her access has been denied. NOTE: For security reasons, One Identity recommends leaving this option cleared, unless you are troubleshooting login and authentication problems. A user with a locked account cannot sign into Safeguard for Privileged Passwords until the Lockout Duration period has been met or an administrator has unlocked the account. For more information, see Unlocking a user's account. Default: Not set
   Minimum Password Age	Set the number of days a user must wait before changing his or her password. Range: 0 to 14 days Default: 0
   Maximum Password Age	Set the number of days users can use their current password before they must change it. Range: 0 to 180 days; A value of 0 (zero) indicates passwords never expire. Default: 42 days
   Password Age Reminder	Set the period of time (in days) before the Maximum Password Age limit is met and Safeguard for Privileged Passwords begins to remind the user that their password is about to expire. Range: 0 to 30 days Default: 14 days
   Password History	Enter the number of old passwords stored by Safeguard for Privileged Passwords for user accounts. Stored passwords cannot be reused, and are replaced on a first-in first-out basis. NOTE: Administrators are not restricted by the password history setting. Range: 0 to 24 old passwords; A value of 0 (zero) disables password history restrictions allowing users to always reuse old passwords. Default: 5 stored passwords

Password Rules

Password rules define the complexity requirements for user authentication to Safeguard for Privileged Passwords. Some companies suggest or impose requirements on what type of password a user can create, such as:

• The use of both upper- and lower-case letters.
• Inclusion of one or more numerical digits.
• Inclusion of special characters, such as @, #, $ and so forth.

Modifying user password requirements

It is the responsibility of the Authorizer Administrator to configure the user password rules.

To configure user password rules

1. Navigate to Administrative Tools | Settings | Safeguard for Privileged Passwords Access | Password Rules.

2. Set the Password Length from 3 to 255 characters.

   Default: 6 to 64 characters

   Note: The maximum length must be equal to or greater than the sum of minimum characters described in the next step.

3. Set the character Requirements:

   First Character Type	Choose one of the following: All: Alphabetical, numeric, or symbols Alphanumeric: Alphabetical or numeric Alphabetic: Only alphabetical characters Default: All
   Last Character Type	Choose one of the following: All: Alphabetical, numeric, or symbols Alphanumeric: Alphabetical or numeric Alphabetic: Only alphabetical characters Default: All
   Allow Consecutively Repeated Characters	Select this option to allow a user to create a password with consecutively repeated characters. NOTE: Clear this option to disallow consecutively repeated characters. Default: Allowed
   Allow Uppercase	Select this option to allow Safeguard for Privileged Passwords to create a password with uppercase characters. Set the minimum number of required uppercase characters, or set it to zero if there is no minimum requirement. NOTE: Clear this option to disallow uppercase characters. Default: Require a minimum of 1.
   Allow Lowercase	Select this option to allow a user to create a password with lowercase characters. Set the minimum number of required lowercase characters, or set it to zero if there is no minimum requirement. NOTE: Clear this option to disallow lowercase characters. Default: Require a minimum of 1.
   Allow Numeric (0-9)	Select this option to allow a user to create a password with numeric characters. Set the minimum number of required numeric characters, or set it to zero if there is no minimum requirement. NOTE: Clear this option to disallow numeric characters. Default: Require a minimum of 1.
   Allow Symbols (e.g @ # $ % &)	Select this option to allow a user to create a password with special characters. Set the minimum number of required symbolic characters, or set it to zero if there is no minimum requirement. NOTE: Clear this option to disallow special characters. Default: Not allowed
   Valid Symbols	Enter allowable special characters, such as: ~!@#$%^*()_+-=;'?/\|><.,`[]{}. NOTE: You must have the Allow Symbols option selected to enable this box.

Sessions settings

One Identity Safeguard for Privileged Passwords enables you to issue privileged access to users for a specific period or session and gives you the ability to record, archive, and replay user sessions so that your company can meet its auditing and compliance requirements.

It is the responsibility of the Appliance Administrator to configure the One Identity Safeguard for Privileged Passwords Privileged Sessions settings.

If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

Navigate to Administrative Tools | Settings | Sessions.