How to Configure Password Policies

sm1252sp1

Password Policy Considerations
If you plan to implement password policies in your enterprise, consider the following items:
  • CA Single Sign-On requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password-related information.
  • Password policies can affect CA Single Sign-On performance because of the additional user directory searches required to validate passwords. Password policies that are configured to search only part of a user directory, instead of the entire directory, can also affect performance.
  • If your user directory has a native password policy, that policy must be less restrictive than the CA Single Sign-On password policy, or it must be disabled. Otherwise the native password policy accepts or rejects passwords without notifying CA Single Sign-On, so CA Single Sign-On cannot manage those passwords.
  • By default, if a user enters incorrect information when changing a password, CA Single Sign-On returns a generic failure message that does not specify the reason for the failure. Create and enable the DisallowForceLogin registry key to change the default behavior and explicitly tell users why the change failed.
  • If you use password policies on multiple Policy Servers, synchronize the system times of all servers. Synchronizing times helps to avoid disabling accounts or forcing password changes prematurely.
Create Password Policies
You can create a password policy to provide an extra layer of security to protected resources.
Follow these steps:
  1. Click Policies, Password.
  2. Click Password Policies.
  3. Click Create Password Policy.
  4. Enter a policy name.
  5. Select the user directory to which the policy applies from the Directory list.
  6. Specify if the policy applies to the entire directory or part of the directory.
  7. (Optional) If the policy only applies to part of the directory, click Lookup to specify which part.
  8. (Optional) In the Redirection URL field, specify the location of the FCC to which users are redirected if they enter a password that the password policy deems invalid.
    • To host the redirection FCC on the same server as the agent, accept the default:
      /siteminderagent/forms/smpwservices.fcc
    • To host the redirection FCC for all hosts on a specific server:
      http://server_name:port/siteminderagent/forms/smpwservices.fcc
    • To host the redirection FCC for all hosts on a specific server over SSL:
      https://server_name:port/siteminderagent/forms/smpwservices.fcc
  9. Configure the policy to reflect the password logic by defining options, such as the password expiration (whether the password is valid), composition, expression, restriction, or advanced settings.
(Optional) Configure Password Expiration
Optionally, configure password expiration settings to define events that, when triggered, cause the Policy Server to disable the user account or force a password change. Examples of such events include multiple failed login attempts and account inactivity.
When a user with an expired password attempts to access a protected resource, one of the following actions occurs:
  • If the Disable user option is set, they are redirected to a page that states "You cannot access your account at this time. Please contact your Security Administrator or Help Desk." 
  • If the Force password change option is set, they are redirected to a change password page. 
    Note:
    The force password change option is only enforced when a user with an expired password is authenticated using password-based authentication. If the user is authenticated using another authentication method, such as a certificate or assertion, they are taken directly to the requested resource.
Follow these steps:
  1. Click the Expiration tab.
  2. Specify user login tracking settings by selecting the Track successful logins, Track failed logins, and Authenticate on Login Tracking Failure options in the Expiration section.
    Note:
    Select the Track successful logins check box if you want to disable accounts because of account inactivity. Select the Track failed logins check box if you want to disable accounts because of failed login attempts.
  3. Specify the settings that determine how often a password must be changed in the Password expires if not changed section.
  4. Specify the settings that determine how many incorrect password attempts are permitted in the Incorrect Password section.
  5. Specify the settings that determine how long a password can remain inactive in the Password expires from inactivity section.
    For performance reasons, we recommend that you only set this option if you need passwords to expire from inactivity.
  6. Click Submit to save the password policy or click another tab to continue working with the password policy.
(Optional) Configure Password Composition
Optionally, configure password composition rules to control the character composition of newly created passwords.
Follow these steps:
  1. Click the Composition tab.
  2. Enter the minimum and maximum character length for passwords in the Minimum Length and Maximum Length fields.
  3. Enter the maximum number of characters that can appear consecutively in a password in the Maximum field.
  4. Specify the permissible character types and the minimum requirements for each in the Content Minimum section.
  5. Click Submit.
(Optional) Password Regular Expressions
Regular expression matching for passwords allows you to specify text patterns that each password must match, or must not match, to be considered valid.
For example, if you require the first character of the password to be a digit and the last character not to be a digit, you can configure a regular expression to enforce this requirement, and all passwords are checked against it.
Regular Expressions Syntax
The following table describes the characters that you can use for constructing regular expressions for password matching. This syntax is consistent with the regular expression syntax supported for resource matching when specifying realms.
All closure operators (+, *, ?) are greedy by default, meaning that they match as many elements of the string as possible without causing the overall match to fail. If you want a closure to be reluctant (non-greedy), follow it with a ’?’. A reluctant closure matches as few elements of the string as possible when finding matches.
The regular expression syntax is as follows:
Characters      Results
\               Used to quote a meta-character (like ’*’)
\\              Matches a single ’\’ character
(A)             Groups subexpressions (affects order of pattern evaluation)
[abc]           Simple character class (any character within brackets matches the target character)
[a-zA-Z]        Character class with ranges (any character range within the brackets matches the target character)
[^abc]          Negated character class
.               Matches any character other than newline
^               Matches only at the beginning of a line
$               Matches only at the end of a line
A*              Matches A 0 or more times (greedy)
A+              Matches A 1 or more times (greedy)
A?              Matches A 1 or 0 times (greedy)
A*?             Matches A 0 or more times (reluctant)
A+?             Matches A 1 or more times (reluctant)
A??             Matches A 0 or 1 times (reluctant)
AB              Matches A followed by B
A|B             Matches either A or B
\1              Backreference to 1st parenthesized subexpression
\n              Backreference to nth parenthesized subexpression
Limit:
Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.
Configure Regular Expression Matching
Configure regular expressions to specify text patterns that are used for string matching. A password must match or not match the expression to be valid. Each regular expression entry is a name/value pair consisting of a descriptive tag and expression definition.
Regular expression matching for passwords is optional. If you decide to use regular expressions, you only specify entries for expressions that passwords must match or must not match. If you have no expression matching requirements, do not create any regular expression entries.
Follow these steps:
  1. In the Password Policy dialog, select the Regular Expressions tab.
  2. Click Add to add an expression.
    The Password Regular Expression dialog opens.
  3. Select one of the following radio buttons:
    • MUST Match
      If you select this option, define a regular expression that passwords must match.
    • MUST NOT Match
      If you select this option, add an entry for each regular expression that passwords must not match.
  4. Enter values for the fields.
  5. Click OK.
    The regular expression is added to the table. If you selected MUST NOT match, a checkbox appears in the NO Match column.
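The following is an added example, not CA Single Sign-On code, showing how the composition rules and the MUST Match / MUST NOT Match regular expression entries described above combine into one validation pass, including the 10-subexpression limit. The PasswordPolicy structure, its field names, the character-class grouping and the sample policy are assumptions made for this illustration; the sample policy encodes the page's example of a leading digit that must not also be the last character.

```python
import re
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    max_consecutive: int = 3            # identical characters allowed in a row
    content_minimum: dict = field(default_factory=dict)  # character class -> count
    must_match: dict = field(default_factory=dict)       # tag -> regular expression
    must_not_match: dict = field(default_factory=dict)   # tag -> regular expression

# Character classes for the Content Minimum check (assumed grouping).
CLASSES = {
    "letters": str.isalpha,
    "digits": str.isdigit,
    "punctuation": lambda c: not c.isalnum() and not c.isspace(),
}

def within_subexpression_limit(pattern: str) -> bool:
    """Page limit: at most 10 subexpressions, i.e. unescaped '(' plus one for the whole expression."""
    return len(re.findall(r"(?<!\\)\(", pattern)) + 1 <= 10

def validate(policy: PasswordPolicy, password: str) -> list:
    """Return the tags of the rules the password violates; an empty list means it is valid."""
    failures = []
    if not policy.min_length <= len(password) <= policy.max_length:
        failures.append("length")
    # A run of max_consecutive + 1 identical characters breaks the consecutive rule.
    if re.search(r"(.)\1{%d,}" % policy.max_consecutive, password):
        failures.append("consecutive")
    for cls, minimum in policy.content_minimum.items():
        if sum(1 for c in password if CLASSES[cls](c)) < minimum:
            failures.append("content:" + cls)
    for tag, pattern in policy.must_match.items():
        if not re.search(pattern, password):
            failures.append("must:" + tag)
    for tag, pattern in policy.must_not_match.items():
        if re.search(pattern, password):
            failures.append("must_not:" + tag)
    return failures

# Sample policy (constructed): the page's example of a first character that must
# be a digit while the last character must not be, plus composition rules.
SAMPLE_POLICY = PasswordPolicy(
    content_minimum={"letters": 4, "digits": 1},
    must_match={"leading-digit": r"^[0-9]"},
    must_not_match={"trailing-digit": r"[0-9]$"},
)
```

Calling validate(SAMPLE_POLICY, "secure7") reports the length, MUST and MUST NOT failures together, which is the information the DisallowForceLogin key mentioned earlier lets you surface to the user instead of a generic message.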
(Optional) Configure Password Restrictions
Optionally, configure password restrictions to place restrictions on password usage. Restrictions include:
  • How long a user must wait before reusing a password
  • How different the password must be from ones that were previously used
You can also prevent users from specifying words that you determine are a security risk or contain personal information.
Follow these steps:
  1. Click the Restrictions tab.
  2. Specify how much time must pass, how many new passwords must be created, or both before an old password can be reused in the Reuse section.
    If you specify both criteria, each must be satisfied before a user can reuse a password.
    Example:
    A password policy requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if a user only supplied six passwords, the user would have to supply another six passwords before reusing the first password.
  3. Specify how much a new password must differ from the previous password in the Change Required section.
  4. Specify the number of consecutive characters the password policy compares to personal information stored in user profiles in the Profile Attributes section.
  5. Specify the path to a user-defined dictionary of forbidden passwords and the length of the string compared against values in the dictionary in the Dictionary section.
  6. Click Apply to save the changes or click OK to save the changes and return to the Administrative UI.
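The following is an added example, not CA Single Sign-On code, of the Reuse rule from the Restrictions tab: an old password may be reused only when both the waiting period and the number of intervening passwords are satisfied. It reproduces the 365-day, 12-password example above with a constructed history; the history layout, the salt and the sample passwords are assumptions, and the waiting period is measured from when the old password was set.

```python
import hashlib
from datetime import datetime, timedelta

def digest(password: str) -> str:
    # Illustrative only: a password history stores hashes, never cleartext passwords.
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

def may_reuse(history, candidate, now, min_days, min_passwords):
    """history: list of (digest, set_at) entries, oldest first, including the
    current password. Returns (allowed, reason). Both the waiting period and
    the count of passwords chosen since the old one must be satisfied."""
    wanted = digest(candidate)
    positions = [i for i, (d, _) in enumerate(history) if d == wanted]
    if not positions:
        return True, "not previously used"
    last = positions[-1]
    days_elapsed = (now - history[last][1]).days
    intervening = len(history) - 1 - last
    if days_elapsed >= min_days and intervening >= min_passwords:
        return True, "reuse criteria satisfied"
    return False, "%d of %d days elapsed, %d of %d intervening passwords" % (
        days_elapsed, min_days, intervening, min_passwords)

# Constructed history reproducing the page's example: the user set "Winter-2019!"
# and then six more passwords over the following year.
START = datetime(2019, 1, 1)
HISTORY = [(digest("Winter-2019!"), START)] + [
    (digest("Rotation-%d" % n), START + timedelta(days=60 * n)) for n in range(1, 7)
]

def page_example(extra_passwords: int = 0, days: int = 400):
    """Policy of 365 days and 12 passwords; optionally add more rotations or change the wait."""
    history = HISTORY + [(digest("Extra-%d" % n), START + timedelta(days=360 + n))
                         for n in range(extra_passwords)]
    return may_reuse(history, "Winter-2019!", START + timedelta(days=days), 365, 12)
```

page_example() is refused after 400 days because only six passwords intervened; page_example(extra_passwords=6) brings the count to twelve and the reuse is allowed.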
(Optional) Configure Advanced Password Options
Optionally, configure advanced password policy options to specify that submitted passwords be preprocessed before validation and storage. Advanced password policies let you assign a priority to a policy, which allows the predictable evaluation of multiple password policies that apply to the same user directory or namespace.
Preprocessing options are optional. Specify a unique password policy evaluation priority for each password policy that can be assigned to the user directory or namespace.
Follow these steps:
  1. Click the Advanced tab.
  2. Specify options to process submitted passwords prior to evaluation and storage in the Password Pre-Processing section.
    You should specify identical preprocessing options for each password policy that is applied to the same user directory or namespace.
  3. (Optional) If the password policy is one of multiple policies that apply to the same user directory or namespace, specify the password policy priority in the Password Policy Priority section.
    Evaluation priorities range from 0-999, where 999 is the highest.
Remove the Login ID When Redirecting for Password Services
During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.
To remove the login ID when redirecting for password services in Windows
  1. Add the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
  2. Set the DWORD value to one of the following values:
    • 0 — Applies the default behavior of appending the UID to the request URL.
    • 1 — Changes the default behavior so that the UID is not appended to the request URL.
To remove the login ID when redirecting for password services in UNIX
  1. Navigate to:
    policy-server-install-dir/registry/
  2. In a text editor, open the following file:
    sm.registry
  3. Add the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=(#number)\DisallowUsernameInURL
  4. Set the DWORD value to one of the following values:
    • 0 — Applies the default behavior of appending the UID to the request URL.
    • 1 — Changes the default behavior so that the UID is not appended to the request URL.
CA Directory Password Policy Control
You can configure the Policy Server to honor CA Directory password policies. The Policy Server, together with a properly configured Web Agent, can send end-users configured warnings and notifications that are based on the directory password policies.
The following CA Directory password policies are supported:
  • Native password expiration.
    To use this feature, do one of the following:
    • Do not set the Policy Server password policy for password expiration.
    • Configure the policy settings for expiration and warnings so they are less restrictive than the settings in the CA Directory password policy.
  • User account lock-out settings.
    If you use the CA Directory settings, disable the Policy Server account lock-out feature.
  • Password expiration warnings.
  • Notification of the remaining grace logins, if the client can recognize the password message code for the grace login message.
    The Policy Server has no notion of grace logins remaining.
Follow these steps:
  1. Define a password policy that refers to the CA Directory where your users reside.
  2. Use the XPSConfig tool and set the configuration parameter CA.SM::$LdapEnablePwdCtrlSupport to true.
    To use the tool, refer to the XPSConfig instructions.
  3. Open the dsaname.dxi file from the DXHOME\config\servers folder on your CA Directory installation.
  4. Update the value of the set mimic-netscape-for-siteminder parameter to true.
    This setting ensures that the password policies of CA Directory are honored.