Endpoint Policies Configuration
Policies set system-wide CA Privileged Identity Manager options on the endpoint. For example, you can use policies to set a user password policy or a native audit policy on a Windows endpoint.
Set an Audit Policy on a Windows Endpoint
You can set audit policies for a group, a profile, or a user. You can also specify which Windows events are written to the audit log.
Follow these steps:
- In CA Privileged Identity Manager Endpoint Console, do as follows:
  - Click Configuration.
  - Click Audit Policy.
- Complete the following fields:
  - Audit Policy -- Specifies whether auditing is enabled or disabled. If you enable auditing, specify the events that you want to audit.
  - Audit Policy Events -- Specifies whether to audit the success and failure of each of the following events:
    - File and object access -- attempts to access securable objects, such as files.
    - Use of user rights -- attempts to use Windows Server privileges.
    - Logon and logoff -- attempts to log in to or log out from the system.
    - Process tracking -- attempts to activate a program, duplicate a handle, access an object directly, and so on.
    - Security policy changes -- attempts to change Policy object rules.
    - Restart, shutdown, system -- attempts to shut down or restart the computer.
    - User and group management -- attempts to create, delete, or change user or group accounts. Also, password changes.
A confirmation message appears, letting you know that native options have been successfully updated.
Set a User Password Policy
You can define the content requirements for user passwords.
To set a user password policy, follow these steps:
- In CA Privileged Identity Manager Endpoint Console, do as follows:
  - Click the Configuration tab.
  - Click User Password Policy.
- Complete the following fields:
  - Minimum Password Age -- Defines the minimum number of days between password changes.
  - Maximum Password Age -- Defines the number of days that must pass after passwords are set or changed before the system prompts users for a new password. An interval of zero disables password interval checking for users. If you do not want a password to expire, set the interval to zero.
  - Minimum Password Length -- Defines the minimum number of characters that passwords must contain.
  - Maximum Password Length -- Defines the maximum number of characters that passwords can contain.
  - Password Uniqueness -- Defines the maximum number of characters the new password can share with the previous password.
  - Number of Lower Case Characters -- Defines the minimum number of lowercase characters passwords must contain.
  - Number of Upper Case Characters -- Defines the minimum number of uppercase characters passwords must contain.
  - Number of Alpha Characters -- Defines the minimum number of alphabetic characters passwords must contain.
  - Number of Special Characters -- Defines the minimum number of special characters passwords must contain.
  - Number of Alpha Numeric Characters -- Defines the minimum number of alphanumeric characters passwords must contain.
  - Number of Numeric Characters -- Defines the minimum number of numeric characters passwords must contain.
  - Number of Logons Permitted -- Defines the maximum number of grace logins that a user is permitted to make before they are suspended. Limits: an integer from 0 through 255.
  - Number of Repetitive Characters -- Defines the maximum number of repeating characters passwords can contain.
  - Password Identical to Account Name -- Specifies whether to check if the password contains or is contained by the name of the user.
  - Password is Being Replaced -- Specifies whether to check if the new password contains or is contained by the password that is being replaced.
  - Bidirectional Password -- Specifies that the passwords are distributed in clear text (within encrypted messages) when they are propagated to other systems from a PMDB. On UNIX, this option is equivalent to setting the following passwd section configuration setting value: Passwd_distribution_encryption_mode=bidirectional. We recommend that you set the configuration setting rather than use the setoptions command. On Windows, the passwords are stored in the history list with the encryption specified in the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Encryption Package
  - Prohibited Characters -- Defines which characters a user cannot use in a password.
  - Dictionary Source -- Specifies the password dictionary. Words that appear in the dictionary cannot be used as a password. The possible values are as follows:
    - Database -- CA Privileged Identity Manager compares passwords against words in the CA Privileged Identity Manager database.
    - File -- CA Privileged Identity Manager compares passwords against a file that is specified in the configuration settings.
- Click Save.
A confirmation message appears, letting you know that the password policy has been successfully updated.
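As an added example (not code from CA Privileged Identity Manager or its documentation), the following Python checker applies the password policy fields described above to a candidate password and reports which rules it violates. Where the field text leaves the semantics open, the code makes labelled assumptions: Password Uniqueness is counted as characters that match the previous password at the same position, and the dictionary is a constructed lowercase word list rather than the product database or file.

```python
from dataclasses import dataclass
import string

@dataclass
class PasswordPolicy:
    min_length: int = 8            # Minimum Password Length
    max_length: int = 64           # Maximum Password Length
    min_lower: int = 1             # Number of Lower Case Characters
    min_upper: int = 1             # Number of Upper Case Characters
    min_numeric: int = 1           # Number of Numeric Characters
    min_special: int = 1           # Number of Special Characters
    max_repetitive: int = 2        # Number of Repetitive Characters: longest run of one character
    max_shared_previous: int = 3   # Password Uniqueness (assumption: same character at same position)
    prohibited: str = ""           # Prohibited Characters
    dictionary: frozenset = frozenset()   # Dictionary Source: constructed lowercase word list
    check_account_name: bool = True       # Password Identical to Account Name
    check_replaced: bool = True           # Password is Being Replaced

def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def overlaps(a: str, b: str) -> bool:
    """True when either string contains the other, ignoring case ('contains or is contained by')."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a in b or b in a)

def check_password(pw: str, policy: PasswordPolicy, account_name: str = "", previous: str = "") -> list:
    """Return the names of the rules a candidate password violates; an empty list means accepted."""
    p = policy
    rules = [
        ("Minimum Password Length", len(pw) < p.min_length),
        ("Maximum Password Length", len(pw) > p.max_length),
        ("Number of Lower Case Characters", sum(c.islower() for c in pw) < p.min_lower),
        ("Number of Upper Case Characters", sum(c.isupper() for c in pw) < p.min_upper),
        ("Number of Numeric Characters", sum(c.isdigit() for c in pw) < p.min_numeric),
        ("Number of Special Characters", sum(c in string.punctuation for c in pw) < p.min_special),
        ("Number of Repetitive Characters", longest_run(pw) > p.max_repetitive),
        ("Prohibited Characters", any(c in p.prohibited for c in pw)),
        ("Dictionary Source", pw.lower() in p.dictionary),
        ("Password Identical to Account Name", p.check_account_name and overlaps(pw, account_name)),
        ("Password is Being Replaced", p.check_replaced and overlaps(pw, previous)),
        ("Password Uniqueness", sum(a == b for a, b in zip(pw, previous)) > p.max_shared_previous),
    ]
    return [name for name, violated in rules if violated]
```

Running the checker against a proposed policy before rolling it out to endpoints shows which of the above fields actually reject the weak passwords you care about, and which accepted passwords still slip through.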