Endpoint Policies Configuration

Policies set system-wide CA Privileged Identity Manager options on the endpoint. For example, you can use policies to set a user password policy or a native audit policy on a Windows endpoint.
Set an Audit Policy on a Windows Endpoint
You set audit policies for a group, profile, or user. You can also specify the Windows events that you want to write to the audit log.
Follow these steps:
  1. In CA Privileged Identity Manager Endpoint Console, do as follows:
    1. Click Configuration.
    2. Click Audit Policy.
    The Audit Policy page appears.
  2. Complete the following fields:
    • Audit Policy
      Specifies whether auditing is enabled or disabled. If you enable auditing, specify the events that you want to audit.
    • Audit Policy Events
      Specifies whether to audit the success and failure of each of the following events:
      • File and object access
         -- attempts to access securable objects, such as files.
      • Use of user rights
         -- attempts to use Windows Server privileges.
      • Logon and logoff
         -- attempts to log in to or log out from the system.
      • Process tracking
         -- attempts to activate a program, duplicate a handle, access an object directly, and so on.
      • Security policy changes
         -- attempts to change Policy object rules.
      • Restart, shutdown, system
         -- attempts to shut down or restart the computer.
      • User and group management
         -- attempts to create, delete, or change user or group accounts, and password changes.
  3. Click Save.
    A confirmation message appears, letting you know that native options have been successfully updated.
Set a User Password Policy
You can define the content requirements for user passwords.
Follow these steps:
  1. In CA Privileged Identity Manager Endpoint Console, do as follows:
    1. Click the Configuration tab.
    2. Click User Password Policy.
    The User Password Policy page appears.
  2. Complete the following fields:
    • Minimum Password Age
      Defines the minimum number of days between password changes.
    • Maximum Password Age
      Defines the number of days that must pass after a password is set or changed before the system prompts the user for a new password. An interval of zero disables password interval checking, so set the interval to zero if you do not want passwords to expire.
    • Minimum Password Length
      Defines the minimum number of characters that passwords must contain.
    • Maximum Password Length
      Defines the maximum number of characters that passwords can contain.
    • Password Uniqueness
      Defines the maximum number of characters the new password can share with the previous password.
    • Number of Lower Case Characters
      Defines the minimum number of lowercase characters passwords must contain.
    • Number of Upper Case Characters
      Defines the minimum number of uppercase characters passwords must contain.
    • Number of Alpha Characters
      Defines the minimum number of alphabetic characters passwords must contain.
    • Number of Special Characters
      Defines the minimum number of special characters passwords must contain.
    • Number of Alpha Numeric Characters
      Defines the minimum number of alphanumeric characters passwords must contain.
    • Number of Numeric Characters
      Defines the minimum number of numeric characters passwords must contain.
    • Number of Logons Permitted
      Defines the maximum number of grace logins that a user is permitted to make before the user is suspended.
      Limits:
       An integer from 0 through 255
    • Number of Repetitive Characters
      Defines the maximum number of repeating characters passwords can contain.
    • Password Identical to Account Name
      Specifies whether to check if the password contains or is contained by the name of the user.
    • Password is Being Replaced
      Specifies whether to check if the new password contains or is contained by the password that is being replaced.
    • Bidirectional Password
      Specifies that the passwords are distributed in clear text (within encrypted messages) when they are propagated to other systems from a PMDB.
      On UNIX, this option is equivalent to setting the following passwd section configuration setting value:
      Passwd_distribution_encryption_mode=bidirectional
      We recommend that you set the configuration setting rather than use the setoptions command.
      On Windows, the passwords are stored in the history list with the encryption specified in the registry value:
      HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Encryption Package
    • Prohibited Characters
      Defines which characters a user cannot use in a password.
    • Dictionary Source
      Specifies the password dictionary. Words that appear in the dictionary cannot be used as a password. The possible values are as follows:
      • Database
         -- CA Privileged Identity Manager compares passwords against words in the CA Privileged Identity Manager database.
      • File
         -- CA Privileged Identity Manager compares passwords against a file that is specified in the configuration settings.
  3. Click Save.
    A confirmation message appears, letting you know that password policy has been successfully updated.
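The password policy fields above, written out as a reference checker that reports which fields a candidate password violates. This is an added example, not CA Privileged Identity Manager's own implementation: the policy values, the treatment of Password Uniqueness as the number of characters in common counted with multiplicity, the case-insensitive comparison for the account-name and replaced-password checks, and the in-memory stand-in for the Dictionary Source are assumptions, and the Alpha and Alpha Numeric fields are left out for brevity.

```python
import string
from collections import Counter

# Constructed sample policy mirroring the console fields; the values are assumptions.
POLICY = {
    "min_length": 12, "max_length": 64,
    "uniqueness": 4,          # max characters shared with the previous password
    "min_lower": 1, "min_upper": 1, "min_numeric": 1, "min_special": 1,
    "max_repetitive": 2,      # max run of identical characters (assumed: consecutive)
    "check_account_name": True, "check_replaced": True,
    "prohibited": " \t",      # characters a password may not contain
    "dictionary": {"password", "welcome1"},  # stand-in for the Database/File source
}

def _contains_either_way(a, b):
    # "contains or is contained by", compared case-insensitively (assumption)
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a in b or b in a)

def _shared_chars(new, old):
    # Assumed uniqueness metric: characters in common, counted with multiplicity.
    return sum((Counter(new) & Counter(old)).values())

def _max_run(pw):
    # Longest run of consecutive identical characters.
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == ch else 1
        best = max(best, run)
    return best

def check_password(pw, user, previous, policy=POLICY):
    """Return the policy fields the candidate password violates (empty if it passes)."""
    rules = {
        "min_length": len(pw) >= policy["min_length"],
        "max_length": len(pw) <= policy["max_length"],
        "uniqueness": _shared_chars(pw, previous) <= policy["uniqueness"],
        "lower_case": sum(c.islower() for c in pw) >= policy["min_lower"],
        "upper_case": sum(c.isupper() for c in pw) >= policy["min_upper"],
        "numeric": sum(c.isdigit() for c in pw) >= policy["min_numeric"],
        "special": sum(c in string.punctuation for c in pw) >= policy["min_special"],
        "repetitive": _max_run(pw) <= policy["max_repetitive"],
        "account_name": not (policy["check_account_name"] and _contains_either_way(pw, user)),
        "being_replaced": not (policy["check_replaced"] and _contains_either_way(pw, previous)),
        "prohibited": not any(c in policy["prohibited"] for c in pw),
        "dictionary": pw.lower() not in policy["dictionary"],
    }
    return [name for name, ok in rules.items() if not ok]
```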