User account security policies

System Administrator Guide for VSP 5000 Series

Version: 90-09-2x
Audience: anonymous
Part Number: MK-98RD9009-16

The HDvM - SN user accounts can be protected from unauthorized use by user-defined password and login requirements. The HDvM - SN Security Administrator can enable and specify these user account security settings by using HDvM - SN. The PF-REST API provides partial support for the user account security policies. For details, see the REST API Reference Guide.

The user account security settings are included in the HDvM - SN backup configuration file. If the HDvM - SN configuration is restored from a configuration file that contains outdated information, a user account will be locked out if its password has expired according to that old information. In this case, the Security Administrator must release the account lockout.

User account security events are recorded in the audit log for the storage system, except for the following three events, which are not recorded in the audit log:

  • Account lockout when the password has expired.
  • Account lockout when the user exceeds the maximum number of login attempts.
  • Account unlock when the lockout mode is lock.
Note:
  • If you update the SVP firmware from a version that does not support this function to a version that supports it, user account security remains the same as in the older version until you reset the user account security policies using the Edit User Account Policies window. When you open the Edit User Account Policies window for the first time after upgrading the SVP version, the window is displayed with the updated default (recommended) values. Note that these default values are different from the default values in previous versions.
  • For CLI and API users:
    • The password must be changed at the first login and before expiration.
    • Password expiration warnings are not issued by the CLI or API.

Password requirements

  • Character requirements:
    • Minimum number of numeric characters (0-256, default = 0)
    • Minimum number of uppercase letters (0-256, default = 0)
    • Minimum number of lowercase letters (0-256, default = 0)
    • Minimum number of symbol characters (0-256, default = 0)
    • Minimum total number of characters (6-256, default = 8)
    • Allowed symbol characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
  • Number of previous passwords that cannot be used (1-10, default = 1)
  • Limit available keywords (yes or no)
  • Require initial password reset (password change on first login) (enabled or disabled)

    To enable this function, you must select Yes on the Edit User Account Policies window and also on either the Create User window or the Edit User window. If No is selected on the Edit User Account Policies window, or if No is selected on both the Create User and Edit User windows, this function is disabled.

    When this function is enabled, HDvM - SN users will not be able to perform any other operations until they reset their initial password.

    If the initial password reset function is changed from disabled to enabled, existing users are not asked to change their current password at the next login.

  • Password validity period (disabled (default) or number of days, range = 1-365)

    If there is only one local user account with the Security Administrator role for the storage system, the account is not locked out when the password has expired.

    The password validity period is not checked until the first time the user changes the password after the Security Administrator configures the user account security policy. To enforce the password validity period, the Security Administrator or user must change the password. The Security Administrator can check the password expiration dates in the HDvM - SN user list.

  • Password change prohibition period (disabled (default) or number of days, range = 1-10)

    The password change prohibition period is not checked until the user first changes the password after the Security Administrator configures the user account security policy. To enforce the password change prohibition period, the Security Administrator or user must change the password. The Security Administrator can check the password expiration dates in the HDvM - SN user list.

Note: A password cannot be changed when any of the following conditions applies:
  • The password change prohibition period has not yet elapsed.
  • The requirements for the new password (for example, number of uppercase letters) are not met.
  • The new password is the same as a previous password within the defined range.
  • The new password contains a user name.
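The following validator is an added example, not code from the guide or the product: it applies the password requirements and the rejection conditions listed above to a candidate password. The policy values, the case-insensitive user-name check, and the plain-string password history are assumptions made for illustration.

```python
import string

# Allowed symbol characters, copied from the policy above. Anything that is not a
# letter, a digit, or one of these symbols is treated as a disallowed character
# (assumption: the "allowed symbol characters" list is exhaustive).
ALLOWED_SYMBOLS = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')

# Example policy. min_total and history use the page's defaults; the per-class
# minimums are raised from the page default of 0 to 1 so that those checks fire.
POLICY = {
    "min_numeric": 1, "min_upper": 1, "min_lower": 1, "min_symbol": 1,
    "min_total": 8,   # page range 6-256, default 8
    "history": 3,     # previous passwords that cannot be reused, page range 1-10
}


def check_password(candidate, username, previous, policy=POLICY):
    """Return the list of policy codes the candidate violates (empty = accepted).

    `previous` lists earlier passwords, most recent first. A real system would
    compare password hashes; plain strings are used here only for illustration.
    """
    failures = []
    counts = {"numeric": 0, "upper": 0, "lower": 0, "symbol": 0}
    disallowed = False
    for ch in candidate:
        if ch in string.digits:
            counts["numeric"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in ALLOWED_SYMBOLS:
            counts["symbol"] += 1
        else:
            disallowed = True
    if disallowed:
        failures.append("disallowed_char")
    for cls, n in counts.items():
        if n < policy["min_" + cls]:
            failures.append("min_" + cls)
    if len(candidate) < policy["min_total"]:
        failures.append("min_total")
    # Assumption: "contains a user name" is checked case-insensitively.
    if username.lower() in candidate.lower():
        failures.append("contains_username")
    # Only the most recent `history` passwords are off limits.
    if candidate in previous[: policy["history"]]:
        failures.append("reused")
    return failures
```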

Login requirements

  • Maximum number of login attempts
  • Lockout mode (lock or disable)

    The account is either locked or disabled when the user exceeds the maximum number of login attempts.

  • Duration of the account lockout period (seconds, 60-345,600, default = 60)
Note: When the maximum number of login attempts is exceeded and the lockout mode is lock, the user must wait until the account lockout period has elapsed before logging in again. When the maximum number of login attempts is exceeded and the lockout mode is disable, the Security Administrator must re-enable the user account and reset the password.
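As an added example (not code from the guide or the product), the state machine below contrasts the two lockout modes described above: a locked account recovers by itself once the lockout period elapses, while a disabled account stays blocked until the Security Administrator re-enables it and resets the password. The policy and account classes, and the rule that the (max + 1)-th consecutive failure "exceeds" the limit, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    max_attempts: int          # maximum number of login attempts
    mode: str                  # "lock" or "disable"
    lockout_seconds: int = 60  # page range 60-345,600 seconds, default 60

    def __post_init__(self):
        if self.mode not in ("lock", "disable"):
            raise ValueError("lockout mode must be 'lock' or 'disable'")
        if not 60 <= self.lockout_seconds <= 345_600:
            raise ValueError("lockout period must be 60-345600 seconds")


@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # set only in lock mode
    disabled: bool = False                # set in disable mode
    must_reset_password: bool = False


def record_failed_login(acct, policy, now):
    """Apply one failed login at time `now` (seconds) and return the account."""
    acct.failed_attempts += 1
    # Assumption: the limit is exceeded on the (max_attempts + 1)-th failure.
    if acct.failed_attempts > policy.max_attempts:
        if policy.mode == "lock":
            acct.locked_until = now + policy.lockout_seconds
        else:
            acct.disabled = True
    return acct


def login_allowed(acct, now):
    """Locked accounts clear automatically after the period; disabled ones never do."""
    if acct.disabled:
        return False
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False
        acct.locked_until = None  # lockout period elapsed: start counting afresh
        acct.failed_attempts = 0
    return True


def admin_reenable(acct):
    """Security Administrator re-enables the account; a password reset is required too."""
    acct.disabled, acct.locked_until, acct.failed_attempts = False, None, 0
    acct.must_reset_password = True
    return acct
```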

Password expiration

Users are notified about password expiration by email and also when logging in to HDvM - SN.

  • Email notifications
    • Warning 30 days before password expiration
    • Warning 14 days before password expiration and daily thereafter
    • Notification at password expiration and none thereafter
  • Login notifications
    • Warning at each GUI login starting 14 days before password expiration
    • Login failure at each login after password expiration

To prevent a password from expiring, the user must change the existing password before the end of the day (23:59 or earlier) on which the password expires.

After a password has expired, the Security Administrator must re-enable the account and reset the password.

Note:
  • If a password expires while the user is logged in, the next navigation within HDvM - SN will fail and the user account is disabled. The user must contact the Security Administrator to regain access to HDvM - SN.
  • The mail server settings for email notification of password expiration are not backed up in the HDvM - SN configuration file. If the backup HDvM - SN configuration file is applied, you must re-enter the email notification settings for password expiration.

Account lockout

The following table lists and describes the user account lockout specifications.

Note: The account lockout specifications apply to all user accounts, including the maintenance personnel user account. If the maintenance personnel user account becomes locked or disabled, the Security Administrator must re-enable the account and reset the password.

Lockout type: Account locked
  Lockout triggers: The maximum number of failed login attempts has been exceeded.
  Unlock details: The user can log in after the lockout period has elapsed.

Lockout type: Account disabled
  Lockout triggers:
    • The maximum number of failed login attempts has been exceeded.
    • The password has expired.
  Unlock details: The Security Administrator must reset the password.