Managing Password Policies

A password policy is a set of requirements or rules, such as the number of characters required for a password. To enforce security during logins, policies are applied to scripts.

The policy ensures that the values of the variables comply with specified rules governing their composition. Although this feature is called password policies, these policies can be used on any variables, not just password variables.

You can set password policies for the following:

SecureLogin can generate random passwords. (See "ChangePassword" in the Nsure SecureLogin 3.51.2 Scripting Guide.) These passwords comply with password policies and significantly increase security. Typically, password rules are matched to the organizational policy for the application. However, SecureLogin can enforce stronger policies if they are required.

You can set a different password policy for each container or OU in the directory.


Creating or Editing a Password Policy

  1. Click Password Policies.


    [Figure: The Password Policies page]

    The Description column displays the name of the password policy. An Application icon with a down-arrow on it indicates that the policy is inherited.

    The Source column displays the distinguished name of the object that contains the password policy (the container that the policy is inherited from).

    SecureLogin enforces only new or more restrictive edited policies when a password is created or changed. SecureLogin doesn't check existing passwords to see whether they conform to new or edited policies.

  2. Click New, enter a descriptive name for the new policy, then click OK.


    [Figure: Dialog box to name a policy]

    Use a unique name for all password policies, user IDs, and applications. A password policy can't have the same name as any other SecureLogin object.

  3. (Conditional) If you are editing a policy, click the policy name, then click Edit.


    [Figure: List of password policies]

  4. Edit the settings, then click OK.


    [Figure: Password policy settings and values]

    By default, several basic settings are displayed. To display all settings (basic and advanced), select All from the drop-down list below the Delete button.

    You can edit more than one setting before clicking OK.

    Not all settings are mandatory. You can set as few or as many policy restrictions as are necessary to meet security requirements.

    To modify a setting, select it, click Edit, then type or select a value in the Value edit box.


    [Figure: The Editing a Setting dialog box]

    If you change a value for a setting, the new value appears in the Value column and in the modified script for the password policy. To see the changes to the script, click Edit Script.

    For example, if you set the value of Maximum Number of Numeric Characters to 3, the script (available through Edit Script) displays MAXNUMERALS 3.

    By default, the settings are case sensitive. For example, "a" is a different character from "A." Even if repeating characters aren't allowed, the password AaBC is still accepted.

    The following table lists default values for basic settings:

    Setting                                          Value         Details
    Maximum number of uppercase characters           whole number  minimum zero, no upper limit
    Maximum password length                          whole number  minimum zero, no upper limit
    Minimum number of uppercase characters           whole number  minimum zero, no upper limit
    Minimum password length                          whole number  minimum zero, no upper limit
    Password must begin with an uppercase character  Yes/No        Default is No

    The following table lists default values for advanced settings:

    Setting                                            Value                Details
    Allow duplicate characters                         Yes/No               No, case insensitive. The No option doesn't
                                                                            prohibit uppercase or lowercase use of the
                                                                            same character. ABCA contains a duplicate
                                                                            character, but ABCD doesn't.
    Allow repeating characters                         Yes/No               No, case insensitive. The No option isn't
                                                                            case sensitive; therefore, it doesn't prohibit
                                                                            uppercase or lowercase of the same character.
                                                                            AABC contains a repeating character, but
                                                                            ABCA doesn't.
    Allow sequential characters                        Yes/No               No, case insensitive. The No option isn't
                                                                            case sensitive. ABCD and 1234 contain
                                                                            sequential characters, as do BDAC and 4321.
    Maximum number of lowercase characters             whole number         minimum zero, no upper limit
    Maximum number of numerals                         whole number         minimum zero, no upper limit
    Maximum number of punctuation characters           whole number         minimum zero, no upper limit
    Minimum number of lowercase characters             whole number         minimum zero, no upper limit
    Minimum number of numerals                         whole number         minimum zero, no upper limit
    Minimum number of punctuation characters           whole number         minimum zero, no upper limit. See
                                                                            Allowable Punctuation Characters.
    Password must not contain any of these characters  keyboard characters  case sensitive

    If you set a minimum and maximum option to the same number, the password contains that number of letters. If the minimum number is higher than the maximum number, you receive an error.

    Changes are saved to the script for the policy. To view changes you have made to the script, click Edit Script. Later, you can easily edit these changes by again using the Edit Script feature.

  5. Save the settings by clicking Apply.


Allowable Punctuation Characters

The following characters satisfy the punctuation setting:

Character   Character Name
~           Tilde or swung dash
!           Exclamation mark
@           At
#           Hash or pound
$           Dollar
%           Percent
^           Caret
&           Ampersand
*           Asterisk
(space)     Space
( )         Parentheses
_           Underscore
+           Plus
|           Delimiter or delimiter bar
-           Hyphen
=           Equals
\           Backward slash or backward diagonal
{ }         Braces or curly brackets
[ ]         Brackets
:           Colon
;           Semicolon
"           Quotation mark
'           Single quotation mark
<           Less than
>           Greater than
?           Question mark
/           Slash, diagonal, or slant
,           Comma
.           Period or full stop
`           Grave or accent grave mark


Using Password Policies in Scripts

Within a script, you can use a password policy to restrict a variable to the assigned security settings.

  1. Click Applications.


    [Figure: The Applications tab]

  2. Click the required application, then click Edit.


    [Figure: The Script tab]

  3. Add the following line to the top of the script:

    RestrictVariable <variable name> <password policy>

    For example, for SpinTeller.exe shown in Step 2, add

    RestrictVariable $Password PasswordPolicy2

To restrict multiple variables to a particular password policy, add multiple RestrictVariable commands.

The variable name parameter can be a normal variable (for example, $Password), or a runtime variable (for example, ?temp). This flexibility can be useful if you change a password by using a runtime variable and then set a normal variable to the value of the runtime variable.

Adding the RestrictVariable command ensures that a variable complies with the policy. The value entered is rejected if it doesn't comply with the policy set for that variable. The RestrictVariable command applies the policy specified regardless of whether the variable is being added or edited through SecureLogin administration tools or through a script that is running.

If the value being changed by a user is not accepted, a message informs the user as to why the value was rejected.

If the value is being set through the ChangePassword command being run in automatic (random) mode, the value generated will comply with the policy.

In some cases, a policy might be created where no acceptable values exist. When this occurs, an error is displayed when the ChangePassword command tries to generate a password.

If you use the SecureLogin SET command to set values, they will not be forced to comply with password policies.

For more information, see "RestrictVariable" in the Nsure SecureLogin 3.51.2 Scripting Guide.


Example Password Policy Scripts


Example 1
MAXPASSWORDLENGTH 8 
MINPASSWORDLENGTH 8
MAXPUNCTUATION 0
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0

This password policy indicates that the password must be exactly 8 characters long and contain no punctuation characters.

The password asdf4jB8 is acceptable.

The password aasdf5$n is unacceptable because it contains a punctuation character.


Example 2
MAXPASSWORDLENGTH 12 
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0
NODUPLICATECHARACTERS CASEINSENSITIVE
POSITIONCHARACTER NUMERAL 3,4,5

This password policy indicates that the password must be between 6 and 12 characters long. It can contain no more than 8 of any character type (uppercase, lowercase, numeral, or punctuation). No character can appear more than once in the password, regardless of case. A numeral must appear in at least one of positions 3, 4, or 5.

The password f54v9)_Q is acceptable.

The password f5v)_QF7 is unacceptable because it has no numeral in positions 3, 4, or 5, and the letter F occurs in positions 1 and 7.


Example 3
MAXPASSWORDLENGTH 16 
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 16
MINUPPERCASE 1
MAXLOWERCASE 16
MINLOWERCASE 0
MAXNUMERALS 16
MINNUMERALS 0
BEGINWITHUPPERCASE
DISALLOWEDCHARACTERS @&

This password policy indicates that the password must be between 6 and 16 characters long. It must contain at least one uppercase character. It can contain no more than 8 punctuation characters. It must begin with an uppercase character, and it can't contain either the @ character or the & character.

The password R48iv"? is acceptable.

The password R48?- is unacceptable because it is less than 6 characters long.
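As an added example (not SecureLogin's own code), the following Python checker parses a policy script in the directive format used by Examples 1 to 3 above and reports which directives a candidate password violates. The punctuation set is the Allowable Punctuation Characters table; the meaning given to each directive (counts, 1-based positions, case-insensitive duplicates) is an assumption drawn from the prose, not the product's implementation.

```python
# Added example, not SecureLogin's own code: parse a password policy script in
# the directive format shown on this page and check a password against it.
# How each directive is interpreted is an assumption drawn from the prose.
PUNCTUATION = set('~!@#$%^&* ()_+|-=\\{}[]:;"\'<>?/,.`')  # page's punctuation table
COUNTERS = {"UPPERCASE": str.isupper, "LOWERCASE": str.islower,
            "NUMERALS": str.isdigit, "PUNCTUATION": PUNCTUATION.__contains__}

# Example 2 and Example 3 scripts from this page (the "MIN... 0" lines are
# omitted: a minimum of zero can never fail).
EXAMPLE_2 = ("MAXPASSWORDLENGTH 12\nMINPASSWORDLENGTH 6\nMAXPUNCTUATION 8\n"
             "MAXUPPERCASE 8\nMAXLOWERCASE 8\nMAXNUMERALS 8\n"
             "NODUPLICATECHARACTERS CASEINSENSITIVE\nPOSITIONCHARACTER NUMERAL 3,4,5")
EXAMPLE_3 = ("MAXPASSWORDLENGTH 16\nMINPASSWORDLENGTH 6\nMAXPUNCTUATION 8\n"
             "MAXUPPERCASE 16\nMINUPPERCASE 1\nMAXLOWERCASE 16\nMAXNUMERALS 16\n"
             "BEGINWITHUPPERCASE\nDISALLOWEDCHARACTERS @&")

def parse_policy(script):
    """Map each directive name to its argument list (blank lines ignored)."""
    return {p[0]: p[1:] for p in map(str.split, script.splitlines()) if p}

def _count(pw, kind):
    if kind == "PASSWORDLENGTH":
        return len(pw)
    return sum(1 for c in pw if COUNTERS[kind](c))

def check_password(pw, script):
    """Return the names of violated directives; an empty list means compliant."""
    failures = []
    for name, args in parse_policy(script).items():
        if name.startswith("MAX") and _count(pw, name[3:]) > int(args[0]):
            failures.append(name)
        elif name.startswith("MIN") and _count(pw, name[3:]) < int(args[0]):
            failures.append(name)
        elif name == "NODUPLICATECHARACTERS":
            norm = pw.lower() if "CASEINSENSITIVE" in args else pw
            if len(set(norm)) != len(norm):
                failures.append(name)
        elif name == "POSITIONCHARACTER" and args[0] == "NUMERAL":
            # positions are 1-based; at least one of them must hold a numeral
            if not any(p <= len(pw) and pw[p - 1].isdigit()
                       for p in map(int, args[1].split(","))):
                failures.append(name)
        elif name == "BEGINWITHUPPERCASE" and not pw[:1].isupper():
            failures.append(name)
        elif name == "DISALLOWEDCHARACTERS" and any(c in args[0] for c in pw):
            failures.append(name)
    return failures
```

Running the page's sample passwords through it reproduces the accept/reject verdicts given for Examples 1 to 3, and the returned list names every directive a rejected password breaks rather than only the first.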


Deleting a Password Policy

  1. Select the Password Policies page.


    [Figure: The Password Policies page]

  2. Select the policy that you want to delete, click Delete, then click OK.

    In the Active Directory snap-in and SecureLogin on the desktop, you must also click Yes in the confirmation dialog box.


Distributing Password Policies

You can configure password policies at the container, OU, or User object level. Policies set at the container or OU level apply to all associated User objects or user accounts. Policies set at the User object or user account level override all higher-level policies.

For ease of maintenance in multiple-user environments, we recommend that you maintain password policies at the container or OU level.


Setting the Default Domain Policy in Active Directory

In Active Directory environments, at the domain level, make sure that the Default Domain policy allows all authenticated users to have Read rights to All Properties.

  1. Expand Active Directory Users and Computers, right-click the domain name, then click Properties.

  2. Click Group Policy > Properties, then click Security.

  3. Click Advanced.

  4. Click Authenticated Users Special, then click View/Edit.

  5. Under the Allow column, check the Read All Properties check box, then click OK.