Managing Password Policies

A password policy ensures that the values of variables comply with specified rules governing their composition. Although this feature is called password policies, these policies can be applied to any variable, not just password variables.

A password policy is a set of requirements or rules, such as the number of characters required for a password. To enforce security during logins, policies are applied to scripts.


Creating or Editing a Password Policy

  1. Click Password Policies.


    The Password Policies page

    The Description column displays the name of the password policy. An application icon with a down-arrow on it indicates that the policy is inherited.

    The Source column displays the distinguished name of the object that contains the password policy (the container that the policy is inherited from).

    SecureLogin enforces only new or more restrictive edited policies when a password is created or changed. SecureLogin doesn't check existing passwords to see whether they conform to new or edited policies.

  2. Click New, enter a descriptive name for the new policy, then click OK.


    Dialog box to name a policy

  3. (Conditional) If you are editing a policy, click the policy name, then click Edit.


    List of password policies

  4. Edit settings, then click OK.


    Password policy settings and values

    By default, several basic settings are displayed. To display all settings, select All from the drop-down list below the Delete button.

    You can edit more than one setting before clicking OK.

    Not all settings are mandatory. You can set as few or as many policy restrictions as are necessary to meet security requirements.

    To modify a setting, select it, click Edit, then type or select a value in the Editing a Setting text box.


    The Editing a Setting dialog box

    If you change a value for a setting, the new value appears in the Value column and in the modified script for the password policy. To see the changes to the script, click Edit Script.

    For example, if you set the value of Maximum Number of Numeric Characters to 3, the script (available through Edit Script) displays MAXNUMERALS 3.

    By default, the settings are case sensitive. For example, "a" is a different character from "A", so even if repeating characters aren't allowed, the password AaBC is still accepted.

    The following table lists default values for the settings:

    Setting                                   Default Value
    ----------------------------------------  ------------------------------------------------------------
    Disallow duplicate characters             No. ABCA contains a duplicate character, but ABCD doesn't.
    Disallow repeating characters             No. AABC contains a repeating character, but ABCA doesn't.
    Disallow sequential characters            No. ABCD contains sequential characters, but BDAC doesn't.
    Maximum number of lowercase characters    No value unless you set it.
    Maximum number of numeric characters      No value unless you set it.
    Maximum number of punctuation characters  No value unless you set it.
    Maximum number of uppercase characters    No value unless you set it.
    Maximum password length                   No value unless you set it.
    Minimum number of lowercase characters    No value unless you set it.
    Minimum number of numeric characters      No value unless you set it.
    Minimum number of punctuation characters  No value unless you set it. See Allowable Punctuation Characters.
    Minimum number of uppercase characters    No value unless you set it.
    Minimum password length                   No value unless you set it.
    Password must begin with an uppercase     No
      character
    Password must not contain any of these    No value unless you set it.
      characters

    If you set a minimum and a maximum option to the same number, the password must contain exactly that number of characters of that type. If the minimum number is higher than the maximum number, you receive an error.

    Changes are saved to the script for the policy. To view changes you have made to the script, click Edit Script. Later, you can easily edit these changes by again using the Edit Script feature.

  5. Save the settings by clicking Apply.


Allowable Punctuation Characters

The following characters satisfy the punctuation setting:

Character   Character Name
---------   ------------------------------------
~           Tilde or swung dash
!           Exclamation mark
@           At
#           Hash or pound
$           Dollar
%           Percent
^           Caret
&           Ampersand
*           Asterisk
(space)     Space
( )         Parentheses
_           Underscore
+           Plus
|           Delimiter or delimiter bar
-           Hyphen
=           Equals
\           Backward slash or backward diagonal
{ }         Braces or curly brackets
[ ]         Brackets
:           Colon
;           Semicolon
"           Quotation mark
'           Single quotation mark
<           Less than
>           Greater than
?           Question mark
/           Slash, diagonal, or slant
,           Comma
.           Period or full stop
`           Grave or accent grave mark


Using Password Policies in Scripts

You can use a password policy to restrict a variable within a script to the assigned security settings.

  1. Click Applications.


    The Applications tab

  2. Click the required application, then click Edit.


    The Script tab

  3. Add the following line to the top of the script:

    RestrictVariable <variable name> <password policy>

    For example, for SpinTeller.exe shown in Step 2, add

    RestrictVariable $Password PasswordPolicy2

To restrict multiple variables to a particular password policy, add multiple RestrictVariable commands.

The variable name parameter can be a normal variable (for example, $Password), or a runtime variable (for example, ?temp). This flexibility can be useful if you change a password by using a runtime variable and then set a normal variable to the value of the runtime variable.

Adding the RestrictVariable command ensures that a variable complies with the policy. The value entered is rejected if it doesn't comply with the policy set for that variable. The RestrictVariable command applies the policy specified regardless of whether the variable is being added or edited through SecureLogin administration tools or through a script that is running.

If the value being changed by a user is not accepted, a message informs the user as to why the value was rejected.

If the value is being set through the ChangePassword command being run in automatic (random) mode, the value generated will comply with the policy.

In some cases, a policy might be created where no acceptable values exist. When this occurs, an error is displayed when the ChangePassword command tries to generate a password.

If you use the SecureLogin SET command to set values, they will not be forced to comply with password policies.

For more information on the RestrictVariable and other commands, see the Nsure SecureLogin 3.51 Scripting Guide.


Example Password Policy Scripts


Example 1
MAXPASSWORDLENGTH 8 
MINPASSWORDLENGTH 8
MAXPUNCTUATION 0
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0

This password policy indicates that the password must be exactly 8 characters long and contain no punctuation characters.

The password asdf4jB8 is acceptable.

The password aasdf5$n is unacceptable because it contains a punctuation character.


Example 2
MAXPASSWORDLENGTH 12 
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 8
MINUPPERCASE 0
MAXLOWERCASE 8
MINLOWERCASE 0
MAXNUMERALS 8
MINNUMERALS 0
NODUPLICATECHARACTERS CASEINSENSITIVE
POSITIONCHARACTER NUMERAL 3,4,5

This password policy indicates that the password must be between 6 and 12 characters long. It can contain no more than 8 of any character type (uppercase, lowercase, numeral, or punctuation). No character can appear more than once in the password, regardless of case. A numeral must appear in at least one of positions 3, 4, or 5.

The password f54v9)_Q is acceptable.

The password f5v)_QF7 is unacceptable because it has no numeral in positions 3, 4, or 5, and the letter F occurs in positions 1 and 7 (as f and F, which count as the same character because the duplicate check is case insensitive).


Example 3
MAXPASSWORDLENGTH 16 
MINPASSWORDLENGTH 6
MAXPUNCTUATION 8
MINPUNCTUATION 0
MAXUPPERCASE 16
MINUPPERCASE 1
MAXLOWERCASE 16
MINLOWERCASE 0
MAXNUMERALS 16
MINNUMERALS 0
BEGINWITHUPPERCASE
DISALLOWEDCHARACTERS @&

This password policy indicates that the password must be between 6 and 16 characters long. It must contain at least one uppercase character. It can contain no more than 8 punctuation characters. It must begin with an uppercase character, and it can't contain either the @ character or the & character.

The password R48iv"? is acceptable.

The password R48?- is unacceptable because it is less than 6 characters long.
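To make the rules in the settings table and the three example scripts concrete, here is an added validator. It is example code written for this page, not SecureLogin's own implementation and not taken from the product's documentation. It parses the keywords that appear on this page (MAX*/MIN* counts, NODUPLICATECHARACTERS, POSITIONCHARACTER, BEGINWITHUPPERCASE, DISALLOWEDCHARACTERS) into rules, checks the page's example passwords against the page's example policies, and adds two stand-alone checks for the table's "repeating" and "sequential" settings, for which the page gives no script keyword. Assumptions: character classes are ASCII; the punctuation set is the Allowable Punctuation Characters table above; a "sequential" run means three consecutive code points; and the MIN... 0 lines are dropped from the sample scripts because a minimum of 0 imposes no constraint.

```python
import string

# Punctuation set copied from the page's "Allowable Punctuation Characters" table (space included).
PUNCTUATION = set("~!@#$%^&* ()_+|-=\\{}[]:;\"'<>?/,.`")

# Policy scripts from the page; MIN... 0 lines omitted (assumption: a minimum of 0 changes nothing).
EXAMPLE_1 = "MAXPASSWORDLENGTH 8\nMINPASSWORDLENGTH 8\nMAXPUNCTUATION 0\nMAXUPPERCASE 8\nMAXLOWERCASE 8\nMAXNUMERALS 8"
EXAMPLE_2 = ("MAXPASSWORDLENGTH 12\nMINPASSWORDLENGTH 6\nMAXPUNCTUATION 8\nMAXUPPERCASE 8\n"
             "MAXLOWERCASE 8\nMAXNUMERALS 8\nNODUPLICATECHARACTERS CASEINSENSITIVE\n"
             "POSITIONCHARACTER NUMERAL 3,4,5")
EXAMPLE_3 = ("MAXPASSWORDLENGTH 16\nMINPASSWORDLENGTH 6\nMAXPUNCTUATION 8\nMINUPPERCASE 1\n"
             "BEGINWITHUPPERCASE\nDISALLOWEDCHARACTERS @&")

# Character class -> keyword suffix used by the MIN.../MAX... lines on the page.
SUFFIX = {"UPPERCASE": "UPPERCASE", "LOWERCASE": "LOWERCASE",
          "NUMERAL": "NUMERALS", "PUNCTUATION": "PUNCTUATION"}


def classify(ch):
    """Return the character class the policy keywords refer to (ASCII assumed)."""
    if ch in string.ascii_uppercase:
        return "UPPERCASE"
    if ch in string.ascii_lowercase:
        return "LOWERCASE"
    if ch in string.digits:
        return "NUMERAL"
    return "PUNCTUATION" if ch in PUNCTUATION else "OTHER"


def parse_policy(script):
    """Turn a policy script into a dict of rules, one entry per keyword line."""
    rules = {}
    for raw in script.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        keyword, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "NODUPLICATECHARACTERS":
            rules[keyword] = arg.upper() == "CASEINSENSITIVE"  # True: compare ignoring case
        elif keyword == "POSITIONCHARACTER":  # e.g. "NUMERAL 3,4,5" (1-based positions)
            kind, positions = arg.split(None, 1)
            rules[keyword] = (kind.upper(), [int(p) for p in positions.split(",")])
        elif keyword == "DISALLOWEDCHARACTERS":
            rules[keyword] = set(arg)
        elif keyword == "BEGINWITHUPPERCASE":
            rules[keyword] = True
        else:  # MIN*/MAX* keywords take a single integer
            rules[keyword] = int(arg)
    return rules


def check_password(password, rules):
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    problems = []
    n = len(password)
    counts = {kind: sum(classify(c) == kind for c in password) for kind in SUFFIX}
    if "MINPASSWORDLENGTH" in rules and n < rules["MINPASSWORDLENGTH"]:
        problems.append("shorter than %d characters" % rules["MINPASSWORDLENGTH"])
    if "MAXPASSWORDLENGTH" in rules and n > rules["MAXPASSWORDLENGTH"]:
        problems.append("longer than %d characters" % rules["MAXPASSWORDLENGTH"])
    for kind, suffix in SUFFIX.items():
        if "MIN" + suffix in rules and counts[kind] < rules["MIN" + suffix]:
            problems.append("fewer than %d %s characters" % (rules["MIN" + suffix], kind.lower()))
        if "MAX" + suffix in rules and counts[kind] > rules["MAX" + suffix]:
            problems.append("more than %d %s characters" % (rules["MAX" + suffix], kind.lower()))
    if "NODUPLICATECHARACTERS" in rules:
        seen = password.lower() if rules["NODUPLICATECHARACTERS"] else password
        if len(set(seen)) != len(seen):
            problems.append("a character occurs more than once")
    if "POSITIONCHARACTER" in rules:  # the class must occur in at least one listed position
        kind, positions = rules["POSITIONCHARACTER"]
        if not any(p <= n and classify(password[p - 1]) == kind for p in positions):
            problems.append("no %s in positions %s" % (kind.lower(), positions))
    if rules.get("BEGINWITHUPPERCASE") and not (password and classify(password[0]) == "UPPERCASE"):
        problems.append("does not begin with an uppercase character")
    bad = rules.get("DISALLOWEDCHARACTERS", set()) & set(password)
    if bad:
        problems.append("contains disallowed character(s) %s" % "".join(sorted(bad)))
    return problems


def has_repeating(s):
    """Settings-table 'repeating characters': the same character twice in a row (AABC)."""
    return any(a == b for a, b in zip(s, s[1:]))


def has_sequential(s, run=3):
    """Settings-table 'sequential characters': consecutive code points (ABCD); run=3 is an assumption."""
    return any(all(ord(s[i + j]) == ord(s[i]) + j for j in range(run)) for i in range(len(s) - run + 1))


if __name__ == "__main__":
    for script, pw in ((EXAMPLE_1, "asdf4jB8"), (EXAMPLE_1, "aasdf5$n"), (EXAMPLE_2, "f54v9)_Q"),
                       (EXAMPLE_2, "f5v)_QF7"), (EXAMPLE_3, 'R48iv"?'), (EXAMPLE_3, "R48?-")):
        print(pw, "->", check_password(pw, parse_policy(script)) or "accepted")
```

Running the block reproduces the page's verdicts: the three acceptable passwords return an empty list, aasdf5$n fails only on punctuation, f5v)_QF7 fails on both the duplicate and the position rule, and R48?- fails only on length. Note that the validator, like SecureLogin as described above, only rejects values at the moment they are set; it does nothing about existing passwords that were stored under an older, weaker policy.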


Managing Administrative and User Settings


Setting the Default Domain Policy

At the domain level, make sure that the Default Domain policy allows all authenticated users to have Read rights to All Properties.

  1. Expand Active Directory Users and Computers, right-click the domain name, then click Properties.

  2. Click Group Policy > Properties, then click Security.

  3. Click Advanced.

  4. Click Authenticated Users Special, then click View/Edit.

  5. Under the Allow column, check the Read All Properties check box, then click OK.