Automatically Locking User Accounts

You can automatically lock user accounts based on failed login attempts.

- Click Administration.
- In the Select Utility drop-down list, click Portal Settings.
- On the User Settings Manager page, enable account locking and specify how long failed logins are tracked, the total number of failed logins required before an account will be locked, and the number of minutes for which automatically locked accounts remain locked.

Your individual security needs will determine what settings to use for automatic account locking. For example, to meet a strength of password function rating of SOF-basic as defined in the Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005 (found at http://niap.bahialab.com/cc-scheme/cc_docs/), you might set the following values:

- Minutes to track failed Logins: 60 minutes or more
- Number of failed Login attempts allowed: 5 or fewer
- Minutes to keep user account locked: 60 minutes or more
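
The three settings interact as a small state machine, and their combined effect is the number of password guesses that are actually evaluated per day. The following Python model is an added example, not the portal's own code: it assumes a sliding tracking window, a lock applied on the Nth failure, a counter reset on successful login, and one wrong password arriving per minute; all names are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    track_minutes: int   # "Minutes to track failed Logins"
    max_failures: int    # "Number of failed Login attempts allowed"
    lock_minutes: int    # "Minutes to keep user account locked"

@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # minutes of recent failed logins
    locked_until: int = 0                           # minute at which the lock expires

def attempt(policy, state, minute, password_ok):
    """Process one login at `minute`; return "locked", "ok" or "failed"."""
    if minute < state.locked_until:
        return "locked"              # rejected before the password is checked
    if password_ok:
        state.failures.clear()       # assumption: a successful login resets the count
        return "ok"
    # Forget failures that have aged out of the tracking window.
    while state.failures and minute - state.failures[0] >= policy.track_minutes:
        state.failures.popleft()
    state.failures.append(minute)
    if len(state.failures) >= policy.max_failures:
        state.locked_until = minute + policy.lock_minutes
        state.failures.clear()
    return "failed"

def guesses_evaluated_per_day(policy):
    """Count wrong passwords actually checked when one arrives every minute for 24 h."""
    state = AccountState()
    return sum(attempt(policy, state, m, False) != "locked" for m in range(24 * 60))

# The example values listed above (60 / 5 / 60).
PAGE_EXAMPLE = LockoutPolicy(track_minutes=60, max_failures=5, lock_minutes=60)
# Constructed weak setting: 20 failures cannot fit in a 5-minute window at this
# rate, so the account never locks.
WEAK_EXAMPLE = LockoutPolicy(track_minutes=5, max_failures=20, lock_minutes=1)

if __name__ == "__main__":
    for name, p in (("page's example values", PAGE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        print(f"{name}: {guesses_evaluated_per_day(p)} guesses evaluated per day")
```

A threshold that cannot be reached inside the tracking window provides no locking at all, so review the three values together rather than one at a time.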