Siebel CRM Siebel Security Hardening Guide
Siebel Innovation Pack 2016
E24815-01

Implementing Password Management Policies

It is important to implement a password management policy so that only authorized users can access Siebel Business Applications. The details of the policy are likely to vary across Siebel implementations, depending on the language and character set in use in a Siebel environment, and depending on the business needs of users. However, a set of rules need to be defined, implemented, and checked each time a new password is created or modified.

Implement the password management recommendations in the following topics:

  • General Password Policies

  • Defining Rules for Password Syntax

  • About Configuring Password Hashing for Users

General Password Policies

Implement the following general password management policies:

  • Determine a password expiry period (except for the Siebel administrator).

  • Determine the number of password failures allowed before an account is locked.

  • Implement password syntax rules. See "Defining Rules for Password Syntax".

  • Implement password hashing. For additional information, see "About Configuring Password Hashing for Users".

  • Change the password of the SADMIN account regularly.

    During the Siebel Business Applications installation process, the Siebel administrator account (SADMIN) is created. You are required to specify a password for this account before you install and configure the Siebel database components. Change the password for the administrator account at regular intervals. For information on this task, see Siebel Security Guide.

  • Change the password for Siebel utilities after installation.

A number of Siebel command-line utilities can be used during the installation and configuration of Siebel Business Applications, for example:

  • srvrmgr

  • srvrcfg

  • srvredit

When starting any of these utilities, you must specify the Siebel administrator user name and password on the command line as command flags. In a Siebel deployment with high-security requirements, it is recommended that you change the Siebel administrator user name and password used for these utilities after you have completed the Siebel implementation process.

Defining Rules for Password Syntax

To make sure that the passwords in your Siebel deployment are difficult to guess and are capable of withstanding brute-force attacks, define rules for your organization relating to password syntax. It is recommended that you implement password syntax rules similar to the following:

  • The password value must not be the same as the user name.

  • Password values must include a variety of characters within the supported character set, for example:

    • Both alphabetic and numeric characters are required.

    • A special character is required, such as a symbol, an accented character, or a punctuation mark.

    • At least one uppercase and one lowercase letter is required.

    • Define illegal values, for example: no more than one space character is permitted, and no more than 2 repetitions of the same character are permitted.

  • Password values must be a minimum length, usually 8 characters.
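Because the rules above are only recommendations, the following added example (not Siebel code and not part of this guide) shows how an organization might check them in its own provisioning or self-service tooling before a password is accepted. It assumes a case-insensitive comparison with the user name, treats any non-ASCII, non-space character as "special" so that accented letters qualify, and reads "no more than 2 repetitions" as no run of the same character longer than two.

```python
"""Reference checker for the password syntax rules recommended in this section.
Added example: Siebel does not enforce these rules itself."""

MIN_LENGTH = 8   # "usually 8 characters"
MAX_SPACES = 1   # "no more than one space character is permitted"
MAX_RUN = 2      # "no more than 2 repetitions of the same character" (read as a run)


def _is_special(ch: str) -> bool:
    """Symbol, accented letter or punctuation: anything that is neither
    whitespace nor an ASCII letter/digit (our interpretation, not Siebel's)."""
    return not ch.isspace() and not (ch.isascii() and ch.isalnum())


def _longest_run(s: str) -> int:
    """Length of the longest run of one repeated character, e.g. 'aaab' -> 3."""
    longest = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def check_password(password: str, username: str) -> list[str]:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if password.casefold() == username.casefold():   # assumption: case-insensitive
        problems.append("password must not equal the user name")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs both alphabetic and numeric characters")
    if not any(_is_special(c) for c in password):
        problems.append("needs a symbol, accented character or punctuation mark")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs at least one uppercase and one lowercase letter")
    if password.count(" ") > MAX_SPACES:
        problems.append(f"more than {MAX_SPACES} space character")
    if _longest_run(password) > MAX_RUN:
        problems.append(f"a character repeated more than {MAX_RUN} times in a row")
    return problems


if __name__ == "__main__":
    # constructed sample values, not real credentials
    for user, pwd in [("sadmin", "Tr0ub4dor!x"), ("sadmin", "sadmin"), ("jdoe", "Aaaa1!bcd")]:
        print(repr(pwd), check_password(pwd, user) or "OK")
```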

In general, Siebel Business Applications do not provide support for implementing or verifying password syntax rules. However, the following options exist:

  • For the Siebel Mobile Web Client, the following options for managing the passwords of Remote clients are available:

    • Application lockout after a specified number of consecutive, unsuccessful login attempts

    • Password expiration after a defined interval

    • Password syntax check

    • User password reset by the administrator

    For information on setting these options, see Siebel Remote and Replication Manager Administration Guide.

  • Users who have previously self-registered on a Siebel customer or partner application who forget their passwords can get new passwords by clicking the Forgot Your Password? link in the login dialog box. You can configure the length (maximum and minimum characters) of the passwords generated by your Siebel application for such users. For additional information, see Siebel Security Guide.

About Configuring Password Hashing for Users

Password hashing is a critical tool for preventing unauthorized users from bypassing Siebel Business Applications and logging in to the Siebel database directly. It also prevents passwords intercepted over the network from being used to access Siebel Business Applications, because an intercepted hashed password is itself hashed when a login is attempted, leading to a failed login.

Password hashing is not enabled by default in Siebel CRM. It is recommended that you enable password hashing after installing Siebel Business Applications if appropriate for your environment.

Password hashing is enabled by setting the value of the HashUserPwd parameter to True and hashing each user password using the hashpwd.exe utility. For detailed information on enabling password hashing, see Siebel Security Guide.