Disabling or Locking Out an Account after a Defined Number of Incorrect Login Attempts

EFT Server can automatically disable user accounts after a specified number of incorrect login attempts over a specified time. This feature is enabled at the User Setting Level and/or per user. Once a user is disabled, you can enable the account on the Main tab of the user.

The PCI DSS (a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures) requires that you limit repeated access attempts by locking out a user after not more than six attempts, and that you set the lockout duration to thirty minutes or until an administrator enables the user account. EFT Server's Disable account after <n> invalid login attempts feature includes options to temporarily lock out an account and to specify the time frame in which login attempts are considered consecutive. If a Site is running in PCI DSS mode and you clear the Disable account after <n> invalid login attempts check box or set the maximum login attempts to a value greater than 6, a warning appears.

To disable an account after a defined number of incorrect login attempts

  1. In EFT Administrator, connect to EFT Server and click the Server tab.

  2. In the left pane, click the User Setting Level or user that you want to configure.

  3. In the right pane, click the Security tab.

  4. If the check box contains a gray check mark, the user or User Setting Level is inheriting permission from the parent level.

  5. Select the check box next to Disable/Lockout accounts, specify whether to Disable or Lockout the account, then type or select the length of time to lock out the account, the number of login attempts, and the number of minutes during which to count the incorrect logins. (A gray check box in a user account indicates that the account is inheriting parameters from the User Setting Level.)

  6. Click Apply to save the changes on EFT Server.
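The three values entered in step 5 (attempt count, counting window, and lockout length) combine into one rule: if the count of failed logins inside the window reaches the limit, the account is either locked for the configured time or disabled until an administrator re-enables it. The following Python model, added here as an illustration and not EFT Server's own code, shows that rule as a sliding window and also reproduces the PCI DSS mode warning for a limit above 6 or a lockout shorter than thirty minutes. The class and method names, and the use of plain minute counters instead of real timestamps, are assumptions made for the example.

```python
from collections import deque


class LoginLockoutPolicy:
    """Model of the Disable/Lockout rule described above (illustrative, not EFT Server code).

    max_attempts: failed logins that trigger the action (PCI DSS: at most 6)
    window_min:   minutes during which failures are counted as consecutive
    lockout_min:  minutes the account stays locked (PCI DSS: at least 30);
                  None means "Disable": locked until an administrator enables the account
    Times are plain minute counters (an assumption to keep the example self-contained).
    """

    def __init__(self, max_attempts=6, window_min=30, lockout_min=30):
        self.max_attempts = max_attempts
        self.window_min = window_min
        self.lockout_min = lockout_min
        self.failures = {}      # account -> deque of failure times inside the window
        self.locked_until = {}  # account -> minute the lockout ends (inf = disabled)

    def is_locked(self, account, now):
        """True while the account is locked or disabled; expired lockouts are cleared."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[account]  # temporary lockout has expired
            return False
        return True

    def record_failure(self, account, now):
        """Register one failed login; returns 'ok', 'locked' or 'disabled'."""
        if self.is_locked(account, now):
            return "disabled" if self.locked_until[account] == float("inf") else "locked"
        window = self.failures.setdefault(account, deque())
        window.append(now)
        # Failures older than the counting window are no longer consecutive.
        while window and now - window[0] > self.window_min:
            window.popleft()
        if len(window) >= self.max_attempts:
            window.clear()
            if self.lockout_min is None:
                self.locked_until[account] = float("inf")  # Disable
                return "disabled"
            self.locked_until[account] = now + self.lockout_min  # Lockout
            return "locked"
        return "ok"

    def record_success(self, account, now):
        """A correct password is rejected while locked; otherwise it resets the counter."""
        if self.is_locked(account, now):
            return False
        self.failures.pop(account, None)
        return True

    def admin_enable(self, account):
        """What 'enable the account on the Main tab' does: clears lockout and counter."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)

    def pci_dss_warnings(self):
        """Warnings a Site in PCI DSS mode would raise for this configuration."""
        warnings = []
        if self.max_attempts > 6:
            warnings.append("PCI DSS: lock out after not more than six attempts")
        if self.lockout_min is not None and self.lockout_min < 30:
            warnings.append("PCI DSS: lockout duration must be at least thirty minutes")
        return warnings


if __name__ == "__main__":
    # Constructed walkthrough: six bad passwords within the window, then a 30-minute lockout.
    policy = LoginLockoutPolicy()
    for minute in range(6):
        print(minute, policy.record_failure("alice", minute))
    print("login at minute 10 accepted:", policy.record_success("alice", 10))
    print("login at minute 35 accepted:", policy.record_success("alice", 35))
    print(LoginLockoutPolicy(max_attempts=10, lockout_min=5).pci_dss_warnings())
```

The window logic is what makes the "number of minutes during which to count the incorrect logins" setting matter: failures spaced further apart than the window never add up to a lockout, so a long window catches slow guessing while a short one tolerates a user who mistypes occasionally.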

Related Topics

Disconnecting Users

Enabling or Disabling a User

Enabling or Disabling a User Setting Level or User

Disabling or Removing an Administrator Account due to Repeated Incorrect Logins

Possible PCI DSS Compliance Report Outcomes