EFT Server's HS-PCI module provides a method for resetting the password via FTP and SFTP. FTP (File Transfer Protocol) is a protocol used for exchanging files over any network that supports TCP/IP, such as the Internet or an intranet; FTP servers by default listen on port 21 for incoming connections from FTP clients. SFTP (Secure File Transfer Protocol) is a network protocol designed by the IETF to provide secure file transfer and manipulation facilities over the secure shell (SSH) protocol. If you do not activate the HS-PCI module, this feature is disabled after the 30-day trial period expires.
On HS-PCI-enabled Sites, passwords are set by default to expire in 90 days.
EFT Server checks all accounts for expired passwords daily at midnight, as well as at Server Startup and each GetAllSites() response. Each day it also checks whether passwords are <n> days from expiration, and those passwords are flagged for reminders, if reminders are enabled. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.
If a user with an expired password logs in over FTP, the user is prompted that the password is expired and must be reset. Until the password is successfully changed, EFT Server will not process any commands other than changing the password or exiting. If a user with an expired password logs in over SFTP, the user is forced to reset the password before continuing with the login process.
Password initial reset, expiration, and account management features only apply to GlobalSCAPE and ODBC authentication sites. These options are not available if other authentication types (AD, LDAP, etc.) are used. Password security features all apply to the Server, not to individual accounts.
To expire a password after <n> days
In EFT Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the user or User Setting Level you want to configure, then click the Security tab.
Select the Allows users to reset their passwords check box, then click Advanced.
To expire the password after a certain number of days, select the Expire passwords in check box, then specify the number of days.
Click Apply to save the changes on EFT Server.
If reminders are enabled in EFT Administrator, users are prompted when their account passwords are about to expire and after the account is expired.
The text of the password expired message, below, is stored by default in C:\Program Files\GlobalSCAPE\EFT\PasswordResetMsg.html.
%full_name%,
The password for account: %username% has expired. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience:
1. Please enter the following URL into your browser: %reset_page%
2. Supply your current password when prompted
3. Enter your new password and confirm
4. If approved, exit the browser and login as normal.
The text of the password expiration reminder message, below, is stored by default in C:\Program Files\GlobalSCAPE\EFT\PasswordResetReminderMsg.html.
%full_name%,
The password for account: %username% will expire in %days_left% days. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience:
1. Please enter the following URL into your browser: %reset_page%
2. Supply your current password when prompted
3. Enter your new password and confirm
4. If approved, exit the browser and login as normal.
You can edit the HTML file for the password messages; however, be sure not to change the variables, which are enclosed in percent signs (%text%).
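One way to check an edited message file before putting it back on the server, as an added example (not GlobalSCAPE code): it reports variables that are missing, renamed, or damaged by stray whitespace. The required variable sets are an assumption taken from the default message text shown above, and the sample HTML is constructed.

```python
import re

# Assumption: the variables each message needs are exactly those that
# appear in the default text shown on this page.
REQUIRED = {
    "PasswordResetMsg.html": {"full_name", "username", "reset_page"},
    "PasswordResetReminderMsg.html": {"full_name", "username",
                                      "reset_page", "days_left"},
}
TOKEN = re.compile(r"%([a-z_]+)%")           # well-formed %name%
DAMAGED = re.compile(r"%\s*[a-z_]+\s*%")     # what is left once TOKENs are gone


def check_template(filename, html):
    """Return the problems found in an edited password message template."""
    found = set(TOKEN.findall(html))
    required = REQUIRED[filename]
    # Blank out well-formed variables so only broken ones can still match.
    remainder = TOKEN.sub(" ", html)
    return {
        "missing": sorted(required - found),   # would not be substituted
        "unknown": sorted(found - required),   # renamed or invented variable
        "damaged": DAMAGED.findall(remainder), # e.g. space inside the % signs
    }


# Constructed sample: an edited reminder message in which one variable
# picked up a stray space and another was renamed.
SAMPLE = """<html><body>
<p>% full_name%,</p>
<p>The password for account: %username% will expire in %days% days.</p>
<p>Reset it here: %reset_page%</p>
</body></html>"""

if __name__ == "__main__":
    report = check_template("PasswordResetReminderMsg.html", SAMPLE)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

An empty list for all three keys means every expected variable survived the edit unchanged.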
The account is not disabled; users with expired passwords may log in if they provide their existing password and then the new password. Users are not allowed to proceed with their session until a password is created and accepted by the system.
In HTTP/S and SFTP, the authentication request will be denied.
In FTP, no further FTP commands will be accepted until the new password is provided and meets any complexity and reuse requirements.
If Expire password in N days is enabled, /manageaccount and the reset page are enabled, the password has expired, and the user logs in with an expired password, EFT Server automatically redirects the authenticated user to the reset page. (In HTTPS, the user is redirected to the reset page on the HTTPS port.)
When resetting passwords, all password complexity requirements, reuse history, and cyclical password-use checks apply, if those settings are enabled in EFT Administrator.
On a HS-PCI-enabled Site, a warning message appears in the following situations:
If the Expire passwords check box is selected, the account management / reset page is enabled, the password has expired, and the user logs in with an expired password. If the user logs in with an expired password to the FTP port, no commands are allowed other than exiting or changing the password until the password has been changed; a prompt appears to remind the user to change the password.
If the Expire passwords check box is selected and an administrator logs in using an expired password, a warning appears to prompt the administrator to supply a new password.
If the Expire passwords check box is selected and a user logs in to the HTTP/S index page when their password is <n> days from the expiration period (<n> being the value set in the Remind users box), a prompt appears to remind the user to change the password.
If you clear the Disallow password reuse check box or set the expiration value to a number greater than 90.
If you disable account management over HTTPS, and the Expire passwords after <n> days check box is enabled.
If you clear the Expire passwords after <n> days check box, users for whom HTTPS login is enabled can change passwords over a dedicated HTTP/S account management page located at /manageaccount, which is a reserved path name on EFT Server.