EFT Server allows you to automatically disable or remove accounts that have been inactive for a period that you specify (1 to 365 days). The removal of accounts is captured in the Auditing and Reporting database for reporting.
Removing a user account deletes the account from the Authentication manager, but does not delete the user home folder or its contents. |
When an HS-PCI-enabled Site In EFT Administrator, a Site is similar to a virtual FTP server bound to one or more IP addresses. is created in the Site Setup wizard, the option to remove inactive user and administrator accounts after 90 days is enabled by default. If during Site setup EFT Server detects that one or more administrator accounts already exist, and that the option to remove administrator accounts after 90 days is not enabled or set to a value greater than 90 days, you are prompted to enable or change that setting.
If an EFT Server administrator attempts to login from a remote system via EFT Administrator and the password was incorrect or the username does not exist (either because it never existed or because it was removed), when you click Apply, EFT Server does not commit the change, and a warning message appears. In the message that appears, you can accept the non-compliant setting and provide a reason for using this setting (e.g., if you are using an alternate solution), or discard the change. If you accept the change and provide a reason, a warning message and the reason that you provided appear in the PCI compliance report.
Removing inactive accounts takes place by use of an internal
timer every night at midnight, at Server Startup, and each GetAllSites()
response. |
On an HS-PCI-enabled Site, if you do any of the following and the click Apply, EFT Server does not commit the change, and a warning message appears.
Disable the disable/remove inactive account option for administrators or regular users
Set the inactivity period to a value > 90 days of inactivity
Change the setting from "remove" to "disable"
In the message that appears, you can discard the change or accept the non-compliant setting and provide a reason for using this setting (e.g., if you are using an alternate solution). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance report.
To specify automatic removal or disabling of inactive user accounts
In EFT Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the user or User Setting Level you want to configure, then click the Security tab.
If the check box contains a gray check mark, the user or User Setting Level is inheriting permission from the parent level. |
Select the Disable/Remove account after <n> days of inactivity check box, click the down arrow to specify Disable or Remove, then specify the number of days. You can specify from 1 to 365 days. 90 days is the default, per PCI DSS 8.5.5.