EFT Server can automatically disable or lockout user accounts after a specified number of bad password login attempts over a specified time. This feature can be enabled for a Site, Settings Template, and/or per user. Once an account is disabled, you can re-enable the account on the General tab of the user.
The PCI DSS requires that you should limit repeated access attempts by locking out a user after not more than six attempts and that you should set the lockout duration to thirty minutes or until administrator enables the user account. If a Site is running in PCI DSS mode and you clear the Disable/Lockout check box or set the maximum login attempts to a value greater than 6, a warning appears. |
To disable or lockout an account after a defined number of incorrect login attempts
In the administration interface, connect to EFT Server and click the Server tab.
In the left pane, click the Site that you want to configure.
In the right pane, click the Security tab.
In the Password Security area, next to Invalid login options, click Configure. The Login Security Options dialog box appears.
Select the check box next to Lockout, then specify the following:
Whether to Disable or Lockout the account
Number of minutes to lock out the account (30 minutes is the default)
Number of invalid login (bad password) attempts after which to disable or lock out the account (6 attempts is the default)
Number of minutes during which to count the invalid login attempts (1 minute is the default)
Click OK to save the changes and close the dialog box.
Click Apply to save the changes on EFT Server.
Banning an IP Address that Uses an Invalid Account
Enabling or Disabling a Settings Template or User
Disabling or Removing an Administrator Account due to Repeated Incorrect Logins