For information about Globalscape, visit www.globalscape.com.
Occasionally, EFT users may want to change their passwords. You may also want them to change their password the first time they log in with the temporary password that you've assigned them. The account management page is provided (via HTTPS) for users to change their passwords without intervention from the system administrator. (You can enable the password reset page while disallowing general access to HTTP or HTTPS, but you still must provide an SSL certificate.)
The option to force password reset requires that the High Security module (HSM) is installed and activated. If the Force users to change their first-time password immediately upon first use check box is selected, users are forced to change their passwords the first time that they log in to the server. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the Change Password page (e.g., https://localhost:4439/EFTClient/Account/ChangePassword.htm). After the user creates a new password, they are returned to the index page (WTC or PTC).
(On AD/LDAP Sites, if you have enabled the "User must change password at next logon" feature in AD, you must enable (set to "on") the registry setting described in KB article 10516. If you have enabled the "User cannot change password" feature in AD, users will not be able to change their passwords.)
When a user logs in to the HTTPS index page for the first time, the user is automatically redirected to the change password page if:
The Enable account management page over HTTPS check box is selected and the user logs in with a temporary password.
The Enable account management page over HTTPS and the Redirect all plaintext HTTP traffic to HTTPS check boxes are both selected, and the user logs in with a temporary password.
The user logs in with a temporary password to the FTP port or SFTP engine. (No commands are allowed other than exiting or changing the password until the password has been changed; the user is prompted to change the password.)
An administrator logs in using a temporary password. A warning appears to prompt the administrator to supply a new password.
Note: "Temporary password" means the administrator created a password for them and selected the check box requiring them to change the password when they log in for the first time with that password.
You can configure password reset on the Site, on the Settings Template, and for each user. (The Site setting is inherited by the Settings Templates; the Settings Template setting is inherited by the users in that Settings Template.)
To configure the Site to allow or force password reset
In the administration interface, connect to EFT and click the Server tab.
On the Server tab, click the Site, Settings Template, or user account that you want to configure.
In the right pane, click the Security tab.
Select the Allow users to reset their passwords check box.
If you want users to reset their password the first time they log in to the server, select the Force users to change their first-time password immediately upon first use check box.
If you want to configure password expiration options, click Configure.
Click Apply to save the changes on EFT. Users will be prompted to change their password when they log in to the Site.
When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:
In HTTPS and SFTP, the authentication request will be denied.
In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.
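The behaviour described above (a temporary password that blocks every command except exiting or changing the password, a new password that must pass complexity and history checks before the session may continue) can be modelled as a small policy check. The following is an added illustrative example, not Globalscape's or EFT's code: the minimum length, the three-character-class rule, the history depth of four, and the 90-day maximum age (the PCI DSS figure cited later on this page) are assumptions chosen for the example, and the command names and account structure are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy thresholds: assumptions for this example, not EFT defaults.
MIN_LENGTH = 12
HISTORY_DEPTH = 4                 # previous password hashes remembered
MAX_AGE = timedelta(days=90)      # rotation interval taken from the PCI DSS text on the page
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only hashes are kept, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool                  # set when an admin assigns a temporary password
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def create_account(username: str, temp_password: str, now: datetime) -> Account:
    """An admin-created account starts with a temporary password that must be changed."""
    salt, digest = hash_password(temp_password)
    return Account(username, salt, digest, True, now)


def meets_complexity(password: str) -> bool:
    """Length plus at least three character classes (the page only says 'complexity criteria')."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and sum(bool(re.search(c, password)) for c in classes) >= 3


def in_history(account: Account, password: str) -> bool:
    """True if the candidate equals the current password or any remembered previous one."""
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def password_expired(account: Account, now: datetime) -> bool:
    return now - account.changed_at >= MAX_AGE


def command_allowed(account: Account, command: str, now: datetime) -> bool:
    """While a reset is pending, only exiting or changing the password is accepted."""
    if account.must_change or password_expired(account, now):
        return command in {"QUIT", "CHANGE_PASSWORD"}
    return True


def change_password(account: Account, old_password: str, new_password: str, now: datetime) -> str:
    """Apply a reset; returns a status string so a caller can report the reason for refusal."""
    if not hmac.compare_digest(hash_password(old_password, account.salt)[1], account.digest):
        return "denied: current password incorrect"
    if not meets_complexity(new_password):
        return "rejected: complexity"
    if in_history(account, new_password):
        return "rejected: history"
    # Retire the current hash into the history window, then store the new one.
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(new_password)
    account.must_change = False
    account.changed_at = now
    return "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    acct = create_account("alice", "Temp-Pass-2024!", now)   # constructed sample values
    print(command_allowed(acct, "LIST", now))                 # False: reset still pending
    print(change_password(acct, "Temp-Pass-2024!", "Str0ng-NewPass#1", now))
    print(command_allowed(acct, "LIST", now))                 # True after the reset
```

The history check rehashes the candidate under each stored salt, so reuse is detected without ever storing old passwords in clear; the expiry check reuses the same gate as the forced first-login change, so an expired password restricts the session in the same way a temporary one does.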
For Sites defined using the "strict security settings" option:
PCI DSS requirement 8.5.3 states that you should set first-time passwords to a unique value for each user and force users to change their password immediately after the first use.
PCI DSS requirement 8.5.9 states that users should change their passwords at least every 90 days.
PCI DSS requirement 8.5.8 states that you should generate unique passwords for each user. These requirements apply to both end users and administrators.
PCI DSS requirement 8.5.10 states that you should generate strong passwords. Manual entry of passwords is disallowed in the Create New User and Change Password dialog boxes; users and administrators are forced to generate complex passwords by clicking Generate, to avoid the possibility of reusing the same password.
If a Site is running in PCI DSS Compliance mode, warnings appear in the following situations:
If you clear the Force users to change their first-time password immediately upon first use or Admin must reset their password after first login check box.
If you clear the Allow users to reset their password check box.
If you disable account management over HTTPS, and the Force users to change their first-time password immediately upon first use or Expire passwords in <n> days check boxes are enabled.
If you clear the Force users to change their first-time password immediately upon first use or clear the Enable account management page over HTTPS check boxes.