The HS module provides the option to expire passwords. If you do not activate the HS module, this feature is disabled after the 30-day trial expires.
On HS-enabled Sites, users are forced to change their passwords on first use. Each day it also checks whether passwords are <n> days from expiration, and those passwords are flagged for reminders, if reminders are enabled. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.
You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT Server via the HTTP or HTTPS index page, EFT Server redirects the user to the reset page. After the user creates a new password, they are returned to the index page.
|
|
Password initial reset, expiration, and account management
features only apply to GlobalSCAPE and ODBC authentication Sites. These options are not available for AD/LDAP Sites.
Password security features all apply at EFT Server level, not to individual
accounts. |
When a password is reset, EFT Server verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:
In HTTPS and SFTP, the authentication request will be denied.
In FTP, no further FTP commands will be accepted until a new password is provided that meets complexity and password history requirements, if those features are enabled.
For High-Security Sites:
PCI DSS requirement 8.5.3 states that you should set first-time passwords to a unique value for each user and force users to change their password immediately after the first use.
PCI DSS requirement 8.5.9 states that users should change their passwords at least every 90 days.
PCI DSS requirement 8.5.8 states that you should generate unique passwords for each user. These requirements apply to both end users and administrators.
PCI DSS requirement 8.5.10 states that you should generate strong passwords. Manual entry of passwords is disallowed in the Create New User and Change Password dialog boxes; users and administrators are forced to generate complex passwords by clicking Generate, to avoid the possibility of reusing the same password.
If a Site is running in High Security mode, the warnings appear in the following situations:
If you clear the Force users to reset their passwords on initial login or Admin must reset their password at next login check box.
To configure the Site to expire passwords after a specific number of days
In the Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the Site that you want to configure.
In the right pane, click the Security tab.
The Password expiration options are only available if the Allow users to reset their passwords check box is selected. If necessary, select the check box.
Next to Password expiration options, click Configure. The Password Expiration dialog box appears.
Select the Expire passwords in <n> days check box and specify the number of days.
|
|
For HS-enabled Sites, the number of days is set by default to 90 days. If you attempt to change it to fewer than 90 days, or if you clear the check box, a warning message appears. |
If you want users to be warned that their password is about to expire, select the Remind <n> days prior to expiration check box.
Do either or both of the following:
To send an e-mail when the password is about to expire, select the Send user an e-mail prior to expiration check box.
To send an e-mail when the password has expired, select the Send user an e-mail upon expiration check box.
Click OK to close the dialog box.
Click Apply to save the changes on EFT Server.
Edit the Password Reset Messages, as desired.
