EFT allows you to automatically disable or remove accounts that have been inactive for a period that you specify (1 to 365 days). You can set account security on the Site, Settings Template, and per user. The deletion of accounts is captured in the Auditing and Reporting database for reporting.
When a high security-enabled Site is created in the Site Setup wizard, the option to delete inactive user and administrator accounts after 90 days is enabled by default. If during Site setup EFT detects that one or more administrator accounts already exist, and that the option to delete administrator accounts after 90 days is not enabled or set to a value greater than 90 days, you are prompted to enable or change that setting.
If a Server administrator attempts to login from a remote system via the administration interface and the password was incorrect or the username does not exist (either because it never existed or because it was removed), when you click Apply, EFT does not commit the change, and a warning message appears. In the message that appears, you can accept the non-compliant setting and provide a reason for using this setting (for example, if you are using an alternate solution), or discard the change. If you accept the change and provide a reason, a warning message and the reason that you provided appear in the PCI DSS Compliance report.
- Deleting a user account deletes the account from the authentication manager, but does not delete the user's home folder or its contents.
- EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.
- Any transition from a non-PCI DSS compliant state to a PCI DSS compliant state, or a change in any date-sensitive value, will reset all data value calculations. For example, on a high security-enabled Site, if the administrator disables Remove inactive administrator accounts after 90 days, clicks Apply, and then immediately decides to re-enable that option, the date values for all administrator accounts are reset from the time the option is enabled, even if the last login dates for those administrators was <n> days ago. The same reset also occurs if you change the password reset period from 30 days to 60 days; that is, the change itself prompts a reset of all the time-based values for that feature.
To specify automatic deletion or disabling of inactive user accounts
In the administration interface, connect to EFT and click the Server tab.
On the Server tab, click the Site, Settings Template, or user account that you want to configure, and then click the Security tab.
In the Account Security area, select the Disable/Remove account after <n> days of inactivity check box.
Click the list to specify Disable or Remove.
Specify the number of days of inactivity after which the account is deleted or disabled. You can specify from 1 to 365 days. 90 days is the default, per PCI DSS 8.5.5.
Click Apply to save the changes on EFT.
On a high security-enabled Site, if you do any of the following and then click Apply, EFT does not commit the change, and a warning message appears.
Disable the disable/remove inactive account option for administrators or regular users
Set the inactivity period to a value > 90 days of inactivity
Change the setting from "remove" to "disable"
In the message that appears, you can discard the change or accept the non-compliant setting and provide a reason for using this setting (for example, if you are using an alternate solution). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance report.