3.11 Configuring Intruder Detection

You can configure SSPR to protect against intruder attacks by specifying the number of consecutive login attempts a user can make. When a user exceeds that number, SSPR locks the user's account for a specified period, and the user can attempt to log in again only after this period has passed. While locked out, a user cannot recover the password by answering the challenge-response questions. Users who want the account unlocked immediately must call the helpdesk and answer the helpdesk challenge-response questions; if the answers match the configured responses, the helpdesk user resets the account on the user's behalf.

To configure the intruder lockout settings, perform the following steps:

  1. In Configuration Editor, click Settings > Intruder Detection.

  2. Configure the following settings. Each field is listed with its description:

    Intruder Record Storage Location:
      Stores the data for intruder records, either in the LDAP database or in the LocalDB. Select one of the following from the list:
      - Auto Configure: If a database is configured, data is stored in the database; otherwise, data is stored in LocalDB.
      - Database: Stores the data in the database. If the database is used, a common view of intruder status is shared across all application instances.
      - LocalDB: Stores data in the LocalDB. If LocalDB is used, intruder status is determined separately by each instance of the application.

    Intruder User Reset Time:
      Specify the time in seconds after which a user account recovers automatically from the intruder lockout. The user lockout table contains records of failed attempts to authenticate, recover a password, or activate a user account. Specify zero to disable this functionality.

    Intruder User Maximum Attempts:
      Specify the maximum number of attempts a user can make during the login process. When this value is exceeded, the user cannot perform any activities until the reset time interval has passed or a helpdesk user has reset the password. Specify zero to disable the user lockout functionality.

      NOTE: Ensure that the maximum attempts specified in this setting is always greater than the value specified in LDAP. This avoids a Denial of Service (DoS) attack.

    Intruder User Check Time:
      Specify the maximum time period between consecutive intruder attempts. When this period is exceeded, the intruder attempt count is reset to zero.

    Intruder Attribute Reset Time:
      Specify the time period, in seconds, after which a bad attempt is cleared from the lockout table. Specify zero to disable the attribute lockout functionality.

    Intruder Attribute Maximum Attempts:
      Specify the maximum number of attempts a user can make. This setting limits the number of times a user can provide an incorrect attribute value. When this value is exceeded, the user cannot perform any activities until the reset time interval has passed. Specify zero to disable this functionality.

    Intruder Attribute Check Time:
      Specify the maximum time period between consecutive attempts a user can make for the attributes. When this period is exceeded, the intruder attempt count is reset to zero.

    Intruder Token Destination Reset Time:
      Specify the time period, in seconds, after which a bad attempt is cleared from the lockout table. The attribute lockout table is marked for a user when a token is sent, and it is cleared when the token is used. Specify zero to disable the attribute lockout functionality.

    Intruder Token Destination Attempts:
      Specify the maximum number of attempts a user can make before a lockout occurs. When this value is exceeded, the user cannot perform any activities until the reset time interval has passed. Specify zero to disable the user lockout functionality.

    Intruder Token Destination Check Time:
      Specify the maximum time period between consecutive intruder attempts. When this period is exceeded, the intruder attempt count is reset to zero.

    Intruder Address Reset Time:
      Specify the time in seconds after which SSPR removes an intruder attempt from the lockout table. Specify zero to disable this functionality. The address lockout table contains records of the source IP address of users who had a failed attempt to authenticate, recover a password, or activate a user account from that address.

    Intruder Address Maximum Attempts:
      Specify the maximum number of attempts any user can make from a particular address. When this value is exceeded, no user from that address can perform any activities until the reset time interval has passed. Specify zero to disable this functionality.

    Intruder Address Check Time:
      Specify the maximum time between consecutive intruder attempts. When this period is exceeded, the intruder attempt count is reset to zero. Specify zero to disable this functionality.

    Maximum Intruder Attempts Per Session:
      Specify the maximum number of invalid password reset attempts allowed for users. When this limit is exceeded, the session is locked and the user cannot perform any more requests using that session. Specify zero to disable this functionality.

    Enable Bad Password Simulation:
      Select this check box to enable the bad password simulation process. This setting is used when a user chooses to use the forgotten password function.

  3. Click the Save icon.
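The following is an added example, not SSPR's own code, that models how the three values each intruder table exposes (Maximum Attempts, Check Time, Reset Time) interact, so that an administrator can reason about a chosen configuration before saving it. It assumes, as the section describes, that a lockout starts when the failure count exceeds Maximum Attempts, that a gap between failures longer than Check Time resets the count to zero, that a lockout clears automatically once Reset Time has elapsed, and that a helpdesk reset clears the record immediately. It also assumes that a Maximum Attempts value of zero disables lockout for that table. The tracker is keyed by an arbitrary string, so the same logic serves the per-user and per-address tables; the user names, source addresses and timestamps in the scenario are constructed.

```python
"""Simulation of intruder-lockout counters with max attempts, check time and reset time (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IntruderSettings:
    max_attempts: int  # lockout once failures exceed this value; 0 disables lockout (assumption)
    check_time: int    # seconds; a gap between failures longer than this resets the count
    reset_time: int    # seconds a lockout lasts before the record clears automatically


@dataclass
class IntruderRecord:
    attempts: int = 0
    last_attempt: float = 0.0
    locked_until: Optional[float] = None


class IntruderTracker:
    """Tracks failed attempts per key: a user name, an attribute value, a token destination or a source address."""

    def __init__(self, settings: IntruderSettings) -> None:
        self.settings = settings
        self.records: Dict[str, IntruderRecord] = {}

    def is_locked(self, key: str, now: float) -> bool:
        rec = self.records.get(key)
        if rec is None or rec.locked_until is None:
            return False
        if now >= rec.locked_until:
            del self.records[key]  # reset time has elapsed: the record recovers automatically
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Record one failed attempt at time `now` (seconds); return True if the key is now locked."""
        s = self.settings
        if s.max_attempts == 0:
            return False
        if self.is_locked(key, now):
            return True
        rec = self.records.setdefault(key, IntruderRecord())
        if rec.attempts and now - rec.last_attempt > s.check_time:
            rec.attempts = 0  # check time exceeded: start counting again from zero
        rec.attempts += 1
        rec.last_attempt = now
        if rec.attempts > s.max_attempts:
            rec.locked_until = now + s.reset_time
            return True
        return False

    def helpdesk_reset(self, key: str) -> None:
        """Clear the record immediately, as a helpdesk user does after a successful challenge-response."""
        self.records.pop(key, None)


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: user lockout, address lockout, check-time reset, auto-recovery, helpdesk reset."""
    users = IntruderTracker(IntruderSettings(max_attempts=3, check_time=60, reset_time=300))
    addresses = IntruderTracker(IntruderSettings(max_attempts=5, check_time=120, reset_time=600))
    addr = "203.0.113.10"  # constructed source address (documentation range)
    out: Dict[str, bool] = {}

    def fail(t: float, user: str, address: str) -> Tuple[bool, bool]:
        """One failed login counts against both the user table and the address table."""
        return users.record_failure(user, t), addresses.record_failure(address, t)

    # Four failures by alice within the check time: the fourth exceeds max_attempts=3.
    for t in (0, 10, 20):
        fail(t, "alice", addr)
    out["alice_locked_at_30"], _ = fail(30, "alice", addr)
    # Other users from the same address push the address counter past max_attempts=5.
    fail(40, "bob", addr)
    _, out["address_locked_at_50"] = fail(50, "carol", addr)
    # At t=400 alice's 300 s user reset time has elapsed, but the address stays locked until t=650.
    out["alice_locked_at_400"], out["address_locked_at_400"] = fail(400, "alice", addr)
    # dave fails four times, but each 100 s gap exceeds the 60 s check time, so the count keeps resetting.
    out["dave_locked"] = any(fail(t, "dave", "198.51.100.7")[0] for t in (100, 200, 300, 400))
    # eve is locked, then cleared by the helpdesk well before her reset time elapses.
    for t in (500, 501, 502, 503):
        fail(t, "eve", "198.51.100.8")
    out["eve_locked_before_helpdesk"] = users.is_locked("eve", 504)
    users.helpdesk_reset("eve")
    out["eve_locked_after_helpdesk"] = users.is_locked("eve", 505)
    return out


if __name__ == "__main__":
    for name, locked in run_scenario().items():
        print(f"{name}: {'locked' if locked else 'not locked'}")
```

Running the scenario shows why the address table needs its own, higher limit: the per-user limit protects one account, while the per-address limit stops a single source from cycling through many accounts, and its longer reset time keeps it in force after an individual user's lockout has already expired.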