3.5 Configuring Intruder Detection

Self Service Password Reset contains a built-in intruder detection system that is independent of any intruder detection your LDAP directory provides. Because Self Service Password Reset can be exposed directly to the internet, this additional layer of detection helps protect against direct attacks on the application. Self Service Password Reset always honors the internal intruder detection of the LDAP directory, if it is enabled there.

This intruder detection system is not designed to catch individual human intruders; it is designed to stop robotic or automated attacks. Set the triggers high enough that normal user behavior does not cause an application-level intruder lockout. The help desk or an administrator cannot unlock an account that this intruder detection has locked; the lock clears when the configured reset time passes.

To configure the intruder lockout settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Intruder Detection > Intruder Settings.

  5. Configure the following settings:

    Enable Intruder Detection

    Enable the Self Service Password Reset intruder detection system. Your LDAP directory intruder detection settings function independently of this setting.

    Intruder Record Storage Location

    Select where to store the data for intruder records. Select one of the following from the list:

    • Database: Stores the data in the external database. All application instances share a common view of intruder status, so a lockout recorded by one instance applies to all of them.

    • LocalDB: Stores the data in the local database. With the local database, each instance of the application determines intruder status independently, so a lockout recorded by one instance is not visible to the others.

    Enable Bad Password Simulation

    Enable this option to have Bad Password Simulation occur when a user supplies information in a forgotten password field. When an identified user attempts to recover a forgotten password but supplies incorrect data, the application attempts to authenticate to the directory using a known bad password value. This allows the LDAP directory to trigger its own defense mechanisms against intruders for that account.

  6. Click Settings > Intruder Detection > Intruder Timeouts.

  7. Configure the following settings:

    Intruder User Reset Time

    Specify the time in seconds after which a user account recovers automatically from the intruder lockout. The user lockout table records each failed attempt to authenticate, recover a password, or activate a user account.

    The default value is 1800 seconds or 30 minutes. Specify 0 if you want to disable the user lockout functionality.

    Intruder User Maximum Attempts

    Specify the maximum number of attempts a user can make during the login process. When a user exceeds this value, the user cannot perform any activities until the reset time interval has passed or a help desk user has reset the password.

    The default value is 10 attempts. Specify 0 if you want to disable the user lockout functionality.

    NOTE: Ensure that the maximum attempts specified in this setting is always greater than the value specified in the LDAP directory, so that the directory's own intruder lockout triggers before the application-level lockout. This avoids denial of service (DoS) attacks.

    Intruder User Check Time

    Specify the maximum time period, in seconds, between intruder attempts. When a user's next attempt arrives after this period has passed, the intruder attempt count is reset to zero. The default value is 300 seconds or 5 minutes.

    Intruder Attribute Reset Time

    Specify the time period, in seconds, after which Self Service Password Reset clears a bad attempt from the lockout table.

    The default value is 1800 seconds or 30 minutes. Specify 0 to disable the attribute lockout functionality.

    Intruder Attribute Maximum Attempts

    Specify the maximum number of attempts a user can make. Self Service Password Reset uses this setting to limit the number of times a user can provide incorrect attribute values. When a user exceeds this value, the user cannot perform any activities until the reset time interval has passed.

    The default value is 10 attempts. Specify 0 if you want to disable the attribute lockout functionality.

    Intruder Attribute Check Time

    Specify the maximum time period, in seconds, between attempts a user can make for the attributes. When a user's next attempt arrives after this period has passed, Self Service Password Reset resets the intruder attempt count to zero. The default value is 300 seconds or 5 minutes.

    Intruder Token Destination Reset Time

    Specify the time period (in seconds) after which a bad attempt is cleared from the lockout table. The token destination lockout table is marked for a destination when a token is sent, and the entry is cleared when the token is used.

    The default value is 1800 seconds or 30 minutes. Specify 0 to disable the token destination lockout functionality.

    Intruder Token Destination Attempts

    Specify the maximum number of attempts a user can make against a token destination before a lockout occurs. When this value is exceeded, the user cannot perform any activities until the reset time interval has passed.

    The default value is 10 attempts. Specify 0 to disable the token destination lockout functionality.

    Intruder Token Destination Check Time

    Specify the maximum time period between intruder attempts. When this period is exceeded, the intruder attempt count is reset to zero. The default value is 300 seconds or 5 minutes.

    Intruder Address Reset Time

    Specify the time in seconds after which Self Service Password Reset removes an intruder attempt from the lockout table. The default value is 1800 seconds or 30 minutes. Specify 0 if you want to disable the lockout functionality.

    The address lockout table records the source IP address of each failed attempt to authenticate, recover a password, or activate a user account.

    Intruder Address Maximum Attempts

    Specify the maximum number of attempts any user can make from a particular source address. When this value is exceeded, no user from that address can perform any activities until the reset time interval has passed.

    The default is 30 attempts. Specify 0 if you want to disable the address lockout functionality.

    Intruder Address Check Time

    Specify the maximum time between each intruder attempt. When this period is exceeded, the intruder attempt count is reset to zero.

    The default is 300 seconds or 5 minutes. Specify 0 if you want to disable the address lockout functionality.

    Maximum Intruder Attempts Per Session

    Specify the maximum number of invalid password reset attempts allowed in a single session. When this limit is exceeded, the session is locked and the user cannot perform any more requests using that session.

    The default is 8 attempts. Specify 0 to disable the session lockout functionality.

  8. In the toolbar, click Save changes.
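The eight steps above set the same three parameters (Maximum Attempts, Check Time, Reset Time) for each of the lockout tables, and the NOTE under Intruder User Maximum Attempts asks for a particular ordering relative to the LDAP directory's threshold. The following Python model is an added example, not Self Service Password Reset's own code: it implements those three parameters with the semantics the section gives them so that the effect of the default values and of the threshold ordering can be checked. The class names, the `alice` key, and the directory's plain counter in `first_to_lock` are constructed for illustration.

```python
"""Illustrative model of the intruder-detection counters described above (added example).

Each lockout table in the section shares three knobs, modelled here as the text describes:
  Maximum Attempts - a failure that pushes the count above this value locks the key; 0 disables
  Check Time       - a failure arriving more than this many seconds after the previous one
                     restarts the count from zero
  Reset Time       - a lock clears on its own this many seconds after it was set
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IntruderPolicy:
    max_attempts: int  # 0 disables the table
    check_time: int    # seconds
    reset_time: int    # seconds


@dataclass
class IntruderRecord:
    count: int = 0
    last_attempt: float = 0.0
    locked_at: Optional[float] = None


class IntruderTable:
    """One lockout table; `key` is a user ID, attribute value, token destination or IP."""

    def __init__(self, policy: IntruderPolicy) -> None:
        self.policy = policy
        self.records: dict[str, IntruderRecord] = {}

    def is_locked(self, key: str, now: float) -> bool:
        rec = self.records.get(key)
        if rec is None or rec.locked_at is None:
            return False
        if now - rec.locked_at >= self.policy.reset_time:
            del self.records[key]          # Reset Time elapsed: the lock expires by itself
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Register one failed attempt at time `now`; return True if `key` is now locked."""
        if self.policy.max_attempts == 0:  # table disabled
            return False
        if self.is_locked(key, now):
            return True
        rec = self.records.setdefault(key, IntruderRecord())
        if rec.count and now - rec.last_attempt > self.policy.check_time:
            rec.count = 0                  # Check Time exceeded: count restarts
        rec.count += 1
        rec.last_attempt = now
        if rec.count > self.policy.max_attempts:
            rec.locked_at = now
            return True
        return False


# Defaults from the section: user table 10 attempts, address table 30, both 300 s / 1800 s
USER_DEFAULT = IntruderPolicy(max_attempts=10, check_time=300, reset_time=1800)
ADDRESS_DEFAULT = IntruderPolicy(max_attempts=30, check_time=300, reset_time=1800)


def failures_until_locked(policy: IntruderPolicy, spacing: float, limit: int = 1000) -> Optional[int]:
    """Failures `spacing` seconds apart needed to lock one key; None if not within `limit`."""
    table = IntruderTable(policy)
    for n in range(1, limit + 1):
        if table.record_failure("alice", now=(n - 1) * spacing):
            return n
    return None


def lock_lifetime(policy: IntruderPolicy) -> float:
    """Seconds from the moment a key locks until the table accepts it again."""
    table = IntruderTable(policy)
    t = 0.0
    while not table.record_failure("alice", t):
        t += 1.0
    locked_at = t
    while table.is_locked("alice", t):
        t += 1.0
    return t - locked_at


def first_to_lock(sspr_max: int, ldap_max: int) -> str:
    """Which layer locks first when every bad password also reaches the directory.

    The directory is a constructed plain counter, not a real LDAP intruder policy.
    """
    sspr = IntruderTable(IntruderPolicy(sspr_max, check_time=300, reset_time=1800))
    ldap_failures = 0
    for n in range(sspr_max + ldap_max + 2):
        ldap_failures += 1
        if ldap_failures > ldap_max:
            return "ldap"                  # directory lock, which the help desk can clear
        if sspr.record_failure("alice", now=float(n)):
            return "sspr"                  # application lock, which waits out Reset Time
    return "none"
```

With the defaults, the 11th rapid failure locks the user record and the 31st locks the address record, but a client that spaces its failures more than 300 seconds apart never accumulates a count, which is why the address and per-session limits exist alongside the per-user one. The lock itself lasts exactly the Reset Time, 1800 seconds, with no manual unlock path in the model, matching the behavior the section describes. `first_to_lock(10, 5)` returns `"ldap"` while `first_to_lock(3, 5)` returns `"sspr"`, which is the ordering the NOTE guards against.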