CDE Security Options Assignment

Purpose:

This form allows customized control over Maintenance Terminal and DISA security features. Proper programming of this form, the Login Banner Assignment form and the User Authorization Profile form is required to meet MLPP security requirements.

Conditions

Field Descriptions

Each field below gives the parameter name with its permitted range, a description, and the default value.

DISA Parameters

DISA Failed Attempts Before Lock-Out (3-255 attempts)
    Enter the number of failed attempts that are permitted on a DISA number before it goes into DND mode. The number of attempts can be set between 3 and 255. This parameter can also be configured on the System Options form.
    Default: 3

DISA Number Lock-Out Timer (0-15 minutes)
    If the system records a number of failed attempts greater than the number specified in the DISA Failed Attempts Before Lock-Out field, the DISA number being accessed goes into DND mode. The duration of DND mode can be set between 0 and 15 minutes. This parameter can also be configured on the System Options form.
    Default: 15 minutes

Maintenance Terminal Lock-Out Parameters

Failed Attempts Before Port Lock-Out (3-16)
    Enter the number of unsuccessful login attempts an administrative user can make before a Maintenance Terminal port is locked to ALL administrators.
    Default: 3

Number of Port Lock-Outs Before Raising Security Alarm (1-5)
    Enter the number of port lock-outs that can occur before the system raises a security alarm.
    Default: 3

Port Lock-Out Duration (1-255 minutes)
    The length of time that a Maintenance Terminal port remains out of service after being locked out. Locking out disables softkey #1 on the Maintenance Terminal and SUPERSET 700 console. Locking out also disables telnet logins to the Maintenance Terminal, and SUPERCONSOLE 1000 CDE/Maintenance Terminal logins via the Application Softkey.
    Default: 1 minute

Maintenance Terminal Logout Parameters

Auto Logout Timer (10-255 minutes)
    On a maintenance terminal, if the user has been inactive for the programmed amount of time, the user is logged out. The Auto Logout timer can be set between 10 and 255 minutes. This feature is always active. The timer is not carried over an activity switch.
    Default: 15 minutes

Clear Screen After Logout (Yes/No)
    Use this field to specify whether or not the maintenance terminal screen is cleared (made blank) after logout.
    Default: No

Miscellaneous Options

Database Access Inactivity Timer (1-60 minutes)
    If a Database Access Application (e.g., PMS, Maintenance Terminals, Attendant Consoles) does not complete an operation within the specified time, access to the database is released. Changes made to the database that have not yet been committed are not saved. The system can be set to time out after a period of inactivity from 1 to 60 minutes. After a time out, software logs are generated to indicate when the timer expired, who was using the database at that time, and when an application was denied access because the database was already in use.
    Default: 30 minutes

Password Expiry Warning Indication (1-14 days)
    Enter the number of days notice (1 to 14) that administrators are given before their passwords expire. The system displays the warning message in the Command/Response area of the terminal when the administrator logs in.
    Default: 7 days

Enhanced Login Security Options

Enhanced Login Security Enabled (Yes/No)
    Enter "Yes" to enable the Enhanced Login Security (ELS) options for the system. Some of the options are programmable (see the fields below); others are non-programmable (see the next table).
    Default: No

Account Inactivity Timer (30-90 days)
    Enter the length of time that an administrative account can remain unused before being disabled. An administrator with a higher authorization level can re-enable the account by entering the RESET PASSWORD command, or by setting the Admin Enabled field to "Y" on the User Authorization Profile form.
    Note: This option does not apply to the SYSTEM administrator.
    Default: 30 days

Default Password Expiry Interval (20-90 days)
    Enter the number of days (20 to 90) that elapse between the creation of a password and its expiry. To enable login, an expired password must be changed by its owner or reset by an administrator with a higher authorization level (see the CHANGE PASSWORD and RESET PASSWORD maintenance commands).
    Note: This option applies system-wide, and can be overridden on a per-user basis in the User Authorization Profile form.
    Default: 59 days

Minimum Password Length (1-8 digits)
    Enter the minimum length of system passwords. If Enhanced Login Security is enabled, the minimum password length ranges from 6 to 8 digits. Otherwise, the minimum password length ranges from 1 to 8 digits.
    Default: 8 digits

Number of Old Passwords Saved (1-8)
    Enter the number of "old" passwords that are saved for each administrator. Old passwords cannot be reused.
    Default: 5

Password Change Waiting Period (1-20 days)
    Enter the minimum period of time administrators must wait before changing their passwords. This waiting period discourages the reuse of current or favorite passwords.
    Note: This option does not apply to default passwords, which can be changed immediately.
    Default: 20 days
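As an added example (not code from the Mitel system or its documentation), a small Python model of the lock-out and alarm counters programmed above, so an administrator can see which sequence of failed logins takes a Maintenance Terminal port through lock-out to a security alarm under a given setting. The same model covers the DISA Failed Attempts/Lock-Out Timer pair, which has no alarm threshold on this form. The counter semantics (attempts during a lock-out are not counted, a successful login clears the failure count, lock-outs accumulate without decay) are assumptions; the form does not state them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    """Thresholds as programmed on the CDE Security Options Assignment form."""
    failed_attempts_before_lockout: int    # Maintenance Terminal port: 3-16; DISA: 3-255
    lockout_minutes: int                   # Port Lock-Out Duration 1-255; DISA timer 0-15
    lockouts_before_alarm: Optional[int]   # 1-5 for the port; None for DISA (no alarm field)

@dataclass
class PortState:
    failed: int = 0               # failures since the last lock-out or successful login
    lockouts: int = 0             # lock-outs so far (assumed to accumulate without decay)
    locked_until: int = 0         # minute at which the port returns to service
    alarm_at: Optional[int] = None
    rejected: List[int] = field(default_factory=list)  # attempts made while out of service

def apply_event(policy: LockoutPolicy, state: PortState, minute: int, success: bool) -> PortState:
    """Feed one login attempt through the policy. Assumed semantics (not stated on the
    form): attempts during a lock-out are refused and not counted, a successful login
    clears the failure counter, and the lock-out counter only ever increases."""
    if minute < state.locked_until:
        state.rejected.append(minute)
        return state
    if success:
        state.failed = 0
        return state
    state.failed += 1
    if state.failed >= policy.failed_attempts_before_lockout:
        state.failed = 0
        state.lockouts += 1
        state.locked_until = minute + policy.lockout_minutes
        if (policy.lockouts_before_alarm is not None and state.alarm_at is None
                and state.lockouts >= policy.lockouts_before_alarm):
            state.alarm_at = minute          # security alarm raised on this attempt
    return state

def replay(policy: LockoutPolicy, events: List[Tuple[int, bool]]) -> PortState:
    """Run a sequence of (minute, success) attempts and return the final port state."""
    state = PortState()
    for minute, success in events:
        apply_event(policy, state, minute, success)
    return state

# Form defaults for the Maintenance Terminal port: 3 attempts, 1 minute, alarm after 3 lock-outs.
DEFAULT_PORT_POLICY = LockoutPolicy(3, 1, 3)
DEFAULT_DISA_POLICY = LockoutPolicy(3, 15, None)   # DISA defaults: 3 attempts, 15 min DND, no alarm field
# Constructed sample: bursts of four failed logins at minutes 0, 2 and 4.
SAMPLE_EVENTS = [(m, False) for m in (0, 2, 4) for _ in range(4)]
```

With the defaults, the third burst triggers the third lock-out and therefore the security alarm at minute 4, while under the DISA defaults the first lock-out alone keeps the number in DND for the whole sample.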

Security Functions and Features - ELS Enabled/Disabled

Each function or feature below lists the behaviour with Enhanced Login Security enabled, then with it disabled.

Minimum password length
    ELS enabled: Programmable: 6 to 8 characters
    ELS disabled: Programmable: 1 to 8 characters

Account Inactivity Timer
    ELS enabled: Programmable: 30 to 90 days
    ELS disabled: No

Number of Old Passwords Saved
    ELS enabled: Programmable: 1 to 8
    ELS disabled: No

Password Change Waiting Period
    ELS enabled: Programmable: 1 to 20 days
    ELS disabled: No

Strict password content
    ELS enabled: Passwords must contain at least one numeric character, one special character, one upper case character, and one lower case character. Passwords are case sensitive and cannot contain the username, spaces, or repeating characters (such as "aaa").
    ELS disabled: Passwords are case sensitive and cannot contain spaces.

Password echo on Maintenance Terminal, SUPERSET 700, and telnet session
    ELS enabled: Displays blank spaces
    ELS disabled: Displays blank spaces

Password echo on SUPERCONSOLE 1000
    ELS enabled: Displays stars (*)
    ELS disabled: Displays plain text

System response to use of default username or password
    ELS enabled: The system raises a security alarm (based on alarm threshold programming), displays a warning message, and prevents the user from logging in. To enable login, a new secure username and password must be programmed. (See Usernames and Passwords for details.)
    ELS disabled: The system raises a security alarm, displays a warning message, and allows the user to log in.

System response to use of expired password
    ELS enabled: The system displays a warning message and prevents the user from logging in. The expired password must be changed by its owner or reset by an administrator with a higher authorization level.
    ELS disabled: The system displays a warning message and allows the user to log in.

Support for multiple maintenance sessions (maximum four telnet and one RS-232)
    ELS enabled: Multiple sessions are supported. To log in, users must have a higher authorization level than the user who logged in first.
    ELS disabled: Multiple sessions are supported. All users can log in, and are assigned the same authorization level as the user who logged in first.

System response to maintenance commands entered by a user who is not logged in
    ELS enabled: The user is prevented from executing commands. A warning message displays.
    ELS disabled: The user can traverse the command graph but is prevented from executing complete commands.

Support for multiple users with INSTALLER, MAINTENANCE1, or MAINTENANCE2 privileges
    ELS enabled: Yes
    ELS disabled: Yes

Accounts can be enabled and disabled
    ELS enabled: Yes. Accounts can be enabled or disabled in the User Authorization Profile form, or disabled when the Account Inactivity Timer expires.
    ELS disabled: No. Accounts are always enabled.

Display Usernames (DISP U) maintenance command output
    ELS enabled: All fields enabled.
    ELS disabled: User Enabled field displays YES for all users.

Security-related events recorded to a separate log file
    ELS enabled: Yes
    ELS disabled: Yes

Telnet and consoles are locked out when the failed login attempts threshold is passed
    ELS enabled: Yes
    ELS disabled: Yes
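As an added example, not code from the Mitel system, the strict password content rules from the ELS Enabled column, the ELS-dependent range of the Minimum Password Length field, and the Password Change Waiting Period rule, written as a checker an administrator could run before entering a new password. Interpretations the form leaves open are assumptions: a special character is any non-alphanumeric character, "repeating characters" means three or more identical characters in a row (the form's "aaa"), and the username match is case-insensitive.

```python
import re
from typing import List, Sequence

def els_min_length_valid(min_length: int, els_enabled: bool) -> bool:
    """Minimum Password Length field: 6-8 digits with ELS enabled, 1-8 otherwise."""
    low = 6 if els_enabled else 1
    return low <= min_length <= 8

def check_password(candidate: str, username: str, old_passwords: Sequence[str],
                   els_enabled: bool = True, min_length: int = 8) -> List[str]:
    """Return the rules the candidate breaks (an empty list means it is acceptable).
    Rules follow the 'Strict password content' row above. Assumptions not spelled out
    on the form: a special character is any non-alphanumeric character, 'repeating
    characters' means three or more identical characters in a row (the form's 'aaa'),
    and the username match is case-insensitive. Old passwords are compared in the
    clear here only for illustration; a real store would hold hashes."""
    problems: List[str] = []
    if " " in candidate:
        problems.append("contains a space")
    if len(candidate) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if not els_enabled:
        return problems            # ELS disabled: no content or history rules apply
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper case character")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower case character")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", candidate):
        problems.append("contains repeating characters")
    if candidate in old_passwords:   # Number of Old Passwords Saved: reuse is refused
        problems.append("matches a saved old password")
    return problems

def change_allowed(days_since_last_change: int, waiting_days: int, is_default: bool) -> bool:
    """Password Change Waiting Period (1-20 days): refuse a change made sooner than the
    programmed period, except for a default password, which may be changed at once."""
    return is_default or days_since_last_change >= waiting_days

# Constructed sample history (not from any real system).
SAMPLE_HISTORY = ["Old1$pwd", "Prev2#ok"]
```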