Policy Settings
Password Complexity Requirements
Password Complexity Requirements Section on the Policy page
These settings only apply to native accounts.
Note: Changing the Password Complexity Requirements affects password changes from that point forward. Users with existing passwords that do not meet the new complexity requirements are unaffected until the next time they are required to change their password or request a password change. At that time their new password will need to conform to the new complexity requirements.
| Policy | Description |
|---|---|
| Minimum Length | The password must be at least x characters long. |
| Require at Least x Letters | The password must contain at least x count of letters. |
| Require at Least x Uppercase Letters | The password must contain at least x count of uppercase letters. |
| Require at Least x Lowercase Letters | The password must contain at least x count of lowercase letters. |
| Require at Least x Numbers | The password must contain at least x count of numbers. |
| Require at Least x Special Characters | The password must contain at least x count of special characters (ex, %, $, #). |
Password Change Policy
Password Change Policy Settings
| Require Password Change Every X Days | The server will require that native account passwords be changed after this number of days. Not all protocols have standard support for password changing, and not all clients implement that support when it does exist. To overcome this limitation, you can disable password expiration checking for specific protocols. Note, marking a user account password as requiring a change on the next login requires the password change option to be checked.
|
| Email Notify Before Expiration | (Enterprise edition only) If enabled, the server will send an email to native user accounts when their passwords are nearing expiration. The number of days before expiration to send the email is configurable. |
Password History
Password History Settings on the Policy Page
| Remember Last X Passwords | Cerberus will save a secure hash of the last specified number of passwords that the user has used. |
| Can't Reuse Last X Passwords | Cerberus will prevent a user from changing their password to any password used within the specified history count. |
Authentication Order
Authentiction Order Settings on the Policy Page
Cerberus FTP Server can authenticate against several different types of data sources. The current possible authentication sources include the Native user system, Active Directory (AD), and LDAP. You can have multiple AD and LDAP servers configured and Cerberus will check each one and attempt to match a username and password. Cerberus will try each authentication source in order until a successful authentication occurs, or until all sources fail authentication.
The order that authentication sources are checked is determined by the Authentication Order list box. You can move authentication sources up and down in order depending upon your needs.
Authentication Requirements
Authentication Requirements Settings on the Policy Page
The Disable Account After, Disable Account Last Login Exceeded, and Password Storage Format options only apply to Cerberus Native accounts.
| Disable Account After Too Many Failed Attempts | The Native account becomes disabled if x number of consecutive failed login attempts. The counter is reset on a successful login. |
| Disable Account Last Login Exceeded | Native accounts become disabled if they exceed x number of days without successful login. |
| Password Storage Format | This is the method Cerberus uses to store native user account password information. Options are:
All options are salted and are performed using FIPS-compliant crypto routines if the server is in FIPS mode. The PBKDF2 options are considered more secure, but take longer and require more computational resources to compute for each password. |
| Stop Authentication Chain if User Exists | If a user is found in an authentication source, but the password is incorrect, don’t proceed to check the other authentication sources. No other authentication sources will be checked if the user is found and the password is incorrect. |
| Auto-Create Variable Directories | The variable %USER% can be used in virtual directory names and paths. This variable is evaluated to the account’s name when the user logs in. Selecting this option ensures that virtual directory paths with the %USER% variable in them will be automatically created when the user account is evaluated during login. |
| Create Home Directory As User For AD | This setting influences how home directories are created for Active Directory users when the default virtual directory mapping mode in AD is set to Global Home/%USER% mode. Normally, Cerberus creates the home directory while under the service account. If this option is enabled, Cerberus will impersonate the AD user before creating the directory. This ensures the home directory is owned by the AD user instead of the service account. |
| Use UPN for Home Directory for AD | This setting influences how home directories are created for Active Directory users when the default virtual directory mapping mode in AD is set to Global Home/%USER% mode. If this option is checked, Cerberus will always use the AD user’s UPN name as the home directory name, instead of the user’s login name. AD users can usually use either their SAMAccount or their UPN name. Checking this option will ensure the user is always placed in the same home directory, regardless of whether they log in with their SAMAccount or UPN name. |
| Follow Active Directory Referrals | When querying a domain controller, a referral is a way that a directory server communicates that it does not contain the data required to complete a query, but has a reference to a server that may contain the required data. If this option is selected, Cerberus will query other domain controllers to get a complete set of results. |
Comments
0 comments
Please sign in to leave a comment.