 |
MCU 4510 |
| ホスト: 150.7.1.9 |
Help contents >
Configuring the MCU >
Configuring security settings
|
Search/Print 一覧 |
Configuring security settings
To configure security settings, go to .
| Field | Field description |
|---|---|
| Security settings | |
| Advanced account security mode | Advanced account security mode causes the MCU to hash passwords before storing them in the configuration.xml file (see below). Note that hashing user passwords is an irreversible process. Before you enable advanced account security mode, we recommend that you back up your configuration. The MCU gives you the option to do that after you have enabled Advanced account security mode. If you enable advanced account security mode, all current passwords (created when the MCU was not in advanced account security mode) will expire and users must change them. Advanced account security mode is described in greater detail below. |
| Redirect HTTP requests to HTTPS | Enable this option to have HTTP requests to the MCU automatically redirected to HTTPS. This option is unavailable if either HTTP (Web) or HTTPS (Secure web) access is disabled on the page. |
| Idle web session timeout | The timeout setting for idle web sessions. The user must log in again if the web sessions expires. The timeout value must be between 1 and 60 minutes. Note that status web pages that auto-refresh will keep a web session active indefinitely. You can configure the MCU not to auto-refresh those pages; to do so, go to . |
| Serial console settings | |
| Hide log messages on console | The serial console interface displays log messages. If that is considered to be a security weakness in your environment, select this option to hide those messages. |
| Disable serial input during startup | Select this option for enhanced serial port security. |
| Require administrator login | Select this option to require an administrator login by anyone attempting to connect to the MCU via the console port. If this is not enabled, anyone with physical access to the MCU (or with access to your terminal server) can potentially enter commands on the serial console. |
| Idle console session timeout | If you have enabled Require administrator login , you can configure a session timeout period. The timeout setting for idle console sessions. The admin must log in again if the console sessions expires. The timeout value must be between 1 and 60 minutes. |
Advanced account security mode
You can configure the MCU to use advanced account security mode. Advanced account security mode has the following features:
- The MCU will hash passwords before storing them in the configuration.xml file (see below)
- The MCU will demand that passwords fullfil certain criteria, using a mixture of alphanumeric and non-alphanumeric (special) characters (see below)
- Passwords will expire after 60 days
- A new password for an account must be different from the last ten passwords used with that account
- The MCU will disable a user's account if that user incorrectly enters a password three times consecutively. If this is an admin account, it is disabled for 30 minutes; for any other account, it is disabled indefinitely (or until you, the administrator, re-enable the account from the page)
- Non-administrator account holders are not allowed to change their password more than once in any 24 hour period
- Administrators can change any user account’s password and force any account to change its password by selecting Force user to change password on next login on the page. Administrators can prevent any non-administrator account from changing its password by selecting Lock password on the page.
- The MCU will disable any non-administrator account after a 30 day period of account inactivity. To re-enable the account, you must edit that account's settings on the page
If you enable advanced security, all current passwords (created when the MCU was not in advanced account security mode) will expire and users must change them.
When using Advanced account security mode, we recommend that you rename the default administrator account. This is especially true where the MCU is connected to the public internet because security attacks will often use “admin” when attempting to access a device with a public IP address. Even on a secure network, if the default administrator account is “admin”, it is not inconceivable that innocent attempts to log into the MCU will cause you to be locked out for 30 minutes.
We recommend that you create several accounts with administrator privileges. This will mean that you will have an account through which you can access the MCU even if one administrator account has been locked out.
If there are applications accessing the MCU, for example TMS, Conference Director, or any other API application, we recommend that you create dedicated administrator accounts for each application.
In advanced account security mode, if a user logs in with a correct but expired password the MCU asks that user to change the password. If the user chooses not to change it, that user is allowed two more login attempts to change the password before the account gets disabled.
Hashing passwords
In advanced account security mode, the MCU will hash passwords before storing them in the configuration.xml file. The configuration.xml file is used for backing up and restoring the configuration of the MCU (see Upgrading and backing up the MCU). If you do not select to use advanced password security, all user passwords are stored in plain text in the configuration.xml; this might be a security issue. If you select to use advanced password security, they will not be stored anywhere on the MCU in plain text; instead the passwords will be stored as hash sums. Note that hashing user passwords is an irreversible process.
Password format
In advanced account security mode, passwords must have:
- at least fifteen characters
- at least two uppercase alphabetic characters
- at least two lowercase alphabetic characters
- at least two numeric characters
- at least two non-alphanumeric (special) characters
- not more than two consecutive repeating characters. That is, two repeating characters are allowed, three are not
In advanced account security mode, a new password must be different to the previous 10 passwords that have been used with an account.
Expiring passwords
In advanced account security mode, if a user logs in with a correct but expired password the MCU asks that user to change the password. If the user chooses not to change it, that user is allowed two more login attempts to change the password before the account gets disabled.
Related topics
| (c) Copyright Codian 2003-2010, ライセンス情報 |