NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring AAA Security Measures

You can set the password strength requirement and maximum number of unsuccessful login attempts to improve AAA security.

Configuring Security Hardening

You can configure the maximum number of unsuccessful login attempts, password strength requirement, and alarms to improve local user security.

Context

To improve user security, you can raise password strength requirements and restrict local users' unsuccessful login attempts.

If the login password does not satisfy the security hardening policy, the system prompts you to change your password. Change it as the prompt instructs.

Procedure

  • Raise password strength requirements globally.
    1. Run system-view

      The system view is displayed.

    2. Run user-security-policy enable

      The user security policy is configured.

    3. Run commit

      The configuration is committed.

  • Improve the password security in the AAA view.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run user-aging aging-period or local-user user-name aging aging-period

      The aging period of a local account is configured.

      If a local account stays idle for longer than the configured aging period, the account ages automatically.

      The user-aging command applies to all users in the system. The local-user aging command applies only to the specific user.

      If the user-aging command configures the aging period for all users, the following precedence applies to a specific user:
      • If the local-user aging command has not been configured for the user, the user-aging command configuration takes effect for the user.
      • If the local-user aging command has been configured for the user, the local-user aging command configuration takes precedence for the user.

    4. Run local-user user-name expire date

      The expiration date of a local account is configured.

      NOTE:

      If all accounts on a device are configured with expiration dates, then after the last account expires no account can log in to the device, and the device can no longer be managed. To prevent this, the last remaining account stays valid even when all management accounts (terminal, Telnet, FTP, or SSH accounts) are configured with expiration dates.

    5. Run user-name minimum-length length

      The minimum length of a local user name is configured.

      A newly created local user name must meet this minimum length; otherwise, the local user cannot be created.

    6. Run local-user user-name login-period begin-time to end-time begin-day to end-day

      The period during which a local user is allowed to log in is configured.

    7. Run user-password complexity-check

      The password strength check is enabled for local users.

    8. Run user-password min-len min-length

      The minimum length of the password is configured.

      This command applies to the passwords in simple text mode only.

    9. Run user-password change

      A local administrator is required to change the initial password upon a second login.

    10. Run local-user user-name password expire days

      The period after which a password for a local user expires is configured.

      NOTE:

      To harden network security, administrators can run the local-user password expire command to configure the period after which a password expires.

      When the password for a local user is changed, the system resets the period.

      The local-user password expire command applies only to local users. After a password expires, configure a new password for the user; otherwise, the user cannot log in.

    11. Run user-password expire expire-days prompt prompt-days

      The password validity period and advance warning before the password expires are configured.

      NOTE:

      To prevent account stealing due to unchanged passwords, run the user-password expire command to set the password validity period and the period for advance warning before the password expires.

      Only a level-3 or higher-level administrator can run the user-password expire command.

      • The user-password expire command applies only to administrators. The system prompts the administrator to change the password N days before the password expires.
      • If the administrator has not changed the password by the time it expires, the administrator is denied access to the device.

    12. Run local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }

      The status of a local user is configured.

    13. Run login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period

      The alarm and clear alarm thresholds for unsuccessful login attempts are configured.

    14. Run commit

      The configuration is committed.

  • Improve the password security in the local AAA server view.
    1. Run system-view

      The system view is displayed.

    2. Run local-aaa-server

      The local AAA server view is displayed.

    3. Run user-password complexity-check

      The password strength check is enabled for local users.

    4. Run user-password min-len min-length

      The minimum length of the password is configured.

      This command applies to the passwords in simple text mode only.

    5. Run user-password change

      A local administrator is required to change the initial password upon a second login.

    6. Run user-password expire expire-days prompt prompt-days

      The password validity period and advance warning before the password expires are configured.

    7. Run user user-name block [ fail-times fail-times-value interval interval-value ]

      The status of a local user is configured as Blocked.

    8. Run commit

      The configuration is committed.

Result

You can run the display current-configuration configuration configuration-type command to check the configuration.

Example

Run the display current-configuration configuration aaa command to check the AAA configuration.
<HUAWEI> display current-configuration configuration aaa
aaa
 user-password min-len 16  
 user-password complexity-check
 user-password expire 90 prompt 7
 user-password change
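The output above is the shape a configuration audit has to read. The following script is an added example (not part of this guide or of Huawei's tooling): it parses the aaa view from a constructed copy of that output and reports which of the hardening commands from the procedure are present, using assumed baseline values (min-len 16, expiry within 90 days).

```python
# Constructed sample in the shape of "display current-configuration configuration aaa"
# as shown on this page; it was not captured from a live device.
SAMPLE_AAA_OUTPUT = """\
<HUAWEI> display current-configuration configuration aaa
aaa
 user-password min-len 16
 user-password complexity-check
 user-password expire 90 prompt 7
 user-password change
"""

# Assumed audit baseline (values chosen for this example, not device defaults).
MIN_PASSWORD_LENGTH = 16
MAX_EXPIRE_DAYS = 90


def parse_aaa_view(output):
    """Return the commands under the 'aaa' view as a list of token lists."""
    commands = []
    in_aaa = False
    for line in output.splitlines():
        if line.strip() == "aaa":
            in_aaa = True
            continue
        if in_aaa:
            if not line.startswith(" "):  # the view ends at the first unindented line
                break
            commands.append(line.split())
    return commands


def audit_aaa_hardening(output):
    """Map each hardening item to True (configured and within baseline) or False."""
    findings = {"complexity-check": False, "min-len": False, "expire": False, "change": False}
    for tokens in parse_aaa_view(output):
        if len(tokens) < 2 or tokens[0] != "user-password":
            continue
        keyword = tokens[1]
        if keyword == "complexity-check":
            findings["complexity-check"] = True
        elif keyword == "min-len" and len(tokens) >= 3 and tokens[2].isdigit():
            findings["min-len"] = int(tokens[2]) >= MIN_PASSWORD_LENGTH
        elif keyword == "expire" and len(tokens) >= 3 and tokens[2].isdigit():
            findings["expire"] = int(tokens[2]) <= MAX_EXPIRE_DAYS
        elif keyword == "change":
            findings["change"] = True
    return findings


if __name__ == "__main__":
    for item, ok in audit_aaa_hardening(SAMPLE_AAA_OUTPUT).items():
        print(f"{item:17} {'OK' if ok else 'MISSING'}")
```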

Configuring a Forbidden Password String for Local Users

To improve local account security, specify character strings that are not allowed in passwords.

Context

Simple passwords can be easily compromised. To avoid security problems caused by simple passwords, you can specify character strings that are not allowed in passwords.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run security password

    The password security view is displayed.

  3. Run rule admin

    The rules management view is displayed.

  4. Run forbidden word word

    A forbidden password string is configured.

    After a forbidden password string is configured, new passwords cannot contain this string, regardless of case.

    The forbidden word command applies only to local users' passwords. After it is executed, a newly configured or modified password cannot contain any forbidden password string; otherwise, the configuration fails. If an existing password contains a forbidden password string, the system prompts the user to change the password, but the user can continue to use it.

    A device supports a maximum of 32 password configuration rules. Each rule can specify only one forbidden password string. The same forbidden password string can be specified in different rules.

  5. Run commit

    The configuration is committed.
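The rules in this section (case-insensitive substring match, rejection of new or modified passwords, a prompt but no rejection for existing ones, at most 32 rules with one string each) can be checked before a password is provisioned. The following is an added example, not code from this guide or from Huawei; the forbidden words and the min-len value of 16 are constructed sample values.

```python
# Constructed sample rules, as if configured with "forbidden word <word>"
# under "security password" / "rule admin". Not taken from a device.
FORBIDDEN_WORDS = ["huawei", "admin", "password"]
MAX_RULES = 32  # the guide states a device supports at most 32 password rules


def load_rules(words):
    """Mirror the device limit: one string per rule, no more than 32 rules."""
    if len(words) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} forbidden-word rules are supported")
    return [w.lower() for w in words]


def forbidden_matches(password, rules):
    """Return the forbidden strings found in the password, ignoring case."""
    lowered = password.lower()
    return [w for w in rules if w in lowered]


def check_new_password(password, rules, min_len=16):
    """Decide whether a new or modified local-user password would be accepted.

    Returns (accepted, reasons). A forbidden string rejects the password, as the
    guide states; the length check mirrors 'user-password min-len' (assumed 16).
    """
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than min-len {min_len}")
    hits = forbidden_matches(password, rules)
    if hits:
        reasons.append("contains forbidden string(s): " + ", ".join(hits))
    return (not reasons, reasons)


def audit_existing_password(password, rules):
    """Existing passwords are not rejected; the device only prompts for a change."""
    return "change-recommended" if forbidden_matches(password, rules) else "ok"


if __name__ == "__main__":
    rules = load_rules(FORBIDDEN_WORDS)
    for candidate in ["Correct-Horse-Battery-7!", "MyHuaweiRouter2024!!", "Short1!"]:
        print(candidate, check_new_password(candidate, rules))
```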

Updated: 2019-01-02

Document ID: EDOC1100055397
