Configuring Security Policies
System security policies include the account policy, login policy, access control, and user account audit. Configuring system security policies helps improve system security.
Configuring the Account Policy
The account policy includes the user name, password complexity, and validity period.
Procedure
- Log in to DeviceManager.
- Choose Settings > User and Security > Security Policies.
- Configure an account policy. Table 5-1 describes the related parameters.
Click Advanced to display the advanced settings of Account Policy.
Table 5-1 Account policy parameters
Parameter
Description
Complexity
Complexity of the user password. A complex password is recommended.
[Value range]
- A password must contain special characters and at least two of the following types: uppercase letters, lowercase letters, and digits.
- A password must contain special characters, uppercase letters, lowercase letters, and digits.
Password Validity
Indicates whether to set a password validity period.
NOTE:
- If Password Validity is not enabled, the password is always valid. To ensure the security of the storage system, you are advised to enable Password Validity.
- If Password Validity is enabled, you need to set Password Validity Period and Password Expiration Warning.
Password Validity Period (Day)
After the validity period of a password expires, the system asks you to change the password promptly.
[Value range]
Its value is an integer ranging from 1 to 999.
Password Expiration Warning
Number of days prior to password expiration that the user receives a warning message.
[Value range]
Its value is an integer ranging from 1 to 99.
Min. Username Length
Minimum length of the user name.
[Value range]
Its value is an integer ranging from 5 to 32.
Password Length
This parameter prevents users from setting a password that is too simple or too long.
[Value range]
Its value is an integer ranging from 8 to 32.
Duplicate Characters
Maximum number of consecutive duplicate characters.
[Value range]
Its value is an integer ranging from 0 to 9. If the value is 0, the number is not limited.
Retained Historical Passwords
Number of retained historical passwords of the account. A new password must be different from retained historical passwords.
[Value range]
Its value is an integer ranging from 0 to 30. If the value is 0, the number is not limited.
Password Change Interval
Indicates whether to enable a password change interval.
NOTE: If Password Change Interval is enabled, you must set Interval.
Interval
Minimum interval for changing a password.
[Value range]
Its value is an integer ranging from 1 to 9999.
- Click Save.
Configuring the Login Policy
The login policy includes session timeout and account lockout.
Procedure
- Log in to DeviceManager.
- Choose Settings > User and Security > Security Policies.
- Configure a login policy. Table 5-2 describes the related parameters.
Click Advanced to display the advanced settings of Login Policy.
Table 5-2 Login policy parameters
Parameter
Description
Session Timeout Duration (Minute)
A user will be automatically logged out if the user does not perform any operation within the specified time.
[Value range]
Its value is an integer ranging from 1 to 100.
Account Lockout
If Account Lockout is enabled and the number of consecutive incorrect password attempts exceeds the value of Lockout Threshold within 5 minutes, the user account is locked.
NOTE:
- Disabling Account Lockout poses security risks. You are advised to enable this function.
- If Account Lockout is enabled, you need to set Lockout Threshold, Lockout Mode, and Automatic Unlock In.
- A locked account can be manually unlocked by the super administrator. If Lockout Mode is set to Temporary, the system automatically unlocks a locked account after the time specified by Automatic Unlock In has elapsed.
Lockout Threshold
Number of consecutive incorrect password attempts. If the number of incorrect password attempts exceeds the value of Lockout Threshold, the system automatically locks the account.
[Value range]
Its value is an integer ranging from 1 to 9.
Lockout Mode
The mode in which a user is automatically locked by the system.
NOTE:
- If you select Permanent, a super administrator account is automatically unlocked by the system after being locked for 15 minutes, and an administrator account is permanently locked by the system.
- If you select Temporary, set Automatic Unlock In to specify the automatic unlock time.
[Value range]
Temporary or Permanent
Automatic Unlock In (Minute)
Period after which a locked account will be automatically unlocked.
NOTE:
- The automatic unlock time applies only to automatic lockout. If an account is manually locked, the time does not take effect, and the account can only be manually unlocked.
- When Automatic Unlock In is set to a value ranging from 3 to 15, the automatic unlock time applies to all accounts.
- When Automatic Unlock In is set to a value ranging from 16 to 2000, the automatic unlock time applies only to non-super administrator accounts. A super administrator account will be automatically unlocked after 15 minutes.
[Value range]
Its value is an integer ranging from 3 to 2000.
Lock Account When Idle
If an account does not log in to the system within the specified number of days, the account is locked.
NOTE: If Lock Account When Idle is enabled, you need to set Idle Period.
Idle Period
Number of days for which an account remains idle.
[Value range]
Its value is an integer ranging from 1 to 999.
Login Security Info
After an account logs in, the system displays information about its last login, including the login time and IP address, to enhance security.
User-Defined Info
After an account successfully logs in to the system, a warning is displayed, showing the preset prompt information.
NOTE: After User-Defined Info is enabled, you need to enter prompt information.
Info
This message is used to notify the user that login is successful.
[Value range]
Its value contains 1 to 511 characters.
- Click Save.
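The unlock rules in Table 5-2 depend on the lockout mode, the account role, and the Automatic Unlock In value. The following added example (not vendor code; the class and function names are hypothetical) encodes those rules so that a planned configuration can be checked before it is saved.

```python
from dataclasses import dataclass
from typing import List, Optional

# Per Table 5-2: a super administrator is never locked for more than 15 minutes.
SUPER_ADMIN_UNLOCK_MIN = 15


@dataclass
class LoginPolicy:  # hypothetical container for the Table 5-2 settings
    threshold: int = 3          # Lockout Threshold, 1 to 9
    mode: str = "Temporary"     # Lockout Mode: "Temporary" or "Permanent"
    auto_unlock_min: int = 15   # Automatic Unlock In (Minute), 3 to 2000


def validate(p: LoginPolicy) -> List[str]:
    """Return the settings that fall outside the documented value ranges."""
    errors = []
    if not 1 <= p.threshold <= 9:
        errors.append("Lockout Threshold must be 1 to 9")
    if p.mode not in ("Temporary", "Permanent"):
        errors.append("Lockout Mode must be Temporary or Permanent")
    if p.mode == "Temporary" and not 3 <= p.auto_unlock_min <= 2000:
        errors.append("Automatic Unlock In must be 3 to 2000")
    return errors


def auto_unlock_after(p: LoginPolicy, is_super_admin: bool,
                      manually_locked: bool = False) -> Optional[int]:
    """Minutes until automatic unlock, or None if only a manual unlock applies."""
    if manually_locked:
        return None  # the automatic unlock time does not apply to manual locks
    if p.mode == "Permanent":
        # Super administrators come back after 15 minutes; other accounts stay locked.
        return SUPER_ADMIN_UNLOCK_MIN if is_super_admin else None
    if is_super_admin:
        # Values 3 to 15 apply to all accounts; 16 to 2000 leave this role at 15.
        return min(p.auto_unlock_min, SUPER_ADMIN_UNLOCK_MIN)
    return p.auto_unlock_min


if __name__ == "__main__":
    policy = LoginPolicy(threshold=3, mode="Temporary", auto_unlock_min=60)
    print(validate(policy), auto_unlock_after(policy, True),
          auto_unlock_after(policy, False))
```

A result of None means the account stays locked until the super administrator unlocks it manually.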
Configuring Authorized IP Addresses
To prevent unauthorized IP addresses from accessing the storage system, specify the IP addresses or IP address segments that are allowed to access the device.
Prerequisites
You are a super administrator. (Only super administrators have the permission to perform this operation.)
Procedure
- Log in to DeviceManager.
- Choose Settings > User and Security > Security Policies.
- Specify the IP addresses allowed to access the storage system.
  - Enable Access Control.
  - Enter the IP addresses or IP address segments that can access the device.
    - An example of an IP address is 192.168.1.100 or fx00::1234.
    - An example of an IP address segment is 192.168.1.10-192.168.1.11.
  - Click Add to add the specified IP address segments or IP addresses to the IP address/address segment list.
    - A maximum of 32 IP addresses and IP address segments can be added.
    - After this function is enabled, if you no longer want to allow an IP address or IP address segment to access the storage system, click the icon next to the IP address or IP address segment. However, you must reserve at least one IP address or IP address segment. You can also click Clear All to delete all IP addresses and IP address segments.
- Click Save.
If a dialog box is displayed, perform operations as prompted.
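Enabling Access Control with a list that omits your own management hosts cuts off their access. The following added example (not vendor code) checks a planned list against the limits stated above and confirms that each management host is covered. The function names and sample addresses are constructed, and treating segments as inclusive at both ends is an assumption.

```python
import ipaddress

MAX_ENTRIES = 32  # the procedure allows at most 32 addresses and segments


def parse_entry(text):
    """Parse 'a' or 'a-b' into an inclusive (first, last) address pair."""
    first, sep, last = (s.strip() for s in text.partition("-"))
    lo = ipaddress.ip_address(first)               # ValueError if malformed
    hi = ipaddress.ip_address(last) if sep else lo
    if lo.version != hi.version or int(hi) < int(lo):
        raise ValueError("segment end is below its start or mixes IPv4 and IPv6")
    return lo, hi


def check_allowlist(entries, management_ips):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not entries:
        problems.append("at least one address or segment must be reserved")
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    ranges = []
    for entry in entries:
        try:
            ranges.append(parse_entry(entry))
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
    for ip in management_ips:
        addr = ipaddress.ip_address(ip)
        covered = any(lo.version == addr.version and lo <= addr <= hi
                      for lo, hi in ranges)
        if not covered:
            problems.append(f"{ip}: management host is not covered by any entry")
    return problems


if __name__ == "__main__":
    # Constructed sample: planned list and the hosts that must keep access.
    planned = ["192.168.1.100", "192.168.1.10-192.168.1.11", "fc00::1234"]
    for line in check_allowlist(planned, ["192.168.1.11", "192.168.1.50"]):
        print(line)
```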
Configuring User Account Audit
After the user account audit function is enabled, the system periodically sends account audit alarms to remind the super administrator to audit the number of accounts, roles, and status information to ensure account security.
Procedure
- Log in to DeviceManager.
- Choose Settings > User and Security > Security Policies.
- Configure user account audit.
  - Enable User Account Audit.
  - Set Audit Period.
    - The value of Audit Period ranges from 0 to 999.
    - If Audit Period is set to 0 or 1, the system sends a user account audit alarm every day.