
DIGITAL EDUCATION SERIES

JOB AID

Enforcing a Secure
Password Policy on the
BIG-IP System

TABLE OF CONTENTS

Enabling and Configuring a Secure Password Policy
    Secure Password Policy Enforcement Settings
    Enabling and Configuring a Secure Password Policy Using the Configuration Utility
    Enabling and Configuring a Secure Password Policy Using TMSH

DIGITAL EDUCATION SERIES
BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM

ENFORCING A STRICT PASSWORD POLICY ON THE BIG-IP SYSTEM

Enabling and Configuring a Secure Password Policy


Creating a strong password policy is key to helping safeguard against unauthorized or malicious administrative
access to your BIG-IP system. In version 13.1 and earlier, by default, the system does not enforce a secure
password policy for locally defined BIG-IP users. Any password is allowed. Effective in BIG-IP v14.0, the system
enforces a secure password policy by default, but only when starting from a brand-new system, not from an
upgraded system. And, keep in mind that all BIG-IP systems ship with two default administrative accounts - root and
admin - both of which have default passwords known to all and, unless a secure password policy is enforced, with no
requirement (other than common sense) to change them.
Two types of restrictions are available when using a secure password policy:
• Enforcement restrictions define the standards for forming new passwords, and consist of the minimum
password length, required character types, such as numbers, upper- and lower-case letters, or other
characters, the required number of occurrences of each character type, and whether the use of
recognizable words will be permitted or not.
• Policy restrictions define the minimum and maximum period a password can be active, the number of
previous passwords the system will store to prevent previous password reuse, the maximum number of
login failures before a user is locked out, and the number of days before password expiration that the
system should begin issuing warning messages to the user about the pending expiration.
Once you have enabled secure password enforcement, you can customize the password policy's configuration
settings to meet your security requirements.

Secure Password Policy Enforcement Settings

The following table summarizes the various secure password policy options available. The system only enforces
these options when Secure Password Enforcement (policy-enforcement in TMSH) is enabled:

Each entry below gives the Configuration Utility option, the equivalent TMSH option, the default value, and a description.

Minimum Length (TMSH: minimum-length), default 6
    Specifies the minimum number of characters required for a valid password. Allowable values range from 6
    through 255.

Required Characters - Numeric (TMSH: required-numeric), default 0 (zero)
    Specifies the number of numeric characters required for a valid password. Allowable values range from 0 (zero)
    through 127.

Required Characters - Uppercase (TMSH: required-uppercase), default 0 (zero)
    Specifies the number of uppercase characters required for a valid password. Allowable values range from 0 (zero)
    through 127.

Required Characters - Lowercase (TMSH: required-lowercase), default 0 (zero)
    Specifies the number of lowercase characters required for a valid password. Allowable values range from 0 (zero)
    through 127.

Required Characters - Other (TMSH: required-special), default 0 (zero)
    Specifies the number of special characters required for a valid password. Allowable values range from 0 (zero)
    through 127.

Password Memory (TMSH: password-memory), default 0 (zero)
    Specifies the number of passwords the BIG-IP system will remember for each user to prevent reuse of previous
    passwords.

Minimum Duration (TMSH: min-duration), default 0 (zero)
    Specifies the minimum number of days a user must wait before they can change their password again. Allowable
    values range from 0 (zero) through 255. For users with an administrator role, the Configuration utility enforces
    this setting, but the TMOS Shell (TMSH) does not.

Maximum Duration (TMSH: max-duration), default 99999
    Specifies the maximum number of days a password is valid. Allowable values range from 1 through 99999. If a user
    does not change their password by the time the maximum duration is reached, an administrator must change their
    password (BIG-IP version 13.0 and earlier) or the user must change their password (BIG-IP version 13.1 and later).

Expiration Warning (TMSH: expiration-warning), default 7
    Specifies the number of days prior to password expiration that the system sends a warning message to a user.
    Allowable values range from 1 through 255.

Maximum Login Failures (TMSH: max-login-failures), default 0 (zero)
    Specifies the number of consecutive unsuccessful login attempts the system allows before locking out a user.
    When set to 0 (zero), maximum login failures is not enforced. Allowable values range from 0 through 65535.
    Locked out users must contact a system administrator to reinstate their access.

DIGITAL 4
EDUCATION
SERIES
BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM

Enabling and Configuring a Secure Password Policy Using the Configuration Utility

Requirements: You must be an Administrator to enable and configure a secure password policy.
1. On the BIG-IP system, navigate to System » Users : Authentication, and set Secure Password Enforcement
   to Enabled.
2. In the Password Policy section, change the password restriction settings as desired. In the example
   configuration, the following restrictions are set:
   a. Minimum password length is 12
   b. Passwords must contain at least 2 numbers, 2 uppercase characters, 2 lowercase characters, and
      1 special character.
   c. No password reuse for up to 4 previous passwords
   d. Users must change their passwords every 90 days
   e. Users are locked out if they enter an invalid password 3 times
3. Click the Update button to save the configuration and begin enforcing the secure password policy.


Enabling and Configuring a Secure Password Policy Using TMSH

Requirements: You must be an Administrator to enable and configure a secure password policy. Any role can list
the current secure password policy's settings.
In the example below, secure password enforcement is enabled (policy-enforcement, which is disabled by default and
without which none of the other settings are enforced), the following restrictions are set, and the configuration
is saved:
• Minimum password length is 12
• Passwords must contain at least 2 numbers, 2 uppercase characters, 2 lowercase characters, and 1 special
  character.
• No password reuse for up to 4 previous passwords
• Users must change their passwords every 90 days
• Users are locked out if they enter an invalid password 3 times
• All other settings are left at their defaults

    (tmos)# modify /auth password-policy policy-enforcement enabled minimum-length 12 required-numeric 2 required-uppercase 2 required-lowercase 2 required-special 1 password-memory 4 max-duration 90 max-login-failures 3
    (tmos)# list auth password-policy all-properties
    auth password-policy {
        description none
        expiration-warning 7
        max-duration 90
        max-login-failures 3
        min-duration 0
        minimum-length 12
        password-memory 4
        policy-enforcement enabled
        required-lowercase 2
        required-numeric 2
        required-special 1
        required-uppercase 2
    }
    (tmos)# save sys config
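The script below is an added example and is not part of this job aid or of F5's own tooling. It audits the text that `tmsh list auth password-policy all-properties` prints against a baseline built from the settings in the table above and in the TMSH example (enforcement enabled, 12-character minimum, 2/2/2/1 required character classes, 4-password memory, 90-day maximum duration, lockout after 3 failures). The two listings embedded in it are constructed samples, one for a system still at its defaults and one matching the hardened example; the function names `policy_value`, `audit_policy` and `require` are this example's own. It checks policy-enforcement first because, as the table notes, nothing else is enforced while that setting is disabled.

```shell
#!/bin/sh
# Added example (not F5 code): audit a BIG-IP password-policy listing
# against a baseline. On a live system, feed it the real output, e.g.
#   audit_policy "$(tmsh list auth password-policy all-properties)"

# Constructed sample: a system whose password policy was never enabled.
DEFAULT_POLICY='auth password-policy {
    description none
    expiration-warning 7
    max-duration 99999
    max-login-failures 0
    min-duration 0
    minimum-length 6
    password-memory 0
    policy-enforcement disabled
    required-lowercase 0
    required-numeric 0
    required-special 0
    required-uppercase 0
}'

# Constructed sample: the listing after the hardening modify command above.
HARDENED_POLICY='auth password-policy {
    description none
    expiration-warning 7
    max-duration 90
    max-login-failures 3
    min-duration 0
    minimum-length 12
    password-memory 4
    policy-enforcement enabled
    required-lowercase 2
    required-numeric 2
    required-special 1
    required-uppercase 2
}'

# policy_value LISTING KEY: print the value of KEY from a tmsh listing.
policy_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_policy LISTING: print one FAIL line per weak setting.
# The exit status is the number of findings, so 0 means the baseline is met.
audit_policy() {
    listing=$1
    findings=0

    # require KEY OP LIMIT: record a finding unless "value OP limit" holds.
    # A missing key yields an empty value, which fails the test and is reported.
    require() {
        value=$(policy_value "$listing" "$1")
        if ! [ "$value" "$2" "$3" ]; then
            echo "FAIL: $1 is '$value' (want $2 $3)"
            findings=$((findings + 1))
        fi
    }

    # Without enforcement enabled, none of the other settings take effect.
    if [ "$(policy_value "$listing" policy-enforcement)" != enabled ]; then
        echo "FAIL: policy-enforcement is not enabled (no other setting is enforced)"
        findings=$((findings + 1))
    fi
    require minimum-length     -ge 12
    require required-numeric   -ge 2
    require required-uppercase -ge 2
    require required-lowercase -ge 2
    require required-special   -ge 1
    require password-memory    -ge 4
    require max-duration       -le 90
    # 0 disables lockout entirely, so the acceptable range is 1 through 3.
    require max-login-failures -ge 1
    require max-login-failures -le 3

    return "$findings"
}

# Stand-alone run: the default sample yields 9 findings, the hardened one none.
echo "== default policy =="
audit_policy "$DEFAULT_POLICY" || echo "findings: $?"
echo "== hardened policy =="
audit_policy "$HARDENED_POLICY" && echo "baseline met"
```

Because the exit status carries the finding count, the function drops straight into a scheduled check (`audit_policy "$(tmsh list auth password-policy all-properties)" || alert`) without any parsing on the caller's side; adjust the thresholds in `audit_policy` to match your own policy rather than the example values used here.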
