Creating password policies
By default, Bravura Security Fabric is configured to support a single, global password policy, to ensure that all new passwords are acceptable to every system. You can create additional password policies to apply to:
Target system groups
You may want to set up multiple target system groups and password policies, for example, if subsets of target systems have incompatible password strength rules, or you want a user’s passwords to vary on two or more target systems.
Users defined by user class
You can use user classes to apply different password policies to segments of the user population on the same target system group; for example, to apply stricter rules to Active Directory administrators than to regular users on the same domain.
See Target system groups for more information about target system groups and user-class-selected policies.
The case for alternative password policies across systems
Bravura Security Fabric allows you to create multiple alternative password policies that you can apply to subsets of target systems, defined by a target system group.
For example, you may want to create multiple policies for incompatible systems. In some cases, it is impossible to formulate a single, consistent password policy that works across two different systems. Typically this happens when one system requires strong security, and complex passwords, while another system simply cannot support complex passwords.
Examples of weak systems include legacy applications that use very short passwords or numeric PINs, voice mail passwords, and so on.
Systems with a moderate password complexity capability typically include mainframes and DBMS servers.
Systems with a strong password complexity capability typically include Novell NetWare, Windows Active Directory, LDAP directories, and modern implementations of Unix.
Best practice
Bravura Security recommends that all target systems belong to a single target system group, and are subject to a single password policy. Synchronizing passwords significantly reduces help desk call volume. Even passwords on systems notorious for "weak" passwords, such as mainframes, can be made strong with a good combination of password policy rules. Forcing users to change passwords often also strengthens security. Grouping target systems is usually only done for legacy applications or to comply with internal policy.
The case for alternative password policies across user classes
In some cases, you may want to use different password policies on the same target system for different users. For example, administrative users on an Active Directory domain may have a stricter password policy than regular users on the same domain. You can implement this by defining user class and password policy associations in target system groups, in addition to the default password policy for each target system group. Bravura Security Fabric uses these associations to find which password policy should be applied to a given user's password changes.
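The following Python model is an added illustration of the two situations described above (incompatible per-system rules, and user-class overrides within one target system group); it is not Bravura Security Fabric's own code or rule engine. The policy fields, the "required character classes" rule, the sample systems (VOICEMAIL-PIN, MAINFRAME, AD-USERS, AD-ADMINS), the HELPDESK user class and the first-match precedence for user-class associations are all constructed assumptions for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Character classes a policy can demand, and one probe character per class used
# to ask "can this system store a character of that class at all?"
CLASS_PATTERNS = {"upper": r"[A-Z]", "lower": r"[a-z]",
                  "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
CLASS_PROBES = {"upper": "A", "lower": "a", "digit": "0", "symbol": "!"}


# Illustrative policy model (assumption for this example, not the product's rule set).
@dataclass(frozen=True)
class PasswordPolicy:
    policy_id: str
    min_length: int
    max_length: int
    allowed_chars: str      # body of a regex character class: what the system can store
    required_classes: int   # how many of upper/lower/digit/symbol must be present

    def violations(self, password: str) -> list[str]:
        """Return every rule the candidate breaks; an empty list means accepted."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if not re.fullmatch(f"[{self.allowed_chars}]*", password):
            problems.append("contains characters the system cannot store")
        present = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS.values())
        if present < self.required_classes:
            problems.append(f"needs {self.required_classes} character classes, has {present}")
        return problems


def intersection_satisfiable(policies: list[PasswordPolicy]) -> tuple[bool, str]:
    """Can one password satisfy every policy in the list at once?
    Checks the combined length window, then whether the strictest class
    requirement can be met using only characters every system accepts."""
    lo = max(p.min_length for p in policies)
    hi = min(p.max_length for p in policies)
    if lo > hi:
        return False, f"no length works: must be at least {lo} but at most {hi}"
    shared = [name for name, ch in CLASS_PROBES.items()
              if all(re.fullmatch(f"[{p.allowed_chars}]", ch) for p in policies)]
    need = max(p.required_classes for p in policies)
    if need > len(shared):
        return False, f"need {need} character classes but all systems share only {shared}"
    return True, f"length {lo}-{hi} using classes {shared}"


@dataclass
class TargetSystemGroup:
    name: str
    default_policy: PasswordPolicy
    # (user class, policy) pairs in precedence order; first match wins (assumption)
    user_class_policies: list[tuple[str, PasswordPolicy]] = field(default_factory=list)


def policy_for(group: TargetSystemGroup, user_classes: set[str]) -> PasswordPolicy:
    """Pick the first user-class policy the user qualifies for, else the group default."""
    for user_class, policy in group.user_class_policies:
        if user_class in user_classes:
            return policy
    return group.default_policy


# Constructed sample systems spanning the weak / moderate / strong tiers.
VOICEMAIL = PasswordPolicy("VOICEMAIL-PIN", 4, 8, "0-9", 1)
MAINFRAME = PasswordPolicy("MAINFRAME", 8, 8, "A-Za-z0-9", 2)
AD_USERS = PasswordPolicy("AD-USERS", 8, 64, r"A-Za-z0-9!@#$%^&*", 3)
AD_ADMINS = PasswordPolicy("AD-ADMINS", 15, 64, r"A-Za-z0-9!@#$%^&*", 4)

# One target system group with a default policy and a stricter user-class override.
AD_GROUP = TargetSystemGroup("AD-DOMAIN", AD_USERS, [("HELPDESK", AD_ADMINS)])

if __name__ == "__main__":
    for combo in ([AD_USERS, MAINFRAME], [AD_USERS, VOICEMAIL], [AD_ADMINS, MAINFRAME]):
        ok, why = intersection_satisfiable(combo)
        print([p.policy_id for p in combo],
              "single policy possible" if ok else "incompatible", "-", why)
    for classes in ({"STAFF"}, {"STAFF", "HELPDESK"}):
        print(sorted(classes), "->", policy_for(AD_GROUP, classes).policy_id)
    print("AD-ADMINS check:", AD_ADMINS.violations("Xy7kq2Lm"))
```

The AD-USERS and MAINFRAME pair still admits one shared policy (an 8-character alphanumeric password with three character classes satisfies both), while the voice-mail PIN system and the 15-character administrator policy each make a single global policy impossible for a different reason: the PIN alphabet cannot supply the required character classes, and the mainframe's fixed 8-character length cannot reach the administrators' minimum. That is the point at which a separate target system group, or a user-class association, becomes the practical answer.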
Add a password policy
To add a password policy:
Click Manage the system > Policies > Password policies.
Click Add new….
Type a unique password policy ID and a Description.
Click Add.