Password expiration and remote users

I am implementing a password complexity and expiration policy and have a couple of questions:

  1. Some users only VPN in and use services provided by the servers (VPN uses AD authentication). Will an expired password stop them from VPNing in and using the Portal to change their password?

  2. If the answer is yes: Is it safe to have the portal facing the Internet?

  3. If the answer is no, how do I enforce the 90-day password expiration on remote users?

Gerald

Hello,

On 1.

  • Yes, an expired password should stop them from using the VPN. I say "should" because it depends strongly on your exact VPN settings. If you bind your authentication straight to the AD, I would say yes.

On 2.

On 3.

  • If no, you might use the auth module in your VPN environment. If yes, have a look at our documentation about password management.

Whatever you do, have fun :)

I’d like to run the Portal with nothing but Self Service password changing (no password reset, profile, etc). I guess the password can be brute force changed, but it still doesn’t give them access.

Please check:

ucr search --brief self-service |grep --color enabled
self-service/web/enabled: yes
umc/self-service/account-deregistration/enabled: false
umc/self-service/account-registration/backend/enabled: false
umc/self-service/account-registration/frontend/enabled: false
umc/self-service/account-verification/backend/enabled: false
umc/self-service/account-verification/frontend/enabled: false
umc/self-service/enabled: yes
umc/self-service/invitation/enabled: true
umc/self-service/passwordchange/frontend/enabled: <empty>
umc/self-service/passwordreset/backend/enabled: <empty>
umc/self-service/passwordreset/email/enabled: yes
umc/self-service/passwordreset/external/enabled: no
umc/self-service/passwordreset/frontend/enabled: <empty>
umc/self-service/passwordreset/sms/enabled: no
umc/self-service/profiledata/enabled: true
umc/self-service/protect-account/backend/enabled: <empty>
umc/self-service/protect-account/frontend/enabled: <empty>

This might be the tool you are looking for, and:

ucr set umc/self-service/account-deregistration/enabled='false'

is an example of how to put it into practice.

How to design the Portal in your turns was described in more detail here.

I hope this helps :)
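
As an added example (not part of any post in this thread and not Univention's own code), the listing above can be audited with a small script that flags every self-service switch that is still on, or left at its default, before the portal is exposed. The sample input is constructed from the listing in the thread; the `KEEP` list, the function names and the set of values treated as "on" are assumptions for illustration.

```shell
# Added example (not from the thread): audit self-service feature switches.
# Constructed sample input: the listing quoted in the thread.
sample_listing() {
cat <<'EOF'
self-service/web/enabled: yes
umc/self-service/account-deregistration/enabled: false
umc/self-service/account-registration/backend/enabled: false
umc/self-service/account-registration/frontend/enabled: false
umc/self-service/account-verification/backend/enabled: false
umc/self-service/account-verification/frontend/enabled: false
umc/self-service/enabled: yes
umc/self-service/invitation/enabled: true
umc/self-service/passwordchange/frontend/enabled: <empty>
umc/self-service/passwordreset/backend/enabled: <empty>
umc/self-service/passwordreset/email/enabled: yes
umc/self-service/passwordreset/external/enabled: no
umc/self-service/passwordreset/frontend/enabled: <empty>
umc/self-service/passwordreset/sms/enabled: no
umc/self-service/profiledata/enabled: true
umc/self-service/protect-account/backend/enabled: <empty>
umc/self-service/protect-account/frontend/enabled: <empty>
EOF
}

# Assumption: a password-change-only portal still needs these switches on.
KEEP="self-service/web/enabled umc/self-service/enabled"
KEEP="$KEEP umc/self-service/passwordchange/frontend/enabled"

# Reads "key: value" lines on stdin and prints one finding per line:
#   DISABLE <key>  switch is on and not in KEEP
#   REVIEW <key>   value is <empty>, so the package default decides
audit_self_service() {
    while IFS= read -r line; do
        key=${line%%: *}
        val=$(printf '%s' "${line#*: }" | tr 'A-Z' 'a-z')
        case "$key" in */enabled) ;; *) continue ;; esac
        case " $KEEP " in *" $key "*) keep=1 ;; *) keep=0 ;; esac
        case "$val" in
            yes|true|1|on|enable|enabled) [ "$keep" -eq 1 ] || echo "DISABLE $key" ;;
            '<empty>') echo "REVIEW $key" ;;
        esac
    done
    return 0
}
# Turns DISABLE findings into the `ucr set` form used in the thread.
suggest_commands() {
    audit_self_service | sed -n "s/^DISABLE \(.*\)/ucr set \1='false'/p"
}
sample_listing | audit_self_service
```

On a live system, pipe `ucr search --brief self-service` into `audit_self_service` instead of the sample; the `REVIEW` lines are the ones to set explicitly so the exposed portal does not depend on package defaults.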
