Password expiration and remote users

I am implementing a password complexity and expiration policy and have a couple of questions:

  1. Some users only VPN in and use services provided by the servers (VPN uses AD authentication). Will an expired password stop them from VPNing in and using the Portal to change their password?

  2. If the answer is yes: Is it safe to have the portal facing the Internet?

  3. If the answer is no, how do I enforce the 90 day password expiration on remote users?

Gerald

Hello,

On 1.

  • Yes an expired password should stop them from using the VPN. I say Should because it depends strongly on your exact VPN-Settings. If you bind your Authentication straight to the AD I would say Yes.

On 2.

On 3.

  • If no you might use the auth-module in your VPN Environment. If yes have a look to our documentation about password management

What ever you do, have fun :slight_smile:

I’d like to run the Portal with nothing but Self Service password changing (no password reset, profile, etc). I guess the password can be brute force changed, but it still doesn’t give them access.

Please check:

ucr search --brief self-service |grep --color enabled
self-service/web/enabled: yes
umc/self-service/account-deregistration/enabled: false
umc/self-service/account-registration/backend/enabled: false
umc/self-service/account-registration/frontend/enabled: false
umc/self-service/account-verification/backend/enabled: false
umc/self-service/account-verification/frontend/enabled: false
umc/self-service/enabled: yes
umc/self-service/invitation/enabled: true
umc/self-service/passwordchange/frontend/enabled: <empty>
umc/self-service/passwordreset/backend/enabled: <empty>
umc/self-service/passwordreset/email/enabled: yes
umc/self-service/passwordreset/external/enabled: no
umc/self-service/passwordreset/frontend/enabled: <empty>
umc/self-service/passwordreset/sms/enabled: no
umc/self-service/profiledata/enabled: true
umc/self-service/protect-account/backend/enabled: <empty>
umc/self-service/protect-account/frontend/enabled: <empty

this might be the tool you looking for
and:

ucr set umc/self-service/account-deregistration/enabled='false'`

is a example how to put it in practice.

How to design the Portal in your turns, was described in more details here.

I hope this helps :slight_smile: