System Settings -- Security Policies tab

Security Policies

The Security Policies tab is visible to operators who have the pzViewAuthPoliciesLP privilege in their Access Roles. This privilege is part of the role PegaRULES:SysAdm4.

The tab controls the appearance and functions of a CAPTCHA, a test that verifies that a human, not a computer process, is attempting to log in or change an operator password. The user must enter the characters that appear above an image that makes it difficult for a machine to read the characters. If you cannot read the characters, click the Refresh button to get a different image and character set.

A CAPTCHA may appear on the login screen when the user first attempts to log into the system from a given computer or after an authentication failure, and on the password-change screen. The goal is to counter "brute-force" automated attacks on system security.

The tab offers a check box, a button, and a series of settings that allow the operator to fine-tune CAPTCHA behavior. Each setting has default, minimum, and maximum values.

Check the Enable Security Policies check box to enable the settings the tab displays. Uncheck the check box to prevent the CAPTCHA functions from operating.

Click Display Audit Log to display the log that can record login attempts. Audit log behavior is governed by the Audit log level policy setting, described below.

A Report Definition report displays the "Security Audit Log" report, with a default filter to display all audit events (the filter is set to ".pxCreateDateTime is Less or Equal to Current Month"). Click the link to the right of "Filters" in the report header to adjust the date range.

For each logged event, the log captures:

Click View History to see a report of changes to security settings, including the date, the operator who made the change, and what change was made.

You can set the following policies:

Minimum operator identifier (ID) length
  Default value: 8. Min value: 3. Max value: 64.

Minimum operator password length
  Default value: 8. Min value: 3. Max value: 64.

Minimum numeric [0-9] characters required in operator password
  Default value: 1. Min value: 0. Max value: 64.

Minimum alphabetic [a-zA-Z] characters required in operator password
  Default value: 1. Min value: 0. Max value: 64.

Minimum special characters required in operator password
  Notes: The available special characters are: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] | \ : " ; ' < > ? , . /
  Default value: 1. Min value: 0. Max value: 64.

Minimum unique historical operator passwords
  Notes: If the value is 5, you cannot change your password to match any of the most recent five passwords you used.
  Default value: 5. Min value: 0. Max value: 128.

Maximum operator password age
  Notes: The maximum number of days before the operator must change the password.
  Note: If you set the value to 0, the password will never expire. To have the password expire, select a value between 1 and 128.
  Default value: 5. Min value: 0. Max value: 128.

CAPTCHA implementation
  Notes: If Default, the system presents the CAPTCHA implementation shipped with Pega 7.
  If Custom, the system presents the custom CAPTCHA implementation enabled for this system. An application can make use of third-party CAPTCHA solutions on the application login screen; however, a certain amount of developer work is required to prepare the custom RuleSet to deliver the third-party resource.
  Default value: Default

Enable CAPTCHA Reverse Turing Test Module
  Notes: If enabled, the system presents the CAPTCHA upon authentication failure, with a probability set by the following field.
  If disabled, no CAPTCHA is presented even on login failure.
  Default value: Enabled

Probability that CAPTCHA will be presented upon authentication failure
  Notes: If the CAPTCHA Reverse Turing Test is enabled in the field above, the percentage set here is the likelihood that the CAPTCHA appears.
  Default value: 5. Min value: 0. Max value: 100.

Enable presentation of CAPTCHA upon initial login
  Notes: If enabled, the CAPTCHA displays the first time the user tries to log on to a new system or from a new computer.
  Default value: Enabled

Enable authentication lockout penalty mechanism
  Notes: If enabled, after n failed login attempts, the system imposes a delay of mm seconds after every unsuccessful login attempt. The values are set in the fields below.
  Default value: Enabled

Failed login attempts before employing authentication lockout penalty
  Notes: After the number of failed attempts set here, the user will experience a delay after each further attempt. The delay will get longer with each attempt.
  Default value: 5. Min value: 0. Max value: 128.

Initial authentication lockout penalty
  Notes: Set the initial delay, in seconds.
  Default value: 8. Min value: 0. Max value: 128.

Audit log level
  Notes: Set the Audit log level. The options are:
  • None — No log entry is added.
  • Basic — Record failed login attempts only.
  • Advanced — Record failed and successful login attempts.
  For an example, see PDN article How to configure login security and password policies.
  Default value: Advanced

More advanced customizations are possible. See PDN article Customizing CAPTCHA presentation and function.
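
The password-composition and history policies listed on this page, applied to a candidate password. This is an added example, not Pega code: the names make_policy and check_password are hypothetical, the default, minimum, and maximum values are the ones given above, and the plaintext history comparison is a simplification.

```python
import string

# Special characters listed on this page for the special-characters policy.
SPECIALS = set("`~!@#$%^&*()_+-={}[]|\\:\";'<>?,./")

# (default, min, max) for each policy, as given on this page.
# The key names are hypothetical labels chosen for this example.
BOUNDS = {
    "min_length":  (8, 3, 64),
    "min_numeric": (1, 0, 64),
    "min_alpha":   (1, 0, 64),
    "min_special": (1, 0, 64),
    "history":     (5, 0, 128),
}

def make_policy(**overrides):
    """Start from the page's defaults; reject values outside min..max."""
    policy = {name: default for name, (default, _, _) in BOUNDS.items()}
    for name, value in overrides.items():
        _, low, high = BOUNDS[name]
        if not low <= value <= high:
            raise ValueError(f"{name}={value} is outside {low}..{high}")
        policy[name] = value
    return policy

def check_password(candidate, policy, previous=()):
    """Return the names of violated policies (an empty list means accepted).

    `previous` holds the operator's earlier passwords, newest first.
    Comparing plaintext is a simplification for this example; a real
    system would compare against stored password hashes.
    """
    counts = {
        "min_length": len(candidate),
        "min_numeric": sum(c in string.digits for c in candidate),
        "min_alpha": sum(c in string.ascii_letters for c in candidate),
        "min_special": sum(c in SPECIALS for c in candidate),
    }
    problems = [name for name, n in counts.items() if n < policy[name]]
    # Only the most recent `history` passwords are off limits; 0 disables the check.
    if candidate in list(previous)[: policy["history"]]:
        problems.append("history")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, checked against the default policy.
    for pw in ("abc", "Summer#2024"):
        print(pw, check_password(pw, make_policy()))
```
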