Forum Discussion

Ireda's avatar
Ireda
Icon for Cirrus rankCirrus
Sep 12, 2023

APM Password policy

Dears

We need to enable the password policy on IT-Admin accounts as per the below details, Is the below ok, or what is recommended? Is there any impact?

 

 

6 Replies

  • 1- how can I send expiration notifications?
    I personally don't use expiration notifications, i use the f5 to enforce a password update.
    You can do this on the day or give them a certain amount of days to bypass the password change before its enforced.  The only thing being is that i do this with AD (its controlled using the AD Query) i don't know if that functionality is avaiable when using the local user database. JRahm is there someone who can answer this?

    Getting the f5 to manage the change is quick, and ensures its done and people don't miss notificaitions before the account is locked.

    2- If the user did not see the notification, the expiration period is finished and the user is locked, how user can change the password?

    Using a password update feature may be best for you here, as long as they know their previous password it should work nicely for you.

    3- if the user is locked, is another admin can unlock this user? if yes, is the user must change the password after unlock, or maybe user's last password?

    I've done this using AD, so clicking the box in the user on AD for "user changes password at next logon" triggers the f5 to enforce a password update. Very nice and clean. If its using the internal user DB i don't know hopefully Jason can find someone for you to help.

    Hope this helps.

    • Ireda's avatar
      Ireda
      Icon for Cirrus rankCirrus

      Dears,

      Please support us in below:

      • How can we receive the expiration warning?
      • If the admin didn’t change the password on the same date/time, what we can do?
      • When we receive the expiration warning, how can we change the password? The system will ask us to change it, our we must log in and change it from GUI.
      • I'm not sure how to do the expiration warning, as your using internal auth.

        But what ever happens your root and admin access will still be in place so you can always get in to fix an account.

  • Like Amine_Kadimi suggested those parameters need to be verfied by your security team and the business policy.

    But looking at the numbers you have selected, for "Required Characters" look very heavy, hey i like heavy i work in security but this is a standard policy for all users so this might cause you a issue.

    So you have set a 14 character min, cool. Recommendations seem to be going to 20+ characters for admins, but as a standard policy in the f5 you can't set different rules.

    The point i want to make here is you have requested 
    Number:6 
    Upper Case: 3
    Lower Case: 3
    Other: 2

    So this is a minimum config.
    So you are asking for a something like 3D4g!g8DF5w6£0 or more characters.
    In CIS, it only suggests you have 14 characters and at least 1 Upper case, 1 lower case and 1 other.
    A quick google found this that might help - https://www.securden.com/blog/top-10-password-policies.html
    Or look at CIS if you have the log in creds.

    This doesn't mean that the password can't have more, it just means the enforcement is lower and normally you have to find a good balance with your user community. If this isn't a issue then you should be fine.

    My other question, is when you say IT-Admin is this a internal group for RBAC or are you talking about the default "admin" account as these parameters do not affect that account as its a break glass account if nothing else.

    I normally use a password manager and set a 32 character password with everything thrown at it for that account!
    (And the root one)

    • Ireda's avatar
      Ireda
      Icon for Cirrus rankCirrus

      Thanks for your support, Noted.

      Please I have other some questions.

      1- how can I send expiration notifications?

      2- If the user did not see the notification, the expiration period is finished and the user is locked, how user can change the password?

      3- if the user is locked, is another admin can unlock this user? if yes, is the user must change the password after unlock, or maybe user's last password?

      Thanks

  • Hi, first of all I assume this is not a question specific to APM users accessing through portal or vpn client but to big-ip local admins 

    As per your screenshot, there is no reason to specify the exact number of required characters (6 3 3 2). I -personnaly- consider (1 1 1 1) to be secure enough, and I -personnaly- think what you have now is paranoia not security.

    Regarding other fields, some would tell you that it is a very secure configuration, some others would not, I would tell you that it depends on your environment and this is the type of question I always forward to the CISO team to decide what has to be configured not to F5 admins nor to my -personal- feeling of what is secure or not.