Forum Discussion

dwill_183011
Jan 16, 2015

Secure password policy for the BIG-IP system (11.x)

SOL15497 states "When enabled, enforcement restrictions are applied to all user accounts, except for the user accounts that have the administrator role assigned to them. Consequently, a user with administrator permissions does not need to adhere to these restrictions when either changing passwords, or changing the passwords of other user accounts."

The SOL further states under the Minimum Length and Required Characters sections: "Important: When enabled, this setting is enforced on all user accounts, except the user account with the administrator role assigned (including the root and admin accounts) and is not subjected to the restrictions imposed by this setting."

When I tested this on the trial VE software, both of those settings do seem to apply and enforce the settings on both the admin and root accounts, contrary to what is stated in the SOL.

Is this caused by a possible difference between the trial software and the actual production software?

Is this a possible bug?

If the enforcement restrictions do not apply to the admin and root accounts, then how do you recommend configuring the management access to support the PCI 3.0 requirements of section 8.2.3?

8.2.3 Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
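The post contrasts the documented behaviour (administrator-role accounts exempt from the password policy) with the observed behaviour (everyone checked) and asks what that means for PCI DSS 8.2.3. The following added example is not F5 code and does not talk to a BIG-IP; it models the two PCI 8.2.3 rules quoted above as a policy, models the SOL15497 exemption as a flag, and runs an audit over a constructed account list so you can see which accounts would be allowed to keep a non-compliant password under each interpretation. The role name "administrator", the account records and the passwords are all constructed for the illustration.

```python
# Constructed policy mirroring the two PCI DSS 8.2.3 rules quoted in the post:
# minimum length 7, and both alphabetic and numeric characters present.
PCI_8_2_3_POLICY = {
    "minimum_length": 7,
    "required_alpha": 1,
    "required_numeric": 1,
}

# Assumed role name for the exemption described in SOL15497 (illustrative only).
ADMIN_ROLES = {"administrator"}


def policy_violations(password: str, policy: dict) -> list:
    """Return the names of the rules the password violates (empty list = compliant)."""
    violations = []
    if len(password) < policy["minimum_length"]:
        violations.append("minimum_length")
    if sum(c.isalpha() for c in password) < policy["required_alpha"]:
        violations.append("required_alpha")
    if sum(c.isdigit() for c in password) < policy["required_numeric"]:
        violations.append("required_numeric")
    return violations


def check_password_change(username, role, password, policy, exempt_admin_role):
    """Model the enforcement behaviour described in SOL15497.

    exempt_admin_role=True  -> documented behaviour: administrator-role accounts are not checked
    exempt_admin_role=False -> behaviour the poster observed on the trial VE: every account is checked
    Returns (accepted, violations).
    """
    if exempt_admin_role and role in ADMIN_ROLES:
        return True, []
    violations = policy_violations(password, policy)
    return (len(violations) == 0), violations


# Constructed sample accounts (not real credentials) for the audit below.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "role": "administrator", "password": "abc"},
    {"user": "root", "role": "administrator", "password": "toor"},
    {"user": "netops1", "role": "operator", "password": "Br1dge-77"},
    {"user": "auditor2", "role": "auditor", "password": "letmein"},
]


def audit(accounts, policy, exempt_admin_role):
    """Return {user: violations} for every account the system would let keep a
    password that does not meet the policy. A non-empty result is the PCI gap."""
    gaps = {}
    for acct in accounts:
        accepted, _ = check_password_change(
            acct["user"], acct["role"], acct["password"], policy, exempt_admin_role
        )
        actual = policy_violations(acct["password"], policy)
        if accepted and actual:
            gaps[acct["user"]] = actual
    return gaps


if __name__ == "__main__":
    for exempt in (True, False):
        print(f"administrator exemption={exempt}: gaps={audit(SAMPLE_ACCOUNTS, PCI_8_2_3_POLICY, exempt)}")
```

With the exemption on (the documented behaviour) the audit reports admin and root as able to hold passwords that fail both the length and numeric rules; with it off (what the poster observed) no account slips through, which is why the observed behaviour is actually the one that lines up with 8.2.3 for local accounts.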

2 Replies

  • Arie

    Using Active Directory should satisfy PCI 3.0.

  • R_Marc

    For PCI, just set it to something ridiculously long and lock those in a vault. Then never use them, except under emergency situations. You can use a remote directory (AD/Radius) and force compliance with those policies. There's no reason for users to ever log in as admin or root unless you lose access to your remote directory. PCI is all about mitigating controls.