Password Policy Enforcer Administrator's Guide

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta name="keywords" content="password policy enforcer anixis windows password policy passfilt password filter PPE Rules" /> <meta name="description" content="Password Policy Enforcer PPE Rules." /> <title>Password Policy Enforcer PPE Rules</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="first" title="First" href="TOC.html" /> <link rel="last" title="Last" href="License_Agreement.html" /> <link rel="previous" title="Previous" href="Testing_Policies.html" /> <link rel="next" title="Next" href="Length_Rule.html" /> </head> <body> <table id="SummaryNotReq1" width="220" border="0" align="right" cellpadding="0" cellspacing="0"> <tr> <td align="right"> <a accesskey="4" href="Testing_Policies.html"><img id="LongDescNotReq1" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="Length_Rule.html"><img id="LongDescNotReq2" src="images/next.gif" border="0" alt="Next" /></a><br /><br /> <span><a href="http://www.anixis.com/" style="font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: bold; color: #007577;" target="_top">ANIXIS Web Site</a></span> </td> </tr> </table> <p> <a href="http://www.anixis.com/products/ppe/" target="_top"><img id="LongDescNotReq3" src="images/logo.gif" width="174" height="46" border="0" alt="Password Policy Enforcer" /></a> </p> <hr align="left" /> <blockquote> <a name="wp9000521"> </a><h2 class="pHeading1"> PPE Rules </h2> <a name="wp9000522"> </a><p class="pBody"> PPE uses rules to decide if it should accept or reject a password. Each policy has rules that are configured independently of the rules in other policies. To display the rules for a policy: </p> <div class="pSmartList1"><ol type="1" class="pSmartList1"> <a name="wp9000523"> </a><div class="pSmartList1"><li>Click the <span style="font-weight: bold">Policies</span> item to display the <a href="Management_Console_Views.html#wp9000335">Policies view</a>.</li></div> <a name="wp9000524"> </a><div class="pSmartList1"><li>Double-click the desired policy in the right pane of the management console.</li></div> </ol></div> <a name="wp9000525"> </a><p class="pBody"> Icons representing each rule appear in the right pane of the management console. If a rule icon is displayed in a dimmed state, it indicates that the rule is disabled (not enforced). Double-click a rule's icon to display the Rule Properties page. </p> <a name="wp9000526"> </a><h4 class="pHeading4"> Detecting Character Substitution </h4> <a name="wp9000527"> </a><p class="pBody"> Character substitution is a technique used by some users to improve password quality. These users replace some alphabetic characters with non-alphabetic characters that have a similar appearance. For example, "sold" becomes "$old". Unfortunately, many of these substitutions are well know, and do little to improve password strength. </p> <a name="wp9000528"> </a><p class="pBody"> Several PPE rules have a <span style="font-weight: bold">Detect Character Substitution</span> check box. When this check box is selected, PPE tests passwords with, and without character substitution. This stops users from using common character substitutions to circumvent the rule. PPE detects these common character substitutions: </p> <a name="wp9000529"> </a><p class="pBodyRelative"> </p> <div align="left"> <table border="1" cellpadding="2" cellspacing="0" bordercolor="#007577" id="wp9000009table4000003"> <caption></caption> <tr align="left" valign="top"> <td><a name="wp9000009"> </a><div class="pCellHeading"> Original      </div> </td> <td><a name="wp9000010"> </a><div class="pCellHeading"> Substituted      </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000011"> </a><div class="pCellBody"> A        a </div> </td> <td><a name="wp9000012"> </a><div class="pCellBody"> ^      @ </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000013"> </a><div class="pCellBody"> B        b </div> </td> <td><a name="wp9000014"> </a><div class="pCellBody"> 8 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000015"> </a><div class="pCellBody"> C        c </div> </td> <td><a name="wp9000016"> </a><div class="pCellBody"> (       {       <       [      </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000017"> </a><div class="pCellBody"> D        d </div> </td> <td><a name="wp9000018"> </a><div class="pCellBody"> )       }       >       ]      </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000019"> </a><div class="pCellBody"> E        e </div> </td> <td><a name="wp9000020"> </a><div class="pCellBody"> 3 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000021"> </a><div class="pCellBody"> G        g </div> </td> <td><a name="wp9000022"> </a><div class="pCellBody"> 6      9 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000023"> </a><div class="pCellBody"> I          i </div> </td> <td><a name="wp9000024"> </a><div class="pCellBody"> !        |       1 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000025"> </a><div class="pCellBody"> O        o </div> </td> <td><a name="wp9000026"> </a><div class="pCellBody"> 0 (zero) </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000027"> </a><div class="pCellBody"> S        s </div> </td> <td><a name="wp9000028"> </a><div class="pCellBody"> $      5 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000029"> </a><div class="pCellBody"> T         t </div> </td> <td><a name="wp9000030"> </a><div class="pCellBody"> +      7 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000031"> </a><div class="pCellBody"> Z         z </div> </td> <td><a name="wp9000032"> </a><div class="pCellBody"> 2 </div> </td> </tr> </table> </div> <p class="pBodyRelative"> </p> <a name="wp9000530"> </a><p class="pBody"> <br />The <span style="font-weight: bold">Use version 3 Character Substitution Table</span> check box in the <a href="PPS_Properties.html">PPS Properties</a> page is used to maintain backwards compatibility with older versions of the <a href="The_Password_Policy_Client.html">Password Policy Client</a>. Refer to the PPE V3.x documentation for a list of substitutions detected by PPE V3.x. </p> <a name="wp9000531"> </a><h4 class="pHeading4"> Automatic Tolerance </h4> <a name="wp9000532"> </a><p class="pBody"> Some PPE rules have a <span style="font-weight: bold">Tolerance</span> drop-down list that allows you to control how strictly PPE enforces the rule. Tolerance is normally expressed as the maximum allowable number of consecutive matching characters in the password and some other parameter. PPE rejects a password if the specified tolerance is exceeded. For example, the logon name "mary<span style="font-weight: bold">jones</span>", and the password "<span style="font-weight: bold">Jones</span>town" contain five consecutive matching characters (shown in bold type). PPE will reject this password if the tolerance for the <a href="User_Logon_Name_Rule.html">User Logon Name</a> rule is four (or lower), and accept it if the tolerance is five (or higher). </p> <a name="wp9000533"> </a><p class="pBody"> The <a href="User_Logon_Name_Rule.html">User Logon Name</a>, <a href="User_Display_Name_Rule.html">User Display Name</a>, and <a href="Similarity_Rule.html">Similarity</a> rules have an Auto tolerance option. Setting the tolerance to Auto instructs PPE to only reject passwords that contain the entire parameter being compared. This is very useful when the length of the comparison parameter is unknown. For example, if you want PPE to reject passwords that contain the user's entire logon name, then you cannot specify a fixed tolerance unless all logon names have the same length. Setting the tolerance to Auto allows PPE to calculate an appropriate tolerance during every password change. </p> <a name="wp9000534"> </a><p class="pBody"> PPE sets the tolerance to the length of the comparison parameter minus one. The table below shows three different parameter values and the calculated tolerance for each one. PPE will reject a password if it contains all the text in the Value column (or a derivative of it if <a href="PPE_Rules.html#wp9000526">character substitution</a> detection or bi-directional analysis is enabled). </p> <a name="wp9000535"> </a><p class="pBodyRelative"> </p> <div align="left"> <table border="1" cellpadding="2" cellspacing="0" bordercolor="#007577" id="wp9000033table4000004"> <caption></caption> <tr align="left" valign="top"> <td><a name="wp9000033"> </a><div class="pCellHeading"> Rule </div> </td> <td><a name="wp9000034"> </a><div class="pCellHeading"> Parameter </div> </td> <td><a name="wp9000035"> </a><div class="pCellHeading"> Value </div> </td> <td><a name="wp9000036"> </a><div class="pCellHeading"> Tolerance </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000037"> </a><div class="pCellBody"> User Logon Name </div> </td> <td><a name="wp9000038"> </a><div class="pCellBody"> Logon name </div> </td> <td><a name="wp9000039"> </a><div class="pCellBody"> maryjones </div> </td> <td><a name="wp9000040"> </a><div class="pCellBody"> 8 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000041"> </a><div class="pCellBody"> User Display Name  </div> </td> <td><a name="wp9000042"> </a><div class="pCellBody"> Display name </div> </td> <td><a name="wp9000043"> </a><div class="pCellBody"> Mary Jones  </div> </td> <td><a name="wp9000044"> </a><div class="pCellBody"> 9 </div> </td> </tr> <tr align="left" valign="top"> <td><a name="wp9000045"> </a><div class="pCellBody"> Similarity </div> </td> <td><a name="wp9000046"> </a><div class="pCellBody"> Current password  </div> </td> <td><a name="wp9000047"> </a><div class="pCellBody"> oldpass </div> </td> <td><a name="wp9000048"> </a><div class="pCellBody"> 6 </div> </td> </tr> </table> </div> <p class="pBodyRelative"> </p> <a name="wp9000536"> </a><p class="pBody"> <br />PPE's Auto tolerance calculation has a minimum limit to stop passwords from being rejected when the comparison parameter is very short. The limit is set to two by default, so PPE will accept passwords that contain the parameter value if the comparison parameter only contains one or two characters. Send an e-mail to <a href="mailto:support@anixis.com">support@anixis.com</a> if you need to change the minimum limit. </p> <hr width="100%" align="left" size="1" /> <table width="95%" border="0" cellspacing="0"> <tr> <td width="50" valign="top"> <img src="images/warning.gif" width="32" height="32" /> </td> <td> <a name="wp9000537"> </a><p class="pWarning"> Do not use the automatic tolerance option with PPE V4.x or V3.x clients, including PPE/Web V3.x and ANIXIS Password Reset V1.x. These clients will enforce an extremely restrictive password policy if this option is enabled. They will reject any password that contains a character found in the comparison parameter. </p> </td> </tr> </table> <hr width="100%" align="left" size="1" /> </blockquote> <hr /> <table id="SummaryNotReq2" align="right" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="right"> <span style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 11px"> © Copyright 1998 - 2009 <a href="http://www.anixis.com/" target="_top">ANIXIS</a>.<br />All rights reserved. </span> </td> </tr> </table> <table id="SummaryNotReq3" width="220" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <a accesskey="4" href="Testing_Policies.html"><img id="LongDescNotReq4" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="Length_Rule.html"><img id="LongDescNotReq5" src="images/next.gif" border="0" alt="Next" /></a> </td> </tr> </table> </body> </html>