_Policy Settings_MX1_MX4_DISA

Password Policies

Policy Setting	Default	Description/Values
Minimum Length	6 characters	Type in the minimum password length (from 6-40 characters). Note Passwords can be up to 80 characters.
Quality	Basic	Select the required password quality; works in conjunction with Password requires at least below: Basic: Sets the minimum password length as the only requirement to accept a new password. Strong: Adds more strict requirements to the password structure. Checks for minimum length as well as other criteria such as minimum number of required upper case characters, digits, and symbols.
Strong Requirements	0	(Password quality must be Strong) Specify the minimum required number of: Uppercase letters Digits Symbols The range is from 0 to 40 for all 3.
Remember Last (Passwords)	5	(Password quality must be Strong) This option determines the number of unique new passwords that must be associated with a user account before an old password can be reused. The range is from 5 to 500.
Minimum Lifetime (Days)	0	(Password quality must be Strong) This option restricts the user's ability to change their password. Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. The range is from 0 (no restriction) to 7 days.
Password Expiration	Disabled	Check this checkbox to enable Password expiration.

Session Policies

Policy Setting	Default	Description/Values
Auto Logout	Disabled	Check this checkbox to automatically log users out after a specified period of idle time. When enabled, if a user has been inactive for longer than the specified period of time, he/she will be logged out and redirected to the Sign-in page. Systems that are left logged on may represent a security risk for an organization. Note Enabling the Auto-Logout Session policy also limits the number of concurrent sign-ins per account to 4.
Logout when idle for	N/A if Disabled ---------- 15 minutes if Enabled	(Auto Logout must be enabled) Specifies the maximum length of time the system may be idle before the user will be logged out. Range: 1 - 1440 minutes.
Limit Login Attempts	Disabled	Check this checkbox to lock a user account after the specified number of consecutive failed sign-in attempts during the specified time period. This may be used to reduce the risk of unauthorized system access via user password guessing.
Max Failed Attempts	N/A if Disabled ---------- 3	(Limit Login Attempts must be enabled) Specifies the maximum number of consecutive failed sign-in attempts allowed during the specified time interval before the account will be locked. Range: 3..10
Failed Interval (Minutes)	N/A if Disabled ---------- 15 minutes if Enabled	(Limit Login Attempts must be enabled) Specifies the time period during which the consecutive failed sign-in attempts will be counted to lock out the account. Range: 5..60 minutes Note If a user fails the “Max Failed Attempts” within the “Failed interval”, the account will be locked for 10 minutes.

Account Policies

Policy Setting	Default	Description/Values
Disable Inactive Accounts	Disabled	Check this checkbox to enable automatic disabling of user accounts after the specified number of days of account inactivity.
Inactivity Timeout (Days)	N/A if Disabled ---------- 90 Days if Enabled	(Disable Inactive Accounts must be enabled) Specifies the number of days (since the last login) after which the user account will be disabled. Disabled accounts can be re-enabled either via the “account `<uname> enable`” CLI command or from the Web Interface Admin>Accounts List View where the Action drop-down list will include an option to re-enable a disabled account. Tip The system adds one (1) day (or 24hour grace period) to the setting configured by the user.

Cryptography Policies

Policy Setting	Default	Description/Values
Compliance	None	Specifies the required cryptographic compliance, either: None FIPS 140-2: Applies cryptographic modules accredited under the Federal Information Processing Standard (FIPS) Publication 140-2. NDPP v1.1: Activates cryptographic security to a level compliant with the National Information Assurance Partnership (NIAP) Network Device Protection Profile, Revision 1.1. SP800-52 Revision 1 (deprecated): Applies cryptographic modules accredited under the National Institute of Standards and Technology (NIST) Special Publication 800-52, Revision 1. SP800-52 Revision 2: Supersedes SP800-52 Revision 1. Applies cryptographic modules accredited under the NIST Special Publication 800-52, Revision 2. Note Either selection will reinforce security for all management functions of the decoder in terms of cryptography. This setting will take effect upon the next reboot.
TLS Versions	TLSv1.2, TLSv1.1, TLSv1.0	Specifies which TLS (Transport Layer Security) versions are accepted from the HTTPS client. TLSv1.2 TLSv1.1 TLSv1.0 SSLv3 Note SSLv3 can be enabled only if Compliance is set to None. At least one TLS version must be enabled. Tip For backward compatibility considerations, you may choose to disable the older TLS versions not needed by the organization's TLS peers (i.e., browsers, `syslog` server) and plan the upgrade of those not supporting the latest TLS version with the objective of enabling only the latest TLS version.

HTTP Policies

Policy Setting	Default	Description/Values
Strict Transport Security	Disabled	Check this checkbox to enable HTTP Strict Transport Security (HSTS). HSTS forces web browsers to only contact the Web interface over HTTPS, instead of using HTTP.