Closed

Closed due to inactivity. Received 38 votes with last vote on 08 Nov 2019.

Password Security Policies - DoD requires them

Searching around, I've seen some of these items have been requested for quite some time.  One of these capabilities has actually been removed.  I thought I would bring them back up again.

Things that my organization needs:

1 - Implement password policies. Being military, we have some pretty strict password policies. Many are required for any DoD system. SolarWinds does not allow for implementation of any of them. A good example of a policy is requiring users with any elevated rights on any DoD system to change their password every 90 days. Another good one is not allowing previous passwords to be reused. On top of that, enforcing strong passwords.

2 - Users able to change their own password at any time WITHOUT any type of elevated rights.

3 - Password reset/recovery system of some sort. Upon first login, require the user to type a challenge question and answer along with changing their given default password.

4 - Account lockout after multiple incorrect password attempts.

There has been a big push for Active Directory integration.  The problem with this is AD control is no longer in the hands of the base.  The same thing with CAC-logins.  We can't integrate in AD or make our system CAC-enabled because of certain circumstances.  Not to mention, the AFNOC has already crashed the server once by pushing mandated patches.

I have to say that SolarWinds does what it is intended to do very well for us.  However, the more I dig into tweaking our setup, the more I realize that SolarWinds is severely lacking in basic security features for an IT system.  What makes that so alarming is what can be done to a network if NCM is installed.  Unfortunately, I'm having to brief leadership on these issues and they are not happy.
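As an added illustration (not code from the post or from SolarWinds), here is a small Python model of the four controls requested above: maximum password age, a password history that blocks reuse, complexity checks, self-service change without elevated rights, a forced change of the issued default password, and lockout after repeated failures. The 90-day age and the lockout come from the post; the other thresholds are assumed values chosen for the example, and times are plain Unix seconds.

```python
import hashlib, hmac, os, re
# Policy parameters: the 90-day maximum age and lockout after repeated failures are from
# the post; the remaining values are assumptions chosen for this example.
MAX_AGE = 90 * 86400          # seconds
MIN_LENGTH = 15
HISTORY_DEPTH = 5             # previous passwords remembered in addition to the current one
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = 15 * 60    # seconds

def complexity_errors(pw):
    """Return the names of the complexity rules the candidate violates (empty list = OK)."""
    rules = [(len(pw) >= MIN_LENGTH, "length"), (re.search("[A-Z]", pw), "upper"),
             (re.search("[a-z]", pw), "lower"), (re.search("[0-9]", pw), "digit"),
             (re.search("[^A-Za-z0-9]", pw), "special")]
    return [name for ok, name in rules if not ok]

def _hash(pw, salt):                  # salted, slow hash: the history never reveals old passwords
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, default_pw, now):
        self.history = []                           # (salt, hash) pairs, current password last
        self.failed, self.locked_until = 0, 0
        self.changed_at, self.must_change = now, True  # the issued default must be replaced
        self._store(default_pw)
    def _store(self, pw):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(pw, salt))])[-(HISTORY_DEPTH + 1):]
    def _matches(self, pw, e): return hmac.compare_digest(_hash(pw, e[0]), e[1])
    def login(self, pw, now):
        # Returns 'locked', 'bad_password', 'change_required' or 'ok'.
        if now < self.locked_until:
            return "locked"
        if not self._matches(pw, self.history[-1]):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:    # lock the account and reset the counter
                self.locked_until, self.failed = now + LOCKOUT_DURATION, 0
            return "bad_password"
        self.failed = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change_required"
        return "ok"
    def change_password(self, old_pw, new_pw, now):
        # Self-service change: requires only the current password, no admin rights.
        if not self._matches(old_pw, self.history[-1]):
            return "bad_password"
        if complexity_errors(new_pw):
            return "weak"
        if any(self._matches(new_pw, e) for e in self.history):   # previous passwords barred
            return "reused"
        self._store(new_pw)
        self.changed_at, self.must_change = now, False
        return "ok"
```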

  • Let's take this a step further. The Federal Government and DoD have a mandate that access to all websites within the Federal Government and DoD use Two Factor Authentication (2FA). That means for us to access the SolarWinds Web GUI, it has to use 1) an Active Directory account and 2) be linked to the user's CAC and the accompanying user certificate.

    Although the process to configure it worked well for Windows Server 2008 R2 with NPM pre-12.0 and pre-IIS 7.5, there are problems when it is tried with Server 2012 R2, NPM 12.0 and IIS 7.5 when SSL is required. I know that there are patches and workarounds to fix this issue, but is there going to be a solution that is rolled up into a future version of NPM 12.X? I would hate to get this operational on the current version and then, when the next version of NPM is implemented, have it break with no way to roll back short of doing a full rebuild.

    Any information would be greatly appreciated. Although the deadline for completing this is at the end of the year for my customer, I could probably get them to push it back based on when the developers will have a working solution.

  • Patrick, I understand your pain. The AD integration works great and, as I'm sure you're already aware, you can implement CAC with AD. Not being able to control your own AD forest would be a big deal for us if we were in that boat... I too have to deal with strict guidelines on password policy... in fact the 90 days you mentioned was recently shortened to 60 for us, with a 16-character minimum and complex password requirements. It would seem fairly easy to implement at least a couple of variables for, say, password age and character length... it would be nice to go a little further than that and require upper/lower case, numbers, and special chars too, but even length and age would be better than what is built in. Welcome to the SW family... you can count on my vote!

  • Thank you for the detailed write up about your specific use cases. We definitely have a lot of room for improvement for password security.

    On your second point, you can actually access a page to reset your password without requiring elevated permissions. Unfortunately it's a bit hidden. Just have your users go to: http://<servername>/Orion/Admin/ResetPassword.aspx where <servername> is replaced with your server's name or IP. You might want to modify your menu bar to add a link to this page if your users need to change their passwords regularly.

    I realize we still have a lot of work to do, but hopefully this little item makes a difference for you.