Case # 00609347 - Identity and Access Management

Hello,
The following security requests must be made in the accounts on the Solarwinds application. We ask for your help. Thank you.
a) Regarding unsuccessful authentication attempts, if unsuccessful attempts exceed a certain number, blocking the access of the relevant user, (For 5 false attempts, the account will be locked for 15 minutes)
b) Failure to inform the person who performed the attempt after unsuccessful authentication attempts, regarding the incorrectly entered username or password, that such a username is not in the system or that the password has been entered incorrectly, (Your username or password should not be displayed incorrectly)
c) Terminating or locking the session after a certain period of time for inactive sessions, (idle timeout 15 min)
d) If more than one user can use the same user account or if a user can log in to different sessions at the same time, the information security officer does not allow this and warns the user in case of attempts to log in more than once for the same user. (If there is more than one session, either the user will not be allowed in, or the previous session will end)


Interesting requests, they should probably be broken up and put in as separate feature requests if you really want them.

However, there are some questions I'd have. Are you relying on the internal users? Have you thought of integrating with Active Directory so you can leverage their user policies and such?

Many security policies don't want the software to inform the user if a user exists or not, because if a hacker knows they have a correct username, they then know that is correct at least. That's why so many sites, if there is a bad password, tell you to put in your email to recover and say "if that email exists in our system we'll mail out a link". They purposely don't confirm at that point to avoid giving out information.

The third option in every account is whether or not you disable a session after a certain amount of idle time.


You set this "session timeout" under "Web Console Settings". I believe it's set to 25 minutes by default.

As far as multiple users logging in at the same time on the same account, that's kind of hard I think with a web-based app. A web-based app isn't a persistent session, but a number of different short sessions as a page loads. Maybe this could be handled via AD also? i.e.: if a user is already logged in via this IP, don't let other authentication sessions happen from other IPs. This would depend on whether SW divulges the end-user session IP when it authenticates with AD. Or, if this is a hard limitation your security guys are putting in place, maybe put a FW that authenticates in front of it and have it lock down users to a single session?

HTH! 

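The four requirements in the original post (lockout after 5 failures for 15 minutes, one generic error message for every failure, a 15-minute idle timeout, and one session per user with the previous session ended) and the reply's point about not confirming whether a username exists all come down to a small amount of state around the login and session-check path. The following is an added example written for this thread, not code from SolarWinds or from either poster; the `AuthPolicy` class, its method names and the constants are assumptions chosen to mirror the numbers in the post. It uses an injectable clock so the timing rules can be exercised without waiting, and it hashes the password for an unknown user too, so that "no such user" and "wrong password" take comparable time as well as returning identical text.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

LOCK_THRESHOLD = 5                 # requirement a: failed attempts before lockout
LOCK_SECONDS = 15 * 60             # requirement a: lockout duration
IDLE_SECONDS = 15 * 60             # requirement c: idle timeout
GENERIC_ERROR = "Invalid username or password."   # requirement b: one message for every failure
PBKDF2_ROUNDS = 100_000            # assumption: any slow password hash would do here


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class Session:
    user: str
    last_active: float


class AuthPolicy:
    """Hypothetical in-memory login policy implementing requirements a-d from the post."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests; real use keeps time.time
        self.accounts = {}          # username -> Account
        self.sessions = {}          # token -> Session
        self.user_session = {}      # username -> token (requirement d: at most one per user)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def login(self, user, password):
        """Return (token, message). token is None on any failure and the message
        is identical whether the user is unknown, locked, or gave a wrong password."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown user: do the same hashing work so the response time does not
            # reveal that the username does not exist (requirement b, and the reply's point).
            self._hash(password, b"constructed-dummy-salt")
            return None, GENERIC_ERROR
        if now < acct.locked_until:
            # Locked accounts fail even with the correct password (requirement a).
            return None, GENERIC_ERROR
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= LOCK_THRESHOLD:
                acct.locked_until = now + LOCK_SECONDS
                acct.failures = 0
            return None, GENERIC_ERROR
        acct.failures = 0
        # Requirement d, second variant from the post: a new login ends the previous session.
        old_token = self.user_session.pop(user, None)
        if old_token is not None:
            self.sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now)
        self.user_session[user] = token
        return token, "ok"

    def touch(self, token):
        """Validate a session token on each request. Returns the username, or None if
        the token is unknown or the session has been idle longer than IDLE_SECONDS."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_active > IDLE_SECONDS:
            # Requirement c: expire the idle session and free the per-user slot.
            self.sessions.pop(token, None)
            self.user_session.pop(sess.user, None)
            return None
        sess.last_active = now
        return sess.user
```

Calling `touch` from every request handler is what makes the idle timeout real; a session that is never touched simply expires the next time it is presented. The lockout counter is stored per account rather than per source IP on purpose: the post's requirement is about the account, and the reply's observation that a web app is many short requests rather than one persistent connection is exactly why the state has to live server-side, keyed by user and token.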