Starting with BigFix 8.2, you can add password policies to local console users. These instructions apply to the console users that are not using the Active Directory / LDAP integration.



To set the password policies:
  1. Open the BES Admin tool (Start->All Programs->Tivoli Endpoint Manager->TEM Administration Tool).
  2. Choose the "Advanced Options" tab.
  3. Click the "Add" button to add the following Name and Value pairs to the table:

Advanced Deployment Options Password Policies

Note: The Site Administrator passwords are not affected by this complexity requirement.
  • passwordComplexityDescription
    • Set to a human-readable string describing the password complexity requirement. This string will be shown to the user when a password choice fails the complexity requirements set using the 'passwordComplexity' option. An example password complexity description is "Passwords must have at least 6 characters." If this value is not set but the 'passwordComplexityRegex' is, the user will be shown the 'passwordComplexityRegex' string instead.
  • passwordsRemembered
    • introduced in 8.2
    • This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.
    • default: 0
  • maximumPasswordAgeDays
    • introduced in 8.2
    • This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it.
    • default: 0 (no maximum)
  • minimumPasswordAgeDays
    • introduced in 8.2
    • This security setting determines the period of time (in days) that a password must be used before the user can change it.
    • default: 0
  • minimumPasswordLength
    • introduced in 8.2
    • This security setting determines the least number of characters that a password for a user account may contain.
    • default: 6
  • enforcePasswordComplexity
    • introduced in 8.2
    • If this policy is '1' or 'true', passwords must meet the following minimum requirements:
      • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
      • Be at least six characters in length (this setting and minimumPasswordLength can both be set, the effective minimum password length will be the higher of six and the value of minimumPasswordLength)
      • Contain characters from three of the following four categories:
        • English uppercase characters (A through Z)
        • English lowercase characters (a through z)
        • Base 10 digits (0 through 9)
        • Non-alphabetic characters (for example, !, $, #, %)
    • Complexity requirements are enforced when passwords are changed or created.
    • default: 0
  • accountLockoutThreshold
    • introduced in 8.2
    • Number of incorrect logon attempts for a username before the account is locked for accountLockoutDurationSeconds
    • default: 5
  • accountLockoutDurationSeconds
    • introduced in 8.2
    • Number of seconds an account stays locked after accountLockoutThreshold failed logon attempts
    • default: 30
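
To pre-check candidate passwords against the enforcePasswordComplexity rules listed above, the following added example (not BigFix code, and not how the product itself implements the check) applies them together with minimumPasswordLength. It assumes that "parts" of the full name are tokens split on whitespace and common delimiters, and that the fourth category is any character outside A-Z, a-z and 0-9; the function name and sample values are hypothetical.

```python
import re
import string

BUILTIN_MINIMUM = 6  # floor that enforcePasswordComplexity applies, per the list above


def complexity_failures(password, account_name, full_name, minimum_password_length=6):
    """Return the reasons a password fails; an empty list means it passes."""
    failures = []

    # Effective minimum is the higher of six and minimumPasswordLength.
    required = max(BUILTIN_MINIMUM, minimum_password_length)
    if len(password) < required:
        failures.append(f"shorter than {required} characters")

    # Name checks are case-insensitive (assumption).
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        failures.append("contains the account name")

    # Assumption: name "parts" are delimiter-separated tokens; only tokens
    # longer than two characters are checked.
    for part in re.split(r"[\s,.\-_#]+", full_name):
        if len(part) > 2 and part.lower() in lowered:
            failures.append(f"contains name part {part!r}")

    # Assumption: the fourth category is anything outside A-Z, a-z, 0-9.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    ]
    if sum(categories) < 3:
        failures.append(f"uses {sum(categories)} of 4 character categories, needs 3")
    return failures


# Constructed sample operator and candidate passwords (not from the page).
if __name__ == "__main__":
    for candidate in ["Tr4il#mix", "jsmith2024!", "alllowercase", "Ab1!"]:
        print(candidate, complexity_failures(candidate, "jsmith", "John Smith", 8))
```

The returned reasons can also help when wording the passwordComplexityDescription string shown to console users.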