Managers can do this by going to Users > Setup > Security. Advanced security options should be set to prevent unauthorized users from accessing the service. Tip - Be sure to click Save after making changes.
You can restrict access by IP address. Select the option "Allow connections from the following IPs only" and enter the IP addresses that should be allowed to connect to your subscription. An unlimited number of IPs may be entered. Users with valid accounts will only be able to connect to the service from one of the allowed IPs.
Tip - Be sure to add your own IP to the list of allowed IPs or you will not be able to log back in to the service. For your convenience, your IP is displayed on screen.
IP addresses dynamically assigned?
If your client is assigned an IP address dynamically, such as through DHCP, enter the entire possible IP range in the Allowed IPs list. If your IP address changes and the new IP is not listed, then you will not be able to log back in to the service.
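A pre-change check for the two lockout cases described above (your own IP missing from the list, or a DHCP range only partly listed), as an added example that is not part of the product or its documentation. The entry syntax it accepts (single address, hyphenated range, CIDR) is an assumption, and all addresses are constructed samples from the reserved documentation ranges.

```python
import ipaddress

# Constructed sample allow list (documentation address ranges, not real values).
ALLOWED = ["203.0.113.7", "198.51.100.0/25", "192.0.2.10-192.0.2.20"]

def parse_entry(entry):
    """Parse one entry into networks. Assumed syntax: IP, 'first-last', or CIDR."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry!r}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry)]  # rejects CIDR typos with host bits set

def build_allow_list(entries):
    return [net for e in entries for net in parse_entry(e)]

def is_allowed(ip, nets):
    """True if a client connecting from `ip` would match the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def uncovered(pool, nets):
    """Return the parts of a DHCP pool (same syntax) that no entry covers."""
    remaining = parse_entry(pool)
    for net in nets:
        nxt = []
        for block in remaining:
            if block.version != net.version or not block.overlaps(net):
                nxt.append(block)                       # untouched by this entry
            elif not block.subnet_of(net):
                nxt.extend(block.address_exclude(net))  # entry covers part of block
            # else: block is fully covered by this entry, so drop it
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    nets = build_allow_list(ALLOWED)
    print("admin IP allowed:", is_allowed("198.51.100.42", nets))
    gaps = uncovered("198.51.100.0-198.51.100.255", nets)
    print("DHCP addresses that would be locked out:", [str(g) for g in gaps])
```

Run it against the list you intend to save; any non-empty result from `uncovered` is a range of lease addresses that would be refused after the change.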
Select the password security settings you want to enforce for all users in the subscription.
Password expiration options
Go to Users > Setup > Security and scroll down to the Password Security section. Here you can define how often users will need to change their password. We start counting from the date the password was last changed or when it was first created, not from when you turn on this feature. For example, if you turn on this feature and set passwords to expire after 1 month, and your password was last changed over a month ago, then we'll expire your password and you'll need to change it.
Want to notify users before their password expires? No problem. You can have the user notified in the UI and/or by email. Choose when to notify the user and how often email notifications will be sent.
Want users to be prompted at login to change passwords? Select these options: Allow users to change expired passwords at login and Allow user defined passwords.
Want passwords to never expire? Clear the "Password expires after N months" check box. Keep in mind that password security settings are global settings and apply to *all* user accounts in the subscription.
User defined passwords
When selected, users must define passwords following the guidelines under password security. Please note:
- 8 characters is the minimum password length unless this is set higher by a Manager.
- Password guidelines also apply to secure PDF report passwords.
- User defined passwords is turned on automatically in Express Lite subscriptions.
Force password change at initial login
When selected, new users will be prompted to change their password when they log in for the first time. (This option is turned on automatically in Express Lite subscriptions.)
Lock account after failed login attempts
We recommend this setting to prevent password brute forcing attacks. If a user is locked out, the user's account must be re-activated by a Manager or Unit Manager.
Select this option if you want to require all users to log in using VeriSign Identity Protection (VIP) two-factor authentication. If selected, all users will be required to provide a VIP credential ID and a one-time security code in addition to their login name and password each time they log in to the user interface.
External IDs can be added to user account settings by the Manager Primary Contact (for the subscription). The Manager Primary Contact has the option to allow other Managers, Unit Managers and User Administrators to edit external IDs for users. Follow these steps: 1) select the External IDs security setting "Allow other users to manage external IDs", and then 2) edit each manager's account to grant this permission.
What if I clear this option after granting permission to users?
The permission is immediately removed from all users who have it, and it cannot be assigned to new users. The Manager Primary Contact can turn it on again at any time, allowing users who previously had the permission to have it again.
In order to provide new features, such as Scheduled Reporting, Zero-Day Risk Analyzer and Asset Tagging, we are migrating customers to a new powerful data security model. A green check mark next to a new feature indicates that it is available for use within your subscription. Once you accept the new data security model, you cannot undo this action in the application. Please Contact Support if you would like to disable this option.
Are you an Express Lite user? If yes, the New Data Security Model is turned on for your subscription.
Define how long a user's session may be inactive before automatically timing out. You can make a global setting that applies to all users or customize this setting based on the user role. This setting applies to all new user sessions. Only Managers can enable this option. For both global and customized session timeout, choose a value between 10 and 240 minutes. The default setting of 60 minutes is considered a best practice.
Why might I increase the global setting?
It may be desirable to increase this setting so that users do not lose their place in the application, for example when conducting routine business, attending meetings and taking breaks. To accommodate these situations, a Manager may choose to increase the session timeout to a maximum of 240 minutes. The added security risk of increasing the session timeout can be mitigated by ensuring that screen savers at the operating system level are set to time out after a reasonable amount of time that's in line with your corporate security policies.
If you change this setting, users will need to log in again for your changes to take effect.
Why do I need to set different session timeouts for users?
Setting different session timeouts lets you apply shorter timeouts to more restricted users. For example, you can set a timeout of 15 minutes for most users and then define a longer session timeout for the users who need to be logged in for longer periods because of long-running tasks.