EFT Server can automatically disable or lockout user accounts after a specified number of bad password login attempts over a specified time. This feature can be enabled for a Site, Settings Template, and/or per user. Once an account is disabled, you can re-enable the account on the General tab of the user.
The PCI DSS (multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures)requires that you should limit repeated access attempts by locking out a user after not more than six attempts and that you should set the lockout duration to thirty minutes or until administrator enables the user account. If a Site is running in high-security mode, and you clear the Disable/Lockout check box or set the maximum login attempts to a value greater than 6, a warning appears.
To disable or lockout an account after a defined number of incorrect login attempts
In the Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the Site that you want to configure.
In the right pane, click the Security tab.
In the Password Security area, next to Invalid login options, click Configure. The Login Security Options dialog box appears.
Select the check box next to Lockout, then specify the following:
Whether to Disable or Lockout the account
Number of minutes to lock out the account
Number of invalid login attempts after which to disable or lock out the account
Number of minutes during which to count the invalid login attempts
Click OK to save the changes and close the dialog box.
Click Apply to save the changes on EFT Server.
Banning an IP Address that Uses an Invalid Account
Enabling or Disabling a User
Enabling or Disabling a Settings Template or User
Disabling or Removing an Administrator Account due to Repeated Incorrect Logins
Possible PCI Compliance Report Outcomes