Enforcing Password Reset for Administrator Accounts

EFT Server provides the option to force administrators to change their password on log in. On Sites defined using the "strict security settings," users are forced to change their passwords on first use.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT Server via the HTTP or HTTPS index page, EFT Server redirects the user to the reset page. After the user creates a new password, they are returned to the index page.

EFT Server cannot ask FTP users to change their password prior to logging in and identifying themselves. EFT Server allows them to login (authenticate), but then prevents any further interaction until they change their password.

Refer to Using the High Security Module with the Secure Ad Hoc Transfer Module if you are using a High Security (PCI DSS) Site.

To configure administrator accounts to enforce password reset

In the administration interface, connect to EFT Server and click the Server tab.
In the left pane, click the Server node you want to configure.
In the right pane, click the Administration tab.
Click an EFT Server-managed administrator account, then click Password Policy. The Password Security Settings dialog box appears.
Select the Admin must reset their password after first login check box. Administrators are prompted to change their password when they log in to the Site.
Click OK to close the dialog box.
Click Apply to save the changes on EFT Server.

When a password is reset, EFT Server verifies the new password against complexity criteria and password history, if those features are enabled. The administrator is not allowed to proceed with the session until a password is created and accepted by the system. If the password is not accepted by the system:

In HTTPS and SFTP, the authentication request will be denied.
In FTP, no further FTP commands will be accepted until the new password is provided and meets complexity and password history requirements, if those features are enabled.

For PCI DSS-enabled (strict security) Sites:

PCI DSS requirement 8.5.3 states that you should set first-time passwords to a unique value for each user and force users to change their password immediately after the first use.
A warning appears if you clear the Admin must reset their password after first login check box. If an administrator logs in using a temporary password, a warning appears to prompt the administrator to supply a new password.

This online help file is for EFT Server version 6.4.7. For other versions of EFT Server, please refer to http://help.globalscape.com/help/index.html.

(If the Index and Contents are hidden, click Show Contents pane in the top left corner of this topic.)

If this help topic did not help you, search the Knowledgebase or pose your question in the GlobalSCAPE User Forum.

For the most up-to-date information, to view version history, updates, and activation instructions; or to download a PDF of this user guide, visit the Support Center at http://www.globalscape.com/support.

Leave compliments or complaints regarding the help in the User Forum. At a minimum, please provide the topic title and why you needed help.

For information about GlobalSCAPE, visit www.globalscape.com, subscribe to our RSS feeds.

Last modified: 13-Jun-12 at 10:51:56