Configuring the security policy for logging in to the KUMA web interface

To reduce the risk of unauthorized access to the KUMA web interface, you can configure rules for users logging in to the KUMA web interface. For example, configuring a security policy helps prevent an attacker from brute-forcing a password to log in to the KUMA web interface.

The security policy applies only to user accounts created in KUMA and does not affect domain accounts imported into KUMA when integrating with domain controllers. The policy applies to the admin user account, which is used for the first login to the KUMA web interface, only in a limited way: the only setting that applies to this account is the forced re-authentication requirement after a period of inactivity.

The security policy applies to all tenants and cannot be configured on a per-tenant basis.

When migrating from a previous version of KUMA, the password requirements apply only to new passwords. Existing passwords are affected only by the Password lifetime (days) setting; the other requirements do not apply to them until the password is changed.

Managing security policy settings requires the General administrator role.

To configure the security policy for logging in to the KUMA web interface

  1. Open the Settings → Access → Security policy settings section of the KUMA web interface.
  2. Specify the following security settings:
    • Maximum number of failed authentications. If this value is exceeded, the user account is locked out for a duration specified in the Blockage period after failed authentication attempts (mins) setting. Enter a number from 0 to 10. The default setting is 0, meaning that this setting is disabled.
    • Maximum number of authentication attempts per second per Core. This setting helps prevent brute-forcing a password to log in to the KUMA web interface. Enter a number from 1 to 8. The default value is 3. If KUMA detects that the specified value is exceeded, further authentication attempts are blocked.

      Note that the value is specified in terms of one KUMA Core. If your KUMA installation has more than one Core deployed, the actual number of allowed authentication attempts per second is calculated as the specified value multiplied by the number of Cores.

    • Blockage period after failed authentication attempts (mins). The duration for which the user account is locked out when the value of the Maximum number of failed authentications setting is exceeded. Enter a number from 0 to 1440. The default value is 15. If 0, the account is not locked for a period but instead has its status changed to Inactive. A user with this status cannot log in to the KUMA web interface. The General administrator can change the user account status later; if the General administrator changes the status of the user account to Active, the user account is unlocked and the counter of failed login attempts is reset to 0.
    • Prevent users from signing in after the password expiration. This setting allows you to configure the behavior of the application after the expiration of the Password lifetime (days).

      If this setting is enabled, the user is locked out of the KUMA web interface and the user account status changes to Inactive. A user with this status cannot log in to the KUMA web interface. The General administrator can change the user account status later. The user is likewise locked out if the User must change password on next login setting is enabled for the account.

      If this setting is disabled, the user with an expired password can log in to the KUMA web interface. KUMA then automatically prompts the user to change the password.

    • Re-authentication is required after the user is inactive for (mins). If no mouse movement or key presses are registered for the specified time during a user's KUMA web interface session, KUMA requires the user to authenticate again. Enter a number from 1 to 1440. The default value is 15.
  3. Specify the following user password settings:
    • Password lifetime (days). Whether KUMA locks out the user account after the password lifetime expires depends on the Prevent users from signing in after the password expiration setting. Enter a number from 1 to 365. The default value is 90.
    • Minimum password length (symbols). Specify a number from 16 to 128. The default value is 16.
    • Time to notify the user before the password expiration (days). When the specified number of days remains before the password expires, the user is prompted in the KUMA web interface to change the password. Enter a number from 1 to 14. The default value is 14.
    • Character categories a password must include. You can use this setting to configure requirements that apply to manually entered and automatically generated passwords:
      • The password must contain lower-case and upper-case letters of the Latin alphabet, numerals, and at least one of the special characters that you specified.
      • Ignore duplicate characters in passwords. If this check box is selected, two or more identical characters in a row are allowed in passwords.
  4. Click Save.

The security policy is configured.
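The settings above interact (for example, a Blockage period of 0 turns a temporary lockout into an Inactive account, and Maximum number of failed authentications of 0 disables the lockout entirely). The following Python model is an added illustration, not KUMA's own code: it reimplements the documented lockout, expiry, notification and password-composition rules so that the settings can be tried against each other offline. The class and function names, the in-memory account state, the sample special-character set, and the decision to reset the failure counter once a blockage period has elapsed are assumptions made for the example.

```python
"""Illustrative model of the KUMA login security policy (added example,
not KUMA's code). Names, state layout and the special-character set are
assumptions; the ranges, defaults and rules follow the settings page."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SecurityPolicy:
    max_failed_auth: int = 0           # 0..10; 0 disables the lockout
    max_attempts_per_sec: int = 3      # 1..8, per Core
    blockage_mins: int = 15            # 0..1440; 0 => account becomes Inactive
    lock_after_expiry: bool = False    # "Prevent users from signing in after..."
    reauth_idle_mins: int = 15         # 1..1440
    password_lifetime_days: int = 90   # 1..365
    min_password_len: int = 16         # 16..128
    notify_before_days: int = 14       # 1..14
    special_chars: str = "!@#$%^&*"    # assumed operator-configured set
    allow_repeats: bool = False        # "Ignore duplicate characters in passwords"

    def __post_init__(self):
        # Reject values outside the documented ranges instead of silently clamping.
        limits = {"max_failed_auth": (0, 10), "max_attempts_per_sec": (1, 8),
                  "blockage_mins": (0, 1440), "reauth_idle_mins": (1, 1440),
                  "password_lifetime_days": (1, 365), "min_password_len": (16, 128),
                  "notify_before_days": (1, 14)}
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} out of documented range {lo}..{hi}")


def allowed_attempts_per_second(policy: SecurityPolicy, cores: int) -> int:
    """The rate limit is per Core, so the installation-wide figure scales with Cores."""
    return policy.max_attempts_per_sec * cores


def password_problems(policy: SecurityPolicy, pw: str) -> List[str]:
    """Return the documented composition rules the password violates (empty = OK)."""
    problems = []
    if len(pw) < policy.min_password_len:
        problems.append("too short")
    if not any(c.isascii() and c.islower() for c in pw):
        problems.append("no lower-case Latin letter")
    if not any(c.isascii() and c.isupper() for c in pw):
        problems.append("no upper-case Latin letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in policy.special_chars for c in pw):
        problems.append("no configured special character")
    if not policy.allow_repeats and any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("identical characters in a row")
    return problems


@dataclass
class Account:
    name: str
    password_set_at: datetime
    status: str = "Active"             # "Active" or "Inactive"
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def login(policy: SecurityPolicy, acct: Account, password_ok: bool, now: datetime) -> str:
    """Apply the lockout and expiry rules to one login attempt and return the outcome."""
    if acct.status == "Inactive":
        return "inactive"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None       # blockage period elapsed
        acct.failed_attempts = 0       # assumption: count afresh after the period
    if not password_ok:
        acct.failed_attempts += 1
        # "If this value is exceeded": the lock triggers on the (max + 1)-th failure.
        if policy.max_failed_auth and acct.failed_attempts > policy.max_failed_auth:
            if policy.blockage_mins == 0:
                acct.status = "Inactive"   # only a General administrator can reactivate
                return "inactive"
            acct.locked_until = now + timedelta(minutes=policy.blockage_mins)
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    age = now - acct.password_set_at
    lifetime = timedelta(days=policy.password_lifetime_days)
    if age >= lifetime:
        if policy.lock_after_expiry:
            acct.status = "Inactive"
            return "inactive"
        return "ok-change-password"    # allowed in, then prompted for a new password
    if lifetime - age <= timedelta(days=policy.notify_before_days):
        return "notify"                # within the pre-expiry notification window
    return "ok"


def reactivate(acct: Account) -> None:
    """General administrator sets the account back to Active: counter reset to 0."""
    acct.status = "Active"
    acct.locked_until = None
    acct.failed_attempts = 0
```

Running the model with the defaults shows the point of the first setting: with Maximum number of failed authentications left at 0, a wrong password is simply denied every time and no lockout is ever applied, so an operator who wants brute-force protection must set it to a non-zero value (and decide whether Blockage period of 0, i.e. an Inactive account, is acceptable given that only a General administrator can reverse it).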
