Account Lockout - Polycom RealPresence Group 550 Administrator's Manual

Administrator's Guide for the Polycom RealPresence Group Series

Account Lockout

RealPresence Group systems provide access controls that prevent unauthorized use of the system. One
way someone might try to discover valid user names and passwords is by exhaustively attempting to log in,
varying the user name and password data in a programmatic way until discovering a combination that
succeeds. Such a method is called a "brute-force" attack.
To mitigate the risk of such an attack, two access control mechanisms are available on RealPresence Group
systems. The first type of access control, account lockout, protects local accounts from being vulnerable to
brute-force attacks, while the second, port lockout, protects login ports themselves from being vulnerable to
brute-force attacks. For more information about that mechanism, refer to
Account lockout temporarily locks a local account from accepting logins after a configurable number of
unsuccessful attempts to log in to that account. It protects only the local RealPresence Group system's
Admin and User local accounts. When external authentication is used, the Active Directory Server protects
Active Directory accounts.
RealPresence Group systems provide separate account lockout controls for each of their local accounts,
which are named Admin and User. The account lock can be invoked due to failed logins on any of the
following login ports:
● Local interface
● Web interface
● Telnet interface
To configure the account lockout feature:
1 In the web interface, go to Admin Settings > Security > Local Accounts > Account Lockout.
2 Configure these settings for the appropriate account on the Account Lockout page, then click Save.
You can configure account lock for the admin account, user account, or both accounts.
Setting
Lock Admin/User Account after
Failed Logins
Admin/User Account Lock Duration
Reset Admin/User Account Lock
Counter After
The following are examples of how the account lockout feature works.
A RealPresence Group system web interface is configured with these settings:
Polycom, Inc.
Description
Specifies the number of failed login attempts allowed before the system
locks the account. If set to Off, the system does not lock the account due
to failed login attempts.
Specifies the amount of time that the account remains locked due to failed
login attempts. After this time period has expired, the failed login attempts
counter is reset to zero and logins to the account are once again allowed.
Specifies the "failed login window" period of time, starting with the first
failed login attempt, during which subsequent failed login attempts will be
counted against the maximum number allowed (Lock Admin/User
Account after Failed Logins). If the number of failed login attempts
made during this window does not reach the maximum number allowed,
the failed login attempts counter is reset to zero at the end of this window.
Note: The failed login attempts counter is always reset to zero anytime a
user successfully logs in.
Port Lockout on page 113.
Security
111