AMX NX-1200 Webconsole And Programming Manual page 44

System Security Options (Cont.)
Option
Password Expiration
Cryptography
Strength:
Password Complexity Set the password complexity to Low, Medium, or High. When the password complexity level is raised from a lower
Lockout Access
HTTP/HTTPS
Telnet/SSH/SSH FTP
Access
NX-Series Controllers - WebConsole & Programming Guide
Description
Select to force a user to change its password after a set period of time. After enabling the password expiration
options, use the spin box to set the interval for password expiration. You can set an amount of time in the range of
1 to 180 days. The default setting is 60 days.
NOTE: This option is only valid on locally-maintained accounts. When external LDAP is enabled, only the
administrator and device user accounts are affected.
Set the cryptography strength of the Master to Low or High. On the High setting, only FIPS 140-2 validated
binaries are used.
level to a higher level, the Master requires confirmation from the user. When the user confirms the change, all
passwords are marked as expired on all local user accounts, and the passwords must be changed to meet the new
complexity requirements. Password complexity requirements are as follows:
• Low - Minimum length is 4 characters, and must be different from previous password.
• Medium - Minimum length is 8 characters, must contain characters from 3 of the following characters sets
(uppercase letters, lowercase letters, numbers, other characters), must contain at least 4 changes from the
previous password, and must be different from the previous 10 passwords.
• High - Minimum length is 15 characters, must contain characters from all of the following characters sets
(uppercase letters, lowercase letters, numbers, other characters), must contain at least 8 changes from the
previous password, and must be different from the previous 30 passwords.
NOTE: This option is only valid on locally-maintained accounts. When external LDAP is enabled, only the
administrator and device user accounts are affected.
Select to enable a lock on a user account after a set number of failed logins. When enabled, use the Attempts spin
box to set the number of login attempts allowed. Use the Lockout Duration options menu to indicate the amount of
time you want the lockout to last. The default setting is 60 minutes.
NOTE: This option is only valid on locally-maintained accounts. When external LDAP is enabled, only the
administrator user is affected.
Select to enable HTTP and HTTPS access to the Master.
HTTP: The port value used for unsecure HTTP Internet communication between the web browser's UI and the
target Master. By disabling this port, the administrator (or other authorized user) can require that any consecutive
sessions between the UI and the target Master are done over a more secure HTTPS connection.
By default, the Master does not have security enabled and must be communicated with using http:// in the
Address field. The default port value is 80.
NOTE: One method of adding security to HTTP communication is to change the Port value. If the port value is
changed, any consecutive session to the target Master has to add the port value at the end of the address
(within the Address f ield). An example is if the port were changed to 99, the new address information would
be: http://192.192.192.192:99.
HTTPS:
The port value used by web browser to securely communicate between the web server UI and the target
Master. This port is also used to simultaneously encrypt this data using the SSL certificate information on the
Master as a key.
This port is used not only used to communicate securely between the browser (using the web server UI) and the
Master using HTTPS but also provide a port for use by the SSL encryption key (embedded into the certificate).
Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be
sent securely, HTTPS is designed to transmit individual messages securely. Therefore both HTTPS and SSL can be
seen as complementary and are configured to communicate over the same port on the Master. These two methods
of security and encryption are occurring simultaneously over this port as data is being transferred. The default
port value is 443.
Another method of adding security to HTTPS communication would be to change the port value. If the port
value is changed, any consecutive session to the target Master has to add the port value at the end of the
address (within the Address f ield). An example is if the port were changed to 99, the new address information
would be: http://192.192.192.192:99.
Select to enable Telnet, SSH, and SSH FTP access to the Master.
Telnet: The port value used for Telnet communication to the target Master. Enabling this feature allows future
communication with the Master via a separate Telnet application.
• The default port value for Telnet is 23.
• Refer to the NetLinx Security with a Terminal Connection section for more information on the related procedures.
SSH: The port value used for secure Telnet communication. A separate secure SSH Client would handle
communication over this port. When using a secure SSH login, the entire login session (including the transmission
of passwords) is encrypted; therefore it is secure method of preventing an external user from collecting
passwords.
• SSH version 2 is supported.
• The default port value is 22.
NOTE: If this port's value is changed, make sure to use it within the Address f ield of the SSH Client
application.
WebConsole - Security Options
44