User session security
Securing the user session prevents unauthorized persons from accessing the user desktop or stealing the application credentials of the user. There are different options for securing the user session on a private or shared desktop.
Password policies
Enforce password policies, such as password aging and password complexity policies. Implementing these policies protects users against password guessing attacks.
- Password aging
- You can enable password aging and define the maximum password age. For example, after 90 days, the user must change the password.
- Password complexity
- You can define the minimum and maximum length of the password, and the minimum number of numeric and alphabetic characters. You can also set whether to allow mixed uppercase and lowercase characters.
See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the password policies.
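The following is an added example, not code from the product or the guides cited above: a small policy checker that applies the two kinds of rule described here, password aging (maximum age in days) and password complexity (minimum and maximum length, minimum numeric and alphabetic characters, and whether mixed case is allowed). The policy values, the rule codes and the function names are illustrative assumptions; the product's own defaults and settings are defined in the Policies Definition Guide.

```python
"""Password aging and complexity checker (added example; values are assumptions)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    # Illustrative values, not the product's defaults.
    max_age_days: int = 90      # after this many days the user must change the password
    min_length: int = 8
    max_length: int = 64
    min_numeric: int = 1        # minimum number of digits
    min_alpha: int = 1          # minimum number of letters
    allow_mixed_case: bool = True  # whether upper- and lowercase may be combined


def check_complexity(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the codes of every complexity rule the password violates.

    An empty list means the password satisfies the complexity policy.
    """
    violations: list[str] = []
    if len(password) < policy.min_length:
        violations.append("length_min")
    if len(password) > policy.max_length:
        violations.append("length_max")
    digits = sum(1 for c in password if c.isdigit())
    alphas = sum(1 for c in password if c.isalpha())
    if digits < policy.min_numeric:
        violations.append("numeric_min")
    if alphas < policy.min_alpha:
        violations.append("alpha_min")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if has_upper and has_lower and not policy.allow_mixed_case:
        violations.append("mixed_case_not_allowed")
    return violations


def password_age_days(last_changed: date, today: date) -> int:
    """Whole days since the password was last changed."""
    return (today - last_changed).days


def is_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True once the password has been in use for max_age_days or longer."""
    return password_age_days(last_changed, today) >= policy.max_age_days


def evaluate(password: str, last_changed_iso: str, today_iso: str,
             policy: PasswordPolicy = PasswordPolicy()) -> dict:
    """Combine both checks; dates are ISO strings so callers need no date objects."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    violations = check_complexity(password, policy)
    age = password_age_days(last_changed, today)
    expired = is_expired(last_changed, today, policy)
    return {
        "violations": violations,
        "expired": expired,
        "days_left": max(0, policy.max_age_days - age),
        "compliant": not violations and not expired,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    for pw, changed, today in [
        ("Tr0ub4dor", "2024-01-01", "2024-03-30"),   # compliant, one day left
        ("Tr0ub4dor", "2024-01-01", "2024-03-31"),   # 90 days old: must be changed
        ("short1", "2024-01-01", "2024-01-02"),      # too short
        ("NoDigitsHere", "2024-01-01", "2024-01-02"),  # no numeric character
    ]:
        print(pw, evaluate(pw, changed, today))
```

Note that disallowing mixed case (sometimes done so that a legacy target application accepts the password) shrinks the character set an attacker must search; if you set it, compensate with a longer minimum length.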
Kerberos Authentication
Use any Windows authentication mechanism to log in to AccessAgent when it is configured to run in personal workstation mode.
See "Set up Kerberos Authentication" in the IBM Security Access Manager for Enterprise Single Sign-On Planning and Deployment Guide to verify that your workstation meets the requirements and compatibility for Kerberos authentication.
- If your workstation is compatible, set up Kerberos authentication.
- If your workstation is not compatible, see Strong authentication for the different authentication devices that can secure a session.
Two-factor and fingerprint authentication
Enforce the use of a second authentication factor to prevent an attacker from impersonating a legitimate user through theft or forgery of any single authentication factor. You can use RFID cards, smart cards, or hybrid smart cards for strong authentication.
See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the different authentication-related policies.
Lock and unlock policies
Define the events on which the user desktop is locked and unlocked, to prevent unauthorized access. These policies are particularly important on shared workstations. The events include:
- Desktop inactivity
- The authentication factor is removed from the reader
- The authentication factor is presented to the reader
- The Windows screen saver is activated
See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the lock and unlock policy details.
Inactivity timeout policy
Define the action taken when the desktop has been idle for the configured period:
- Log off from the Windows session
- Log off from the Wallet
- Lock the computer
- Log off from the Wallet and lock the computer
See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the desktop inactivity policies.
Session lock, unlock, logon, and logoff scripts
This feature applies only to shared desktop mode.
Use session lock and session unlock scripts to automatically minimize or close applications that must not remain displayed while the session is locked.
Use session logon and session logoff scripts to automate and enforce a walk-away policy.
See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for the policies that you can set during logon and logoff, lock, and unlock.
Security questions (Secrets)
Set up security questions for users to answer when they want to reset their passwords. These security questions verify the identity of the user before the password is reset. Review the security questions with the Legal department to ensure that the questions comply with local privacy laws.