Product guide
Table 3-2 Recommended User Based Policy Settings
Policy | Options | Recommendations
Authentication Tab
• Token type: Select Password only. Other tokens can be used effectively for
authentication as required. However, the Password only token is as strong as any
other token that you could configure.
• Certificate rule
  • Provide LDAP user certificate — Leave this option checked (enabled).
  • Use latest certificate — Leave this option checked (enabled).
  The Certificate rule options are not active if Password only token is selected.
• Logon hours — You can enable this option and set the logon days and times as required.
It is better to leave it disabled if you do not have a specific requirement.
Password Tab
• Change Default Password — Leave this option unchecked (disabled). This leaves the
default password as 12345 for all new users. All new users are prompted to change
the default password during user initialization.
• Password Change — Disable all of these settings, because you will be using SSO and do
not want to cause a conflict with Windows password requirements.
• Enable Password history — Leave this option checked (enabled) to prevent users from
reusing passwords unless your security policy exempts users from using new
passwords.
• Prevent change — Leave this option unchecked (disabled).
• Require change after ____ days (1-366) — Leave this option unchecked (disabled).
• Warn user ____ days before password expiry (0-30) — This is disabled by default when
you disable the Require change after ____ days (1-366) option.
• Incorrect Passwords
  • Timeout password entry after ____ invalid attempts (3-20) — Set the required number of
  invalid password attempts.
  • Maximum disable time ____ minutes (1-64) — This is disabled by default when you disable
  the Timeout password option.
  • Invalidate password after ____ invalid attempts — Leave this option checked (enabled).
Password Content Rules Tab
• Password length — Use default.
• Enforce password content — Use default.
• Password content restrictions — Use default or enable restrictions for better password
strength.
Self-Recovery Tab
• Enable self-recovery — Leave this option checked (enabled).
• Invalidate self recovery after No. of invalid attempts: Enable this option and set the number
of attempts to a value that does not abruptly lock out the Self Recovery.
• Questions to be answered — Can be set to 3. This can give you the required security
without burdening the user with a lot of typing. However, it is up to
the administrator to decide this number depending on the requirement.
• Logons before forcing user to set answers — Set this to 0. This makes sure that users set
their answers during user initialization.
• Questions — Use the default ones or configure the questions as required.
Software configuration and policies
McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide