I've been asked the following questions by our Cyber Security Team to make sure we are compliant with company policies and asked to provide evidence to support these statements.
I know that user logging shows when people have recently logged into DataMiner and that a user can set a logout timer within their own profiles, but I can't seem to find anywhere that I can set a group policy in DataMiner for items 1. & 4., and I'm struggling to find logs that show 2. & 3.
Does anyone have any ideas if these are at all possible and, if so, where I would find the logs showing all the login attempts, whether they be successful or not?
Thanks
Dave
1. Accounts are being locked or blocked for a period of time after a number of predefined unsuccessful log-on attempts.
Screenshot taken after a number of failed logon attempts which demonstrates that the account is locked or logon is temporarily blocked. (Alternatively report from compliance management system which demonstrates that the appropriate system setting is in place.) Confirmation that the number of allowed failed logon attempts until the account gets locked / the system gets blocked is aligned with the relevant policy.
2. Unsuccessful and successful attempts are being logged and security events are raised if a potential attempted or successful breach of log-on controls is detected.
3. Log files from the system showing the unsuccessful logon attempts and screenshot of the resulting security event.
4. Inactive sessions are being terminated or locked after a defined period of inactivity.
Screenshot showing terminated or locked session after a period of inactivity. (Alternatively report from compliance management system which demonstrates that the appropriate system setting is in place.) Confirmation that the timeout limit is aligned with the relevant policy.
Hi David,
- Accounts get locked after unsuccessful login attempts: As mentioned by Ben, if you authenticate users through an active directory (or LDAP), then these settings get managed by the LDAP server.
In case you use DataMiner users, the security policy settings will be taken from the Windows server settings, as defined in secpol.msc.
- Logs of successful and unsuccessful login attempts: Successful and unsuccessful login attempts are stored in the information events in the DataMiner system.
Prior to DataMiner version 10.1.8, DataMiner doesn't log failed authentication attempts (by default). However, this can be activated.
More information on how to set this up can be found under the "Configuration of DataMiner processes" section in the help. The file that needs to be updated is "C:\Skyline DataMiner\MaintenanceSettings.xml", where the highlighted line needs to be added.
- Log files showing unsuccessful login attempts. It's advised to consult the information events rather than the log files.
- Inactive sessions are being terminated. Through the user settings, you can define the time after which inactive sessions get disconnected.
More info can be found under the user settings section in the DataMiner help.
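For the "report which demonstrates that the appropriate system setting is in place" evidence asked for under item 1, the following is an added example (not part of the thread and not DataMiner tooling) that exports the Windows local security policy shown in secpol.msc and compares the account lockout values with a policy limit. It assumes local DataMiner users, so that the Windows server settings apply as described in the answer above; the two limits are placeholders for your own policy values.

```powershell
# Added example; run in an elevated PowerShell session on the DataMiner server.
# The two limits below are placeholders: set them to the values in your own policy.
param(
    [int]$MaxAllowedAttempts = 5,
    [int]$MinLockoutMinutes  = 15
)

# Export the local security policy (the settings secpol.msc displays) to a temp file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit code $LASTEXITCODE). Is the session elevated?"
}

# Pick the three account lockout values out of the [System Access] section.
$found = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
        $found[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# A missing or zero LockoutBadCount means accounts are never locked out.
$threshold = if ($found.ContainsKey('LockoutBadCount')) { $found['LockoutBadCount'] } else { 0 }
# The duration and reset keys may be absent from the export when lockout is disabled.
$duration  = if ($found.ContainsKey('LockoutDuration')) { $found['LockoutDuration'] } else { $null }
$reset     = if ($found.ContainsKey('ResetLockoutCount')) { $found['ResetLockoutCount'] } else { $null }

$thresholdOk = ($threshold -gt 0) -and ($threshold -le $MaxAllowedAttempts)
# In the exported file, -1 means "locked until an administrator unlocks the account".
$durationOk  = ($null -ne $duration) -and (($duration -eq -1) -or ($duration -ge $MinLockoutMinutes))

# One record per server, suitable for attaching to the compliance evidence.
[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    CheckedAt                = (Get-Date).ToString('s')
    LockoutThreshold         = $threshold
    LockoutDurationMinutes   = $duration
    ResetCounterAfterMinutes = $reset
    Compliant                = $thresholdOk -and $durationOk
}
```

Piping the output to `Export-Csv` or `ConvertTo-Json` gives a file that can be submitted alongside the screenshot.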
Hi Ive.
Thanks so much for that info. I’ve managed to get everything sorted using your guide apart from the SLNet bit for the MaintenanceSettings, as I’m now trying to find where that file is to edit it.
If you could point me in the right direction that would be tremendous.
Kind regards
Dave
Hi David,
I’ve added the filepath and an example file with the correct change in the answer above.
Please note that a server restart will be required after you have updated the maintenance.xml file.
Thanks everyone for your help and explanations with this. You've saved me probably a week's work trying to find all these settings, and of course the Cyber Security Team will be over the moon that we're in compliance.
Glad we could help!
I think this blog post could also be interesting for you: https://community.dataminer.services/securing-dataminer/
More security topics will be coming soon!
To add to Ive's answer:
1. Besides the lockout policies in Windows or an external LDAP, DataMiner also provides a 'MaxConnectionAttempts' setting. DataMiner will refuse a particular client when exceeding this amount of connections in a specific timespan. For more information see MaxConnectionAttemptsCheck.
This cannot be configured through a group policy.
Note that the lowest setting will take priority: if your Windows lockout policy is set to 10 attempts and DataMiner is set to 5, DataMiner will block new attempts after the 5th attempt.
3. When the 'EnableFailedAuthenticationAttempts' setting is enabled, you can find failed authentication attempts in the history Information Events. You can also find these in the SLNet.txt logfile.
4. This is how the client looks after an automatic disconnect (I set it to 1 minute for testing purposes)
Thanks Jens for the added info. Much appreciated
Hi Ben.
Thanks for the swift reply. This is something I'll have to check, as I know that we create the users within DataMiner but I'm unsure if they're linked to the server accounts. We run DataMiner on standalone servers and access DM using the cube client software rather than a browser session.
Kind regards
Dave
Hi David – is your DataMiner System using Active Directory or maybe another LDAP compatible directory? Or are you running your DataMiner stand-alone? Because I believe this might be relevant in response to your questions. Integration with a directory is recommended, and in that case the actual authentication of the user itself is not done by DataMiner. Just checking what kind of environment / set-up you have.