
Thread: New feature in version 11.28: Security Policy

  1. #1
    Member
    Join Date
    Jul 2008
    Posts
    10

    New feature in version 11.28: Security Policy

    In the upcoming 11.28 version, cPanel/WHM will include the Security Policy feature.

    This will allow WHM and cPanel account owners to:
    • Set a maximum password age. (Once the password hits that age, it must be reset.)
    • Require users from unrecognized IPs to answer security questions before they can access the server's cPanel, WHM, and webmail interfaces.


    If you have questions or comments about this feature, feel free to enter them here. Thanks!

  2. #2
    Member inetbizo's Avatar
    Join Date
    Mar 2008
    Location
    New Smyrna Beach, FL US
    Posts
    56
    cPanel/WHM Access Level

    Root Administrator

    End user support documentation

    Can you provide a zip file with screen capture images and a proposed knowledgebase article?
    StrikeHawk eCommerce Inc. * osCommerce Community Support Specializes in CRE Loaded open source e-commerce cart.

  3. #3
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator


    There is a white paper on the security policy at this location:

    Software Releases - cPanel Inc.

    I'm attaching a screen print of the area in WHM to this message.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  4. #4
    Member manokiss's Avatar
    Join Date
    Mar 2002
    Posts
    544

    Hi, does this policy apply to WHM login as root too? It will be great to have those features enabled at the end user, so it is just an option the end user can enable/disable, but it sounds like enabling it will be applied to everyone including root WHM, without an option to disable it individually.

    Also, is there any API command to bypass the policy? Most billing programs allow users to reset the cPanel password through them, but they will most probably fail if the password strength is weak, and as far as I know there isn't a way to match the password strength of those programs with the one cPanel uses.

    Thanks!

  5. #5
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,565
    cPanel/WHM Access Level

    DataCenter Provider

    Originally posted by manokiss:
    Hi, does this policy apply to WHM login as root too? It will be great to have those features enabled at the end user, so it is just an option the end user can enable/disable, but it sounds like enabling it will be applied to everyone including root WHM, without an option to disable it individually.

    Also, is there any API command to bypass the policy? Most billing programs allow users to reset the cPanel password through them, but they will most probably fail if the password strength is weak, and as far as I know there isn't a way to match the password strength of those programs with the one cPanel uses.

    Thanks!

    Yes; the security policy applies to all users, including root. Connecting to the API should not pose any difficulty provided that your third-party applications are configured to authenticate using the Remote Access Key (hash) that is obtained via WebHost Manager.

  6. #6
    Member manokiss's Avatar
    Join Date
    Mar 2002
    Posts
    544

    Thanks for the reply, but I didn't mean that....

    If this is only a switch to enable server-wide for all users, it is not really good; it will be great to enable the option and then each user enables/disables it through their cPanel as they like. Forcing all of them to change passwords from time to time is not good; it is a good idea and good practice, but many clients will not like you forcing them.

    About the API... I mean if the password strength is enabled and the billing system attempts to change the password to something not as strong as the one cPanel wants, it simply errors; somehow it will be great if the API allows you to use any password no matter the password strength level you have configured in cPanel, and only forces the user to that strong level if they attempt to change it through cPanel directly.

    Not sure if I was clear.

  7. #7
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,565
    cPanel/WHM Access Level

    DataCenter Provider

    Originally posted by manokiss:
    Thanks for the reply, but I didn't mean that....

    If this is only a switch to enable server-wide for all users, it is not really good; it will be great to enable the option and then each user enables/disables it through their cPanel as they like. Forcing all of them to change passwords from time to time is not good; it is a good idea and good practice, but many clients will not like you forcing them.

    About the API... I mean if the password strength is enabled and the billing system attempts to change the password to something not as strong as the one cPanel wants, it simply errors; somehow it will be great if the API allows you to use any password no matter the password strength level you have configured in cPanel, and only forces the user to that strong level if they attempt to change it through cPanel directly.

    Not sure if I was clear.

    If you would like a specific enhancement to the Security Policies implementation I recommend posting a detailed feature request in the following forums section: Feature Requests for cPanel and WHM - cPanel Forums

    For more verbose information, including applicable API implications, please reference the following PDF document entitled Description of the cPanel Security Policy Plugin System.

    Related documentation and navigational menu paths:

  8. #8
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,143
    cPanel/WHM Access Level

    Root Administrator

    Re: New feature in version 11.28: Security Policy

    Originally posted by manokiss:
    Thanks for the reply, but I didn't mean that....

    If this is only a switch to enable server-wide for all users, it is not really good; it will be great to enable the option and then each user enables/disables it through their cPanel as they like. Forcing all of them to change passwords from time to time is not good; it is a good idea and good practice, but many clients will not like you forcing them.

    About the API... I mean if the password strength is enabled and the billing system attempts to change the password to something not as strong as the one cPanel wants, it simply errors; somehow it will be great if the API allows you to use any password no matter the password strength level you have configured in cPanel, and only forces the user to that strong level if they attempt to change it through cPanel directly.

    Not sure if I was clear.

    You can force a single user to change their password, or multiple users. It's not a single 'force everyone to change their passwords at once' mechanism.

    The minimum password strength feature has been in the product for a couple years now. Established 3rd party applications should already be able to handle interaction with this feature. That of course can only be answered by your application developer. The threshold is enforced at the API level as well.
    Kenneth
    Development
    cPanel, Inc.

  9. #9
    Member
    Join Date
    Nov 2001
    Posts
    610

    Re: New feature in version 11.28: Security Policy

    Originally posted by cPanelMelanie:
    • Require users from unrecognized IPs to answer security questions before they can access the server's cPanel, WHM, and webmail interfaces.
    What would be considered an "unrecognized" IP address? (ie: Where does the list of recognized IPs get created and managed?)

    If it's a manual list, then no way. With a server of a hundred different customers, it would be impossible to constantly maintain a list of IPs where the customer can login from.

    If it's automated... then how does the automation work?

    Thanks.
    I am an eNom ETP.
    Sign up today if you want an eNom.com domain reseller account from a reliable provider.
    * We now provide support and service to over 3250 happy resellers!

  10. #10
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Re: New feature in version 11.28: Security Policy

    The first time the user logs into cPanel, it grabs that IP as their default IP and asks them to set a series of security questions. If they log in from a different IP into cPanel in the future, they will then be required to answer those security questions in order to log in. At that point, the new IP is also added to the list for recognized IPs. If they are unable to answer the security questions, they will be unable to log in unless someone resets their security questions and IP login (via root).
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support
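
The recognized-IP flow described in post #10, as an added example that is not part of the original thread and is not cPanel's code. It is a small Python model in which the class name, the status strings and the salted-hash storage of answers are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, os

class RecognizedIpGate:
    """Illustrative model of the flow in the post; not cPanel's implementation."""

    def __init__(self):
        # user -> {"ips": set of str, "salt": bytes, "answers": {question: digest}}
        self.users = {}

    @staticmethod
    def _norm_ip(ip):
        # Canonical text form so equivalent spellings of one address compare equal.
        return ipaddress.ip_address(ip).compressed

    @staticmethod
    def _digest(salt, answer):
        # Assumption: answers are stored only as salted PBKDF2 digests.
        norm = answer.strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

    def login(self, user, ip, answers=None):
        """Run after the password check has passed; returns a status string."""
        ip = self._norm_ip(ip)
        rec = self.users.get(user)
        if rec is None:
            if not answers:
                return "setup_required"      # first login: questions must be set
            salt = os.urandom(16)
            hashed = {q: self._digest(salt, a) for q, a in answers.items()}
            self.users[user] = {"ips": {ip}, "salt": salt, "answers": hashed}
            return "enrolled"                # first IP becomes the default IP
        if ip in rec["ips"]:
            return "ok"
        if not answers:
            return "challenge"               # unrecognized IP: ask the questions
        ok = set(answers) == set(rec["answers"])
        for q, stored in rec["answers"].items():
            given = self._digest(rec["salt"], answers.get(q, ""))
            ok &= hmac.compare_digest(stored, given)   # constant-time compare
        if not ok:
            return "denied"                  # wrong answers: no login from this IP
        rec["ips"].add(ip)                   # new IP joins the recognized list
        return "ok_ip_added"

    def root_reset(self, user):
        # Root clears both the questions and the recognized IPs for the user.
        self.users.pop(user, None)
```

In this model the recognized set only grows until root resets it, so a user on dynamic addressing accumulates entries over time.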


  11. #11
    Member
    Join Date
    Nov 2001
    Posts
    610

    Re: New feature in version 11.28: Security Policy

    That sounds pretty good.

    Hopefully it won't result in too many customers asking for a manual reset.

    Will they be able to select their own security questions?

    I've seen lots of "secure" websites with this kind of setup, but they provide the list of questions.. and they are often ones that I would not remember.

    So a good way to do this would be to ask the customer to provide their own questions and answers. (ie: Don't use a drop down list of "premade" questions. Or if you do, please still let them enter their own "other" questions.)

    Thanks!
    I am an eNom ETP.
    Sign up today if you want an eNom.com domain reseller account from a reliable provider.
    * We now provide support and service to over 3250 happy resellers!

  12. #12
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Re: New feature in version 11.28: Security Policy

    You can create your own questions. I've attached a screen print of the cPanel area.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  13. #13
    Registered User
    Join Date
    Nov 2010
    Posts
    2


    This is another nonsense feature.

    Recent research into password strength concludes that frequently changing passwords is a WASTE OF TIME.

    Why doesn't cPanel put effort in making current features usable? Like that butt-ugly "error log" that forces the use of an html window (and doesn't offer the option to write errors to a user error file) --- doesn't even wrap text and has to be refreshed for every update?

    TALK ABOUT USELESS!

    Instead of getting a fix, we get MORE USELESS FEATURES!

    This is another "solution" in search of a problem.

    Why doesn't the cPanel dev team focus their attention on fixing the BUGS that have already been reported, instead of adding new (useless) "features" that nobody needs?
    Last edited by cPanelTristan; 11-11-2010 at 03:59 PM. Reason: three posts in a row, combining into one

  14. #14
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Re: New feature in version 11.28: Security Policy

    The security policy doesn't just encourage changing passwords. It also limits logins (when that option is enabled) to only the user's IP along with needing security questions to be answered if logging in from a different IP. How precisely is it useless to require IP-based logins and security questions to be answered if you log in from a different IP than normal?

    Certainly, if you are dissatisfied with the current features available, you should post feature requests for changes to the existing features. Such feature requests are taken seriously when done in a civil manner.
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

  15. #15
    Member
    Join Date
    Mar 2010
    Location
    Jakarta, Indonesia
    Posts
    23

    Re: New feature in version 11.28: Security Policy

    Dear,

    The 4 security questions confuse my client! They must create the 4 security questions before they can log in. This security model is unusual. I think it would be better if cPanel provided a common solution, like a CAPTCHA.

    Overall, the password strength is a very good implementation. Keep up the good work!

    Regards
    www.kotakomputer.net - Indonesian CPanel Specialist - 082 111 978 168
