Set Security Options

Why set security options?

Setting the security options protects the Qualys platform from unauthorized access. Only IP addresses that have been authorized are permitted to reach the Qualys platform, through both the graphical user interface (GUI) and the application programming interface (API).

Note: Access to the platform can be restricted to specific public IP addresses based on the subscription requirements.

 

Who can set security options?

Managers can do this by going to Users > Setup > Security. Advanced security options must be set to prevent unauthorized users from accessing the service. 

Dashboard of Users showing the sequence.

Note: Be sure to click Save after making changes.

How do I restrict access?

You can restrict access by IP address. Select the option Allow connections from the following IPs only and enter the IP addresses that should be allowed to connect to your subscription. An unlimited number of IPs may be entered. Users with valid accounts will only be able to connect to the service from one of the allowed IPs.

Restricted access that allows only the IPs.

Tip - Be sure to add your own IP to the list of allowed IPs or you will not be able to log back in to the service. For your convenience, your IP is displayed on screen.

IP addresses dynamically assigned?

If your client is assigned an IP address dynamically, such as through DHCP, enter the entire possible IP range in the Allowed IPs list. If your IP address changes and the new IP is not listed, then you will not be able to log back in to the service.
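The allowlist logic described above, written out as an added example (not Qualys code): it parses entries as single addresses or CIDR ranges (a DHCP pool entered as its whole range), decides whether a client address is permitted, and applies the tip's pre-save check that the administrator's own address is on the list. The entry formats and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample allowlist, standing in for what an administrator would
# type into "Allow connections from the following IPs only": single addresses
# and CIDR ranges (a DHCP pool entered as its entire possible range).
SAMPLE_ALLOWLIST = [
    "198.51.100.7",      # fixed egress address of an office
    "203.0.113.0/24",    # DHCP pool, entered as the entire possible range
]

# Entries that would admit every address and so defeat the restriction.
WILDCARDS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_allowlist(entries):
    """Parse allowlist entries into ip_network objects.

    Raises ValueError on a malformed entry instead of skipping it, so a typo
    cannot silently shrink (or widen) the rule set. A bare address becomes a
    /32 (or /128) network; strict=False lets "203.0.113.5/24" mean its /24.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def check_before_save(admin_ip, entries):
    """Pre-save checks mirroring the page's tip: the administrator's own
    address must be allowed (otherwise they lock themselves out), and no
    entry may be a wildcard that admits every address.

    Returns the parsed networks on success, raises ValueError otherwise.
    """
    networks = parse_allowlist(entries)
    wildcards = [str(n) for n in networks if n in WILDCARDS]
    if wildcards:
        raise ValueError(f"wildcard entries {wildcards} would allow any address")
    if not is_allowed(admin_ip, networks):
        raise ValueError(
            f"your own address {admin_ip} is not allowed; saving would lock you out"
        )
    return networks


if __name__ == "__main__":
    nets = check_before_save("203.0.113.42", SAMPLE_ALLOWLIST)
    for probe in ("203.0.113.42", "198.51.100.7", "198.51.100.8"):
        print(probe, "allowed" if is_allowed(probe, nets) else "denied")
```

The parser deliberately fails loudly on a bad entry: an allowlist that silently drops a malformed line is how an administrator ends up locked out, or, with a mistyped prefix length, lets in far more than intended.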

Tell me about password security

Select the password security settings you want to enforce for all users in the subscription.

Password security settings.

Password expiration options

Go to Users > Setup > Security and scroll down to the Password Security section. Here you can define how often users will need to change their password. We start counting from the date the password was last changed or when it was first created, not from when you turn on this feature. For example, if you turn on this feature and set passwords to expire after 1 month and your password was last changed over a month ago then we'll expire your password and you'll need to change it.

Want to notify users before their password expires? No problem. You can have the user notified in the UI and/or by email. Choose when to notify the user and how often email notifications will be sent.

Want users to be prompted at login to change passwords? Select these options: Allow users to change expired passwords at login and Allow user defined passwords.

Want passwords to never expire? Clear the "Password expires after N months" check box. Keep in mind that password security settings are global settings and apply to *all* user accounts in the subscription.
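To make the expiration arithmetic concrete, here is an added example (not Qualys code) that classifies a password as ok, expiring or expired against the settings above. It counts from the date the password was last changed or created, not from the day the policy is enabled, which is why a password changed more than a month ago is expired the moment a one-month policy is switched on. The e-mail reminder schedule (first notice when the window opens, then every N days) and the dates are constructed assumptions.

```python
import calendar
from datetime import date


def add_months(d, months):
    """Add calendar months to a date, clamping the day to the target month's
    length (31 Jan + 1 month is 28 or 29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def password_status(last_changed, today, expire_after_months,
                    notify_days_before, email_every_days):
    """Classify a password against the expiration policy.

    Returns (state, expires_on, email_due) where state is 'ok', 'expiring'
    (inside the notification window) or 'expired'. The clock starts at
    last_changed, the date the password was last changed or first created,
    not the day the policy was switched on, so a password changed more than
    expire_after_months ago is expired as soon as the policy is enabled.
    email_due is True on the day the window opens and every
    email_every_days after that (an assumed schedule, not stated on the page).
    """
    expires_on = add_months(last_changed, expire_after_months)
    if today >= expires_on:
        return "expired", expires_on, False
    days_left = (expires_on - today).days
    if days_left > notify_days_before:
        return "ok", expires_on, False
    days_into_window = notify_days_before - days_left
    return "expiring", expires_on, days_into_window % email_every_days == 0


if __name__ == "__main__":
    # Constructed dates: policy "expire after 1 month", notify 7 days before,
    # e-mail every 3 days, enabled today on a password last changed 6 weeks ago.
    print(password_status(date(2024, 1, 15), date(2024, 2, 26), 1, 7, 3))
```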

User defined passwords

When selected, users must define passwords following the guidelines under password security. Please note:

- 8 characters is the minimum password length unless this is set higher by a Manager.

- Password guidelines also apply to secure PDF report passwords.

- User defined passwords is turned on automatically in Express Lite subscriptions.

You'll see several password options. Select each option you want to enforce. Your options include: 

- Password must contain at least one lowercase letter.

- Password must contain at least one uppercase letter.

- Password must contain at least one numeric character.

- Password must contain at least one special character.

- Password must not contain 3 identical characters in a row. For example, the password cannot include aaa, bbb, 222, etc. 

- Password must not contain 3 or more sequential alphabetic or numeric characters in a row (in ascending or descending order). For example, the password cannot include abc, cba, xyz, zyx, 012, 123, 321, 210, and so on.

- Password must not contain user's first name or last name. For example, the user John Doe cannot have a password like 88johnab3!e or doe!6209ad# because these passwords contain the user’s name. 
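The rules in the list above, implemented as an added example validator (not Qualys code) so each rule can be checked against a candidate password. It reports every rule a password breaks rather than stopping at the first one. Two details are assumptions not stated on the page: letters in a sequential run are compared case-insensitively, and "special character" means ASCII punctuation.

```python
import string

SPECIAL_CHARS = set(string.punctuation)   # assumed meaning of "special character"
LETTERS = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def has_identical_run(pw, n=3):
    """True if any n consecutive characters are identical (aaa, 222)."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw, n=3):
    """True if any n consecutive characters form an ascending or descending
    run within the alphabet or within the digits (abc, zyx, 012, 321).
    Letters are compared case-insensitively (an assumption). A window that
    mixes letters and digits (z01) never counts as a run.
    """
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n].lower()
        for alphabet in (LETTERS, DIGITS):
            if all(c in alphabet for c in window):
                positions = [alphabet.index(c) for c in window]
                steps = {b - a for a, b in zip(positions, positions[1:])}
                if steps == {1} or steps == {-1}:
                    return True
    return False


def violations(password, first_name="", last_name="", min_length=8):
    """Return the list of rules from the page that `password` breaks.
    An empty list means the password satisfies every rule."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    if has_identical_run(password):
        problems.append("3 identical characters in a row")
    if has_sequential_run(password):
        problems.append("3 or more sequential characters")
    lowered = password.lower()
    for name in (first_name, last_name):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    return problems


if __name__ == "__main__":
    # The page's example user, John Doe, with the page's two rejected
    # passwords and one constructed password that passes every rule.
    for pw in ("88johnab3!e", "doe!6209ad#", "Tr0ub4dor&Q"):
        print(pw, violations(pw, "John", "Doe") or "ok")
```

Reporting all violations at once is what a user-facing form should do; a server-side check that only needs a yes/no answer can simply test whether the returned list is empty.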

Force password change at initial login

When selected, new users will be prompted to change their password when they log in for the first time. (This option is turned on automatically in Express Lite subscriptions.)

Lock account after failed login attempts

We recommend this setting to prevent password brute forcing attacks. If a user is locked out, the user's account must be re-activated by a Manager or Unit Manager.

Password never expires for API access

Organizational security policies require that account passwords be set to expire periodically. This can be problematic for API accounts that are not monitored regularly, as it is difficult to know when a password has expired until the API integration is broken.

Set the password of such API-only access accounts to never expire. The password of such accounts will not expire until a password change request is initiated through the UI or the password change API. Note that this may pose a security risk and you must accept an agreement acknowledging and accepting the risk to activate this feature. As per the organizational password security standards, Qualys recommends that account owners change the account password periodically. You can decline this agreement and opt out of this feature at any time.

Note: You must be a Manager POC user to access this feature.

To activate this feature, perform the following steps:

1. Contact your Technical Account Manager or Qualys support to activate this feature for your subscription.

2. After the activation, navigate to Users > Setup, and click Password Never Expires.

3. Read and accept the agreement describing the associated security risk.

4. In the Users tab, edit the user account with API-only access.

5. In the Security tab of the Edit User dialog box, under Password Never Expires for API Access, select the Set the password of this account to “Never Expire” check box.

Symantec VIP

Select this option if you want to require all users to log in using Symantec VIP two-factor authentication. If selected, all users will be required to provide a Symantec VIP credential ID and a one-time security code in addition to their login name and password each time they log in to the user interface.

Symantec validation and ID Protection.

Tell me about external IDs

External IDs can be added to user account settings by the Manager Primary Contact (for the subscription). The Manager Primary Contact has the option to allow other Managers, Unit Managers and User Administrators to edit external IDs for users. Follow these steps: 1) select the External IDs security setting "Allow other users to manage external IDs", and then 2) edit each manager's account to grant this permission.

Allowing other users to manage External IDs.

What if I clear this option after granting permission to users?

The permission is immediately removed from all users who have it, and it cannot be assigned to new users. The Manager Primary Contact can turn it on again at any time, allowing users who previously had the permission to have it again.

New Data Security Model

In order to provide new features, such as Scheduled Reporting and Asset Tagging, we are migrating customers to a new powerful data security model. A green check mark next to a new feature indicates that it is available for use within your subscription. Once you accept the new data security model, you cannot undo this action in the application. Please Contact Support if you would like to disable this option.

New data security model.

Are you an Express Lite user? If yes, the New Data Security Model is turned on for your subscription.

How do I configure session timeout?

Define how long a user's session may be inactive before automatically timing out. You can make a global setting that applies to all users or customize this setting based on the user role. This setting applies to all new user sessions. Only Managers can enable this option. For both global and customized session timeouts, choose a value between 10 and 240 minutes. The default setting of 60 minutes is considered a best practice.

Customization of Session timeout.

Why might I increase the global setting?

It may be desirable to increase this setting so that users do not lose their place in the application, for example when conducting routine business, attending meetings and taking breaks. To accommodate for these situations, a Manager may choose to increase the session timeout to a maximum of 240 minutes. The added security risk of increasing the session time out can be mitigated by ensuring that screen savers at the operating system level are set to time out after a reasonable amount of time that's in line with your corporate security policies.

If you change this setting, users will need to log in again for your changes to take effect.

Why do I need to set different session timeouts for users?

Different session timeouts let you give more restricted users a shorter timeout. For example, you can set a timeout of 15 minutes for most users and then define a longer session timeout for the users who need to stay logged in for longer periods because of long-running tasks.

Can I specify a session timeout for a particular user?

While creating or editing a user, you can specify a session timeout for this user in the Security section. Note that this user-specific timeout takes precedence over the role-based timeout.
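The precedence rules of this section (user-specific over role-based over global, each within 10 to 240 minutes, 60 by default), as an added example that is not Qualys code. It resolves the effective timeout for a user and then walks a list of request timestamps to find the first request that arrives after the session has been idle that long. The role names, the dict shape of a user record and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

MIN_TIMEOUT, MAX_TIMEOUT, DEFAULT_TIMEOUT = 10, 240, 60


def validate_timeout(minutes):
    """Reject values outside the 10 to 240 minute range the page allows."""
    if not isinstance(minutes, int) or not MIN_TIMEOUT <= minutes <= MAX_TIMEOUT:
        raise ValueError(
            f"session timeout must be {MIN_TIMEOUT}-{MAX_TIMEOUT} minutes, got {minutes!r}"
        )
    return minutes


def effective_timeout(user, role_timeouts, global_timeout=DEFAULT_TIMEOUT):
    """Resolve the timeout that applies to one user.

    Precedence follows the page: a timeout set on the user account wins over
    the role-based one, which wins over the global setting. `user` is a dict
    with 'role' and an optional 'session_timeout' (a constructed shape).
    """
    if user.get("session_timeout") is not None:
        return validate_timeout(user["session_timeout"])
    if user["role"] in role_timeouts:
        return validate_timeout(role_timeouts[user["role"]])
    return validate_timeout(global_timeout)


def first_timed_out_request(request_times, timeout_minutes):
    """Walk a session's request timestamps in order and return the index of
    the first request that arrives after the idle gap since the previous one
    reached the timeout (that request would have to log in again), or None
    if the session never went idle that long."""
    limit = timedelta(minutes=timeout_minutes)
    for i in range(1, len(request_times)):
        if request_times[i] - request_times[i - 1] >= limit:
            return i
    return None


def sample_requests(*minute_offsets):
    """Constructed request timestamps: the given minute offsets from a fixed
    session start, used for the demonstration below."""
    start = datetime(2024, 3, 1, 9, 0)
    return [start + timedelta(minutes=m) for m in minute_offsets]


if __name__ == "__main__":
    # Constructed configuration: 15 minutes for most users, longer for a role
    # that runs long tasks, and one user with an account-level override.
    roles = {"Reader": 15, "Scanner": 120}
    print(effective_timeout({"role": "Reader"}, roles))                         # 15
    print(effective_timeout({"role": "Manager"}, roles))                        # 60
    print(effective_timeout({"role": "Reader", "session_timeout": 30}, roles))  # 30
    print(first_timed_out_request(sample_requests(0, 5, 30), 15))               # 2
```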