Configuring Security Hardening

You can configure the maximum number of unsuccessful login attempts, password strength requirements, and alarms to improve local user security.

Context

To improve user security, you can raise password strength requirements and restrict local users' unsuccessful login attempts.

If your login password does not satisfy the security hardening policy, the system prompts you to change it. Change the password as prompted.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-security-policy enable

    The user security policy is configured.

  3. Run aaa

    The AAA view is displayed.

  4. Perform the configurations in the AAA view as required to improve user security.

    Table 1 Configurations in the AAA view

    Operation: Enable forced change of the initial password for local users.
    Command: undo user-password password-force-change disable
    Description:
    • If the current version supports forced change of the initial password for a local user, this function is enabled by default and you do not need to run this command. A local user created or reset by the administrator must change the initial password upon first login. To ensure user security, you are advised not to disable this function.
    • If the device is upgraded from an earlier version that does not support forced change of the initial password to a later version that does, this function is disabled by default. In this case, run the command to enable it and improve user security.

    Operation: Disable forced change of the initial password for a specified local user.
    Command: local-user user-name password-force-change disable
    Description: When forced change of the initial password is enabled for local users, run this command to exempt a specified user from it.

    Operation: Configure the minimum length of a local user name.
    Command: user-name minimum-length length
    Description: A newly created local user name must meet the configured minimum length; otherwise, the local user cannot be created.

    Operation: Configure the minimum password length.
    Command: user-password min-len min-length
    Description: This command applies only to passwords entered in simple text mode.

    Operation: Enable the password strength check for local users.
    Command: user-password complexity-check
    Description: -

    Operation: Configure the number of historical passwords that are checked for reuse when a local user changes the password.
    Command: user-password history-password-check historyPwdNum
    Description: -

    Operation: Configure the aging period of a local account.
    Command: user-aging (all users in the system) or local-user aging (a specific user)
    Description: If a local account stays idle for longer than the configured aging period, the account ages out automatically.
    The user-aging command applies to all users in the system; the local-user aging command applies only to the specified user. When the user-aging command has set an aging period for all users, the following applies to a specific user:
    • If the local-user aging command has not been configured for the user, the user-aging setting takes effect for that user.
    • If the local-user aging command has been configured for the user, the local-user aging setting takes precedence for that user.

    Operation: Configure the expiration date of a local account.
    Command: local-user user-name expire date
    Description: If every account on the device has an expiration date, then after the last account expires no account can log in and the device can no longer be managed. To prevent this, the last account remains valid when all management accounts (terminal, Telnet, FTP, or SSH accounts) have expiration dates configured.

    Operation: Configure the period after which the password of a local user expires.
    Command: local-user user-name password expire days
    Description: To harden network security, administrators can run the local-user password expire command to configure the period after which a password expires. When the password of a local user is changed, the system resets the period.
    The local-user password expire command applies only to local users. After a password expires, configure a new password for the user; otherwise, the user cannot log in.

    Operation: Configure the password validity period and the advance warning period before the password expires.
    Command: user-password expire expire-days prompt prompt-days
    Description: To prevent account theft through passwords that are never changed, run the user-password expire command to set the password validity period and the advance warning period before the password expires.
    Only a level-3 or higher-level administrator can run the user-password expire command.
    • The user-password expire command applies only to administrators. The system prompts the administrator to change the password N days (prompt-days) before the password expires.
    • If the administrator has not changed the password by the time it expires, the administrator is denied access to the device.

    Operation: Configure the period during which a local user is allowed to log in.
    Command: local-user user-name login-period begin-time to end-time begin-day to end-day
    Description: -

    Operation: Configure the status of a local user.
    Command: local-user user-name state { active | block [ fail-times fail-times-value interval interval-value ] }
    Description: -

    Operation: Configure the alarm and clear-alarm thresholds for unsuccessful login attempts.
    Command: login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period
    Description: -

  5. Run quit

    The system view is displayed.

  6. Run local-aaa-server

    The local AAA server view is displayed.

  7. Perform the configurations in the local AAA view as required to improve user security.

    Table 2 Configurations in the local AAA view

    Operation: Enable the password strength check for local users.
    Command: user-password complexity-check
    Description: -

    Operation: Configure the minimum password length.
    Command: user-password min-len min-length
    Description: This command applies only to passwords entered in simple text mode.

    Operation: Require a local administrator to change the initial password upon a second login.
    Command: user-password change
    Description: -

    Operation: Configure the password validity period and the advance warning period before the password expires.
    Command: user-password expire expire-days prompt prompt-days
    Description: -

    Operation: Set the status of a local user to Blocked.
    Command: user username block [ fail-times fail-times-value interval interval-value ]
    Description: -

  8. Run commit

    The configuration is committed.

Result

You can run the display current-configuration configuration configuration-type command to check the configuration.

Example

Run the display current-configuration configuration aaa command to check the AAA configuration.
<HUAWEI> display current-configuration configuration aaa
aaa
 user-password min-len 16
 user-password complexity-check
 user-password expire 90 prompt 7
 user-password change
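As an added example (not Huawei's code or output, and not part of this topic), the following Python script parses a dump in the shape of the display current-configuration configuration aaa output above and reports which of the hardening items from Table 1 and Table 2 are missing or weaker than a chosen policy. The two sample dumps and the POLICY thresholds are constructed for the example; the command syntax matched is the one given in the tables, and any line the tables do not cover is ignored.

```python
"""Audit a Huawei AAA configuration dump against the hardening items in this topic.

Added example for this page, not vendor code. Both dumps below are constructed,
and the POLICY values are placeholders to be replaced by your own standard.
"""
import re

# Constructed dump in the shape of 'display current-configuration configuration aaa',
# deliberately mixing weak and strong settings so the audit has findings to report.
SAMPLE_AAA_OUTPUT = """\
<HUAWEI> display current-configuration configuration aaa
aaa
 user-password min-len 6
 user-password expire 90 prompt 7
 user-password history-password-check 3
 user-password password-force-change disable
 local-user admin password expire 60
 local-user admin state block fail-times 3 interval 5
 local-user backup state active
 login-failed threshold-alarm upper-limit 30 lower-limit 20 period 5
"""

# Constructed dump that satisfies POLICY (the Example output on this page, extended).
HARDENED_AAA_OUTPUT = """\
aaa
 user-password min-len 16
 user-password complexity-check
 user-password expire 90 prompt 7
 user-password change
 user-password history-password-check 5
 local-user admin state block fail-times 3 interval 5
 login-failed threshold-alarm upper-limit 30 lower-limit 20 period 5
"""

# Placeholder policy thresholds (constructed for this example, not vendor defaults).
POLICY = {"min_len": 8, "max_expire_days": 90, "min_history": 5}


def parse_aaa(output):
    """Extract the Table 1 / Table 2 settings from a dump; unrelated lines are skipped."""
    cfg = {
        "min_len": None, "complexity_check": False, "expire_days": None,
        "prompt_days": None, "history": None, "force_change_disabled": False,
        "login_alarm": None, "users": {},
    }
    for raw in output.splitlines():
        line = raw.strip()  # setting lines are indented one space under 'aaa'
        if m := re.fullmatch(r"user-password min-len (\d+)", line):
            cfg["min_len"] = int(m.group(1))
        elif line == "user-password complexity-check":
            cfg["complexity_check"] = True
        elif m := re.fullmatch(r"user-password expire (\d+) prompt (\d+)", line):
            cfg["expire_days"], cfg["prompt_days"] = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"user-password history-password-check (\d+)", line):
            cfg["history"] = int(m.group(1))
        elif line == "user-password password-force-change disable":
            cfg["force_change_disabled"] = True
        elif m := re.fullmatch(
            r"login-failed threshold-alarm upper-limit (\d+) lower-limit (\d+) period (\d+)", line
        ):
            cfg["login_alarm"] = tuple(int(x) for x in m.groups())
        elif m := re.fullmatch(
            r"local-user (\S+) state (active|block)(?: fail-times (\d+) interval (\d+))?", line
        ):
            user = cfg["users"].setdefault(m.group(1), {})
            user["state"] = m.group(2)
            if m.group(3):  # lockout parameters are optional in the command syntax
                user["fail_times"], user["interval"] = int(m.group(3)), int(m.group(4))
        elif m := re.fullmatch(r"local-user (\S+) password expire (\d+)", line):
            cfg["users"].setdefault(m.group(1), {})["pw_expire"] = int(m.group(2))
    return cfg


def audit(cfg, policy=POLICY):
    """Return one finding string per hardening item that is absent or below policy."""
    findings = []
    if cfg["min_len"] is None or cfg["min_len"] < policy["min_len"]:
        findings.append(f"user-password min-len is {cfg['min_len']}; policy requires >= {policy['min_len']}")
    if not cfg["complexity_check"]:
        findings.append("user-password complexity-check is not enabled")
    if cfg["expire_days"] is None or cfg["expire_days"] > policy["max_expire_days"]:
        findings.append(f"user-password expire is {cfg['expire_days']}; policy requires <= {policy['max_expire_days']} days")
    if cfg["history"] is None or cfg["history"] < policy["min_history"]:
        findings.append(f"history-password-check is {cfg['history']}; policy requires >= {policy['min_history']}")
    if cfg["force_change_disabled"]:
        findings.append("forced change of the initial password is disabled globally")
    if cfg["login_alarm"] is None:
        findings.append("login-failed threshold-alarm is not configured")
    for name, user in sorted(cfg["users"].items()):
        if "fail_times" not in user:
            findings.append(f"local-user {name}: no fail-times/interval lockout configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_aaa(SAMPLE_AAA_OUTPUT)):
        print("FINDING:", finding)
    print("hardened dump findings:", audit(parse_aaa(HARDENED_AAA_OUTPUT)))
```

Run the script as-is to see the findings for the weak dump and an empty list for the hardened one; to audit a real device, replace SAMPLE_AAA_OUTPUT with the captured output of the display command. The parser only accepts the exact command shapes shown in the tables, so a line it does not recognise is treated as not configured, which is the safer failure mode for a compliance check.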
Copyright © Huawei Technologies Co., Ltd.