Security Settings

General For Administrators System Configuration Last updated: June 20, 2025 Version: 1.0

Security Settings

Configure comprehensive security controls for your organization, including password policies, two-factor authentication requirements, IP restrictions, and session management.

Overview

The Security Settings section allows administrators to define and enforce security policies across the organization. These settings help protect sensitive data, ensure compliance with security standards, and reduce the risk of unauthorized access.

Accessing Security Settings

Log in with an administrator account
Navigate to Admin Dashboard → System Configuration → Security Settings
Different tabs organize related security controls

Password Policy Configuration

Password Requirements

Configure password complexity requirements:

Minimum Length: Set the minimum number of characters (8-32)
Character Types: Require combinations of uppercase, lowercase, numbers, and special characters
Dictionary Check: Block common words and passwords
Personal Information: Prevent using personal information in passwords

Password Expiration

Password Age: Set maximum days before passwords must be changed (30-365 days)
Password History: Prevent reusing recent passwords (1-24 previous passwords)
Grace Period: Allow a window to update expiring passwords (1-14 days)

Account Lockout

Failed Attempts: Number of failed login attempts before lockout (3-10 attempts)
Lockout Duration: Time account remains locked (5-60 minutes)
Reset Counter: Time until failed attempt counter resets (5-60 minutes)

Two-Factor Authentication (2FA) Settings

2FA Enforcement

Required for Roles: Require 2FA for specific user roles (e.g., administrators, managers)
Grace Period: Allow users time to set up 2FA (1-30 days)
2FA Methods: Choose which 2FA methods to enable (authenticator app, backup codes)

2FA Recovery

Backup Codes: Set number of backup codes provided (5-15 codes)
Administrator Reset: Allow administrators to reset user 2FA
Reset Verification: Configure identification requirements for 2FA resets

IP Restriction Management

Allowed IP Ranges

Add IP Range: Define IP addresses or CIDR ranges that can access the system
Range Naming: Label IP ranges for easier management
Enforcement Level: Set validation mode (monitor, warn, enforce)

Location-Based Restrictions

Location Assignments: Restrict specific locations to certain IP ranges
Exception Users: Define users exempt from IP restrictions
Off-Network Access: Configure policies for remote workers

Session Security

Session Management

Session Timeout: Set inactive time before automatic logout (1-240 minutes)
Concurrent Sessions: Allow or restrict multiple simultaneous logins
Remember Me: Enable/disable persistent login functionality
Session Revocation: Immediately terminate all active sessions

Mobile Security

Device Verification: Require verification of new mobile devices
Device Management: View and manage authorized devices
Offline Access: Configure security rules for offline app usage

Activity Monitoring

Security Logging

Login Monitoring: Track successful and failed login attempts
Critical Actions: Log security-sensitive operations
Export Options: Download security logs for compliance and analysis
Retention Period: Configure how long logs are kept (30-730 days)

Best Practices

For optimal security configuration:

Balance security and usability: Overly restrictive policies may lead to workarounds
Implement progressive security: Start with basic requirements and gradually increase
Communicate changes: Inform users before implementing new security policies
Review regularly: Audit security settings quarterly to ensure they remain appropriate
Test thoroughly: Verify impact on different user types before full deployment