This article describes how to enforce password complexity on NetScaler.
Create a superuser account that has the same privileges as the nsroot account, with a password that adheres to the password complexity you are about to set. Navigate to System > User Administration > Users and create the user.
Execute the following commands:
> set system parameter Strongpassword (enableall/enablelocal)
Warning: Strong Password now enabled. Please ensure all the existing user passwords adhere to this restriction. Minimum Password Length is set to 4 as default.
Note: The Strongpassword parameter can have the values enableall, enablelocal, or disabled. By default it is disabled. To force strong passwords for local accounts, set the value to enablelocal. After enabling strong password (enableall / enablelocal - not included in exclude list), all passwords / sensitive information must have at least 1 lower case character, at least 1 upper case character, at least 1 numeric character, and at least 1 special character ( ~, `, !, @, #, $, %, ^, &, *, -, _, =, +, {, }, [, ], |, \, :, <, >, /, ., ,, " ").
After enabling strong passwords for the appliance, make sure that you update the passwords to match the strong password criteria. Otherwise, users with weak passwords cannot access the appliance. To locate the weak passwords, in the shell, go to the "/netscaler" directory and run the "nsconfigaudit -weakpasswd" utility.
> set system parameter minpasswordlen <positive_integer>
Note: Minimum length of system user password. When strong password is enabled, the default minimum length is 4, and the user-entered value can be greater than or equal to 4. When strong password is disabled, the default minimum value is 1. Maximum value is 127 in both cases.
Minimum value: 1
Maximum value: 127
> set system parameter timeout <secs>
Note: CLI session inactivity timeout, in seconds. If the restrictedtimeout argument is enabled, timeout can have values in the range [300-86400] seconds. If the restrictedtimeout argument is disabled, timeout can have values in the range [0, 10-100000000] seconds. Default value is 900 seconds.
> set system parameter restrictedtimeout (enabled/disabled)
Note: Enable or disable the restricted timeout behaviour. When enabled, the timeout cannot be configured beyond the admin-configured timeout, and the [minimum - maximum] range check also applies. When disabled, the timeout has the old behaviour. By default the value is disabled.
Possible values: ENABLED, DISABLED
Default value: DISABLED
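The following Python example is added here and is not Citrix code: it checks planned minpasswordlen and timeout values, and candidate account passwords, against the rules stated in this article before the settings are applied, so that no account is left with a non-compliant password. It assumes ASCII character classes and that the last entry in the special-character list is the space character; the function names and the sample accounts are constructed for illustration.

```python
import string

# Special characters exactly as listed in the article. Assumption: the final
# entry, written as " " there, is the space character.
SPECIALS = set("~`!@#$%^&*-_=+{}[]|\\:<>/., ")

def minpasswordlen_ok(value, strong_enabled):
    """minpasswordlen range: 4-127 with strong password enabled, else 1-127."""
    return (4 if strong_enabled else 1) <= value <= 127

def timeout_ok(secs, restricted):
    """timeout range: 300-86400 if restrictedtimeout is enabled, else 0 or 10-100000000."""
    if restricted:
        return 300 <= secs <= 86400
    return secs == 0 or 10 <= secs <= 100000000

def password_failures(password, minlen=4):
    """Return the strong-password rules a candidate fails ([] means compliant)."""
    # Assumption: character classes are ASCII.
    rules = [
        ("length", len(password) >= minlen),
        ("lowercase", any(c in string.ascii_lowercase for c in password)),
        ("uppercase", any(c in string.ascii_uppercase for c in password)),
        ("numeric", any(c in string.digits for c in password)),
        ("special", any(c in SPECIALS for c in password)),
    ]
    return [name for name, passed in rules if not passed]

def audit(planned, minlen=4):
    """Map each non-compliant account name to its failed rules."""
    report = {}
    for user, password in planned.items():
        failed = password_failures(password, minlen)
        if failed:
            report[user] = failed
    return report

if __name__ == "__main__":
    # Constructed sample accounts and passwords, for illustration only.
    planned = {"superadmin": "Xk7#pLm2", "monitor": "monitor1", "backup": "Ab1("}
    for user, failed in audit(planned, minlen=8).items():
        print(f"{user}: fails {', '.join(failed)}")
    print("minpasswordlen 3 valid with strong password:", minpasswordlen_ok(3, True))
    print("timeout 5 valid without restrictedtimeout:", timeout_ok(5, False))
```

Characters such as ( and ) are not in the article's list, so a password whose only non-alphanumeric characters fall outside that list is reported as failing the special-character rule.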