6.4.2. Session start lock



6.4.2.1. Manually, for all

Interactive method

1C:Enterprise allows you to prohibit users from starting new sessions with the infobase. While the lock is in effect, any attempt to access the infobase is rejected with an error message that states the reason for the prohibition. This is useful when, for example, you need all current users to close their sessions and want to be sure that no new users can connect in the meantime.

In client/server mode, you can enable this lock with the 1C:Enterprise server cluster administration utility.

To connect to the infobase regardless of the lock, use the UC command-line parameter or the UC connection string parameter. If a non-empty access code was specified when the lock was set, pass that code in the UC parameter to bypass the lock and connect to the infobase. If the access code contains spaces, enclose it in quotes.

When using a web client or a thin client running via a web server, you can also specify the access code in the UC connection string parameter of the descriptor file (see the default.vrd article). In this case, a separate publication of the infobase on the web server is recommended.

For example, when the session start lock is set with the access code 123, you need to add /UC123 to the client application startup command line in order to bypass the lock.

Software method

In any infobase mode, you can enable the session start lock from 1C:Enterprise language. The SessionsLock object of the 1C:Enterprise language is used for this purpose: create it with the New constructor and set the properties required for locking new connections. The message displayed to users (the SessionsLock.Message property) can be a plain text string or a formatted string.

The global context method SetSessionsLock() enables the lock, and the GetSessionsLock() method returns the lock that is currently set.
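The following 1C:Enterprise language snippet is an added example, not code from the 1C documentation. It enables a one-hour session start lock with an access code, and removes it again once maintenance is over. The SessionsLock properties Use, Begin, End, Message and KeyCode are the object's standard properties; the message text, the one-hour window and the access code "123" are constructed values for this example.

```bsl
// Added example (not from the 1C documentation): enable a session start lock
// for a maintenance window. Must run in a context where SetSessionsLock()
// is available (server, thick client or external connection) under a user
// with the Administration right.
Procedure LockSessionsForMaintenance() Export

	Lock = New SessionsLock;
	Lock.Use     = True;
	Lock.Begin   = CurrentSessionDate();
	Lock.End     = Lock.Begin + 3600;   // seconds: lock expires after one hour
	Lock.Message = "The infobase is closed for maintenance until "
	             + Format(Lock.End, "DLF=T")
	             + ". Please finish your work and sign out.";
	Lock.KeyCode = "123";               // constructed access code; bypass with /UC123

	SetSessionsLock(Lock);

EndProcedure

// Read the lock that is currently set and disable it if it is active.
Procedure UnlockSessions() Export

	Lock = GetSessionsLock();
	If Lock.Use Then
		Lock.Use = False;
		SetSessionsLock(Lock);
	EndIf;

EndProcedure
```

Setting End means the lock switches off by itself when the window passes, so a forgotten lock cannot keep users out indefinitely; UnlockSessions() is for ending it early. Keep the KeyCode out of any message or log that ordinary users can read, since anyone who knows it can connect while the lock is in effect.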

6.4.2.2. Default lock when a password is under attack

A password attack is one of the methods that can be used to gain unauthorized access to infobase data. In this scenario, an attacker tries passwords for a selected user according to a predefined algorithm until one of them is accepted and the password becomes known to the attacker. To counter this, 1C:Enterprise provides a dedicated mechanism that is available in the client/server mode of the infobase only.

An administrator manages this mechanism by configuring the following infobase parameters (to open the dialog box, go to Main menu – Administration – Infobase parameters):

  • Maximum number of failed authentication attempts. Defines how many times a user may enter a wrong password before access is blocked. Access is blocked as soon as the number of consecutive failed authentication attempts reaches N+1, where N is the parameter value. In other words, if this parameter is equal to 2, a user is blocked as soon as their third attempt to authenticate fails.

    If this parameter is equal to 0, the mechanism is disabled, and the platform does not track the number of failed authentication attempts.

  • Lock duration on exceeding the maximum number of failed authentication attempts (in seconds). Defines the period during which a user cannot authenticate after the number of wrong-password attempts has exceeded the value of the Maximum number of failed authentication attempts parameter.
  • User name add-on codes when authentication is blocked. Allows an already blocked user to make further authentication attempts. Add-on codes are separated by ";". The user signs in with a username formed from the blocked user's name and one of the add-on codes. A username formed with an add-on code has as many authentication attempts as an ordinary user; once all of them have been used, this "extra" user is blocked as well.

This feature works as follows:

  • A malicious user enters a username and attempts to guess the password by entering values expected to be valid for that user. As soon as the allowed number of failed authentication attempts is exceeded, the entered username is blocked.
  • If the legitimate user then attempts to sign in with their name and password, a warning is displayed stating that the user has been blocked.
  • If add-on codes are specified for the infobase, the blocked user can still sign in by entering their name followed by an add-on code. Note that an add-on code is analyzed only if the specified username is not in the list of infobase users: the add-on codes from the settings are tried in turn, each one is stripped from the end of the entered username, and the platform checks whether an infobase user with the remaining name exists. Therefore, avoid add-on codes that coincide with the end of an existing username: if such a user is blocked, they will not be able to sign in using add-on codes. It is also recommended to start each add-on code with "technical" characters that cannot appear in a username, for instance "!", "^", and so on.

To view the list of blocked users, in Designer, click Main menu – Administration – Blocked authentication. This form is available to every user with the Administration or DataAdministration right. Information about blocked users is also recorded in the event log.

Data about blocked users is stored by the auxiliary functions service of the cluster. This has two consequences:

  1. If the only administrator is blocked, restart the server cluster to be able to sign in with that username.
  2. Failed sign-in attempts are counted from the last successful sign-in without any time limit. However, restarting the server cluster resets the counters for all infobase users.

To manage the block feature, use the AuthenticationBlock global context object. Use this object to read and change the feature settings (the GetSettings() and SetSettings() methods) and to retrieve the list of current blocks (the GetBlocks() method).

In 1C:Enterprise language, you can force unblocking of all or selected blocked users. To do this, get the list of current blocks, which is returned as an array of InfoBaseUserAuthenticationLock objects, select the users to unblock based on the properties of these objects, and call the Unlock() method of each selected object.
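The following 1C:Enterprise language procedure is an added example, not code from the 1C documentation. It implements the unblocking steps described above: AuthenticationBlock.GetBlocks() and the Unlock() method of InfoBaseUserAuthenticationLock are the names given in this section; the property used to read the blocked user's name (UserName) is an assumption and should be checked against the syntax assistant of your platform version.

```bsl
// Added example (not from the 1C documentation): unblock selected users, or all
// blocked users, after an authentication lock. Runs on the server under a user
// with the Administration right.
// UsersToUnlock: Array of usernames to unblock, or Undefined to unblock everyone.
// Returns the number of locks that were removed.
Function UnblockAuthentication(UsersToUnlock = Undefined) Export

	Removed = 0;
	Blocks = AuthenticationBlock.GetBlocks();   // Array of InfoBaseUserAuthenticationLock

	For Each Block In Blocks Do
		// Block.UserName is an ASSUMED property name for the blocked user's name.
		If UsersToUnlock = Undefined
		   Or UsersToUnlock.Find(Block.UserName) <> Undefined Then
			Block.Unlock();
			Removed = Removed + 1;
		EndIf;
	EndDo;

	Return Removed;

EndFunction

// Usage: unblock one named user (constructed sample value).
// Names = New Array;
// Names.Add("Accountant");
// Count = UnblockAuthentication(Names);
```

Unblocking only the names you have verified with their owners, rather than everyone, keeps the lock in place for the usernames that are actually being attacked; the event log records which usernames accumulated the failed attempts and is the place to confirm that before calling this procedure.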
