How to set up password constraints via UI and/or the passwordenforcement.properties file

Article ID: 159770

Products

Data Loss Prevention Enforce Data Loss Prevention

Issue/Introduction

Password constraint properties are specified in passwordenforcement.properties.

Environment

DLP 15.8.x and 16.0.x

Resolution

Password constraint properties are specified in passwordenforcement.properties, which is located in the following directory:

DLP 15.8:

<Install Drive>\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\config

DLP 16.0:

<Install Drive>\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.00000\Protect\config

DLP supports the following types of password constraints:

1. Default constraints. These constraints are specified in the passwordenforcement.properties file. Properties include:

  • Minimum length
  • Requires at least one digit
  • Requires at least one upper case letter
  • Requires at least one lower case letter
  • No single-character sequence (the same character repeated) longer than 2

2. Strong password enforcement. This feature can be chosen through the UI (system settings page). The following properties can be configured if the feature is turned on:

  • Passwords are allowed to change no more than once per day
  • Passwords must change on first login
  • Length of password history
  • Number of consecutive failed login attempts before lockout
  • Number of failed password renewal attempts before logout
  • Number of minutes before Administrator lockout is turned off. The Administrator lockout can be overridden by running a SQL script.
  • Number of days before password expiration at which the password expiration warning starts

3. Password rotation period. This feature can be chosen through the UI (system settings page). The rotation period can be specified through the UI or in the passwordenforcement.properties file.
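The default constraints listed under item 1, checked by an added Python example that is not Symantec's code; the property keys in the constructed sample file are assumptions for this example, not the real keys of passwordenforcement.properties, and "single character sequence" is read here as a run of the same character.

```python
import re

# Constructed sample in Java .properties style. The key names are assumptions
# for this example, NOT the real keys of passwordenforcement.properties.
SAMPLE_PROPERTIES = """\
# constructed example
password.minLength=8
password.requireDigit=true
password.requireUpper=true
password.requireLower=true
password.maxRepeatedChars=2
"""


def parse_properties(text):
    """Minimal parser for key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_password(password, props):
    """Return the list of violated default constraints (an empty list means compliant)."""
    violations = []
    min_len = int(props.get("password.minLength", 8))
    max_run = int(props.get("password.maxRepeatedChars", 2))
    if len(password) < min_len:
        violations.append("minimum length")
    if props.get("password.requireDigit") == "true" and not any(c.isdigit() for c in password):
        violations.append("at least one digit")
    if props.get("password.requireUpper") == "true" and not any(c.isupper() for c in password):
        violations.append("at least one upper case letter")
    if props.get("password.requireLower") == "true" and not any(c.islower() for c in password):
        violations.append("at least one lower case letter")
    # A run of the same character longer than max_run (e.g. "sss" when the limit is 2) is rejected.
    if re.search(r"(.)\1{%d,}" % max_run, password):
        violations.append("single character sequence greater than %d" % max_run)
    return violations


if __name__ == "__main__":
    rules = parse_properties(SAMPLE_PROPERTIES)
    for candidate in ("Secur3pass", "secur3pass", "Passsword1"):
        print(candidate, "->", check_password(candidate, rules) or "compliant")
```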

Implementation

ProtectRealm (the login realm) performs the following checks:

  1. Expires the Administrator lockout.
  2. Checks for password correctness.
  3. Resets the last password renewal date if the password must be changed on first login. The actual check for password expiration is performed in the PasswordExpirationFilter.
  4. Resets the lockout count on a successful login attempt.
  5. Marks the password as compliant or non-compliant.
  6. Increments the count if it is a failed login attempt. Marks the account as locked if the number of failed login attempts reaches the specified limit. Also logs a system event.
  7. Checks whether the account is marked as disabled.

The PasswordExpirationFilter does the following:

  1. Tests for an expired password and presents the password renewal page.
  2. Performs password renewal if this is a valid renewal request.
  3. Logs out the user if the number of renewal requests exceeds the specified limit.