Prevent Account Harvesting by exploiting account lockout.

Username information is exposed when the account lockout state occurs due to the conditions set by the Active Directories Policies.

CVA 0042

CWE 204

PolicyServer 12.8

Failed login attempts cause the Usernames to be exposed within the URL because of the Password policies on the AD.

Use the smpwservices.fcc instead of the default login.fcc

1. Verify from where the login fcc environment is being loaded.
   e.g,

From the WebAgentTrace logs:

[Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

2. Go to the location C:\Program Files\CA\webagent\win64\samples/forms_en-US/

3. Take backup of login_en-US.fcc

4. Take backup of login_en-US.unauth

5. Find smpwservices_en-US.fcc file duplicate it and rename it to login_en-US.fcc.

6. Duplicate the newly created login_en-US.fcc and rename it to login_en-US.unauth. Both login_en-US.fcc and login_en-US.unauth files have same data.

7. Go to PolicyServer, Polcies > Password > Password Policies. Modify

8. Change the Redirection URL to /siteminderagent/forms/login.fcc. And click Submit.

9. On PolicyServer, go to registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer
10. Find the registry DisallowUsernameInURL, if not present create one. Select (DWORD 32-bit Value).

Set the value to 1.

11. Restart the Policy Server Services.

This will still show the SMAuthReason in the URL. If you are OK with it, you can stop here. If not, follow next steps.

If it is still considered vulnerable and may give hint with SMAuthReason code. And do not want to see the SMAuthReason, please continue.

12. Modify the ACO to use SecureURL
    
13. Restart the Agent.

You can also customize the message that appear on the screen like below,

Modify the login_en-US.fcc file to customize the Account information Message Displayed.

Go to the below and provide a suitable message.