Public Facing Maximo Sites and an Easy to Create Security Risk

By Mark Robbins posted Mon July 08, 2019 04:03 AM


If your Maximo site is used by external third parties then your architecture may mean that they connect via the internet. In that case the login page may be indexed by search engines such as Google.

Vetasi has detected unauthorised login attempts against customers' internet-facing systems from countries, locations and companies that have no reason to log in. These attempts have been made using commonly known account names such as maxadmin/mxintadm/maxreg.

If your system is accessible via the internet then there are several things you should consider doing:

  • Create an escalation to warn you when the key system accounts have a high number of failed login attempts – this needs to be below the blocking threshold to warn you before the account becomes blocked
  • Create an escalation to warn you when the key system accounts are blocked
  • Consider using the security functionality to control traffic from certain IP addresses as discussed in this help page – bear in mind the points made in this article
  • Monitor the logintracking table for failed login attempts – studying the IP addresses can prove quite illuminating and can produce evidence for prosecutions
  • Configure a robots.txt file on the public facing servers to prevent the Maximo login page appearing in search engine results
  • Change the password for the maxadmin/maxreg/mxintadm accounts if they are still set to the default values. Don’t forget to change any places where they are stored, e.g. system properties or properties files
  • Consider building a specialised logintracking report that summarises details about failed logins and possible attacks
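The escalation and logintracking recommendations above boil down to one piece of logic: count failed attempts per system account within a window, warn when the count is still below the blocking threshold, and rank the source addresses. The following is an added example (not code from the post or from Vetasi); the LOGINTRACKING column names LOGINID, ATTEMPTDATE, ATTEMPTRESULT and CLIENTADDR are assumed, and the sample rows are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows shaped like Maximo's LOGINTRACKING table; the column
# order (LOGINID, ATTEMPTDATE, ATTEMPTRESULT, CLIENTADDR) is an assumption.
SAMPLE_ROWS = [
    ("maxadmin", "2019-07-08 03:01:10", "FAILED", "203.0.113.7"),
    ("maxadmin", "2019-07-08 03:02:30", "FAILED", "203.0.113.7"),
    ("maxadmin", "2019-07-08 03:04:05", "FAILED", "203.0.113.7"),
    ("mxintadm", "2019-07-08 03:10:00", "FAILED", "198.51.100.22"),
    ("maxreg",   "2019-07-08 03:12:00", "FAILED", "203.0.113.7"),
    ("maxreg",   "2019-07-08 03:13:00", "FAILED", "203.0.113.7"),
    ("maxreg",   "2019-07-08 03:14:00", "FAILED", "203.0.113.7"),
    ("maxreg",   "2019-07-08 03:15:00", "FAILED", "203.0.113.7"),
    ("maxreg",   "2019-07-08 03:16:00", "FAILED", "203.0.113.7"),
    ("jsmith",   "2019-07-08 03:20:00", "FAILED", "192.0.2.10"),
    ("maxadmin", "2019-07-08 03:30:00", "LOGIN",  "10.0.0.5"),      # successful login
    ("maxadmin", "2019-07-08 01:00:00", "FAILED", "203.0.113.7"),   # outside the window
]
SYSTEM_ACCOUNTS = {"maxadmin", "mxintadm", "maxreg"}
NOW = datetime(2019, 7, 8, 4, 0, 0)  # "current time" for the constructed data

def recent_failures(rows, now, window):
    """Yield (loginid, clientaddr) for FAILED attempts inside the last `window`."""
    since = now - window
    for loginid, attemptdate, result, addr in rows:
        when = datetime.strptime(attemptdate, "%Y-%m-%d %H:%M:%S")
        if result == "FAILED" and since <= when <= now:
            yield loginid, addr

def triage(rows, now, window=timedelta(hours=1), block_threshold=5, warn_at=3):
    """'warn': system accounts whose failures reached warn_at but are still below
    block_threshold, so the alert fires before the lockout; 'likely_blocked':
    accounts at or past the lockout threshold; 'top_addresses': sources ranked
    by failed attempts across all accounts."""
    if not 0 < warn_at < block_threshold:
        raise ValueError("warn_at must be positive and below block_threshold")
    failures = list(recent_failures(rows, now, window))
    per_account = Counter(login for login, _ in failures if login in SYSTEM_ACCOUNTS)
    per_address = Counter(addr for _, addr in failures)
    return {
        "warn": {a: n for a, n in per_account.items() if warn_at <= n < block_threshold},
        "likely_blocked": {a: n for a, n in per_account.items() if n >= block_threshold},
        "top_addresses": per_address.most_common(3),
    }

def demo():
    return triage(SAMPLE_ROWS, NOW)

if __name__ == "__main__":
    print(demo())
```

In Maximo the same counting would be done in SQL against LOGINTRACKING as an escalation condition or report query; the Python shows the thresholds and window that query needs to encode.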

Previous Solution - Reconfiguring the System Accounts that Maximo Uses

In the past customers have renamed the standard account names by modifying the values in the system properties below.

The standard account names (maxadmin / mxintadm / maxreg) are managed via these system properties:

  • mxe.adminuserid – maxadmin – used for system administration activities
  • mxe.int.dfltuser – mxintadm – used for the integration code
  • mxe.system.reguser – maxreg – used for self-registration functionality

These cannot all be set to the same account name.

A blog posting in March 2016 warns that changing these values can lead to CTGIN2080E errors and the installation process failing and recommends changing the value back. If you are going to change these values then it is likely that a PMR will be required to resolve the CTGIN2080E errors.

Why the Maxreg Account Should have Minimal Privileges

It is particularly important that the account used for self-registration/forgot password has the minimum number of privileges required to perform its work. It should not be set to a privileged account, such as maxadmin or mxintadm. When users use the self-registration functionality they are automatically logged into Maximo using the maxreg account.

You can see this by using the self-registration link (or forgot your password) and checking the links at the top of the page.


In my example the default maxreg account has rather more privileges than it should…

If the self-registration account is changed to be maxadmin then there is a risk that anyone resetting their password could immediately gain administrator access. The maxreg account should always have the minimum privileges required to do its work.

Tip -> Have you ensured that the maxreg account has the minimum number of privileges required to do its work?

Disabling the Forgotten Password Link on the Login Page and Other Links

If you don’t want users to see the “Forgot your password” link on the home page then consider commenting out the relevant block in the login.jsp file as per technote 1586981.

The text for the various links is stored in a number of messages defined in MAXMESSAGES in the message group “login”.

A mistake I sometimes see is that the maxmessage entries have been changed to:

&nbsp;

This HTML code represents a space, i.e. “ “. The aim is to make the link "invisible" by not displaying any text.

In practice this leads to a false sense of security: the link is still there, it becomes apparent when you move your mouse over it, and so people can still use it.

Vetasi Customisations

Vetasi can provide a report that summarises key login related activity and extends the information in the standard out of the box logintracking report.

Vetasi can work with you to provide a suitable robots.txt file and ensure that it is installed correctly.

Vetasi can modify the login.jsp file to safely hide the forgot password link.


#Maximo
#AssetandFacilitiesManagement