An admin can manage the IP-address restrictions and brute-force settings in Settings → Security.
The main view of the security settings is presented in the picture below.
In brute-force protection field you can determine, how many failed login attempts will ban the IP address and for how long. The IP addresses that are trusted can be defined in the whitelist. Session timeout determines the time an inactive user can stay logged in to the system. It is also possible to set different session timeouts for different roles.
You can also set a minimum length for the passwords for all the users in the system. In Password Expiration section, you can set the passwords to expire after a certain amount of time. The expiration time can be selected between 1 and 6 months.