Enterprise - Harden Your Systems


Jan 20, 2023

We highly recommend Keeper Administrators enable the following security settings.

Create two Keeper Administrators in case one account is lost or no longer accessible. Keeper Administrators hold the encryption keys used to access the Admin Console, provision users, manage enforcement policies and perform day-to-day user administration. To assign the Keeper Administrator role to a user, select the Keeper Administrator role, click the “add” icon and choose the user you want to add.

To avoid losing records when an employee leaves the company, enable the Account Transfer Policy. Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. See our video on Account Transfers for more details.

Enforce a Strong Master Password for your users. Reducing the risk of a cybersecurity attack starts with the use of a strong master password for all users who are onboarded to your Keeper enterprise account. A strong and complex master password is highly recommended as the first step towards reducing unauthorized access to a user's vault. Passwords should be easy to remember but hard to guess. At minimum, we recommend an eight-character password, but a higher value will ultimately result in a harder-to-crack password. Password complexity can be configured on a per-role basis. To do this, select the role you wish to edit, navigate to Enforcement Policies, and adjust the sliders to the password complexity you choose.

Mandate the use of Two-Factor Authentication for your users. Two-Factor Authentication, also commonly referred to as multi-factor authentication or MFA, adds an additional layer of security to access the vault. The first layer is something your users know: their master password. The second layer is something they have: their mobile device, through SMS text or a TOTP application, or a hardware token. Adding a second means of authentication will make it considerably more difficult for an attacker to gain access to a user's vault.

Using a role-based enforcement ensures that all users of the enterprise are required to configure 2FA on their vault account. SSO-enabled users should ensure 2FA is configured with their IdP at a minimum. Keeper checks for a signed login during SSO authentication and prompts for email verification on new devices. For additional security, 2FA can also be enabled on the Keeper account.

As with any SaaS platform, account recovery provides end-users with a route to restore access to their account if the primary authentication methods are lost or forgotten. In Keeper, by default the user has the ability to configure a self-selected Security Question and Answer. The answer is then used to encrypt the user's Data Key using a key derivation similar to the Master Password method.

If you are deploying to users with a single sign-on product like Azure, account recovery may not be necessary or warranted, since authentication is delegated to your identity provider. In addition, the encryption model of SSO authentication with Elliptic Curve cryptography is far superior to the encryption model with password-based key derivation. Therefore, it is best to simply not offer account recovery as an option, if this is acceptable to your users.

To disable account recovery, visit Role - Enforcement Policies - Account Settings and select "Disable security question and answer for account recovery".

In the event a user has forgotten their master password and vault transfer has been configured by the administrator and accepted by the end user, you can recover the account via Vault Transfer.

To prevent users from accessing their work vault outside of approved locations and networks, administrators will want to enable IP Address Allowlisting. This is a role-based enforcement setting that will ensure users can only access their vaults when their device is on an approved network.

As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved third-party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.