⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Creating Vault Records
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Keeper MSP
Free Family License for Personal Use
Training and Support
IP Allow Keeper
Migrating User Vaults Between Regions
Password Recovery Via Vault Transfer
Keeper Encryption Model
Developer Tools
SSH Connections
Recommended Security Settings
End-User Guides
Use Cases
On-Prem vs. Cloud
Login API
Migrating from LastPass
Docs Home
Powered By GitBook
Recommended Security Settings
We highly recommend Keeper Admin's enable the following security settings.

1. Create Two Keeper Administrators

Keeper Administrators hold the encryption keys used to access the Admin Console, provision users, manage enforcement policies and perform day to day user administration.
The "Keeper Administrator" role requires at least two users in that role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. Keeper employees cannot elevate a user to an administrative role or reset an administrator's Master Password.

2. Enable Account Transfer Policy

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. For step by step details visit the Account Transfer Policy guide.

3. Enforce a Strong Master Password

Reducing the risk of a cybersecurity attack starts with the use of a strong master password for all users who are on-boarded to your Keeper enterprise account. A strong and complex master password is highly recommended as the first step towards reducing unauthorized access to a users vault.
The National Institute of Standards and Technology (NIST) provides password guidelines in: Special Publication 800-63B. The guidelines promote a balance between usability and security; Or in other words, passwords should be easy to remember but hard to guess. The NIST instruction recommends an eight character minimum but a higher value will ultimately result in a harder to guess/crack password.
Password complexity can be configured on a per role-basis. See the master password complexity enforcement setting in the guide.

4. Mandate the use of Two-Factor Authentication

Two-Factor Authentication (2FA), also commonly referred to as multi-factor authentication (MFA), adds an additional layer of security to access the vault. The first layer is something your users know; his or her master password. The second layer is something they have. It can be either their mobile device (SMS text or a TOTP application) or by using a hardware token (Duo or RSA offers hardware tokens. Or adding a security key like a YubiKey or Google Titan key). Adding a second means of authentication will makes it considerably more difficult for an attacker to gain access a users vault. Using a role based enforcement can ensure all users of the enterprise are mandated to configure 2FA on their vault account. SSO enabled users should ensure 2FA is configured with their IdP at a minimum. Keeper checks for a signed login during SSO authentication and prompts for email verification on new devices. For additional security 2FA can be enabled on the Keeper account. To set up 2FA See the section in the guide: Two-factor Authentication

5. Configure IP Allowlisting

To prevent users from accessing their work vault outside of approved locations and networks, administrators will want to enable IP Address Allowlisting. This is a role-based enforcement setting that will ensure users can only access their vaults when their device is on an approved network.
Visit the section on IP Allowlisting for more information on configuring roles to include this feature.

6. Prevent Installation of Untrusted Extensions

As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved 3rd party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.
Watch the video below to learn more about hardening your systems.
Harden Your Systems
Previous
SSH Connections
Next
End-User Guides
Last modified 3mo ago
Export as PDF
Copy link
Contents
1. Create Two Keeper Administrators
2. Enable Account Transfer Policy
3. Enforce a Strong Master Password
4. Mandate the use of Two-Factor Authentication
5. Configure IP Allowlisting
6. Prevent Installation of Untrusted Extensions