Effective security settings are essential for protecting sensitive data and maintaining organizational integrity. They involve configuring controls for user access, authentication, and password management to safeguard against unauthorized access and breaches. By implementing strong security measures tailored to your organization’s needs, you ensure robust data protection and enhance overall security resilience.
This guide summarizes the steps for optimizing and configuring your account’s security settings to meet your organization’s specific requirements.
- Access Security Settings:
  - Go to Admin Console > Enterprise Settings > Security tab
- Signup and Login Settings:
  - Self Signup: Allow users to add themselves by directing them to your account’s custom URL to sign up.
  - Account Creation Notification: Email notifications for new user creation.
    - Immediately (default): Sent as soon as a managed user account is created.
    - In daily summary emails: Sent once per day with a list of all managed user accounts created during the past day.
  - User Email/Login: Restrict users from changing their Box login emails to personal addresses.
  - Failed Logins: Notifications for failed login attempts with customizable triggers. You can select any number from 3 (default) to 8.
- 2-Step Login Verification:
  - Managed Users: Require two-step verification for all managed users.
    - Authentication Method:
      - Authenticator app (TOTP) - default and recommended option: Requires users to authenticate using a time-based one-time password (TOTP) generated by an authenticator app.
      - Text message (SMS), authenticator app (TOTP), or Email: Users authenticate with a one-time password sent by SMS (less secure), a one-time password generated by an authenticator app (TOTP), or a code sent to the user's email when logging into a Box account.
  - External Users: Configure two-step login verification for external collaborators. See here for more details.
- Password Requirements:
  - Set length/complexity requirements and reset intervals.
  - Option to prevent password reuse and force immediate password changes.
  - Notifications for password changes.
  - Require strong passwords for external collaborators.
- Uploads Section:
  - Controls whether your managed users can access Box using unencrypted FTP. By default, they can use encrypted FTP (FTPS) for secure access.
- Session Duration:
  - Set auto-logout for inactivity (default is 14 days). This applies only to the Box web application, not to other Box endpoints (e.g. mobile or desktop apps).
- Click “Save” in the top-right corner after configuring the settings.
Visit www.box.com/security for more on Box’s security measures.