What security settings can I enforce for my users?




As an Enterprise admin, you have access to an additional Security tab within the Enterprise Settings that allows you to set account-wide security settings for your managed users.

To access your security settings, follow these steps:

  • Log in to your account and navigate to the Admin Console
  • Click on the gear icon in the top right corner and select Enterprise Settings from the drop-down menu
  • Navigate to the Security tab

Signup and Login: This section gives you the option to enable self-signup, restrict users from changing their email address, set up admin notifications for user activity, prevent persistent account sessions, and require 2-step login verification for unrecognized logins.

Password Requirements:

Enterprise Admins can configure password policies for their managed users, including:

  • Password strength requirements
  • Password resets (automated or manual global password reset)
  • Password re-use restrictions
  • Notification after a set number of failed attempts
  • Prevention of persistent logins
  • Maximum session duration limits

Note: If your enterprise account is SSO-enabled, these password settings apply to a user's external "Box-specific password", not their SSO password. This is also where you can require strong passwords for external collaborators.

Uploads: This setting gives Enterprise and Elite admins the option to prevent users from accessing their Box accounts via regular (unencrypted) FTP.

Application Management: This section allows you to configure the number of applications allowed per user, and whether users need to verify logins from unrecognized browsers and applications.

Session Duration: Here you can set a limit on how long a managed user can stay logged in to their account without activity. The default session duration is 48 hours.