Businesses around the world trust Box with their most sensitive data, and for good reason: In addition to our robust back-end security, we offer admins a host of options for controlling how users sign up for and log in to Box.
This guide walks you step by step through your account’s security settings panel, where you configure your settings to match your organization’s security requirements. Check with your IT department if you’re unsure what they are. We also understand that every customer's needs are unique. For those with external security products, we recommend reaching out to your account team to discuss how to integrate your existing security tools with Box.
To open the security settings panel and get started:
- Click Admin Console > Enterprise Settings in the lefthand navigation.
- Towards the top of the page, click the Security tab.
Signup and Login Settings section
The Signup and Login section is where you’ll set rules for users either signing up for or logging in to Box:
Here's more about what the different options do:
Self Signup
As an admin, you can add users manually, but you also have the option to allow users to add themselves to your account. If you select this option, you can direct new users to your account’s custom URL to sign up. This is a good option if you’re not concerned about your seat count.
Account Creation Notification
Select this option if you would like admins to be notified via email whenever a new user is created. You can choose to receive an immediate notification or a summary of new users once a day.
User email/login
Selecting this option prevents users from changing their Box login emails to personal addresses. Check this box if you want your users to stick with the corporate email they used to sign up.
Failed Logins
Turn on this option to be kept apprised of login troubles – or unauthorized access attempts. You can customize the number of failed login attempts that will trigger your notification.
2-Step Login Verification section
In this section, you can require people to provide a second source of verification to access your enterprise's content.
Here's more about what the different options do:
Managed Users
To enable two-factor verification for everyone in your organization, check Require two-step Verification for all managed users.
External Users
To enable two-factor verification for external collaborators, click Edit Configuration. Box displays a range of options. Here are more details about enabling two-factor verification.
Password Requirements section
Here's more about what the different options do:
Password Requirements
You can set length or complexity requirements for your users' passwords in the Character Settings fields.
Also consider creating a password reset calendar in the Password Resets field. This setting forces managed users to update their passwords at regular intervals. Further, you can prevent users from reusing passwords if need be; just check the Prevent reusing passwords from last x times box, then set the number that works best for your organization.
You can also force everyone in your organization to change their passwords immediately. To do this, click Reset Passwords Now.
To track password changes for auditing purposes, check the two Password changes notification boxes. You will receive these notifications by email.
Finally, check External Collaborator if you require strong passwords from anyone you work with outside the four walls of your organization, such as consultants, agencies, designers, and so on. This means you will be locking out any current collaborators with weaker passwords. These people must re-set their passwords to stronger ones to regain access to your files and systems.
Session Duration for All Users Section
The Session Duration for All Users section is well worth a look if you work in an open office setting where people are moving around frequently, or if you have an external presence in your company. This option enables you to set how long an account can stay logged in without activity. Anyone who exceeds this limit is logged out automatically. The default is 14 days (2 weeks).
Session duration settings only apply to the Box web application. Any session duration limits set here do not apply to people accessing Box through any other Box endpoints (e.g. Box mobile applications, Box desktop applications, etc.).
When you’ve applied the security settings that you need, be sure to click Save
To read more about how we keep your content safe in the cloud, just visit www.box.com/security