Businesses around the world trust Box with their most sensitive data, and for good reason: In addition to our robust back-end security, we offer admins a host of options for controlling how users sign up for and log in to Box.
This guide walks you step by step through your account’s security settings panel, where you configure your settings to match your organization’s security requirements. Check with your IT department if you’re unsure what they are.
To open the security settings panel and get started:
- Click Admin Console > Enterprise Settings in the left-hand navigation.
- Towards the top of the page, click the Security tab.
Signup and Login Settings
The Signup and Login section is where you’ll set rules for users either signing up for or logging in to Box:
Here's more about what the different options do:
Self Signup
As an admin, you can add users manually, but you also have the option to allow users to add themselves to your account. If you select this option, you can direct new users to your account’s custom URL to sign up. This is a good option if you’re not concerned about your seat count.
Account Creation Notification
Select this option if you would like admins to be notified via email whenever a new user is created. You can choose to receive an immediate notification or a summary of new users once a day.
User email/login
Selecting this option prevents users from changing their Box login emails to personal addresses. Check this box if you want your users to stick with the corporate email they used to sign up.
Failed Logins
Turn on this option to be kept apprised of login troubles – or unauthorized access attempts. You can customize the number of failed login attempts that will trigger your notification.
2-Step Login Verification
In this section, you can require people to provide a second source of verification to access your enterprise's content.
Here's more about what the different options do:
Managed Users
To enable two-factor verification for everyone in your organization, check Require all managed users to have additional verification for unrecognized logins.
External Users
To enable two-factor verification for external collaborators, click Edit Configuration. Box displays a range of options. Here are more details about enabling two-factor verification.
Password Requirements Section
Here's more about what the different options do:
Password Requirements
You can set length or complexity requirements for your users' passwords in the Character Settings fields.
Also consider creating a password reset calendar in the Password Resets field. This setting forces managed users to update their passwords at regular intervals. Further, you can prevent users from reusing passwords if need be; just check the Prevent reusing passwords from last x times box, then set the number that works best for your organization.
You can also force everyone in your organization to change their passwords immediately. To do this, click Reset Passwords Now.
To track password changes for auditing purposes, check the two Password changes notification boxes. You will receive these notifications by email.
Finally, check External Collaborator if you require strong passwords from anyone you work with outside the four walls of your organization, such as consultants, agencies, designers, and so on. This means you will be locking out any current collaborators with weaker passwords. These people must reset their passwords to stronger ones to regain access to your files and systems.
Uploads Section
The Uploads setting gives Enterprise and Elite admins the option to prevent users from accessing their Box accounts via regular (unencrypted) FTP.
Session Duration for All Users Section
The Session Duration for All Users section is well worth a look if you work in an open office setting where people are moving around frequently, or if you have an external presence in your company. This option enables you to set how long an account can stay logged in without activity. Anyone who exceeds this limit is logged out automatically. The default is 48 hours, but you can shorten it to as little as ten minutes.
Session duration settings only apply to the Box web application. Any session duration limits set here do not apply to people accessing Box through any other Box endpoints (e.g. Box mobile applications, Box desktop applications, m.box.com, etc.).
When you’ve applied the security settings that you need, be sure to click Save.
To read more about how we keep your content safe in the cloud, just visit www.box.com/security