Security policy recommendations
Recommended security policy settings for MSPs
Table of Contents
Recommended security policy settings
Password Boss provides a full set of security policies that you can configure based on the security needs of your clients. The policies are fully explained in our support articles, as well as in the portal itself.
Here are some guidelines for getting the most out of the security policies
- It may make sense to begin enabling the security policies slowly at first.
- When you make changes to the security policies be sure to tell your clients & users in advance so that they are aware of the changes.
- If you are enabling any of the restrictive policies, like disabling sharing, add these restrictions to your internal policies and let the users know in advance so that there are fewer support questions for your team.
- Several of the policies are designed to work well together. For example, forcing all team items into the team profile and the policy to backup all team items work very well together. If you have any questions on the security policies, please reach out to our support team and we will be happy to provide any help and guidance, so you can get the most out of the security policies.
- The Advanced security policy to Backup all team items is a powerful policy and gives the admin on your account access to all items stored in the team profile for each of your users. This policy creates a decryption key when the policy is enabled. Do not lose this key. You need the key to access the backup files from your users. Password Boss does not store a copy of this key anywhere. Without this key you cannot access the backups.
The recommendations are listed in the same order the security policies appear in the Partner Portal.
Standard Security Policies
Online backups and device sync
Having this policy enabled means members of your team cannot disabled backups of their accounts.
Having this policy enabled requires each team member to enable 2FA on their Password Boss account.
Remove team profile items when users are removed
Generally, your team members will be using a business email address that will not go with them if they leave your company, so this policy will not apply to those users. This policy will apply to any contractors that are set up on your account using their own email address.
If a contractor is set up on your account with a personal email address, when that user is removed from your account, and you choose to convert the user to a personal account as opposed to deleting the user account, the contents of the business profile will be removed from the user's Password Boss account.
Force business items into business profile
This policy allows you to make sure business items are stored in the business profile. You have the ability to use the policy Backup all business profile items to ensure you have a disaster recovery backup of all business items from all users.
Enabling this policy would block your ability to share items with your team
Disable emergency access
We recommend that MSPs disable the ability of their team to use emergency access. Enabling this policy allows possible leakage of confidential data to people outside of your company.
Recommendation: Enabled - No Profiles
We recommend enabling this policy to prevent your team from exporting the passwords and other saved items. Note: For any user who is an Admin on your account this policy is not enforced. We recommend limiting the Admin users on your account to 1 or 2 - all team members should not be admins.
If you are off-boarding a team member and they want to take their personal profile items with them to a new personal Password Boss account then we recommend that you temporarily change this policy to Enabled - Personal profile only. When the user has exported their personal profile then change this policy back to Enabled - No Profiles.
Master password change
Recommendation: Company Choice
Current NIST guidelines for password security have removed password change requirements in favor of easy to remember but hard to guess passwords. We recommend that you enable or disable this policy in line with your other internal password guidelines.
Advanced Security Policies
Backup all business profile items
Recommendation: Enabled - HIGHLY RECOMMENDED
This policy is an additional backup of just the contents of the business profile from each user. When this policy is enabled a decryption key is generated and provided to the user enabling this policy. Restrict the access to this decryption key since whoever has access to the key has access to all of the items in every user's business profile.
Each user's entire account, both the business profile and the personal profile, will also be backed up every five minutes the user is online. This 5-minute backup is used for device and share synchronization and is different from the backup enable by this policy.
Restrict sharing to specific recipients
Generally not needed in an MSP environment.
Choose location for online backups
Choose a location physically close to your location for the fastest backup and synchronization.
Restrict business profile items from Emergency Access
We recommend disabling Emergency Access altogether for MSPs. However, if you do choose to allow your team to use Emergency Access then we recommend that you Enable this policy to prevent business items from potentially being sent to users outside of your business.
User change notifications
Recommendation: As needed
Each admin on your account will receive an email when users are added, deleted or backup files are downloaded. since our recommendation is to limit the number of users on your account who are admins, this would also limit the number of people who would receive these notifications. If additional members of your team need to receive these notifications then you can add their individual email addresses or a distribution list address.
Restrict user portal access
This policy limits any non-admin user's ability to login to the user portal (portal.passwordboss.com). A non-admin user has limited functionality in the user portal, but it is probably best if your team knows the functionality of the user portal to be able to answer end-user questions.
Generally, your team should be logging in to the Partner Portal to make any changes needed and will not use the user portal for any administrative tasks.
Disable Password Boss on individual pages or entire domains
Recommendation: As Needed
This policy allows you to centrally disable Password Boss from running on pages or sites for all users in your company. This is useful for sites where you do not want Password Boss to run like the internal pages of your PSA, CRM, RMM, etc.
This policy should be enabled for all MSPs. When this policy is enabled all password access and use for any passwords in the business profile for each user is logged. Access reports are available in the Partner Portal on the Reports tab. Access to the password audit reports is restricted to Partner Portal users with the Admin role or who have specifically been granted Reports -> Password Auditing permission via a custom access role.