Security: Manage Security Settings

Passwords

Minimum Password Length

Set rules for local user accounts regarding the length of passwords.

Require Complex Passwords

Set rules for local user accounts regarding the complexity of passwords.

Default Password Expiration

Set rules for local user accounts regarding how often passwords expire.

Enable Password Reset

Allow users with configured email addresses to reset passwords. The link provided in a password reset email is valid until one of the following events occurs:

  • 24 hours have elapsed.
  • The link is clicked, and the password is successfully reset.
  • The system sends another link to the email address.

Account Lockout After

Set the number of times an incorrect password can be entered before the account is locked out.

Account Lockout Duration

Set how long a locked-out user must wait before being allowed to reattempt login. Alternatively, require an admin to unlock the account.

Access Console

Terminate Session If Account Is In Use

If a user tries to log into the access console with an account already in use, a checked Terminate Session box disconnects the previous connection in order to allow the new login.

Enable Saved Logins

Allow or disallow the access console to remember a user's credentials.

Log Out Idle User After

Set the length of time after which an inactive user is logged out of the access console to free the license for another user.

Enable Warning and Logout Notification on Idle Timeout

Set this option to show a notification to an idle user 30 seconds before a logout is set to occur. The user will also receive another notification when the logout has occurred.

Remove User from Session After Inactivity

This option effectively pushes a user out of a session after the period of inactivity you select. This helps BeyondTrust customers meet compliance initiatives with inactivity requirements. The user is notified 1 minute prior to removal and may reset the timeout.

A user is considered active in a session if any files are being transferred, whether through the file transfer tab or the chat interface, or if they click the mouse or press a key in the session tab. Mouse movement by itself does not count as activity. As soon as activity stops, the inactivity timer begins.

Default Access Console Authentication Method

Select the default authentication method. The authentication method selected here is automatically selected on the login page when the user logs into the access console the next time after the setting is changed. Users can select a different method if needed.

You can change the setting at any time. However, you must log out of the access console and log in again to see the change.

Allow Mobile Access Console and Privileged Web Access Console to Connect

Give users the option of accessing remote systems through the BeyondTrust access console app for iOS and Android, as well as through the privileged web access console, a browser-based access console.

Clipboard Synchronization Mode

Clipboard Synchronization Mode determines how users are allowed to synchronize clipboards within a screen sharing session. The available settings are as follows:

  • Automatic: The customer and representative's clipboards are automatically synchronized when one or the other changes.
  • Manual: The representative has to click one of the clipboard icons on the access console to either send content to or pull content from the endpoint's clipboard.

You MUST restart the software on the status page for this setting to take effect.

Admins can prevent representatives from accessing the clipboard, can allow reps to send data to the endpoint, or can allow reps to have access in both directions (send and receive data). These settings control which clipboard icons the representative sees in the access console when Manual mode is selected, as well as how the synchronization flows in Automatic mode.

Granular control of access to the clipboard can be set for session policies and group policies, as well as granted to specific representatives. Please see the links below for each particular case:

Miscellaneous

Days to Keep Logging Information

In Days to Keep Logging Information, you can set how long logging information should be stored on the B Series Appliance. This information includes the session reporting data and recordings. The maximum duration for which session reporting data and recordings can be retained on a B Series Appliance is 90 days. This is the default value in a new installation. It is possible that session recordings for some sessions within the retention time frame are not available. This could be caused by disk space constraints or the Days to Keep Logging Information setting.

The B Series Appliance runs a maintenance script every day that ensures disk usage does not exceed 90%. Should this be exceeded, the script begins deleting session recordings based on a formula until the disk usage is less than 90%. If the Days to Keep Logging Information setting was recently changed, the new setting may take up to 24 hours to go into effect.

If data or recordings must be retained beyond the configured limit, BeyondTrust recommends using the Reporting API.

Inter-appliance Communication Pre-shared Key

This feature is available only to customers who own an on-premises BeyondTrust Appliance B Series. BeyondTrust Cloud customers do not have access to this feature.

Enter a password in the Inter-appliance Communication Pre-shared Key field to establish a trusted relationship between two B Series Appliances. Matching keys are required for two or more B Series Appliances to be configured for features such as failover or clustering. The key must contain at least 6 characters and contain at least one uppercase letter, one lowercase letter, one number, and one special character.

Network Restrictions

Determine which IP networks should be able to access /login, /api, and the BeyondTrust access console on your B Series Appliance. If you enable network restrictions, you can also enforce the networks on which access consoles may be used.

Admin Interface (/login) and API Interface (/api)

  • Always apply network restrictions: when selected, you have the option of creating either an Allow list containing only allowed networks, or a Deny list containing networks that are denied access. When this option is selected, you can determine which restrictions, if any, should apply to the desktop, mobile, and web access consoles.
  • Never apply network restrictions: when selected, no restrictions are applied and no other options are available to apply restrictions to the desktop, mobile, and web console.

Desktop and Mobile Access Console

  • Always apply network restrictions: when selected, it inherits the network restrictions entered for the Admin interface.
  • Never apply network restrictions: when selected, no restrictions are applied to the desktop and mobile consoles, but you have the option to apply restrictions to the web access console.
  • Only apply network restrictions for user's first authentication: this applies restrictions selected above, but only when the user first logs in.

Web Console (/console)

  • Always apply network restrictions: when selected, the web access console inherits the restrictions entered for the admin interface.
  • Never apply network restrictions: when selected, no restrictions are applied to the web access console, even if restrictions are in effect for the other access console methods.

For more information, please see Privileged Web Access Console Guide.
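
The following added example (not BeyondTrust code) models how the options above combine, so an administrator can check which interfaces a given source address could still reach. The policy keys, the first_auth flag, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy; the keys are hypothetical names for the options above.
SAMPLE_POLICY = {
    "admin_mode": "always",            # "always" | "never"  (/login and /api)
    "list_type": "allow",              # "allow" | "deny"
    "networks": ["192.0.2.0/24"],      # documentation-range network
    "desktop_mobile_mode": "first_auth_only",  # "always" | "never" | "first_auth_only"
    "web_mode": "never",               # "always" | "never"  (/console)
}

def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def admin_allows(ip, policy):
    """Decision for the admin (/login) and API (/api) interfaces."""
    if policy["admin_mode"] == "never":
        return True
    listed = in_networks(ip, policy["networks"])
    # Allow list: only listed networks pass. Deny list: listed networks are refused.
    return listed if policy["list_type"] == "allow" else not listed

def console_allows(ip, policy, console, first_auth=True):
    """Decision for console "desktop_mobile" or "web".

    first_auth is an assumption: True when this is the login the
    "first authentication" option refers to, False for later ones.
    """
    if policy["admin_mode"] == "never":
        return True  # no console restrictions can be configured in this case
    mode = policy[console + "_mode"]
    if mode == "never" or (mode == "first_auth_only" and not first_auth):
        return True
    return admin_allows(ip, policy)  # consoles inherit the admin networks

def exposure(ip, policy):
    """Summarise which interfaces a source address can reach."""
    return {
        "admin_api": admin_allows(ip, policy),
        "desktop_mobile_first": console_allows(ip, policy, "desktop_mobile", True),
        "desktop_mobile_later": console_allows(ip, policy, "desktop_mobile", False),
        "web": console_allows(ip, policy, "web"),
    }

print(exposure("203.0.113.5", SAMPLE_POLICY))
```

With this sample policy, an address outside the allow list is refused at /login and /api but still reaches the web access console, which is the combination to look for when reviewing these settings.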

Port Restrictions for Administrative Web Interface

This feature is available only to customers who own an on-premises BeyondTrust Appliance B Series. BeyondTrust Cloud customers do not have access to this feature.

Set the ports through which your /login interface can be accessed.

Proxy Configuration

Configure a proxy server to control the dataflow for information sent from the B Series Appliance. This applies to outbound events and API calls.

Proxy Protocol

Configure HTTP or HTTPS proxy types for outbound connectivity from the B Series Appliance.

Enable Proxy Configuration

Check the box to enable the outbound proxy settings.

Proxy Host

Enter the IP address or hostname of your proxy server.

Proxy Port

Enter the port your proxy server uses. The default port is 1080.

Proxy Username and Password

If your proxy server requires authentication, enter a username and password.

Test

Click Test to ensure configuration settings are entered correctly. The current test result is displayed in the Last Test Result area. Error messages indicate where configuration settings must be corrected.