Security: Manage Security Settings

Management

Security

Authentication

Default Authentication Method

The default authentication method is Username & Password. If passwordless authentication is enabled, Passwordless FIDO2 can be selected as the default authentication method. If passwordless authentication is enabled, either authentication method can be selected when logging in.

Enable Passwordless FIDO2 Authentication

This feature allows users from the local security provider or vendor users to register and log in with FIDO2-certified authenticators rather than a password. FIDO2 authenticator devices must support CTAP2 and be able to perform user verification using biometrics or a PIN.

This feature is enabled by default. Uncheck to disable the feature. If unchecked:

• The Passwordless Authenticators section of My Account > Security is hidden.
• The Passwordless FIDO2 option is not available at the login dropdowns.
• Users are unable to log in using previously registered authenticators.

Unchecking this feature does not remove previously registered authentications. If it is necessary to remove those, they must be deleted before the feature is disabled.

Users with registered passwordless authentication can continue to log in using their username and password. This can be useful if they need to log in using a device that does not support passwordless authentication.

This feature cannot be limited to specific users or user groups.

For more information, and to register authenticators, please see Passwordless Authenticators.

Account Lockout After

Set the number of times an incorrect password can be entered before the account is locked out.

Account Lockout Duration

Set how long a locked-out user must wait before being allowed to reattempt login. Alternatively, require an admin to unlock the account.

Passwords

Minimum Password Length

Set rules for local user accounts regarding the length of passwords.

Default Password Expiration

Set rules for local user accounts regarding how often passwords expire.

Require Complex Passwords

Set rules for local user accounts regarding the complexity of passwords.

Enable Password Reset

Allow users with configured email addresses to reset passwords. The link provided in password reset emails are valid until one of the following events occurs:

• 24 hours has elapsed.
• The link is clicked, and the password is successfully reset.
• The system sends another link to the email address.

Representative Console

Terminate Session If Account Is In Use

If a user tries to log in to the representative console with an account already in use, a checked Terminate Session box disconnects the previous connection in order to allow the new login.

Enable Saved Logins

Allow or disallow the representative console to remember a user’s credentials.

Log Out Idle Representative After

Set the length of time after which an inactive user is logged out of the representative console to free the license for another user.

Enable Warning and Logout Notification on Idle Timeout

Set if a user should receive a prompt before being logged out due to inactivity. The first notification occurs 30 seconds before logout and the second when logout has occurred.

Remove Representative from Session After Inactivity

This option effectively pushes a user out of a session after the period of inactivity you select. This helps BeyondTrust customers meet compliance initiatives with inactivity requirements. The user is notified 1 minute prior to removal and may reset the timeout.

A user is considered active in a session if any files are being transferred, whether through the file transfer tab or the chat interface, or if they click the mouse or press a key in the session tab. Mouse movement by itself does not count as activity. As soon as activity stops, the inactivity timer begins.

Allow Mobile Representative Console and Web Rep Console to Connect

Give users the option of accessing remote systems through the representative console app for iOS and Android, as well as through the web rep console, a browser-based representative console.

Display Thumbnail View in the Representative Console

When supporting a customer with multiple monitors, this option allows user to see thumbnail images of all available displays. These thumbnail images are not recorded in session recordings. Uncheck this box to show rectangles rather than thumbnails.

Allow Representatives to Take Remote Screenshot

You can allow users to capture screenshots of the remote desktop from the representative console.

Allow Representatives to Control the Customer Client Window

Enabling this setting allows the representative to act as the user in the customer client window, including typing in the chat area, sending files, and interacting with links and buttons. When this setting is disabled, the representative's control of the customer client window is limited to moving and minimizing it.

When requesting to elevate, allow credentials to be entered

When elevating a session to have administrative rights, allow users to enter credentials manually, inject them from a password vault, or provide them through a virtual smart card. This allows users to use authorized privileged credentials to elevate the context of the customer client. Once elevated, the customer client will run in the context of the local system.

Allow Reboot with Cached Login Credentials

In a support session running with administrative rights on a remote Windows™ computer, this allows a representative to reboot the remote machine without the customer's assistance by having the customer enter login credentials prior to the reboot. These credentials can be saved for the duration of the support session, allowing the machine to automatically log in when rebooted multiple times.

Clipboard Synchronization Mode

Clipboard Synchronization Mode determines how users are allowed to synchronize clipboards within a screen sharing session. The available settings are as follows:

• Automatic: The customer and representative's clipboards are automatically synchronized when one or the other changes.
• Manual: The representative has to click one of the clipboard icons on the representative console to either send content to or pull content from the endpoint's clipboard

You MUST restart the software on the status page for this setting to take effect.

Admins can prevent representatives from accessing the clipboard, can allow reps to send data to the endpoint, or can allow reps to have access in both directions (send and receive data). These settings control which clipboard icons the representative sees in the representative console when Manual mode is selected, as well as how the synchronization flows in Automatic mode.

Granular control of access to the clipboard can be set for session policies and group policies, as well as granted to specific representatives. Please see the links below for each particular case:

• Users: Add User Permissions for a Representative or Admin: Users and Security > Users > Add > Attended and Unattended Session Permissions > Screen Sharing
• Session Policies: Set Session Permission and Prompting Rules: Users and Security > Session Policies > Add > Permission > Screen Sharing
• Group Policies: Apply User Permissions to Groups of Users: Users and Security > Group Policies > Add > Attended and Unattended Session Permissions

Allow Search for External Jump Items

This enables Jump item searching in Remote Support through a fully configured Endpoint Credential Manager (ECM).

You must restart the software for this setting to take effect. When enabling or disabling this setting, you are prompted to restart now or restart later from the Status page in /login.

Jumpoint for External Jump Item Sessions

This field is available only when the Allow Search for External Jump Items option is checked. All sessions started from external Jump items are performed through the Jumpoint selected here, or in the case where multiple Jumpoints are deployed on endpoints across segmented networks, the Jumpoint used can be selected automatically by matching against an External Jump Item's Network ID. A Jumpoint must be positioned on the network to have connectivity to potentially any of the External Jump Items returned by the ECM.

Select the Jumpoint to use for external Jump Item sessions from the dropdown list of available Jumpoints, or leave the default selection of Automatically Selected by External Jump Item Network ID to allow Remote Support to determine which Jumpoint handles the session.

The External Jump Item Network ID is an attribute you must set on the Jumpoint from Jump > Jumpoint in /login. It is equivalent to the Workgroup attribute on managed systems in Password Safe. Its value is matched against the Network ID property for external Jump Items returned by the ECM to determine the Jumpoint to handle a session.

External Jump Item Group Name

This field is available only when the Allow Search for External Jump Items option is checked. Optionally, enter a name for the external Jump Group, or leave the default option of External Jump Items. This name displays as the Jump Group name when viewing Jump Items in the representative console or the web rep console. Click Save if you have modified the default group name.

Log "Run As" Special Action Commands in Session Reports

Uncheck this option to stop logging and reporting all Run As commands. Since the entire command is logged, any credentials passed as command parameters are logged.

Session Key

Session Key Length

The Session Key Length can be set to any number of characters between 7 and 20.

One Time Use Session Key

If One Time Use Session Key is checked, a session key cannot be used more than once to create a support session.

Maximum Session Key Timeout

Maximum Session Key Timeout sets the longest time for which a session key may remain valid. From the representative console, a user can set the lifetime of each generated session key up to but no longer than the time defined on this page. If the customer does not use the session key within the allotted time, the key expires, and the user must issue a new session key in order to run a session.

Public Portal

Force Public Site to Use HTTPS

Additional security can be obtained with Force Public Site to Use SSL (https). Using HTTPS forces the internet connection to your public support portal to be SSL-encrypted, adding an additional layer of security to prevent unauthorized users from accessing accounts.

Block External Resources, Inline Scripts, and Inline Styles on the Public Site

Prevent your public site from loading external resources, running inline scripts, or displaying inline styles. This option is effected by sending the Content-Security-Policy (CSP) HTTP header with a value of default-src 'self'.

The CSP header tells the browser to ignore resources such as images, fonts, style sheets, scripts, frames, and other subresources from outside its own origin domain. It also ignores inline scripts and styles, whether included in the head or body of the page. This also affects inline scripts and styles added dynamically at runtime from JavaScript.

Any resources you wish to use must be uploaded to the B Series Appliance at Public Portals > File Store. You should not enable this option if you have customized your public site template to use inline scripts, inline styles, or resources external to your BeyondTrust site.

Enable Streamlined Session Start

Attempt to start sessions using ClickOnce or Java. If this option is unchecked, the customer client must be manually downloaded and run.

Disable Public Site Indexing

Check Disable Public Site Indexing to prevent search engines from indexing public sites hosted by your B Series Appliance.

Miscellaneous

Days to Keep Logging Information

In Days to Keep Logging Information, you can set how long logging information should be stored on the B Series Appliance. This information includes the session reporting data and recordings. The maximum duration for which session reporting data and recordings can be retained on a B Series Appliance is 90 days. This is the default value in a new installation. It is possible that session recordings for some sessions within the retention time frame are not available. This could be caused by disk space constraints or the Days to Keep Logging Information setting.

The BeyondTrust Appliance B Series runs a maintenance script every day that ensures disk usage does not exceed 90%. Should this be exceeded, the script begins deleting session recordings based on a formula until the disk usage is less than 90%. If the Days to Keep Logging Information setting was recently changed, the new setting may take up to 24 hours to go into effect.

If data or recordings must be retained beyond the configured limit, BeyondTrust recommends using the Integration Client or the Reporting API.

Days to Keep Jump Item Logging Information

Choose how long Jump Item reporting data will be accessible from the appliance. Because data is purged only once a day, it may actually be accessible for up to 24 hours beyond what is selected here.

Enable Chat History Recovery

Check this box so that if a session is interrupted and then resumed, the chat window will recover the chat messages.

Require Remote Support Client Verification During Elevation Attempts

You must provide remote support client verification during elevation.

SSL Certificate Validation

You can require SSL Certificate Validation to force BeyondTrust software - including representative consoles, customer clients, presentation clients, and Jump Clients - to verify that the certificate chain is trusted, that the certificate has not expired, and that the certificate name matches the B Series Appliance hostname. If the certificate chain cannot be properly validated, the connection is not allowed.

If certificate verification has been disabled and is then enabled, all consoles and clients automatically upgrade the next time they connect. Note that LDAP connection agents are not automatically upgraded but must be reinstalled for this setting to take effect.

When SSL Certificate Validation is enabled, security checks in addition to BeyondTrust’s built-in security are performed to validate the SSL certificate chain being used to secure communications. It is highly recommended that you do enable SSL validation. If certificate validation is disabled, a warning message appears on your administrative interface. You can hide this message for thirty days.

To enable SSL certificate validation, you must provide your SSL certificate to BeyondTrust so that the certificate can be embedded within your BeyondTrust software.

For more information, please see SSL Certificates and BeyondTrust Remote Support.

Network Restrictions

Determine which IP networks should be able to access /login, /api, and the representative console on your BeyondTrust Appliance B Series. If you enable network restrictions, you can also enforce the networks on which representative consoles may be used.

Define network rules for the following interfaces:

Admin Interface (/login) and API Interface (/api)

• Always apply network restrictions: when selected, you have the option of creating either an allow list containing only allowed networks, or a deny list containing networks that are denied access. When this option is selected, you can determine which restrictions, if any, should apply to the desktop, mobile, and web access consoles.
• Never apply network restrictions: when selected, no restrictions are applied and no other options are available to apply restrictions to the desktop, mobile, and web console.

Desktop and Mobile Representative Console

• Always apply network restrictions: when selected, it inherits the network restrictions entered for the Admin interface.
• Never apply network restrictions: when selected, no restrictions are applied to the desktop and mobile consoles, but you have the option to apply restrictions to the web representative console.
• Only apply network restrictions for user's first authentication: this applies restrictions selected above, but only when the user first logs in.

Web Console (/console)

• Always apply network restrictions: when selected, the web representative console inherits the restrictions entered for the admin interface.
• Never apply network restrictions: when selected, no restrictions are applied to the web representative console, even if restrictions are in effect for the other access console methods.

For more information, please see Web Rep Console Guide.

Define your network restrictions:

Enter network address prefixes, one per line. Netmasks are optional, and they can be given in either dotted-decimal or integer bitmask format. Entries that omit a netmask are assumed to be single IP addresses.

• Allow list: Allow only the specified networks
• Deny list: Deny the specified networks.

Proxy Configuration

Configure a proxy server to control the dataflow for information sent from the B Series Appliance. This applies to outbound events and API calls.

Proxy Protocol

Configure HTTP or HTTPS proxy types for outbound connectivity from the B Series Appliance.

Enable Proxy Configuration

Check the box to enable the outbound proxy settings.

Proxy Host

Enter the IP address or hostname of your proxy server.

Proxy Port

Enter the port your proxy server uses. The default port is 1080.

Proxy Username and Password

If your proxy server requires authentication, enter a username and password.

Test

Click Test to ensure configuration settings are entered correctly. The current test result is displayed in the Last Test Result area. Error messages indicate where configuration settings must be corrected.

ICAP Configuration

You can configure file transfers to pass through the Secure Remote Access Appliance and be scanned by an Internet Content Adaptation Protocol (ICAP) server. If the ICAP server indicates that a file is malicious, it is not sent to the destination.

 

File transfers cannot be sent to an ICAP server in the following scenarios: Protocol Tunnel Jump-based file transfers, clipboard file transfers within RDP sessions, and external tool file transfers within RDP or Shell Jump sessions. Even with ICAP enabled, these transfers are not scanned.

ICAP Settings

Enter the ICAP Server URL. This is supplied by your ICAP server vendor. The default port is 1344. If you are using another port, it must be entered with the URL, in this format: icap://example.com:0000 or icaps://example.com:0000.

If the protocol is icaps://, check Use a CA Certificate. Then click Choose a Certificate and upload the certificate.

Save the ICAP settings before testing.

Test ICAP Connection

After entering and saving the ICAP settings, click TEST WITH A FILE and select a file to upload. There are three possible results:

• A connection error. An error header and ICAP logs display (if available).
• A malicious file is detected. A warning header and response details display. The exact nature of the malicious content does not display.
• No problems are detected. The response details display.