KeePass Help Center
|
 KeePass Home |
 Downloads |
 Translations |
 Plugins  Help Center Home |
 Forums |
 Awards |
 Search |
Acknowledgements
Installation / Portability
Translations
Plugins
Compatibility / SxS
Repair Databases
Error Codes
License
Installation / Portability
Plugins
Compatibility / SxS
Application Policy
Auto-Type Obfuscation
User Interface
Database Settings
Entry
Interface Options
Load/Save From/To URL
License
Auto-Type
Command Line Options
Composite Master Key
Configuration
Import / Export
Integration
Password Generator
Secure Edit Controls
Security
TAN Support
URL Field
Using Stored Passwords
Administrative FAQ
Key Providers (1.x)
Donate
| Application PolicyDetails about the application policy system within KeePass. |
Help
for Users
Application policy is a KeePass feature that enables administrators to prevent you from accidently compromising the security system of your company.
Operations like exporting password entries to non-encrypted files or printing for example can be prevented effectively using the application policy.
If you are using KeePass at home, you can ignore the application policy (everything allowed anyway) or reduce your rights using the policy yourself, in order to avoid accidental leakage of sensitive information.
In order to prevent changing the policy after it has been specified, it is recommended to use an enforced configuration file.
Help
for Administrators
KeePass can be installed on a network drive and a policy can be enforced (like not permitting users to print the password list).
The application policy enforcement is based on the mechanism how KeePass stores configuration settings. You first need to understand this method before you can continue creating a policy: Configuration.
A policy-enforcing KeePass installation looks like the following: the KeePass application files are stored on the network drive and all users are starting KeePass from this drive (i.e. they only have links to the executable on the network drive). By using an enforced configuration file on the network drive (remember that this file overrides all others), a policy can be enforced.
In order to create a policy, follow these steps:
- Copy KeePass to a common network drive, which supports file permissions (like NTFS). All users must have access to it.
- Adjust the file permissions: allow users only to read and execute all files, don't allow write access!
- Adjust the file permissions for
KeePass.exe: only Execute must be allowed, all other permissions should be disabled (including Read access, disable this, too!). - Start KeePass. Open the Options dialog, switch to the Policy tab and configure the policy. Exit KeePass.
- Rename the KeePass.config.xml file to KeePass.config.enforced.xml.
That's it. You created a policy that is enforced on all computers, including your own one (until you change the enforced configuration file on the network drive).
Policy
Security
Recall what the policy mechanism looks like: KeePass and the configuration file are stored on the network drive. If you grant your users free access to the internet or allow them to insert CD-ROMs/DVDs/USB-Sticks, nothing prevents a user to download a fresh copy of KeePass and run it. In this case the policy isn't enforced, as the downloaded KeePass doesn't know anything of the enforced configuration file on the network drive.
Policy enforcement therefore only is effective if your users really use the KeePass version installed on the network drive.
Copyright © 2003-2008 Dominik Reichl, [Legal Contact] [Disclaimer] [Acknowledgements], Downloads hosted at