File: policy.html

package info (click to toggle)
keepass2 2.41%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 13,892 kB
  • sloc: cs: 103,600; xml: 5,869; cpp: 308; sh: 48; makefile: 46
file content (139 lines) | stat: -rw-r--r-- 4,826 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<meta http-equiv="expires" content="0" />
	<meta http-equiv="cache-control" content="no-cache" />
	<meta http-equiv="pragma" content="no-cache" />

	<meta name="author" content="Dominik Reichl" />

	
	

	<meta name="DC.title" content="Application Policy - KeePass" />
	<meta name="DC.creator" content="Dominik Reichl" />
	<meta name="DC.type" content="Text" />
	<meta name="DC.format" content="text/html" />
	<meta name="DC.language" content="en" />
	<meta name="DC.rights" content="Copyright (C) 2003-2019 Dominik Reichl" />

	<meta name="robots" content="index, follow" />
	<meta name="flattr:id" content="42rykv" />

	<title>Application Policy - KeePass</title>
	<base target="_self" />
	<link rel="stylesheet" type="text/css" href="../../default.css" />
	
</head>
<body>



<table class="sectionsummary"><tr><td width="68">
<img src="../images/b64x64_file_locked.png" width="64" height="64"
class="singleimg" align="left" alt="Settings" />
</td><td valign="middle"><h1>Application Policy</h1><br />
Details about the application policy system within KeePass.
</td></tr></table>

<ul>
<li><a href="#helpuser">Help for Users</a></li>
<li><a href="#helpadmin">Help for Administrators</a>

<ul>
<li><a href="#security">Policy Security</a></li>
</ul>

</li>
</ul>

<br />

<a name="helpuser"></a>
<h2 class="sectiontitle">
<img src="../images/b16x16_kdmconfig.png" class="singleimg" alt="Users" />&nbsp;&nbsp;Help
for Users</h2>

<p>Application policy is a KeePass feature that enables administrators
to prevent you from accidently compromising the security
system of your company.</p>

<p>Operations like exporting entries to non-encrypted
files or printing for example can be prevented effectively
using the application policy.</p>

<p>If you are using KeePass at home, you can ignore the
application policy (everything allowed anyway) or reduce
your rights using the policy yourself, in order to avoid
accidental leakage of sensitive information.</p>

<p>In order to prevent changing the policy after it has
been specified, it is recommended to use an
<a href="../base/configuration.html">enforced configuration file</a>.</p>

<br />

<a name="helpadmin"></a>
<h2 class="sectiontitle">
<img src="../images/b16x16_kgpg.png" class="singleimg" alt="Administrator" />&nbsp;&nbsp;Help
for Administrators</h2>

<p>KeePass can be installed on a network drive and a policy
can be enforced (like not permitting users to print the
entry list).</p>

<p>The application policy enforcement is based on
the mechanism how KeePass stores configuration settings. You
first need to understand this method before you can continue
creating a policy:
<a href="../base/configuration.html">Configuration</a>.</p>

<p>A policy-enforcing KeePass installation looks like
the following: the KeePass application files are stored
on the network drive and all users are starting KeePass from
this drive (i.e. they only have links to the executable on
the network drive). By using an enforced configuration file
on the network drive
(remember that this file overrides all others),
a policy can be enforced.</p>

<p>In order to create such an installation, follow these steps:</p>

<ol>
<li>Copy KeePass to a shared network drive that supports file
access rights (like NTFS).</li>

<li>Create an enforced configuration file that enforces the
application policy settings that you wish.</li>

<li>Adjust the file access rights: allow users only to read and
execute all KeePass files, no write access.</li>
</ol>

<!-- <p>That's it. You created a policy that is enforced on all computers,
including your own one (until you change the enforced configuration file
on the network drive).</p> -->

<br />

<a name="security"></a>
<h2 class="sectiontitle">
<img src="../images/b16x16_file_locked.png" class="singleimg" alt="Locked" />&nbsp;&nbsp;Policy
Security</h2>

<p>Recall what the policy mechanism looks like: KeePass and the
configuration file are stored on the network drive. If you
grant your users free access to the Internet or allow them
to insert CD-ROMs/DVDs/USB-sticks, nothing prevents
a user to download a fresh copy of KeePass and run it. In
this case the policy isn't enforced, as the downloaded KeePass
doesn't know anything of the enforced configuration file on the network
drive.</p>

<p>Policy enforcement therefore only is effective if your users
really use the KeePass version installed on the network drive.</p>

</body></html>