Keeper Security Hardening Guide
Enterprise password manager hardening for Keeper Security including role enforcement, MFA, and admin console security
Overview
Keeper Security is a leading zero-knowledge password management platform protecting credentials for millions of users across enterprises. Its zero-knowledge architecture means that only users can decrypt their vault data; Keeper itself cannot. Proper enterprise configuration applies administrative controls without weakening that security model.
Intended Audience
- Security engineers managing password management
- IT administrators configuring Keeper Enterprise
- GRC professionals assessing credential security
- Third-party risk managers evaluating password managers
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Keeper Enterprise admin console security, role-based enforcement policies, MFA configuration, and SSO integration.
Table of Contents
- Admin Console Security
- Role-Based Enforcement Policies
- Authentication & MFA
- SSO Integration
- Monitoring & Compliance
- Compliance Quick Reference
1. Admin Console Security
1.1 Protect Keeper Administrator Accounts
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Protect Keeper Administrator accounts as they have full control over the enterprise deployment.
Rationale
Why This Matters:
- Keeper support cannot elevate users to admin or reset admin passwords by design
- If all admins lose access, there’s no recovery path
- At least two users should have Keeper Administrator role
- Break-glass accounts are essential
ClickOps Implementation
Step 1: Ensure Redundant Admins
- Navigate to: Admin Console → Admin → Roles
- Verify Keeper Administrator role has 2+ members
- Ensure the backup admin account uses its own separate credentials
- Document break-glass account procedures
Step 2: Protect Admin Accounts
- Require MFA for all admin accounts
- Use strong master passwords (20+ characters)
- Store break-glass credentials securely (physical safe)
Step 3: Limit Admin Access
- Apply principle of least privilege
- Reduce total number of administrators
- Use delegated admin roles where possible
- Remove unnecessary admin privileges
Time to Complete: ~30 minutes
Code Implementation
1.2 Configure IP Address Allowlisting for Admins
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | AC-17, SC-7 |
Description
Restrict admin access to approved IP addresses to prevent unauthorized administrative actions.
Rationale
Why This Matters:
- At minimum, users with admin privileges should be IP-restricted
- Limits what a malicious insider can do with admin credentials from an unapproved location
- Blunts identity provider takeover vectors: a hijacked SSO session still cannot reach the admin console from outside the allowlist
ClickOps Implementation
Step 1: Configure IP Allowlist
- Navigate to: Admin Console → Admin → Roles
- Select admin role
- Navigate to Enforcement Policies → IP Allowlist
- Add allowed IP addresses:
  - Corporate network IPs
  - VPN egress IPs
  - Secure admin workstation IPs
Step 2: Apply to Admin Roles
- Apply IP restrictions to:
  - Keeper Administrator role
  - All custom admin roles
- Test access from allowed IPs
- Verify that access is blocked from other IPs
Code Implementation
1.3 Enable Administrative Event Alerts
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.11 |
| NIST 800-53 | SI-4 |
Description
Configure alerts for administrative events to detect suspicious activity.
ClickOps Implementation
Step 1: Configure Alerts
- Navigate to: Admin Console → Reporting & Alerts
- Enable alerts for:
  - Admin login events
  - Role modifications
  - Policy changes
  - User provisioning/deprovisioning
Step 2: Configure Notification Recipients
- Add security team email addresses
- Configure alert thresholds
- Integrate with SIEM if available
Code Implementation
2. Role-Based Enforcement Policies
2.1 Configure Master Password Requirements
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.2 |
| NIST 800-53 | IA-5 |
Description
Configure master password requirements through role enforcement policies.
ClickOps Implementation
Step 1: Access Role Enforcement
- Navigate to: Admin Console → Admin → Roles
- Select role to configure
- Click Enforcement Policies
Step 2: Configure Password Policy
- Navigate to Master Password section
- Configure:
  - Minimum length: 16+ characters
  - Complexity requirements: Mixed case, numbers, symbols
  - Maximum age: Optional (modern guidance prefers strong passwords without forced rotation)
  - Password history: Prevent reuse
Step 3: Apply to All Users
- Apply policy to all user roles
- Allow a grace period for users to comply
- Monitor compliance dashboard
Code Implementation
2.2 Enforce Two-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require 2FA for all users accessing their Keeper vault.
ClickOps Implementation
Step 1: Configure 2FA Enforcement
- Navigate to: Role → Enforcement Policies → Two-Factor Authentication
- Enable Require 2FA
- Configure:
  - Prompting frequency: Every login (most secure)
  - Allowed methods: Select approved factors
Step 2: Configure Allowed 2FA Methods
- Enable secure methods:
  - Keeper DNA (Apple Watch): Biometric
  - TOTP Authenticator: Google Authenticator, etc.
  - FIDO2 WebAuthn: Hardware keys (recommended)
  - Duo Security: If integrated
  - RSA SecurID: If integrated
- Consider disabling:
  - SMS (vulnerable to SIM swap)
Step 3: Configure Dual 2FA (L3)
- For SSO users, enable 2FA on both:
  - Identity provider side
  - Keeper side (additional layer)
Code Implementation
2.3 Configure Sharing and Export Restrictions
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.3 |
| NIST 800-53 | AC-3 |
Description
Control how records can be shared and exported from Keeper.
ClickOps Implementation
Step 1: Configure Sharing Policies
- Navigate to: Role → Enforcement Policies → Sharing
- Configure:
  - Allow sharing: Within organization only (L2)
  - Allow external sharing: Disable or require approval
  - One-time share: Configure expiration
Step 2: Configure Export Restrictions
- Navigate to: Enforcement Policies → Export
- Configure:
  - Allow export: Disable for L2+ environments
  - Allow printing: Disable if not needed
Code Implementation
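Added example (not Keeper's own tooling): a Python check of a role's enforcement settings against the controls in sections 1.1, 1.2, 2.1, 2.2 and 2.3 at a chosen profile level, so the same script can be rerun after every console change. The input dict shape and the enforcement key names (`master_password_minimum_length`, `require_two_factor`, `restrict_export`, `restrict_sharing_enterprise`, `restrict_ip_addresses`) are assumptions modelled on the `KEY:VALUE` syntax of Keeper Commander's `enterprise-role --enforcement` option; verify them against your Commander version before relying on the output.

```python
from dataclasses import dataclass

MIN_MASTER_PASSWORD_LENGTH = 16  # section 2.1, L1 baseline

@dataclass(frozen=True)
class Finding:
    role: str
    level: str    # profile level of the failed control
    section: str  # guide section the control comes from
    message: str

def check_role(role: dict, target: str = "L2") -> list:
    """Findings for one role against every control at or below `target`."""
    levels = ["L1", "L2", "L3"]
    in_scope = levels[: levels.index(target) + 1]
    enf = role["enforcements"]  # assumed shape: enforcement key -> value
    findings = []

    def require(level, section, ok, message):
        if level in in_scope and not ok:
            findings.append(Finding(role["name"], level, section, message))

    if role.get("is_admin"):
        # 1.1: Keeper support cannot restore admin access, so a lone admin is a single point of failure.
        require("L1", "1.1", len(role["members"]) >= 2,
                f"only {len(role['members'])} admin member(s); need 2+ plus a break-glass account")
        # 1.2: admin roles must carry an IP allowlist (L2).
        require("L2", "1.2", bool(enf.get("restrict_ip_addresses")), "admin role has no IP allowlist")
    # 2.1: master password length (complexity keys omitted for brevity).
    require("L1", "2.1", int(enf.get("master_password_minimum_length", 0)) >= MIN_MASTER_PASSWORD_LENGTH,
            f"master_password_minimum_length below {MIN_MASTER_PASSWORD_LENGTH}")
    # 2.2: 2FA required for every role.
    require("L1", "2.2", enf.get("require_two_factor") is True, "2FA not required")
    # 2.3: export and external sharing disabled for L2+.
    require("L2", "2.3", enf.get("restrict_export") is True, "vault export allowed")
    require("L2", "2.3", enf.get("restrict_sharing_enterprise") is True,
            "sharing outside the organization allowed")
    return findings

def audit(roles, target="L2"):
    return [f for r in roles for f in check_role(r, target)]

# Constructed sample: a hardened but lone admin role, and a lax user role.
SAMPLE_ROLES = [
    {"name": "Keeper Administrator", "is_admin": True, "members": ["a@example.com"],
     "enforcements": {"master_password_minimum_length": 20, "require_two_factor": True,
                      "restrict_export": True, "restrict_sharing_enterprise": True,
                      "restrict_ip_addresses": ["203.0.113.0/24"]}},
    {"name": "Staff", "is_admin": False, "members": ["b@example.com", "c@example.com"],
     "enforcements": {"master_password_minimum_length": 12, "require_two_factor": False}},
]
```

Run `audit(SAMPLE_ROLES, "L1")` for the baseline and `audit(SAMPLE_ROLES, "L2")` for the hardened profile; each Finding names the role, the failed section and what to change.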
2.4 Restrict Browser Extension Installation
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 2.5 |
| NIST 800-53 | CM-7 |
Description
Control which browser extensions users can install to prevent malicious extensions from accessing vault data.
Rationale
Why This Matters:
- Browser extensions with elevated permissions can read page content on every site the user visits
- Malicious extensions could capture vault data
- Limit to Keeper and approved extensions only
ClickOps Implementation
Step 1: Configure Extension Policy
- Use device management (MDM) to:
  - Allow only Keeper browser extension
  - Block unapproved extensions
  - Remove unknown extensions
Step 2: Document Approved Extensions
- Create an allowlist of approved extensions
- Communicate the policy to users
- Audit installed extensions regularly
Code Implementation
3. Authentication & MFA
3.1 Configure Biometric Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2 |
Description
Configure biometric authentication options for improved security and usability.
ClickOps Implementation
Step 1: Enable Biometrics
- Navigate to: Role → Enforcement Policies → Biometrics
- Configure allowed biometric methods:
  - Windows Hello
  - Touch ID
  - Face ID
  - Android biometrics
Step 2: Configure Biometric Policy
- Set biometric timeout
- Require master password periodically
- Configure fallback authentication
Code Implementation
3.2 Configure Account Recovery
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.2 |
| NIST 800-53 | IA-5 |
Description
Configure secure account recovery options.
ClickOps Implementation
Step 1: Configure Recovery Methods
- Navigate to: Role → Enforcement Policies → Account Recovery
- Enable appropriate recovery methods:
  - Admin-assisted recovery: Recommended for enterprise
  - Self-service recovery: With appropriate verification
Step 2: Configure Recovery Approval
- For admin-assisted recovery:
  - Configure approval workflow
  - Require verification steps
  - Log all recovery events
Code Implementation
4. SSO Integration
4.1 Configure SAML SSO
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Integrate Keeper with your SAML identity provider for centralized authentication.
Prerequisites
- Keeper SSO Connect Cloud license
- SAML 2.0 compatible identity provider
ClickOps Implementation
Step 1: Configure SSO Connect Cloud
- Navigate to: Admin Console → SSO Configuration
- Click Add SSO Configuration
- Configure SAML settings:
  - Entity ID
  - SSO URL
  - Certificate
Step 2: Configure Identity Provider
- Create SAML application in IdP
- Upload Keeper metadata
- Configure attribute mappings:
  - Email (required)
  - First name, last name (optional)
- Configure groups for role mapping
Step 3: Secure SSO Configuration
- Critical: Lock down the IdP with MFA, since it now authenticates every SSO user into Keeper
- Follow IdP security best practices
- Ensure admin accounts are secured
Code Implementation
4.2 Configure Just-in-Time Provisioning
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Configure automatic user provisioning through SSO.
ClickOps Implementation
Step 1: Enable JIT Provisioning
- Navigate to: SSO Configuration → Provisioning
- Enable Just-in-Time provisioning
- Configure default role for new users
Step 2: Configure SCIM (Alternative)
- Use SCIM for automated user lifecycle management, including deprovisioning
- Configure SCIM endpoint
- Integrate with IdP SCIM
Code Implementation
5. Monitoring & Compliance
5.1 Configure Audit Logging
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |
Description
Enable and review audit logs for security events.
ClickOps Implementation
Step 1: Access Reporting
- Navigate to: Admin Console → Reporting & Alerts
- Review available reports:
  - Login activity
  - Record access
  - Sharing activity
  - Admin actions
Step 2: Configure SIEM Integration
- Navigate to: Reporting & Alerts → SIEM Integration
- Configure export destination:
  - Splunk
  - Azure Sentinel
  - Custom webhook
- Select events to stream
Key Events to Monitor:
- Failed login attempts
- 2FA changes
- Record sharing
- Admin privilege changes
- Policy modifications
Code Implementation
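Added example, not part of Keeper's SIEM feature: a Python triage pass over a constructed batch of audit events that raises the alerts listed under section 1.3 and the key events under section 5.1, with a sliding window for failed logins so one burst produces one alert. The event field names (`audit_event_type`, `username`, `ip_address`, `created`) and event-type strings are assumptions; map them onto the names in your own SIEM export.

```python
from datetime import datetime, timedelta, timezone

# Field and event-type names are assumptions constructed for this example;
# map them onto the names your SIEM export actually carries.
FAILED_LOGIN_THRESHOLD = 5        # failures per user inside WINDOW
WINDOW = timedelta(minutes=10)

# One-shot alerts for the key events listed in sections 1.3 and 5.1.
ALERT_RULES = {
    "set_two_factor_off": "2FA disabled",
    "share_record": "record shared",
    "role_add_user": "user added to role (admin privilege change)",
    "role_update_enforcement": "enforcement policy modified",
}

def triage(events):
    """Return one alert string per event the security team should review."""
    alerts = []
    failures = {}  # username -> timestamps of recent login failures
    for ev in sorted(events, key=lambda e: e["created"]):
        t = datetime.fromtimestamp(ev["created"], tz=timezone.utc)
        kind, user, ip = ev["audit_event_type"], ev["username"], ev["ip_address"]
        if kind == "login_failure":
            # Sliding window: keep only failures inside WINDOW, then add this one.
            recent = [x for x in failures.get(user, []) if t - x <= WINDOW] + [t]
            failures[user] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                alerts.append(f"{len(recent)} failed logins for {user} from {ip} within {WINDOW}")
        elif kind in ALERT_RULES:
            alerts.append(f"{ALERT_RULES[kind]}: {user} from {ip} at {t:%Y-%m-%d %H:%M}Z")
    return alerts

BASE = 1_700_000_000  # constructed epoch timestamp for the sample batch
SAMPLE_EVENTS = [
    *({"audit_event_type": "login_failure", "username": "bob@example.com",
       "ip_address": "198.51.100.7", "created": BASE + 30 * i} for i in range(5)),
    {"audit_event_type": "login", "username": "bob@example.com",
     "ip_address": "198.51.100.7", "created": BASE + 200},
    {"audit_event_type": "set_two_factor_off", "username": "alice@example.com",
     "ip_address": "203.0.113.5", "created": BASE + 300},
    {"audit_event_type": "share_record", "username": "carol@example.com",
     "ip_address": "203.0.113.9", "created": BASE + 400},
    {"audit_event_type": "role_update_enforcement", "username": "admin@example.com",
     "ip_address": "203.0.113.1", "created": BASE + 500},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```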
5.2 Monitor Security Audit
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 4.1 |
| NIST 800-53 | CA-7 |
Description
Use Security Audit to monitor organization password health.
ClickOps Implementation
Step 1: Access Security Audit
- Navigate to: Admin Console → Security Audit
- Review dashboard metrics:
  - Overall security score
  - Password strength distribution
  - Reused passwords
  - 2FA adoption
Step 2: Identify Issues
- Review weak passwords
- Identify reused credentials
- Track 2FA compliance
Step 3: Remediation
- Notify users with weak passwords
- Set improvement targets
- Track progress over time
Code Implementation
5.3 BreachWatch Integration
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 16.4 |
| NIST 800-53 | SI-4 |
Description
Enable BreachWatch to detect compromised credentials.
ClickOps Implementation
Step 1: Enable BreachWatch
- Navigate to: Admin Console → BreachWatch
- Enable for organization
- Configure alert settings
Step 2: Respond to Alerts
- When compromised credentials are detected:
  - Notify affected users
  - Require password change
  - Investigate exposure source
  - Document incident response
Code Implementation
6. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Keeper Control | Guide Section |
|---|---|---|
| CC6.1 | 2FA enforcement | 2.2 |
| CC6.1 | Master password policy | 2.1 |
| CC6.2 | Admin protection | 1.1 |
| CC6.6 | IP allowlisting | 1.2 |
| CC7.2 | Audit logging | 5.1 |
NIST 800-53 Rev 5 Mapping
| Control | Keeper Control | Guide Section |
|---|---|---|
| IA-2(1) | MFA | 2.2 |
| IA-5 | Password policy | 2.1 |
| AC-6 | Least privilege | 1.1 |
| AU-2 | Audit logging | 5.1 |
| SI-4 | BreachWatch | 5.3 |
Appendix A: Plan Compatibility
| Feature | Business | Enterprise | Enterprise Plus |
|---|---|---|---|
| Role Enforcement | Basic | ✅ | ✅ |
| SSO Connect Cloud | ❌ | ✅ | ✅ |
| SCIM Provisioning | ❌ | ✅ | ✅ |
| BreachWatch | Add-on | Add-on | ✅ |
| Advanced Reporting | Basic | ✅ | ✅ |
| SIEM Integration | ❌ | ✅ | ✅ |
Appendix B: References
Official Keeper Documentation:
- Keeper Trust Center
- Keeper Documentation
- Keeper Security Architecture
- Security Benchmarks and Recommended Settings
- Enforcement Policies
- Enterprise Password Management
Compliance Frameworks:
- SOC 2 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP Authorized, GovRAMP Authorized, PCI DSS, HIPAA – via Keeper Trust Center
Security Incidents:
- No major public security breaches identified. Keeper’s zero-knowledge architecture means the company cannot access customer vault data.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with admin security, enforcement policies, and SSO | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag `content-outdated`
- Propose new controls: Open an issue with tag `new-control`
- Submit improvements: See Contributing Guide