It is possible to enforce the settings of the KeePass client using configuration files and rules set in Pleasant Password Server. This can be used to enforce security policies by setting things like:
- lock timeout values
- default password generation settings
- password export
- copy whole entries (to another KeePass)
To do this, we first need to create a configuration file.
- Open and log in to the KeePass client.
- Set your configuration settings.
  - Most settings can be found in the Tools -> Options dialog.
  - There are additional settings that can be found in:
    - File -> Database Settings
    - Tools -> Generate Password
    - Tools -> TAN Wizard
    - Tools -> Triggers
    - Help -> Help Source
- Select File -> Export Configuration and save the file to a location on your hard drive.
This configuration file is in a human-readable format called XML. It contains every setting used by KeePass including all of the user interface settings like window position, columns shown, etc.
Open your saved configuration file in a text editor (such as Notepad or Notepad++) to edit it. Refer to the sample configuration file to see which lines should be removed and which may be removed.
Repeat the process if more than one configuration is needed. Once the configuration file(s) are ready, it is time to set up the rules on Pleasant Password Server.
- Open the Password Server administration web page (typically https://localhost:10001/).
- Log in as an administrator (admin) and go to the Client Config tab.
- In the first section, click the Upload button and select the KeePass configuration file you created.
  - Once the file is uploaded, it will appear in the first table.
  - The name may be changed by clicking the Edit button.
- Create a new User or Role rule.
  - Click the Create button on the appropriate table.
  - Select a User or Role from the first drop-down list.
  - Set a value for the Sort Order (only for Role rules, see below).
  - Select a configuration file from the second drop-down list.
  - Click the Save button.
Only one rule can be created for each user and role. Rules are selected on a first-found basis. If a user has a rule, then that is applied. If no user rule is found, then the role rules are searched. If there are multiple matches, then the rule with the lowest Sort Order value will be used. The rule for (everyone) is applied if no other matches are found.
If no rules are found or the configuration file is set to (none), then NO server configuration is enforced and the user will be free to make any changes to their settings. It is recommended that you create a rule for Administrators with a configuration of (none) so that Administrators can continue to have full access to KeePass settings.
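The selection order described above can be checked against a planned rule set before it is deployed. The following is an added example, not Pleasant Password Server code: the function name, the data layout and the sample users, roles and file names are all assumptions, and it reads "a user rule set to (none)" as meaning no enforcement for that user.

```python
from typing import Dict, List, Optional, Tuple

NONE = "(none)"          # configuration value meaning "enforce nothing"
EVERYONE = "(everyone)"  # catch-all rule named on this page

# Constructed sample rules (hypothetical users, roles and file names).
USER_RULES: Dict[str, str] = {"svc-backup": "locked-down.xml"}
ROLE_RULES: Dict[str, Tuple[int, str]] = {   # role -> (Sort Order, config)
    "Administrators": (1, NONE),
    "Helpdesk": (10, "helpdesk.xml"),
    "Staff": (20, "staff.xml"),
    EVERYONE: (99, "baseline.xml"),
}


def resolve_config(user: str, roles: List[str],
                   user_rules: Dict[str, str],
                   role_rules: Dict[str, Tuple[int, str]]) -> Optional[str]:
    """Return the enforced configuration name, or None if nothing is enforced."""
    if user in user_rules:                       # 1. a user rule wins outright
        chosen = user_rules[user]
    else:
        matches = [role_rules[r] for r in roles
                   if r in role_rules and r != EVERYONE]
        if matches:                              # 2. lowest Sort Order wins
            chosen = min(matches, key=lambda m: m[0])[1]
        elif EVERYONE in role_rules:             # 3. catch-all rule
            chosen = role_rules[EVERYONE][1]
        else:                                    # 4. no rule at all
            chosen = NONE
    return None if chosen == NONE else chosen


if __name__ == "__main__":
    cases = [
        ("alice", ["Administrators", "Staff"]),  # admin rule sorts first
        ("bob", ["Staff", "Helpdesk"]),          # two role matches
        ("svc-backup", ["Administrators"]),      # user rule beats role rule
        ("carol", ["Contractors"]),              # falls through to (everyone)
    ]
    for user, roles in cases:
        print(user, roles, "->",
              resolve_config(user, roles, USER_RULES, ROLE_RULES))
```

For a user who holds several roles, the Administrators (none) rule only takes effect if its Sort Order is lower than that of every other role rule the user matches.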
The configuration file will be downloaded and applied the next time the user logs in or unlocks the KeePass client. KeePass will need to restart each time a new configuration file is downloaded so that the settings can be enforced.