Definition of Four-Eyes
Four-Eyes authentication is an extra layer of security added onto Impero's cloud-based product "Series C". The tool operates through a "Sensitive User List". Essentially, if a console user is on this "Sensitive User List", policies from both "Series C" and "Series 7" cannot be applied. This means that members of staff who store sensitive data are reassured that they can safely work without feeling vulnerable.
Adding a user to the "Sensitive Users List"
To get to the "Four-Eyes Sensitive User List", you will need to type "Four" in the search bar once you have logged into "Series C". This will automatically find the "Four-Eyes Sensitive User List" at the top of the browser (See Figure 1). It can also be accessed from the Menu. Click on the option to bring up the security module. Only users on the Sensitive Users List can access the list.
If you are a new customer looking to setup the Four-eyes Sensitive Users List, then you will need to contact Impero Support to add your first user. Once the first user has been added they can access the Sensitive User List and invite the second user. The first user can then approve the second user. This is a unique rule that only applies when inviting the second user. Four eyes authentication requires at least two users on the Sensitive User List to function so the rules around inviting the first two users are slightly different. So to recap:
- The first user must be added by the Impero Support team
- The second user can be invited and approved by the first user
- All other users can be invited by anyone on the list
- Invites can be approved by anyone on the list, but not the user who sent the invite
Figure 1- Finding Four- Eyes
In order to add a user to four eyes authentication, a console user that is already on the sensitive list will need to add the email address of the new user you wish to join.
Figure 2 - Four Eyes Sensitive Users List
Once you have added the user, please select "Add". The added member will then be set as "Awaiting Approval" which will need to be confirmed by another user who is a member of the "Sensitive User List". list.
Figure 3- Awaiting Approval
Note: A user cannot be added to the "Sensitive Users List" unless another console user already with Four-Eyes authentication confirms the new entry from the list.
Within the "Sensitive User List", console users will have the ability to see the audit history of changes to this security option. This allows you to see dates and times of when users were added to this list but also which sensitive users have granted access for staff to have Four-Eyes restrictions.
Figure 4- Audit History
- At this moment in time, four-eyes authentication only applies to users using a Windows device.
- Our cloud-based product "Series C" is the only place you can setup Four-Eyes Authentication, you will not be able to set up the security module on "Series 7".
- The four- eyes authentication option is available whether you are an on-premise user of "Series C" or if you have a hosted server.
Rules enforced when a user is a member of the "Sensitive Users List"
The following actions cannot be performed against a user with granted four-eyes authentication:
- Cannot view device thumbnail (Client will act as if the Series 7 group policy "Request access for Remote Control and deny after 10 seconds" is set)
- Cannot broadcast device screen
- Log data is not recorded
- Active Tab/Windows History not recorded
- Captures are not triggered
- Run file/website will not apply
- Admin commands from the product "Series 7", such as "Remote command prompt", "Remote Mimic Script", "Remote Task Manager" and "Remote File Search" will not apply for a Sensitive User.