HELP CENTER

senhasegura official documentation

Table of Contents

Administration
System Parameters 4
Access control 4
Remote sessions 4
General 5
SSH Proxy 5
RDP Proxy 5
Recordings 6
Security 7
Encryption 8
Security settings 8
User accounts maintenance 8
Multi-factor authentication 8
Password security level 8
Access control by IP 8
Adaptive MFA by location 9
Executions 9
User Behavior 9
Session settings 9
Weighted Assessment 10
Password View Settings 10
Weighted Assessment 10
Handling sessions with an unusual duration 10
Handling sessions at an unusual time 10
Handling sessions from an unusual origin 10
Handling sessions with unusual targets 11
Handling sessions from unusual credentials 11
User behavior notifications 11
Notifications 11
SMS configuration 11
Application 11
Application connection settings 12
Credentials and device settings 12
Reports settings 12
General application settings 12
Trusted IP Address Settings 13
Master key ceremony 13
LDAP / Active Directory 13
LDAP service settings 13
Login options 13
Domain settings 13
GO Endpoint Manager 14
GO Endpoint Manager for Windows 14
Modules 14
Installation settings 14
General settings 14
Workflow settings 15
Elevation settings 15
Access request settings 15

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

2
 Network access 15
JIT/Elevation methods 15
Authentication 16
Messages 16
GO Endpoint Manager for Linux 16
AD Bridge 16
Messages 17
Task Manager 17
Domum 17
Email settings 17
First authentication token 17

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

3
System Parameters

Access control
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Access Control :

Password Parts : The number of parts a password should be broken down into in a split-
knowledge scheme.
Password display time(s) : Time, in seconds, the password window remains open. Set it at zero
to keep it open and not close it automatically.
Justification expiration time (min) : Time, in minutes, that the justification provided by a user
remains valid. During this time, the user will be able to access that password again, if needed,
without the need to provide a justification.
Approval expiration time (min) : Time, in minutes, that an access approval will remain valid by
default.

Note
This parameter is limited to 3,600 minutes (2.5 days).

Allow changes in the approval expiration time? : Choose Yes or No to decide whether
Approvers should be able to change the expiration time of an authorized access.
Limit group per user to one? : Choose Yes or No to decide whether users can be part of only
one or multiple groups.
List approvers with permission only? : Choose Yes or No to decide whether only approvers with
permission can be listed.
Allow self-approval? : Choose Yes or No to decide whether an Approver should be able to
approve a request that they have submitted themselves.
Allow duplicate credentials? : Choose Yes or No to decide whether the user can register the
same credentials.
Allow devices with a duplicate IP address? : Choose Yes or No to decide whether a user can
add a device with a duplicate IP address to the platform.
Process groups individually? : Choose Yes or No to decide whether a group could be processed
separately from others.
Allow batch approval? : Choose Yes or No to decide to allow or deny importing multiple
approvals at once.
Make the below fields required : Decide whether Users and Approvers will be required to fill in
the following fields:.
Notify a user about the response to their request via : Set whether the requester will
be notified by Email/On-screen notification.
Notify an approver of new requests via: Set whether the approver will be notified by
Email/On-Screen notification.
Display Governance ID: Write a message about the Governance ID.

Remote sessions
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Remote Session :

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

4
 General
Enable File Transfer? : Choose Yes or No to decide whether users will be able to download
session files.
Enable Ctrl+Alt+Del? : Choose Yes or No to enable or disable this option.
Enable copy and paste? : Choose Yes or No to enable or disable this option.
Enable use of personal credentials? : Choose Yes or No to enable or disable this option.
Enable triggers for file transfer? : Choose Yes or No to enable or disable this option.
Convert /r/n to /n on SSH sessions when using the browser? : Choose Yes or No to enable
or disable this option on the web browser.
Enable local downloads : Choose Yes or No to decide whether users should be able to
download files for future local access.
PuT T Y installation path : Choose the directory where PuTTy should be installed
E.g., C:\Program Files\PuTTY\putty.exe

Allow users to change the PuT T Y installation path? : Choose Yes or No to enable or disable
this option.
IPv6 interface in senhasegura's server : To populate this field correctly, please check which
network interface you currently use. Example: eth0. If you are unsure, run the following command:
Type ifconfig in Linux terminal.
Type ipconfig in Windows cmd.

Color depth :
8 bit
16 bit
24 bit
32 bit

RDP drive letter : Fill in with the letter assigned to the RDP drive.
E.g., G:

Connection banner : Users are shown this banner upon login. It does not replace the device
banner.

SSH Proxy
Enable SUDO automation in Linux sessions? : Choose Yes or No to enable or disable this option.

SSH terminal type : Choose the type of proxy terminal.

Linux
Xterm

RDP Proxy
Ignore certificate errors? : Choose Yes or No to enable or disable this option.
Enable RAIL over RDP? : Choose Yes or No to enable or disable this option.
Enable wallpaper in RDP sessions? : Choose Yes or No to enable or disable this option.
Include the hostname when logging in locally in RDP sessions? : Choose Yes or No to
enable or disable this option.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

5
 Recordings
Indexing session texts? : Choose Yes or No to enable or disable this option.
Enable importing Input-text indexes? : Choose Yes or No to enable or disable this option.
Enable importing Output-text indexes? : Choose Yes or No to enable or disable this option.
Enable user input recording? : Choose Yes or No to enable or disable this option.
Enable session recording? : Choose Yes or No to enable or disable this option.
Enable use of macros in session? : Choose Yes or No to enable or disable this option.
Enable session purging? : Choose Yes or No to enable or disable this option.
Days before a session is purged: Set a number between 0 and 1,000 days.
Number of concurrent user sessions (zero = unlimited) : Set a limit for simultaneously active
sessions.
Web session image quality : Between 10 and 100.
N umber frame rate (fps) : Choose a number between 2 and 24 frames per second.
Keyboard Layout : Choose one of the supported languages and its respective keyboard layout:

US English (Qwerty)
UK English (Qwerty)
Portuguese Brazil (Qwerty)
Spanish (Qwerty)
Spanish Latam (Qwerty)
German (Qwertz)
Swiss German (Qwertz)
Danish (Qwerty)
French (Azerty)
Belgian French (Azerty)
Swiss French (Qwertz)
Hungarian (Qwertz)
Japanese (Qwerty)
Norwegian (Qwerty)
Turkish (Qwerty)
Russian (Qwerty)
Croatian (Qwertz)
Swedish (Qwerty)
Italian (Qwerty)

Web session image type : Choose one of the available PNG and JPEG extensions.
Enable real time live stream: choose Yes or No to decide whether a session could be monitored
in real-time.
Language used in texts (OCR) : Choose the language that is being used during the session to
improve text recognition. Available languages:
English
Portuguese
Spanish
German
Danish
French
Hungarian
Japanese

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

6
 Norwegian
Turkish
Russian
Croatian
Swedish
Italian

Enable approval workflow for video recordings? : Choose Yes or No to enable or disable this
option.

Security
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Security :

Require multi-factor authentication to view passwords? : choose Yes or No to enable or

disable this option.
Time between password token requests? : Set an interval between 0 to 60 minutes
Require multi-factor authentication to start a new session? : choose Yes or No to enable or
disable this option.
Time between session token requests (min)? : Set an interval between 0 to 60 minutes.
Require a secure connection (SSL) to change passwords? : choose Yes or No to enable or
disable this option.
Enable password change after a session starts? : choose Yes or No to enable or disable this
option.
Require a certificate for RDP Proxy authentications? : choose Yes or No to enable or disable
this option.
Require a certificate for SSH/Telnet authentications? : choose Yes or No to enable or disable
this option.
RDP safe mode :
Automatic
RDP (not recommended)
NLA (recommended)
TLS (recommended)

Session inactivity timeout : how long before an inactive session is terminated. Choose between 0
to 60:
Minutes
Hours
Days

Filter IP addresses with permissions to start a session : check this option to enable this filter.
List of IP addresses with permission to start a session : fixed IP addresses, ranges, or
networks, separated by a comma.
E.g. : 192.168.10.80, 172.66.1.0, 125.10.1.100-199

Ignore the "Trust this computer" option to view password? : choose Yes or No according to
the behavior you need.
Ignore the "Trust this computer" option to start a session? : choose Yes or No according to
the behavior you need.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

7
 Info
By enabling these options, the MFA token will always be requested during login and/or password
retrieval.

Encryption
Encryption Mode*: Indicates whether the encryption mode will be Standard or HSM .
HSM : Indicates the corresponding ID of the HSM previously registered in the web application.

Info
Fields marked with * (asterisk) are mandatory.

Security settings
Go to Settings ➔ System Parameters ➔ Security to find additional security settings:

User accounts maintenance

Minutes before a session expires: 0 to 120.
Failed login attempts: 2 to 6 attempts before the account is locked.
Inactive accounts 0 to 120 days of inactivity before the account is disabled.
Require password change on first access.
Password expiration time: 1 to 120 days before a password expires.

Multi-factor authentication
Require all users to use multi-factor authentication.
Require all users to have a digital certificate.
Allow the use of third-party multi-factor authentication applications.
Enable "Trust this computer" for 1 to 72 hours.
Accept tokens generated up to 60 to 270 seconds before.

Password security level

Minimum password length : between 8 and 100 characters
Minimum number of numeric digits: between 1 and 100
Restrict password reuse: 0 to 100 previous passwords are stored to prevent reuse.
Require symbols: if checked, passwords must contain symbols.

Access control by IP
Allow All/Deny All:
IP address ranges:
Start
End
Action

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

8
 Allow all
Deny all

Adaptive MFA by location

IP address ranges:
Start
End
Action
Require MFA
Skip MFA

Note
Trust Thi s Computer can only be enabled for a user using the Web Interface. This option is not
available for other types of proxies.

Executions
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Executions :

Number of change attempts : between 1 to 10

Connection timeout (s): between 1 and 300 seconds of inactivity before the connection is
terminated.
Read timeout(s): between 1 to 300 seconds without a response before a command request is
terminated.
Total cycles per instruction: between 1 to 10,000 cycles.
Time between attempts (min): minimum time, between 0 and 1440 minutes , before the next
attempt to change a password using a template.
Time between failed attempts (min): minimum time, between 1,440 and 10,080 minutes,
before the next attempt to change a password after a previous failed attempt.
Template Approval workflow: choose Yes or No to decide whether new templates need to be
approved before they can be used.

User Behavior
To change settings related to user behavior, go to Settings ➔ System Parameters ➔ System
Parameters ➔ User Behavior .

Minimum score (1 to 15): any user whose score is below the minimum will be listed as
suspicious.

Session settings
Days of user history: how long a user's behavior data should be kept.
Variation rate (%): variation rate between sessions.
Submit high-risk sessions for auditing?: If marked as Yes , send certain sessions to an auditor
for assessment.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

9
 Important
To enable this feature, you will have to appoint at least one user as the auditor in charge of reviewing
these sessions.

To learn more about how to choose the commands that require auditing and set their criticality level, go to
Command Auditing.

Weighted Assessment
Access unusual target: user behavior score using a session to access a less-used target device.
Maximum score: 3.
Access from unusual origin: user behavior score for starting a session using a less-used source
device. Maximum score: 3.
Access of unusual credentials: user behavior score for starting a session using a less-used
credential. Maximum score: 3.
Access at an unusual time: user behavior score for starting a session at an unusual time of the
day. Maximum score: 3.
Access of unusual duration: user behavior score in sessions that last an unusual amount of time.
Maximum score: 3.

Password View Settings

Days of user history: how long a user's behavior data should be kept.
Variation rate (%): variation rate between password views.

Weighted Assessment
Request from unusual origin: user behavior score for viewing passwords using a less-used
source device. Maximum score: 3.
Request from unusual credential: user behavior score for viewing passwords using a less-used
credential. Maximum score: 3.
Request at an unusual time: user behavior score for viewing passwords at an unusual time of
the day. Maximum score: 3.
Unusual password change: user behavior score for odd password changes. Maximum score: 3.
An unusual password change is usually associated with credentials that have password change
automation, but whose passwords are changed manually at some point.

Handling sessions with an unusual duration

Block session only : Yes/No
Block both session and user: Yes/No

Handling sessions at an unusual time

Block session only: Yes/No
Block both session and user: Yes/No.

Handling sessions from an unusual origin

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

10
 Block session only: Yes/No
Block both session and user: Yes/No

Handling sessions with unusual targets

Block session only: Yes/No
Block both session and user: Yes/No

Handling sessions from unusual credentials

Block session only: Yes/No.
Block both session and user: Yes/No

User behavior notifications

Go to Settings ➔ Notifications ➔ Settings to set up notifications associated with unusual user
behavior. In the actions menu, add a new notification and filter by User Behavior . Notification options
include

Access at an unusual time

Access of unusual duration
Access from unusual origin
Unusual password change
Access to unusual target
Access from unusual credential
Request from unusual origin
Request with unusual credential

Notifications
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Notifications:

SMS configuration
Communication platform: select Zenvia SMS.
Sender: the person sending the message.
User: your Zenvia SMS username.
Password: your Zenvia SMS password.

Info
For more information, access Zenvia 's website.

Application
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Application.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

11
 Application connection settings
Network connector: select senhasegura self-managed - NCagent:30200 . This is the default
agent to connect to third-party systems.

Important
In case you want to back up your credentials (secrets), you must specify a network connector.
It isn’t possible to back up the database and videos (system).
In case you’re a SaaS customer, you must allow communication from senhasegura to your
server across your firewall for the protocols used.

Info
If the target device has no network connector, but senhasegura's application has connector settings,
you can still use it to:

change passwords.
start sessions.
send data to the SIEM.
run a connectivity test.

Credentials and device settings

Force password change after a batch import?: choose Yes or No to decide whether
passwords should be changed after importing multiple credentials at once.
Use the additional information of a unique key?: Yes or No .
Use the credential type of a unique key?: Yes or No.
Additional fields (1 and 2): choose a name for the additional fields.

Reports settings
Data entries per page: default number of entries (between 1 and 1,000) listed on each report
page.
Data entries per page (máx.): maximum number of entries (between 1 and 1,000) a user can
choose to see on each report page.
Hide filters by default?: Yes or No .
Add hours and minutes to the data filter?: choose Yes or No to decide whether users should
be able to filter results by specific time periods.

General application settings

Default language : select one of the available languages:
Deutsch
English
Español
Français [BETA]
Polski
Português

Enable login banner?: choose Yes or No to show or hide a login message.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

12
 Redirect on module change? : choose Yes or No to determine whether, when you change
modules, the page for that new module will load automatically rather than requiring additional clicks
to navigate to the desired screen.
Login banner: write a message to be shown to users immediately after login.
Remote backup credential: select one of the registered credentials by its IP address, Hostname,
or Username.

Trusted IP Address Settings

Application IP address: add a trusted IP address.
Trusted IP addresses: a list of all IP addresses that are trusted by the platform.

Master key ceremony

Require MFA in Master key ceremonies?: choose Yes or No to decide whether an
authentication token should be required when performing the master key ceremony.

Important
Unchecking this option will reduce the security of your vault.

LDAP / Active Directory

Go to Settings ➔ System Parameters ➔ System Parameters ➔ LDAP / Active Directory.

LDAP service settings

Disable users without a group when synchronizing?: choose Yes or No to decide whether a
user who has not been added to any groups should be deactivated in the sync process.
Use a vault credential on authentication?: choose Yes or No to decide whether a credential is
required to perform an authentication.

Login options
Update username when logging in?: choose Yes or No to enable or disable this option.
Update email address when logging in?: choose Yes or No to enable or disable this option.
Update local password when logging in?: choose Yes or No to enable or disable this option.
Enable local user after login?: choose Yes or No to enable or disable this option.
Block inactive users from logging in?: choose Yes or No to enable or disable this option.

Domain settings
New domain: add a new domain.
Domain: domain name.
Domain (Short Name): an alias for the domain name.

Note
You cannot delete a domain that is still associated with a device or credential.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

13
 GO Endpoint Manager

GO Endpoint Manager for Windows

1. Log in to senhasegura.
2. Go to Settings ➔ System Parameters ➔ System Parameters ➔ go Windows .

Modules
Enable credentials?: choose Yes or No to enable or disable this option.
Enable applications?: choose Yes or No to enable or disable this option.
Enable uninstall?: choose Yes or No to enable or disable uninstalling GO Endpoint Manager.
Enable network sharing?: choose Yes or No to enable or disable this option.
Enable network interface?: choose Yes or No to enable or disable this option.
Enable control panel?: choose Yes or No to enable or disable this option.

Installation settings
Allow auto-approval for workstation links?: choose Yes or No to decide whether a workstation
request from a valid GO Endpoint Manager license should be automatically approved.
Allow auto-approval for a user's first link?: choose Yes or No to decide whether the first
request from a previously approved device should be automatically approved.
Allow auto-approval of all other links?: choose Yes or No to decide whether to automatically
approve all subsequent users who request access from a previously approved device.
Enable automatic updates for the client software?: choose Yes or No to decide if GO
Endpoint Manager should update automatically if a new version is available on the server.
Enable user expiration time?: choose Yes or No to decide whether a user's access approval
should expire after a set period of time.
User expiration time: Days after approval before a user expires. The time limit for a user approval
form.

General settings
Enable offline use?: choose Yes or No to decide whether users should be able to run GO
Endpoint Manager without an internet connection.
Enable UAC integration?: choose Yes or No to enable the use of senhasegura during UAC
operations. Users can choose to enter a credential to continue the process.
Enable controlling Windows applications?: choose Yes or No to enable or disable this option.
If enabled, GO Endpoint Manager will activate the driver that monitors Windows applications and
intervene whenever an application is not in the allowlist (or is in the denylist). Only user session
applications will be evaluated.
Enable session recordings?: choose Yes or No to decide whether to video record applications
with elevated privileges.
Deactivate certificates automatically after an intrusion attempt?: choose Yes or No to
decide whether the unique certificate that a workstation uses to communicate with the server should
be disabled if the server detects an intrusion attempt.
Enable application malware and reputation scans?: choose Yes or No to decide whether you
want to scan an application for malware and status.
Time between credential requests: if a Workstation is online, update a secure cache of the

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

14
 credential's details from time to time.

Note
Be careful when configuring this parameter, as it can lead to a system overload. The shorter the time, the more
resources this feature will use.

VirusTotal API token: connect to VirusTotal's API to run subsequent analyses.

Enable DLL analysis?: choose Yes or No to enable or disable this feature.
New trusted directory: add a directory you trust.
Directory path: add the path to this directory in your operating system.
Ignore directory during scan: check if you want to skip a given directory during the scan.
Directory path: add the path in your operating system to the directory you want to skip.

Note
This field accepts regular expressions.

Workflow settings

Elevation settings
Users can elevate applications: check this box to enable this function.
Require a justification to elevate applications: check this box to require users to first provide a
justification before elevating the privileges of an application
Require approval to elevate applications: check this box to require approval before users can
elevate the privileges of an application
Approvals required: if the previous box has been checked, decide how many approvals are
required for a user to elevate the privileges of an application
Denials required to cancel: how many request denials are required to prevent a user from
elevating the privileges of an application.
Allow emergency access: check this box if you want to allow emergency access.
Multi-level Approval: check this box to enable multi-level approval workflows.

Access request settings

Require governance ID when providing a justification?: choose Yes or N o to enable or
disable this option.
Always require approval from a user's manager?: choose Yes or No to decide whether the
manager of a particular user should always be one of the approvers for this user's requests.

Network access
Block access to the network?: when enabled, denies access to any user who tries to establish a
TCP or UDP connection.
Block user: when enabled, blocks the user who tries to access the network repeatedly.
Occurrences (minimum): Failed attempts before a user is blocked. Between 1 and 10.

JIT/Elevation methods
Enable JIT access?: choose Yes or No to enable or disable this option.

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

15
 Prevent elevation of privilege?: choose Yes or No to decide whether senhasegura should deny
any requests to elevate the privileges of an application outside senhasegura.go.
Block user: choose Yes or No to decide whether senhasegura should block a user who tries to
elevate the privileges of an application repeatedly.
Occurrences (minimum): Failed attempts before a user is blocked. Between 1 and 10.

Authentication
Enable multi-factor authentication at login?: Yes/No.
Enable Single Sign-On?: choose Yes or No to decide whether GO Endpoint Manager can start
an authenticated senhasegura web session in the user's default browser without a password. If an
MFA token is required, senhasegura’s web service will request it before authentication.

Messages
Execution message: message shown to the user when an application is running on GO Endpoint
Manager.
Execution block message: message shown to the user when a request is blocked on GO
Endpoint Manager.

GO Endpoint Manager for Linux

Go to GO Endpoint Manager ➔ Settings ➔ Parameters ➔ go Linux and open the GO Endpoint
Manager tab.

Allow auto-approval of workstation links?: automatically approves a workstation with a valid

Go Endpoint Manager license.
Allow auto-approval for a user's first link?: automatically approves the first request from a
previously approved device.
Allow auto-approval of all other links?: automatically approves all subsequent users who
request access from a previously approved device.
Enable user expiration time?: a user's access approval automatically expires after a set period
of time.
User expiration time: Days after approval before a user expires. The time limit for a user approval
form.

AD Bridge
Allow auto-approval of a workstation link?: automatically approves an integration from a
workstation with a valid Go Endpoint Manager license.
Domain: the domain of your account.
Credential : previously created credential for this integration.
LDAP Uri: add your IP address to AD.
Use SSL?: if you are using LDAPS, choose Yes .
DN Bind: username used to connect to the LDAP service.
DN Base: the beginning of the path that the LDAP server should use to search for a user's
authentication in the directory.
User DN: location of the user path.
User filter: how to find the user. Populate this field with the following filter: (objectClass=user)
User UID: populate this field with the following variable: sAMAccountName

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

16
 Username: populate this field with the following variable: displayName
User's HOME directory path: populate this field with the following path:
"/home/$sAMAccountName"
User shell: populate this field with the following path: "bin/bash "
Group DN: fill in to force group authentications.
Group filter: how to find a group. Populate this field with the following filter: (objectClass=group)
Group name: populate this field with the following variable: sAMAccountName

Messages
Execution message : message shown to the user when an application is running on GO Endpoint
Manager.
Execution block message: message shown to the user when a request is blocked on GO
Endpoint Manager.

Task Manager
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Task Manager :

Enable file transfer: choose Yes or No to decide whether file transfers will be allowed when
using Task Manager .
Maximum transfer limit (in KB): maximum limit allowed when transferring files.
File retention time (in days): how long the files should be kept in the system. Type 0 to make it
unlimited.

Domum
Go to Settings ➔ System Parameters ➔ System Parameters ➔ Domum:

Employees domain: domain used in employee's access links.

E.g.: int.domum.senhasegura.com.

T hird-party domains : the domain used in the access link of the DNS server/Email settings:
E.g.: domum.senhasegura.com.

Email settings
Sender: email account that will send the remote access link.

First authentication token

Indicates how to send the first access token:

Email
SMS

Powered by Document360

Copyright 2022 senhasegura | All Rights Reserved | Powered by MT4 Group | Public information

17