This section presents security recommendations to apply to the Bizagi Work portal that relate to Bizagi's own configuration (application hardening).
You should be authorized to manage access security and configuration for the premises, equipment, appliances or components involved in the complete solution that are not integral parts of Bizagi, such as the network and storage, firewalls, load balancers or other appliances, and other servers such as domain controllers or database servers.
For more information regarding the scope of these recommendations, refer to Security setup recommendations.
The following recommendations apply when Bizagi is running on a .NET platform, independently of the IIS Web server version on which it runs.
In this section, the recommended configuration presumes an IIS Web server version 7.5, and hardening is carried out using IIS's own capabilities.
Before you start
Keep in mind the following considerations:
Considerations regarding the platform
Always review and apply recommendations issued by Microsoft, the vendor of the base platform on which Bizagi runs for .NET environments.
Consider bulletins and notifications about fixes and patches announced by Microsoft regarding your Windows OS or the IIS.
Remember to carry out proper tests after applying fixes and patches to verify you are not affecting your Bizagi project.
Considerations regarding the database
For a higher level of data-access security, Bizagi lets you configure the service account used by the Work portal and the Scheduler service to access the database so that it has only the minimum required rights.
For more information about the setup of these accounts, for instance when using SQL Server, refer to SQL Server prerequisites.
Before you continue with the web-related configuration recommendations for the Work portal, make sure you establish security policies for passwords (password composition and length, expiration, and other elements for protection and compliance with your network security requirements).
When using local authentication for Bizagi, configure the relevant parameters to cover such policies, as described at Bizagi authentication.
We recommend that you set at least the following parameters:
• Enable Lock Account: On
• Enforce Password change: On
• Enforce Password History: On
• Log Authentication Events: On
• Max Logon Attempts: 3
• Password expiration time: 30 days, or according to your criteria.
• Password minimum length: 8 characters, or according to your criteria.
• Password must have letters: On
• Password must have capital letters: On
• Password must have small letters: On
• Password must have numbers: On
• Password must have special characters: On
• Session Time: 5 minutes.
• Verify Password Sequences: On
• Password block time: According to your criteria.
• Blocked account duration: According to your criteria.
• Duration to restart failed attempts: According to your criteria.
Considerations regarding the system user in Bizagi
Recall that domain\admon is the system user created by default and employed internally by Bizagi.
You may not disable this user, since it is needed to perform automatic process tasks such as timers and scheduled jobs. Make sure that this user is always enabled in your project.
We strongly recommend that you edit this user's settings so that it does not have access to administration options in the Work portal (it should be able to start specific processes and run tasks, but it should not be a full administrator).
Make sure to exclude this user from those authorized to manage your Bizagi system (this user should not be able to manage users, nor modify values in Bizagi such as parameter entities, cancel or delete cases, etc.).
Follow the configuration recommendations to mitigate most vulnerabilities.
These apply to your testing and pre-production environments as well (when you use them).
For the next steps, make sure you have installed the IIS components World Wide Web Services -> Security -> Basic Authentication, and IP and Domain Restrictions (when installing IIS).
1. Using the HTTPS protocol
We strongly recommend that you configure your Bizagi Work Portal to use HTTPS (HTTP over SSL/TLS).
To do this, make sure you have a valid certificate for your server, issued for your server's domain name.
Once you have a valid certificate for your server, register it for the Bizagi Work portal by using the Server Certificates option of the IIS server:
Once the certificate is registered, specify the bindings for the Work portal's web site (by default, Default Web Site):
In the bindings, you can specify HTTPS with its secure port and select the registered certificate.
Click OK to save this configuration.
When using HTTPS, also consider editing the web.config file to specify <add key="PROTOCOL" value="HTTPS"/>.
This applies when using case links in process notifications, as described at Notifications using case links.
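The HTTPS setup above can be scripted and verified with the IIS WebAdministration module. This is an added example, not code from Bizagi's documentation; it assumes the site is "Default Web Site", that the PROTOCOL key lives in the appSettings section of web.config, and that the thumbprint and web.config path are placeholders you replace.

```powershell
# Added example (not Bizagi's own tooling): bind an already-imported server
# certificate to the Work portal site over HTTPS and set PROTOCOL=HTTPS.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$thumbprint = '<THUMBPRINT-OF-YOUR-SERVER-CERTIFICATE>'      # placeholder
$webConfig  = 'C:\inetpub\wwwroot\<YourProject>\web.config'   # placeholder

# 1. The certificate must already be in the machine store (registered via
#    IIS > Server Certificates, as described above).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# 2. Add an HTTPS binding on port 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# 3. Associate the certificate with that binding (IIS SSL binding store).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# 4. Set <add key="PROTOCOL" value="HTTPS"/> so case links in notifications
#    are generated with https (assumption: key lives under appSettings).
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($webConfig)
$node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'PROTOCOL' }
if ($node) {
    $node.value = 'HTTPS'
} else {
    $new = $cfg.CreateElement('add')
    $new.SetAttribute('key', 'PROTOCOL')
    $new.SetAttribute('value', 'HTTPS')
    $cfg.configuration.appSettings.AppendChild($new) | Out-Null
}
$cfg.Save($webConfig)

# 5. Verify: every binding of the site and the resulting PROTOCOL value.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
"PROTOCOL = " + ($cfg.configuration.appSettings.add |
    Where-Object { $_.key -eq 'PROTOCOL' }).value
```

Back up web.config before running the script, since step 4 rewrites it in place.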
2. Filtering unauthorized requests
We recommend that you identify the gateway through which your end users access the Bizagi Work portal.
This way, you can use a range of valid IP addresses to filter HTTP requests to your application.
To do this, define a white list of IP addresses authorized to access the Bizagi Work portal at the site level (you may also specify an authorized domain).
Use the IP Address and Domain restrictions option:
Similarly, you may rely on Web Application Firewall products to harden access to Bizagi, both for additional features such as intrusion detection and to enforce corporate policies that secure your application, especially when Bizagi is set up for internet access.
When using a DMZ, make sure that neither the inside nor the outside firewall allows indiscriminate access through its rule configuration and open ports.
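The site-level IP and Domain Restrictions white list described above can be applied and verified with WebAdministration cmdlets. This is an added example, not code from Bizagi's documentation; it assumes the site is "Default Web Site", and the two address ranges are constructed placeholders standing in for your own gateway or proxy addresses.

```powershell
# Added example (not Bizagi's own tooling): restrict the Work portal site to
# a white list of client addresses and deny everything else.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$filter = '/system.webServer/security/ipSecurity'
$allowed = @(
    @{ ipAddress = '10.20.0.0';  subnetMask = '255.255.255.0'   }  # corporate gateway (constructed)
    @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' }  # reverse proxy (constructed)
)

# ipSecurity is locked at server level by default; unlock it so the site
# (not the whole server) can carry its own white list.
Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# Deny unlisted clients. Without this switch the "add" entries have no
# effect, because unlisted addresses are allowed by default.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name 'allowUnlisted' -Value $false

# Drop previous entries so the script is idempotent when re-run.
Clear-WebConfiguration -PSPath $site -Filter "$filter/add"

foreach ($range in $allowed) {
    Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' -Value @{
        ipAddress  = $range.ipAddress
        subnetMask = $range.subnetMask
        allowed    = $true
    }
}

# Verify the effective site-level configuration after the change.
$effective = Get-WebConfiguration -PSPath $site -Filter $filter
"allowUnlisted = $($effective.allowUnlisted)"
Get-WebConfiguration -PSPath $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

IIS evaluates the source address it sees on the connection, so when a load balancer or WAF sits in front of the server, the white list must name that appliance and the appliance itself must enforce the per-client filtering.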
For Bizagi, security is an aspect of critical importance.
Therefore, Bizagi periodically releases new versions which feature improvements and fixes for issues detected in previous versions.
Fixes for those detected issues may include specific solutions for identified security vulnerabilities.
We strongly recommend that you consider periodically upgrading your solution to Bizagi's latest releases, always following the usual guidelines for an upgrade procedure, including:
• Plan, coordinate and appropriately test these upgrades.
• Rely on an array of environments (development, testing, pre-production when applicable, and production).
• Take proper contingency measures (e.g., backups) before upgrading.
• Evaluate customizations or additional security configurations such as the ones listed above, so that stakeholders are aware that reconfiguring certain components after the upgrade is part of the plan.
When having customizations or applying hardening measures such as the ones above, follow one of these two alternatives when carrying out a version upgrade:
1. If you upgrade through the Bizagi Management Console, you will need to reconfigure and verify that such measures are still applied after the upgrade. We recommend backing up customizations before starting the upgrade.
By default, an upgrade carried out through the Management Console will not check whether you have done modifications to the original files and file structure.
2. You may choose to do the upgrade through a manual procedure (without using the Bizagi Management Console).
If you do, consider all the relevant components and files that you need to replace manually for the Work Portal and Scheduler, while avoiding overwriting your configured customizations or the already applied hardening measures.
For highly critical security issues, Bizagi may issue hot fixes and recommend that you apply them without waiting for a newer version.
To evaluate or consider additional application hardening aspects, refer to Intermediate recommendations.