Overview

This section presents security recommendations to apply in Bizagi Work portal related to Bizagi's configuration (application hardening). You should be authorized to work with the security of access and configuration of your premises and equipment, appliances, or components involved in the complete solutions which are not integral parts of Bizagi, such as: the network and storage, firewalls, load balancers or other appliances, and other servers such as domain controllers or database servers.

The following recommendations apply when Bizagi is running on a .NET platform, independently from the Web server IIS version on which it runs.

In this section, the recommended configuration presumes an IIS Web server version 7.5, and hardening is carried out according to IIS capabilities.

The following recommendations are mandatory for test or production environments.

This section contains the following recommendations to enable secure connections and protocols in your environment and database:

•Configure the HTTPS protocol

•Enable a secure TLS version

•Configure a secure SSL/TLS cipher suite

•Configure TLS for database

For more information regarding the scope of these recommendations or other recommendations, refer to Security setup recommendations.

For the next steps, make sure you have installed the IIS component World Wide Services -> Security -> Basic Authentication, and IP and Domain restrictions (when installing IIS). Review the IIS instalation.

Using the HTTPS protocol

We strongly recommend that you configure your Bizagi Work Portal using the HTTPS over TLS protocol.

To do this, make sure you have a valid certificate for your server which registers to your server's domain.

Once you have a valid certificate for your server, register it for the Bizagi Work portal by using the Server certificates option for the IIS Server:

SecurityS_SOAP06

Once the server is registered, specify the bindings in the Work portal's web site (by default, at Default Web site):

SecurityS_SOAP07

For the bindings, you will be able to specify HTTPS use, with its secure port, and select the appropriate registered certificate.

Click OK to save this configuration.

When using HTTPS, consider editing the web.config file to specify <add key="PROTOCOL" value="HTTPS"/>.

This applies when using case links in process notifications, as described at Notifications using case links.

Enabling a secure TLS version

The Bizagi Work Portal supports the following protocols:

•TLS 1.2

We strongly suggest to use the TLS 1.2 secure protocol and deactivate the others.

To activate the TLS 1.2 protocol in your IIS server you must follow these steps:

1. Backup your registry files

Open the Registry Editor typing Regedit in the search option of your windows. From the File tab, select Export, and save the reg file from all branches.

2. Add the TLS 1.2 key

In the Registry editor, navigate to this location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Include the TLS 1.2 key under Protocols folder. This look like a new directory under the Protocol folder.

3. Create two keys in the TLS folder.

Right click the TLS 1.2 folder and create the Client and Sever key.

4. Create values

Right click the right panel and create the DWORD values under both Server and Client keys as follow:

DisabledByDefault [Value = 0]
Enabled [Value = 1]

SecurityS_TLS

5. Disable TLS and SSL older versions

under the same location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

locate the DWORD values of TLS 1.0 , 1.1 and SSL 3.0 and set the Enabled value to 0.

Forcing the TLS version

If you are using HTTPS with the TLS protocol and you have to use a specific version (e.g., version 1.1 or 1.2), you must add the following key in the <appsettings> section of the Work Portal's web.config file (usually located in C:\Bizagi\Projects\[Project_Name]\WebApplication):

Bear in mind that the key value is case sensitive. Thus, you must add it as specified above to set the TLS protocol version (in this case, version 1.2) correctly.

Consider reviewing if the end-user browser has the TLS enabled. These browsers versions enable the TLS 1.1 version by default:

Browser	Version where TLS 1.1 is enabled by default
Internet Explorer	11
Microsoft Edge	All versions
Google Chrome	22
Mozilla	27

To review if TLS is enabled in your browser, follow these steps:

Microsoft Internet Explorer

1.Open Internet Explorer

2.From the menu bar, click Tools > Internet Options > Advanced tab

3.Scroll down to Security category, manually check the option box for Use TLS 1.1 OR Use TLS 1.2.

Google Chrome

1.Connections are automatically negotiated at the highest grade.

2. If you are using Google Chrome version 22 or greater, TLS 1.1 is automatically supported. TLS 1.1 & 1.2 are automatically enabled from version 29 onwards.

Mozilla Firefox

1.Open Firefox

2.In the address bar, type about:config and press Enter

3.In the Search field, enter tls. Find and double-click the entry for security.tls.version.max

4.Set the integer value to 4 to force a maximum protocol of TLS 1.3.

Configuring a secure SSL/TLS Cipher suite

The SSL/TLS is a protocol that defines the usage cryptography algorithms to guarantee integrity, confidentiality and authentication for the OSI/TCP transport layer. These algorithms are often referred as SSL/TLS Cipher Suite. To prevent systems from crypto hacking techniques, it is necessary to maintain a secure and updated Cipher Suite. By restricting the SSL/TLS Cipher Suite you could improve the security of SSL/TLS communications.

To do this, open the Run command and type gpedit.msc to open the Local Group Policy Editor.

SecurityS_Cipher_1

Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

SecurityS_Cipher_2

Double click on SSL Cipher Suite Order and select the enabled option.

SecurityS_Cipher_3

Set the SSL cipher suite ordered from the most secure to the least secure sorted by comas. Click ok to finish the configuration.

SecurityS_Cipher_4

When the SSL/TLS communication starts, the server will offer the encryption algorithms specified in the Cipher Suite. Then the client and the server will choose the algorithm that both support within the list starting from the first one to the last one.

We suggest to use the following list of SSL Cipher Suites:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Configuring TLS for database

To increase security it is recommended to use the latest security protocol. We do not recommend using SSL as your secure transport protocol, instead use TLS version 1.2.

Review if your SQL version already supports TLS 1.2 in the following article:

https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

Configuration steps

Open the SQL Server Configuration Manager. Expand SQL Server Network Configuration. Right-click Protocols for your server instance, and select Properties.

Security_01

Open the Certificate tab, and select a certificate from the drop-down list. Click, Apply when you are done.

Security_02

Certificates must be created for Server Authentication and installed through the MMC in the personal folder.

Security_04

Open the Flags tab, and activate Force Encryption.

Security_03

Reviewe the user registered in the logon options of the SQL instance.

Security_05

Make sure that this user has reading permission in the certificate. To do that, open the MMC, go to your Local Computer, and Personal Certificates. Right-click the certificate used previously, select All Tasks, and then Manage Private Keys.

Security_06