Mandatory hardening part 1

<< Click to Display Table of Contents >>

Navigation:  Automation Server > Automation Server configuration and administration guide > Initial project configuration > Best practices in the production environment > Security hardening >

Mandatory hardening part 1


This section presents security recommendations to apply in Bizagi Work portal related to Bizagi's configuration (application hardening). You should be authorized to work with the security of access and configuration of your premises and equipment, appliances, or components involved in the complete solutions which are not integral parts of Bizagi, such as: the network and storage, firewalls, load balancers or other appliances, and other servers such as domain controllers or database servers.



The following recommendations apply when Bizagi is running on a .NET platform, independently from the Web server IIS version on which it runs.

In this section, the recommended configuration presumes an IIS Web server version 7.5, and hardening is carried out according to IIS capabilities.


The following recommendations are mandatory for test or production environments.


This section contains the following recommendations  to enable secure connections and protocols in your environment and database:


Configure the HTTPS protocol

Enable a secure TLS version

Configure a secure SSL/TLS cipher suite

Configure TLS for database


For more information regarding the scope of these recommendations or other recommendations, refer to Security setup recommendations.



For the next steps, make sure you have installed the IIS component World Wide Services -> Security -> Basic Authentication, and IP and Domain restrictions (when installing IIS). Review the IIS instalation.


Using the HTTPS protocol

We strongly recommend that you configure your Bizagi Work Portal using the HTTPS over TLS protocol.

To do this, make sure you have a valid certificate for your server which registers to your server's domain.


Once you have a valid certificate for your server, register it for the Bizagi Work portal by using the Server certificates option for the IIS Server:




Once the server is registered, specify the bindings in the Work portal's web site (by default, at Default Web site):




For the bindings, you will be able to specify HTTPS use, with its secure port, and select the appropriate registered certificate.

Click OK to save this configuration.



When using HTTPS, consider editing the web.config file to specify <add key="PROTOCOL" value="HTTPS"/>.

This applies when using case links in process notifications, as described at Notifications using case links.


Enabling a secure TLS version

The Bizagi Work Portal supports the following protocols:


TLS 1.2



We strongly suggest to use the TLS 1.2 secure protocol and deactivate the others.


To activate the TLS 1.2 protocol in your IIS server you must follow these steps:


1. Backup your registry files

Open the Registry Editor typing Regedit in the search option of your windows. From the File tab, select Export, and save the reg file from all branches.


2.  Add the TLS 1.2 key

In the Registry editor, navigate to this location:




Include the TLS 1.2 key under Protocols folder. This look like a new directory under the Protocol folder.


3. Create two keys in the TLS folder.

Right click the TLS 1.2 folder and create the Client and Sever key.


4. Create values

Right click the right panel and create the DWORD values under both Server and Client keys as follow:


DisabledByDefault [Value = 0]
Enabled         [Value = 1]




5. Disable TLS and SSL older versions

under the same location:



locate the DWORD values of TLS 1.0 , 1.1 and SSL 3.0 and set the Enabled value to 0.


Forcing the TLS version

If you are using HTTPS with the TLS protocol and you have to use a specific version (e.g., version 1.1 or 1.2), you must add the following key in the <appsettings> section of the Work Portal's web.config file (usually located in C:\Bizagi\Projects\[Project_Name]\WebApplication):


<add key="TLSSupport" value="Tls1.2" />



Bear in mind that the key value is case sensitive. Thus, you must add it as specified above to set the TLS protocol version (in this case, version 1.2) correctly.


Consider reviewing if the end-user browser has the TLS enabled. These browsers versions enable the TLS 1.1 version by default:



Version where TLS 1.1 is enabled by default

Internet Explorer


Microsoft Edge

All versions

Google Chrome





To review if TLS is enabled in your browser, follow these steps:


Microsoft Internet Explorer

1.Open Internet Explorer

2.From the menu bar, click Tools >  Internet Options > Advanced tab

3.Scroll down to Security category, manually check the option box for Use TLS 1.1 OR Use TLS 1.2.


Google Chrome

1.Connections are automatically negotiated at the highest grade.

2. If you are using Google Chrome version 22 or greater, TLS 1.1 is automatically supported. TLS 1.1 & 1.2 are automatically enabled from version 29 onwards.


Mozilla Firefox

1.Open Firefox

2.In the address bar, type about:config and press Enter

3.In the Search field, enter tls. Find and double-click the entry for security.tls.version.max

4.Set the integer value to 4 to force a maximum protocol of TLS 1.3.


Configuring a secure SSL/TLS Cipher suite

The SSL/TLS is a protocol that defines the usage cryptography algorithms to guarantee integrity, confidentiality and authentication for the OSI/TCP transport layer. These algorithms are often referred as SSL/TLS Cipher Suite.  To prevent systems from crypto hacking techniques, it is necessary to maintain a secure and updated Cipher Suite. By restricting the SSL/TLS Cipher Suite you could improve the security of SSL/TLS communications.


To do this, open the Run command and type gpedit.msc to open the  Local Group Policy Editor.




Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.




Double click on SSL Cipher Suite Order and select the enabled option.




Set the SSL cipher suite ordered from the most secure to the least secure sorted by comas. Click ok to finish the configuration.




When the SSL/TLS communication starts, the server will offer the encryption algorithms specified in the Cipher Suite. Then the client and the server will choose the algorithm that both support within the list starting from the first one to the last one.



We suggest to use the following list of SSL Cipher Suites:



Configuring TLS for database

To increase security it is recommended to use the latest security protocol. We do not recommend using SSL as your secure transport protocol, instead use TLS version 1.2.


Review if your SQL version already supports TLS 1.2 in the following article:


Configuration steps

Open the SQL Server Configuration Manager. Expand SQL Server Network Configuration. Right-click Protocols for your server instance, and select Properties.



Open the Certificate tab, and select a certificate from the drop-down list. Click, Apply when you are done.





Certificates must be created for Server Authentication and installed through the MMC in the personal folder.




Open the Flags tab, and activate Force Encryption.





Reviewe the user registered in the logon options of the SQL instance.




Make sure that this user has reading permission in the certificate. To do that, open the MMC, go to your Local Computer, and Personal Certificates. Right-click the certificate used previously, select All Tasks, and then Manage Private Keys.




Add the user with reading permissions.




If you need to access the database using the SQL Management Studio. You have to follow these steps:


1.Copy either the original certificate or the exported certificate file to the client computer.

2.On the client's computer, use the Certificates snap-in to install either the root certificate or the exported certificate file.

3.Using SQL Server Configuration Manager, click the options button.




4.On the Connection Properties tab, check Encrypt connection.




5.On Additional Connection Parameters tab add: TrustServerCertificate=True


Security_09 Connect.


Next Steps

Follow more mandatory recommendations:


Authorization and authentication

Encrypting information using HTTPS

Filtering unauthorized requests