This section presents security recommendations to apply in the Bizagi Work portal regarding aspects which are relevant to Bizagi's configuration (application hardening).
The following recommendations apply when Bizagi runs on a .NET platform, independently from the Web server IIS version on which it runs.
This section describes the recommended configuration for an IIS Web server version 7.5, and such hardening is carried out according to the IIS capabilities.
These apply to your testing or pre-production (when you use one) environments as well as production environments. This section has the following recommendations:
For more information regarding the scope of these recommendations or other recommendations, refer to Security setup recommendations.
Bizagi offers multiple features to increase the security and access restriction to your Work Portal. Refer to Security Definition. Regarding user authentication, Bizagi supports several protocols. In production environments, the Bizagi Authentication is not recommended. Instead, we recommend using federal protocols like SAML. For further information see Work Portal Authentication.
If you decide to use Bizagi Authentication, we recommend configuring the relevant parameters to cover such policies, as described at Bizagi authentication.
We recommend that you set up as a minimum the following parameters:
•Enable account lockout for failed login attempts: On
•Enforce Password change after first login: On
•Enforce Password History: On
•Enable authentication logging: On
•Maximum number of failed login Attempts: 3
•Password minimum age: 30 days, or according to your criteria.
•Minimum length of passwords: 8 characters, or according to your criteria.
•Enforce the use of letters in passwords: On
•Enforce the use of capital letters in passwords: On
•Enforce the use of lower-case in passwords: On
•Enforce the use of numbers in passwords: On
•Enforce the use of special characters in passwords: On
•Idle session time-out: 5 minutes.
•Enforce validation of sequences in passwords: On
•Account lockout duration: According to your criteria.
Authorization in Bizagi
By default, the Work Portal comes with all menus accessible to all users. Edit this user's settings so that it does not have access to administration options in the Work portal (it should be able to start specific processes and run tasks, but not a full admin). Refer to Security for Work Portal menus.
To make sure this excludes users from those authorized to manage your Bizagi system (This user should not be able to manage users, nor modify values in Bizagi such as parameter entities, cancel or delete cases, etc).
The domain\admon is the system user created by default and employed internally by Bizagi. Username should not be changed for this user.
You may not disable this user since it is needed to perform automatic tasks related to processes such as timers and scheduled jobs. We recommend you make sure that this user is always enabled in your project.
Include the following element in the web.config file of your Work portal (by default, located at C:\Bizagi\Projects\[your_project]\WebApplication\) to encrypt cookies.
Include in the <system.web> element the following line:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
You may verify the proper configuration by logging to the Work portal and using a tool of your choice to inspect how cookies are obtained (e.g. by means of Google Chrome's developer tools):
In the same web.config configuration file in your Work portal, edit the definition for <pages>, so that the ViewState attribute always uses encryption. This action secures the information dictionary as described at https://msdn.microsoft.com/en-us/library/ms178199(v=vs.85).aspx.
To do this, locate the pages element having:
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
Save the changes and close the file.
We recommend you to identify the gateway from which your end users access the Bizagi Work portal.
This way, you can use a range of valid IP addresses to filter HTTP requests to your application.
For the next steps, make sure you have installed the IIS components World Wide Services -> Security -> Basic Authentication, and IP and Domain restrictions (when installing the IIS).
To do this, include a white list of IP addresses authorized to access the Bizagi Work portal at the site level (you may even specify an authorized domain).
Use the IP Address and Domain restrictions option:
Similarly, you may rely on Web Application Firewall products to harden security to access Bizagi (to rely on additional features such as those oriented to intrusion detection, etc, and to consider corporate policies to secure your application especially when having Bizagi setup for internet access).
When using a DMZ, make sure that both the inside and outside firewalls do not allow indiscriminate access through firewall configuration and ports.
By default, cases of processes can be consulted by any user in the Work Portal. Bizagi includes the case security feature, where you can define the level of security of cases, so only users with permissions can consult cases. To configure this option consult Case Security.
We recommend the use of Transparent Data Encryption TDE to provide a real time I/O at page level, so your database files can be protected from unauthorized access to the Project Server.
To enable the SQL Server TDE you only need to run the script listed below in the database:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
CREATE CERTIFICATE BizEncryptionCert WITH SUBJECT = '<DekCertificateName>';
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE BizEncryptionCert;
ALTER DATABASE <ProjectDatabase>
SET ENCRYPTION ON;
Change the following parameters.
• UserStrongPasswordHere: for a strong password since it is the key used to encrypt the master database.
• DekCertificateName, for a friendly certificate name that let you easily identify this certificate.
• ProjectDatabase, for the Bizagi Project database that you want to encrypt.
Once the script is executed, the database will take a bit to encrypt all data in the Bizagi Project.
You can follow additional recommended hardening :