The information in this guide helps you to make your Autoform DM system secure.
As a minimum, we recommend that you consider implementing the following security features:
Set password complexity rules
Use HTTPS for all web traffic and redirect HTTP traffic to HTTPS
Use TLS for the database connection
External Integrations
Content Security Policy (CSP)
We have implemented a Content Security Policy (CSP) that aligns with modern web security standards. This blocks and restricts dangerous behaviors.
The CSP prevents “iframing” in Autoform DM, but the configuration can be adjusted to allow this if required. For more information, contact a Formpipe representative.
Disable Automatic Website Login
The “remember me” feature enables automatic login to the Autoform DM web application.
To disable it, clear the Allow Automatic Website Login checkbox in the General Settings area of the Server Settings administration page.
Database Password Protection
This feature encrypts the password that Autoform DM uses to connect to the database. This password is stored in Autoform DM configuration files. If you do not encrypt it, it is stored as cleartext. For instructions, see Encrypt the Autoform DM Datasource Password.
Firewall Rules
Autoform DM Server
Configure the Autoform DM server’s firewall to allow inbound traffic on the HTTPS port (443). This is the only open port required.
Outbound rules should allow access to the database server. SQL Server typically uses port 1433; see the link in the next section.
If using a NAS, ensure the appropriate ports are open. For example, port 445 for SMB shares.
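The rules described above can be scripted with the built-in Windows Firewall cmdlets. This is an added example, not part of the Formpipe guide or product. The rule names, the group name, and the two addresses (documentation-range placeholders) are assumptions to replace with your own values.

```powershell
# Added example: host firewall rules for the Autoform DM server.
# Assumed values (not from the guide): group name, rule names, and both addresses.
$Group   = 'Autoform DM (example)'
$DbHost  = '192.0.2.10'   # placeholder: database server address
$NasHost = '192.0.2.20'   # placeholder: NAS address; set to $null if no NAS is used

# Re-running the script replaces the rules in this group instead of duplicating them.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Inbound: HTTPS (443) is the only port that needs to be open.
New-NetFirewallRule -DisplayName 'Autoform DM HTTPS in' -Group $Group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 | Out-Null

# Outbound: SQL Server on its typical port, limited to the database host.
New-NetFirewallRule -DisplayName 'Autoform DM to SQL Server' -Group $Group `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $DbHost -RemotePort 1433 | Out-Null

# Outbound: SMB to the NAS, only when a NAS holds the archive data.
if ($NasHost) {
    New-NetFirewallRule -DisplayName 'Autoform DM to NAS (SMB)' -Group $Group `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $NasHost -RemotePort 445 | Out-Null
}

# Outbound allow rules only restrict traffic when the profile's default
# outbound action is Block; Windows allows outbound traffic by default.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Review what was created: direction, ports and remote scope of each rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Direction     = $_.Direction
        LocalPort     = $port.LocalPort
        RemotePort    = $port.RemotePort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```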
Database Server
This depends on whether SQL Server or Oracle is deployed and how it is configured.
For SQL Server, follow Microsoft’s recommendations: Configure the Windows Firewall to Allow SQL Server Access.
For Oracle, see Database Firewall Administration Guide and Oracle Database Port Numbers.
Antivirus
Install antivirus / antimalware software in accordance with appropriate corporate policy.
Windows Service Account
This is the account under which the Autoform DM software runs. By default it is the Local System account, but a specific local or domain account can be used to further enhance security. The account requires the “Log On As A Service” right.
If a NAS is being used to store archive data, see the next section. This may have already been configured during installation.
The account is set using the Windows Services application:
Right-click the Autoform DM Server service then click Properties.
Click the Log On tab.
Click the This Account option.
Enter the Windows Service account username (or browse for it).
Enter the account credentials.
Click OK.
NAS User Rights for Windows Service Account
If a Network Attached Storage (NAS) device is used to securely store archive data, the Windows Service account configured previously will require rights to access the share, and to read, write, and delete the archive files.