Deprecated Prizm Content Connect
Security Guidance

The following sections discuss items that should be considered before deploying your application using PCC.

To prevent attacks on viewing sessions, refer to the "Secure Viewing Sessions" section below.

PCCIS

PCCIS is designed to be run as an internal web service. Steps should be taken to ensure that PCCIS is not accessible to end-users or the public internet. Typically, this would involve configuring a firewall in-front of PCCIS to block access to the port it is using. See the "Ports" section below for specific port information about PCCIS.

PCCIS Administration

PCCIS includes an API to request real-time information about the state and health of the system. A sample ASP.NET web application is also included in the Windows installation that takes advantage of the administration API and demonstrates potential use cases.

The administration API provides information that can be helpful in diagnosing problems, but which may also be considered sensitive, like document information and specific processing tasks. Because of this, the administration sample or any application accessing the administration API of PCCIS should not be accessible to end-users or the public internet.

Ports

The following are the default ports used by PCCIS and other PCC services. All of these ports should not be accessible to end-users or the public internet:

Secure Viewing Sessions

The pcc.config file contains element tags which can help prevent users from setting inappropriate values should they attack the PCCIS services which could render performance problems with the server. These values are properties in the ViewingSessionProperties object that a client-user passes to PCCIS to start a viewing session. The following tags put limits on properties sensitive to abusive attacks:

Tags
Copy Code
<!--
  The regular expression check on ViewingSessionProperties.externalId to ensure appropriate values are being set. The default is to allow any string values.
  -->
  <ViewingSessionPropertyExternalId>.*</ViewingSessionPropertyExternalId>

  
  <!--
  The regular expression check on ViewingSessionProperties.documentExtension to ensure appropriate values are being set. The default is to allow any string values.
  -->
  <ViewingSessionPropertyDocumentExtension>.*</ViewingSessionPropertyDocumentExtension>

  <!-- 
   The minimum and maximum values allowed for ViewingSessionProperties.countOfInatialPages. Value of 0 means do all pages if min set to zero. The max value can be zero or a maximum value allowed for this property setting.
  -->
  <ViewingSessionPropertyCountOfInitialPages>min=0,max=10</ViewingSessionPropertyCountOfInitialPages>

  <!-- 
   The minimum and maximum dpi values allowed for rendering images. 
  -->
  <Html5RenderRasterResolution>min=100,max=300</Html5RenderRasterResolution>

  <!-- 
  The permitted values for alwayseUseRaster can be true, false, or any (which means don't care). The default here is false which means svg files can be rendered.
-->
  <Html5RenderAcceptableRasterValue>false</Html5RenderAcceptableRasterValue>

  <!-- 
  The permitted values for serverCaching which can be none, full or any (which means take whatever is set). The default is none.
  -->
  <ViewingSessionPropertyServerCaching>none</ViewingSessionPropertyServerCaching>
See Also

 

 


©2014. Accusoft Corporation. All Rights Reserved.

Send Feedback