PrizmDoc Viewer v13.19 - Updated
Administrator Guide / PrizmDoc Server / Security Guidance
In This Topic
    Security Guidance
    In This Topic

    Introduction

    This topic covers the essential items that you should consider before deploying your application. For example, how PrizmDoc Server is designed, ports that need to be open for single-server and cluster modes, PrizmDoc Server adminstration, and creating secure viewing sessions.

    PrizmDoc Server

    PrizmDoc Server is designed to run as an internal web service. Take steps to ensure that PrizmDoc Server is not accessible to end-users or the public internet by configuring a firewall in front of PrizmDoc Server to block access to the port it is using.

    Ports

    The following default ports should be open to access PrizmDoc Server:

    Single-server Mode

    • 18681 – PrizmDoc Server Entry Point (SEP) default port

    Cluster Mode

    • 18681 – PrizmDoc Server Cloud Entry Point (CEP) default port
    • 18682 – PrizmDoc Server Entry Point (SEP) default port

    NOTE: PrizmDoc Server uses a number of ports for internal purposes and must not be accessible from outside of the server.

    PrizmDoc Server Administration

    PrizmDoc Server includes a Health Status API to request real-time information about the state and health of the system. A sample ASP.NET web application is also included in the Windows installation that takes advantage of the Health Status API and demonstrates potential use cases.

    The Health Status API provides information that can be helpful in diagnosing problems. However, it also contains sensitive information such as document information and specific processing tasks. Because of this, the ASP.NET WebForms sample or any application accessing the Health Status API of PrizmDoc Server should not be accessible to end-users or the public internet.

    Secure Viewing Sessions

    The central configuration file contains properties that can help prevent users from setting inappropriate values to try and attack the PrizmDoc Server, which could render performance problems with the server. These values are properties in the ViewingSessionProperties object that a client-user passes to PrizmDoc Server to start a viewing session.

    The file paths for the Central Configuration file are:

    • Linux: /usr/share/prizm/prizm-services-config.yml
    • Windows: C:\Prizm\prizm-services-config.yml

    NOTE: The default installation directory is: C:\Prizm.

    For more information on creating secure viewing sessions, refer to the following topics:

    The following configuration properties put limits on viewing session properties sensitive to abusive attacks:

    Central Configuration Properties Example

    # Defines the min and max allowed values for the countOfInitialPages viewing
    # session creation option.
    #
    # viewing.sessionConstraints.countOfInitialPages.min: 0
    # viewing.sessionConstraints.countOfInitialPages.max: 10
    
    # A regex which defines the pattern of an acceptable value for the
    # documentExtension viewing session creation option.
    #
    # viewing.sessionConstraints.documentExtension.regex: ".\*"
    
    # A regex which defines the pattern of an acceptable value for the
    # externalId viewing session creation option.
    #
    # viewing.sessionConstraints.externalId.regex: ".\*"
    
    # Defines the list of allowed values for the serverCaching viewing session
    # creation option.
    #
    # Must be an array with one or more of the following strings:
    #
    # "none" - Allow REST API callers to create a new viewing session with caching
    #          explicitly disabled.
    #
    # "full" - Allow REST API callers to create a new viewing session with caching
    #          explicitly enabled.
    #
    # viewing.sessionConstraints.serverCaching.allowedValues: \["none","full"\]
    
    # Defines the list of allowed values for the alwaysUseRaster viewing session
    # creation option.
    #
    # Must be an array with one or more of the following values:
    #
    # false - Allow REST API callers to create a new viewing session which will
    #         generate both raster and vector page content. Ideal for modern
    #         browsers.
    # true -  Allow REST API callers to create a new viewing session which will
    #         only generate raster content; vector content will not be generated.
    #         This is useful for some older browsers.
    #
    # viewing.sessionConstraints.render.alwaysUseRaster.allowedValues: \[false\]
    
    

    Server Side Request Forgery Concerns

    Some source files, such as HTML, email, and Microsoft Office files, reference content that resides on another server. When rendering or converting these kinds of files, PrizmDoc Server may make network requests for this external content. Depending on what your deployment servers have network access to, this can be a security vulnerability. An attacker may leverage this to gain access to internal data and/or cause undesirable behavior. We recommend you take steps to prevent this.

    There are two primary kinds of files you should be concerned with: 1) HTML and email files and 2) Microsoft Office files.

    HTML and Email Files

    HTML code can be found in both HTML and email (EML and MSG) files. When rendering or converting these files, the content may include an HTML tag (like an image or iframe) which refers to external content. The presence of something like an iframe tag could allow an attacker a way to gain access to any URL or HTTP resource in your network, potentially exposing a variety of data you never intended to.

    If you do not need to render or convert HTML or email files, or if you do but you never need to include external content, we recommend you block all requests for external content by setting security.htmlRendering.blockExternalContent to true. When you do this, PrizmDoc Server will avoid making any external requests when rendering or converting HTML and email files.

    Microsoft Office Files

    The PrizmDoc Server running in both LibreOffice and MSO rendering modes disables all Macros for Word, Excel and PowerPoint formats.

    When rendering or converting Office files, Microsoft Office on Windows may make external requests for image data. Please see on the Windows Installation page how to block the traffic for Microsoft Office.

    Additionally, Microsoft Excel may make external requests for text data. If you are using Microsoft Office for rendering, we recommend you disable the Excel WEBSERVICE function:

    • Microsoft Office 2013: change the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2013 -> Excel Options -> Security -> "WEBSERVICE Function Notification Settings" to "Disabled".
    • Microsoft Office 2016 / 2019: change the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2016 -> Excel Options -> Security -> "WEBSERVICE Function Notification Settings" to "Disabled".

    Additionally, when using MSO, Microsoft Excel will execute the following spreadsheet formulas which can reveal information about your server:

    • CELL("filename")
    • INFO("osversion")
    • INFO("system")
    • INFO("release")

    Firewall Rules

    In addition to the recommendations above, we also recommend you put in place firewall rules to prevent unintended access to hosts in your network.

    Windows

    On Windows, we recommend setting up per-process firewall rules.

    For HTML and email files, the following PrizmDoc Server executables may make requests for external content:

    • C:\Prizm\modules\wkhtmltopdf.exe
    • C:\Prizm\modules\wkhtmltoimage.exe

    When using Microsoft Office, the following executables are known to potentially request external content:

    • C:\Program Files\Microsoft Office\Office16\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE
    • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
    • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE

    When using PrizmDoc Server's built-in LibreOffice, the following executable may make requests for external content:

    • C:\Prizm\libreoffice\program\soffice.bin

    If you do not need to render external content, we recommend you set up firewall rules which prevent all of the above executables from being able to make outgoing network requests.

    However, if you need to allow rendering of some external content, we still recommend you set up firewall rules which only allow these executables to access hosts you consider to be safe or, at the very least, prevent access to all internal hosts an attacker should not have access to (like metadata services, typically running on 169.254.169.254, or any other sensitive internal services or servers).

    Linux

    On linux, you cannot set up per-process firewall rules, but there are a variety of ways you can prevent PrizmDoc Server from making unintended network requests (user-specific firewall rules, Docker networking rules, and more). How exactly you set this up will depend upon your environment, but we recommend putting some sort of firewall rules in place which prevent PrizmDoc Server from being able to make network requests to hosts an attacker should not have access to.