Configuration best practices

1. Overview

Dundas BI allows you to configure and secure the application using many options to meet your own needs. The following are recommended configuration best practices and settings.

2. Deployment

  • When installing Dundas BI and adding an instance, configure the website to use HTTPS using an SSL certificate, or deploy to a virtual directory on an existing HTTPS website. Ensure the website's bindings remain configured to allow only HTTPS connections in your web server (IIS or Nginx).
  • If the website is public-facing and accessible from the Internet, use a firewall with denial-of-service attack prevention features.
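
One way to check the HTTPS-only binding requirement on IIS, as an added example that is not Dundas BI's own code: it parses text in the layout of IIS's applicationHost.config and reports sites that still have a plain HTTP binding or have no HTTPS binding. The sample configuration, its site names and the `audit_bindings` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS's applicationHost.config.
# Site names, ports and the host name are made up for this example.
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <sites>
      <site name="DundasBI" id="2">
        <bindings>
          <binding protocol="https" bindingInformation="*:443:" />
          <binding protocol="http" bindingInformation="*:8000:" />
        </bindings>
      </site>
      <site name="Reports" id="3">
        <bindings>
          <binding protocol="https" bindingInformation="*:8443:bi.example.test" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def audit_bindings(config_xml, site_name=None):
    """Return (site, problem) tuples for sites that are not HTTPS-only."""
    findings = []
    for site in ET.fromstring(config_xml).iter("site"):
        name = site.get("name", "")
        if site_name is not None and name != site_name:
            continue
        bindings = site.findall("bindings/binding")
        for binding in bindings:
            # bindingInformation has the form "ip:port:hostname".
            if binding.get("protocol", "").lower() == "http":
                info = binding.get("bindingInformation", "")
                findings.append((name, "plain HTTP binding " + info))
        if not any(b.get("protocol", "").lower() == "https" for b in bindings):
            findings.append((name, "no HTTPS binding"))
    return findings


if __name__ == "__main__":
    for site, problem in audit_bindings(SAMPLE_CONFIG):
        print(f"{site}: {problem}")
```

Running the same check after each deployment or IIS change shows whether an HTTP binding has been reintroduced.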

3. Best practices

  • For each user that needs administrative access in Dundas BI, add their account to the System Administrators group (or Tenant Administrators group) rather than sharing a single administrator account and credentials.
  • Set an Email Address for the built-in System Administrator account that will be monitored by someone who maintains Dundas BI in case of issues.
  • Uncheck Enabled to disable the built-in System Administrator account so that the names of the enabled administrator accounts are not well-known.
  • Edit the Everyone group to remove any application privileges not needed by all of your users. You can create new groups or configure individual accounts for granting application privileges instead.

4. Security configuration

It is recommended to review the following security-related configuration settings and configure them as needed:

| Setting | Review |
|---|---|
| Allowed Admin IP Addresses | Always |
| Trusted Proxy IP Addresses | If a reverse proxy and/or load balancer is used |
| Log On Modes | Always |
| Registration Enabled | If using local accounts - consider disabling |
| Authentication.Excessive Logon Failure Protection category | If using local accounts |
| Authentication.Password Policy category | If using local accounts |
| Allow External File-Based Data Sources | Always |
| Allowed Data Providers | If desired |
| Allowed Export Providers | If desired |
| Allow Custom Email Recipients | Always |
| Email Address Domain Whitelist | If Allow Custom Email Recipients is enabled |
| Maximum Resource Size | To prevent uploading very large files/resources in a denial-of-service attack attempt |
| Session Inactivity Timeout | Always |
| Lock Session To IP Address | Always |
| Federated Authentication Debug Screen Allowed | If using federated authentication |
| SMTP Enable SSL | Always |
| Hide Error Stack Traces | Always - should be enabled for production environments |
| Signing Certificate | If using federated authentication with the SAML2 protocol |

Some settings such as password policies and allowed IP addresses (in version 8 and up) can also be configured on accounts and groups.

5. Other configuration settings

Also consider reviewing the following configuration settings that are not security-related but can help ensure the smooth operation of the application:

  • Job Failure Email Policy - consider setting to System Administrator
  • Creator Metadata Text / Company Metadata Text - used to populate metadata fields in exported documents such as Excel
  • License Expiration Reminder Threshold
