Configuration best practices
Contents[Hide]
1. Overview
Dundas BI allows you to configure and secure the application using many options to meet your own needs. The following are recommended configuration best practices and settings.
2. Deployment
- When installing Dundas BI and adding an instance, configure the website to use HTTPS using an SSL certificate, or deploy to a virtual directory on an existing HTTPS website. Ensure the website's bindings remain configured to allow only HTTPS connections in your web server (IIS or Nginx).
- If the website is public-facing and accessible from the Internet, use a firewall with denial-of-service attack prevention features.
3. Best practices
- For each user that needs administrative access in Dundas BI, add their account to the System Administrators group (or Tenant Administrators group) rather than sharing a single administrator account and credentials.
- Either set the Maintainer Email Address configuration setting or set the Email Address on the built-in System Administrator account to an address that will be monitored by someone who maintains Dundas BI in case of issues.
- Uncheck Enabled to disable the built-in System Administrator account so that the names of the enabled administrator accounts are not well-known.
- Edit the Everyone group to remove any application privileges not needed by all of your users. You can create new groups or configure individual accounts for granting application privileges instead.
4. Security configuration
It is recommended to review the following security-related configuration settings and configure them as needed:
| Setting | Review |
|---|---|
| Always Use Custom Home Page | Consider using if it's a public-facing installation and you don't want users to ever see the built-in home screen. |
| Allowed Admin IP Addresses | Always |
| Trusted Proxy IP Addresses | If a reverse proxy and/or load balancer is used |
| Log On Modes | Always |
| Registration Enabled | If using local accounts - consider disabling |
| Authentication.Excessive Logon Failure Protection category | If using local accounts |
| Authentication.Password Policy category | If using local accounts |
| Allow External File-Based Data Sources | Always |
| Allowed Data Providers | If desired |
| Allowed Export Providers | If desired |
| Allowed Delivery Providers | Always ensure that the File provider is disabled. |
| Allow Custom Email Recipients | Always |
| Email Address Domain Whitelist | If Allow Custom Email Recipients is enabled |
| Maximum Resource Size | To prevent uploading very large files/resources in a denial-of-service attack attempt |
| Session Inactivity Timeout | Always |
| Lock Session To IP Address | Always |
| Federated Authentication Debug Screen Allowed | If using federated authentication |
| SMTP Enable SSL | Always |
| Hide Error Stack Traces | Always - should be enabled for production environments |
| Signing Certificate | If using federated authentication with the SAML2 protocol |
Some settings such as password policies and allowed IP addresses (in version 8 and up) can also be configured on accounts and groups.
5. Other configuration settings
Also consider reviewing the following configuration settings that are not security-related but can help ensure the smooth operation of the application:
- Job Failure Email Policy - consider enabling emails sent to the Application Maintainer (System Administrator in earlier versions)
- Creator Metadata Text / Company Metadata Text - used to populate metadata fields in exported documents such as Excel
- License Expiration Reminder Threshold
- Performance Statistics Maximum Age - consider setting to 0 to improve server performance when performance tracking is not needed