Security considerations when using Ecrion software

XF Rendering Server

Here are several tips for securing your XF Rendering Server setup:

Allow only HTTPS access to the XF Rendering Server.

Configure your firewall so that connections to port 1099 are allowed only from the loopback IP address (127.0.0.1). This lets the XF Web Service use the XF Rendering Server, because it is installed on the same machine, but blocks access for anybody from the outside.

Then, configure the XF Web Service to run over an HTTPS connection by installing an SSL certificate in IIS.

Use server templates 

Instead of allowing the clients to send both data (XML) and the template, configure the template as a Server Template in the Management Console. This will reduce traffic over the network and will allow system administrators to strictly control the documents that are being produced.

DTD whitelist 

XSL transformations can be used to access resources that should not be reachable from the server machine (via HTTP requests or file requests).

XF Rendering Server allows system administrators to configure a DTD whitelist containing only trusted resources that can be accessed via XSL transformations.

If an XSL template contains URIs that are not in the DTD whitelist, these resources are not used at rendering time and an error is thrown.
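To find such URIs before a template reaches the server, the following added example (not Ecrion code and not the server's own whitelist check) statically lists the external references in a template and flags those outside an allowlist. The prefix-based allowlist format, the host names and the sample template are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XSL = "{http://www.w3.org/1999/XSL/Transform}"
# Assumption: trusted locations expressed as URI prefixes (constructed values).
ALLOWED_PREFIXES = ("https://templates.example.internal/shared/",)

# Constructed template: one trusted import, one file read, one HTTP fetch,
# one external DTD and one traversal out of the trusted folder.
SAMPLE_XSL = """<!DOCTYPE xsl:stylesheet SYSTEM "http://192.0.2.10/t.dtd">
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="https://templates.example.internal/shared/header.xsl"/>
  <xsl:include href="file:///C:/inetpub/wwwroot/web.config"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('http://192.0.2.10/status')"/>
    <xsl:copy-of select="document('https://templates.example.internal/shared/../private/a.xml')"/>
  </xsl:template>
</xsl:stylesheet>"""

DOCUMENT_CALL = re.compile(r"""document\(\s*(['"])(.*?)\1""")
SYSTEM_ID = re.compile(r"""\bSYSTEM\s+(['"])(.*?)\1""")

def external_uris(xsl_text):
    """Collect every URI the template asks the XSLT processor to load."""
    found = [m.group(2) for m in SYSTEM_ID.finditer(xsl_text)]
    for el in ET.fromstring(xsl_text).iter():
        if el.tag in (XSL + "import", XSL + "include"):
            found.append(el.get("href", ""))
        for value in el.attrib.values():
            found.extend(m.group(2) for m in DOCUMENT_CALL.finditer(value))
    return found

def is_allowed(uri):
    """Fail closed: relative URIs, other schemes and '..' segments are rejected."""
    if ".." in unquote(urlsplit(uri).path).split("/"):
        return False
    return uri.startswith(ALLOWED_PREFIXES)

def audit(xsl_text):
    """Return the URIs that are not on the allowlist, DTD references first."""
    return [u for u in external_uris(xsl_text) if not is_allowed(u)]

if __name__ == "__main__":
    for uri in audit(SAMPLE_XSL):
        print("not on allowlist:", uri)
```

Arguments computed at run time, such as document($path), cannot be resolved by a static scan, so a check like this complements the server-side whitelist rather than replacing it.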

EOS

In addition to all items above, you should also secure the EOS web interface by installing an SSL certificate in IIS. Then, ensure that the "Enable Website SSL" option in the setup is checked.

Data retention

EOS can also be configured for different data retention policies. This means that all requests are stored by the server and can be recalled periodically for analysis.

Encrypted repository

EOS stores everything in a proprietary, high-performance repository. If required, the repository can be encrypted. This means that the input data, templates and outputs (PDF, PostScript, etc.) contained in the repository cannot be examined without proper credentials.

Two factor authentication

More complex authentication schemes, including two-factor authentication, integration with Active Directory and others, can be adopted when deploying EOS upon request, using our professional services.
