How to harden and secure the server running the Conversion Service?
Some of our customers have stringent security requirements and mandate the server running the Conversion Service to be ‘hardened’. The following guidelines outline the necessary steps:
The Operating System (OS), and any other software (for example, SharePoint) running on the same system, must be independently hardened according to their respective best practices. Note: The below guidelines may seem conflicting at few places (for example, the Document Conversion Service only requires incoming TCP port 41734 to be open, but your OS may need other ports to be open for management purposes). Ultimately, readers should synthesize our guidance with information from other vendors to make informed decisions.
Before reading any further, have a look at the most common deployment scenarios for Nutrient Document Converter.
Firewall ports
If the Conversion Service runs on the same server as the only application that invokes it (for example, a single server SharePoint farm or other web application), the Conversion Service does not need to communicate with any other servers to open any incoming or outgoing firewall ports.
In most cases, the Conversion Service must be accessible from remote systems. When using the default configuration all incoming requests use HTTP on port 41734. Hence, it is the only incoming TCP port that will need to be opened on the firewall.
If the Conversion Service makes any outgoing calls (for example, when converting InfoPath files with the XSN file located on a remote system or when converting webpages that are located remotely), the relevant outgoing ports must be opened. In most cases, these are TCP ports 80 and 443 (SSL), but depending on the exact URLs being converted, other port numbers (as listed in those URLs) must be opened as well.
Network authentication
To make it feasible for people to evaluate Document Converter without spending hours on configuring security settings, by default all incoming calls to the Conversion Service are anonymous. It means that anyone with access to the server, and port 41734, can make conversion requests.
To restrict which Windows Group can make requests, see the Administration Guide, section Tuning the Document Conversion service, subsection Authentication.
This relies on Windows Group membership, something that may not be possible to control when invoking the Conversion Service from non-Microsoft systems and technologies (for example, PHP on Linux).
If the servers that will make conversion requests are known, and fixed, consider configuring your firewall to only allow access to the Conversion Service, on port 41734, from those known systems.
Secure communication
As the Conversion Service uses a standard HTTP based Web Service, by default documents are exchanged in an unencrypted manner. As the Document Converter generally runs behind a corporate firewall, it should not be problematic, at least not for most environments. However, if you want to encrypt all traffic, see Enable SSL HTTPS communication in the Nutrient Conversion Service for details.
Office installation
Depending on the file formats that you are looking to convert, it may be required to install MS-Office on the server running the Conversion Service. See the Administration Guide, Appendix - Installing converter dependencies. To harden the server, only install Office dependencies for those file formats that you are interested in. Afterwards, install the latest Service Packs for the chosen version of Office and use Windows Update to install the latest Post Service Pack updates.