Hardening / Securing the server that runs the Conversion Service

Some of our customers have particularly strict security requirements and require the server running the conversion service to be 'hardened' from a security perspective. Listed below is some guidance.

Please note that the Operating System, and any other software (e.g. SharePoint) running on the same system, will need to be hardened separately in line with best practices for those products. Some conflicting advice may be given (e.g. the Document Conversion Service only requires incoming TCP port 41734 to be open, but your OS may need other ports to be open for management purposes), it is up to the reader to interpret our advice and combine it with information provided by other vendors.

Before reading any further have a look at the most common deployment scenarios for the Muhimbi PDF Converter.

Firewall ports

If the Conversion Service runs on the same server as the only application that invokes it, e.g. a single server SharePoint farm or other web application, then the conversion service does not need to communicate with any other servers so there is no need to open ANY incoming or outgoing firewall ports.

In most situations the Conversion Service will need to be accessible from remote systems. When using the default configuration all incoming requests use HTTP on port 41734, so this is the only incoming TCP port that will need to be opened on the firewall.

If the Conversion Service makes any outgoing calls, e.g. when converting InfoPath files (and the XSN file is located on a remote system) or when converting Web Pages that are located remotely, then the relevant outgoing ports will need to be opened. In most situations these are TCP ports 80 and 443 (SSL), but depending on the exact URLs being converted other port numbers (as listed in those URLs) may need to be opened as well.

Network authentication

To make it feasible for people to evaluate the PDF Converter without spending hours on configuring security settings, by default all incoming calls to the Conversion Service are anonymous, meaning that anyone with access to the server, and port 41734, can make conversion requests.

To restrict which Windows Group can make requests see the Administration Guide, section Tuning the Document Conversion service, subsection Authentication. Please note that this relies on Windows Group membership, something that may not be possible to control when invoking the conversion service from non-Microsoft systems and technologies (e.g. PHP on Linux).

If the servers that will make conversion requests are known, and fixed, then you may want to consider configuring your firewall to only allow access to the Conversion Service, on port 41734, from those known systems.

Secure communication

As the Conversion Service uses a standard HTTP based web service, by default documents are exchanged in an unencrypted manner. As the PDF Converter generally runs behind a corporate firewall this is not a problem, at least not for most environments. However, if you wish to encrypt all traffic then see this blog post for details.

Office installation

Depending on the file formats that you are looking to convert, it may be required to install MS-Office on the server running the conversion service (See the Administration GuideAppendix - Installing converter dependencies). To harden the server only install Office dependencies for those file formats that you are interested in. Then install the latest Service Packs for the chosen version of Office and use Windows Update to install the latest Post Service Pack updates.

Have a Question?
We’re Always Happy to Help.

© Muhimbi Ltd. 2008 - 2024
This website uses cookies to ensure you get the best experience. Learn more