Configuration best practices

This applies to: Managed Dashboards, Managed Reports

Symphony allows you to configure and secure the application using many options to meet your own needs. The following are recommended configuration best practices and settings.

Deployment

  • When installing Symphony, configure the website to use HTTPS with an SSL certificate, or deploy it to a virtual directory on an existing HTTPS website. Ensure the website's bindings allow only HTTPS connections in your web server (IIS or Nginx).
  • If the website is public-facing and accessible from the Internet, use a firewall with denial-of-service attack prevention features.

Best practices

  • For each user that needs administrative access in Symphony, add their account to the System Administrators group (or Tenant Administrators group) rather than sharing a single administrator account and credentials.
  • Either set the Maintainer Email Address configuration setting or set the Email Address on the built-in System Administrator account to an address that is monitored by someone who maintains Symphony, so that issues reach a person.
  • Uncheck Enabled to disable the built-in System Administrator account so that the names of the enabled administrator accounts are not well-known.
  • Edit the Everyone group to remove any application privileges not needed by all of your users. You can create new groups or configure individual accounts for granting application privileges instead.

Security configuration

It is recommended to review the following security-related configuration settings and configure them as needed:

Setting                                                      Review
Always Use Custom Home Page                                  For public-facing installations where users shouldn't see the built-in home screen
Allowed Admin IP Addresses                                   Always
Trusted Proxy IP Addresses                                   If a reverse proxy and/or load balancer is used
Log On Modes                                                 Always
Registration Enabled                                         If using local accounts - consider disabling
Authentication.Excessive Logon Failure Protection category   If using local accounts
Authentication.Password Policy category                      If using local accounts
Allow External File-Based Data Sources                       Always
Allowed Data Providers                                       If desired
Allowed Export Providers                                     If desired
Allowed Delivery Providers                                   Disable the File provider if untrusted users can set up notifications
Allow Custom Email Recipients                                Always
Email Address Domain Whitelist                               If Allow Custom Email Recipients is enabled
Maximum Resource Size                                        To prevent uploading very large files/resources in a denial-of-service attempt
Session Inactivity Timeout                                   Always
Lock Session To IP Address                                   Always
Federated Authentication Debug Screen Allowed                If using federated authentication
SMTP Enable SSL                                              Always
Hide Error Stack Traces                                      Always - should be enabled for production environments
Signing Certificate                                          If using federated authentication with the SAML2 protocol
Allowed Embedding Origins                                    Set to self; or, when embedding, to the domains that run or embed Symphony

Some settings such as password policies and allowed IP addresses can also be configured on accounts and groups.
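Three of the settings above (Trusted Proxy IP Addresses, Allowed Admin IP Addresses and Lock Session To IP Address) only work if the application first resolves the real client address correctly behind a proxy. The following is an added, illustrative implementation of that dependency, not Symphony's own code; the function names, the CIDR-style values and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Illustrative only: models how "Trusted Proxy IP Addresses" should feed
# "Allowed Admin IP Addresses" and "Lock Session To IP Address". Not Symphony code.


def _parse_networks(entries: Iterable[str]):
    """Accept single addresses or CIDR ranges such as '10.0.0.0/8'."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def _in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the address that IP-based security checks should use.

    Walk X-Forwarded-For from the right, discarding hops that are trusted
    proxies; the first untrusted address is the client. If the direct peer
    is not itself a trusted proxy, the header is ignored entirely, because
    any client can send an arbitrary X-Forwarded-For value.
    """
    trusted = _parse_networks(trusted_proxies)
    if not trusted or not _in_any(remote_addr, trusted) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _in_any(hop, trusted):
                return hop
        except ValueError:
            return remote_addr  # malformed hop: fall back to the direct peer
    return remote_addr  # every hop was a trusted proxy; nothing better to trust


def admin_ip_allowed(client_ip: str, allowed_admin_ips: Iterable[str]) -> bool:
    """'Allowed Admin IP Addresses' check. An empty list means no restriction."""
    allowed = _parse_networks(allowed_admin_ips)
    return not allowed or _in_any(client_ip, allowed)


def session_ip_matches(session_ip: str, client_ip: str) -> bool:
    """'Lock Session To IP Address': reject a session presented from another address."""
    return ipaddress.ip_address(session_ip) == ipaddress.ip_address(client_ip)
```

If Trusted Proxy IP Addresses is left empty behind a load balancer, every request resolves to the balancer's address, so the admin allow-list and session lock either block everyone or protect no one.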

Other configuration settings

Also consider reviewing the following configuration settings that are not security-related but can help ensure the smooth operation of the application:

  • Job Failure Email Policy - consider enabling emails sent to the Application Maintainer (or System Administrator)
  • Creator Metadata Text / Company Metadata Text - used to populate metadata fields in exported documents such as Excel
  • License Expiration Reminder Threshold
  • Performance Statistics Maximum Age - consider setting to 0 to improve server performance when performance tracking is not needed

Run the Symphony health check to identify other potential issues or suggestions.