This article gives security recommendations for On-premises Board installations.
Use this article as a security baseline for Board software installations. Your IT and security teams must review each setting and decide whether the setting is suitable for your environment.
This article covers:
Purpose and scope
These recommendations apply to the web server that hosts Board Web and to related application settings.
The recommendations do not replace your company security policies. Your IT and security teams are responsible for assessing the security impact of each setting in your environment.
Web server security
Board recommends deploying Board Web under Microsoft IIS for on-premises installations.
Use IIS to manage secure browser access to Board Web in a standard Windows Server environment. IIS lets you configure HTTPS bindings, SSL certificates, authentication, and application pool settings.
When you publish the Board Web site, bind an SSL certificate to the host name. This protects communication between client browsers and the web server through encryption.
Use a certificate that meets your company security requirements. Your IT and security teams must review the final IIS configuration and make sure it follows your company security policies.
Encryption
Use TLS 1.2 or higher to secure communication.
Disable outdated protocols on the server that runs Board Web and Board Engine:
SSL 2.0
SSL 3.0
TLS 1.0
TLS 1.1
Make sure Microsoft .NET Framework supports strong cryptography.
Windows uses the Secure Channel library to configure these settings. Starting with Windows Server 2016, TLS 1.2 is enabled by default. Always verify the current configuration in your environment.
Also review the cipher suites negotiated by the server. Remove deprecated cipher suites when your company security policy requires it.
Recommended TLS 1.2 cipher suites
Use strong TLS 1.2 cipher suites, such as:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Recommended TLS 1.3 cipher suites
Use strong TLS 1.3 cipher suites, such as:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
Folder permissions
When you configure the Board Web site folder, grant permissions to the application pool identity.
The application pool identity usually belongs to the IIS_IUSRS Windows group.
Use these permissions as a baseline.
Folder | Required permissions | Reason |
|---|---|---|
Main Board Web folder, such as | Read, Read and execute, List folder contents | Board Web must read and run the application files. |
| Full control | Board Web must write log files and generate the certificate used to sign the JWT token that secures communication with Board Engine. |
You can change the default logging folders for Board Web and its components in the related .config files
Mitigate IIS tilde enumeration
IIS tilde enumeration can expose short file names. To mitigate this risk, disable 8.3 file name creation.
Run this command in an elevated Command Prompt:
fsutil.exe behavior set disable8dot3 1You can also set this registry key to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3Name
Review this change with your IT team before you apply it. The setting can affect applications that depend on 8.3 file names.
Configure IIS response and debug settings
Step 1: Remove the Server response header
You can remove the Server response header to reduce the amount of IIS information exposed in HTTP responses.
Open "IIS Manager".
Select the Board Web site.
Open "Configuration Editor".
In "Section", select "system.webServer", "security", and then "requestFiltering".
Set "removeServerHeader" to
True.Apply the change.
Step 2: Disable debug mode
Disable debug mode for the Board Web application.
Open "IIS Manager".
Select the Board Web site.
Open "Configuration Editor".
In "Section", select "system.web".
Set "compilation debug" to
False.Apply the change.
Do not override the Content Security Policy
Do not create a custom Content Security Policy header in IIS for the Board Web site.
Board sets the Content Security Policy at code level. If you override the Content Security Policy in IIS, Board Web might not work correctly.
Configure Board Engine security settings
Make sure the following Board Engine security settings are in place:
Setting | Recommended value or action | Notes |
|---|---|---|
| Configure this file in the Board path, usually | Use this file to control allowed extract paths. |
| Set to | This file is usually in the Board installation path. |
License Level Check | Set to "High". | Review the setting with your Board Administrator. |
Manage Password | Enable this setting. | Review the setting with your Board Administrator. |
Web Application Firewall (WAF)
Board strongly recommends deploying a Web Application Firewall in front of the Board Web server, especially when Board Web is exposed to the Internet.
A Web Application Firewall inspects HTTP and HTTPS traffic. A tuned Web Application Firewall can block malicious requests before the requests reach IIS or Board Web.
The Web Application Firewall should run in reverse proxy mode or be integrated at the load balancer or edge layer.
Examples include:
Azure Application Gateway WAF
Azure Front Door WAF
F5 ASM
Cloudflare WAF
Web Application Firewall rollout
Introduce a Web Application Firewall in phases. Do not enable blocking mode in production before you validate normal Board traffic.
Blocking mode can affect valid Board traffic, including API calls and authentication flows.
Phase 1: Use detection mode
Start with Detection, Monitoring, or Audit mode.
In this phase, the Web Application Firewall inspects traffic and logs potential threats. The Web Application Firewall does not block requests.
Keep this mode active long enough to capture normal traffic patterns, such as:
User authentication
Cube execution and data refresh
Data extract operations
Administrative activities
Peak usage periods, such as month-end processing
Avoid short observation windows. Board traffic can vary by workload and timing.
Phase 2: Analyze logs and tune rules
Review Web Application Firewall logs to identify:
False positives
Rules that are triggered during normal operations
Anomalous patterns that can indicate real threats
Pay special attention to:
Encoded characters in requests
JSON payload inspection
JWT token exchanges
API endpoints used for communication between Board Web and Board Engine
If you find false positives:
Apply scoped exclusions for specific URLs, parameters, or rule IDs.
Avoid disabling full rule groups unless required.
Document each exclusion and the reason for the exclusion.
Phase 3: Move to prevention mode
After validation and tuning, switch the Web Application Firewall to Prevention or Blocking mode.
When possible:
Enable blocking by rule group instead of enabling all blocking at the same time.
Move to blocking mode during a low-traffic period.
Monitor logs closely during the first days after activation.
Keep a rollback plan ready in case valid traffic is affected.
Web Application Firewall protections
Configure the Web Application Firewall to protect against common web risks, such as:
OWASP Top 10 vulnerabilities, including SQL injection, Cross-Site Scripting, and command injection
HTTP protocol violations and malformed requests
Known attack signatures
Automated bot traffic
Brute force login attempts
Abuse of exposed endpoints
Use managed rule sets, such as the OWASP Core Rule Set. Keep the rule sets updated.
TLS handling with a Web Application Firewall
If TLS ends at the Web Application Firewall:
Enforce TLS 1.2 or higher.
Align cipher suites with your company security baseline.
Re-encrypt traffic between the Web Application Firewall and IIS when possible.
Do not lower security between the Web Application Firewall and backend servers.
Rate limiting and denial-of-service protection
Enable rate limiting to reduce the risk of:
Brute force login attempts
Credential stuffing
Layer 7 denial-of-service attacks
Set thresholds based on expected traffic volume and normal usage patterns.
Sudden spikes in POST requests or authentication attempts should trigger throttling or blocking rules.
IP filtering and geo restrictions
Where applicable, add these controls:
Restrict administrative endpoints to trusted IP ranges.
Use IP reputation filtering.
Apply geo restrictions when the application is intended for defined regions.
These controls support authentication and authorization. These controls do not replace authentication and authorization.
Header and response integrity
Make sure the Web Application Firewall does not reintroduce HTTP headers that you removed in IIS, such as the Server header.
Do not override security headers that Board defines at application level, such as the Content Security Policy.
Overriding these headers can affect Board Web functionality.
Logging, Monitoring and Ongoing Maintenance
Enable detailed Web Application Firewall logging.
Integrate logs with a central monitoring tool or SIEM (Security Information and Event Management) system where possible.
Review logs regularly for:
Blocked requests
Repeated attack patterns
Rule trigger frequency
Behavioral anomalies
Web Application Firewall configuration is not a one-time task. Repeat a validation cycle after:
Board upgrades
Infrastructure changes
Authentication changes
New API introductions