DocSpace Security Guide
Introduction
ONLYOFFICE provides a wide range of security tools to keep your data safe and to ensure secure collaboration online. This guide describes all the features that allow you to increase the security level of your DocSpace.
Besides that, you can explore some common security technologies, principles, and services to ensure maximum security of your server.
General DocSpace security
Some DocSpace features are recognized as industry standards in the field of security: HTTPS, backup, own SMTP server, LDAP.
Secure HTTPS protocol
ONLYOFFICE allows you to encrypt your traffic using HTTPS protocol. You can easily create a CA-signed certificate on letsencrypt.org and switch your DocSpace to HTTPS with a single command or apply your own certificates.
Read the corresponding instructions for Docker, Linux, Windows.
Regular backups
You can back up your data both manually and automatically to avoid data loss. The Backup/Restore features are available in the DocSpace Settings.
To learn more about the backup and restore options, please read this article.
Own SMTP server
In ONLYOFFICE DocSpace, the default server for user notifications is the ONLYOFFICE SMTP server. For higher security, we recommend using your own SMTP server, so that your messages won’t pass through any third-party services.
To learn more on how to set up SMTP Server, please read this article.
LDAP for access centralization
You can easily import the necessary users and groups from your LDAP server (e.g. OpenLDAP Server or Microsoft Active Directory) to your DocSpace. The newly created users, in turn, don't need to memorize new passwords and logins because they will sign in to DocSpace using their credentials stored on your LDAP Server.
For more details, please read this article.
Secure access
The Security section of DocSpace Settings allows you to control access to your DocSpace and monitor the activity of all users.
Password strength
Strong passwords can help prevent unauthorized access to your data. In DocSpace, you can set requirements for the password length and determine the character set that must be used in the password: capital letters, digits, special characters.
Learn more about password strength settings.
Two-factor authentication
Two-factor authentication ensures more secure DocSpace access. When two-factor authentication is enabled, a user can access the DocSpace data after entering their regular email and password or signing in via a social media account and typing in a code generated by the authenticator app.
To learn more on how to use two-factor authentication, read the following article.
Other access settings
- Specify the trusted mail domains that can be used for user self-registration in your DocSpace. Learn more.
- IP security settings allow you to restrict access to your DocSpace based on IP addresses by allowing access to the DocSpace from trusted networks only. Learn more.
- Protect your DocSpace against brute-force attacks by setting up the limit of unsuccessful login attempts by the user. Learn more.
- Use the Session Lifetime feature to set a time limit during which the DocSpace users will need to enter their DocSpace credentials again in order to access the DocSpace. Learn more.
- You can also manually log out from all active sessions on any device using the corresponding feature in your profile. Learn more.
Login and action monitoring
Easily track the latest user login activity including successful logins and failed attempts using the Login History section of Settings. The Audit Trail section allows you to browse through the list of the latest changes (creation, modification, deletion etc.) made by users to the files and folders in your DocSpace. Learn more.
Secure storage
Password for external links
When creating external links to public, custom, or form filling rooms, you can protect them with a password. For the public or custom room shared via a link, you can also enable the Restrict file content copy, file download and printing option to disable downloads of files and folders. Additional links can be limited by time period.
Learn more about external links.
Virtual Data Rooms for sensitive data
Virtual Data Rooms provide advanced file security for storing and sharing confidential business information. The following security features for working with data are available in a Virtual Data Room: setting the lifetime of files, prohibition on copying and downloading files, setting watermarks.
- File lifetime - Set file lifetime to automatically delete the files in this room after a defined period.
- Restrict copy and download - Enable this setting to disable downloads and content copying for users with the "Viewer" role.
- Add watermarks to documents - Protect all documents in this room with watermarks.
Learn more about Virtual Data Rooms.
Permission management
You can assign different permission levels that define what actions with files are available for the user within a room. For example, viewers can only view docs, editors can perform all editing operations with the existing files, content creators can create and upload new files and folders. Learn more.
Secure work with documents
When co-editing documents, apply a number of security features to restrict access or editing abilities for other users and to prevent unwanted changes to data.
Document versions
View version history to know exactly which changes have been made. Restore one of the previous versions of the document if necessary. Learn more.
Document password protection
Protect documents with passwords to make sure that no one can access your files without receiving a password from you. Learn more.
Protect workbooks, sheets, ranges
When working with spreadsheets, you can protect the entire workbook, certain sheets or cell ranges as well as hide formulas or objects. Learn more.
JWT protection
To protect documents from unauthorized access, ONLYOFFICE editors use the JSON Web Token (JWT). The token is added in the configuration when the Document Editor is initialized and during the exchange of commands between inner ONLYOFFICE Docs services. The secret key is used to sign the JSON web token and validate the token upon the request to ONLYOFFICE Docs.
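The signing and validation step described above, as an added example that is not ONLYOFFICE code: an HS256 JSON Web Token is built from a base64url header and payload, signed with HMAC-SHA256 under the shared secret, and on receipt is accepted only if the algorithm is the expected one, the signature matches under a constant-time comparison, and any `exp` claim has not passed. The `SECRET` value and the `document.key` payload are placeholders; the real secret is the one configured for ONLYOFFICE Docs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Placeholder only: the real value is the secret configured for ONLYOFFICE Docs.
SECRET = "replace-with-the-docs-secret"


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: Dict[str, Any], secret: str) -> str:
    """Produce a compact HS256 JWT: header.payload.signature, each segment base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: str, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the payload if the token is valid under this secret, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        given_sig = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    # Accept only the algorithm we sign with: a header claiming "none" or another alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, given_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        return None
    return payload


if __name__ == "__main__":
    # Constructed payload in the shape of an editor config fragment (document key only).
    token = sign_jwt({"document": {"key": "doc-key-0001"}, "exp": int(time.time()) + 300}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET))
```

The signature check runs before the payload is parsed, so a token that fails validation never influences what the service does; the payload is only trusted once the signature has been accepted.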
Basic security principles
You can also consider using some general principles of server security as well as third-party services and tools not related to the ONLYOFFICE products. Below, you can see some common examples and tips which can be helpful.
Disabling root access
To avoid data leaks, it is better to disallow logging in as root, as the root user has full access to all data on the system. This can be done from the server’s terminal by setting the root login permission to No.
Closing all unnecessary ports
You should keep open only the ports you need for portal functioning, as extra open ports can be the cause of data leaks. Use the netstat utility to view all open ports and their associated software.
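An added example (not from the ONLYOFFICE documentation) of the check this tip asks for: parse the output of `netstat -tulpn` and report every listener bound to a non-loopback address whose port is outside an allow-list. The `ALLOWED_PORTS` set (SSH plus the HTTP/HTTPS front end) and the `SAMPLE_NETSTAT` snapshot are assumptions constructed for the example; replace them with the ports your deployment actually needs and with the real command output. Note that the program column only appears when netstat is run as root.

```python
from typing import List, NamedTuple, Set

# Constructed netstat -tulpn output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/nginx: master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN      1100/beam.smp
tcp6       0      0 :::443                  :::*                    LISTEN      1203/nginx: master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
udp6       0      0 ::1:323                 :::*                                610/chronyd
"""

# Assumed allow-list: ports that must be reachable from outside for this deployment.
ALLOWED_PORTS = {22, 80, 443}
LOOPBACK = {"127.0.0.1", "::1"}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    program: str


def parse_netstat(text: str) -> List[Listener]:
    """Turn netstat -tulpn lines into Listener records, skipping the header lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        # rpartition on the last ':' copes with IPv6 forms such as ':::443' and '::1:323'
        address, _, port = fields[3].rpartition(":")
        # tcp lines carry a State column, udp lines do not; program names may contain spaces
        program = " ".join(fields[6:] if fields[0].startswith("tcp") else fields[5:])
        listeners.append(Listener(fields[0], address, int(port), program))
    return listeners


def exposed_unexpected(text: str, allowed: Set[int] = ALLOWED_PORTS) -> List[Listener]:
    """Listeners reachable from the network (non-loopback) on ports outside the allow-list."""
    return [l for l in parse_netstat(text) if l.address not in LOOPBACK and l.port not in allowed]


if __name__ == "__main__":
    for l in exposed_unexpected(SAMPLE_NETSTAT):
        print(f"{l.proto} port {l.port} on {l.address} is exposed by {l.program}")
```

Services bound only to loopback (the sample MySQL on 127.0.0.1:3306) are not flagged because they are not reachable from other hosts; everything else outside the allow-list is a candidate for shutting down or for a firewall rule.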
Setting up a firewall
A firewall allows or blocks incoming and outgoing network traffic based on a set of predefined rules. In Linux, the firewall is part of the kernel (netfilter), but you need to install a utility for managing it, for example, UFW for Debian or firewalld for RHEL.
Following the least privilege principle
Assign only the permissions that are minimally necessary to perform specific tasks, preventing users from accessing sensitive areas they do not need.
Using SSH for remote OS administration
When administering the server remotely, use the secure SSH protocol. Although this protocol is reliable, you can further strengthen the protection by using SSH keys instead of a password.
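An added example (not ONLYOFFICE code) that covers both the root-login tip and the SSH-key tip above: an audit of `sshd_config` that reports when `PermitRootLogin`, `PasswordAuthentication` and `PubkeyAuthentication` are not set to the hardened values. The parser follows sshd's own rule that the first occurrence of a keyword wins and keywords are case-insensitive; it stops at the first `Match` block, since conditional settings are outside its scope. Both configuration texts are constructed samples.

```python
from typing import Dict, List

# Constructed sshd_config before hardening (not taken from a real server).
SAMPLE_SSHD_CONFIG = """\
# sshd_config sample
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed sshd_config after hardening: no root login, keys only.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Values the audit expects; keys are compared case-insensitively.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global values: sshd uses the first occurrence of each keyword."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # settings inside Match blocks are conditional; stop at the global section
        values.setdefault(key, value)  # first occurrence wins
    return values


def audit_sshd(text: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """Return one finding per directive that deviates from the expected value."""
    values = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = values.get(key.lower())
        if got is None:
            findings.append(f"{key} is not set explicitly (compiled-in default applies); expected {want}")
        elif got.lower() != want:
            findings.append(f"{key} is {got}; expected {want}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG):
        print(finding)
    print("hardened config findings:", audit_sshd(HARDENED_SSHD_CONFIG))
```

Run it against `/etc/ssh/sshd_config` after editing and again after `sshd -t` has accepted the file; a directive that is only commented out still counts as "not set explicitly", which is why the audit reports it rather than assuming the default.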
Using Fail2ban to secure your login
Fail2ban can be used to protect your server from brute force attacks. It monitors log files and blocks connections if there are too many failed login attempts.
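The counting logic behind this tip, and behind the DocSpace login-attempt limit described earlier, as an added example that is not Fail2ban's code: a sliding window per source address over constructed `auth.log` lines bans an address once it reaches `maxretry` failed logins within `findtime` seconds (the defaults used here match Fail2ban's documented defaults of 5 retries in 10 minutes). The log excerpt uses documentation IP ranges and is not captured from a real host; only "Failed password" lines are counted, so a successful key login after two failures does not trigger a ban, and failures spread too thinly over time fall out of the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

# Constructed auth.log excerpt in syslog format (no year); addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:00 docspace sshd[2101]: Failed password for root from 192.0.2.44 port 50001 ssh2
Mar  3 10:05:00 docspace sshd[2105]: Failed password for root from 192.0.2.44 port 50002 ssh2
Mar  3 10:10:00 docspace sshd[2110]: Failed password for root from 192.0.2.44 port 50003 ssh2
Mar  3 10:15:00 docspace sshd[2115]: Failed password for root from 192.0.2.44 port 50004 ssh2
Mar  3 10:15:01 docspace sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51322 ssh2
Mar  3 10:15:04 docspace sshd[2231]: Failed password for root from 198.51.100.23 port 51322 ssh2
Mar  3 10:15:07 docspace sshd[2233]: Failed password for invalid user test from 198.51.100.23 port 51330 ssh2
Mar  3 10:15:09 docspace sshd[2235]: Failed password for root from 198.51.100.23 port 51334 ssh2
Mar  3 10:15:12 docspace sshd[2237]: Failed password for root from 198.51.100.23 port 51340 ssh2
Mar  3 10:16:01 docspace sshd[2240]: Failed password for deploy from 203.0.113.7 port 40011 ssh2
Mar  3 10:16:05 docspace sshd[2240]: Failed password for deploy from 203.0.113.7 port 40011 ssh2
Mar  3 10:16:10 docspace sshd[2240]: Accepted publickey for deploy from 203.0.113.7 port 40011 ssh2
Mar  3 10:20:00 docspace sshd[2120]: Failed password for root from 192.0.2.44 port 50005 ssh2
"""

# Matches sshd's "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def _parse_ts(ts: str) -> datetime:
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for differences
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def ips_to_ban(lines: Iterable[str], maxretry: int = 5, findtime: int = 600) -> List[str]:
    """Return addresses, in the order they crossed the threshold, that had at least
    `maxretry` failed logins inside any `findtime`-second window."""
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: List[str] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip, now = m.group("ip"), _parse_ts(m.group("ts"))
        hits = window[ip]
        hits.append(now)
        while (now - hits[0]).total_seconds() > findtime:
            hits.popleft()  # drop failures older than the window
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_AUTH_LOG.splitlines()))
```

Fail2ban keeps the same idea but ties it to a `jail.local` entry (maxretry, findtime, bantime) and to a firewall action; the example only produces the list of addresses such an action would receive.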
Enabling SELinux or AppArmor
Enable security modules which protect your server against misconfigured or compromised programs. On RHEL-based systems, SELinux is used. On Debian-based systems, you can use AppArmor.