  • Introduction
  • SSL Certificate
  • Automatic backup
  • Portal security settings adjustment
  • LDAP for access centralization
  • Usage of private SMTP server
  • User logins and other actions monitoring
  • Disabling root access
  • Closing all unnecessary ports
  • Adjusting parameters for storing file versions
  • Setting up document permissions and portal access rights
  • Private rooms for secure work with documents
  • Data encryption protection

Introduction

ONLYOFFICE provides many ways to ensure that your portal is properly protected. In this guide, all the features and tools that can enhance the security level of a portal, sensitive data, and work in the cloud and desktop editors are presented.

SSL Certificate

An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. You can generate an SSL certificate or upload a third-party one using the Control Panel.

Certificate Generation

The Let’s Encrypt service is used to provide CA-signed certificates.

Port 80 must be open in order to successfully generate Let’s Encrypt certificates.

To generate a new certificate,

  1. open the HTTPS page in the COMMON SETTINGS section on the left sidebar,
  2. click the GENERATE AND APPLY button. A popup message box will appear informing you that the certificate and private key have been generated successfully.

Control Panel and portal will be restarted and become unavailable during this process. It can take up to 5 minutes. Once the certificate installation process is over, your portal will be available over HTTPS.

Certificate Upload

To upload a third-party certificate (e.g. Amazon or GoDaddy),

  1. open the HTTPS page in the COMMON SETTINGS section on the left sidebar,
  2. click the Plus button next to the CRT certificate field and select your .crt certificate to upload it,
  3. click the Plus button next to the HTTPS key field and select your private .key key to upload it,
    Before uploading, please make sure that the private key is not encrypted. If you have a password-protected .key file, you will need to decrypt it first.
  4. once the .crt and .key files are uploaded, click the APPLY button at the bottom of the page.

After that, your Control Panel and portal will be restarted and will be unavailable during this process. It can take up to 5 minutes. Once the certificate installation process is over, your portal will be available over HTTPS. The domain name that your certificate was issued for is now displayed in the Generated on domain section of the HTTPS page in the Control Panel.
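
A pre-upload check for the key in step 3, added here as an example (it is not ONLYOFFICE code): it uses the Node.js built-in crypto module to detect a passphrase-protected PEM key and re-export it unencrypted. The function names, the generated EC key and the passphrase are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Detect a passphrase-protected PEM key by its markers:
// PKCS#8 uses an "ENCRYPTED PRIVATE KEY" label, the traditional OpenSSL
// format keeps the normal label and adds a "Proc-Type: 4,ENCRYPTED" header.
function isEncryptedPem(pem) {
  return /-----BEGIN ENCRYPTED PRIVATE KEY-----/.test(pem) ||
         /^Proc-Type:\s*4,ENCRYPTED/m.test(pem);
}

// Return an unencrypted PKCS#8 PEM; keys that are already plain pass through.
// A wrong passphrase makes createPrivateKey throw.
function decryptKey(pem, passphrase) {
  if (!isEncryptedPem(pem)) return pem;
  return crypto.createPrivateKey({ key: pem, passphrase })
    .export({ type: 'pkcs8', format: 'pem' });
}

// Constructed test input: a throwaway EC key encrypted with the given passphrase.
function sampleEncryptedKey(passphrase) {
  const { privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return privateKey;
}

const encrypted = sampleEncryptedKey('constructed-passphrase');
const plain = decryptKey(encrypted, 'constructed-passphrase');
console.log('encrypted before:', isEncryptedPem(encrypted), 'after:', isEncryptedPem(plain));
```

Write the decrypted key with owner-only file permissions and delete the copy once the upload has been applied.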


Once you’ve generated a certificate or bought one and uploaded it, you can check your security level using the SSL Labs service or another service of the same kind. Your security level must not be lower than A.

To learn more about switching to HTTPS, please read this article.

Automatic backup

Automatic backup can be enabled in the Control Panel. It is also a good idea to make copies of the portal using third-party services from time to time.

To turn Automatic backup on,

  1. switch to the Backup page in the COMMON SETTINGS section on the left sidebar and find the Automatic backup section,
  2. click the Disabled switcher to enable the feature,
  3. select the necessary Storage for the backup files (the available options are Amazon AWS S3, Google, Rackspace, and Selectel cloud storage services or other WebDAV services, except for the Temporary storage which is only available in the Data Backup section),
  4. specify the time interval at which backups should be created: Every day, Every week, or Every month with an indication of the necessary part of the time period,
  5. set The maximal number of backup copies to be stored by selecting the necessary value (from 1 to 30) from the corresponding drop-down list,
  6. check the Include Mail in backup box if you want to back up the Mail data as well,
  7. click the SAVE button.

Backups will be created automatically with the specified periodicity.

To learn more about the backup and restore options, please read this article.

Portal security settings adjustment

Portal access rules must be set up before adding users to the portal. This can be done on the Portal Access page, which you can reach in the following way: Settings > Security > Portal access.

You can restrict portal access by defining the password settings: the number of password characters, and whether capital letters, digits and special characters are required in users’ passwords.


Two-factor authentication is available for portal login. It can be set to use an application, Authy or Google Authenticator; the second is highly recommended. The other way is 2FA via SMS. To use it, you need to use SMSC, Clickatell or Twilio (they can be turned on on the Third-Party Services page of the Integration tab, using the API key of the corresponding service).

As some of the mass mail domains have known security issues, you can specify the trusted mail domains that can be used for registration. To turn this function on, select the Custom domains checkbox in the Trusted mail domain settings and provide the trusted domain names in the fields that appear.

To set a whitelist for trusted users’ IPs, use the IP Security feature.

This limitation also applies to existing portal users: their access to the portal will be restricted if they try to log in from a new location.

ONLYOFFICE Workspace also has the Session Lifetime feature. By enabling it, you can set the session duration for each user, after which the user is logged out automatically.

To learn more about how to control portal access, please read this article.

LDAP for access centralization

You can import user credentials from your LDAP server. It can be done via the Control Panel, in the Portal Settings section, on the LDAP page.

Turn the Enable LDAP Authentication switch on, then provide the following data:

  • your server information, as URL address,
  • port number that is used to access the LDAP server,
  • the path to the directory with user data (User DN) that you want to import,
  • the user filter, if you need to import only certain users from that directory, and the login attribute value.

Groups are imported the same way as users from your LDAP server.

The login domain for authentication on the ONLYOFFICE portal corresponds to the LDAP Domain.

You can also synchronize the LDAP server data with the ONLYOFFICE portal so that it is displayed correctly in user profiles.

To learn more about how to import users and groups using an LDAP server, please read this article.

Usage of private SMTP server

In ONLYOFFICE Workspace, the default server for user notifications (for example, about portal or community updates, document access grants or project changes) is the ONLYOFFICE SMTP server. For higher security, we recommend using your own SMTP server, so that your messages won’t pass through any third-party services.

To do so, follow the instructions below:

  1. Open the Settings module, then in the Integration section, open the SMTP Settings page.
  2. Specify the SMTP server domain and port.
  3. Specify login credentials.
  4. Specify the sender name for recipients and the sender email address for recipients.
  5. OPTIONAL. For better security, if your server supports it, select the Enable SSL checkbox.

After setting up the SMTP server settings, try to send a test mail by clicking the Send Test Mail button. If the message is delivered successfully, click the Save button.

To learn more about how to set up an SMTP server, please read this article.

User logins and other actions monitoring

Using ONLYOFFICE Workspace, you can easily track user actions and logins. You can see the list of user actions and logins using the Control Panel.

The login information is kept on the Login History page.

To view the detailed statistics for the last half year, click the Download and open report button. The report will open in an .xlsx spreadsheet (LoginHistory_ReportStartDate-EndDate.xlsx).

The login history report includes the following details: user IP address, Browser and Platform which were being used when the registered event occurred, Date and time of the event, name of the User who made an attempt to log in/log out, portal Page where the action has been performed, specific Action (for example, Login Fail. Associated Social Account Not Found).
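
A way to triage the login history report for bursts of failed logins, as an added example that is not part of ONLYOFFICE. It assumes the .xlsx rows were saved as tab-separated text with the column names below and ISO 8601 dates; the rows, the `Logout` action text and the `login` page value are constructed.

```javascript
const FAIL = 'Login Fail. Associated Social Account Not Found';
// Constructed sample rows; column names follow the report fields listed above.
const rows = [
  ['IP', 'Browser', 'Platform', 'Date', 'User', 'Page', 'Action'],
  ['203.0.113.7', 'Firefox', 'Linux', '2024-03-01T09:00:01Z', 'alice', 'login', FAIL],
  ['203.0.113.7', 'Firefox', 'Linux', '2024-03-01T09:00:40Z', 'bob', 'login', FAIL],
  ['198.51.100.20', 'Chrome', 'Windows', '2024-03-01T09:01:00Z', 'dave', 'login', FAIL],
  ['203.0.113.7', 'Firefox', 'Linux', '2024-03-01T09:01:55Z', 'carol', 'login', FAIL],
  ['198.51.100.20', 'Chrome', 'Windows', '2024-03-01T09:02:00Z', 'dave', 'login', FAIL],
  ['192.0.2.5', 'Safari', 'macOS', '2024-03-01T09:03:00Z', 'erin', 'login', 'Logout'],
  ['198.51.100.20', 'Chrome', 'Windows', '2024-03-01T10:30:00Z', 'dave', 'login', FAIL],
];
const SAMPLE_TSV = rows.map(r => r.join('\t')).join('\n');

// Turn the tab-separated export into one object per row, keyed by column name.
function parseReport(tsv) {
  const [header, ...lines] = tsv.trim().split(/\r?\n/);
  const cols = header.split('\t');
  return lines.map(l => Object.fromEntries(l.split('\t').map((v, i) => [cols[i], v])));
}

// For each source IP, find the largest number of failed logins that fall inside
// one sliding time window. IPs at or above the threshold are returned together
// with the accounts they tried; many accounts from one IP deserves a closer look.
function failedLoginBursts(events, threshold = 3, windowMs = 5 * 60 * 1000) {
  const byIp = new Map();
  for (const e of events) {
    if (!e.Action.startsWith('Login Fail')) continue;
    if (!byIp.has(e.IP)) byIp.set(e.IP, []);
    byIp.get(e.IP).push({ t: Date.parse(e.Date), user: e.User });
  }
  const alerts = [];
  for (const [ip, fails] of byIp) {
    fails.sort((a, b) => a.t - b.t);
    let start = 0, worst = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].t - fails[start].t > windowMs) start++;
      worst = Math.max(worst, end - start + 1);
    }
    if (worst >= threshold) {
      alerts.push({ ip, failures: worst, users: [...new Set(fails.map(f => f.user))].sort() });
    }
  }
  return alerts;
}

console.log(failedLoginBursts(parseReport(SAMPLE_TSV)));
```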

The action history is kept on the Audit Trail page.

To view the detailed statistics for the last half year, click the Download and open report button. The report will open in an .xlsx spreadsheet (AuditTrail_ReportStartDate-EndDate.xlsx).

The audit trail report includes the following details: user IP address, Browser and Platform which were being used when the registered event occurred, Date and time of the event, name of the User who performed the operation, portal Page where the action has been performed, generic Action Type (for example, download, attach, updated access), specific Action (for example, Projects [Product development and promotion]. Tasks [Distribute coupons]. Status Updated: Closed), Product and Module that the changed entity is referred to.

It is also possible to set the storage period for both Login history and Audit trail on the corresponding pages.

Disabling root access

To avoid data leaks, it is better to disallow logging in as root, as the root user has full access to all data on the system. This can be done via the server’s terminal, by setting the root login permission to No.

Closing all unnecessary ports

You should keep open only the ports you need for portal functioning, as extra open ports can be the cause of data leaks. The list of necessary ports for ONLYOFFICE Workspace functioning is here.

Adjusting parameters for storing file versions

To protect data when some users have a poor internet connection, you can adjust file versioning in the Settings section of the Documents module. It is possible to keep all the intermediate versions and automatically create copies of the updated files, or just update the existing files after changes are applied. You can read more here.

Setting up document permissions and portal access rights

You should provide access to documents only to authorized members of certain working groups. You can adjust access level, by clicking the Share button near the required document. In the opened window you can add users and set their access level including:

  • Read Only,
  • Filling Forms,
  • Custom Filter,
  • Commenting,
  • Reviewing,
  • Full Access.

Developers can also set up the document permission levels separately and in more detail: forbid access to document history, content copying, document download, etc. More information about the config document access parameters can be found here.

It is also possible to set the portal access rights. You can restrict access to certain modules for different users and groups, using the Settings module. You need to open the Access Rights page from the Security section. There you can adjust administrators and change their access rights. Also, you can grant or deny access to certain modules lower on that page.

Private rooms for secure work with documents

In ONLYOFFICE, every user can use private rooms to create a secure workspace for working with documents. The Private Room is a section in Documents. The .docx, .xlsx and .pptx office files in a private room are encrypted with the AES-256 encryption algorithm.

To work with private rooms,

  1. enable the feature in the Control Panel,
  2. download the desktop editor and connect it to the cloud on the application main page.

You can work within your private room on the portal, using the appropriate section in the Documents module. You can share documents from your private room the same way you usually share documents on the portal.

Data encryption protection

ONLYOFFICE has a data encryption feature that can be managed using the Control Panel in the server version.

Encryption converts data for confidential and secure storage. ONLYOFFICE encryption is based on an Encrypt-then-MAC type of encryption (AES-256-CBC + HMAC-SHA256) of the entire body of data. It is compliant with the AES-256 international data encryption standard.
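
The Encrypt-then-MAC construction named above, as an added example using the Node.js crypto module; it is not ONLYOFFICE's code or storage format. The blob layout (IV, ciphertext, tag), the two separate keys and the function names are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const IV_LEN = 16;   // AES block size
const TAG_LEN = 32;  // HMAC-SHA256 output size

// Assumed layout for this illustration: IV || ciphertext || HMAC tag.
// The tag covers the IV and the ciphertext, so neither can be changed unnoticed.
function seal(encKey, macKey, plaintext) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  const tag = crypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

function openSealed(encKey, macKey, blob) {
  if (blob.length < IV_LEN + 16 + TAG_LEN) throw new Error('blob too short');
  const body = blob.subarray(0, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const expected = crypto.createHmac('sha256', macKey).update(body).digest();
  // Verify the MAC in constant time BEFORE decrypting, so a modified blob
  // never reaches CBC decryption or padding removal.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error('MAC check failed');
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, body.subarray(0, IV_LEN));
  return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
}

// Returns true when a single flipped ciphertext bit is rejected by the MAC check.
function tamperIsRejected(encKey, macKey, blob) {
  const bad = Buffer.from(blob);
  bad[IV_LEN + 4] ^= 0x01;
  try {
    openSealed(encKey, macKey, bad);
    return false;
  } catch (err) {
    return err.message === 'MAC check failed';
  }
}

// Constructed keys and plaintext for the demonstration.
const encKey = crypto.randomBytes(32);
const macKey = crypto.randomBytes(32);
const blob = seal(encKey, macKey, Buffer.from('constructed portal file contents'));
console.log(openSealed(encKey, macKey, blob).toString(), tamperIsRejected(encKey, macKey, blob));
```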

To prepare the portal for encryption, you need to:

  1. Sign in to your portal and click the Control Panel icon on the Start Page.
    Alternatively, you can go to the portal Settings and select the Control Panel link on the left-side panel.
  2. Switch to the Backup section and backup data.
  3. Disable the Automatic Data Backup feature.
  4. Select the Local storage option for both Connect storage for static data and Connect storage as CDN.
  5. Make sure there is enough space on your hard drive.

After the preliminary preparations are ready, you can proceed to the next step.

To encrypt the storage, you need to:

  1. Switch to the Storage section in the Control Panel.
  2. Check the Notify users that the portal will be unavailable checkbox to notify all active users via email when the encryption process starts.
    Upon the successful completion of the encryption process, all active users will also receive email notifications. If an error occurs during the encryption process, then all administrators (regardless of the Notify users option) will receive email notifications of the unsuccessful encryption process.
  3. Click the Encrypt storage button and then OK to launch the encryption process.
    When encryption is enabled, a newly created backup copy of the data archive will contain decrypted files. When such a copy is restored, the files will be encrypted on the disk again.

The time required to complete the procedure depends on the data volume. All portals will be unavailable during the encryption process. As soon as the encryption is over, the portal data will be available for work.


To decrypt the storage, you need to:

  1. Switch to the Storage section in the Control Panel.
  2. Check the Notify users that the portal will be unavailable checkbox to notify all active users via email when the decryption process starts.
    Upon the successful completion of the decryption process, all active users will also receive email notifications. If an error occurs during the decryption process, then all administrators (regardless of the Notify Users option) will receive email notifications of the unsuccessful decryption process.
  3. Click the Decrypt storage button and then OK to launch the decryption process.

The time required to complete the procedure depends on the data volume. All portals will be unavailable during the decryption process. As soon as the decryption is over, the portal data will be available for work.
