40.9 Security
40.9.1 Overview
In the Security area you define program-wide security rules: minimum encryption standards for server connections, marking of downloaded files, protection against zip bomb attacks, and a list of file types that may never be saved or printed.
40.9.2 Transport Encryption
| Option | Description |
|---|---|
| Enforce TLS 1.2 or higher | Connections to mail servers and SQL servers may only use TLS 1.2 or higher. Older TLS versions are rejected. |
Note: This option affects all connections - incoming email accounts, outgoing SMTP accounts, Microsoft 365, database connections, and the download URLs of the Download task.
Recommendation: Leave enabled. Older TLS versions are classified as insecure. Only disable it if an old internal system absolutely must be used and no alternative exists.
40.9.3 Saved Files
| Option | Description |
|---|---|
| Apply Mark-of-the-Web | Downloaded and saved files receive a “Mark-of-the-Web” marker so that Windows shows a security warning when they are opened. |
Use case: Attachments from emails land in an archive folder. The Mark-of-the-Web (MoTW) ensures that Office documents open in Protected View - which blocks macros and automatic connections on first open.
40.9.4 ZIP Extraction
Protection against so-called “zip bomb” attacks - maliciously crafted ZIP archives that become extremely large after extraction and can fill up disk space.
| Field | Description |
|---|---|
| Maximum extracted size (MB) | Threshold in megabytes; if the extracted data would exceed it, the program cancels extraction (range 1-1,048,576 MB). |
| Maximum number of files | Threshold for the number of files in the ZIP (range 1-10,000,000). |
Recommendation: Keep the default values. They are high enough for real supplier ZIPs but low enough to detect attacks.
40.9.5 Global File Type Blocks
Two lists that apply program-wide:
| Field | Description |
|---|---|
| Never save | File extensions that may not be saved in any task, semicolon-separated (e.g. exe;dll;iso). |
| Never print | File extensions that may not be printed in any task (e.g. exe;zip;iso). |
Use case: On processing servers, an executable file (.exe, .scr, .dll) should never be written to the file system - even if a profile configures that by mistake. With the global block you prevent the flow of potentially dangerous file types.
Note: The block acts in addition to the attachment filters of individual tasks. Even if a profile wanted to save a file with a blocked extension, the global list blocks the operation.
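The following is an added example (not code from the product itself) showing how the two checks from the ZIP Extraction and Global File Type Blocks sections can be enforced before anything is written to disk: the declared sizes and file count from the archive's central directory are compared against the thresholds, each entry's extension is checked against a semicolon-separated "Never save" list, and the real uncompressed byte count is enforced again while streaming as a guard independent of the header fields. The threshold values, the `check_archive` function and the constructed sample archives are assumptions for illustration.

```python
import io
import posixpath
import zipfile


def parse_block_list(setting):
    """Parse a semicolon-separated extension list such as 'exe;dll;iso'."""
    return {e.strip().lower().lstrip(".") for e in setting.split(";") if e.strip()}


def check_archive(data, max_mb, max_files, never_save):
    """Return a list of policy violations for a ZIP archive (empty list = OK)."""
    blocked = parse_block_list(never_save)
    limit = max_mb * 1024 * 1024
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # 1) cheap checks on the central directory, before extracting anything
        if len(infos) > max_files:
            problems.append("file count %d exceeds %d" % (len(infos), max_files))
        declared = sum(i.file_size for i in infos)
        if declared > limit:
            problems.append("declared size %d B exceeds %d B" % (declared, limit))
        # 2) global "Never save" list, applied to every entry regardless of profile
        for info in infos:
            ext = posixpath.splitext(info.filename)[1].lstrip(".").lower()
            if ext in blocked:
                problems.append("blocked extension: " + info.filename)
        if problems:
            return problems
        # 3) enforce the size limit on the actual decompressed stream as well
        total = 0
        for info in infos:
            with zf.open(info) as fh:
                while chunk := fh.read(65536):
                    total += len(chunk)
                    if total > limit:
                        return ["actual size exceeds %d B" % limit]
    return problems


def build_sample(entries):
    """Build a constructed in-memory ZIP (name -> content) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A benign supplier archive passes with an empty list; an archive containing `setup.exe`, more entries than allowed, or more than the configured megabytes of data is rejected before extraction.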
40.9.6 Tip
- The global blocks are a last line of defense. Rely primarily on well-configured attachment filters per task - the blocks only catch what slips through.