Security Considerations
The following section discusses some security considerations that can be taken into account when planning your environment.
Service Accounts
Review the topic Accounts used in a K2 Installation for details of the various accounts used in a K2 installation and some practice recommendations for these accounts to comply with the STRIDE security model .
Kerberos vs K2 Pass-Through Authentication
When planning an environment whether it be Standalone, Distributed or Farm, the topic of a secure method of authentication is of paramount importance. When it comes to the K2 product stack as a whole, there are two available options: Kerberos and K2 Pass-Through Authentication.
From a K2 perspective it is recommended that Kerberos authentication be used as a the primary form of authentication to pass user credentials between physical or logical machine boundaries. If Kerberos is not available or cannot be configured, K2 Pass-Through Authentication can be used.
SmartForms Authentication
K2 smartforms uses blackpearl security mechanisms for users (more on that in the topic SmartForms Authentication), but can also be set up to allow anonymous access to sites, Views or Forms. The two methods of allowing anonymous access are:
Separation of the Designer and Runtime sites
An option is to separate the SmartForms sites (Designer and Runtime) on different physical machines in an environment. This allows for an extra layer of security, so that if a site or machine is brought down by an attack, the other K2 components are able to continue function. One draw back of such an approach is the performance impact when separating components across multiple machines. It is recommended that if this approach is taken, adequate resources are applied to the machines that will host theses sites and network communication between them, to ensure acceptable levels of performance.
K2 for SharePoint
When considering security with K2 for SharePoint, the focus should be placed on SharePoint itself. Ensure that all necessary rights and permissions are set up correctly and any SharePoint security requirements are met prior to integrating with K2.
Post-installation Security configuration
After K2 is installed, additional Post Installation Security Considerations can be applied to lock down a K2 environment.