UiPath Orchestrator Guide

Deployment and Configuration Considerations

Password Policy

The default password policy requires all user passwords to contain at least 8 characters, including at least one letter and one digit. You can change this policy and make it more complex in the Settings page, on the Security tab. For more information, see the Settings Description topic.

Encrypting the Web.config File

Encrypt the SecureAppSettings section of the Web.config file. For instructions, see the Encrypting Web.config Sections topic.

Disabling the Auto-complete Feature in Your Browser

The auto-complete feature available in most web browsers is not completely safe. To make sure that nobody can discover your Orchestrator login password, it is recommended that you disable the aforementioned functionality in your preferred browser.

If you are using Internet Explorer 11:

  1. In Internet Explorer, click Tools > Internet Options. The Internet Options window is displayed.
  2. In the Content tab, select Settings. The AutoComplete Settings window is displayed.
  3. Clear the User names and passwords on forms check box.
  4. Click OK. Your settings are saved.

Changing the Default System Admin Password

Change the default system administrator password (that was communicated to you by our team). You can do this by editing the user profile information. For more information, see Managing tenants.

Not Selecting the Remember Me Check Box

When you first log in to Orchestrator, do not select the Remember Me check box. This helps ensure that you are logged out of the current session every time.

Limiting the Cookie Session Timeout Period

By default, the authorization cookie expires after 60 minutes. You can limit this time by changing the value of the Auth.Cookie.Expire parameter, in the Web.config file.

Using Trusted SSL Certificates

While enforcing an HTTPS connection is important, it is just as important to have an SSL certificate from a trusted provider.

Additionally, you can remove the HTTP binding:

  1. Open IIS.
  2. In the Connections panel, navigate to the Sites folder.
  3. Click the Orchestrator site. The Actions panel is updated accordingly.
  4. Click Bindings. The Site Bindings window is displayed.
  5. Click the HTTP binding and then Remove. The HTTP binding has been deleted.

Adding Cache-Control

We recommend adding security caching directives, so as to hide sensitive information that may be displayed in HTTP headers. Ideally, all responses should return the following HTTP headers:

Cache-control: no-store, no-cache, must-revalidate, private, s-maxage=0
Pragma: no-cache

To add these headers, just add them to the Web.config file, in the customHeaders section, in the following format:

<add name="Cache-control" value="s-maxage=0" />
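The following Python check is an added example, not part of the original guide or of UiPath's tooling: it parses a Web.config and reports whether the Cache-control and Pragma headers recommended above are complete and whether Auth.Cookie.Expire stays within the 60-minute default. It assumes customHeaders sits under system.webServer/httpProtocol (the standard IIS location) and that Auth.Cookie.Expire is an appSettings key holding minutes; both sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Directives the guide lists for the Cache-control header.
REQUIRED_CACHE = {"no-store", "no-cache", "must-revalidate", "private", "s-maxage=0"}

# Constructed sample: only the single directive from the format line is present.
SAMPLE_WEAK = """<configuration>
  <appSettings><add key="Auth.Cookie.Expire" value="60" /></appSettings>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Cache-control" value="s-maxage=0" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

# Constructed sample with both headers complete and a shorter cookie lifetime.
SAMPLE_HARDENED = """<configuration>
  <appSettings><add key="Auth.Cookie.Expire" value="30" /></appSettings>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Cache-control" value="no-store, no-cache, must-revalidate,private,s-maxage=0" />
    <add name="Pragma" value="no-cache" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

def audit_web_config(xml_text, max_cookie_minutes=60):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    # HTTP header names are case-insensitive, so normalise them before lookup.
    headers = {a.get("name", "").lower(): a.get("value", "")
               for a in root.findall("system.webServer/httpProtocol/customHeaders/add")}
    findings = []
    present = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    missing = sorted(REQUIRED_CACHE - present)
    if missing:
        findings.append("Cache-control missing: " + ", ".join(missing))
    if headers.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache not set")
    # Assumption: Auth.Cookie.Expire is an appSettings key whose value is minutes.
    expire = {a.get("key"): a.get("value", "")
              for a in root.findall("appSettings/add")}.get("Auth.Cookie.Expire")
    if expire is None:
        findings.append("Auth.Cookie.Expire not set explicitly")
    elif not expire.strip().isdigit():
        findings.append("Auth.Cookie.Expire is not a whole number of minutes")
    elif int(expire) > max_cookie_minutes:
        findings.append("Auth.Cookie.Expire above %d minutes" % max_cookie_minutes)
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_web_config(cfg) or "OK")
```

Pass a lower max_cookie_minutes to enforce a stricter session limit than the default.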

Disabling the exceptionless.io Service

Exceptionless.io is a service that provides real-time error reporting for applications. While in use, it might reveal where UiPath is installed. To avoid these callback requests, it is recommended that you disable it:

  1. Open the UiPath.Service.Host.exe.config file from the UiPath installation folder with a text editor (such as Notepad++).
  2. Navigate to the <exceptionless apiKey="API_KEY_HERE" /> section and add enabled="false" so that it looks like this:
     <exceptionless apiKey="API_KEY_HERE" enabled="false"/>
  3. Save the changes and close the file.
  4. Restart the UiRobot service.