All development has been done and you are planning to go live? Stop and think about security. Security is the major concern for any web application and it should be well implemented to avoid any vulnerability. Security itself is a very big topic and difficult to implement from every aspect, but yes, we can secure our site as much as possible.
Is your Sitecore application secure? Ask this question again and again: which items of the checklist have you followed for better security of the system?
Even if your Sitecore solution does not require authentication for users of the managed websites, you should consider Sitecore security when designing your information architecture.
Here I am listing a checklist that should be implemented before go-live.
1. Protect your user password policy: enforce users to enter strong passwords. Please refer to the blog for complete details: http://sitecoresolution.ashishbansal.digital/2014/05/sitecore-security-password-expiration.html
2. Ensure you changed the default admin password: changing the password prevents unauthorized users from using the default password to access the admin account.
Step 1. Log in with the admin user:
Step 2. Go to the Security Editor >
Step 3. Go to the User Manager >
3. Restrict anonymous access to Sitecore folders from IIS:
We should restrict the following folders:
· /App_Config
· /sitecore/admin
· /sitecore/debug
· /sitecore/shell/WebService
Below are the steps to change the permission level of each of these folders:
1. Open IIS: Run > inetmgr
2. Navigate to Web Sites > your instance name > folder name.
3. Double-click Authentication under Features View.
4. Disable the anonymous user (Anonymous Authentication).
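The same restriction expressed as configuration, as an added example that is not from the original post: this is the shape of the entry IIS Manager writes into applicationHost.config when Anonymous Authentication is disabled on each of the four folders. The site name "MySitecoreSite" is an assumed placeholder.

```xml
<!-- Added example, not from the original post. Each <location> disables
     Anonymous Authentication for one folder of the site "MySitecoreSite"
     (assumed name); IIS then answers anonymous requests to it with 401. -->
<configuration>
  <location path="MySitecoreSite/App_Config">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="MySitecoreSite/sitecore/admin">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="MySitecoreSite/sitecore/debug">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="MySitecoreSite/sitecore/shell/WebService">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The same elements can be placed in the site's web.config instead, but only if applicationHost.config unlocks the anonymousAuthentication section (it is locked by default, and a locked section produces an HTTP 500.19 configuration error). After the change, an anonymous request to /sitecore/admin/ should receive HTTP 401 rather than the page.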
4. Ensure your login page is on HTTPS. If you do need HTTPS on some (but not all) of your website's pages, you might also want to consider the SSL Redirector module on the Sitecore Marketplace. It allows content items to be served over HTTPS by adding the module's template to the templates of the items you wish to be encrypted.
5. Ensure that Client RSS Feeds are disabled if there is sensitive information: disable the client RSS feed setting in web.config.
6. Ensure that the only way to upload files is from the Media Library: by disabling the Upload Watcher, files that are placed in the /upload folder are not automatically uploaded to the Media Library.
7. Ensure the correct license file on the production server: install the correct license in each environment. Most important, do not install a license that allows content management in a content delivery environment. An improper license can increase the solution's vulnerability to attack.
8. Ensure you follow best practice when importing users from another system.
9. Ensure your custom errors are on: remember to update your production web.config to <customErrors mode="RemoteOnly" />. This will allow you to show a friendly error message to your site visitors should an error occur.
10. Ensure your custom administrative pages are fully protected; never leave these pages unprotected.
11. Prevent Cross Site Scripting (XSS) attacks: Cross Site Scripting (XSS) attacks are when a user submits HTML, script or SQL code to your site via form fields. Client-side validation should prevent malicious data from being entered, but remember that this relies on JavaScript, which is trivial to disable in the browser, so validation must also happen on the server. Add the following attribute to the <httpRuntime> element in your web.config file to enable request validation:
12. Ensure that security rights are assigned to roles and not to users.
13. Ensure that the home item permissions of each managed site are heavily restricted, and grant access rights to its children and descendants instead.
14. Use UserSwitcher wherever required instead of SecurityDisabler when editing programmatically.
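The difference between the two approaches in code, as an added example that is not from the original post: the first method bypasses all access rights, the second runs the edit as a named service account whose rights Sitecore still enforces. The account name is passed in and is assumed to exist and to have item:write on the target item.

```csharp
using System;
using Sitecore.Data.Items;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

// Added example, not code from the original post. It assumes a dedicated
// service account (passed in as serviceUserName, e.g. "sitecore\\ImportService")
// that has been granted item:write on the items the code is meant to touch.
public static class ItemEditing
{
    // Before: SecurityDisabler switches off access-right checks entirely.
    // Any item reachable by this code can be written, and the audit trail
    // shows no real account behind the change.
    public static void EditWithSecurityDisabler(Item item, string fieldName, string value)
    {
        using (new SecurityDisabler())
        {
            item.Editing.BeginEdit();
            item[fieldName] = value;
            item.Editing.EndEdit();
        }
    }

    // After: UserSwitcher runs the edit as a named account. Sitecore still
    // enforces that account's access rights, so the write is confined to
    // items the account may edit, and the change is attributed to it.
    public static bool EditAsServiceUser(Item item, string fieldName, string value, string serviceUserName)
    {
        if (!User.Exists(serviceUserName))
        {
            // Fail loudly: silently falling back to SecurityDisabler would defeat the point.
            throw new InvalidOperationException("Service account not found: " + serviceUserName);
        }

        User serviceUser = User.FromName(serviceUserName, true);
        using (new UserSwitcher(serviceUser))
        {
            // Check the right explicitly so a missing permission surfaces as a
            // clear "false" rather than an access-denied failure partway through the edit.
            if (!item.Access.CanWrite())
            {
                return false;
            }

            item.Editing.BeginEdit();
            item[fieldName] = value;
            return item.Editing.EndEdit();
        }
    }
}
```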
15. All non-implemented membership provider methods should throw not-supported exceptions (NotSupportedException).
16. Create the roles in the Sitecore domain instead of a specific domain.
17. Use locally managed domains in the case of multiple site implementations in a single Sitecore instance.
18. Turn off Auto Complete of Username on the Login Page
You can specify that Sitecore should not complete the username of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log into Sitecore on a shared or public computer. In addition, you can disable the Remember me checkbox.
· To disable auto complete of user names, open the web.config file and set the Login.DisableAutoComplete setting to true. This disables autocomplete on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx pages.
· To disable the Remember me checkbox on the login page, open the web.config file and set the Login.DisableRememberMe setting to true. This also ignores any existing Remember Me cookies, and all users have to log in again.
Hope this will help you.
Happy Sitecore :)