Friday, May 8, 2015

Think before GO-Live - Check Sitecore Security First

All development is done and you are planning to go live? Stop and think about security first. Security is the major concern for any web application and it should be implemented well to avoid vulnerabilities. Security itself is a very big topic and difficult to cover from every aspect, but we can still secure our site as much as possible.

Is your Sitecore application secure? Ask this question again and again: which checklist have you followed to make the system more secure?

Even if your Sitecore solution does not require authentication for users of the managed websites, you should consider Sitecore security when designing your information architecture.

Here I am listing a checklist that should be implemented before GO-LIVE.

1.       Protect your user password policy: enforce users to enter a strong password. Please refer to the blog for complete details:

2.       Ensure you have changed the default admin password: changing the password prevents unauthorized users from using the default password to access the admin account.
1.        Log in as the admin user:

2.        Go to the Security Editor >
3.        Go to the User Manager >

3.       Restrict anonymous access to Sitecore folders from IIS:
We should restrict the following folders:
·         /App_Config
·         /sitecore/admin
·         /sitecore/debug
·         /sitecore/shell/WebService
Below are the steps to change the permission level of each of these folders:
1.        Open IIS: Run > inetmgr
2.        Navigate to Web Sites\your instance name\folder name.
3.        Double-click Authentication under Features View.
4.        Disable Anonymous Authentication.

4.       Ensure your login page is served over HTTPS. If you need HTTPS on some (but not all) of your website’s pages, you might also want to consider the SSL Redirector module on the Sitecore Marketplace. It allows content items to be served over HTTPS by adding its template to the templates of the items you wish to be encrypted.
5.       Ensure that Client RSS Feeds are disabled if there is sensitive information: just disable the client RSS feed setting in web.config.

6.       Ensure that the only way to upload files is through the Media Library: with the Upload Watcher disabled, files placed in the /upload folder are not automatically uploaded to the Media Library.

7.       Ensure the correct license file is on the production server: install the correct license in each environment. Most importantly, do not install a license that allows content management in a content delivery environment. An improper license can increase the solution’s vulnerability to attack.
8.       Ensure you follow best practice when importing users from another system.
9.       Ensure custom errors are on: remember to update your production web.config to <customErrors mode="RemoteOnly" />. This lets you show a friendly error message to your site visitors should an error occur, instead of the detailed error page.

10.   Ensure your custom administrative pages are fully protected; never leave these pages unprotected.
11.   Prevent Cross Site Scripting (XSS) attacks: Cross Site Scripting (XSS) attacks occur when a user submits HTML, script or SQL code to your site via form fields. Client-side validation should prevent malicious data being entered, but remember that this relies on JavaScript, which is trivial to disable in the browser. Add the following attribute to the <httpRuntime> element in your web.config file to enable request validation:
12.   Ensure that security rights are assigned to roles and not to users.
13.   Ensure that the home item of each managed site has heavily restricted permissions, and grant access rights to its children and descendants instead.
14.   Use UserSwitcher instead of SecurityDisabler wherever possible when editing items programmatically.
15.   All non-implemented membership provider methods should throw NotSupportedException.
16.   Create roles in the Sitecore domain instead of a site-specific domain.
17.   Use locally managed domains in the case of multiple sites implemented in a single Sitecore instance.
18.   Turn off auto complete of the username on the login page.
You can specify that Sitecore should not complete the username of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log into Sitecore on a shared or public computer. In addition, you can disable the Remember me checkbox.
·         To disable auto complete of user names, open the web.config file and set the Login.DisableAutoComplete setting to true. This disables autocomplete on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx pages.
·         To disable the Remember me checkbox on the login page, open the web.config file and set the Login.DisableRememberMe setting to true. This also ignores any existing Remember Me cookies, and all users have to log in again.
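To make item 14 concrete, here is an added example (my own code, not from the original post or from Sitecore) showing the SecurityDisabler pattern beside the UserSwitcher form; the account name sitecore\ContentImporter, the item path and the Title field are placeholders.

```csharp
// Added example (not from the original post). Assumes a Sitecore 7/8 solution.
// The account "sitecore\ContentImporter" and the item path are placeholders.
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

public static class TitleUpdater
{
    // Risky: SecurityDisabler switches off every access check for the duration
    // of the using block, so the edit succeeds no matter who triggered the code
    // and no matter how the item's security is configured.
    public static void UpdateWithSecurityDisabler(Database master, string path, string title)
    {
        using (new SecurityDisabler())
        {
            Item item = master.GetItem(path);
            item.Editing.BeginEdit();
            item["Title"] = title;
            item.Editing.EndEdit();
        }
    }

    // Preferred: impersonate a dedicated, least-privilege account. Sitecore still
    // enforces that account's read and write rights, so a role mistake or a
    // tampered request cannot write to items the account was never granted.
    public static bool UpdateWithUserSwitcher(Database master, string path, string title)
    {
        // Placeholder service account; grant it write access only where needed.
        User importer = User.FromName(@"sitecore\ContentImporter", true);
        using (new UserSwitcher(importer))
        {
            Item item = master.GetItem(path); // null when the account lacks read access
            if (item == null || !item.Access.CanWrite())
            {
                return false; // denied by the account's rights, not silently bypassed
            }
            item.Editing.BeginEdit();
            item["Title"] = title;
            item.Editing.EndEdit();
            return true;
        }
    }
}
```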

Hope this will help you.

Happy Sitecore :)