Think before GO-Live - Check Sitecore Security First
All development is done and you are planning the GO-Live? Stop and think about security first. Security is a major concern for any web application and it must be implemented well to avoid vulnerabilities. Security itself is a very big topic and hard to cover from every angle, but we can still secure our site as much as possible.
Is your Sitecore application secure? Ask this question again and again: which checklist items have you actually followed to make the system more secure?
Even if your Sitecore solution does not require authentication for users of the managed websites, you should consider Sitecore security when designing your information architecture.
Here I am listing a checklist that should be completed before GO-LIVE.
1. Protect your users with a password policy: enforce strong passwords (length and complexity) and password expiration. Please refer to this blog post for complete details: http://sitecoresolution.blogspot.in/2014/05/sitecore-security-password-expiration.html
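As an added example (not part of the original post and not Sitecore documentation), the two fragments below show the ASP.NET SqlMembershipProvider entry that Sitecore's web.config uses for password rules, first with weak values typical of an out-of-the-box install and then hardened. The attribute names are those of System.Web.Security.SqlMembershipProvider; the concrete numbers (12 characters, one non-alphanumeric character, five failed attempts in ten minutes) and the regular expression are assumptions for illustration, so set them to your own policy.

```xml
<!-- Before (weak): a one-character password with no complexity is accepted.
     Values are typical of a default install; compare with your own web.config. -->
<add name="sql"
     type="System.Web.Security.SqlMembershipProvider"
     connectionStringName="core"
     applicationName="sitecore"
     minRequiredPasswordLength="1"
     minRequiredNonalphanumericCharacters="0"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="false"
     maxInvalidPasswordAttempts="5" />

<!-- After (hardened): length and complexity are enforced and repeated failures
     lock the account. The numbers and the regex are assumptions; adjust to your policy. -->
<add name="sql"
     type="System.Web.Security.SqlMembershipProvider"
     connectionStringName="core"
     applicationName="sitecore"
     minRequiredPasswordLength="12"
     minRequiredNonalphanumericCharacters="1"
     passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$"
     maxInvalidPasswordAttempts="5"
     passwordAttemptWindow="10"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="false" />
```

Two caveats: the provider only applies these rules when a password is created or changed, so existing weak passwords stay valid until they are reset (which is why expiration matters), and an account lockout can be triggered on purpose by an attacker who knows a user name, so watch the Sitecore log for repeated failures. Also check the hashAlgorithmType attribute on the parent <membership> element while you are in this part of the file.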
2. Ensure you have changed the default admin password: the default is publicly documented, so changing it prevents unauthorized users from using it to access the admin account.
1. Log in as the admin user.
2. Go to the Security Editor >
3. Go to the User Manager >
4. Select the admin user and change its password.
3. Restrict anonymous access to Sitecore folders from IIS:
Anonymous users should not be able to reach the Sitecore administrative folders, so disable anonymous authentication on each of those folders in IIS.
Below are the steps to change the permission level of a folder:
1. Open IIS Manager: Run > inetmgr.
2. Navigate to Sites\<your instance name>\<folder name>.
3. Double-click Authentication in Features View.
4. Disable Anonymous Authentication.
Afterwards, an anonymous request to the folder should receive HTTP 401; if the page still comes back, the change was not saved for that path.
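What IIS Manager actually writes when you complete the steps above, as an added illustration that is not part of the original post: because IIS locks the authentication sections at the server level, the per-folder override is stored in %windir%\System32\inetsrv\config\applicationHost.config as a <location> element rather than in the folder's web.config. The site name "MySitecoreSite" is a placeholder; /sitecore/admin (the folder holding the admin login page mentioned later on this page) is used as the example folder, and the same element is repeated for every folder on your list.

```xml
<!-- Constructed example of the applicationHost.config entry IIS Manager produces.
     The location path is "<site name>/<folder>"; both parts are placeholders here. -->
<location path="MySitecoreSite/sitecore/admin">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

The same element can be written from the command line with appcmd set config "MySitecoreSite/sitecore/admin" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost, which is handy for scripting the check across environments. Do not paste the element into the folder's own web.config instead: with the section locked, IIS answers every request to that folder with a 500.19 configuration error. And remember that disabling anonymous access only helps if another authentication method (for example Windows Authentication) is enabled for the staff who legitimately need the folder; otherwise nobody, including you, can reach it.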
4. Ensure your login page is served over HTTPS, so credentials are not sent in clear text. If you need HTTPS on some (but not all) of your website's pages, you might also want to consider the SSL Redirector module on the Sitecore Marketplace. It serves content items over HTTPS when you add its template to the base templates of the items you want encrypted.
5. Ensure that client RSS feeds are disabled if they could expose sensitive information: disable the client RSS feed setting in web.config.
6. Ensure that the only way to upload files is through the Media Library: disable the Upload Watcher (remove its HTTP module entry from web.config) so that files dropped in the /upload folder are not automatically added to the Media Library.
7. Ensure the correct license file is on the production server: install the correct license in each environment. Most important, do not install a license that allows content management in a content delivery environment; an improper license can increase the solution's exposure to attack.
8. Follow best practice when importing users from another system; in particular, grant rights to the imported users through roles rather than directly.
9. Ensure custom errors are on: remember to set <customErrors mode="RemoteOnly" /> in your production web.config. Visitors then see a friendly error page if an error occurs, instead of the ASP.NET error page, which discloses stack traces and file paths to anyone who can trigger an error.
10. Ensure your custom administrative pages are fully protected: never leave these pages reachable without authentication.
12. Ensure that security rights are assigned to roles and not to individual users.
13. Ensure that the home item of each managed site is heavily restricted, and grant access rights on its children and descendants instead.
14. Use UserSwitcher wherever possible instead of SecurityDisabler when editing items programmatically: SecurityDisabler bypasses every access check, while UserSwitcher runs the code as a specific user whose rights are still enforced.
15. All non-implemented membership provider methods should throw NotSupportedException rather than returning a default value.
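The difference between the two patterns in item 14, as an added C# example that is not code from the original post: both methods change a Title field on an item in the master database, but the first switches security off entirely while the second runs as a least-privileged service account and reports a denied write instead of silently bypassing it. The account name sitecore\ImportService, the item path and the Title field are assumptions; the Sitecore APIs used (SecurityDisabler, UserSwitcher, User.FromName, Item.Access.CanWrite) are real and come from Sitecore.Kernel.

```csharp
using System;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Diagnostics;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

// Added example, not code from the original post. Assumes a Sitecore solution that
// references Sitecore.Kernel and a dedicated service account "sitecore\ImportService"
// (hypothetical name) that has been granted write access only to the content it must touch.
public class TitleUpdater
{
    private const string ServiceUserName = @"sitecore\ImportService"; // assumption

    // Risky pattern: SecurityDisabler switches off every access check, so a bug in the
    // caller or a tampered item path can write anywhere in the content tree, and the
    // change is not attributable to a real user.
    public static void UpdateWithSecurityDisabler(string itemPath, string newTitle)
    {
        Database master = Factory.GetDatabase("master");
        using (new SecurityDisabler())
        {
            Item item = master.GetItem(itemPath);
            if (item == null) return;
            item.Editing.BeginEdit();
            item["Title"] = newTitle;
            item.Editing.EndEdit();
        }
    }

    // Preferred pattern: run as a real, least-privileged user. Access rights on the item
    // are still enforced, and Sitecore's audit log records that user as the editor.
    public static bool UpdateAsServiceUser(string itemPath, string newTitle)
    {
        if (!User.Exists(ServiceUserName))
        {
            Log.Error("Service user " + ServiceUserName + " is missing", typeof(TitleUpdater));
            return false;
        }

        // Second argument: treat the user as authenticated for the duration of the switch.
        User serviceUser = User.FromName(ServiceUserName, true);
        Database master = Factory.GetDatabase("master");

        using (new UserSwitcher(serviceUser))
        {
            // GetItem returns null both for a missing item and for one the user may not read.
            Item item = master.GetItem(itemPath);
            if (item == null) return false;

            // Explicit check so a denied write is logged instead of silently ignored.
            if (!item.Access.CanWrite())
            {
                Log.Warn(string.Format("{0} may not write {1}", serviceUser.Name, item.Paths.FullPath),
                         typeof(TitleUpdater));
                return false;
            }

            item.Editing.BeginEdit();
            try
            {
                item["Title"] = newTitle;
                return true;
            }
            finally
            {
                item.Editing.EndEdit();
            }
        }
    }
}
```

The practical check is the return value: a false from UpdateAsServiceUser means the service account's rights are too narrow for the item it was asked to edit, which is something you want to find out in testing rather than have papered over in production by a SecurityDisabler.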
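Item 15 applied to a whole provider, as an added example that is neither the post's nor Sitecore's code: the abstract base class below authenticates and looks users up through two hypothetical hooks (CheckCredentials and UserExists, which a subclass implements against the external system), reports its capabilities honestly through the provider properties, and throws NotSupportedException from every other MembershipProvider member. The policy values in the properties are assumptions. Registering a concrete subclass in web.config is the usual ASP.NET membership wiring and is not shown.

```csharp
using System;
using System.Collections.Specialized;
using System.Web.Security;

// Added example, not from the original post. A subclass supplies the two lookups
// (hypothetical names); every operation the external directory cannot perform throws
// NotSupportedException instead of returning a default value, so a caller can never
// mistake "not implemented" for "succeeded".
public abstract class ReadOnlyDirectoryMembershipProvider : MembershipProvider
{
    private string applicationName = "sitecore"; // assumption: Sitecore's default application name

    protected abstract bool CheckCredentials(string userName, string password);
    protected abstract bool UserExists(string userName);

    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        if (!string.IsNullOrEmpty(config["applicationName"]))
            applicationName = config["applicationName"];
    }

    public override string ApplicationName
    {
        get { return applicationName; }
        set { applicationName = value; }
    }

    // The one method that must never fall through to a default: a "return true" here
    // would log anyone in. Empty input is rejected before the directory is asked.
    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        return CheckCredentials(username, password);
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        if (!UserExists(username)) return null; // null is the documented "no such user" answer
        return new MembershipUser(Name, username, null, null, null, null, true, false,
            DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
    }

    // Capability flags: UI such as the password recovery page reads these, so they must
    // match what the directory really allows. Policy numbers are assumptions.
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 12; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 1; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }

    // Write and enumeration operations: refuse loudly. Returning true, "" or null from
    // these would make a password change or a deletion look successful when nothing happened.
    private static NotSupportedException Unsupported(string operation)
    {
        return new NotSupportedException(operation + " is not supported by the external directory provider");
    }

    public override bool ChangePassword(string username, string oldPassword, string newPassword) { throw Unsupported("ChangePassword"); }
    public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer) { throw Unsupported("ChangePasswordQuestionAndAnswer"); }
    public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status) { throw Unsupported("CreateUser"); }
    public override bool DeleteUser(string username, bool deleteAllRelatedData) { throw Unsupported("DeleteUser"); }
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords) { throw Unsupported("FindUsersByEmail"); }
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords) { throw Unsupported("FindUsersByName"); }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) { throw Unsupported("GetAllUsers"); }
    public override int GetNumberOfUsersOnline() { throw Unsupported("GetNumberOfUsersOnline"); }
    public override string GetPassword(string username, string answer) { throw Unsupported("GetPassword"); }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { throw Unsupported("GetUser by key"); }
    public override string GetUserNameByEmail(string email) { throw Unsupported("GetUserNameByEmail"); }
    public override string ResetPassword(string username, string answer) { throw Unsupported("ResetPassword"); }
    public override bool UnlockUser(string userName) { throw Unsupported("UnlockUser"); }
    public override void UpdateUser(MembershipUser user) { throw Unsupported("UpdateUser"); }
}
```

When such a provider is wired into Sitecore, exercise every User Manager action against it before go-live: each unsupported action should surface as an error in the UI and in the log, never as a quiet success.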
16. Create roles in the Sitecore domain instead of a site-specific domain.
17. Use locally managed domains in the case of multiple sites in a single Sitecore instance.
18. Turn off autocomplete of the username on the login page
You can specify that Sitecore should not complete the username automatically when users log in. This is useful, for example, if you do not want user names to be disclosed when content authors log in to Sitecore on a shared or public computer. In addition, you can disable the Remember me checkbox.
· To disable autocomplete of user names, open the web.config file and set the Login.DisableAutoComplete setting to true. This disables autocomplete on the Sitecore login forms at /sitecore/login/default.aspx and /sitecore/admin/login.aspx.
· To disable the Remember me checkbox on the login page, open the web.config file and set the Login.DisableRememberMe setting to true. This also ignores any existing Remember Me cookies, so all users have to log in again.
Hope this will help you.
Happy Sitecore!