This blog post describes some security best practices at the application level and the server level that can be applied to Sitecore CMS based implementations. Note that a few of these are not specific to Sitecore and could apply to any web-based application.
- Change the default password of the Sitecore “Admin” account. If possible, disable it and create named Administrator accounts instead.
- Delete any default users and roles (excluding Everyone, Anonymous, etc.).
- Create specific roles for specific areas. For example, authors belonging to one region may not need edit access to content in other regions.
- Implement Sitecore permissions at the Role/Group level and consider nested roles. Add users to groups and roles instead of assigning permissions directly to users. Disable inheritance if possible.
- Configure separate permissions for the “Home” item and the items beneath it, since in most cases authors do not update Home.
- Minimize the number of users with the Sitecore Administrator role.
- Configure separate web databases for CM (Preview) and CD (Live). Use the Publishing Target feature to implement this.
- If possible, disable or restrict the Publish Site option, since site-wide publishing can push unexpected or premature content live and will severely degrade performance on content delivery servers due to the large number of publishing actions.
- Implement Continuous Integration for development and deployments. Continuous Integration has many benefits and helps build an effective end product.
- Enforce SSL/TLS on all servers. Use the IIS URL Rewrite module to redirect any HTTP request to HTTPS.
- Turn off autocomplete and “Remember me” for the CMS login page.
  - Open the sitecore.config file and set the “Login.DisableAutoComplete” setting to “True”.
- Sitecore has many powerful administrative tools. All of them live in the “sitecore” folder under the website root (<Webroot>), reachable at https://<mywebsite.com>/sitecore/xxx. Disable access to the sitecore folder within the website folder on all Content Delivery servers. There are a couple of ways of doing this:
  - Use the IP Address and Domain Restrictions feature in IIS to limit access to the sitecore folder to “Localhost”. This only allows the tools to be accessed from within the server itself.
  - Navigate to <Webroot>\sitecore\admin and disable all the .aspx pages by renaming them to .disabled.
- Disable Anonymous Authentication in IIS for the following folders within the web root.
  - To deny anonymous users access to a folder, open IIS >> Web Sites >> sitecorwebsite >> click <folder name> >> in the middle pane double-click Authentication >> click Anonymous Authentication >> Disable (from the right pane). Repeat the same process for all the folders mentioned above.
- Change the hash algorithm used for password hashing. Open web.config and, in the <membership> node, set hashAlgorithmType to SHA512.
- Disable WebDAV on Content Delivery servers (not on Content Management). To disable WebDAV, go to the website files location <website>\App_Config\Sitecore\CMS.Core and rename Sitecore.WebDAV.config to Sitecore.WebDAV.config.disabled (Sitecore 9); for Sitecore 8.x this file is located in <website>\App_Config\Include.
- Secure the file upload functionality by:
  - Disabling Script and Execute permissions on the upload folder. In IIS, navigate to <Website>/upload >> Features View >> double-click Handler Mappings >> in the Actions pane select “Edit Feature Permissions” >> clear the Script and Execute check boxes.
  - Disabling the Upload Watcher: open Web.config and remove the following from the <system.webServer><modules> section:
    `<add type="Sitecore.Resources.Media.UploadWatcher,Sitecore.Kernel" name="SitecoreUploadWatcher"/>`
- Change the default SharedSecret value for the Media Request Protection feature (on both CM and CD servers). Go to <Website>\App_Config\Sitecore\CMS.Core, open Sitecore.Media.RequestProtection.config and change the default Media.RequestProtection.SharedSecret value to a random string. Make sure the new value is the same across all servers in a multi-server setup.
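As an added example (not code from the original post or from Sitecore), the following PowerShell script applies the server-side steps listed above to a Content Delivery server in one pass: the HTTP-to-HTTPS redirect, the localhost-only restriction on /sitecore, renaming the admin pages, disabling anonymous authentication on sitecore/admin, removing Script and Execute permissions from the upload folder, the SHA512 hashAlgorithmType and UploadWatcher edits in web.config, the WebDAV rename, and a randomly generated SharedSecret. It assumes a hypothetical site name “sitecorwebsite” (the placeholder used above), a hypothetical web root of C:\inetpub\wwwroot\sitecorwebsite, the Sitecore 9 config layout, and that the IIS URL Rewrite module and the IP and Domain Restrictions role service are installed.

```powershell
# Added example, not Sitecore's own tooling. Hypothetical values: site name,
# web root and Sitecore 9 config paths. Run elevated on the server after
# taking a backup of the web root and of applicationHost.config.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'sitecorwebsite'                       # assumed site name
$WebRoot  = 'C:\inetpub\wwwroot\sitecorwebsite'    # assumed web root
$SitePath = "IIS:\Sites\$SiteName"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'              # writes go to applicationHost.config <location> tags

# 1. Redirect every HTTP request to HTTPS (IIS URL Rewrite module).
$rules = '/system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='Redirect to HTTPS']"
if (-not (Get-WebConfiguration -PSPath $SitePath -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $rules -Name '.' `
        -Value @{ name = 'Redirect to HTTPS'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/match" -Name url -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name type -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name url -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$rule/action" -Name redirectType -Value 'Permanent'
}

# 2. Allow only loopback clients to reach /sitecore (IP and Domain Restrictions).
$ipSec = '/system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/sitecore" -Filter $ipSec `
    -Name allowUnlisted -Value $false
foreach ($ip in '127.0.0.1', '::1') {
    Add-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/sitecore" -Filter $ipSec `
        -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
}

# 3. Take the admin pages out of service by appending .disabled to each .aspx.
Get-ChildItem -Path "$WebRoot\sitecore\admin" -Filter '*.aspx' |
    Rename-Item -NewName { $_.Name + '.disabled' }

# 4. Deny anonymous users access to the admin tools folder.
$anon = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/sitecore/admin" -Filter $anon `
    -Name enabled -Value $false

# 5. Clear Script and Execute on the upload folder (accessPolicy=Read is what
#    "Edit Feature Permissions" writes when both boxes are unchecked).
Set-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/upload" `
    -Filter '/system.webServer/handlers' -Name accessPolicy -Value 'Read'

# 6. web.config: SHA512 membership hashing and no UploadWatcher module.
$webConfigPath = Join-Path $WebRoot 'web.config'
[xml]$webConfig = Get-Content -Path $webConfigPath -Raw
$membership = $webConfig.SelectSingleNode('/configuration/system.web/membership')
$membership.SetAttribute('hashAlgorithmType', 'SHA512')
$watcher = $webConfig.SelectSingleNode(
    "/configuration/system.webServer/modules/add[@name='SitecoreUploadWatcher']")
if ($watcher) { [void]$watcher.ParentNode.RemoveChild($watcher) }
$webConfig.Save($webConfigPath)

# 7. Disable WebDAV on CD (Sitecore 9 path; Sitecore 8.x keeps the file in App_Config\Include).
$webDav = Join-Path $WebRoot 'App_Config\Sitecore\CMS.Core\Sitecore.WebDAV.config'
if (Test-Path $webDav) { Rename-Item -Path $webDav -NewName 'Sitecore.WebDAV.config.disabled' }

# 8. Replace the default media request protection shared secret with 256 bits
#    of CSPRNG output. The same value must be deployed to every CM and CD server,
#    so print it once here and reuse it rather than regenerating per server.
#    Assumes the setting is stored as a value="" attribute on the <setting> element.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
$protPath = Join-Path $WebRoot 'App_Config\Sitecore\CMS.Core\Sitecore.Media.RequestProtection.config'
[xml]$prot = Get-Content -Path $protPath -Raw
$setting = $prot.SelectSingleNode("//setting[@name='Media.RequestProtection.SharedSecret']")
$setting.SetAttribute('value', $secret)
$prot.Save($protPath)
Write-Output "New Media.RequestProtection.SharedSecret (deploy to all servers): $secret"
```

Two caveats when running this: changing hashAlgorithmType only affects passwords hashed from that point on, so existing users will not be able to log in until their passwords are reset, and the IP restriction in step 2 is meant for Content Delivery servers only, since Content Management servers need the /sitecore folder reachable by authors.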
There are many other aspects to consider when securing the host on which the application is installed, and many other parameters to look at, from the network standpoint through to the application standpoint. However, implementing these security best practices will help reduce the extent of damage caused by exploitation.