Sitecore Security - Beyond the hardening guide

-
SecureAs with any publicly (or internally) accessible web application, it is vitally important to make sure that your Sitecore installation is appropriately configured to protect it against attacks from malicious forces on the net.

The primary reference to follow when configuring the security of your Sitecore instance is of course the Sitecore Security Hardening Guide.  However there are a few additional steps that you should consider following when configuring Sitecore to provide additional security against some known attack vectors where your Sitecore installation may be vulnerable.  All the recommendations and issues listed below appear to still be valid as of Sitecore v7.1

Extra restrictions on the /sitecore folder on delivery servers

The Hardening Guide recommends restricting Anonymous user access to the /sitecore/admin, /sitecore/debug and /sitecore/shell/WebService folders.  
My recommendation on delivery server instances is to go further and restrict anonymous access to all parts of the /sitecore folder apart from /sitecore/service.  This protects against other known and potentially unknown attack vectors within the Sitecore folder files.  One example I have seen documented is a insecure direct object reference attack which can allow a complete server compromise.  Restricting anonymous access to the /sitecore folder protects against this.

Dan McGuane from Sitecore Australia has pointed out to me that Sitecore does use the following path if you attempt to display a content item outside of a site root, which depending on how you structure content on your site may be impacted by this change (the user would get a 401 error): /Sitecore/content/globals/{item name} -- however this is not something that we would generally do in a Sitecore implementation.

Note when exposing the Sitecore Item Web API to external users you may also need to allow some additional anonymous user access, however you should very carefully read the associated documentation to understand how to configure it's specific security settings.

Disable XmlControls on delivery servers

Another potential vulnerability which can affect Sitecore installations is an XSS vulnerability which could allow an attacked to insert content such as iFrames into URLs being served by Sitecore.  This opens the possibility of an attacker directing a user to a URL on your site, but actually serving their site instead, which could obviously be a serious issue.

The attack is based on Sitecore's XmlControls functionality, although these are used in some parts of the Sitecore shell, this vector can easily be closed by an additional Sitecore configuration step in public facing sites.  In the <sites> section of Sitecore configuration,  include the attribute disableXmlControls="true" for each publicly accessible site.

Never make your Management server publicly accessible

This recommendation is really related to the two issues listed above, but I always in the strongest possible terms recommend to people not to allow public access to the Sitecore management server (yes, including having a single all-in-one Sitecore server acting as both management and delivery roles).  The management server is designed to allow access for people to manage content and does not appear to be sufficiently secure.

Instead, restrict access to this server to only a set of known good IP addresses via a firewall, establish a secure VPN bridge from your internal network into the hosting environment where you management server resides, or consider hosting the authoring server on your enterprise's internal network.

Don't Panic

I don't want this article to come across as saying that Sitecore isn't a secure system, however like every other system it needs to be properly configured to minimise security risks.

I believe the above steps that aren't yet documented in Sitecore's security documentation will make your installation even more secure, and I'm happy to report that our Sitecore installations have passed multiple external penetration tests with flying colours!

Comments

  1. Unknown30 September 2014 at 21:46

    Excellent advice regarding XML Control XSS vulnerability.

    ReplyDelete

Post a Comment

Popular posts from this blog

Sitecore - multi-site or multi-instance?

-
Image
I have been asked by a number of different people recently about when it is appropriate to maintain a number of different websites on a single Sitecore instance, versus deploying multiple Sitecore instances (on the same or separate hardware) to keep sites separate. As is usually the case, the answer is "it depends", but there are some key conditions that can lead to a clear choice between one over the other. Single Instance In the single instance approach, there is a single installation of Sitecore that hosts all of an organisations sites. This means that there is one IIS website hosting Sitecore per server all sharing the same Sitecore configuration and content. Pros Single set of user access credentials for access to all sites If you are not using LDAP integration for login to your Sitecore instance (or using some other customisation such as federated security through something like ADFS), having a single instance lets you use the same set of Sitec
Read more

Setting up TDS to work with Azure DevOps

-
Image
We recently had the challenge of moving across a legacy project, that we inherited, to run on Azure DevOps.  This project is five or six years old and still leverages TDS for packaging Sitecore items. Helpfully the code repository already had a copy of the nuget package contents checked in and referred to by the TDS project files, however this was designed to use an older version of visual studio (2015) than we had available as a part of the default Microsoft supplied build agent (2019).  In addition we needed to make sure the build agent was able to use our TDS license keys. Setting up the TDS license The old HedgeHog documentation has some good info on how to set up TDS to run on a build server.  This states to set up two environment variables: TDS_Owner and TDS_Key with the license information that the TDS tool will look for at runtime. Our first attempt to follow this instruction for DevOps was to create a powershell task to set the variables - task: PowerShell@2 displayName:
Read more

Cloud hosting Sitecore - High Availability

-
Image
The approach to hosting web facing systems has changed significantly over the last few years, with virtual machines almost completely replacing physical infrastructure.  These private cloud virtual server farms allowed server instances to be built and run on consolidated hardware, simplifying purchasing for IT departments.  This cloud computing pattern is generally known as Infrastructure as a Service (IaaS), and it simplified the way that physical hardware was purchased, whilst supporting the same approach to building and deploying applications that had been used before.  Public cloud hosted IaaS platforms remove the purchasing requirements, whilst providing a high degree of flexibility in how services are hosted, however IT teams still had to install and configure operating systems and other system software like content management and database systems the same way as with traditional environments.   Amazon Web Services and Microsoft Azure are currently the two leading IaaS cloud
Read more