Wednesday, October 27, 2010

Securing Sitecore Admin


Greetings,

Besides development topics, one of the most frequent questions I hear is about configuration. In the Sitecore world there are always plenty of options for configuring your production environment. Not to get carried away, but this is a critical aspect, especially for large enterprises. When a product is not flexible enough to be decoupled into components, this becomes quite a challenge: systems that force a large footprint are harder to maintain, back up and secure.
With Sitecore you can create a lightweight Content Delivery instance by cutting the configuration and files down to a mere 50 MB with a little effort. That gives you a more manageable and more secure environment, but what if you don't want to go through that exercise?

A quick and proven way to handle this is to rely on the native security features of IIS, and with IIS7 it is easier still: simply deny access to the /sitecore folder based on IP restrictions, so the shell is only reachable from the addresses you list.

1. Make sure the “IP Security” feature (the IP and Domain Restrictions role service) is installed for IIS.

2. Locate your site in IIS Manager and select the /sitecore folder.

3. In the Features view, open “IP Address and Domain Restrictions”.

4. Configure the allow/deny rules you want. For a content delivery server, set “Access for unspecified clients” to Deny under “Edit Feature Settings...” and add Allow entries only for the addresses or ranges that need the Sitecore shell; everything else gets a 403.6 (IP address rejected) for anything under /sitecore.

Isn’t it easy?

2 comments:

Ivan Buzyka said...

If we restrict access to the whole "/sitecore" folder, it can block some applications for some users under that, so they will not be able to get a working site, as I understand.
That's very useful functionality, but it should be used carefully.

Alex Shyba said...

Hi Ivan,

Thanks, yes, you are absolutely correct.

For example, service pages under \sitecore\service\ should be moved out and the appropriate settings in web.config adjusted.

Also, this applies to a content delivery instance only, where access to the Sitecore shell is restricted by license anyway.
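Putting the four steps in the post and the caveat from the comments together, below is the configuration the IIS Manager clicks amount to, as an added example that is not from the original post or from Sitecore. It denies /sitecore to everyone except the listed sources and shows one way to keep /sitecore/service reachable if you choose not to move those pages. The addresses (an assumed admin jump host at 192.168.10.5 and an assumed office range 10.0.0.0/24) are placeholders.

```xml
<!-- Added example, not from the original post. web.config of the content
     delivery site. Addresses are assumptions; substitute your own. -->
<configuration>
  <!-- /sitecore: deny by default, allow only listed sources. Anyone else gets
       HTTP 403.6 (IP address rejected).
       Note: system.webServer/security/ipSecurity is locked at server level by
       default. Unlock it first with
         %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity
       otherwise IIS refuses this block with a 500.19 configuration error.
       (When you use IIS Manager with the section still locked, it writes the
       same rules into applicationHost.config under a <location> for
       "SiteName/sitecore" instead.) -->
  <location path="sitecore">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="192.168.10.5" allowed="true" />
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Caveat from the comments: Sitecore's own error and redirect pages live
       under /sitecore/service and are served to anonymous visitors (settings
       such as ErrorPage and ItemNotFoundUrl point there). Either move them out
       and update those settings, as Alex suggests, or re-open just that folder
       as shown here. The child location overrides allowUnlisted for its path and
       <clear /> drops the inherited allow list so it is open to all clients. -->
  <location path="sitecore/service">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to verify after applying it: request /sitecore/login.aspx from an address that is not on the list and confirm you get 403.6 rather than the login page, and request one of the service pages from the same address and confirm it still renders. Also remember that IIS7's ipSecurity matches on the TCP peer address only, so if the content delivery server sits behind a load balancer or reverse proxy, every request appears to come from that device's IP and client-based rules will not behave as intended; in that case put the restriction on the proxy or on the network, not in IIS.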