Sitecore Best Practice Series:

 

Sitecore Security Best Practices

 

| # | Description | Rationale |
|---|-------------|-----------|
| 1 | Assign access restrictions to roles instead of users | Reduces security maintenance costs. |
| 2 | Utilize access right inheritance rather than assigning rights explicitly | Reduces security maintenance costs. |
| 3 | Utilize locally managed domains in single-server, multi-site Sitecore implementations | Restricts access of each website to its own domain, reducing the security risks. |
| 4 | Create new roles in the Sitecore domain | Sitecore domain roles are invisible to all other domains, enhancing security. |
| 5 | Prevent configuration files from being served by the server | Exposing Sitecore configuration settings presents a high security risk. |
| 6 | Make sure the /data folder is not accessible by anonymous users | The data folder stores information that may assist intruders in finding vulnerabilities; restricting access to this folder eliminates that risk. |
| 7 | Enforce the “need-based” security principle | The need-based security principle states that all access rights should initially be denied and only those that are required should be granted. |
| 8 | Remove inheritance rather than explicitly denying access rights | Sitecore items inherit Allow permissions from their parents; removing the inheritance removes all such rights. |
| 9 | Disable the default “admin” user and create a new one with administrator privileges | The default “admin” account has more than just administrator privileges; for instance, it is the only account that can ignore workflows by default. |
| 10 | Trap code exceptions as close as possible to the source | Reduces the security risk of error exposure. |
| 11 | Separate CM from CD servers | Content Delivery servers should be tightly hardened, which is not acceptable in the Content Management environment. |
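
One way to verify items 5 and 6 after hardening is to request the sensitive paths anonymously and confirm nothing is served. This is an added example, not code from the original page or from Sitecore; the `/web.config` probe path, the function names and the `cm.example.test` host are assumptions, and the sample responses are constructed so the script runs offline.

```python
import urllib.error
import urllib.request

# /data/ is the folder named in item 6; /web.config is the standard ASP.NET
# configuration file, assumed here as a representative path for item 5.
DEFAULT_PATHS = ("/web.config", "/data/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=5):
    """Return the HTTP status of an anonymous GET (no cookies, no auth)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to a verdict for a path that must not be served."""
    if 200 <= status < 300:
        return "EXPOSED"      # content (or a soft-404 page) was returned
    if status in (401, 403, 404):
        return "blocked"
    if 300 <= status < 400:
        return "redirected"   # usually a login redirect; confirm the target
    return "review"           # e.g. a server error; inspect manually


def audit(base_url, paths=DEFAULT_PATHS, fetch=fetch_status):
    """Check each path anonymously; `fetch` is injectable for offline tests."""
    base = base_url.rstrip("/")
    return {p: classify(fetch(base + p)) for p in paths}


if __name__ == "__main__":
    # Constructed responses standing in for a server, so this runs offline.
    fake = {"https://cm.example.test/web.config": 404,
            "https://cm.example.test/data/": 200}
    for path, verdict in audit("https://cm.example.test", fetch=fake.__getitem__).items():
        print(f"{verdict:10} {path}")
```

Run it against your own CM and CD hosts by calling `audit()` with the real base URL and the default `fetch`; any `EXPOSED` verdict means the path is still reachable without authentication.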