Sitecore Best Practice Series:

 

Sitecore Security Best Practices

 

#PracticeRationale
1. Use publish:begin or publish:end events to clear custom cachesUse Sitecore caching as much as possible to avoid redundancy and unnecessary usage of additional resources, however, if custom ASP.NET caching is used, unlike Sitecore cache, it is not cleared automatically with a publish, therefore, a custom “cache clearer” should be triggered before or after the publish. If makes functional sense, it helps storing custom caches using Sitecore caching facilities, which removes the need for creating custom cache management functionality.
2. Separate CM from CD servers in productionContent Delivery servers should be tightly hardened for security, which is not acceptable in the Content Management environment.
3. Trap code exceptions as close as possible to the sourceThis practice helps reduce the security risk of error exposure.
4. Disable the default “admin” user and create a new one with administrator privilegesThe default “admin” account has more than just administrator privileges; for instance, it is the only account that can ignore workflows by default. Disabling it also increases security by changing the username, which is 50% of the login information.
5. Remove inheritance rather than explicitly denying access rightsSitecore items inherit Allow permissions from their parents, removing the inheritance will remove all such rights, simply the security model, and make it easier to troubleshoot security issues.
6. Enforce the “need-based” security principleNeed-based security principle states that all access rights should initially be denied and only particular one ones, that are required – given. This principle help reduce security risk.
7. Make sure the /data folder is not accessible by anonymous usersData folder stores information that may assist intruders in finding vulnerabilities, restricting access to this folder eliminates this security risk.
8. Prevent configuration files from being served by the IISFiles in the App_Config folder are restricted by default; be careful about creating other setting files outside of that folder.
9. Create new Roles in Sitecore domainsSitecore domain roles are invisible to all other domains, enhancing security.
10. Use individual security domains for each websiteRestricts access of each website to its own domain, reducing security risks.
11. Use access right inheritance instead of assigning rights explicitlyReduces security maintenance costs.
12. Assign access restrictions to roles instead of usersReduces security maintenance costs.

%d bloggers like this: