Securing the Sitecore Admin Interface
It has become fairly commonplace to hear that yet another corporate or government website has been hacked. Despite these news stories, many Sitecore customers fail to secure the most common entry point into their environment: the client interface. Sitecore strongly recommends limiting access to this interface on every content server to authorized personnel only. In this blog we will review several approaches to accomplishing this in your environment.
Implement IP-based security restrictions
This method limits access to the Sitecore client interface to specific IP addresses. It is a good approach if you have a limited number of authors whose IP addresses do not change.
Install “IP and Domain Restrictions” feature
- On the taskbar, click Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IP and Domain Restrictions. Click Next.
- On the Select features page, click Next.
- On the Confirm installation selections page, click Install.
Add IP restrictions in IIS on the /sitecore/admin, /sitecore/login and /sitecore/shell folders and on the /sitecore/default.aspx page
- Open Internet Information Services (IIS) Manager:
- For Windows Server 2012 or Windows Server 2012 R2 – On the taskbar select Server Manager, select Tools and then Internet Information Services (IIS) Manager.
- For Windows Server 2008 or Windows Server 2008 R2 – On the taskbar click Start, point to Administrative Tools and then select Internet Information Services (IIS) Manager.
- In the Connections pane, expand the server name, expand Sites, and then select the site, application or folder for which you want to add IP restrictions (for this guide, each of the /sitecore folders and the /sitecore/default.aspx page listed above, in turn).
- In the Home pane, double-click the IP Address and Domain Restrictions feature.
- In the IP Address and Domain Restrictions feature, click Edit Feature Settings… in the Actions pane, set Access for unspecified clients to Deny, and click OK. This turns the list into an allow-list; clients that are not listed receive a 403 response.
- Click Add Allow Entry… in the Actions pane, enter the IP address or address range of each authorized author, and click OK.
To learn more about IP restrictions in IIS, see this Microsoft article.
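The IIS Manager steps above, as a script. This is an added example and not code from the original post; it uses the WebAdministration module that ships with IIS, and the site name and the author address ranges in it are assumptions to be replaced with your own.

```powershell
# Added example, not from the original post: allow-list author addresses on the Sitecore
# client paths with the WebAdministration module. Site name and address ranges are assumed.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed site name
$sitePath = "IIS:\Sites\$site"
$paths    = 'sitecore/admin', 'sitecore/login', 'sitecore/shell', 'sitecore/default.aspx'
$authors  = @(                   # assumed author networks (constructed, documentation ranges)
    @{ ipAddress = '203.0.113.0';  subnetMask = '255.255.255.0'   }  # office LAN
    @{ ipAddress = '198.51.100.7'; subnetMask = '255.255.255.255' }  # VPN egress host
)

# ipSecurity is locked at server level by default; unlock it so it can be set per location.
Set-WebConfiguration -Filter '/system.webServer/security/ipSecurity' -PSPath 'IIS:\' `
    -Metadata overrideMode -Value Allow

foreach ($path in $paths) {
    # Start from a clean section at this location so re-running does not duplicate entries.
    Clear-WebConfiguration -Filter '/system.webServer/security/ipSecurity' -PSPath $sitePath -Location $path

    # allowUnlisted=false is what makes this an allow-list: anything not added below gets 403.6.
    Set-WebConfigurationProperty -Filter '/system.webServer/security/ipSecurity' -Name allowUnlisted `
        -Value $false -PSPath $sitePath -Location $path

    foreach ($net in $authors) {
        Add-WebConfigurationProperty -Filter '/system.webServer/security/ipSecurity' -Name '.' `
            -Value @{ ipAddress = $net.ipAddress; subnetMask = $net.subnetMask; allowed = 'true' } `
            -PSPath $sitePath -Location $path
    }
}

# Verify: every protected path should show allowUnlisted=False and only the author entries.
foreach ($path in $paths) {
    $unlisted = (Get-WebConfigurationProperty -Filter '/system.webServer/security/ipSecurity' `
        -Name allowUnlisted -PSPath $sitePath -Location $path).Value
    $entries  = Get-WebConfiguration -Filter '/system.webServer/security/ipSecurity/add' `
        -PSPath $sitePath -Location $path |
        ForEach-Object { "$($_.ipAddress)/$($_.subnetMask)=$($_.allowed)" }
    "{0,-24} allowUnlisted={1} entries: {2}" -f $path, $unlisted, ($entries -join ', ')
}
```

After running it, request one of the paths from an address that is not listed and confirm you get a 403 (sub-status 6, "IP address rejected"). If the content server sits behind a load balancer or reverse proxy, IIS sees the proxy's address rather than the author's; IIS 8 and later can evaluate X-Forwarded-For instead (the enableProxyMode attribute of ipSecurity), but only enable that when the proxy overwrites any client-supplied X-Forwarded-For header, otherwise the restriction can be bypassed by sending the header yourself.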
Disable Anonymous access in IIS
This method adds an additional layer of protection by requiring authentication from users who try to access the Sitecore client interface. Note that once Anonymous Authentication is disabled, another authentication method (typically Windows Authentication) must be enabled on the same paths; otherwise IIS returns 401 to everyone, authors included. Follow the steps below to implement it.
- Open IIS Manager.
- In the Connections pane, navigate to Sites\Default Web Site\App_Config.
- In Features View, double-click Authentication.
- In the Authentication window, select Anonymous Authentication and in the Actions panel, click Disable.
- Repeat these steps for the /sitecore/admin, /sitecore/login and /sitecore/shell folders and for the /sitecore/default.aspx page.
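The same procedure as a script, including the second authentication method that the IIS Manager steps leave implicit. This is an added example, not code from the original post; the site name is an assumption, and it uses the WebAdministration and ServerManager modules.

```powershell
# Added example, not from the original post: disable Anonymous Authentication on the paths
# listed above and enable Windows Authentication on the Sitecore client paths so that IIS
# still has a way to authenticate authors. Site name is assumed.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed site name
$sitePath = "IIS:\Sites\$site"
$auth     = '/system.webServer/security/authentication'
$paths    = 'App_Config', 'sitecore/admin', 'sitecore/login', 'sitecore/shell', 'sitecore/default.aspx'

# Windows Authentication is an optional IIS feature; it must be installed before it can be enabled.
if (-not (Get-WindowsFeature Web-Windows-Auth).Installed) { Install-WindowsFeature Web-Windows-Auth }

# Both authentication sections are locked at server level by default; unlock them for per-location use.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    Set-WebConfiguration -Filter "$auth/$section" -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
}

foreach ($path in $paths) {
    Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false `
        -PSPath $sitePath -Location $path

    # Nothing in App_Config should ever be served, so leaving it with no authentication method
    # at all (401 for everyone) is the intent. The Sitecore paths need a second method, or
    # authors are locked out with 401.2 as well.
    if ($path -ne 'App_Config') {
        Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication" -Name enabled -Value $true `
            -PSPath $sitePath -Location $path
    }
}

# Verify the resulting state per path: Anonymous should be False everywhere,
# Windows True on the Sitecore paths.
$report = foreach ($path in $paths) {
    [pscustomobject]@{
        Path      = $path
        Anonymous = (Get-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled `
                        -PSPath $sitePath -Location $path).Value
        Windows   = (Get-WebConfigurationProperty -Filter "$auth/windowsAuthentication" -Name enabled `
                        -PSPath $sitePath -Location $path).Value
    }
}
$report | Format-Table -AutoSize
```

With this in place a browser is challenged for Windows credentials before it ever reaches the Sitecore login page, and the Sitecore login still applies afterwards. Because the challenge comes from IIS, it protects the login page itself, not just what is behind it.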
Disable Sitecore system pages via URL Rewrite module
This is my personal favorite because it is the fastest to implement and completely blocks out all Sitecore system requests on the content delivery server. You will need to have the URL Rewrite module installed.
Add the following snippet to the web.config file of the content delivery server:
    <system.webServer>
      …
      <rewrite>
        <rules>
          <rule name="Protect Sitecore CMS" stopProcessing="true">
            <match url="^sitecore/(admin|login|debug|shell).*[^s]*$" />
            <action type="Redirect" url="http://{HTTP_HOST}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
It redirects any request whose path starts with /sitecore/admin, /sitecore/login, /sitecore/debug or /sitecore/shell (matched case-insensitively, as URL Rewrite rules are by default) to the home page of the website. Two things to keep in mind: the pattern does not match /sitecore/default.aspx, which the sections above list among the paths to protect, so add it (or any other system path you rely on) to the pattern explicitly; and a redirect still tells a probing client that the path exists, so on a content delivery server you may prefer to answer with a 404 (an action of type CustomResponse with statusCode 404) instead. The redirect target is also hard-coded to http://, so change it if the site is served over HTTPS.
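Before relying on the rule, it is worth checking which request paths its pattern actually matches. The following is an added check, not code from the original post: it reproduces what URL Rewrite feeds to the match (the path without its leading slash and without the query string, compared case-insensitively) and runs the page's pattern over a constructed list of sample paths.

```powershell
# Added example, not from the original post: coverage check for the rewrite rule's pattern.
# The sample paths are constructed for the check.
$pattern = '^sitecore/(admin|login|debug|shell).*[^s]*$'   # the pattern from the web.config above
$rx = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern, 'IgnoreCase'

function Test-RewriteCoverage {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # URL Rewrite's {URL}/match url: path only, no query string, no leading slash.
        $url = ($p -split '\?')[0].TrimStart('/')
        [pscustomobject]@{ Path = $p; Blocked = $rx.IsMatch($url) }
    }
}

$samples = @(
    '/sitecore/admin/cache.aspx'
    '/sitecore/login?returnUrl=%2fsitecore'
    '/sitecore/shell/Applications/Content%20Editor.aspx'
    '/SITECORE/Shell/'                   # case differs from the pattern
    '/sitecore/debug/default.aspx'
    '/sitecore/default.aspx'             # listed in the sections above
    '/sitecore/service/keepalive.aspx'   # a Sitecore service page outside the four folders
    '/sitecore'                          # bare path
)

Test-RewriteCoverage -Paths $samples | Format-Table -AutoSize
```

The four folder prefixes and the upper-cased variant report Blocked=True; /sitecore/default.aspx, /sitecore/service/keepalive.aspx and the bare /sitecore report Blocked=False and still reach Sitecore. Run the function over the full list of system paths you intend to block whenever the pattern changes.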
We always recommend that customers check Sitecore's website for the latest best practices. You can find the security hardening guidelines for version 8.2 here.
For a complete security audit, architecture and performance assessment of your Sitecore instance, reach out to our experts.
