Security considerations

Current version: 8.1

Sitecore recommends that you follow all the security hardening instructions described in our documentation. In addition, the way you implement your Sitecore solution has a significant effect on the security of your website and it may require additional security-related coding and configuration.

Sitecore is not responsible for the security of any other software products that you use with your website. We strongly recommend that you install every available service pack and update for all of the software products that you use.

If you would like to receive notifications about new security bulletins, you can subscribe to the Security Bulletins RSS Feed.

General security recommendations

Although Sitecore can run on several different operating systems, we recommend that you use the newest operating systems supported by Sitecore, with the most up-to-date security features. Use the Windows Update / Automatic Updates service to keep all your client computers and servers up to date with the most recent security updates and service packs.

You should also create a disaster recovery plan to ensure the rapid resumption of services should a disaster occur. The recovery program should include:

  • A plan for acquiring new or temporary equipment.

  • A plan for restoring backups.

  • Testing the recovery plan.

Change the administrator password

As an extra layer of protection, Sitecore recommends that you create a new administrator account, with a unique name, and delete the out-of-the-box administrator account.

Before you deploy your Sitecore installation, you must change the administrator password to a strong password. Changing the password prevents unauthorized users from using the default password to access the admin account.

Enforce a strong password policy

Sitecore leverages the Microsoft ASP.NET Membership Provider as the out-of-the-box user management system. Sitecore recommends that you change the password policy to one that works for your organization.

In the web.config file, in the <membership> section, you can set the following properties:

  • minRequiredPasswordLength

  • minRequiredNonAlphanumericCharacters

  • maxInvalidPasswordAttempts

  • passwordAttemptWindow

  • passwordStrengthRegularExpression
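The following <membership> fragment is an added example, not taken from a Sitecore installation, showing the five properties above applied to the SQL provider that backs the Sitecore membership provider; the provider names, types and connection string name are assumed to match a standard Sitecore web.config, and the hardened values and regular expression are illustrative choices for your own policy:

```xml
<!-- Assumed layout of the <membership> section in a Sitecore web.config.
     Only the five password-policy attributes are the point of this example;
     verify the provider names and types against your own installation. -->
<membership defaultProvider="sitecore">
  <providers>
    <clear />
    <!-- Sitecore's own provider delegates to the provider named in realProviderName -->
    <add name="sitecore"
         type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel"
         realProviderName="sql"
         providerWildcard="%"
         raiseEvents="true" />
    <!-- The ASP.NET SqlMembershipProvider is where the policy attributes apply.
         A freshly installed site typically ships with a very weak policy
         (e.g. minRequiredPasswordLength="1", minRequiredNonAlphanumericCharacters="0");
         the values below are a hardened example. -->
    <add name="sql"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="core"
         applicationName="sitecore"
         minRequiredPasswordLength="12"
         minRequiredNonAlphanumericCharacters="1"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}$"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false" />
  </providers>
</membership>
```

maxInvalidPasswordAttempts failures within passwordAttemptWindow minutes lock the account, and a locked account must be unlocked by an administrator; passwordStrengthRegularExpression is checked in addition to the length and non-alphanumeric minimums, so all three must agree with each other.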

For more information about these properties, see Microsoft’s documentation:

Separate your content management and content delivery servers

As part of a defence-in-depth strategy, you should aim to reduce the attack surface of your deployment.

Sitecore therefore recommends that you deploy separate content management (internal only) and content delivery (internet facing) servers in a production environment. Furthermore, you should not expose your content management environment to the internet.

If you have to expose your content management environment to the internet, you must:

  • Use HTTPS to secure the content management server.

  • Consider using IP Filtering to allow only whitelisted clients to connect to the Content Management environment, or

  • Consider using the Dynamic IP Address Restrictions feature that is available in IIS.

Protect the connectionStrings section in the web.config file

Sitecore stores sensitive information in the web.config file in the <connectionStrings> section.

You should encrypt the <connectionStrings> section to prevent this information from being exposed if the web.config file is accessed without authorization.

The Microsoft ASP.NET IIS Registration Tool (aspnet_regiis.exe) can be used to encrypt this section with the -pe or -pef options.

Important

The Microsoft ASP.NET IIS Registration Tool uses the machine key to perform the encryption and therefore you must separately encrypt the web.config file on each computer that you install Sitecore on.

For more information about ASP.NET IIS Registration Tool, see Microsoft’s documentation:

MongoDB

MongoDB can be secured at the network level by default. However, you should follow MongoDB’s best practices to harden the security of your Sitecore installation.

For more information about MongoDB security, visit:
