Platform Administration and Architecture

Deny anonymous users access to a folder

Abstract

How to deny anonymous Sitecore users access to key folders and a guide to what folders should be secured.

Applies to

All core roles except Content Management.

Sitecore Installation Framework

Anonymous user access to folders is not disabled by default.

Azure Toolkit

Anonymous user access to folders is disabled by default.

You can improve security if you prevent anonymous users from accessing certain key folders. In the Internet Information Services (IIS) manager, you should prevent anonymous users from accessing the following folders:

  • /App_Config

  • /sitecore/admin

  • /sitecore/debug

  • /sitecore/login

  • /sitecore/shell/WebService

To deny anonymous users access to a folder:

  1. Open IIS.

  2. Navigate to Web Sites\Default Web Site\App_Config.

  3. In the App_Config folder, in the IIS section, double-click Authentication.

  4. In the Authentication folder, click Anonymous Authentication and in the Actions panel, click Disable.

  5. Restart IIS.

Repeat this procedure for the admin folder (/sitecore/admin), the debug folder (/sitecore/debug), and the WebService folder (/sitecore/shell/WebService).
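
The same procedure can be scripted so that every folder is handled in one pass and the result is read back. The following PowerShell is an added example, not part of the original Sitecore documentation. It assumes the site is named Default Web Site, as in step 2, and covers the four folders the procedure names. Run it in an elevated session on the IIS server.

```powershell
#Requires -RunAsAdministrator
# Added example (not Sitecore's own script): scripted form of steps 1-5 above.
Import-Module WebAdministration

# Assumption: the site is named "Default Web Site", as in step 2.
$SiteName = 'Default Web Site'
$Filter   = 'system.webServer/security/authentication/anonymousAuthentication'

# The four folders the procedure names, relative to the site root.
$Folders = @('App_Config', 'sitecore/admin', 'sitecore/debug', 'sitecore/shell/WebService')

if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    throw "IIS site '$SiteName' not found."
}

foreach ($folder in $Folders) {
    # Writes a <location path="site/folder"> entry in applicationHost.config
    # with Anonymous Authentication disabled for that folder.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$folder" `
        -Filter $Filter -Name enabled -Value $false
}

# Read the setting back so a folder that was missed is visible in the output.
$report = foreach ($folder in $Folders) {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$folder" `
        -Filter $Filter -Name enabled).Value
    [pscustomobject]@{ Folder = "/$folder"; AnonymousEnabled = $enabled }
}
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.AnonymousEnabled }) {
    throw 'Anonymous Authentication is still enabled on at least one folder.'
}

# Step 5: restart IIS.
& iisreset.exe /restart
```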