Restrict access to the client


How to restrict access to Sitecore client with IP Security or by disabling anonymous access.

Applies to

All Core roles except Content Management.

Sitecore Installation Framework

Anonymous users access to folders is not disabled by default.

Azure Toolkit

Anonymous user access to folders is disabled by default.

Unauthorized access to Sitecore client is a potential security risk, and we recommend that you prevent access to it on all instances where you do not need it.

You can restrict access to the client in following ways:

  • Disable IIS anonymous access.

  • Disable Forms authentication.

To restrict access to the client, disable IIS anonymous access:

  1. Open the IIS Manager application.

  2. To see a list of all you IIS websites, in the Connections pane, double-click the name of your server and then double-click the Sites icon.

  3. Double-click the website of the role you want to configure.

  4. Click the first folder or file from this list:

    • <webroot>\App_Config\

    • <webroot>\sitecore\admin\

    • <wwwroot>\sitecore\debug\

    • <webroot>\sitecore\login\

    • <webroot>\sitecore\shell\

    • <webroot>\sitecore\default.aspx

    • <webroot>\sitecore modules\debug\

    • <webroot>\sitecore modules\Shell\

    • <webroot>\xsl\


    To select a file instead of a folder, right-click the role website and click Switch to Content View to see the website files. Then click the file, right-click the role website again, and click Switch to Feature View.

  5. In the center application pane, in the ASP.NET section, double-click the .NET Authorization Rules icon.

    Screenshot showing how to access the IIS .NET Authorization Rules for a folder or a file.
  6. In the Actions pane, click Add Deny Rule.

    Screenshot showing how to add an IIS Deny Rule to a folder or a file.
  7. In the Add Deny Authorization Rule window, select All anonymous users and click OK.

    Screenshot showing how to configure an IIS Deny Rule for a folder or file.
  8. Repeat steps 5 to 7 for all the listed folders and files in step 4.

  9. In the Connections pane, click the name of your server.

  10. To restart IIS and activate your configurations, in the Actions pane, in the Manage Server section, click Restart .


This procedure creates a directory-specific web.config file for each folder and file. If you prefer to keep all your configurations in the application-specific <wwwroot>\Web.config file, see the Microsoft documentation on How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application.

If you disable Forms authentication, Sitecore will not handle any requests for authentication.

To disable Forms authentication:

  1. Open the <webroot>\Web.config file.

  2. Locate the authentication node.

  3. Change the mode attribute from Forms to None.

    <authentication mode="None">