Securing Experience Manager
Apply vendor best practices to all application roles, storage roles, and indexes. The following tasks are specific to Sitecore.
Application roles
The XP Single topology technically supports a combined Content Delivery/Content Management role. This combination is not recommended in a production environment.
Secure the Content Delivery role
The following tasks apply to all core roles:
- Allow or deny users access to web resources
- Change the administrator password
- Disable administrative tools
- Disable client RSS feeds
- Disable SQL Server access from XSLT
- Enable HTTPS for core roles
- Enable HTTPS for Content Search
- Increase login security
- Limit access to .XML, .XSLT, and .MRT files
- Change the hash algorithm for password encryption
- Protect media requests
- Remove header information from responses sent by your website
- Secure the file upload functionality
- Limit access to PhantomJS
- Secure Sitecore.Services.Client
- Secure the Telerik controls
- IP hashing
- Enforce a strong password policy
- Protect the connection string passwords from unauthorized access
One additional task is specific to the Content Delivery role: enabling FIPS. Enabling FIPS is no longer mandatory; only enable it if you are legally required to do so.
Secure the Content Management role
The following tasks apply to all core roles:
- Allow or deny users access to web resources
- Change the administrator password
- Disable administrative tools
- Disable client RSS feeds
- Disable SQL Server access from XSLT
- Enable HTTPS for core roles
- Enable HTTPS for Content Search
- Increase login security
- Limit access to .XML, .XSLT, and .MRT files
- Change the hash algorithm for password encryption
- Protect media requests
- Remove header information from responses sent by your website
- Secure the file upload functionality
- Limit access to PhantomJS
- Secure Sitecore.Services.Client
- Secure the Telerik controls
- IP hashing
- Enforce a strong password policy
- Protect the connection string passwords from unauthorized access
One additional task is specific to the Content Management role: enabling FIPS. Enabling FIPS is no longer mandatory; only enable it if you are legally required to do so.
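Two items on the Content Delivery and Content Management checklists above, "Remove header information from responses sent by your website" and "Limit access to .XML, .XSLT, and .MRT files", are both implemented in the site's web.config. The following audit is an added example, not Sitecore's own code: it parses a web.config and reports which of those settings are missing. The two config fragments are constructed for the example; a weak one with nothing hardened and a hardened one with the settings applied. The element and attribute names (requestFiltering removeServerHeader and fileExtensions, httpProtocol customHeaders, httpRuntime enableVersionHeader) are the standard IIS/ASP.NET ones; which exact values Sitecore recommends for a given version is an assumption here and should be taken from the vendor guidance the checklist items link to.

```python
"""Audit an IIS/ASP.NET web.config for two Sitecore checklist items: removing
server/version headers from responses and denying direct requests for .xml,
.xslt and .mrt files.

Added example, not Sitecore's own code.  Both web.config fragments below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a config with none of the hardening applied.
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering />
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: the same config with the checklist items applied.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <!-- Stops ASP.NET from sending X-AspNet-Version. -->
    <httpRuntime targetFramework="4.8" enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- removeServerHeader requires IIS 10 or later. -->
      <requestFiltering removeServerHeader="true">
        <fileExtensions>
          <add fileExtension=".xml" allowed="false" />
          <add fileExtension=".xslt" allowed="false" />
          <add fileExtension=".mrt" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Extensions the checklist says must not be served directly.
RESTRICTED_EXTENSIONS = (".xml", ".xslt", ".mrt")


def audit_web_config(config_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    findings = []

    # 1. ASP.NET sends X-AspNet-Version unless httpRuntime disables it.
    runtime = root.find("./system.web/httpRuntime")
    if runtime is None or runtime.get("enableVersionHeader", "true").lower() != "false":
        findings.append("X-AspNet-Version not disabled (httpRuntime enableVersionHeader)")

    # 2. The Server header is stripped by request filtering on IIS 10+.
    rf = root.find("./system.webServer/security/requestFiltering")
    if rf is None or rf.get("removeServerHeader", "false").lower() != "true":
        findings.append("Server header not removed (requestFiltering removeServerHeader)")

    # 3. X-Powered-By is a static IIS custom header and must be removed explicitly.
    removed = {
        el.get("name", "").lower()
        for el in root.findall("./system.webServer/httpProtocol/customHeaders/remove")
    }
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By not removed (httpProtocol customHeaders)")

    # 4. Each restricted extension needs an explicit allowed="false" entry.
    denied = set()
    if rf is not None:
        for add in rf.findall("./fileExtensions/add"):
            if add.get("allowed", "true").lower() == "false":
                denied.add(add.get("fileExtension", "").lower())
    for ext in RESTRICTED_EXTENSIONS:
        if ext not in denied:
            findings.append("%s requests not denied (requestFiltering fileExtensions)" % ext)

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_web_config(cfg) or "no findings")
```

Run it against the deployed web.config of each Content Delivery and Content Management instance rather than the one in source control, since transforms applied at deployment time are what the server actually uses. Denying .xml at the request-filtering level also blocks any XML the site legitimately serves, so treat the audit's expectations as the baseline and take the exceptions from the vendor guidance the checklist links to.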
Secure the Content Publishing role
The following tasks should be performed on the Content Publishing role:
Storage roles
Web database
No additional Sitecore-specific tasks.
Master database
No additional Sitecore-specific tasks.
Core database
No additional Sitecore-specific tasks.
Private Session State Store
No additional Sitecore-specific tasks.
Shared Session State Store
No additional Sitecore-specific tasks.
Forms database
No additional Sitecore-specific tasks.
Indexes
Web index
No additional Sitecore-specific tasks.
Master index
No additional Sitecore-specific tasks.
Core index
No additional Sitecore-specific tasks.