Securing Experience Platform
Apply vendor best practices to all application roles, storage roles, and indexes. The following tasks are specific to Sitecore.
Application roles
xDB Processing
The following tasks apply to all core roles:
- Change the administrator password
- Disable administrative tools
- Disable client RSS feeds
- Disable SQL Server access from XSLT
- Enable HTTPS for core roles
- Enable HTTPS for Content Search
- Increase login security
- Limit access to .XML, .XSLT, and .MRT files
- Change the hash algorithm for password encryption
- Protect media requests
- Remove header information from responses sent by your website
- Secure the file upload functionality
- Limit access to PhantomJS
- Secure Sitecore.Services.Client
- Secure the Telerik controls
- IP hashing
- Enforce a strong password policy
- Protect the connection string passwords from unauthorized access
The following additional tasks should be performed on the xDB Processing role:
- Configure API authentication keys in a scaled environment
- Enforce HTTPS for the xDB Processing service end point
- Restrict access to the client
Enabling FIPS is no longer mandatory. Only enable it if you're legally required to do so.
xConnect Collection service
The following tasks apply to all XP Service roles:
- Enable client certificate authentication
- Enforce HTTPS for XP service roles
- Protect the connection string passwords from unauthorized access
xConnect Collection Search service
The tasks that apply to all XP Service roles (listed above) also apply to this role.
The following additional tasks should be performed on the xConnect Collection Search service role:
Reference Data service
The tasks that apply to all XP Service roles (listed above) also apply to this role.
Marketing Automation Operations service
The tasks that apply to all XP Service roles (listed above) also apply to this role.
Marketing Automation Reporting service
The tasks that apply to all XP Service roles (listed above) also apply to this role.
Marketing Automation Engine
xConnect Search Indexer
The following additional tasks should be performed on the xConnect Search Indexer role:
EXM Dispatch
The following tasks apply to all core roles:
- Change the administrator password
- Deny anonymous users access to a folder
- Disable administrative tools
- Disable client RSS feeds
- Disable SQL Server access from XSLT
- Enable HTTPS for core roles
- Enable HTTPS for Content Search
- Increase login security
- Limit access to .XML, .XSLT, and .MRT files
- Change the hash algorithm for password encryption
- Protect media requests
- Remove header information from responses sent by your website
- Secure the file upload functionality
- Limit access to PhantomJS
- Secure Sitecore.Services.Client
- Secure the Telerik controls
- IP hashing
- Enforce a strong password policy
- Protect the connection string passwords from unauthorized access
The following additional tasks should be performed on the EXM Dispatch role:
Enabling FIPS is no longer mandatory. Only enable it if you're legally required to do so.
Storage roles
xDB Collection database
SQL provider
The following additional tasks can be performed on the xDB Collection database:
xDB Processing Tasks database
No additional Sitecore-specific tasks.
xDB Processing Pools database
No additional Sitecore-specific tasks.
xDB Reference Data database
No additional Sitecore-specific tasks.
xDB Reporting database
No additional Sitecore-specific tasks.
Marketing Automation database
No additional Sitecore-specific tasks.
Message Bus
No additional Sitecore-specific tasks.
EXM database
No additional Sitecore-specific tasks.
Indexes
xDB index
No additional Sitecore-specific tasks.
FXM Master index
No additional Sitecore-specific tasks.
FXM Web index
No additional Sitecore-specific tasks.
Master Marketing Assets index
No additional Sitecore-specific tasks.
Web Marketing Assets index
No additional Sitecore-specific tasks.
Master Marketing Definitions index
No additional Sitecore-specific tasks.
Web Marketing Definitions index
No additional Sitecore-specific tasks.
Suggested Test index
No additional Sitecore-specific tasks.
Testing index
No additional Sitecore-specific tasks.