Restrict access to the client

Current version: 8.2

Applies to

All Core roles except Content Management.

Sitecore Installation Framework

Anonymous users access to folders is not disabled by default.

Azure Toolkit

Anonymous user access to folders is disabled by default.

Unauthorized access to Sitecore client is a potential security risk, and we recommend that you prevent access to it on all instances where you do not need it.

You can restrict access to the client in following ways:

  • Disable IIS anonymous access for Sitecore 8.2 update 2 and earlier.

  • Disable IIS anonymous access for Sitecore 8.2 update 3 and later.

  • Disable Forms authentication for Sitecore 8.2 update 3 and later.

Disable IIS anonymous access for Sitecore 8.2 update 2 and earlier

To restrict access to the client, disable IIS anonymous access:

  1. Open the IIS Manager application.

  2. To see a list of all you IIS websites, in the Connections pane, double-click the name of your server and then double-click the Sites icon.

  3. Double-click the website of the role you want to configure.

  4. Click the first folder or file from this list:

    • <webroot>\App_Config\

    • <webroot>\sitecore\admin\

    • <wwwroot>\sitecore\debug\

    • <webroot>\sitecore\login\

    • <webroot>\sitecore\shell\

    • <webroot>\sitecore\default.aspx

    • <webroot>\sitecore modules\debug\

    • <webroot>\sitecore modules\Shell\

    • <webroot>\xsl\

    Note

    To select a file instead of a folder, right-click the role website and click Switch to Content View to see the website files. Then click the file, right-click the role website again, and click Switch to Feature View.

  5. In the center application pane, in the IIS section, double-click the Authentication icon.

    Screenshot showing how to access the IIS authentication settings for a folder or a file.
  6. On the Authentication list, click Anonymous Authentication.

  7. In the Actions pane, click Disable.

    Screenshot showing how to change the IIS anonymous authentication settings for a folder or a file.
  8. Repeat steps 5 to 7 for all the listed folders and files in step 4.

  9. In the Connections pane, click the name of your server.

  10. To restart IIS and activate your configurations, in the Actions pane, in the Manage Server section, click Restart.

Disable IIS anonymous access for Sitecore 8.2 update 3 and later

To restrict access to the client, disable IIS anonymous access:

  1. Open the IIS Manager application.

  2. To see a list of all you IIS websites, in the Connections pane, double-click the name of your server and then double-click the Sites icon.

  3. Double-click the website of the role you want to configure.

  4. Click the first folder or file from this list:

    • <webroot>\App_Config\

    • <webroot>\sitecore\admin\

    • <wwwroot>\sitecore\debug\

    • <webroot>\sitecore\login\

    • <webroot>\sitecore\shell\

    • <webroot>\sitecore\default.aspx

    • <webroot>\sitecore modules\debug\

    • <webroot>\sitecore modules\Shell\

    • <webroot>\xsl\

    Note

    To select a file instead of a folder, right-click the role website and click Switch to Content View to see the website files. Then click the file, right-click the role website again, and click Switch to Feature View.

  5. In the center application pane, in the ASP.NET section, double-click the .NET Authorization Rules icon.

    Screenshot showing how to access the IIS .NET Authorization Rules for a folder or a file.
  6. In the Actions pane, click Add Deny Rule.

    Screenshot showing how to add an IIS Deny Rule to a folder or a file.
  7. In the Add Deny Authorization Rule window, select All anonymous users and click OK.

    Screenshot showing how to configure an IIS Deny Rule for a folder or file.
  8. Repeat steps 5 to 7 for all the listed folders and files in step 4.

  9. In the Connections pane, click the name of your server.

  10. To restart IIS and activate your configurations, in the Actions pane, in the Manage Server section, click Restart .

Note

This procedure creates a directory-specific web.config file for each folder and file. If you prefer to keep all your configurations in the application-specific <wwwroot>\Web.config file, see the Microsoft documentation on How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application.

Disable Forms authentication for Sitecore 8.2 update 3 and later

If you disable Forms authentication, Sitecore will not handle any requests for authentication.

To disable Forms authentication:

  1. Open the <webroot>\Web.config file.

  2. Locate the authentication node.

  3. Change the mode attribute from Forms to None.

    RequestResponse
    <authentication mode="None">
    

Do you have some feedback for us?

If you have suggestions for improving this article,