Restrict access to the client
| Applies to | All Core roles except Content Management. |
| --- | --- |
| Sitecore Installation Framework | Anonymous user access to folders is not disabled by default. |
| Azure Toolkit | Anonymous user access to folders is disabled by default. |
Unauthorized access to the Sitecore client is a potential security risk, and we recommend that you prevent access to it on all instances where you do not need it.
You can restrict access to the client in the following ways:
- Disable IIS anonymous access for Sitecore 8.2 update 2 and earlier.
- Disable IIS anonymous access for Sitecore 8.2 update 3 and later.
- Disable Forms authentication for Sitecore 8.2 update 3 and later.
Disable IIS anonymous access for Sitecore 8.2 update 2 and earlier
To restrict access to the client, disable IIS anonymous access:
1. Open the IIS Manager application.
2. To see a list of all your IIS websites, in the Connections pane, double-click the name of your server and then double-click the Sites icon.
3. Double-click the website of the role you want to configure.
4. Click the first folder or file from this list:
   - <webroot>\App_Config\
   - <webroot>\sitecore\admin\
   - <webroot>\sitecore\debug\
   - <webroot>\sitecore\login\
   - <webroot>\sitecore\shell\
   - <webroot>\sitecore\default.aspx
   - <webroot>\sitecore modules\debug\
   - <webroot>\sitecore modules\Shell\
   - <webroot>\xsl\
   Note: To select a file instead of a folder, right-click the role website and click Switch to Content View to see the website files. Then click the file, right-click the role website again, and click Switch to Feature View.
5. In the center application pane, in the IIS section, double-click the Authentication icon.
6. On the Authentication list, click Anonymous Authentication.
7. In the Actions pane, click Disable.
8. Repeat steps 5 to 7 for all the folders and files listed in step 4.
9. In the Connections pane, click the name of your server.
10. To restart IIS and activate your configuration, in the Actions pane, in the Manage Server section, click Restart.
Disable IIS anonymous access for Sitecore 8.2 update 3 and later
To restrict access to the client, disable IIS anonymous access:
1. Open the IIS Manager application.
2. To see a list of all your IIS websites, in the Connections pane, double-click the name of your server and then double-click the Sites icon.
3. Double-click the website of the role you want to configure.
4. Click the first folder or file from this list:
   - <webroot>\App_Config\
   - <webroot>\sitecore\admin\
   - <webroot>\sitecore\debug\
   - <webroot>\sitecore\login\
   - <webroot>\sitecore\shell\
   - <webroot>\sitecore\default.aspx
   - <webroot>\sitecore modules\debug\
   - <webroot>\sitecore modules\Shell\
   - <webroot>\xsl\
   Note: To select a file instead of a folder, right-click the role website and click Switch to Content View to see the website files. Then click the file, right-click the role website again, and click Switch to Feature View.
5. In the center application pane, in the ASP.NET section, double-click the .NET Authorization Rules icon.
6. In the Actions pane, click Add Deny Rule.
7. In the Add Deny Authorization Rule window, select All anonymous users and click OK.
8. Repeat steps 5 to 7 for all the folders and files listed in step 4.
9. In the Connections pane, click the name of your server.
10. To restart IIS and activate your configuration, in the Actions pane, in the Manage Server section, click Restart.
This procedure creates a directory-specific web.config file for each folder and file. If you prefer to keep all your configurations in the application-specific <webroot>\Web.config file, see the Microsoft documentation on How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application.
Disable Forms authentication for Sitecore 8.2 update 3 and later
If you disable Forms authentication, Sitecore will not handle any requests for authentication.
To disable Forms authentication:
1. Open the <webroot>\Web.config file.
2. Locate the authentication node.
3. Change the mode attribute from Forms to None:

```xml
<authentication mode="None">
```
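The two Web.config-based options above (the deny rules from the "Add Deny Rule" procedure and the Forms authentication change), shown together in one consolidated <webroot>\Web.config as an added example that is not part of the Sitecore documentation. It assumes the paths listed in the procedures and standard ASP.NET URL authorization; once Forms authentication is off, every request is anonymous, so these deny rules block all access to the listed paths.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example (not from the Sitecore documentation): the deny rules that the
     "Add Deny Rule" procedure writes into per-directory web.config files, consolidated
     into the site's <webroot>\Web.config with <location> elements, plus the Forms
     authentication change from the last procedure. Paths are relative to the site root. -->
<configuration>
  <system.web>
    <!-- "Disable Forms authentication": Sitecore stops handling authentication requests. -->
    <authentication mode="None" />
  </system.web>

  <!-- users="?" is the ASP.NET authorization wildcard for anonymous (unauthenticated)
       users; each block equals one "All anonymous users" deny rule from the procedure. -->
  <location path="App_Config">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore/admin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore/debug">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore/login">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore/shell">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <!-- A <location> path may name a single file as well as a folder. -->
  <location path="sitecore/default.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore modules/debug">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="sitecore modules/Shell">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="xsl">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
</configuration>
```

After editing Web.config, verify the result the same way you would verify the per-directory files: an unauthenticated request to any listed path should no longer return the client page.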