Login security<\/strong><\/p>\n We must use the strong password policy recommended by MSDN in order to avoid hacking the password by hackers. Change\u00a0Hash algorithm\u00a0for password encryption. Open web. Config file and in the <membership> node, set the\u00a0hash algorithm Type to SHA512.<\/p>\n We must change the administrator password to a strong password. Changing the password prevents unauthorized users from using the default password to access the admin account. \u00a0If possible disable and create named Administrator accounts.<\/p>\n Turn of remember me for login page. On the Sitecore Identity Server role, open sitecore\/Sitecore.Plugin.IdentityServer\/Config\/identityServer.xml<\/em>\u00a0file and set the\u00a0Allow Remember Login\u00a0setting to\u00a0false. This also ignores any existing\u00a0Remember me\u00a0cookies, and all users have to log in again.<\/p>\n Deny anonymous users access to key folder<\/strong>s<\/p>\n It is important to disable\u00a0the Anonymous Authentication\u00a0under IIS Settings for the following folders within the Sitecore Website.<\/p>\n Below is an example way to disable it,<\/em><\/p>\n Disable client RSS feeds<\/strong><\/p>\n In case of our Sitecore installation contains sensitive information that you want to protect, you should disable the Sitecore client RSS feeds. If an unauthorized user gains access to the URL of a client RSS feed, they can follow the link and view all the content contained in the client feed even though their own security permissions do not give them access to this item. The users who are subscribed to Sitecore client RSS feeds have direct access to the item given as RSS feed to them and they will not have to identify themselves to the Sitecore security system when they view the feed.<\/p>\n To disable the Sitecore client RSS feed:<\/strong><\/p>\n <add verb=”*” path=”sitecore_feed.ashx” type=”Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel”\/><\/em><\/p>\n Secure the file upload functionality<\/strong><\/p>\n Below are the steps to deny both\u00a0Script\u00a0and\u00a0Execute\u00a0permissions for the upload folder,<\/p>\n Disable SQL Server access from XSLT<\/strong><\/p>\n Sitecore includes an xslExtension<\/strong> helper for use with SQL Server. You can disable it either when we are not using it or not using Sitecore XSLT renderings.<\/p>\n To disable the xslExtension<\/strong> helper:<\/p>\n <configuration xmlns:patch=”http:\/\/www.sitecore.net\/xmlconfig\/”><\/p>\n <sitecore><\/p>\n <!– disable XSLT security issue see https:\/\/doc.sitecore.net\/sitecore_experience_platform\/setting_up_and_maintaining\/security_hardening\/configuring\/disable_sql_server_access_from_xslt –><\/p>\n <xslExtensions><\/p>\n <extension type=”Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel”><\/p>\n <patch:delete\/><\/p>\n <\/extension><\/p>\n <\/xslExtensions><\/p>\n <\/sitecore><\/p>\n <\/configuration><\/p>\n Secure Telerik controls<\/strong><\/p>\n Sitecore uses some UI controls from Telerik. These controls are only used in a Content Management environment.<\/p>\n <add name=”Telerik_Web_UI_DialogHandler_aspx” verb=”*” preCondition=”integratedMode” path=”Telerik.Web.UI.DialogHandler.aspx” type=”Telerik.Web.UI.DialogHandler” \/><\/p>\n <add name=”Telerik_Web_UI_SpellCheckHandler_axd” verb=”*” preCondition=”integratedMode” path=”Telerik.Web.UI.SpellCheckHandler.axd” type=”Telerik.Web.UI.SpellCheckHandler” \/><\/p>\n <add name=”Telerik_Web_UI_WebResource_axd” verb=”*” preCondition=”integratedMode” path=”Telerik.Web.UI.WebResource.axd” type=”Telerik.Web.UI.WebResource” \/><\/p>\n In the\u00a0web.config\u00a0file, in the appSettings section, create a node for the Telerik configuration encryption keys:<\/p>\n <appSettings><\/p>\n <add key=”Telerik.AsyncUpload.ConfigurationEncryptionKey” value=”YOUR_ENCRYPTION_KEY_HERE” \/><\/p>\n <add key=”Telerik.Upload.ConfigurationHashKey” value=”YOUR_ENCRYPTION_KEY_HERE” \/><\/p>\n <add key=”Telerik.Web.UI.DialogParametersEncryptionKey” value=”YOUR_ENCRYPTION_KEY_HERE” \/><\/p>\n <\/appSettings><\/p>\n Limit access to certain file types<\/strong><\/p>\n Sitecore recommends to improve the security of your Sitecore installation, edit the\u00a0web.config\u00a0file, and disable the\u00a0web.config\u00a0file with EXM settings.<\/p>\n <system.webServer><\/p>\n <handlers><\/p>\n <add path=”*.xml” verb=”*” type=”System.Web.HttpForbiddenHandler” name=”xml (integrated)” preCondition=”integratedMode”\/><\/p>\n <add path=”*.xslt” verb=”*” type=”System.Web.HttpForbiddenHandler” name=”xslt (integrated)” preCondition=”integratedMode”\/><\/p>\n <add path=”*.config.xml” verb=”*” type=”System.Web.HttpForbiddenHandler” name=”config.xml (integrated)” preCondition=”integratedMode”\/><\/p>\n <add path=”*.mrt” verb=”*” type=”System.Web.HttpForbiddenHandler” name=”mrt (integrated)” preCondition=”integratedMode”\/><\/p>\n This restricts access to all XML, XSLT, and MRT files.<\/p>\n Protect PhantomJS<\/strong><\/p>\n PhantomJS<\/strong> is a third-party program is used to generate screenshots of web pages on the Sitecore CMS and EXM. We can improve the security around PhantomJS<\/strong> by limiting its permissions, and disabling it on roles where it is not needed.<\/p>\n Copy<configuration xmlns:patch=”http:\/\/www.sitecore.net\/xmlconfig\/” xmlns:role=”http:\/\/www.sitecore.net\/xmlconfig\/role\/” xmlns:security=”http:\/\/www.sitecore.net\/xmlconfig\/security\/”><\/p>\n <sitecore><\/p>\n <setting name=”ContentTesting.PhantomJS.ExecutablePath” value=”C:\\phantomjs\\phantomjs.exe” \/><\/p>\n <\/sitecore><\/p>\n <\/configuration><\/p>\n Protect media requests<\/strong><\/p>\n The media request protection feature is used to restrict the media URLs that contain dynamic image-scaling parameters. This ensures that the server only spends resources and disk space on valid image-scaling requests.<\/p>\n You can make your solution even more secure and use the Sitecore media request protection feature optimally if you patch the\u00a0Sitecore.Media.RequestProtection.config\u00a0file.<\/p>\n To optimize the media request protection feature:<\/p>\n <configuration\u00a0xmlns:patch=”http:\/\/www.sitecore.net\/xmlconfig\/”><\/p>\n <sitecore><\/p>\n <settings><\/p>\n <setting\u00a0 name=”Media.RequestProtection.SharedSecret” value=”YourRandomGeneratedString”\/><\/p>\n <\/settings><\/p>\n <\/sitecore><\/p>\n <\/configuration><\/p>\n Remove header information from responses sent by your website<\/strong><\/p>\n By removing the X-Aspnet-Version HTTP header information from each web page, it will save a little bandwidth and also ensures that we are not broadcasting which version of ASP.NET using. To remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the\u00a0web.config\u00a0file.<\/p>\n <system.web><\/em><\/p>\n \u00a0 <httpRuntime enableVersionHeader=”false” \/><\/em><\/p>\n <\/system.web><\/em><\/p>\n By removing the X-Powered-By HTTP header, we are not broadcasting which version of ASP.NET using. To remove the X-Powered-By HTTP header from each response from ASP.NET, add the following code to the\u00a0web.config\u00a0file:<\/p>\n <system.webServer><\/em><\/p>\n \u00a0 <httpProtocol><\/em><\/p>\n \u00a0\u00a0\u00a0 <customHeaders><\/em><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0 <remove name=”X-Powered-By” \/><\/em><\/p>\n \u00a0\u00a0\u00a0 <\/customHeaders><\/em><\/p>\n \u00a0 <\/httpProtocol><\/em><\/p>\n <\/system.webServer><\/em><\/p>\n Author:<\/strong> Prabhu Ranganathan, Sitecore Specialist<\/p>\n\n
\n
![\"Deny](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/Deny-anonymous-users-access-to-key-folders.png\")
<\/p>\n\n
![\"Sitecore](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/Sitecore-Anonymous-Authentication-under-IIS-Settings.png\")
<\/p>\n\n
![\"all](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/all-authentication-methods-available-on-your-Web-Server.png\")
<\/p>\n\n
![\"Restart](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/Restart-IIS-Skybrige-infotech.png\")
<\/p>\n\n
\n
\n
\n
\n
![\"Secure](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/Secure-the-file-upload-functionality.png\")
<\/p>\n\n
![\"the](\"http:\/\/www.skybridgeinfotech.com\/blog\/wp-content\/uploads\/2021\/07\/the-Script-and-Execute-check-boxes.png\")
<\/li>\n<\/ol>\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Sitecore 9.x Security Hardening | Sitecore CMS Development Company in USA India<\/a><\/em><\/h3>\n