This is the first post in a series discussing security considerations and approaches for websites driven by the Sitecore CMS. The topic of discussion today is set-up and infrastructure.

Top ten Sitecore security dos and don’ts

1. Content authors should not work on the same installation that serves the public website. The CMS should sit behind the firewall and publish content out to the web server nodes.
2. The database and the CMS should reside on different servers. This physical separation reduces the impact of a breach.
3. On the SQL database, create a dedicated access account for Sitecore and grant it only the required privileges (db_datareader, db_datawriter, execute permission on stored procedures, etc.).
4. The Sitecore Data folder should reside in a location that is not directly accessible via the web. This prevents unwanted access to its files and forces all visitors to retrieve them through the security rules enforced by the CMS.
5. If you're using Sitecore 6 on IIS 6, note that there is a bug in IIS and a default configuration value that may allow access to your web.config file. To prevent this, make sure your web.config contains the following in the FilterUrlExtensions section:

    <param desc="Blocked extensions that do not stream files (comma separated)">*</param>
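Point 3 above (a dedicated, least-privileged SQL account for Sitecore) as a worked T-SQL script. This is an added example, not from the original post or from Sitecore: the login name sitecore_app, the database name Sitecore_Core and the password are assumptions, and the same steps are repeated for each Sitecore database (core, master, web).

```sql
-- Added example (not Sitecore's own script). Assumed names: login sitecore_app,
-- database Sitecore_Core; replace the password placeholder before running.
USE [master];
GO
-- A SQL login dedicated to the Sitecore application; no server-level roles.
CREATE LOGIN [sitecore_app]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GO

USE [Sitecore_Core];
GO
-- Map the login to a database user and grant only what the CMS needs:
-- read, write, and execute on the stored procedures in dbo.
CREATE USER [sitecore_app] FOR LOGIN [sitecore_app];
EXEC sp_addrolemember N'db_datareader', N'sitecore_app';
EXEC sp_addrolemember N'db_datawriter', N'sitecore_app';
GRANT EXECUTE ON SCHEMA::[dbo] TO [sitecore_app];
-- Deliberately NOT granted: db_owner, db_ddladmin, db_securityadmin, sysadmin.
GO

-- Verification 1: the account should appear only in db_datareader / db_datawriter.
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'sitecore_app';

-- Verification 2: explicit permissions should be a single EXECUTE on schema dbo.
SELECT p.permission_name, p.state_desc, s.name AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
LEFT JOIN sys.schemas AS s ON s.schema_id = p.major_id AND p.class_desc = N'SCHEMA'
WHERE u.name = N'sitecore_app';
GO
```

Repeat the USE / CREATE USER / role block once per Sitecore database; on SQL Server 2012 and later, ALTER ROLE ... ADD MEMBER can be used in place of sp_addrolemember.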

