CMS Best Practices: Security for the Sitecore CMS and Websites, Part II
This is the second post in a series discussing security considerations and approaches for websites driven by the Sitecore CMS. The topic of discussion today is content authors and the security implications of allowing many people to update your website.
Top 3 considerations for Sitecore security controls & policies
1. How good are your password policies for your CMS?
Giving someone access to the CMS implies a certain level of trust. Still, as with any password-protected system, your first line of defense is to follow best practices for password strength and expiration. If you authenticate through the Active Directory Module, you can reuse the policies your organization has (hopefully) already adopted, and disabling a directory account when someone leaves removes their CMS access with it. If Active Directory is not an option, we can help you set up custom validation rules in the Sitecore CMS itself to enforce password policies.
2. Give access to only what is required
Content authors should not be given carte blanche. A user's ability to enter raw HTML and to upload files is the key concern. Once these permissions are enabled, you open yourself up to accidental or malicious cross-site scripting, viruses and other dangers. At a minimum, carefully control which file types may be uploaded: use an allow-list of permitted types rather than a deny-list of known-bad ones, and check the file's content as well as its extension, since renaming evil.exe to evil.pdf defeats an extension-only check. Also make sure the web server will never execute anything from the upload location. This removes some of the danger (for example, executables can no longer be uploaded), but it is not a substitute for limiting who can upload at all.
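As an added example (my own code, not from the original post or from Sitecore), here is a framework-independent C# check for the upload allow-list just described. It inspects the leading bytes of the file as well as the claimed extension, so a renamed executable is still rejected, and a file whose content does not match its claimed type is rejected too. The class name, method name and the contents of the allow-list are assumptions for illustration; in Sitecore you would call something like this from a custom processor in the upload pipeline.

```csharp
// Added example: content-aware upload allow-list. Not Sitecore code;
// UploadPolicy, IsAllowed and the type table are the author's own choices.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

namespace Example.Uploads
{
    public static class UploadPolicy
    {
        // Allowed extensions, each mapped to the byte signatures a file of that
        // type must start with. Everything not listed here is refused, which is
        // what keeps .exe, .aspx, .ashx and friends out without naming them.
        private static readonly Dictionary<string, byte[][]> Allowed =
            new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } } }, // "%PDF"
            { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47 } } }, // ".PNG"
            { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },       // JPEG SOI
            { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
            { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38 } } }, // "GIF8"
            { ".doc",  new[] { new byte[] { 0xD0, 0xCF, 0x11, 0xE0 } } }, // OLE compound file
            { ".docx", new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } } }, // ZIP container
        };

        // Signatures that are never acceptable, whatever the claimed type.
        private static readonly byte[][] ExecutableImages =
        {
            new byte[] { 0x4D, 0x5A },             // "MZ": Windows PE
            new byte[] { 0x7F, 0x45, 0x4C, 0x46 }, // ELF
        };

        // fileName is the name the author supplied; head is the first few bytes
        // of the uploaded content (16 is plenty for the signatures above).
        // Returns false with a reason whenever the file must be refused.
        public static bool IsAllowed(string fileName, byte[] head, out string reason)
        {
            // GetExtension returns the LAST extension, so "report.pdf.exe" is ".exe".
            string ext = Path.GetExtension(fileName ?? string.Empty);

            byte[][] signatures;
            if (!Allowed.TryGetValue(ext, out signatures))
            {
                reason = "extension is not on the allow-list: '" + ext + "'";
                return false;
            }

            if (ExecutableImages.Any(sig => StartsWith(head, sig)))
            {
                reason = "content is an executable image despite the " + ext + " extension";
                return false;
            }

            if (!signatures.Any(sig => StartsWith(head, sig)))
            {
                reason = "content does not look like a " + ext + " file";
                return false;
            }

            reason = null;
            return true;
        }

        private static bool StartsWith(byte[] data, byte[] prefix)
        {
            if (data == null || data.Length < prefix.Length)
            {
                return false;
            }
            for (int i = 0; i < prefix.Length; i++)
            {
                if (data[i] != prefix[i])
                {
                    return false;
                }
            }
            return true;
        }
    }
}
```

With this table, "evil.pdf" whose bytes start with MZ is refused as an executable, "evil.exe" is refused by extension before its bytes are even looked at, and a genuine PDF passes. The check is deliberately about type, not safety: a well-formed PDF or .doc can still carry malicious macros or scripts, which is why the post's separate suggestion of scanning document contents still applies.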
3. Validation
Sitecore 6 includes excellent capabilities for creating custom validation rules and mechanisms. In many circumstances you are required to give content authors access to HTML editing or file uploads, but you can also design validation rules that check for violations of security policy. Some examples: checking all .doc or .pdf files for the word "confidential", scanning the HTML with an external validation service, or stripping all SCRIPT tags from HTML. One caveat on the last of these: removing SCRIPT tags alone does not prevent cross-site scripting, because event-handler attributes (onerror, onload) and javascript: URLs run script without one, and a single-pass strip can be bypassed with nested text such as <scr<script>ipt>. Prefer rejecting the content outright, or reducing it to an allow-list of harmless tags and attributes, over stripping.
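As an added example (my own code, not from the original post and not one of Sitecore's shipped rules), here is a custom field validator that rejects, rather than strips, active content in a rich-text field. It assumes the Sitecore 6 StandardValidator base class and its ControlValidationValue, GetText, GetFieldDisplayName and GetFailedResult members, as used in Sitecore's own validator documentation; the class name, rule name and the list of patterns are mine.

```csharp
// Added example: a Sitecore 6 field validator that fails the field when the
// stored HTML contains anything that can execute script. Assumes the
// Sitecore.Data.Validators.StandardValidator API; the patterns are a deliberately
// conservative deny-list of the author's choosing and can reject benign text.
using System;
using System.Runtime.Serialization;
using System.Text.RegularExpressions;
using Sitecore.Data.Validators;

namespace Example.Validators
{
    // Validators are serialized by Sitecore, hence the attribute and the
    // deserialization constructor.
    [Serializable]
    public class NoActiveScriptValidator : StandardValidator
    {
        // Each pattern catches something a plain "strip <script> tags" rule misses.
        private static readonly Regex[] Dangerous =
        {
            // <script ...>, including "< script" with stray whitespace
            new Regex(@"<\s*script\b", RegexOptions.IgnoreCase),
            // framed or plugin content that can host script of its own
            new Regex(@"<\s*(iframe|object|embed|applet)\b", RegexOptions.IgnoreCase),
            // inline event handlers: onerror=, onload=, onmouseover=, ...
            // (preceded by whitespace, slash or quote so "?option=1" in a URL is not hit)
            new Regex(@"[\s/""']on[a-z]+\s*=", RegexOptions.IgnoreCase),
            // script-bearing URL schemes inside link and source attributes
            new Regex(@"(href|src|action)\s*=\s*[""']?\s*(javascript|vbscript|data)\s*:",
                      RegexOptions.IgnoreCase),
        };

        public NoActiveScriptValidator()
        {
        }

        public NoActiveScriptValidator(SerializationInfo info, StreamingContext context)
            : base(info, context)
        {
        }

        // Shown in the Content Editor's validation bar.
        public override string Name
        {
            get { return "No active script"; }
        }

        protected override ValidatorResult Evaluate()
        {
            // The raw field value, i.e. the HTML that will be sent to browsers.
            string value = ControlValidationValue;
            if (string.IsNullOrEmpty(value))
            {
                return ValidatorResult.Valid;
            }

            foreach (Regex pattern in Dangerous)
            {
                Match match = pattern.Match(value);
                if (match.Success)
                {
                    // Report what was matched so the author can find and remove it.
                    Text = GetText(
                        "The field \"{0}\" contains active content that is not allowed: \"{1}\".",
                        GetFieldDisplayName(), match.Value.Trim());
                    return GetFailedResult(ValidatorResult.FatalError);
                }
            }

            return ValidatorResult.Valid;
        }

        // The worst result this validator can produce; FatalError blocks saving.
        protected override ValidatorResult GetMaxValidatorResult()
        {
            return GetFailedResult(ValidatorResult.FatalError);
        }
    }
}
```

To wire it in, create a Validation Rule item under /sitecore/system/Settings/Validation Rules/Field Rules, set its Type field to the assembly-qualified class name, and add the rule to the Validation Rules section of the field or template you want protected. Because the rule rejects instead of rewriting, there is no stripping step for an author to sneak past; the trade-off is that the deny-list above will occasionally refuse harmless markup, which is acceptable for a field that only a few trusted authors should be editing in raw HTML anyway.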
While I have focused on content authors in this post, the other major danger from within the organization is the CMS development team. Writing "good" code, code that is not vulnerable to attack, is an important task and one that I will cover later in the series. In the next post, I'll be discussing security issues relating to accessing content: who is allowed to see what. Some key areas in that discussion are security models, personalized content and considerations for search engines.