Saturday, October 5, 2013

QuickStart: Securing Sitecore

Sitecore is built on the standard .NET Membership Provider, so developers will be familiar with how it works under the hood as far as creating users, profiles and roles. It becomes more complex when securing content. Content needs to be viewed and edited by users who log into the Sitecore client, whether through the Page Editor, the Content Editor or the Media Library, and it also needs to be viewed (and sometimes edited) by users of the public website. This can be confusing, especially if you have not mapped out a roles matrix first. This QuickStart walks you through the steps you need to end up with a secure Sitecore installation.

Before going to production, work through the checklist at the end of this post to confirm you have secured your Sitecore installation.

1) Develop a role matrix

Roles determine which people are responsible for reading, editing and publishing content. Depending on your implementation, certain people may only be allowed to access certain content. Some need the Page Editor, others the Content Editor, and a few need the Desktop.

It is very tempting, especially when working with small companies, to map users directly to their access: Joe is the one uploading PDF files and editing content, Mark is the one proof-reading the content and then publishing it. Resist this. Instead, Joe holds the ContentEditor role and Mark holds the Publisher role, and all rights are granted to the roles, never to the individuals. Your role matrix would then be:

Role
-----
Admin
ContentEditor
Publisher

Role Permissions
-----------------
/sitecore/content    Admin            Read/Write/Publish/Admin/Delete
/sitecore/content    ContentEditor    Read/Write
/sitecore/content    Publisher        Read/Publish

User Roles
------------
Joe     ContentEditor
Mark    Publisher


Production Promotion Security Checklist

1) Important: Sitecore provides a default "Admin" user (sitecore\Admin) which has unrestricted access. By default this user has the password "b" (lower case, single letter). Change this password before the site is reachable from the internet and store the new password in a secure location, such as a password manager, rather than in a wiki or an email.
2) Ensure /sitecore is disallowed in the robots.txt file so the login page does not end up in search results. Note that this only keeps well-behaved crawlers away: robots.txt is readable by anyone and is not an access control, so it does not replace restricting who can reach /sitecore at all.
3) Ensure you register your site with your search engine's webmaster tools (Google Webmaster Tools at the time of writing) and exclude the same path there as well.
4) Log in as a user in each role and double check that you cannot read or edit the content you have secured. The Access Viewer (Sitecore menu, Security Tools) shows denied rights in red, so for a restricted role you should see a sea of red on everything that role is not meant to touch.
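The role matrix above and check 4 of this list can both be scripted against the Sitecore API so the setup is repeatable and the verification does not depend on eyeballing the Access Viewer. The following is an added example written for this post, not code from the original article or from Sitecore itself. The role names ContentEditor and Publisher, the user names Joe and Mark, the initial passwords and the item path /sitecore/content are taken from the matrix above and are assumptions; the class name RoleMatrixSetup and the helper names are hypothetical. One mapping decision is also an assumption: Sitecore has no per-item "Publish" access right, so the matrix's Publish permission is implemented by making the Publisher role a member of Sitecore's built-in sitecore\Sitecore Client Publishing role, while Read/Write/Delete/Admin map onto item access rights.

```csharp
using System;
using System.Web.Security;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

// Hypothetical one-off setup class for the role matrix in this post.
// Role, user and item names are assumptions from the post, not Sitecore defaults.
public static class RoleMatrixSetup
{
    // Sitecore roles and users live in a domain; the "sitecore" domain is the
    // one used for back-end (client) accounts.
    const string Domain = "sitecore";
    const string ContentEditorRole = Domain + "\\ContentEditor";
    const string PublisherRole = Domain + "\\Publisher";
    const string ClientPublishingRole = Domain + "\\Sitecore Client Publishing"; // built-in Sitecore role
    const string ContentRootPath = "/sitecore/content";

    public static void Apply()
    {
        // Roles: created through the standard .NET Roles provider that Sitecore wraps.
        foreach (var roleName in new[] { ContentEditorRole, PublisherRole })
        {
            if (!Role.Exists(roleName))
                Roles.CreateRole(roleName);
        }

        // Users are mapped to a role, never granted rights as individuals.
        // Initial passwords are placeholders to be changed at first login.
        CreateUserInRole(Domain + "\\Joe", "ChangeMe!Joe", ContentEditorRole);
        CreateUserInRole(Domain + "\\Mark", "ChangeMe!Mark", PublisherRole);

        Role editor = Role.FromName(ContentEditorRole);
        Role publisher = Role.FromName(PublisherRole);

        // "Publish" in the matrix: Publisher becomes a member of the built-in
        // publishing role rather than receiving an item right (none exists).
        Role clientPublishing = Role.FromName(ClientPublishingRole);
        if (!RolesInRolesManager.IsRoleInRole(publisher, clientPublishing, false))
            RolesInRolesManager.AddRoleToRole(publisher, clientPublishing);

        // Item rights on the content root. SecurityDisabler is needed because a
        // setup script normally runs without an authenticated Sitecore user.
        using (new SecurityDisabler())
        {
            Database master = Factory.GetDatabase("master");
            Item contentRoot = master.GetItem(ContentRootPath);
            AccessRuleCollection rules = contentRoot.Security.GetAccessRules();

            // ContentEditor: Read/Write on the root and all descendants, explicit
            // Deny on Delete and Admin so an inherited Allow cannot leak them back.
            rules.Helper.AddAccessPermission(editor, AccessRight.ItemRead, PropagationType.Any, AccessPermission.Allow);
            rules.Helper.AddAccessPermission(editor, AccessRight.ItemWrite, PropagationType.Any, AccessPermission.Allow);
            rules.Helper.AddAccessPermission(editor, AccessRight.ItemDelete, PropagationType.Any, AccessPermission.Deny);
            rules.Helper.AddAccessPermission(editor, AccessRight.ItemAdmin, PropagationType.Any, AccessPermission.Deny);

            // Publisher: Read only; proof-reading needs no Write.
            rules.Helper.AddAccessPermission(publisher, AccessRight.ItemRead, PropagationType.Any, AccessPermission.Allow);
            rules.Helper.AddAccessPermission(publisher, AccessRight.ItemWrite, PropagationType.Any, AccessPermission.Deny);

            contentRoot.Security.SetAccessRules(rules);
        }
    }

    // Check 4 of the checklist as code: true only if every expectation of the
    // matrix holds for the roles and for a concrete user in each role.
    public static bool VerifyMatrix()
    {
        Database master = Factory.GetDatabase("master");
        Item contentRoot = master.GetItem(ContentRootPath);
        Account editor = Role.FromName(ContentEditorRole);
        Account publisher = Role.FromName(PublisherRole);

        bool ok = true;
        ok &= AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemRead, editor);
        ok &= AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemWrite, editor);
        ok &= !AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemDelete, editor);
        ok &= !AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemAdmin, editor);
        ok &= AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemRead, publisher);
        ok &= !AuthorizationManager.IsAllowed(contentRoot, AccessRight.ItemWrite, publisher);

        // Roles must flow through to the actual users: Mark must not be able to write.
        User mark = User.FromName(Domain + "\\Mark", true);
        using (new UserSwitcher(mark))
        {
            ok &= contentRoot.Access.CanRead();
            ok &= !contentRoot.Access.CanWrite();
        }
        return ok;
    }

    static void CreateUserInRole(string userName, string initialPassword, string roleName)
    {
        if (!User.Exists(userName))
            Membership.CreateUser(userName, initialPassword, userName.Replace("\\", ".") + "@example.com");
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
    }
}
```

Run Apply() once from a deployment step or an admin page on the content management server, then run VerifyMatrix() as part of the production promotion check; it should return true, and a false result means the matrix and the item rules have drifted apart. The explicit Deny entries matter: Sitecore resolves Deny over Allow, so a later Allow added higher in the tree cannot quietly hand Delete or Admin back to the ContentEditor role.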

