How to secure your Umbraco CMS platform


A 10 point plan for securing Umbraco CMS

Our security series leads us to look at what easy steps can be taken to lower the risk and impact of an attack on Umbraco 7.4.

Just for total clarification, the steps outlined in the article are specifying best practice and will lower the ‘percentage of risk’ considerably if the platform is compromised. 

1. Password Storage

From Umbraco version 7.3 the platform uses the ASP.Net Identity as the authentication mechanism for back office users. This means passwords by default are hashed with HMAC-SHA256 and the salt is 128bit. 
Please note, you could have a lower standard if you have ‘useLegacyEncoding’ set to ‘true’.

2. Period of activity logout

By default users are logged out of the Umbraco interface after 20 minutes of inactivity, this can be configured to be shorter/longer.

3. Remove the threat of “ClickJacking”

ClickJacking is a manipulative technique where the website user is fooled into clicking on something other than what the user is actually intending on clicking. This can be accomplished by the attacker using multiple transparent or opaque layers. 

Adding the below code to the <system.webServer> section of web.config file will prevent the hackers from framing your application

<httpProtocol>  
 <customHeaders>     
<add name="X-Frame-Options" value="DENY" />    
</customHeaders>  
</httpProtocol>  


4. Password security

Within Umbraco you can specify the password length and whether the password must contain a special character. I would highly recommend a length of at least 12 characters. 

The CMS also reduces the possibility of retrieving passwords by using a password format like ‘Hashed’ and even having the option of enabling the question-and-answer feature. 

Please note though, some security questions such as ("What was the name of your first dog?") are not supported and considered not secure by Umbraco.

5. Lock account after ‘x’ password attempts

And with minimal effort, it is possible to lock the account for specified duration after a specified number of failed login attempts. By default 10 incorrect login attempts(number configurable if this is required) will lock out the user to avoid ‘brute force’ attacks. Be aware Umbraco only feature an indefinite account lock but unlike licenced platforms such as Sitefinity, they support a lock time frame feature. 

6. IP Restriction

You can go a step ahead by restricting access to the login of your site through the firewall to certain IP. This can be done via IIS.

Alternatively, this can be done via the web.config file with something similar to:

<location path="umbraco">
    <system.webServer>
          <security>
            <ipSecurity allowUnlisted="false">
               <clear/>
               <add ipAddress="80.212.7.43" allowed="true"/>                 
            </ipSecurity>
          </security>
    </system.webServer>
</location>


7. Utilise SSL

HTTPS can be activated by merely adding the SSL certificate to IIS webserver by just modifying the configuration value. 

8. User Types within Umbraco

You can see their default permissions in the "User types" folder as well if you have not done so already.
Administrator - The administrator has every possible permission and can do anything when editing nodes in the content section.

Writer - By default the writer has the "Browse node", "Create", "Send to publish" and "Update" permissions. So the writer has very limited options and is not allowed to do much other than browse nodes, create nodes and them request that items are published. This means that the writer can't publish anything directly without an approver.

Editor - By default the editor has permissions to "Audit trail", "Browse node", "Copy", "Delete", "Move", "Create", "Public access", "Publish", "Rollback", "Send to translation", "Sort" and "Update". Unlike the Writer the editor is allowed to publish a content item/node without approval from someone else. The editor role can do everything that is needed to successfully create a piece of content and publish it on the website without any restrictions.

Translator - By default the translator has permission to "Browse" and "Update" nodes. The translator is thereby only allowed to browse and update nodes.

To create and give much more flexibility, I would create more ‘user types’ than the ones listed above and use a back-office plugin named User Group Permissions which allows permissions to be set on content nodes by user type rather than by individual users.

 

9. Keeping system up-to-date

Keeping the system-up-to-date, sounds like a no-brainer but you could be surprised how far behind you are. Checkout our own CMS timeline to review all the latest versions of Umbraco. These new version releases fix security flaws in the previous version. 

An example,of this is on March 1, 2016, Umbraco released a hotfix to address a major security vulnerability patched in Umbraco versions 4.50 through 4.7.1.1. 

What’s also great to see is that when these critical security bugs are found, Umbraco make every effort to release patches to all of the versions rather than the latest version to help your site stay safe.


10. Listening to the community

With Umbraco being open source, there is a very active and strong developer community which is always on the lookout for vulnerabilities. You need to keep yourself updated about these threats, security issues and action the appropriate Umbraco hotfixes or version upgrades. I would recommend that you follow @umbracoproject on twitter for updates on this nature.

Consultation and a Security Review

Doing these 10 points above should help secure your Umbraco site and is a great starting point. Moving forward you may want to do more and do your due-diligence that your platform is as secure it could be.

Quba can review your current site to illustrate your strengths and weaknesses. We can provide recommendations that will increase security and ensure best practice is adhered to if required physically perform the upgrades and execute delivery. 

Call: 0114 279 7779 or Email: hello@quba.co.uk to speak to a Quban if you require any guidance on this topic.

06 Feb

2017
Chris Bainbridge
Estimated read time:
 words,  minutes

Signup to receive these articles straight to your inbox.