How to secure your Sitefinity CMS platform


A 10 point plan for securing Sitefinity CMS

We have already taken a look at plans to secure Kentico & Sitecore. This article focuses on the quick wins and first-pass audit you can execute to ensure your Sitefinity CMS is secure.

Just for total clarification, the steps outlined in this article describe best practice and will considerably lower the ‘percentage of risk’ if the platform is compromised.

For our overall thoughts on Sitefinity and its latest release, click here.

1. Configure the password format

When creating a user, the developers can specify how the password is stored in the database. You can choose between the following values of the “MembershipPasswordFormat”:

  • Clear
  • Hashed
  • Encrypted

For more information about each value, read here. It’s important that this is configured appropriately, as it has a knock-on effect on ‘Point 6 - Password recovery email’.


2. Configure the self-logout dialogue recurrence

Use this procedure to configure when and whether the self-logout dialogue is displayed. 

Generally, this dialogue notifies users when someone else is using their credentials to log in to Sitefinity, with a message noting that “Someone is already logged in under this username” and a button to “Log the other user off and enter”.

3. Turn off autocomplete of login ‘usernames’

Depending on requirements you may want to disable the browser autofill for the login fields. 

Clicking on the following article will provide step-by-step details on how to perform this.

4. Secure permissions for modules

Sitefinity CMS can automatically demand permissions when using modules, provided that your developers configure and use these in development. We often see this as a common issue when we perform code audits of Sitefinity sites, especially if the work carried out has been completed by non-certified Sitefinity developers. 

Here are some examples of what the developer may have to undertake in order to have a secured module:

  • Decide which data items (model items) to secure and what security actions to perform on them.
  • Choose from the built-in permission sets or create new ones to suit your needs.
  • Decide on the permissions inheritance, if you are going to use granular permissions.
  • Implement “SecuredObject” on your secured model classes.
  • Make your providers initialize the security root.
  • Secure provider methods with attributes. 
  • If you are not using OpenAccess, implement security hooks in your provider decorator.
  • Make your queries hide elements that do not have the view permission.

5. Lock account after X password attempts

In Sitefinity CMS, each user is allowed a limited number of failed logins within a specified attempt time window. When the limit is exceeded, the user gets locked out and cannot log in until the attempt window expires. The lockout can be caused by either wrong password or wrong password answer inputs.

For example, the provider is configured to allow a maximum of 5 login attempts for a window of 10 minutes. A user tries to log in at 12:00 PM and fails. The start of the attempt window is 12:00 PM. If the user fails to log in 4 more times before 12:10 PM, the user will get locked out. If the user gets locked out, he will be able to log in after the attempt window expires – after 12:10 PM.
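The lockout rule above, modelled as an added example (this is not Sitefinity code; the class, method and user names are hypothetical, and clearing the counter on a successful login is an assumption). It replays the 12:00 PM timeline and shows that the length of the lockout depends on when the fifth failure lands inside the window.

```python
from datetime import datetime, timedelta

class LockoutModel:
    """Model of the attempt-window lockout described in the text."""

    def __init__(self, max_attempts=5, window_minutes=10):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.state = {}  # username -> (window_start, failed_count)

    def _current(self, user, now):
        """Return (window_start, failures), discarding an expired window."""
        start, count = self.state.get(user, (None, 0))
        if start is not None and now >= start + self.window:
            self.state.pop(user, None)
            return None, 0
        return start, count

    def unlock_time(self, user, now):
        """Time the lockout ends, or None if the user is not locked out."""
        start, count = self._current(user, now)
        return start + self.window if count >= self.max_attempts else None

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.unlock_time(user, now) is not None:
            return "locked"  # even a correct password is refused
        if password_ok:
            self.state.pop(user, None)  # assumption: success clears the count
            return "ok"
        start, count = self._current(user, now)
        # The first failure opens the window; later ones only count up.
        self.state[user] = (start if start is not None else now, count + 1)
        return "failed"

def replay_page_example():
    """Replay the 12:00 PM scenario with constructed timestamps."""
    day = datetime(2017, 1, 27)  # constructed date
    at = lambda h, m, s=0: day.replace(hour=h, minute=m, second=s)
    model = LockoutModel(max_attempts=5, window_minutes=10)
    results = [model.attempt("editor", False, at(12, m)) for m in (0, 2, 4, 6, 9)]
    results.append(model.attempt("editor", True, at(12, 9, 30)))  # inside window
    unlock = model.unlock_time("editor", at(12, 9, 30))
    results.append(model.attempt("editor", True, at(12, 11)))     # window expired
    return results, unlock, unlock - at(12, 9)
```

In this replay the fifth failure arrives at 12:09 PM, so the account stays locked for only one minute; a longer window is what lengthens the lockout.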

6. Password recovery email

Within Sitefinity there are 2 options. The first, and more universal, setting is ‘Password Reset’: when a user requests their password, a new password is generated and then sent to them.

The second setting, ‘Password Retrieval’, indicates that Sitefinity CMS must retrieve the original password and send it to the user. Please be aware that the default ‘password format’ is Hashed, the most secure one, and as hashed passwords cannot be retrieved, Sitefinity will reset the password and send a new one. If you want to retrieve the current password, ‘password format’ must be set to Encrypted or Clear rather than Hashed.
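How the password format from point 1 interacts with the recovery setting from this point, as an added audit example (not code from Sitefinity or from this article). The XML fragment is constructed, and its element and attribute names follow ASP.NET membership provider naming, which is an assumption about how these settings appear in your configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one weak provider, one hardened, one mixed.
SAMPLE_CONFIG = """
<membershipProviders>
  <add name="Legacy" passwordFormat="Clear"
       enablePasswordRetrieval="true" enablePasswordReset="false" />
  <add name="Default" passwordFormat="Hashed"
       enablePasswordRetrieval="false" enablePasswordReset="true" />
  <add name="Mixed" passwordFormat="Hashed"
       enablePasswordRetrieval="true" enablePasswordReset="true" />
</membershipProviders>
"""

def audit_providers(xml_text):
    """Return {provider name: [findings]} for every provider element."""
    report = {}
    for node in ET.fromstring(xml_text).iter("add"):
        # The article states that Hashed is the default format.
        fmt = node.get("passwordFormat", "Hashed").lower()
        # Assumption: retrieval is off when the attribute is absent.
        retrieval = node.get("enablePasswordRetrieval", "false").lower() == "true"
        findings = []
        if fmt == "clear":
            findings.append("passwords are stored in clear text")
        elif fmt == "encrypted":
            findings.append("passwords are stored reversibly")
        elif fmt != "hashed":
            findings.append("unrecognised password format: " + fmt)
        if retrieval and fmt == "hashed":
            findings.append("retrieval is enabled but hashed passwords cannot "
                            "be retrieved, so a reset is sent instead")
        elif retrieval:
            findings.append("the original password is sent to the user by email")
        report[node.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_providers(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```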

7. Use an SSL for the login page

Secure Sockets Layer (SSL) is a protocol that provides communication security over the network. SSL is useful when you have sensitive information, such as login credentials or credit card information, transferred over the network. It is invaluable to keep this information secure over the web. 

How to configure and install an SSL can be found here.

8. The Role Manager

The Role Manager allows you to grant or deny certain permissions within the Sitefinity UI to the role that a user account is tied to.

A page displaying all permissions, grouped in categories, appears:

  • If a role has permission for a certain action, the system displays  in column Allow.
  • If a role does not have permission for a certain action, nothing is displayed in column Allow.
  • If a role is explicitly denied permission for a certain action, the system displays a column Deny and displays in the column.

For more information about implicit and explicit denial of permissions, see the Sitefinity documentation on permissions.

9. Keeping the system up-to-date

Keep the system up to date by applying the latest hotfixes.

Further information about security updates can be found on Sitefinity’s own knowledge base, which is another great resource.

10. Sitefinity Workflow

Applying a workflow allows you to manage the lifecycle of content items and pages. By default, you use the standard lifecycle workflow, but you have the flexibility to create one or two levels of approval for managing the lifecycle of content items and pages. Alternatively, you can upload your custom workflow.

The table below is an example of workflow types, the steps and permission rights involved:

| Type of workflow | Lifecycle steps | Rights |
| --- | --- | --- |
| Standard lifecycle management | Create and Publish | All users with proper permissions. |
| Approval before publishing | Create and Send for Approval » Publish | Create and send for approval: All users with proper permissions. Publish: Users set as approvers when you defined the workflow. |
| 2 levels of approval before publishing | Create and Send for Approval » Send for Publishing » Publish | Create and send for approval: All users with proper permissions. Send for publishing: Users set as first level of approvers when you defined the workflow. Publish: Users set as the second level of approvers when you defined the workflow. |

10. Consultation and a Security Review

Doing these 10 points above will help secure your Sitefinity site and is a great starting point. Moving forward, you may want to do more and carry out your due diligence to make sure that your platform is as secure as it could be.

Quba can review your current site to illustrate your strengths and weaknesses.
We can provide recommendations that will increase security and ensure best practice is adhered to and, if required, physically perform the upgrades and execute delivery.

Call: 0114 279 7779 or Email: hello@quba.co.uk to speak to a Quban if you require any guidance on this topic.

27 Jan 2017
Chris Bainbridge