Security Best Practices?
Are there any Security Best Practices or Guidelines for deploying an umbraco website? Honestly, I couldn't find anything relevant in the wiki/forum.
thanks,
Nico.
Most of the security best practices for the installation can be found in the install guides. As for user security, give users only as much access as they need to accomplish their jobs.
Some Best Practices:
Effectively structure your document types
Utilize the content start node and media start node for all users
Only give users access to sections they must have (Non admins this should be everything but content and media)
Remove context menu items from users they should not use (manage hostnames etc)
Remove "delete" context menu item from writers
Disable a user when they no longer require access.
Advanced Best Practices
Separate your admin from the production servers and use Firewalls. Look under load balancing for more info.
Those are just a few off the top of my head.
-Chris
I have read those, thank you Chris for the fast reply. I was looking for something more detailed, those are general. Especially from the infrastructure point of view (as the ones listed under Advanced best practices). For example, I've noticed some umbraco sites don't have the "XSLT" folder, or at least I receive a 404 error. How do they do that?
thanks.
Nico.
The xslt folder by default will return a 404 error since there is no "default" document found. You should get a 404 error on your xslt folder as well if you are not hitting a specific file.
Not sure about hiding or blocking the xslt folder entirely since your web application needs to be able to read those files in order to display the site. And the presentation layer runs under the same account as someone hitting a specific file from their browser.
I've seen the xslt errors on our.umbraco.org site as well so not sure if they have even resolved it. I'll let others chime in on that.
I do know you can change the location of the /umbraco folder in the web.config under appsettings
<add key="umbracoPath" value="/umbraco" />
I know that folder is hidden more commonly.
-Chris
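An added example (not Chris's code or Umbraco's own configuration) showing the two web.config settings this thread touches: the umbracoPath key Chris mentions, and an IIS request-filtering hidden segment that makes browser requests to /xslt return 404 while the application can still read the files from disk. It assumes IIS 7 or later running the site in the integrated pipeline, and the default /umbraco and /xslt folder names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Back-office path; the key Chris mentions above. -->
    <add key="umbracoPath" value="/umbraco" />
  </appSettings>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS 7+ request filtering: any request URL containing an "xslt"
             path segment is rejected with 404 before it reaches the
             application. Umbraco loads XSLT files from disk, not over HTTP,
             so hiding the segment does not affect page rendering. -->
        <hiddenSegments>
          <add segment="xslt" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying it, requesting /xslt/ and /xslt/anyfile.xslt in a browser should both return 404, while pages that use XSLT macros still render.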