
  • Nicolás Lope de Barrios 21 posts 42 karma points
    Jun 15, 2010 @ 22:58
    Nicolás Lope de Barrios
    0

    Security Best Practices?

    Are there any Security Best Practices or Guidelines for deploying an umbraco website? Honestly, I couldn't find anything relevant in the wiki/forum.

    thanks,

    Nico.

  • Chris Dunn 210 posts 401 karma points
    Jun 15, 2010 @ 23:11
    Chris Dunn
    0

    Most of the security best practices for the installation can be found in the install guides.  As for user security, give users only as much access as they need to accomplish their jobs.

    Some Best Practices:

    • Effectively structure your document types
    • Utilize the content start node and media start node for all users
    • Only give users access to sections they must have (Non admins this should be everything but content and media)
    • Remove context menu items from users they should not use (manage hostnames etc)
    • Remove "delete" context menu item from writers
    • Disable a user when they no longer require access.

    Advanced Best Practices

    • Separate your admin from the production servers and use Firewalls.  Look under load balancing for more info.
    • Utilize Active Directory/LDAP for user provider

    Those are just a few off the top of my head.

    -Chris

     

  • Nicolás Lope de Barrios 21 posts 42 karma points
    Jun 15, 2010 @ 23:26
    Nicolás Lope de Barrios
    0

    I have read those, thank you Chris for the fast reply. I was looking for something more detailed, those are general. Especially from the infrastructure point of view (as the ones listed under Advanced best practices). For example, I've noticed some umbraco sites don't have the "XSLT" folder, or at least I receive a 404 error. How do they do that?

    thanks.
    Nico.

  • Chris Dunn 210 posts 401 karma points
    Jun 15, 2010 @ 23:50
    Chris Dunn
    0

    The xslt folder by default will return a 404 error since there is no "default" document found.  You should get a 404 error on your xslt folder as well if you are not hitting a specific file.

    Not sure about hiding or blocking the xslt folder entirely since your web application needs to be able to read those files in order to display the site.  And the presentation layer runs under the same account as someone hitting a specific file from their browser.

    I've seen the xslt errors on our.umbraco.org site as well so not sure if they have even resolved it.  I'll let others chime in on that.

    I do know you can change the location of the /umbraco folder in the web.config under appsettings

    <add key="umbracoPath" value="/umbraco" />

    I know that folder is hidden more commonly.

    -Chris
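
Added example, not part of the thread and not Umbraco's own configuration: one way to make direct browser requests for files under the xslt folder return a 404 while the application keeps reading them from disk. It assumes IIS 7 or later with the Request Filtering module enabled, and that the folder is named xslt at the site root.

```xml
<!-- Fragment for the site's root web.config (added example).
     Assumptions: IIS 7+ with Request Filtering available; the XSLT
     files live in a folder named "xslt" directly under the site root. -->
<configuration>
  <!-- Scope the rule to URLs under /xslt only, so other paths that
       happen to serve .xslt content are not affected. -->
  <location path="xslt">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <!-- HTTP requests for *.xslt in this folder are rejected
                 with a 404 by IIS before any handler runs. -->
            <add fileExtension=".xslt" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Request filtering only inspects incoming HTTP requests, so file reads the application performs through the file system are unaffected. After applying it, request a known .xslt file from a browser and render a page that uses an XSLT macro to confirm both behaviours.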
