I wanted to share here some good work we shared on the Rackspace developer blog last week about Sitecore security hardening.
If one is pursuing security hardening for Sitecore, the whole piece is worth reading, but it’s particularly targeting those looking for repeatable, scripted processes to apply the website configs and IIS changes that secure Sitecore to a general standard.
We get a ton of use out of this unified PowerShell script that applyies the standards from the Sitecore Security Hardening Guide: unified PowerShell script for Sitecore security hardening.
We’ve also posted to GitHub the necessary .config patches for the security hardening:
- increase login security
- remove the PhantomJS pipeline processor
- patch the SharedSecret related to Media requests.
The “unified” PowerShell script follows a pattern of downloading the .config and copies it to proper directory in the Sitecore installation:
# this .config is what we're applying: https://gist.github.com/grant-killian/b64aa6cabd18e9b0097257ee4a2dc614 $downLoadURI = "https://gist.githubusercontent.com/grant-killian/b64aa6cabd18e9b0097257ee4a2dc614/raw" $downLoadPath = "C:\localStaging\Rackspace.SecurityHardening.Step5.IncreaseLoginSecurity.config" Invoke-WebRequest -Uri $downLoadURI -OutFile $downLoadPath Copy-Item -Path $downLoadPath -Destination $rackspaceInclude #we use a "Z.Rackspace" directory under /app_config/include
This PowerShell isn’t the end of the process of securing a Sitecore implementation, but more just a start. Sitecore publishes these recommendations as part of their best practices, and what we’ve done at Rackspace it taken those recommendations and scripted them for ease of deployment across a spectrum of environments. We’ve made slight adjustments here and there to suit our perspective and experience, as there is rarely a one size fits all solution to this kind of work.