Prev Next

Print

The following sub-sections describe how to set appropriate security settings when running Sitecore V5.  These settings are most appropriate for production servers.

1.  Set Root Folder Permissions

The ASPNET user (known as the Network Service user on Windows 2003) must have “List Folder Contents” permissions from file system root folder (e.g. "d:\") and down to the site’s installation folder.

• NOTE:
  
  If anonymous access to the site has been allowed in IIS Management Console and impersonation has been enabled in web.config with the following: 
  
  <identity impersonate="true" />
  
  it is necessary to grant “List Folder Contents” permissions to Internet Guest User (IUSR_<MachineName>) instead of ASPNET user.

2.  Set Indexes Folder Permissions

The ASP.NET user must have the modify access rights to the /indexes directory under the web root.

3.  Move the Data Folder

We strongly recommend moving the data folder to a non-public area.

• NOTE:
  
  If you do not move the data folder, visitors will be able to download any of the files contained in this directory by typing a direct URL to the file.  Many of the files in the data folder contain sensitive information that should not be available to unauthorized access. 

To protect this sensitive information, move the data folder to a non-public area of the disk. Remember to set read/write rights for the ASPNET,IUSR_<MachineName>, or Network Service user on the data folder (see the Data, Upload, and Layout Folders Settings section below).

Once moved, you'll need to configure Sitecore to select data from the new location by modifying the DataFolder setting in the web.config file (located in the root directory of your site). 

 <setting name="DataFolder" value="d:\data" /> 

Update the following keys to point to the new data directory location:

• AuditFile 
  
  <setting name="AuditFile" value="d:\data\audit.txt" />
   
• LicenseFile
  
  <setting name="LicenseFile" value="d:\data\license.xml" />
   
• Log4Net
  
  <setting name="LogFolder" value="d:\data\logs" />
  
  ...
  
  <log4net>
      <!-- LOGGING SETTINGS
           The file element defines the location of the log files. This location must
           be the same as the setting in LogFolder. The file element is a relative or
           absolute path that always uses slashes (/) as separators. A valid file
           element for a relative path would be:
          
             <file value="/data/logs/log" />
            
           A valid element for an absolute path would be:
          
             <file value="C:/inetpub/wwwroot/data/logs/log" />
            
           For further information refer to the Log4Net documentation.
      -->
      <appender name="LogFileAppender" type="log4net.Appender.SitecoreLogFileAppender">
        <file value="d:/data/logs/log" />
   
• PackagePath 
  
  NOTE: due to an error in the packager, use double backslash \\ in any absolute paths.
  
  <setting name="PackagePath" value="d:\\data\\sitecore.net\\packages" />
  
  NOTE: If you use absolute path in PackagePath setting, you will get the “Empty string is not allowed” error on Browse button click. However, you can type the name of the package in the textbox and install the package.
  
  

NOTE: If you use Firebird databases, you should modify connection strings so they point to correct location of database files.

Please read more about configuring Firebird here:

http://sdn.sitecore.net/Products/Sitecore%20V5/Configuring%20Sitecore/Configuring%20Firebird.html

4.  Set Execute Permissions on the Upload Folder

You should set the Execute Permission to None in the IIS MMC in order to prevent the execution of an uploaded file on the server side when a user attempts to download it. Choose properties for the upload folder in IIS MMC.

5.  Data, Upload, Temp, Debug, Layouts and xsl Folders Settings

To allow upload and modification of the site, Read/Write rights must be set for the following folders:

• /data
• /upload
• /temp (if this directory does not exists immediatly after installation, create it).
• /sitecore/shell/Applications/debug (if this directory does not exists immediatly after installation, create it).
• /sitecore/shell/Controls/debug (if this directory does not exists immediatly after installation, create it). 
• /layouts (only if you need to develop & change layouts on the live site).
• /xsl (only if you need to develop & change xsl files on the live site).

(If you create custom XML controls, all directories specified in the ControlSources section of the web.config must be applied with a debug folder that should have read/write rights.)  

NOTE: You should have moved the location of the data folder by now (see the Move the Data Folder section above).

To set the security settings on these folders do the following:

• Use the Windows Explorer to right-click the designated folder. 
• Select properties.
• Click on the security tab and add a new user (click Add ...).
• This user type should be ASPNET/Network Service and IUSR_<MachineName>.
• Set read/write security rights for both users.
• Remove the “everyone” user, if set.
• Perform this step for each folder.

NOTE: The screenshot above applies to Windows 2000 only.

6.  Protect the Admin and Debug Folders

Sitecore contains various administrative, debugging information, and profiling aspx pages. They are located in the /sitecore/admin and /sitecore/debug folders. Those folders should be protected by removing anonymous access in the IIS manager.

Prev Next