Disable administrative tools

Abstract

How to secure the administrative tools in Sitecore.

Sitecore contains a number of helpful administrative tools. While these tools can be useful when troubleshooting issues in a production environment, we recommend that you disable them when you are not using them.

Important

You must never enable these administrative tools in a Content Delivery environment, or in a Content Management environment that is exposed to the internet.

To disable an administrative tool:

  1. In the <Webroot>/sitecore/admin folder, locate the relevant file.

  2. Add .disabled at the end of the existing file name. For example:

    Old name: logs.aspx

    New name: logs.aspx.disabled

You can disable the following ASPX pages:

  • Cache.aspx

  • DBCleanup.aspx

  • dbbrowser.aspx

  • ShowServicesConfig.aspx

  • eventqueuestats.aspx

  • FillDB.aspx

  • InstallLanguage.aspx

  • Jobs.aspx

  • LinqScratchPad.aspx

  • Logs.aspx

  • MediaHash.aspx

  • PackageItem.aspx

  • PathAnalyzer.aspx

  • Pipelines.aspx

  • PublishQueueStats.aspx

  • RawSearch.aspx

  • RebuildKeyBehaviorCache.aspx

  • RebuildReportingDB.aspx

  • RedeployMarketingData.aspx

  • RemoveBrokenLinks.aspx

  • restore.aspx

  • SecurityTools.aspx

  • serialization.aspx

  • SetSACEndpoint.aspx

  • ShowConfig.aspx

  • SqlShell.aspx

  • stats.aspx

  • unlock_admin.aspx

The following administrative tools are disabled by default:

  • FillDB.aspx

  • Unlock_admin.aspx

  • SqlShell.aspx

The SqlShell.aspx tool is a very powerful tool for which some extra rules apply.

To control the availability of the SqlShell.aspx tool, you can create an empty file in the <Webroot>/sitecore/admin folder called enabled or disabled. This file must not have an extension and does not need to contain any information. These files are not part of the default Sitecore installation.

When you run the SqlShell.aspx tool, it checks for these files.

If there is no enabled or disabled file:

  • The tool is available if you are using HTTPS.

  • The tool is not available if you are using HTTP.

If there is an enabled file:

  • The tool is available if you are using either HTTPS or HTTP.

If there is a disabled file:

  • The tool is not available if you are using either HTTP or HTTPS.

Important

To prevent anyone from accessing the SqlShell.aspx tool, we recommend that you create a disabled file.
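
The rename rule and the SqlShell.aspx marker-file rules above can be checked with a read-only audit script. This is an added example, not Sitecore's own code: it lists every file in the admin folder that still has an .aspx extension and reports the SqlShell.aspx availability implied by the enabled and disabled files. The default webroot path, the function name and the handling of both marker files being present are assumptions.

```powershell
# Added example: read-only audit of the <Webroot>/sitecore/admin folder.
param(
    # Hypothetical default; pass the real webroot of the instance.
    [string]$Webroot = 'C:\inetpub\wwwroot\MySite'
)

$adminDir = Join-Path $Webroot 'sitecore\admin'
if (-not (Test-Path -LiteralPath $adminDir -PathType Container)) {
    throw "Admin folder not found: $adminDir"
}

# A tool counts as disabled once its name ends in .disabled (logs.aspx.disabled),
# so every file whose extension is still .aspx is reported as enabled.
$enabledTools = @(Get-ChildItem -LiteralPath $adminDir -File |
    Where-Object { $_.Extension -eq '.aspx' } |
    Sort-Object Name)

# SqlShell.aspx marker files: no extension, content irrelevant.
$hasEnabled  = Test-Path -LiteralPath (Join-Path $adminDir 'enabled')  -PathType Leaf
$hasDisabled = Test-Path -LiteralPath (Join-Path $adminDir 'disabled') -PathType Leaf

function Get-SqlShellAvailability {
    param([bool]$Enabled, [bool]$Disabled)
    if ($Enabled -and $Disabled) {
        # Assumption: the page defines no precedence, so flag it for review.
        return 'AMBIGUOUS: both marker files exist; remove the enabled file'
    }
    if ($Disabled) { return 'not available over HTTP or HTTPS' }
    if ($Enabled)  { return 'AVAILABLE over both HTTP and HTTPS' }
    return 'AVAILABLE over HTTPS only (no marker file)'
}

"Admin folder: $adminDir"
if ($enabledTools.Count -eq 0) {
    'No enabled .aspx tools found.'
} else {
    "Enabled tools ($($enabledTools.Count)):"
    $enabledTools | ForEach-Object { "  $($_.Name)" }
}

if ($enabledTools.Name -contains 'SqlShell.aspx') {
    'SqlShell.aspx: ' + (Get-SqlShellAvailability -Enabled $hasEnabled -Disabled $hasDisabled)
} else {
    'SqlShell.aspx: not present under an .aspx name'
}
if (-not $hasDisabled) {
    'Recommendation from the page: create an empty file named "disabled" in this folder.'
}
```

The script changes nothing on disk; run it against each Content Delivery and Content Management webroot and treat any listed tool as one to rename.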