Security Issues

7 posts, 0 answered
  1. Todd
    8 posts
    Registered: 14 Aug 2007
    30 Aug 2007
    Sitefinity currently does not have a feature to expire passwords after, say, 30-45 days. Are there currently any plans to add this feature, or through code could I possibly check LastPasswordChangedDate in table telerik_Users and require the user to change their password? If the second option is possible, could you possibly submit sample code showing how this could be accomplished?

    Our network administrators also have concerns about the folder named myproject/Sitefinity for the administration piece. Is it possible to change the directory named Sitefinity to something else? I have tried changing all references to this directory in the web.config file but I still receive errors when accessing the administration portion of Sitefinity.

    Thanks

    Todd
  2. Bob
    330 posts
    Registered: 30 Dec 2016
    31 Aug 2007
    Hello Todd,

    Sitefinity uses ASP.Net Membership Services for authentication and user management. We supply built-in data providers for Membership, Role and Profile modules but you are not limited to using them. In version 3.1 we will provide extended support for Active Directory and Windows Token Provider. Also, Sitefinity 3.1 will support multiple Membership providers within a single application. This will allow you to completely separate public and administrative users. For example, you will be able to set an Active Directory provider for administrative users and a SQL provider for public users.

    Currently, there is a known issue with our SQL Membership provider. It does not respect the number of unsuccessful attempts set for login. This problem is already fixed and will be available with the next release in about a month. As a workaround you could use the SqlMembershipProvider provided with .Net framework 2.0 if you are using SQL Server, but you won’t be able to take advantage of automatic database upgrades in the future.

    For your second question, unfortunately it is not possible to change the name of the Sitefinity folder. We may provide this ability in some of the next versions though this will not really solve the problem as the new name can be easily discovered. A better approach would be to restrict the access to this folder to a certain IP address or allow access through VPN only.

    Regards,
    Bob
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
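
Since Sitefinity authenticates through ASP.NET Membership, the password-age check asked about in the first post can be written against the standard `MembershipUser.LastPasswordChangedDate` property instead of querying `telerik_Users` directly. The module below is an added example, not code from Telerik or from any poster in this thread; the class name, the 45-day limit and the `~/ChangePassword.aspx` page are assumptions, and it assumes the configured default Membership provider populates `LastPasswordChangedDate`.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: redirects authenticated users whose password is older than
// MaxPasswordAge to a change-password page. Register the module in web.config.
public class PasswordExpiryModule : IHttpModule
{
    // Assumptions: 45-day lifetime and a hypothetical change-password page.
    private static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(45);
    private const string ChangePasswordUrl = "~/ChangePassword.aspx";

    public void Init(HttpApplication app)
    {
        // Runs after Forms/Windows authentication has set HttpContext.User.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    // Pure age check, kept separate so it can be unit tested.
    public static bool IsExpired(DateTime lastChangedUtc, DateTime nowUtc)
    {
        return nowUtc - lastChangedUtc > MaxPasswordAge;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        // Let the change-password page itself through to avoid a redirect loop.
        string target = VirtualPathUtility.ToAbsolute(ChangePasswordUrl);
        if (string.Equals(ctx.Request.Path, target, StringComparison.OrdinalIgnoreCase)) return;

        // Looks the user up in the default provider without touching LastActivityDate.
        // This is one provider call per request; cache the result if that is too costly.
        MembershipUser user = Membership.GetUser(ctx.User.Identity.Name, false);
        if (user == null) return;

        // LastPasswordChangedDate is returned in local time; compare in UTC.
        if (IsExpired(user.LastPasswordChangedDate.ToUniversalTime(), DateTime.UtcNow))
            ctx.Response.Redirect(target, true);
    }

    public void Dispose() { }
}
```

Checking on every request rather than only at login means a persistent authentication cookie does not let an expired password keep working. With more than one Membership provider configured, pass the lookup to the provider that owns the account instead of the default one.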
  3. Todd
    8 posts
    Registered: 14 Aug 2007
    31 Aug 2007
    Within the documentation for migrating projects to a production server, it states that if you wanted to disable the administration for Sitefinity, the Sitefinity folder just needs to be deleted. I removed the Sitefinity folder and when I tried accessing the default page for my website I received an error describing that the file Sitefinity/cmsentrypoint.aspx could not be located. Is this a known issue or am I doing something incorrectly?
  4. Pierre
    433 posts
    Registered: 16 Feb 2006
    01 Sep 2007
    How do I protect my Sitefinity folder with access through VPN only? Please explain more.

  5. Bob
    330 posts
    Registered: 30 Dec 2016
    02 Sep 2007
    Hi Todd and Romi,

    First let me clarify this because it seems there is something misleading here. The access to the Sitefinity folder should not be limited as this will cause a malfunction of the entire site. You can limit the access to or completely delete the Admin folder within the Sitefinity folder. This is the folder that contains all the administrative pages and controls.

    Todd, where did you read this in the documentation? We should correct it immediately.

    Romi, you can filter the allowed IP addresses for the Admin folder within Internet Information Server. Please see the IIS documentation for details. So you can allow IPs from your LAN only, and when you need access from outside your LAN you can set up a VPN to your Local Area Network. Some VPN servers allow you to connect through a web browser so you do not need to install a VPN client.

    Regards,
    Bob
    the Telerik team

  6. Sean
    271 posts
    Registered: 31 May 2006
    04 Sep 2007
    Hi Bob,

    It is on Page 27 under the header Migrating Projects to the Production Web Server of the User Manual that states to delete the Sitefinity Folder.

    Cheers
    Sean
  7. Sonya
    231 posts
    Registered: 24 Sep 2012
    04 Sep 2007
    Hi Sean,
    Hi Todd,

    Thank you for bringing our attention to this misleading information in the User Manual. We will correct it and it will be renewed for the upcoming release. 


    Kind regards,
    Sonya
    the Telerik team
