
How do I secure the Sitefinity back end pages?

34 posts, 0 answered
  1. Dan Sorensen
    256 posts
    Registered: 13 Aug 2010
    25 Apr 2012
    I have seen various forum threads on this topic, but most are very, very old. What are the current best practices for 5.x to secure the Sitefinity backend pages from hackers?

    - I have seen some say apply SSL to the /Sitefinity folder via IIS, but then others say that causes issues with themes that are located in App_Data

    - I have seen some posts say that backend pages are forced to http not https unless some setting is enabled for each individual page.

    Any updates to these practices? What do you do to keep your site secure?
  2. Andrei
    24 posts
    Registered: 22 Jan 2011
    25 Apr 2012
    Good question.
  3. Peter
    42 posts
    Registered: 22 Aug 2011
    04 May 2012
    I am also curious. What is the best way?

    Regards,
    Peter
  4. MB
    302 posts
    Registered: 09 Jan 2005
    05 May 2012
    Telerik seem to indicate their preference with their own site - try to access the sitefinity folder of this site and you get a 403 forbidden - which would seem to suggest they may be applying an IIS whitelist to that page or section of the site.
  5. Owain
    110 posts
    Registered: 17 Jan 2012
    08 May 2012
    Interesting question and also something that would be good to see answered.
    What I have seen in the past is a key being required when accessing an admin backend. It would be good if sitefinity built something like this in to its site.
    e.g. if you try to access www.mydomain.com/sitefinity it would just point you back to the home page, if however you entered www.mydomain.com/sitefinity?myKey you would get the admin login page.

  6. Peter
    42 posts
    Registered: 22 Aug 2011
    08 May 2012
    I tried the solution in this article. When I am going to my site http://www.domain.com/sitefinity I am still redirected to http://www.domain.com/Sitefinity/Authenticate/SWT?etc (note the http). When I try to login (through http) I am getting an error "Missing configuration for the requesting relying party "https://www.domain.com"". When I replace the http in the url with https, it works! Why is it not redirected immediately to https?

  7. Peter
    42 posts
    Registered: 22 Aug 2011
    11 May 2012
    @Telerik, what do you suggest for securing backend pages? Or is the suggestion in the article mentioned in the previous message the way to go (and if so, how can the mentioned issue be fixed)?
  8. MB
    302 posts
    Registered: 09 Jan 2005
    19 May 2012
    FWIW: This is my current solution, courtesy of Telerik support.
    This is basically a 4/5 implementation of the method I used on previous V3 sites.

    IIS IP Address restrictions:
    --------------------------------------
    /Sitefinity
    - Add Address Whitelist for Folder
    - Access for unspecified Clients = Deny    (Feature Settings at Folder)

    /Sitefinity/Services
    - Access for unspecified Clients = Allow    (Feature Settings at Folder)

    Of course, Security restrictions are always a ‘YMMV’ solution, and I can only vouch for it working on my own sites, but so far it gives me what I need:
    - Anonymous users can access the public site
    - White-listed addresses can access the admin site
    - Non-listed addresses get a 403 forbidden if they try to access the admin site
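The IIS Manager settings MB lists above, written out as a web.config fragment so they can be versioned with the site. This is an added example, not MB's configuration and not anything from Telerik; the addresses are placeholders from the documentation ranges, and the two folder paths are the ones named in the post.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not MB's configuration: the IIS "IP Address and Domain Restrictions"
     settings from the post, expressed in web.config. The addresses are placeholders;
     put your own office egress / VPN addresses here. -->
<configuration>

  <!-- /Sitefinity (the admin UI): every client that is not on the list gets 403 Forbidden -->
  <location path="Sitefinity">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- office egress address (placeholder) -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- VPN address pool (placeholder), given as address plus subnet mask -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- /Sitefinity/Services: re-opened to unlisted clients, because pages and widgets on the
       public site call these services from the visitor's browser -->
  <location path="Sitefinity/Services">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true" />
      </security>
    </system.webServer>
  </location>

</configuration>
```

Two things to check before relying on this. The ipSecurity section is locked at the server level by default, so the fragment is ignored or raises a configuration error until it is unlocked in IIS Manager's Feature Delegation or with `appcmd unlock config -section:system.webServer/security/ipSecurity`. And behind a load balancer or SSL-offloading proxy, as Tony describes later in the thread, IIS sees the proxy's address as REMOTE_ADDR for every request, so the list would have to be enforced on the proxy rather than in IIS.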
  9. Dan Sorensen
    256 posts
    Registered: 13 Aug 2010
    21 May 2012
    So if I understand this right, there is no SSL solution for Admin access? The Sitefinity folder will be open to man in the middle attacks unless we restrict access to it on an IP basis and then use something like a VPN tunnel to reach it remotely?

    I really hope there is something better than that, but I at least need to know if what I stated above is true so that we can plan accordingly.
  10. MB
    302 posts
    Registered: 09 Jan 2005
    21 May 2012
    @Dan

    Just to be clear about my current solution - this is a specific approach I took (to emulate what I had been doing in the past with V3) and tech support gave me guidance on that request.

    I didn't ask 'what is the best solution?' and it may well not be the best... I simply asked 'how do I use IIS IP whitelists with V5?'.

    However, I've actually encountered an issue with it since, and am currently trying to resolve it... I'll update if/when I do.
  11. Tony
    20 posts
    Registered: 12 Oct 2012
    22 May 2012
    We use an F5 appliance, Big IP, for load balancing and SSL offloading... We're getting a new wildcard cert for our domain soon. I had intended on using our appliance to force SSL on all page requests with /sitefinity. As long as I don't write a rule to force them back to HTTP if they go to a page without /sitefinity, I'm thinking it should keep them in HTTPS, which is preferable because editing a lot of content types removes the /sitefinity from the url. If they happened to go back to the public site they would probably stay in HTTPS, but considering it's only my admin users I'm not too concerned about that. When we get this cert and I apply a solution I'll post back. I know it's not exactly a universal solution, but then again a simple Big IP iRule like this could probably be written in IIS URL Rewriting pretty easily to accomplish the same thing.
  12. Dan Sorensen
    256 posts
    Registered: 13 Aug 2010
    22 May 2012
    Tony - I am pretty certain that the Sitefinity backend will revert to HTTP on each click, even if you start with HTTPS.
  13. Tony
    20 posts
    Registered: 12 Oct 2012
    22 May 2012
    Well, one of the good things about Big IP is that, as far as the Sitefinity servers are concerned, all requests are coming from the Big IP load balancing IPs in HTTP traffic (which looks funny in my IIS logs when 99.9% of the traffic came from one of two IPs). This has its advantages for me potentially forcing SSL, as Sitefinity will most likely be unaware it's even occurring. However, a major disadvantage of using this load balancer is licensing and the load balancing module in Sitefinity, or so we speculate with the significant admin performance issues we experience in our current environment.

    Anyways it'll be worth a shot for me, but if it can't be replicated with something like IIS rewrite it won't be a very good solution for anyone who doesn't already have a need for one of these appliances in their enterprise.  Has anyone tried URL Rewrite though to see if it can force SF HTTPS on specific rules?  If it did force SSL and it only reverted back to HTTP on various content edits you could circumvent that with an additional rule that looks for /Action/Edit and the various other requests.  What I'm concerned about is when my browser calls something like /Telerik.Web.UI.Webresource.axd.. I believe Big IP would let me circumvent most of the forces to SSL, but I'm not entirely sure if it would force a web service like that.. I'm thinking it all depends on session management and how our appliance deals with calls like that from the same session.. Sounds like my whole theory could be busted before I even try it, but it won't hurt anything to give it a shot.
  14. Dan Sorensen
    256 posts
    Registered: 13 Aug 2010
    22 May 2012
    From the little I have learned through trial and error I think you are on the right track. I'm coming to the same conclusions. I'm just surprised that there isn't more information published about the best practices of securing Sitefinity. Hopefully someone who has secured a Sitefinity site will see this thread and add some additional knowledge.
  15. MB
    302 posts
    Registered: 09 Jan 2005
    23 May 2012
    FWIW: http://www.sitefinity.com/sitefinity

    This *appears* to indicate Telerik are using IP Whitelisting on their own site.
  16. Juliana
    2 posts
    Registered: 05 Feb 2008
    26 Dec 2012
    Have you got any updates on it?
  17. Georgi
    3583 posts
    Registered: 28 Oct 2016
    26 Dec 2012
    Hello,

    Yes, this (white-listing) is the preferable way, if you can't trust even user/roles with CMS Backend access rights. For more protected logins you can also use the Claims implementation and make sure to put the Tokens issuer behind a firewall or under SSL.

    Regards,
    Georgi
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  18. MB
    302 posts
    Registered: 09 Jan 2005
    26 Dec 2012 in reply to Georgi

    FWIW: My current solution is detailed at the end of the following thread.

    http://www.sitefinity.com/developer-network/forums/general-discussions-/securing-sf-admin-area

    Basically, it's an example of using IIS url rewrite module to white-list the Sitefinity authentication page (which you can't do using the simple IP restriction module).

    Unfortunately, I don't know if this is sufficient to truly secure the back-end, but it's at least better than leaving the login available to anonymous login attempts.
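Tony's idea of forcing /sitefinity onto HTTPS with a rewrite rule, and MB's rewrite-based whitelist of the authentication page, as one added web.config fragment for the IIS URL Rewrite module. These are not MB's rules from the linked thread and not Tony's iRule; the address patterns and the `sitefinity/authenticate/` path prefix (taken from the SWT URLs quoted in this thread) are assumptions to adjust for your site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example for the IIS URL Rewrite module (not MB's rules from the linked thread and
     not Tony's iRule). The address patterns and the authentication path are assumptions. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>

        <!-- Rule 1: a plain-HTTP request for anything under /sitefinity is redirected to the
             same URL (query string included) over HTTPS. {R:0} is the whole matched path. -->
        <rule name="Backend over HTTPS" stopProcessing="true">
          <match url="^sitefinity(/.*)?$" ignoreCase="true" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}"
                  appendQueryString="true" redirectType="Permanent" />
        </rule>

        <!-- Rule 2: the authentication endpoint is answered with 403 unless the client address
             is on the list. MatchAll over negated patterns reads as "none of these addresses". -->
        <rule name="Whitelist backend login" stopProcessing="true">
          <match url="^sitefinity/authenticate/.*" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- office egress address (placeholder) -->
            <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.10$" negate="true" />
            <!-- VPN pool 198.51.100.0/24 (placeholder) -->
            <add input="{REMOTE_ADDR}" pattern="^198\.51\.100\.\d{1,3}$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Backend login is restricted to listed addresses" />
        </rule>

      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two caveats that the thread itself supplies. The redirect only changes the scheme of the incoming request; Peter's and Marko's "Missing configuration for the requesting relying party" errors show that the realm in web.config must be https as well, otherwise the STS hands the browser a realm=http URL and the login fails after the redirect. And with SSL offloaded at an F5, as in Tony's setup, IIS sees plain HTTP on every request, so the {HTTPS} condition is always "off" and rule 1 loops; there the offloader either performs the redirect itself or forwards an X-Forwarded-Proto header, which the condition can read as {HTTP_X_FORWARDED_PROTO} instead of {HTTPS}.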

  19. Marko
    148 posts
    Registered: 30 Jul 2008
    13 Feb 2013

    Any new information on this?  I see that this post has been last updated on 1/25/2013:

    Securing a Sitefinity Backend with SSL

    ...and I was initially comforted to finally see an official set of instructions on this from Telerik, but alas, it didn't work.  :-(

    First, the instructions weren't clear on whether you should leave "https://localhost/etc." or change to "https://www.mysite.com/etc." (in steps 1 and 2). After I changed those from localhost to www.mysite.com it started looking more promising. I got the login page. However, after authenticating successfully, I receive the error:

     Missing configuration for the requesting relying party "http://www.mysite.com".

    Upon closer inspection, the URL in the address bar is:

    https://www.mysitecom/Sitefinity/Authenticate/SWT?realm=http%3a%2f%2fwww.mysite.com%2f&redirect_uri=%2fsitefinity&deflate=true

    Changing that manually to

    https://www.mysitecom/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2fwww.mysite.com%2f&redirect_uri=%2fsitefinity&deflate=true

    ...seems to work, and I'm able to get past the login screen.  I tried editing a page.  It switches back to http, but upon publishing, goes back to https when displaying the backend.  I suppose that's OK.

    The main concern for me is to protect the login page (even if the rest of backend goes over HTTP).  It seems weird that we should be having to beg and plead Telerik to allow us to log in our site editors SECURELY.  I've been with Sitefinity since version 3.2, and this STILL hasn't been addressed.  At least back then, I could insert my own code into Login.aspx and enforce ssl.  Now, that's a lot more complicated.

    So... Long story short... Is it still preferred to do IP white-listing or should we follow the instructions outlined by Telerik at the link above?  If latter, then how should those settings be changed so that they work correctly?

  20. Stefani Tacheva
    718 posts
    Registered: 06 Dec 2016
    18 Feb 2013
    Hello Marko,

    Thank you for the information. I have made some changes to the KB article. For your convenience please refer to:

    Securing a Sitefinity Backend with SSL

    Note that if you change the realm to realm="https://localhost" you will be automatically redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true when you enter http://localhost/sitefinity

    If you want to change all backend pages to require SSL, please execute the following source code:

    Code-behind file (SetSSLPages.aspx.cs):
    using System;
    using Telerik.Sitefinity;
    using Telerik.Sitefinity.Data;
    using Telerik.Sitefinity.Security;
    using Telerik.Sitefinity.Security.Model;

    namespace COFSitefinity5
    {
        public partial class SetSSLPages : System.Web.UI.Page
        {
            protected void SubmitButton_Click(object sender, EventArgs e)
            {
                // Authenticate as a backend administrator so the fluent API runs with that user's permissions.
                // Replace "admin" and "password" with real credentials, and remove this page from the site
                // once it has been run: it carries those credentials in source.
                var validate = SecurityManager.AuthenticateUser(UserManager.GetDefaultProviderName(), "admin", "password", false);
                bool authenticated = validate == UserLoggingReason.Success;
                if (!authenticated)
                {
                    return; // leave the pages untouched if the login failed
                }

                // "On" sets RequireSsl on every backend page; "Off" clears it again.
                var sslOn = SSLSettings.SelectedValue == "On";
                var app = App.WorkWith().Pages();
                var pages = app.LocatedIn(Telerik.Sitefinity.Fluent.Pages.PageLocation.Backend).Get();

                foreach (var page in pages)
                {
                    if (page.Page != null)
                    {
                        page.Page.RequireSsl = sslOn;
                    }
                }

                // Persist the changes made through the fluent API
                TransactionManager.CommitTransaction(app.GetManager().TransactionName);
            }
        }
    }

    Please make the necessary changes in the username and password. This code will authenticate a specific user and will turn on the REQUIRE SSL property for all backend pages after the button is clicked.

    Aspx file (SetSSLPages.aspx):
    <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SetSSLPages.aspx.cs" Inherits="COFSitefinity5.SetSSLPages" %>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>

        <asp:RadioButtonList ID="SSLSettings" runat="server">
            <asp:ListItem Text="Turn SSL On" Value="On" Selected="True"></asp:ListItem>
            <asp:ListItem Text="Turn SSL Off" Value="Off"></asp:ListItem>
        </asp:RadioButtonList>

        <br />

        <asp:Button ID="SubmitButton" runat="server" Text="Update Backend Pages"
                OnClick="SubmitButton_Click" />

        </div>
        </form>
    </body>
    </html>

    Build the project and run the form by right-click on the form and selecting View in browser. After that select Turn on SSL and click the button.

    Greetings,
    Stefani Tacheva
    the Telerik team
  21. Marko
    148 posts
    Registered: 30 Jul 2008
    19 Feb 2013 in reply to Stefani Tacheva
    Stefani Tacheva said: Hello Marko,

    Note that if you change the realm to realm="https://localhost" you will be automatically redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true when you enter http://localhost/sitefinity

    Stefani, this makes it sound like it's optional to change realm="https://..." and that you could leave it as realm="http://..." But if you do that, it simply doesn't work. You get an error. So, either I'm missing something, or the documentation is still not clear.

    Second... Are we LITERALLY supposed to put "localhost" or adapt to our site domain name (e.g. realm="https://www.mysite.com")? This is also not clear. It seems that if you leave http://localhost everything works fine on a non-SSL site. But if you follow Telerik's instructions on securing the backend, and you enter https://localhost, things don't work on a real site unless you LITERALLY enter realm="https://www.mysite.com/..."

  22. Marko
    148 posts
    Registered: 30 Jul 2008
    22 Feb 2013

    One more question.  If I don't want to protect the entire backend with SSL, but only the login screen, would I only do steps 1 and 2?  What about step 4?

    My main goal is to protect the login process so that the username and password aren't transmitted in clear-text. Once a user is inside the backend, it could go over HTTP and I don't see much of a problem with that.

    Is that possible?

  23. Stefani Tacheva
    718 posts
    Registered: 06 Dec 2016
    23 Feb 2013
    Hi,

    If you enter http://localhost/sitefinity, you won't be redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true if you do not change the realm. Not everyone wants to use http://localhost/sitefinity and https://localhost/sitefinity at the same time; this is the reason why we inform our clients that they have a choice, whether they want to change or not change the realm.

    Regarding the other question that you have, you need to go through steps 1, 2 and 4. Do not execute the code in step 3. If you have executed it, you could change the require ssl value to false and execute it again. When your backend pages do not require ssl, after you enter your username and password you will go over HTTP in the backend of Sitefinity.

    Kind regards,
    Stefani Tacheva
    the Telerik team
  24. Marko
    148 posts
    Registered: 30 Jul 2008
    25 Feb 2013 in reply to Stefani Tacheva

    Hmm... Thanks, but I need a clarification on this:

    Stefani Tacheva said:
    When your backend pages do not require ssl, after you enter your username and password you will go over HTTP in the backend of Sitefinity.

    Will the username and password be transmitted over HTTP or HTTPS, in this case? My question was basically trying to determine if the username and password will be sent over the encrypted/ssl/https protocol when steps 1, 2, and 4 are done and backend pages are set to require SSL = false.

  25. Stefani Tacheva
    718 posts
    Registered: 06 Dec 2016
    27 Feb 2013
    Hi,

    You need to set:
    requireHttps="true"

    in your web.config file. Then your username and password will be sent over HTTP.

    All the best,
    Stefani Tacheva
    the Telerik team
  26. Marko
    148 posts
    Registered: 30 Jul 2008
    07 Mar 2013

    Thanks, Stefani. I configured it that way, in addition to steps 1, 2, and 4 from the documentation, and everything seems to be running fine.

    But allow me to once again express my dissatisfaction with how this is set up:

    You have to enter host-header-specific information (https://www.mysite.com) in 3 places when configuring this (the web.config, security.config, and workflow URL under advanced settings). All this for a simple site just to enable SSL for the backend? How come we don't have to specify anything for leaving it over port 80? In other words, you can just leave http://localhost in web.config and security.config, and you can leave web workflow base url blank? Even though the site has been configured to work with www.mysite.com in IIS? That's how it should work with SSL, too. It should be that simple.

    My point is that there should be a simple setting for "I want to enforce backend over SSL" or "Ensure backend login over SSL" or something like that, and Sitefinity would take care of the rest, like it does with port 80.

    For those of you who feel the same way as I do, please vote in PITS on this issue.

    I've been using Sitefinity since version 3.2, and it's really time for this feature to be included in regular CMS configuration.

  27. NK
    82 posts
    Registered: 15 Apr 2010
    12 Mar 2013 in reply to Marko

    Hi Stefani,

    I am about to implement backend SSL. Would you tell me how to implement your code in submit (login) button.

    It would be great if you can tell step by step where to place your code.

    Thank you,

    NK 

  28. Atanas Valchev
    414 posts
    Registered: 04 Jan 2016
    12 Mar 2013
    Hi,

    You need to run the code for the backend pages only once. After that, all backend pages will be using https. After that, in the web.config, modify the

    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
      <cookieHandler requireSsl="false"/>
    </federatedAuthentication>
    As noted in the KB, linked in the previous replies. The last thing to do would be to add the relying party in the security config file.

    Greetings,
    Atanas Valchev
    the Telerik team
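The federatedAuthentication element above, shown once with the scheme mismatch that produced Marko's "Missing configuration for the requesting relying party" error and once in a consistent form for a site whose editors log in at https://www.example.com. This is an added example, not the KB article's or Atanas's configuration; the host name is a placeholder, and the surrounding microsoft.identityModel/service elements are assumed, since the thread only shows the inner element.

```xml
<!-- Added example, not from the thread or the KB article. The host is a placeholder and the
     microsoft.identityModel/service wrapper elements are assumed. -->
<microsoft.identityModel>
  <service>
    <federatedAuthentication>

      <!-- Mismatched (the state behind Marko's error): the login page is served over https but
           realm and issuer still say http, so the STS redirects to ...SWT?realm=http%3a%2f%2f...
           and the login ends with "Missing configuration for the requesting relying party".
      <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
      <cookieHandler requireSsl="false"/>
      -->

      <!-- Consistent: issuer and realm carry the scheme and host the browser actually uses,
           and the authentication cookie is marked Secure so it is never sent over plain HTTP. -->
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://www.example.com"
                    realm="https://www.example.com"
                    requireHttps="true"/>
      <cookieHandler requireSsl="true"/>

    </federatedAuthentication>
  </service>
</microsoft.identityModel>
```

requireSsl="true" on the cookie handler belongs with the step that sets RequireSsl on every backend page. If only the login is forced onto HTTPS (Marko's steps 1, 2 and 4), keep it at false: otherwise the browser withholds the cookie on the HTTP backend pages and each click returns to the login. The realm must also match the relying party registered in the security config that Atanas mentions.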
  29. NK
    82 posts
    Registered: 15 Apr 2010
    12 Mar 2013 in reply to Atanas Valchev

    Atanas,

    Thank you for replying.

    Would you tell me how to put the following code to where and how, before I run it once:

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        UserManager manager = UserManager.GetManager();

        var objUser = manager.GetUser("admin");

        var validate = SecurityManager.AuthenticateUser(UserManager.GetDefaultProviderName(), "admin", "password", false);

        bool authenticated = validate == UserLoggingReason.Success;

        var sslOn = SSLSettings.SelectedValue == "On";
        var app = App.WorkWith().Pages();
        var pages = app.LocatedIn(Telerik.Sitefinity.Fluent.Pages.PageLocation.Backend).Get();

        foreach (var page in pages)
        {
            if (page.Page != null)
            {
                page.Page.RequireSsl = sslOn;
            }
        }

        TransactionManager.CommitTransaction(app.GetManager().TransactionName);
    }

    I could not figure out?

    Thank you for helping,

    NK

  30. Atanas Valchev
    414 posts
    Registered: 04 Jan 2016
    12 Mar 2013
    Hi,

    Make sure that your site is on IIS and has bindings for http and https. Place that code in the codebehind of an aspx page and replace the admin and password credentials with the administrator credentials for your site. Build the application and access the page. Then the code will be executed and the backend pages will require ssl.

    Greetings,
    Atanas Valchev
    the Telerik team