
Some random questions

9 posts, 0 answered
  1. Jeff
    27 posts
    Registered:
    18 Jun 2008
    18 Jun 2008
    Well, I had spent about a good 30 minutes writing up a detailed thread about some questions I had but apparently took too long writing the message and my login timed out and I lost all the text. I knew I should have copied the text before I tried to post it.

    LicenseFile.xml:
    Why wasn't this stored in a config file? I don't know how your company handles registration of the software, but I'm not particularly fond of having our registration and license key stuck out on the internet visible to anyone that knows we're using Sitefinity for our CMS solution.

    Sitefinity Folder:
    Is there any way to relocate this folder from where it's normally supposed to be at? Right now this is the biggest security risk we have on our website even with all of our CMS admins having extremely strong passwords. Had I been consulted about this software before we began implementing it, I would have told the management to find different software.

    Sorry for being short, I'm just not wanting to spend a ton of time writing all of this over again.
  2. Jeff
    27 posts
    Registered:
    18 Jun 2008
    18 Jun 2008
    Oh, I forgot to mention in the Sitefinity folder section - we're trying to relocate the folder behind the firewall to either a different site on the same server (perhaps changing the port number) or relocating it off the server entirely and running it on another dedicated CMS management server.
  3. Nikifor
    232 posts
    Registered:
    18 May 2013
    19 Jun 2008
    Hi Jeff,

    Actually the license file does not contain any sensitive information for you or for us. This is a self-generated random key which just represents your order. You are right that it can be read easily, but this code is not valuable to anyone.
    If that is of great concern to you, there is an option to hide the license file in your project's App_Data folder which has restricted access by default. Here is what you can do to protect your license file:
    1. Place the LicenseFile.xml in the project App_Data folder.
    2. Add this line to the application web.config, section <cms>:

    <cms defaultProvider="Sitefinity"
       useStrictLanguageVersions="true"
       pageExtension=".aspx"
       projectName="X"
       disabled="false"
       licenseFile="~/App_Data/LicenseFile.xml"
       pageEditorUIMode="Overlay">
       <providers>
       <clear />
       ...

    Hope this helps.

    Best wishes,
    Nikifor
    the Telerik team

  4. Jeff
    27 posts
    Registered:
    18 Jun 2008
    19 Jun 2008
    Ah, well that's good to know about the license file. I was just more worried that people could wander the web and grab the license key and get full rights on the trial or something if they found the key. That wasn't a huge concern really, just something I noticed that seemed odd.

    Any thoughts about the Sitefinity folder question? That's really the more important of the two. With the API exposed I might be able to do something to allow the folder to be relocated. Not sure, I haven't looked at the API very much since we deployed it. My boss requested I research into being able to move it, we're all a bit uneasy about it being out on the web like it is.
  5. UI Crew
    99 posts
    Registered:
    24 Sep 2012
    20 Jun 2008
    Hi Jeff,

    We are doing exactly what you are wishing to do with absolutely no problems thus far... here is our scenario:

    On the internet we have the Sitefinity website (we'll refer to it as "Public Site") and database minus the ~/Sitefinity/Admin folder. Sitefinity doesn't actually need the Admin folder to run - it will run happily without it and this stops anyone getting into the CMS Admin on the web.

    Everything in the site has workflow turned on fully, e.g. pages, news etc. The public site is running the Telerik asp.net membership provider to authenticate public users for secure sections of the site.

    We have another copy of exactly the same Sitefinity site running inside the corporation's network with the admin folder included but it is connecting through the corporate firewall to the public site's database. This is where all the content editing is done. It has integrated auth turned on and runs the Telerik Active Directory providers to authenticate CMS admin users as well as Telerik asp.net providers so that we can see the public registered users.

    So 2 sites sharing exactly the same database one out on the web with no ~/Sitefinity/Admin folder the other safely tucked away inside the corporate network with the ~/Sitefinity/Admin folder.

    We are running Sitefinity 3.2 SP2 and fully utilising the Images and documents module for all multimedia, docs, images so that if anyone uploads an image it goes into the db and is instantly available to both sites.

    Once a piece of content is approved and published via the workflow it is then seen on the public site.

    Works a treat and is quite secure.

    Nothing tricky to it - you still have to have the ~/Sitefinity folder and everything in it bar the /admin folder.

    Like Telerik mentioned - cause your licence.xml is only useful for one domain there is hardly any point in anyone stealing it.

    One other question you may ask - We only have one licence, how do we get around the 2 sites issue: There are 2 possibilities here

    1. Your Sitefinity licence can be used more than once if you access the internal site via IP rather than domain name. So out on the internet you run it under your licenced domain but internally people access the cms admin via an IP address.

    2. (And this is the method we use) Your Sitefinity licence allows you to run as many sites on subdomains of your licenced domain as you like so your public site runs on www.domain.com and you setup the internal site on a subdomain of your licenced domain - eg. cms.domain.com - in our case we have just got an internal dns rule setup for cms.domain.com.

    Any questions let them fly.

    I think there are some forum posts on this somewhere but I couldn't find them for you.

    Thanks

    Seth
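An offline check of a public site's deployment folder against the two measures described in posts 3 and 5 above (license file kept under App_Data, no ~/Sitefinity/Admin folder on the internet-facing copy). This is an added example, not code from the thread or from Telerik; the function names, finding labels and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def audit_public_site(root):
    """Return findings for the public copy of a site laid out as in this thread."""
    findings = []
    # Post 5: the internet-facing copy ships without ~/Sitefinity/Admin.
    sf_dir = os.path.join(root, "Sitefinity")
    if os.path.isdir(sf_dir):
        # IIS treats paths case-insensitively, so compare lowercased names.
        if any(n.lower() == "admin" for n in os.listdir(sf_dir)):
            findings.append("admin-folder-present")
    # Post 3: LicenseFile.xml should exist only under App_Data.
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_app_data = rel.split(os.sep)[0].lower() == "app_data"
        for name in files:
            if name.lower() == "licensefile.xml" and not in_app_data:
                findings.append("license-file-web-readable")
    # Post 3: <cms licenseFile="..."> in web.config must point into ~/App_Data/.
    cms = None
    cfg = os.path.join(root, "web.config")
    if os.path.isfile(cfg):
        cms = next(ET.parse(cfg).getroot().iter("cms"), None)
    path = cms.get("licenseFile", "") if cms is not None else ""
    if not path.lower().startswith("~/app_data/"):
        findings.append("licenseFile-not-in-app_data")
    return findings

def build_sample(root, hardened):
    """Constructed sample tree; layout and file contents are assumptions."""
    for d in ("App_Data", "Sitefinity"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    if not hardened:
        os.makedirs(os.path.join(root, "Sitefinity", "Admin"))
    lic_dir = "App_Data" if hardened else "."
    with open(os.path.join(root, lic_dir, "LicenseFile.xml"), "w") as fh:
        fh.write("<license>constructed-placeholder</license>")
    attr = ' licenseFile="~/App_Data/LicenseFile.xml"' if hardened else ""
    with open(os.path.join(root, "web.config"), "w") as fh:
        fh.write('<configuration><cms projectName="X"%s><providers><clear />'
                 '</providers></cms></configuration>' % attr)
    return root

def demo():
    """Audit the constructed 'before' and 'after' trees."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (audit_public_site(build_sample(a, False)),
                audit_public_site(build_sample(b, True)))
```

The check only inspects files on disk; it does not confirm how IIS actually serves them, so a request to the public site for the license file and the admin path is still worth doing after deployment.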
  6. Jeff
    27 posts
    Registered:
    18 Jun 2008
    20 Jun 2008
    Outstanding! Thank you all very much for the help in this matter!!
  7. Nikifor
    232 posts
    Registered:
    18 May 2013
    23 Jun 2008
    Hi Jeff,

    Thank you very much for the useful answer Seth. We appreciate your contribution to the Sitefinity Community and we updated your Telerik account.

    All the best,
    Nikifor
    the Telerik team

  8. SelAromDotNet
    912 posts
    Registered:
    18 Jul 2012
    22 Jul 2008
    I'm wanting to accomplish this same thing, and I see how it would work with all of the content in the databases, but what about file uploads and documents? We are not using the images and documents library, but rather link directly to pdf and image files in a "files" and "images" folder we've created. There's probably no way to do this the way I want but is it possible to do the above scenario and cross upload files to the appropriate locations?

    I'm thinking maybe I could use ftp or something, but that's a lot of manual code... but then again I only have three modules so far...

    What other alternatives are there to securing access to administration? Is there a way to make it so that it can only be accessed if you are inside our network? That would be ideal!
  9. Yasen
    121 posts
    Registered:
    18 May 2013
    29 Jul 2008
    Hi SelArom,

    Yes, there is a way to restrict access only to users within the network.
    In fact, you can use any security options that IIS and Windows provide.
    Please, refer to this document for IIS 5.x security, and more specifically, the 8th rule: "Set IP/DNS Address restrictions for your web site if you wish to filter which IP Addresses can access your site..."

    A detailed explanation of IIS security is also available in the blog series below.
    The last paragraph of part 1 - "What about the web sites?" gives some ideas about securing a website folder:

    http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
    http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part2.html
    http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part3.html

    I hope you find these articles helpful.

    Regards,
    Yassen
    the Telerik team
