Hi everyone, I'm a new Sitefinity owner and am implementing this for my client. I am in the very early stages and am trying to get my setup as secure as possible whilst meeting my client's requirements.
I've been reading Gabe's post on SitefinityWatch named "How to secure Sitefinity's Administrative UI". So far I have created a new administrator user with a different name than admin, deleted the original admin user and applied a more complex requirement for passwords in general.
The site will have a registration process that will allow anonymous users to create accounts, and I'm going to auto-assign them to a role such as "users" or some other such role name. Two of Gabe's suggestions confuse me: on the one hand he advises cutting off the ~/sitefinity directory to anyone outside of the internal network (using a simple HttpModule), but then he suggests renaming login.aspx to obscurelogin.aspx, which is in the sitefinity folder. Surely it can only be one or the other if my client is to allow anonymous users to create accounts and therefore hit the login URL from the web.config file, which is currently set to ~/sitefinity/login.aspx?
What feels natural to me is to create a page group named "account" that contains login.aspx, register.aspx, forgotpassword.aspx, changepassword.aspx and editprofile.aspx and just handle it all myself. Is it OK to modify the default login URL in the web.config file to a custom page outside of ~/sitefinity, and thus stop using ~/sitefinity/login.aspx, perhaps even deleting it?
Also, in this thread, SelArom suggests that cutting outside users off from the Sitefinity folder might not be such a good idea. Has this been confirmed, or is it OK to just ban all users outside of the internal network from accessing the sitefinity folder?
Loving the product so far and am looking forward to hopefully contributing more in the future,
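To make the "simple HttpModule" idea from the question concrete, here is an added example written for this thread; it is not Sitefinity's own code and not the module from the SitefinityWatch post. It is a plain ASP.NET IHttpModule that returns 403 for any request under ~/sitefinity unless the client's TCP peer address falls inside an internal range. The internal CIDRs, the module name and the empty exception list are assumptions for the example; the exception list is where you would whitelist ~/sitefinity/login.aspx if you kept the stock login page for public users instead of moving the login URL out of the folder.

```csharp
// Added example, not part of the original thread or of Sitefinity.
// Blocks ~/sitefinity/* for clients outside an internal network.
using System;
using System.Net;
using System.Net.Sockets;
using System.Web;

public class InternalOnlyAdminModule : IHttpModule
{
    // Assumed internal ranges (RFC 1918 plus IPv4 loopback); adjust to the client's network.
    private static readonly string[] InternalCidrs =
        { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" };

    // App-relative paths under ~/sitefinity that must stay reachable from the internet.
    // Assumption: none. Add "~/sitefinity/login.aspx" only if public users still log in there.
    private static readonly string[] PublicExceptions = { };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;

        // "~/sitefinity/..." regardless of the site's virtual directory.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath ?? string.Empty;
        bool isAdminPath = path.Equals("~/sitefinity", StringComparison.OrdinalIgnoreCase)
                        || path.StartsWith("~/sitefinity/", StringComparison.OrdinalIgnoreCase);
        if (!isAdminPath)
            return;

        foreach (string allowed in PublicExceptions)
            if (path.Equals(allowed, StringComparison.OrdinalIgnoreCase))
                return;

        // UserHostAddress is the TCP peer. Do not read X-Forwarded-For here unless a
        // trusted reverse proxy strips and rewrites it: the header is client-controlled.
        IPAddress client;
        if (IPAddress.TryParse(ctx.Request.UserHostAddress, out client) && IsInternal(client))
            return;

        ctx.Response.StatusCode = 403;
        ctx.Response.SuppressContent = true;
        app.CompleteRequest(); // fail closed: skip the rest of the pipeline
    }

    private static bool IsInternal(IPAddress ip)
    {
        if (ip.IsIPv6Loopback)
            return true;
        // Only IPv4 ranges are configured; any other IPv6 client is treated as external.
        if (ip.AddressFamily != AddressFamily.InterNetwork)
            return false;
        foreach (string cidr in InternalCidrs)
            if (InCidr(ip, cidr))
                return true;
        return false;
    }

    // Prefix match of an IPv4 address against "a.b.c.d/bits".
    private static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        int bits = int.Parse(parts[1]);
        byte[] addr = ip.GetAddressBytes();
        for (int i = 0; i < 4; i++)
        {
            int take = Math.Min(8, Math.Max(0, bits - 8 * i));
            if (take == 0)
                break;
            int mask = take == 8 ? 0xFF : (0xFF << (8 - take)) & 0xFF;
            if ((addr[i] & mask) != (net[i] & mask))
                return false;
        }
        return true;
    }
}

// Registration in web.config (IIS 7+ integrated pipeline); use
// <system.web><httpModules> instead under the classic pipeline:
//
//   <system.webServer>
//     <modules>
//       <add name="InternalOnlyAdminModule" type="InternalOnlyAdminModule" />
//     </modules>
//   </system.webServer>
//
// Moving the public login page out of the folder is then a separate web.config change:
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/account/login.aspx" />
//   </authentication>
```

Two caveats a practitioner would check before relying on this: if the site sits behind a load balancer or reverse proxy, UserHostAddress will be the proxy's address and every request will look internal or external depending on where the proxy lives, so the restriction belongs on the proxy or IIS IP restrictions instead; and the module runs at BeginRequest, so it fires before forms authentication, which is what you want for an "internal only" rule that must not depend on a valid login.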