Forums

Skip Navigation LinksHome / Developer Network / Forums / Sitefinity 3.x: Security > Securing the Administrator Module

Securing the Administrator Module

Feed from this thread
  • jkregala Intermediate avatar

    Posted on Oct 20, 2009 (permalink)

    Greetings Telerik team!

    I believe this is a matter of urgency. We are currently undergoing the final stages of evaluating Sitefinity CMS against other available CMS's in the market. I just would like to ask if it would be possible to SEPARATE the Administrator Module (where developers log-in and do their thing with the site) from the parts of the site that is available to the public eye.

    Upon checking the physical files, we noticed that the "Sitefinity" folder where the admin module is cradled INSIDE a specific web project's main folder. We wanted to have a sort of "untraceable" access for the admin module in order to further enhance the security of our sites (our specific concern is dictionary attack). If potential hackers had NO way to even access the log-in for the admin module, don't you think it would be very much unlikely for them to hack their way in?

    FYI, we tried affixing "Sitefinity/Admin/Default.aspx" to the URL's of the websites in your "Showcase" section (to REALLY test how secure Sitefinity is) and in quite a number of instances, we were able to access the Log-in page! We even alerted one website to change their default credentials for the admin account because apparently, we were accidentally able to log-in!

    Thanks, I hope you have available options for this concern. :)

    Reply

  • Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on Oct 20, 2009 (permalink)

    Hello Jan Kenneth Regala,

    Backend and frontend of Sitefinity are two different parts and each of them can use Different Membership provider for access. Also each part can be restricted based on roles. The easiest way to restrict the backend from a public view is creating IP blocking/filtering from IIS server ( 15seconds.com). You can easily create an IHttpHandler and apply custom filtering by path and IP as shown below:

    public class HttpModule : IHttpHandler
    {
        public HttpModule()
        {
            //
            // TODO: Add constructor logic here
            //
        }
     
        #region IHttpHandler Members
     
        public bool IsReusable
        {
            get { return true; }
        }
     
        public void ProcessRequest(HttpContext context)
        {
               // you can get the requested path here
            HttpContext current = HttpContext.Current;
            string userIp = current.Request.ServerVariables["REMOTE_ADDR"];
            if (userIp == "127.0.0.1")
            {
                context.Response.Redirect("http://www.telerik.com");
            }
        }
     
        #endregion
    }

    Also you can change the path of Sitefinity folders so that it will not be accessible from domain/Sitefinity/Login.aspx. I hope this helps.

    All the best,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.

    Reply

  • jkregala Intermediate avatar

    Posted on Oct 20, 2009 (permalink)

    Thank you for that response Mr. Ivan Dimitrov, it was certainly most illuminating. However, a more concrete measure we need is for the "Sitefinity" folder to be completely absent from the web site's physical folder and placed on a location away from the actual site so it would be virtually impossible for attackers to access the admin module.

    To make it clearer, the "Sitefinity" folder would be physically separated from the Web Site folder but still be accessible from the browser as if it was still located inside it. I hope it can be done.

    Thank you so much! We deeply appreciate your timely replies. :)

    Reply

  • Ivan Dimitrov Ivan Dimitrov admin's avatar

    Posted on Oct 20, 2009 (permalink)

    Hi Jan Kenneth Regala,

    Unfortunately you cannot separate the path outside of the website due to internal dependencies.

    All the best,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.

    Reply

  • jkregala Intermediate avatar

    Posted on Oct 20, 2009 (permalink)

    That's rather unfortunate. But I hope in future releases that feature would be available already because we have decided just minutes ago to choose Sitefinity for our websites! :)

    Notably, the CMS we used before Sitefinity, Microsoft CMS 2002, has this feature enabled regardless of how outdated it is. So here's to hoping Telerik would have this feature available in the future.

    Reply

    • Register for webinar
Skip Navigation LinksHome / Developer Network / Forums / Sitefinity 3.x: Security > Securing the Administrator Module