How do I secure the Sitefinity back end pages?

Posted by Community Admin on 03-Aug-2018 00:22

How do I secure the Sitefinity back end pages?

All Replies

Posted by Community Admin on 25-Apr-2012 00:00

I have seen various forum threads on this topic, but most are very, very old. What are the current best practices 5.x to secure the Sitefinity backend pages from hackers?

- I have seen some say apply SSL to the /Sitefinity folder via IIS, but then others say that causes issues with themes that are located in App_Data

- I have seen some posts say that backend pages are forced to http not https unless some setting is enabled for each individual page.

Any updates to these practices? What do you do to keep your site secure?

Posted by Community Admin on 25-Apr-2012 00:00

Good question.

Posted by Community Admin on 04-May-2012 00:00

I am also curious. What is the best way?

Regards,
Peter

Posted by Community Admin on 05-May-2012 00:00

Telerik seem to indicate their preference with their own site - try to access the sitefinity folder of this site and you get a 403 forbidden - which would seem to suggest they may be applying an IIS whitelist to that page or section of the site.

Posted by Community Admin on 08-May-2012 00:00

Interesting question and also something that would be good to see answered.
What I have seen in the past is a key being required when accessing a admin backend. It would be good if sitefinity built something like this in to its site.
e.g. if you try to access www.mydomain.com/sitefinity it would just point you back to the home page, if however you entered www.mydomain.com/sitefinity?myKey you would get the admin login page.

Posted by Community Admin on 08-May-2012 00:00

I tried the solution in this article. When I am going to my site www.domain.com/sitefinity I am still redirected to www.domain.com/.../SWT (the http one). When I try to log in (through http) I am getting an error "Missing configuration for the requesting relying party "https://www.domain.com"". When I replace the http in the url with https, it works! Why is it not redirected immediately to https?

Posted by Community Admin on 11-May-2012 00:00

@Telerik, what do you suggest for securing backend pages? Or is the suggestion in the article mentioned in the previous message the way to go (and if so, how can the mentioned issue be fixed)?

Posted by Community Admin on 19-May-2012 00:00

FWIW: This is my current solution, courtesy of Telerik support.
This is basically a 4/5 implementation of the method I used on previous V3 sites.

IIS IP Address restrictions:
--------------------------------------
/Sitefinity
- Add Address Whitelist for Folder
- Access for unspecified Clients = Deny    (Feature Settings at Folder)

/Sitefinity/Services
- Access for unspecified Clients = Allow    (Feature Settings at Folder)

Of course, Security restrictions are always a ‘YMMV’ solution, and I can only vouch for it working my own sites, but so far it gives me what I need:
- Anonymous users can access the public site
- White-listed addresses can access the admin site
- Non-listed addresses get a 403 forbidden if they try to access the admin site
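The whitelist described above expressed as a web.config fragment, as an added example that is not from this thread or from Telerik; it assumes the IIS "IP and Domain Restrictions" feature is installed and that the ipSecurity section has been unlocked at the server level, and the addresses are placeholders:

```xml
<!-- Added example (not from the thread). Before this fragment takes effect the
     section must be unlocked once on the server:
       appcmd unlock config -section:system.webServer/security/ipSecurity
     203.0.113.10 and 198.51.100.0/24 are placeholder admin addresses. -->
<configuration>
  <!-- Whole backend: deny by default, allow only the listed admin addresses.
       Unlisted clients receive a 403 Forbidden from IIS before Sitefinity runs. -->
  <location path="Sitefinity">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Services folder: re-open it, because the public site also calls it.
       The allow entries above are inherited but no longer matter here. -->
  <location path="Sitefinity/Services">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

Behind a load balancer or SSL offloader the client address IIS sees is the appliance's, so the restriction must then be enforced on the appliance instead (or, on IIS 8.5 and later, with ipSecurity's enableProxyMode so the X-Forwarded-For address is evaluated).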

Posted by Community Admin on 21-May-2012 00:00

So if I understand this right, there is no SSL solution for Admin access? The Sitefinity folder will be open to man in the middle attacks unless we restrict access to it on an IP basis and then use something like a VPN tunnel to reach it remotely?

I really hope there is something better than that, but I at least need to know if what I stated above is true so that we can plan accordingly.

Posted by Community Admin on 21-May-2012 00:00

@Dan

Just to be clear about my current solution - this is a specific approach I took (to emulate what I had been doing in the past with V3) and tech support gave me guidance on that request.

I didn't ask 'what is the best solution?' and it may well not be the best... I simply asked 'how do I use IIS IP whitelists with V5?'.

However, I've actually encountered an issue with it since, and am currently trying to resolve it... I'll update if/when I do.

Posted by Community Admin on 22-May-2012 00:00

We use an F5 appliance, Big IP for load balancing and SSL offloading... We're getting a new wildcard cert for our domain soon.. I had intended on using our appliance to force SSL on all page requests with /sitefinity.  As long as I don't write a rule to force them back to HTTP if they go to a page without /sitefinity I'm thinking it should keep them in HTTPS which is preferable because editing a lot of content types remove the /sitefinity from the url.  If they happened to go back to the public site they would probably stay in HTTPS but considering it's only my admin users I'm not too concerned about that.  When we get this cert and I apply a solution I'll post back.  I know it's not exactly a universal solution but then again a simple Big IP irule like this could probably be written in IIS URL Rewriting pretty easy to accomplish the same thing. 

Posted by Community Admin on 22-May-2012 00:00

Tony - I am pretty certain that the Sitefinity backend will revert to HTTP on each click, even if you start with HTTPS.

Posted by Community Admin on 22-May-2012 00:00

Well one of the good things about Big IP is that as far as the Sitefinity servers are concerned all requests are coming from the Big IP load balancing IPs in HTTP traffic (which looks funny on my IIS logs when 99.9% of the traffic came from one of two IPs).  This has its advantages for me potentially forcing SSL as Sitefinity will most likely be unaware it's even occurring.  However a major disadvantage of using this load balancer is licensing and the load balancing module in Sitefinity, or so we speculate with the significant admin performance issues we experience in our current environment. 

Anyways it'll be worth a shot for me, but if it can't be replicated with something like IIS rewrite it won't be a very good solution for anyone who doesn't already have a need for one of these appliances in their enterprise.  Has anyone tried URL Rewrite though to see if it can force SF HTTPS on specific rules?  If it did force SSL and it only reverted back to HTTP on various content edits you could circumvent that with an additional rule that looks for /Action/Edit and the various other requests.  What I'm concerned about is when my browser calls something like /Telerik.Web.UI.Webresource.axd.. I believe Big IP would let me circumvent most of the forces to SSL, but I'm not entirely sure if it would force a web service like that.. I'm thinking it all depends on session management and how our appliance deals with calls like that from the same session.. Sounds like my whole theory could be busted before I even try it, but it won't hurt anything to give it a shot.
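The IIS URL Rewrite rule speculated about above, as an added example that is not from this thread or from Telerik; it assumes the URL Rewrite module is installed and the site already has an https binding:

```xml
<!-- Added example (not from the thread). Redirects plain-HTTP GET requests for
     anything under /sitefinity to the same URL on HTTPS, so a bookmarked or
     typed http://host/sitefinity link never reaches the login page over HTTP. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Backend over HTTPS" stopProcessing="true">
          <!-- Path only, no leading slash; the query string is appended by default. -->
          <match url="^sitefinity(/.*)?$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- {HTTPS} is "ON" or "OFF"; only act on the plain-HTTP case. -->
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- A 301/302 turns a POST into a GET and drops the form body, which
                 is exactly what happens when the backend falls back to HTTP on a
                 click, so only GETs are redirected; POSTs are left to the
                 application's own RequireSsl / requireHttps handling. -->
            <add input="{REQUEST_METHOD}" pattern="^GET$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This only covers URLs under /sitefinity; edit screens that drop the prefix, and resource handlers such as Telerik.Web.UI.WebResource.axd, are served on whatever scheme the page that requested them used.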

Posted by Community Admin on 22-May-2012 00:00

From the little I have learned through trial and error I think you are on the right track. I'm coming to the same conclusions. I'm just surprised that there isn't more information published about the best practices of securing Sitefinity. Hopefully someone who has secured a Sitefinity site will see this thread and add some additional knowledge.

Posted by Community Admin on 23-May-2012 00:00

FWIW: http://www.sitefinity.com/sitefinity

This *appears* to indicate Telerik are using IP Whitelisting on their own site.

Posted by Community Admin on 26-Dec-2012 00:00

Have you got any updates on it?

Posted by Community Admin on 26-Dec-2012 00:00

Hello,

Yes, this(white-listing) is the preferable way, if you can't trust even user/roles with CMS Backend access rights. For more protected logins you can also use the Claims implementation and make sure to put the Tokens issuer behind a firewall or under SSL.

Regards,
Georgi
the Telerik team
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 26-Dec-2012 00:00

FWIW: My current solution is detailed at the end of the following thread.

http://www.sitefinity.com/developer-network/forums/general-discussions-/securing-sf-admin-area

Basically, it's an example of using IIS url rewrite module to white-list the Sitefinity authentication page (which you can't do using the simple IP restriction module).

Unfortunately, I don't know if this is sufficient to truly secure the back-end, but it's at least better than leaving the login available to anonymous login attempts.

Posted by Community Admin on 13-Feb-2013 00:00

Any new information on this?  I see that this post has been last updated on 1/25/2013:

Securing a Sitefinity Backend with SSL

...and I was initially comforted to finally see an official set of instructions on this from Telerik, but alas, it didn't work.  :-(

First, the instructions weren't clear on whether you should leave "https://localhost/etc." or change to "https://www.mysite.com/etc." (in steps 1 and 2). After I changed those from localhost to www.mysite.com it started looking more promising. I got the login page. However, after authenticating successfully, I receive the error:

 Missing configuration for the requesting relying party "http://www.mysite.com".

Upon closer inspection, the URL in the address bar is:

www.mysitecom/.../SWThttp%3a%2f%2fwww.mysite.com%2f&redirect_uri=%2fsitefinity&deflate=true

Changing that manually to

www.mysitecom/.../SWThttps%3a%2f%2fwww.mysite.com%2f&redirect_uri=%2fsitefinity&deflate=true

...seems to work, and I'm able to get past the login screen.  I tried editing a page.  It switches back to http, but upon publishing, goes back to https when displaying the backend.  I suppose that's OK.

The main concern for me is to protect the login page (even if the rest of backend goes over HTTP).  It seems weird that we should be having to beg and plead Telerik to allow us to log in our site editors SECURELY.  I've been with Sitefinity since version 3.2, and this STILL hasn't been addressed.  At least back then, I could insert my own code into Login.aspx and enforce ssl.  Now, that's a lot more complicated.

So... Long story short... Is it still preferred to do IP white-listing or should we follow the instructions outlined by Telerik at the link above?  If latter, then how should those settings be changed so that they work correctly?

Posted by Community Admin on 18-Feb-2013 00:00

Hello Marko,

Thank you for the information. I have made some changes to the KB article. For your convenience please refer to:

Securing a Sitefinity Backend with SSL

Note that if you change the realm to realm="https://localhost" you will be automatically redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true when you enter http://localhost/sitefinity

If you want to change all backend pages to require SSL, please execute the following source code:

Code-behind file:
using System;
using Telerik.Sitefinity;                 // App
using Telerik.Sitefinity.Data;            // TransactionManager
using Telerik.Sitefinity.Security;        // UserManager, SecurityManager
using Telerik.Sitefinity.Security.Model;  // UserLoggingReason

protected void SubmitButton_Click(object sender, EventArgs e)
{
    UserManager manager = UserManager.GetManager();
    var objUser = manager.GetUser("admin");

    // Authenticate as a backend administrator; replace "admin"/"password" with real credentials.
    var validate = SecurityManager.AuthenticateUser(UserManager.GetDefaultProviderName(), "admin", "password", false);
    bool authenticated = validate == UserLoggingReason.Success;
    if (!authenticated)
    {
        // Do not touch the pages if the login failed.
        return;
    }

    // "On" sets RequireSsl on every backend page, "Off" clears it.
    var sslOn = SSLSettings.SelectedValue == "On";
    var app = App.WorkWith().Pages();
    var pages = app.LocatedIn(Telerik.Sitefinity.Fluent.Pages.PageLocation.Backend).Get();

    foreach (var page in pages)
    {
        if (page.Page != null)
        {
            page.Page.RequireSsl = sslOn;
        }
    }

    // Persist the change in one transaction.
    TransactionManager.CommitTransaction(app.GetManager().TransactionName);
}

Please make the necessary changes in the username and password. This code will authenticate a specific user and will turn on the REQUIRE SSL property for all backend pages after the button is clicked.

Aspx file:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="SetSSLPages.aspx.cs" Inherits="COFSitefinity5.SetSSLPages" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:RadioButtonList ID="SSLSettings" runat="server">
            <asp:ListItem Text="Turn SSL On" Value="On" Selected="True"></asp:ListItem>
            <asp:ListItem Text="Turn SSL Off" Value="Off"></asp:ListItem>
        </asp:RadioButtonList>

        <br />

        <asp:Button ID="SubmitButton" runat="server" Text="Update Backend Pages"
            onclick="SubmitButton_Click" />
    </div>
    </form>
</body>
</html>

Build the project and run the form by right-clicking the form and selecting View in Browser. After that select Turn SSL On and click the button.

Greetings,
Stefani Tacheva
the Telerik team

Posted by Community Admin on 19-Feb-2013 00:00

[quote]Stefani Tacheva said:Hello Marko,

Note that if you change the realm to realm="https://localhost" you will be automatically redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true when you enter http://localhost/sitefinity[/quote]

Stefani, this makes it sound like it's optional to change realm="https://..." and that you could leave it as realm="http://...". But if you do that, it simply doesn't work. You get an error. So, either I'm missing something, or the documentation is still not clear.

Second... Are we LITERALLY supposed to put "localhost" or adapt it to our site domain name (e.g. realm="www,mysite.com")? This is also not clear. It seems that if you leave http://localhost everything works fine on a non-SSL site. But if you follow Telerik's instructions on securing the backend, and you enter https://localhost, things don't work on a real site unless you LITERALLY enter realm="https://www.mysite.com/..."

Posted by Community Admin on 22-Feb-2013 00:00

One more question.  If I don't want to protect the entire backend with SSL, but only the login screen, would I only do steps 1 and 2?  What about step 4?

My main goal is to protect the login process so that the username and password aren't transmitted in clear-text.  Once a user is inside the backend, it could go over HTTP and i don't see much of a problem with that.

Is that possible?

Posted by Community Admin on 23-Feb-2013 00:00

Hi,

If you enter http://localhost/sitefinity, you won't be redirected to https://localhost/Sitefinity/Authenticate/SWT?realm=https%3a%2f%2flocalhost&redirect_uri=%2fsitefinity%2f&deflate=true if you do not change the realm. Not everyone wants to use http://localhost/sitefinity and https://localhost/sitefinity at the same time; this is the reason why we inform our clients that they have a choice, whether they want to change or not change the realm.

Regarding the other question that you have, you need to go through steps 1, 2 and 4. Do not execute the code in step 3. If you have executed it, you could change the require ssl value to false and execute it again. When your backend pages do not require ssl, after you enter your username and password you will go over HTTP in the backend of Sitefinity.

Kind regards,
Stefani Tacheva
the Telerik team


Posted by Community Admin on 25-Feb-2013 00:00

Hmm... Thanks, but i need a clarification on this:

 [quote]Stefani Tacheva said:
When your backend pages do not require ssl, after you enter your username and password you will go over HTTP in the backend of Sitefinity. [/quote] 

Will the username and password be transmitted over HTTP or HTTPS, in this case?  My question was basically trying to determine if the username and password will be sent over encrypted/ssl/https protocol when steps 1,2, and 4 are done, backend pages are set to require SSL = false.

Posted by Community Admin on 27-Feb-2013 00:00

Hi,

You need to set:

requireHttps="true"

in your web.config file. Then your username and password will be sent over HTTP.

All the best,
Stefani Tacheva
the Telerik team

Posted by Community Admin on 07-Mar-2013 00:00

Thanks, Stefani.  I configured it that way, in addition to steps 1, 2, and 4 from the documentation, and everything seems to be running fine.

But allow me to once again express my dissatisfaction with how this is set up:

You have to enter host-header-specific information (https://www.mysite.com) in 3 places when configuring this (the web.config, security.config, and workflow URL under advanced settings). All this for a simple site just to enable SSL for the backend? How come we don't have to specify anything for leaving it over port 80? In other words, you can just leave http://localhost in web.config and security.config, and you can leave the web workflow base url blank? Even though the site has been configured to work with www.mysite.com in IIS? That's how it should work with SSL, too. It should be that simple.

My point is that there should be a simple setting for "I want to enforce backend over SSL" or "Ensure backend login over SSL" or something like that, and Sitefinity would take care of the rest, like it does with port 80.

For those of you who feel the same way as I do, please vote in PITS on this issue.

I've been using Sitefinity since version 3.2, and it's really time for this feature to be included in regular CMS configuration.

Posted by Community Admin on 12-Mar-2013 00:00

Hi Stefani,

I am about to implement backend SSL. Would you tell me how to implement your code in submit (login) button.

It would be great if you can tell step by step to place your code in.


Thank you,

NK 

Posted by Community Admin on 12-Mar-2013 00:00

Hi,

You need to run the code for the backend pages only once. After that, all backend pages will be using https. After that, in the web.config modify the

<federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
        <cookieHandler requireSsl="false"/>
      </federatedAuthentication>
As noted in the KB, linked in the previous replies. The last thing to do would be to add the relying party in the security config file.

Greetings,
Atanas Valchev
the Telerik team

Posted by Community Admin on 12-Mar-2013 00:00

Atanas,

Thank you for replying.


Would you tell me how to put the following code to where and how, before I run it once:

protected void SubmitButton_Click(object sender, EventArgs e)
{
    UserManager manager = UserManager.GetManager();
    var objUser = manager.GetUser("admin");

    var validate = SecurityManager.AuthenticateUser(UserManager.GetDefaultProviderName(), "admin", "password", false);
    bool authenticated = validate == UserLoggingReason.Success;

    var sslOn = SSLSettings.SelectedValue == "On";
    var app = App.WorkWith().Pages();
    var pages = app.LocatedIn(Telerik.Sitefinity.Fluent.Pages.PageLocation.Backend).Get();

    foreach (var page in pages)
    {
        if (page.Page != null)
        {
            page.Page.RequireSsl = sslOn;
        }
    }

    TransactionManager.CommitTransaction(app.GetManager().TransactionName);
}

I could not figure it out.


Thank you for helping,

NK

Posted by Community Admin on 12-Mar-2013 00:00

Hi,

Make sure that your site is on IIS and has bindings for http and https. Place that code in the code-behind of an aspx page and replace the admin and password credentials with the administrator credentials for your site. Build the application and access the page. Then the code will be executed and the backend pages will require ssl.

Greetings,
Atanas Valchev
the Telerik team

Posted by Community Admin on 12-Mar-2013 00:00

Thank you for fast replying, Atanas. I am a bit new to sitefinity version 5.0.

I went through the project in Visual Studio, and I could not find the login page .aspx or any aspx.cs file. Moreover, I could not find any .aspx page, only .svc files. How do I place it in the page?


Are we talking about the same version of Sitefinity?


Thank you for helping,

NK 

Posted by Community Admin on 15-Mar-2013 00:00

Hello,

I am attaching a sample that will help you set ssl for all frontend pages. Add it to your project, include it in the solution, build it. After that access the page, select ssl for frontend pages and turn it on. 

All the best,
Atanas Valchev
the Telerik team

Posted by Community Admin on 15-Mar-2013 00:00

We are trying to set up the backend SSL on a test box (with a self signed certificate) just to make sure we can get this working for when our site goes live.

On a fresh 5.3 site (the version our site was developed on, has a third party plugin that we cannot update yet) which we built fresh, we get the following error when following steps 1 & 2 when we try to access the https://address/sitefinity page:

Server Error in '/' Application.
ID1056
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: ID1056
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[InvalidOperationException: ID1056]
   Telerik.Sitefinity.Security.Claims.SitefinityClaimsAuthenticationModule.VerifyProperties() +412
   Telerik.Sitefinity.Security.Claims.SitefinityClaimsAuthenticationModule.RedirectToIdentityProvider(String uniqueId, String returnUrl, Boolean persist, Boolean deflate) +35
   Telerik.Sitefinity.Security.Claims.SitefinityClaimsAuthenticationModule.RedirectToIdentityProvider(String requestUrl) +162
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

Is there something I am missing here that is obvious? (completely likely).

Also, the "key" you are wanting us to use is the Public Key information from the SSL certificate in IIS, correct?

Thank you.
Steve K.

Posted by Community Admin on 20-Mar-2013 00:00

Hi Stephen,

Please check if you have configured your site in the following way.

First we need to have the site set up on IIS using the default ports – 80 for http and 443 for https.
 
After that check the web.config if requirehttps is set to true:

<federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
        <cookieHandler requireSsl="false"/>
      </federatedAuthentication>

After this is done, one last setting is left. Since the Sitefinity Backend login page is running on https, a new relying party needs to be added in the security.config file. Just copy the already available relying party in your security.config and add https. Your relyingParties section should look something like:

<relyingParties>
        <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="http://mysite.com" />
        <add key="F033D3A3799B086BCB17ED59CD440F4B9FFB99830D862396ECDBEEBBE70C6487" encoding="Hexadecimal" realm="https://mysite.com " />
    </relyingParties>

If you have other questions or continue to experience problems with configuring this, please, feel free to open a support ticket.

Regards,
Atanas Valchev
the Telerik team

This thread is closed