Sitecore Content Delivery security hardening admin folder - azure

We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?

Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering

you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>

Related

restricting IP security

Having an issue with restricting IP security.
I have made a web.config file and placed it in the folder I am trying to restrict see below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" enableProxyMode="true" denyAction="Forbidden">
<clear />
<add ipAddress="123.456.789" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
I have also adjusted the applicationHost.config to:
<section name="ipSecurity" overrideModeDefault="Allow" />
However when browsing to a file in that folder I get a 403.
I have restarted IIS and IP address is correct.
What am I missing?
Check the client IP (c-ip) in IIS logs and add that to ip - restrictions rules.

Enable cross site access in OK Hosting?

I'm trying to download the bootsrap fonts from a container I have in a site hosted by OK Hosting. I can download the font manually but when using it in a CSS on a page hosted in another server, it fails because cross site access is disabled.
I know OK Hosting uses IIS but they give you a web based control panel.
How do I enable cross site access?
Ok, you just have to add a file called web.config at the root of your site with the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
You might also need the following just below the Access-Control-Allow-Origin.
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />

Why is "SSL Settings" feature delegation disabled by default?

I would like to specify SSL flags in application web.config file. Actually, I would like to get something like this:
<configuration>
...
<location path="">
<system.webServer>
<security>
<access sslFlags="Ssl" />
</security>
</system.webServer>
</location>
<location path="Public">
<system.webServer>
<security>
<access sslFlags="None" />
</security>
</system.webServer>
</location>
...
</configuration>
But I found that "SSL Settings" feature delegation is disabled by default.
So I'm wondering if it's dangerous to enable this or not. I can't imagine why this can be dangerous... But I'm confused with default IIS settings.

Secure elmah directory gets 404?

I've setup ELMAH on a asp.net mvc 3 site with the correct configuration detailed on another SO question here. Everything works great on my local virtual dev IIS server but when I deploy to an IIS server when I try to go to /Admin/Elmah.axd I get the standard IIS "404 - File or directory not found.". Is there an IIS setting I'm missing?
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
You have got to add the httphandler to the System.Webserver part of the web.config so that IIS routes it:
<system.webServer>
<handlers>
<add verb="POST,GET,HEAD" path="admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" name="Elmah"/>
</handlers>
</system.webServer>
I fixed the problem by installing the asp.net mvc elmah controller. You can find it here.

IIS7.5 : How to prevent prompt for credentials when folder blocked by URL Authorization

I managed to secure a folder structure with URL authorization in IIS7 with the following :
<location path="Reports">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company1">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User1"/>
</authorization>
</security>
</system.webServer>
</location>
<location path="Reports/Company2">
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="User2" />
</authorization>
</security>
</system.webServer>
</location>
Now my problem is that when User1 from Company1 tries to access a file from the Company2 folder, it gets prompted for credentials. I would like that he receives an "access denied" message. I tried to add a in the second location tag but without success.
Not possible as far as I can see. You need to at least attempt to verify the user before you can display the access denied (by means of custom errors perhaps). However, before this verification has started, there is also no way to determine which user it is.

Resources