Secure the Telerik controls

Last updated Thursday, August 17, 2017 in Sitecore Experience Platform for Administrator, Developer
Keywords: Security

Sitecore uses some UI controls from Telerik. These controls are only used in a Content Management environment.

Important

If you are running Sitecore 8.2 Update 4 or earlier, you must first apply this critical security hotfix.

If you are running Sitecore 8.2 Update 5 or later, you do not need to install this hotfix.

To reduce the attack surface area:

  1. In all non-Content Management environments, in the web.config file, remove the following nodes:
    <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
    <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  2. In a Content Management environment, you must configure the encryption key that is used to secure the Telerik upload control.

    In the web.config file, in the appSettings section, create a node for the Telerik configuration encryption keys:

    For example:

    <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    </appSettings>

Replace the "YOUR_ENCRYPTION_KEY_HERE" placeholder with the secret string that is used to secure the Telerik controls.

The string should consist of random characters and numbers, with a maximum length of 256 characters. We recommend that you use a minimum of 32 characters.
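As an added check (not part of the Sitecore page or product), the following Python script audits a web.config against both steps above: on a non-Content Management role it flags any remaining Telerik handler registrations, and on a Content Management role it flags each of the three keys when it is missing, still the placeholder, or outside the 32 to 256 character range. The sample web.config and its 32-character dummy keys are constructed for the example.

```python
import xml.etree.ElementTree as ET

TELERIK_HANDLERS = {
    "Telerik_Web_UI_DialogHandler_aspx",
    "Telerik_Web_UI_SpellCheckHandler_axd",
    "Telerik_Web_UI_WebResource_axd",
}
TELERIK_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
PLACEHOLDER = "YOUR_ENCRYPTION_KEY_HERE"
MIN_LEN, MAX_LEN = 32, 256  # recommended minimum and stated maximum key length

def audit_web_config(xml_text: str, content_management: bool) -> list:
    """Return findings for one web.config; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    findings = []
    # Handler registrations are <add name="..."> entries (system.webServer/handlers)
    handlers = {a.get("name") for a in root.iter("add")} & TELERIK_HANDLERS
    if not content_management and handlers:
        findings.append("non-CM role still registers: " + ", ".join(sorted(handlers)))
    if content_management:
        app = root.find("appSettings")
        settings = {} if app is None else {
            a.get("key"): a.get("value", "") for a in app.findall("add")}
        for key in TELERIK_KEYS:
            value = settings.get(key)
            if value is None:
                findings.append(f"missing appSettings key {key}")
            elif value == PLACEHOLDER or not value.strip():
                findings.append(f"{key} is empty or still the placeholder")
            elif not MIN_LEN <= len(value) <= MAX_LEN:
                findings.append(f"{key} has {len(value)} chars, want {MIN_LEN}-{MAX_LEN}")
    return findings

# Constructed sample: a CM web.config where one of the three keys was left as
# the placeholder (dummy 32-char keys; real keys must be random secrets).
SAMPLE_CM_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="0123456789abcdefghijklmnopqrstuv" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="0123456789abcdefghijklmnopqrstuv" />
  </appSettings>
  <system.webServer><handlers>
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  </handlers></system.webServer>
</configuration>"""
```

Calling `audit_web_config(SAMPLE_CM_CONFIG, True)` reports the placeholder key, and `audit_web_config(SAMPLE_CM_CONFIG, False)` reports the handler that should have been removed from a non-Content Management role.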

For more information, see the Telerik documentation.