Restrict access to the client

Last updated Thursday, January 18, 2018 in Sitecore Experience Platform for Administrator, Developer

When you configure servers for different roles, you may need to disable the Sitecore client. For example, a content delivery server or a processing server has no need for the client application, so disabling the client on those roles is recommended.

To prevent unauthorized access to the Sitecore client interfaces, you need to restrict access on every instance of your content delivery or processing environments.

There are two ways to restrict access to the client:

  • Implement IP-based security restrictions
  • Disable anonymous IIS access to the client folders and pages

Implement IP-based security restrictions

To restrict access to client interfaces, you can implement IP-based security restrictions.

Note

The steps you follow to implement IP-based security restrictions vary depending on which operating system you have.

To implement IP-based security restrictions in Windows 7:

  1. Open the Control Panel.
  2. In the Control Panel, click Programs.
  3. Under Programs and Features, click Turn Windows Features on or off.
  4. In the Windows Features window, select IP Security.

For instructions on how to configure IP-based security restrictions in IIS 7 and later, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.

For instructions on how to configure IP-based security restrictions in IIS 6 and earlier, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/128d26dd-decb-42f9-8efb-30724d1a2f29.mspx?mfr=true.
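As an added example that is not part of the Sitecore documentation, the same restriction expressed directly in the site's web.config for IIS 7 and later. The allowed range 10.0.0.0/24 is a placeholder for your management network. The rule is scoped to the sitecore folder so that public pages stay reachable, and the sitecore/service subfolder is opened again because the error pages it contains must be served to every visitor.

```xml
<!-- Added example, not from the Sitecore documentation: web.config fragment
     for IIS 7 and later that allows the Sitecore client only from one
     management network. 10.0.0.0/24 is a placeholder range. -->
<configuration>
  <location path="sitecore">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" turns the list into an allow-list: every
             address not matched by an <add allowed="true"> entry gets 403.6 -->
        <ipSecurity allowUnlisted="false" enableReverseDns="false">
          <clear />
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- sitecore/service holds the 404, 403 and no-license pages that every
       visitor must be able to receive, so unlisted addresses are allowed
       again for that subfolder (a child location overrides its parent). -->
  <location path="sitecore/service">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two conditions must hold before this fragment is accepted. The IP Security Windows feature (the IP and Domain Restrictions role service) has to be installed, which the steps above cover; without it IIS does not recognise the ipSecurity section and answers every request with a 500.19 configuration error. In a default installation the section is also locked at the server level, so unlock it once with %windir%\system32\inetsrv\appcmd unlock config /section:system.webServer/security/ipSecurity before a site-level web.config may set it. If the instance sits behind a load balancer or reverse proxy, IIS sees the proxy's address rather than the visitor's: either enforce the restriction at the proxy, or on IIS 8.5 and later add enableProxyMode="true" so that ipSecurity evaluates the X-Forwarded-For header. Verify the result by requesting /sitecore/shell from an address outside the range; the expected response is HTTP 403.6.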

Disable Anonymous IIS access in versions earlier than Sitecore 8.2, Update 3

Another way to restrict access to the client is by disabling Anonymous IIS access to the following folders and files in your Website\sitecore folder:

  • admin folder
  • login folder
  • shell folder
  • default.aspx page

Note

You must exclude the /sitecore/service folder from the IIS restrictions because it contains the service .aspx pages that Sitecore uses to report conditions back to the web client, for example the 404 Page Not Found and 403 Forbidden pages. If these pages are blocked, a visitor who triggers an error receives a second error instead of the intended page.

You can move the files from the /sitecore/service folder to a location outside the /sitecore folder, but then you must also update the following settings in the web.config file so that they point to the new location: ErrorPage, NoAccessUrl, NoLicenseUrl, LayoutNotFoundUrl, ItemNotFoundUrl, LinkItemNotFoundUrl

To disable Anonymous IIS access:

  1. Open Internet Information Services (IIS) Manager.
  2. In your website's folder structure, select the item to protect, for example the admin folder.
  3. In Features View, in the Security category, double-click Authentication.
  4. Select Anonymous Authentication and, in the Actions panel, click Disable.
  5. Repeat for the login folder, the shell folder, and the default.aspx page.

Disable Anonymous IIS access in Sitecore 8.2, Update 3 and later

In Sitecore 8.2, Update 3 and later, Forms authentication is the default authentication mode in the web.config file, and the procedure described above does not work. You can work around this issue in two ways:

  • Disable Forms authentication
  • Restrict access with .NET Authorization

Disable Forms authentication

To disable Forms authentication:

  • In the web.config file, change Forms to None in the authentication node:

    <authentication mode="None">

This affects any user who needs to reach the Sitecore client (the shell or other pages that sit behind the login): with Forms authentication off, those requests fail with a 401 access error.

It is therefore safe to disable Forms authentication only on an instance, such as a content delivery server, where no user needs to log in or open the client.

Restrict access with .NET Authorization

You set up .NET Authorization in the Internet Information Services (IIS) manager.

You must deny anonymous access to the following folders and files in your Website\sitecore folder (in Sitecore 9.0 and later, the sitecore folder directly under the site root):

  • admin folder
  • login folder
  • shell folder
  • default.aspx page

To deny access in the IIS Manager:

  1. In the IIS Manager, select each of the items in the list above (three folders and one file) in turn.
  2. For each item, open .NET Authorization Rules.
  3. In the Actions panel, click Add Deny Rule….
  4. Select All anonymous users and click OK.

This creates a directory-specific web.config file for each item in the list. The article How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application on the Microsoft support site describes how to move these rules into the application-wide web.config file instead, using nodes such as <location path="sitecore/shell">.
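As an added example that is not part of the Sitecore documentation, the four deny rules collected into the site-wide web.config with location nodes, which is the result of the procedure above once the per-folder files are merged. The paths assume the default folder layout named in the list above.

```xml
<!-- Added example, not from the Sitecore documentation: the four deny rules
     IIS Manager writes as per-folder web.config files, collected into the
     site-wide web.config with <location> nodes. "?" is the ASP.NET wildcard
     for anonymous (unauthenticated) users. -->
<configuration>
  <location path="sitecore/admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="sitecore/login">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="sitecore/shell">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- a location path may name a single file as well as a folder -->
  <location path="sitecore/default.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- sitecore/service gets no deny rule, so the error pages it contains
       stay reachable for anonymous visitors, as the note above requires -->
</configuration>
```

With Forms authentication still enabled, a denied anonymous request is answered with a 302 redirect to the Forms loginUrl rather than a 401, and ASP.NET deliberately skips URL authorization for the page named as loginUrl, so the rule on sitecore/login protects the other files in that folder but does not hide the login form itself. If the login form must be unreachable on a content delivery server, combine these rules with the IP-based restrictions described in the first method. Check the configuration with an unauthenticated request for /sitecore/shell: a 302 to the login page (or a 401 once Forms authentication is set to None) confirms the rule is active, while a 200 means the rule is not being applied, most often because the location path does not match the folder name exactly.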

Send feedback about the documentation to docsite@sitecore.net.