To prevent unauthorized access to the Sitecore client interfaces, you must restrict access to them on every instance in your content delivery and processing environments, not only on the authoring server.
There are two ways to restrict access to the client: implement IP-based security restrictions, or disable anonymous IIS access to the client folders and files.
Implement IP-based security restrictions
To restrict access to client interfaces, you can implement IP-based security restrictions.
The steps you follow to implement IP-based security restrictions vary depending on which operating system you have.
To implement IP-based security restrictions in Windows 7:
- Open the Control Panel.
- In the Control Panel, click Programs.
- Under Programs and Features, click Turn Windows Features on or off.
- In the Windows Features window, under Internet Information Services, World Wide Web Services, Security, select IP Security. This installs the IIS IP Address and Domain Restrictions feature; the restrictions themselves are then configured in IIS as described below.
For instructions on how to configure IP-based security restrictions in IIS 7 and later, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.
For instructions on how to configure IP-based security restrictions in IIS 6 and earlier, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/128d26dd-decb-42f9-8efb-30724d1a2f29.mspx?mfr=true.
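As an added example, not from the Sitecore documentation, this is the web.config fragment that the IIS IP Address and Domain Restrictions feature produces, written out so it can be reviewed and version-controlled rather than clicked together. Its placement in the Website\sitecore folder, the allowed addresses and the override for the service folder are assumptions for illustration:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: a web.config placed in the Website\sitecore folder
     (assumed location). The addresses are made up; replace them with the
     networks your content authors and administrators actually use. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" turns the list into an allow-list: a request
           from any address not matched below gets 403 Forbidden from IIS. -->
      <ipSecurity allowUnlisted="false">
        <!-- Drop entries inherited from applicationHost.config or a parent web.config -->
        <clear />
        <!-- Assumed authoring network -->
        <add ipAddress="10.20.30.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Assumed single administrator host -->
        <add ipAddress="192.168.1.15" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>

  <!-- The service folder holds the 404 and 403 pages that IIS serves back to
       blocked clients, so it must stay reachable from every address. -->
  <location path="service">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two checks before relying on this. First, the ipSecurity section is locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config), so a web.config that sets it returns HTTP 500.19 until the section is unlocked, for example with `appcmd unlock config -section:system.webServer/security/ipSecurity`. Second, IIS evaluates the address of the TCP peer: behind a load balancer or reverse proxy every request appears to come from the proxy, so an allow-list either locks everyone out or lets everyone through. IIS 8.5 and later can honour X-Forwarded-For when enableProxyMode="true" is set on ipSecurity; on earlier versions the restriction belongs on the proxy itself.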
Disable Anonymous IIS access in versions earlier than Sitecore 8.2, Update 3
Another way to restrict access to the client is by disabling Anonymous IIS access to the following folders and files in your Website\sitecore folder:
You must exclude the /sitecore/service folder from the IIS restrictions because it contains the service .aspx pages that report conditions back to the web client, for example the 404 Page Not Found and 403 Forbidden pages. If the service folder is restricted as well, the error pages themselves become unreachable.
You can move the files in /sitecore/service outside the /sitecore folder, but you must then also update the following settings in the
To disable Anonymous IIS access:
- Open Internet Information Services (IIS) Manager.
- In the Connections pane, expand your website and click the folder or file to restrict, for example the admin folder.
- In Features View, in the Security category, double-click Authentication.
- Select Anonymous Authentication and, in the Actions panel, click Disable.
- Repeat these steps for each folder and file in the list above.
Disable Anonymous IIS access in Sitecore 8.2, Update 3 and later
In Sitecore 8.2, Update 3 and later, Forms authentication is the default authentication mode in the web.config file. This means that the procedure described above does not work. You can work around this in two ways:
- Disable Forms authentication
- Restrict access with .Net Authorization
Disable Forms authentication
To disable Forms authentication:
- In the web.config file, set the mode attribute of the authentication node to None.
This affects users who need the Sitecore client pages (the shell and the other pages that are available after login): instead of the login page, they receive a 401 access error.
It is therefore safe to disable Forms authentication only on an instance, such as a content delivery server, whose users never need to log in or open the client pages.
Restrict access with .NET Authorization
You set up .NET Authorization in the Internet Information Services (IIS) manager.
You must deny anonymous access to the following folders and files in your Website\sitecore folder (sitecore in Sitecore 9.0 and later):
To deny access in IIS Manager:
- In the Connections pane, select each of the items in the list above (three folders and one file) in turn.
- For each item, in Features View, double-click .NET Authorization Rules.
- In the Actions panel, click Add Deny Rule…
- Select All anonymous users and click OK.
This creates a directory-specific web.config file for each item in the list. The Microsoft support article How To Make Application and Directory-Specific Configuration Settings in an ASP.NET Application describes how to carry these rules in the application-wide web.config file instead, using location nodes similar to this:
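As an added example, not from the Sitecore documentation or the Microsoft article, here is an application-wide web.config fragment that covers both workarounds described above: the authentication node from the Disable Forms authentication section, and the location-based deny rules that IIS Manager would otherwise write into per-folder web.config files. sitecore/admin is the folder named earlier on this page; the remaining items from the list are not filled in here and must be added from the list itself.

```xml
<!-- Added example: application-wide web.config (Website\web.config) carrying
     the deny rules for the restricted items so there is one file to review.
     Only sitecore/admin is shown; add a <location> element for each remaining
     folder and file from the list. -->
<configuration>
  <system.web>
    <!-- Default from Sitecore 8.2 Update 3 onward. The "Disable Forms
         authentication" option replaces this with <authentication mode="None" />,
         after which anonymous requests to denied paths get 401 instead of a
         redirect to the login page. Child elements of the shipped
         <authentication> node are omitted here. -->
    <authentication mode="Forms" />
  </system.web>

  <!-- The ".NET Authorization" option. users="?" is the ASP.NET token for
       all anonymous users; it is the rule IIS Manager writes for
       "Add Deny Rule... > All anonymous users". -->
  <location path="sitecore/admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- The service folder with the 404 and 403 pages must stay reachable.
       Stating the allow explicitly guards against a broader deny rule
       being added above it later. -->
  <location path="sitecore/service">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Verify the result with an unauthenticated request to a page under /sitecore/admin/: with Forms authentication still enabled, ASP.NET converts the authorization failure into a 302 redirect to the login page; with the mode set to None, the response is a plain 401. ASP.NET URL authorization only covers requests that pass through the managed pipeline, so also request a static file in the same folder and confirm that it is denied rather than served.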