As part of a project we're just completing we had the occasion
to review some of the file level security for Umbraco. What
we found was quite encouraging - namely that an Umbraco
installation can be made secure very easily. The one issue
that came up is that a user, following the Umbraco installation
guide, is left with some less than ideal security settings that
could, potentially, result in a compromised installation.
Taking cues from project team members and loads of installation
scenarios, I created the following brief security guide. The
guide is intended to get a new Umbraco installation to a more
secure state than it would be otherwise, it is far from being
comprehensive. As always, we value your input.
<><><><><><><><><><><><><>
Umbraco Security Best Practices for Installations
<><><><><><><><><><><><><>
After an Umbraco installation is completed you may find that
some security settings are left as less than optimal.
Following is a brief guide to making some simple changes that will
help make your Umbraco installation more secure. There are
two sections following; the Quick Guide, which every Umbraco site
owner should read and implement, and the Full Guide outlining
additional steps to be considered.
Quick Guide:
1. Set (or reset) Acl's as follows:
a. For the web site's Application Pool Identity :
i. Generally the Application Pool's identity is Network
Service, but if you are using shared hosting this may not be the
case
1. From IIS Manager each Application Pool will have
its identity set as a property
ii. Set the Acl for the file <web site
root>\web.config to Read (Make sure to remove Full Control,
Modify, and Write)
iii. Set the Acl for the following directories
to Read (Make sure to remove Full Control, Modify, and Write)
1. <web site root>
2. <web site root>\bin
3. <web site root>\umbraco
iv. For the following directory set the Acl to
Read & Execute
1. <web site root>\app_code
2. <web site
root>\usercontrols
v. For the following directories set the Acl to
Read, Modify
1. <web site root>\config
2. <web site root>\css
3. <web site root>\data
4. <web site
root>\masterpages
5. <web site root>\media
6. <web site root>\python
7. <web site root>\scripts
8. <web site root>\xslt
2. Remove the <web site root>\install directory
3. Set strong passwords for the Umbraco Database User or use
Integrated Security (if using SQL Server or SQL Server Express) to
connect as the web site's Application Pool identity
4. Set strong passwords for Umbraco users
Full Guide:
1. Set Acl's and password recommendations as above
2. Follow the recommendations outlined here http://tehchnet.microsoft.com/en-us/library/dd309461.aspx
for setting secure Acl's
3. Follow the detailed recommendations outlined in this excellent
whitepaper (.NET 2.0) http://msdn.microsoft.com/en-us/library/ms998372.aspx
- most of the recommendations here are implemented by Umbraco and
are applicable to .NET 3.5 as well
Note: This is a brief guide that outlines only the most
basic tasks to help secure your Umbraco installation. In a
production and/or critical environment we strongly recommend using
a hardening protocol (such as the IIS Security Planning Tool or
other available resources) that is outside the scope of this
guide.