10 Rules to make sure your security is set up right

   —   

Setting up your security while you start working on a project may be quite a challenge. You need to make sure that you didn't forget anything. Here are some basics that you should take care of ...

Hi there,

Time to time, we provide support to a client that is all about setting up the web site. The web site is looking pretty and clean, but they somehow forget about setting up the security which puts them in vulnerable position without them even knowing.

Setting up security on the infrastructure level could be a chapter itself, with all the DMZs and stuff, so I will keep this brief so it can cover the most important aspects of it, mostly the ones specific to Kentico CMS, where it can help you or where you should take some steps.

Let's consider the standard scenario where you start working with Kentico CMS and install a sample web site, then just modify it and put it live for the client ...

Rule 1 - Be paranoid

Being paranoid doesn't neccesarily mean that you are considered crazy by others. It may save your data and your job if you consider the effects of somebody breaking into your system. Always proactively search the potential ways how somebody could access your system and close the doors for them. Even though Kentico CMS in comparison to other solutions doesn't have any serious security bugs reported, it doesn't mean it will protect you from allowing the attackers to do something if you configure something improperly.

Rule 2 - Avoid sample users and roles

As you know, our sample web sites come with sample users and roles that anyone can use to demonstrate the features. Since some of them are editors and some of them are global administrators, they may be a potential entry into the system. So the very first thing before you put your site live is making sure that you deleted all the unwanted sample users and roles or at least made sure that they are limited with the permissions you want to.

Rule 3 - Avoid empty or default passwords

Not only with the default installation, but also after your development or testing, you may have some sample users within your database that either do not use any password at all, or use just a simple password, and they may be users with high privileges. Before you put your site live, you should make sure that every user in the database has some password set and that password is complex enough according to the rights the person has. The "public" user is safe and doesn't need any adjustments, it just states for any anonymous user.

Rule 4 - Avoid default or testing e-mails

Sample or testing users may also use sample e-mail addresses or an e-mail address that points to a non-existing domain. That is the case of older versions of Kentico CMS (around 4.x), where the e-mail of sample users was like system@mydomainxy.com. It was OK until the domain was not taken, but later, someone registered the domain name and suddently got spammed from all the sample installations that sent e-mails to that default addressed. Needless to say, this doesn't include just sample workflow notifications and similar e-mails, but also the password reset notifications, which makes the system much more vulnerable if that refers to an account with some admin permissions. That is basically why we changed the default mails to point to localhost.

NOTE: If you use Kentico CMS 4.1 or sooner, make sure you don't have the e-mails <something>@mydomainxy.com in the settings of your users.

One way or another, before you put your site live, you should check if all your users have proper e-mail addresses set and you don't have any users with testing e-mails.

Rule 5 - Secure logon process

Based on how secure you need your web site to be, ou may want to implement SSL for your logon pages. Usage of SSL is sometimes required, because without it, anyone on the line (Man in the middle) can potentially listen to the HTTP request and listen to the value of the password box. Kentico CMS provides two ways:

1) SSL for the live site UI, which you can configure in the document properties, see this for details:

http://devnet.kentico.com/docs/devguide/index.html?ssl_https_support.htm

2) SSL for the admin logon which you can configure in the web.config just by modifying the forms authentication config

<forms loginUrl="CMSPages/logon.aspx" ... requireSSL="true" />

Find more details here: http://msdn.microsoft.com/en-us/library/ff648341.aspx

Rule 6 - Implement secured areas

Your web site may contain information that should just be accessible by someone. In that case, you need to make sure those areas will require authentication and check the permissions accordingly. Kentico CMS provides you with a way how to easily set that up so go ahead and leverage that features:

http://devnet.kentico.com/docs/devguide/index.html?secured_web_site_areas.htm

Rule 7 - Validate and sanitize the inputs

Typical project isn't only a set of defined URLs, but the pages are somehow dynamic based on parameters. Those parameters can be parts of the URL, or the user input from any form. Sanitizing such data can protect you from unwanted Cross Site Scripting (XSS) attacks on your visitors or SQL injection. Kentico CMS allows you to sanitize the macros coming from various sources with SQL injection handling and by means of casting the values to the correct types, e.g. {%newsid|(toint)%}. More about available macro conversions here: http://devnet.kentico.com/docs/devguide/index.html?appendix_a___macro_expressions.htm

In the code and transformations, you can just cast the values with our ValidationHelper class methods, and in transformations, you can encode the HTML code by standard means or with our HTMLHelper class to prevent XSS.

Rule 8 - Protect data and file storage

You may place your hardware into Himalayas, being guarded by an army of robots, but it won't protect your servers from being accessed through the network. You simply cannot just cut off the whole line, because the world needs to see your web site. What you need to do is secure any other possible ways into your project. One of them surely is the FTP connection, which ships the password in a plain text format and was a very bad solution even back in the 90's. You should use at least SCP or SFTP which can be secured. Similar, yet different thing with your SQL server. Why allowing anyone to access it from anywhere if you can restrict it just for access from your specific local IP address where you really use it? Is really any port on your server needed or can it just be port 80 for HTTP requests? Those are the questions you should ask yourselves and consider while planning security around the project itself.

Rule 9 - Watch and check suspicious activities on the web site

Typical attack to your website consists of:
  • Information gathering
  • Attempts to break through the security
  • Harmful actions once the user gets there

Once the hacker performs the harmful action, you may just want to drop the data, because you never know what is left in there if your project is too big and he could just have left there some back door in it. So you need to prevent this in sooner phases of the attack. You can take advantage of Kentico CMS Event log, and identify potential attempts to break the security. If there are too many tries to do something or too many errors logged from a single IP address (or a subset of addresses), it may be the result of a brute force attack to your infrastructure. You should also inform your users to report any suspicious activity like somebody asking their credentials etc. Only that way, you can catch the thief soon enough.

Rule 10 - Backup your project

No matter how secure your web site is, it is possible that it may eventually be hacked. It doesn't have to come from an external source, it may be compromised by your former employee that got access to all your passwords or their IP is still allowed on the firewall. Or it may simply be an attack from somebody way more experienced than anyone else on your site so they can get through your security rules. For those purposes, it is always good to have your backups stored separately, not accessible through network or in the same building, but close enough so you can quickly restore during a tragic event. You can either backup the whole database, or just particular sites or objects with our import/export functionality.

More details on import/export here: http://devnet.kentico.com/docs/devguide/index.html?export_and_import_overview.htm

Rule 1x - Never consider the list of rules final

The list isn't ending, there are numerous other things that you could consider, these are only the basics to make sure the beginner hackers can't get access your project. It is only up to you which are the ways to access your project, and it is up to you to make sure that they are secured ...

We are doing the best we can to provide you with more reminders and ways how to set it up in a easier way, there will be improvements in 6.0, too, but the final action is yours ... ALWAYS!

See you next time ...

Share this article on   LinkedIn

Martin Hejtmanek

Hi, I am the CTO of Kentico and I will be constantly providing you the information about current development process and other interesting technical things you might want to know about Kentico.

Comments

Martin Hejtmanek commented on

Hi,

Sure it is common, Kentico CMS is not an exception, but anyways, people often forget about it.

Yes, the solution may be also two servers, one public and one private, but not everyone has the option to have two servers or wants to buy web farm licence (two servers = web farm), it is more specific than common. The admin UI can be disabled on the public server via web.config key:

<add key="CMSDisableAdministrationInterface" value="true" />

If you follow the implementation rules (e.g. inherit your pages from correct classes), then the security check of the system is performed the same way even if you access the template directly. But if you want to avoid that, you can simply deny access to anyone on that directory to everyone.

Bai Jia Cheng commented on

Hi team,
the issues you raised are quite "common" to all systems, not only Kentico CMS.
Could you please give more advices on CMS Desk, CMS Site Manager, CMS Templates, etc which contains a lot of sensiteive pages? For example keeping some files in CMS Template folder like a logon form may allow to see and access some section that are not protected no?
In that case, does a solution with a "public" server (browsable by any visitor) without CMS Desk, CMS Site Manager, CMS Template folders and another "private" server (only browsable by content manager) with all required folder, both linked to same database won't be a good solution?
Thanks.