Kentico CMS 7.0 Developer's Guide

Securing the CMSHelp folder


Kentico CMS comes with an on‑line help reference that is available in the database installer and most parts of the administration interface. Users can view it to access context‑specific information about the current section of the application's interface. By default, any user (including public users) can open the HTML content of the on‑line help by entering the appropriate URL, which may not be desirable in certain scenarios, e.g. in the case of high‑security websites or if you are creating a rebranded solution.

 

There are several ways to solve this issue. The simplest is to delete the ~/CMSHelp folder from the project of your production website. This removes the possibility of public users opening the help files, but the on‑line help in the Kentico CMS administration interface will no longer be available.

 

If you wish to keep the on‑line help on your live website, you can limit access to the content of the help folder so that only users with the appropriate authorization are allowed to view it. Follow the steps below to perform the required configuration:

 

1. Edit your application's web.config file.

 

2. Find the <system.webServer> section directly under the web.config root (i.e. not under a specific <location> element).

 

3. Configure the application to handle the requests for the HTML help files:

 

a. One option is to add the runAllManagedModulesForAllRequests attribute to the <modules> element:

 

<system.webServer>
   ...
  <modules runAllManagedModulesForAllRequests="true">
    ...
  </modules>
  ...
</system.webServer>

 

Setting this attribute to true ensures that all request types, including static HTML files, pass through the application's managed modules, so authentication is required where the configuration demands it.

 

b. If you do not want the application to process all additional request types, but only .html and .htm files, add the following two handlers into the <handlers> element:

 

<handlers>
   ...
   <add name="HTMLRequestHandler" path="*.html" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="" />
   <add name="HTMRequestHandler" path="*.htm" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" preCondition="" />
   ...
</handlers>

 

Adjust the path in the scriptProcessor attribute as necessary according to your specific .NET environment.

 

4. Define the authorization rules applied to the content of the CMSHelp folder by adding the following section into your web.config file:

 

<location path="CMSHelp">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

 

The example above only allows authenticated users to access the on‑line help files. Public users cannot reach the files through a direct URL without being prompted to log in. To further increase the security, you can restrict access to a specific set of roles by editing the <authorization> section as shown below:

 

<authorization>
    <allow roles="GlobalAdmin, CMSDeskAdmin"/>
    <deny users="*"/>
</authorization>

 

This ensures that only users who belong to the given roles (specified by their code names) have access.
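As an added check that is not part of the Kentico documentation, the following Python script audits a web.config for the two conditions the steps above establish: that .html/.htm requests reach ASP.NET (step 3a or 3b), and that the CMSHelp <authorization> rules, evaluated in order as ASP.NET evaluates them, do not admit an anonymous user (step 4). The embedded web.config fragment and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not taken from a real project); it applies the
# roles-restricted variant of step 4 together with option 3a.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <location path="CMSHelp">
    <system.web>
      <authorization>
        <allow roles="GlobalAdmin, CMSDeskAdmin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def help_requests_managed(root):
    """Step 3: .html/.htm requests reach ASP.NET only if managed modules run for
    all requests (3a) or explicit *.html and *.htm handlers are registered (3b)."""
    modules = root.find("./system.webServer/modules")
    if modules is not None and modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        return True
    paths = {h.get("path", "").lower() for h in root.findall("./system.webServer/handlers/add")}
    return {"*.html", "*.htm"} <= paths

def anonymous_allowed(root):
    """Step 4: walk the CMSHelp <authorization> rules in order for an anonymous
    user (first matching rule wins; no matching rule means access is allowed).
    Anonymous users match users="?" and users="*" but never a roles= rule."""
    for loc in root.findall("location"):
        if loc.get("path", "").strip("/").lower() != "cmshelp":
            continue
        auth = loc.find("./system.web/authorization")
        for rule in ([] if auth is None else list(auth)):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & {"?", "*"}:
                return rule.tag == "allow"
    return True

def audit_cmshelp(config_xml):
    """Return (help_managed, anonymous_allowed); CMSHelp is protected only when
    the first value is True and the second is False."""
    root = ET.fromstring(config_xml)
    return help_requests_managed(root), anonymous_allowed(root)

if __name__ == "__main__":
    managed, anon = audit_cmshelp(SAMPLE_WEB_CONFIG)
    print("help requests handled by ASP.NET:", managed)
    print("anonymous users can open CMSHelp:", anon)
```

Run it against your own file with `audit_cmshelp(open("web.config").read())`; an `<allow users="*"/>` placed before the deny rule, or a missing `<location path="CMSHelp">`, is reported as anonymous access still being allowed.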