Restricting Access to Directories through the web.config file

Mike Bilz asked on July 7, 2017 20:39

Hello Kentico Team,

https://docs.kentico.com/k10/securing-websites/deploying-websites-to-a-secure-environment/restricting-access-to-directories

I have been trying to implement all of the security features that Kentico suggests as a part of going live, but I have found some of the documentation to be a little unhelpful.

The page above mentions that I should disable access to dangerous directories, but doesn't list all of the directories I should disable, and doesn't mention where within the web.config file I should include this code. Is there a complete list of directories I should disable, or is the "CMSSiteUtils" folder the only one I need to worry about?

Also, does it matter where in the web.config file I include this code?

Thanks in advance for your help.

-mike

Recent Answers


Brenden Kehren answered on July 7, 2017 21:34

I have 2 blog posts on security and such regarding the file system approach. Take a look:

https://www.kehrendev.com/blog/brenden-kehren/may-2015/secure-your-kentico-site,-content-and-objects-from

https://www.kehrendev.com/blog/brenden-kehren/june-2017/security-and-folder-permissions-in-kentico

Also, if you want to get to a more granular approach, you might want to use web.config in each of the directories you want to restrict or grant access to. For instance, take a look in the /CMSPages directory, there is a web.config file in there which grants and denies access to specific files within that directory. I recommend creating a web.config for the directories you want to restrict or grant access to. Keep in mind if you get too restrictive, the CMS won't properly function.

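The two placements discussed in this thread, as an added example (not taken from the Kentico documentation or from the posts above): a `<location>` element in the root web.config, and the equivalent stand-alone web.config placed inside the directory. It assumes the `CMSSiteUtils` directory named in the question should receive no web requests on the live site, and that the IIS URL Authorization feature is installed for the `system.webServer` rule.

```xml
<!-- File 1: root web.config. Only the added element is shown; the file's
     existing sections stay as they are. -->
<configuration>
  <!-- <location> is a direct child of <configuration>. Its position among
       sibling sections does not matter, but <configSections>, if present,
       must remain the first child. -->
  <location path="CMSSiteUtils">
    <system.web>
      <!-- ASP.NET URL authorization: applies to requests ASP.NET handles -->
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- IIS URL authorization: applies to every request, static files
             included. Assumes the URL Authorization feature is installed. -->
        <authorization>
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>

<!-- File 2, alternative to File 1: CMSSiteUtils/web.config.
     Same rules without the <location> wrapper; the file's own directory
     is the scope. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Use one placement or the other, then request a file under the directory from an unauthenticated browser session and confirm it is no longer served while the rest of the CMS still works.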