Sitecore Security Implementation Best Practices

02.10.15   Prasanth Nittala

Part of what makes Sitecore such a dynamic and flexible platform is the ability to customize your implementation to meet your needs. While we’ve already shared some best practices for Development and Template implementation, today we’re sharing information on how to make sure you keep your site’s security in mind when implementing. In today’s world of hacks and security breaches, it’s more important than ever to build out a secure website.

Best practice #1:

Assign security rights to roles, not users.

Reasoning:

Assigning rights directly to users makes item security hard to manage: users move between organizations, so the rights on the items would need to change often. When rights are assigned to a role instead, you simply add that role to every user who needs access to the item(s) the rights apply to.

Impact to site:

Overall implementation, site security, and content editor experience

----------------------------

Best practice #2:

Always use inheritance of rights when applying rights instead of explicitly applying access to each item.

Reasoning:

The more granular and specific the security requirements, the more work is needed to apply the restrictions to those items. In addition, an explicit denial of access cannot be overridden, whereas inherited rights can be broken where needed so that only some roles are denied. For example, user AB, who has both Role A and Role B, will not have access to an item on which explicit denial is set for Role A, even though Role B was granted access to that item.

Impact to site:

Overall implementation, site security, and content editor experience.
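To make best practices #1 and #2 concrete, here is an added Python model (not Sitecore code, and not from the post's author) of how Sitecore-style access rules resolve: rights are attached to roles rather than users, rules propagate down the content tree unless inheritance is broken on an item, and an explicit deny on any one of a user's roles overrides every allow. The item paths, role names, the `item:read` right name and the per-item `inherit` flag are constructed simplifications for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Permission(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class AccessRule:
    role: str                  # rights go to roles, never to individual users
    right: str                 # constructed right name, e.g. "item:read"
    permission: Permission
    descendants: bool = True   # rule also applies to items below this one


@dataclass
class Item:
    path: str
    parent: Optional["Item"] = None
    rules: List[AccessRule] = field(default_factory=list)
    inherit: bool = True       # False: inheritance is broken on this item


@dataclass
class User:
    name: str
    roles: Set[str]


def applicable_rules(item: Item, right: str) -> List[AccessRule]:
    """Rules governing `right` on `item`: the item's own rules plus propagating
    rules from each ancestor, walking up only while inheritance is intact."""
    rules = [r for r in item.rules if r.right == right]
    node = item
    while node.inherit and node.parent is not None:
        node = node.parent
        rules.extend(r for r in node.rules if r.right == right and r.descendants)
    return rules


def is_allowed(user: User, item: Item, right: str) -> bool:
    """Deny wins: an explicit deny on any of the user's roles beats every allow.
    If no rule mentions any of the user's roles, access is refused."""
    matching = [r for r in applicable_rules(item, right) if r.role in user.roles]
    if any(r.permission is Permission.DENY for r in matching):
        return False
    return any(r.permission is Permission.ALLOW for r in matching)


def build_tree() -> Dict[str, Item]:
    """Constructed content tree: Role A and Role B may read everything under the
    root; Home carries an explicit deny for Role A; Private breaks inheritance
    and grants only Role B."""
    root = Item("/sitecore/content")
    home = Item("/sitecore/content/Home", parent=root)
    private = Item("/sitecore/content/Home/Private", parent=home, inherit=False)
    root.rules += [
        AccessRule("Role A", "item:read", Permission.ALLOW),
        AccessRule("Role B", "item:read", Permission.ALLOW),
    ]
    home.rules.append(AccessRule("Role A", "item:read", Permission.DENY))
    private.rules.append(AccessRule("Role B", "item:read", Permission.ALLOW))
    return {"root": root, "home": home, "private": private}


def demo() -> Dict[str, bool]:
    """Evaluate the post's scenario. Moving a person between teams only changes
    their role set; no item rule needs to be touched (best practice #1)."""
    tree = build_tree()
    user_ab = User("ab", {"Role A", "Role B"})
    user_a = User("a", {"Role A"})
    user_b = User("b", {"Role B"})
    return {
        # explicit deny on Role A overrides the allow Role B inherited from root
        "ab_reads_home": is_allowed(user_ab, tree["home"], "item:read"),
        "b_reads_home": is_allowed(user_b, tree["home"], "item:read"),
        # broken inheritance: Private ignores both the root allows and the Home deny,
        # so Role A is kept out without any explicit deny that could never be undone
        "ab_reads_private": is_allowed(user_ab, tree["private"], "item:read"),
        "a_reads_private": is_allowed(user_a, tree["private"], "item:read"),
        "a_reads_root": is_allowed(user_a, tree["root"], "item:read"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The two `Private` results are the point of best practice #2: user AB gets in because the item only inherits what it is told to, while a plain Role A user is kept out, and that restriction can later be relaxed by restoring inheritance. The explicit deny on `Home`, by contrast, locks user AB out no matter how many other roles grant access.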

---------------------------

Best practice #3:

Make sure /data and /indexes folders are not accessible to anonymous users and are outside of the website directory context.

Reasoning:

This protects the folders in these directories, and the files that reside in them, from being reached through the website.

Impact to site:

Overall implementation and site security
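As an added example (not from the post or from Sitecore), the following Python script audits the two halves of best practice #3 against a Sitecore-style configuration: it resolves the `dataFolder` variable and the `IndexFolder` setting (treating a leading `/` as web-root relative, as Sitecore does) and flags any folder that lands inside the web root, and it checks a web.config `<location>` block for an ASP.NET `<deny users="?"/>` rule that blocks anonymous visitors. The config fragments and the `C:\inetpub\...` paths are constructed for the example.

```python
import ntpath
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed samples, not files from any real deployment. The first keeps the
# web-root-relative default, so /data and /data/indexes sit inside the site.
WEAK_CONFIG = """<configuration>
  <sitecore>
    <sc.variable name="dataFolder" value="/data" />
    <settings>
      <setting name="IndexFolder" value="$(dataFolder)/indexes" />
    </settings>
  </sitecore>
</configuration>"""

# Same file with an absolute path outside the web root.
HARDENED_CONFIG = WEAK_CONFIG.replace('value="/data"', r'value="C:\inetpub\sitecore-data"')

# Constructed web.config fragment that denies anonymous ("?") access to /data.
WEB_CONFIG = """<configuration>
  <location path="data">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

WEBROOT = r"C:\inetpub\wwwroot\Website"   # assumed site root for the example


def expand(value: str, variables: Dict[str, str]) -> str:
    """Substitute $(name) references the way Sitecore variables are expanded."""
    return re.sub(r"\$\((\w+)\)", lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve(value: str, webroot: str) -> str:
    """A leading '/' means web-root relative; anything else is taken as-is."""
    value = value.replace("/", "\\")
    if value.startswith("\\") and not value.startswith("\\\\"):
        return ntpath.normpath(ntpath.join(webroot, value.lstrip("\\")))
    return ntpath.normpath(value)


def inside_webroot(path: str, webroot: str) -> bool:
    root = ntpath.normcase(ntpath.normpath(webroot))
    try:
        return ntpath.commonpath([ntpath.normcase(path), root]) == root
    except ValueError:          # different drives: cannot be inside
        return False


def audit_folders(config_xml: str, webroot: str) -> List[str]:
    """Return one finding per folder that resolves to a location under the web root."""
    root = ET.fromstring(config_xml)
    variables = {v.get("name"): v.get("value", "") for v in root.iter("sc.variable")}
    settings = {s.get("name"): s.get("value", "") for s in root.iter("setting")}
    candidates = {
        "dataFolder": variables.get("dataFolder", ""),
        "IndexFolder": settings.get("IndexFolder", ""),
    }
    findings = []
    for name, raw in candidates.items():
        if not raw:
            findings.append(f"{name}: not configured")
            continue
        resolved = resolve(expand(raw, variables), webroot)
        if inside_webroot(resolved, webroot):
            findings.append(f"{name}: {resolved} is inside the web root")
    return findings


def anonymous_denied(web_config_xml: str, folder: str) -> bool:
    """True when a <location> for `folder` contains <deny users="?"/>.
    Under the IIS integrated pipeline this rule also covers static files."""
    root = ET.fromstring(web_config_xml)
    for loc in root.iter("location"):
        if loc.get("path", "").strip("/").lower() == folder.strip("/").lower():
            return any(d.get("users") == "?" for d in loc.iter("deny"))
    return False


if __name__ == "__main__":
    print(audit_folders(WEAK_CONFIG, WEBROOT))
    print(audit_folders(HARDENED_CONFIG, WEBROOT))
    print(anonymous_denied(WEB_CONFIG, "data"))
```

Running it reports both `dataFolder` and `IndexFolder` for the web-root-relative default and nothing for the absolute path, which is the outcome the best practice asks for: moving the folders out of the site directory removes the exposure entirely, and the `<deny users="?"/>` check is the fallback for the case where the folders must stay inside it.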

Sitecore is a powerful system, but if not implemented following best practices, you leave your site open to security issues. Want more? Keep an eye out for our upcoming Sitecore Best Practices white paper - set to release next week.