Content Manager security best practices
This topic describes the best practices concerning security for the Content Manager.
- Username and password
  Anyone trying to gain access to your system would most easily start with well-known default accounts. Changing the default account names at least removes that starting point. You must therefore always change the default usernames everywhere.
- Installer log files
  The installers for the SDL Web products have logging enabled. An unfortunate side effect is that most data entered during setup, including sensitive data such as passwords, ends up in the log files. SDL recommends removing the log files from the server, but keeping them for later use when upgrading to a newer version or when obtaining customer support from SDL Web.
- LDAP authentication
  When using LDAP authentication in IIS, all passwords must be typed by the users of the system themselves, which means IIS must be configured for Anonymous authentication. To secure data in transit, use HTTPS for the Web sites; for communication with the LDAP-accessible server, use LDAPS.
- WebDAV and Business Connector
  Both the WebDAV Connector and the Business Connector (deprecated) can use HTTPS to ensure encrypted data transport, including the user name and password, to the Content Manager.
- Uploading and previewing files
  SDL Web enables users to upload content into the Content Manager. In some cases this process involves first writing the files into the upload directory of the Web site. Similarly, SDL Web uses a preview directory for showing binary files in preview mode.
  To prevent users from running malicious executable files that they upload (which they could otherwise do by uploading or previewing such a file), set both directories to no execute in IIS. Additionally, to enable upload functionality, grant the Network Service user as configured in the Application Pool (NETWORK SERVICE by default) write access to the folder you configured as the Content Manager Explorer upload directory (defaults to C:\ProgramData\SDL\Upload\).
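The following PowerShell script applies the two settings described above and reads them back. It is an added example, not SDL's own tooling; the site name `SDL Web` and the virtual paths `upload` and `preview` are placeholders to adjust for your installation, while the upload path and the NETWORK SERVICE identity are the documented defaults.

```powershell
# Added example (not SDL's tooling): set the upload and preview directories to
# "no execute" in IIS and grant the app pool identity write access to the upload folder.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName    = 'SDL Web'                       # placeholder: IIS site hosting Content Manager Explorer
$NoExecDirs  = @('upload', 'preview')          # placeholders: virtual paths of the upload and preview directories
$UploadDir   = 'C:\ProgramData\SDL\Upload\'    # documented default upload directory
$AppPoolUser = 'NT AUTHORITY\NETWORK SERVICE'  # documented default Application Pool identity

foreach ($dir in $NoExecDirs) {
    # "No execute" in IIS Manager corresponds to handler feature permissions of Read only
    # (Script and Execute cleared). Writing a <location> into applicationHost.config works
    # even though the handlers section is locked against web.config delegation by default.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$dir" -Filter 'system.webServer/handlers' `
        -Name 'accessPolicy' -Value 'Read'

    # Read the effective policy back and warn if Script or Execute is still allowed.
    $handlers = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$dir" -Filter 'system.webServer/handlers'
    $policy = [string]$handlers.accessPolicy
    if ($policy -match 'Script|Execute') {
        Write-Warning "$SiteName/$dir still allows '$policy'; expected Read only"
    } else {
        Write-Host "$SiteName/$dir handlers accessPolicy = $policy"
    }
}

# Grant the Application Pool identity Write (plus Read, so it can list the folder),
# inherited by existing and future files and subfolders of the upload directory.
if (-not (Test-Path -Path $UploadDir)) {
    New-Item -ItemType Directory -Path $UploadDir | Out-Null
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AppPoolUser, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $UploadDir
$acl.SetAccessRule($rule)   # replaces any existing explicit Allow rule for this identity
Set-Acl -Path $UploadDir -AclObject $acl

# Show the resulting access control entry for the service account.
(Get-Acl -Path $UploadDir).Access |
    Where-Object { $_.IdentityReference -eq $AppPoolUser } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If the Application Pool runs under a different identity, set `$AppPoolUser` to that account; the handler permissions are independent of the identity.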