Content Manager security best practices

This topic describes the best practices concerning security for the Content Manager.

Changing the default username and password

If somebody wants to gain access to your system, the easiest starting point is an account with a known default name. Changing the default names at least removes that possibility, so you must always change the default username everywhere.

Encrypting user-entered data

Regardless of the authentication method you choose to implement, ensure the safe transport of passwords and other user data over the connection.

  • For browser-based clients, always implement HTTPS in combination with your chosen identity provider. This applies to all providers, and in fact, some providers, such as SAML, require HTTPS.
  • For Windows-based clients, Windows Authentication provides sufficient protection. If you use LDAP, combine it with HTTPS encryption.

Removing installer log files

The installers used for installing the Tridion Sites products have logging enabled. This has the unfortunate side effect that most data entered during setup, including sensitive data such as passwords, is written to the log files. RWS recommends that you remove the log files from the server, but keep a copy elsewhere for later use when upgrading to a newer version or when obtaining customer support for Tridion Sites.

Uploading and previewing files

Tridion Sites enables users to upload content into the Content Manager. In some cases, this process involves writing the files into the upload directory of the website first. Similarly, Tridion Sites uses a preview directory for showing binary files in preview mode.

A user could otherwise upload an executable file and then run it simply by requesting it from the upload or preview location. To prevent this, configure both directories in IIS so that execution is not allowed (no execute permission).

Additionally, to enable upload functionality, grant the identity configured for the Application Pool (NETWORK SERVICE by default) write access to the folder you configured as the Content Manager Explorer upload directory (defaults to %PROGRAMDATA%\RWS\Upload\).
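The following PowerShell script is an added example, not RWS or Tridion Sites code, that applies the two settings above: it removes the Execute permission from the handler mappings of the upload and preview directories in IIS, and grants the Application Pool identity write (Modify) access to the upload directory only. The site name, the virtual-directory names and the preview path are placeholders that you must adjust to your installation; the script assumes both directories are exposed as virtual directories of the Content Manager site.

```powershell
# Added example (not RWS/Tridion Sites code). Run in an elevated PowerShell on the
# Content Manager server. Site name, virtual-directory names and the preview path are
# placeholders for your installation.
Import-Module WebAdministration

$siteName    = 'Default Web Site'                        # placeholder: the Content Manager site in IIS
$vdirs       = @('Upload', 'Preview')                    # placeholder: virtual directories for upload and preview
$uploadPath  = Join-Path $env:ProgramData 'RWS\Upload'   # documented default upload directory
$appPoolUser = 'NT AUTHORITY\NETWORK SERVICE'            # default Application Pool identity

# 1. Deny execution for both directories. The accessPolicy attribute of the
#    system.webServer/handlers section lists what handlers may do in this scope;
#    'Read,Script' deliberately leaves out 'Execute'.
foreach ($vdir in $vdirs) {
    $psPath = "IIS:\Sites\$siteName\$vdir"
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/handlers' `
        -Name 'accessPolicy' -Value 'Read,Script'

    # Read the setting back and fail loudly if Execute is still present.
    $policy = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/handlers' -Name 'accessPolicy'
    if ("$policy" -match 'Execute') { throw "Execute is still allowed on $psPath" }
    Write-Host "$psPath handlers accessPolicy = $policy"
}

# 2. Grant the Application Pool identity Modify rights on the upload directory only,
#    inherited by files and subfolders so uploaded content can be written and replaced.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $appPoolUser, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $uploadPath
$acl.SetAccessRule($rule)
Set-Acl -Path $uploadPath -AclObject $acl

# 3. Show the effective entries for the pool identity so the change can be reviewed.
(Get-Acl -Path $uploadPath).Access |
    Where-Object { $_.IdentityReference -eq $appPoolUser } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

Granting Modify rather than Full Control keeps the pool identity from changing permissions on the upload folder itself, and applying the rule only to the upload directory matches the text: the preview directory is read by the website but is not the location that uploads are written to.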