Ektron 9.00
WARNING! Securing your Ektron site is critical to you and to anyone using your site. Failure to implement security measures can make your site vulnerable to cyber-attacks and other security threats. You should complete the actions in this section to make Ektron as secure as possible.
A SECURITY UPDATE is available for Ektron versions 8.02, 8.5, 8.6, 8.6.1, 8.7, and 9.00, including all service packs from 8.02 to 9.00 SP1. For information, see Security Update (Releases 8.02 to 9.00 SP1)—October 2013.
IMPORTANT: You should create your own Administrator user and delete the Admin user. Also, delete unnecessary users from Ektron.
NOTE: If you changed the builtin user password during the site setup, you do not need to change it again. See Getting Started with Ektron for additional information. Also, the “builtin” user does not appear in the Users list. This user appears on the application setup screen.
NOTE: If you cannot sign in to Ektron because the builtin user password was changed and you do not know the new password, use the BuiltinAccountReset.exe utility. This resets your Ektron user / password to Builtin / Builtin. This utility is located in C:\Program Files\Ektron\CMS400versionnumber\Utilities.
By default, the root folder in Workarea provides the Everyone Group with all permissions except Overwrite Library. You should review the permission needs of the Everyone Group when you add a folder. See Also: Managing Folder and Content Permissions
Click the Everyone group. The Edit Permissions for Folder "Root" screen appears.
Ektron includes some sample users and sample membership users for evaluation and demonstration purposes. Remove these users when they are no longer needed.
NOTE: Some users in the following lists might not appear in your User list. Also, you might have sample users that appear in your users lists. This depends on the version of the software you have installed.
Ektron Users—See Also: Managing Users and User Groups
Membership Users—See Also: Membership Users and Groups
A group account is an account that more than one person uses to log in to Ektron using the same username and password. This is a serious security issue because it prevents you from tracking user activities in your Workarea. Group accounts violate Ektron's license agreement.
IMPORTANT: Typically, the \workarea\services\ path is used in 3-tier implementations. Review your site architecture and configure access to it accordingly.
You need to restrict services to specific IP addresses in IIS 7. Run INETMGR; IIS Manager appears.
You need to restrict Web services to specific IP addresses in IIS 7. Run INETMGR; IIS Manager appears.
In rare cases, user information can be accessed from a browser. If you still have the assets and user folders after upgrading beyond Ektron 8.5, delete these folders.
Enable only the types of files that your website needs to support.
Ektron strongly recommends configuring SSL (Secure Sockets Layer, https), especially if you are using Active Directory integration. SSL encrypts user names and passwords in transit to the server; without it, they are sent to the Ektron server as clear text.
If your Web server does not have an SSL certificate installed, you need to install one. When you set up an SSL certificate and configure Ektron to use it, the login page is launched in a Secure Socket Layer. This section explains how to set up SSL for Ektron.
In the web.config file, change <add key="ek_UseSSL" value="false" /> to true.
The following measures are also recommended.
Enable cookie encryption in web.config: <add key="ek_EnableCookieEncryption" value="true" />
Enable Captcha for new user signup and other membership features. Captcha prevents automated tools from creating unwanted data and traffic on your site. Set the Membership server control's EnableCaptcha property to true. See Membership Properties.
When you back up web.config, do not use another extension. The .config extension is secured, but another extension may make the backup file readable. (For example, web.BAK.config is secured, but web.config.BAK is NOT!) Likewise, do not leave .zip files on your site.
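The two web.config settings above and the backup-naming rule can be checked mechanically. The following is an added example, not part of the Ektron documentation or product: it parses a constructed web.config fragment, reports the keys that are missing or not set as required, and classifies backup file names by whether .config remains the last extension.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.config fragment showing the weak defaults discussed above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ek_UseSSL" value="false" />
    <add key="ek_EnableCookieEncryption" value="false" />
  </appSettings>
</configuration>
"""

# Keys this page says to enable, with the value each should hold.
REQUIRED_SETTINGS = {"ek_UseSSL": "true", "ek_EnableCookieEncryption": "true"}


def read_app_settings(xml_text: str) -> Dict[str, str]:
    """Return the appSettings <add key="..." value="..."/> pairs of a web.config document."""
    root = ET.fromstring(xml_text)
    return {add.get("key", ""): add.get("value", "") for add in root.findall("./appSettings/add")}


def find_weak_settings(xml_text: str) -> List[str]:
    """List required Ektron keys that are absent or not set to the expected value."""
    settings = read_app_settings(xml_text)
    findings = []
    for key, expected in REQUIRED_SETTINGS.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} is missing (expected {expected})")
        elif actual.strip().lower() != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    return findings


def is_protected_backup_name(filename: str) -> bool:
    """True when .config is the final extension, so ASP.NET still refuses to serve the file.
    web.BAK.config keeps that protection; web.config.BAK and web.config.zip do not."""
    return filename.lower().endswith(".config")


if __name__ == "__main__":
    for finding in find_weak_settings(SAMPLE_WEB_CONFIG):
        print("WEAK:", finding)
    for name in ("web.BAK.config", "web.config.BAK", "web.config.zip"):
        print(name, "protected" if is_protected_backup_name(name) else "EXPOSED")
```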
files on your site.See Extended Log File Format and W3C Extended Log File Format (IIS 6.0)
hklm\software for non-admin accounts.