Ektron 9.00

Securing Ektron

WARNING! Securing your Ektron site is critical to you and to anyone using your site. Failure to implement security measures can make your site vulnerable to cyber-attacks and other security threats. You should complete the actions in this section to make Ektron as secure as possible.

A SECURITY UPDATE is available for Ektron versions 8.02, 8.5, 8.6, 8.6.1, 8.7, and 9.00, including all service packs from 8.02 to 9.00 SP1. For information, see Security Update (Releases 8.02 to 9.00 SP1)—October 2013.

Changing the Admin password in the Workarea

Changing the Admin Password

IMPORTANT: You should create your own Administrator user and delete the Admin user. Also, delete unnecessary users from Ektron.

  1. In the Workarea, choose Settings > Users.
  2. Click the Admin user.
  3. Click Edit Users.
  4. Enter the new password in the Password and Confirm Password fields.
  5. Click Save.
Changing the builtin password in the Workarea

Changing the Builtin Password

NOTE: If you changed the builtin user password during the site setup, you do not need to change it again. See Getting Started with Ektron for additional information. Also, the “builtin” user does not appear in the Users list. This user appears on the application setup screen.

  1. In the Workarea, choose Settings > Configurations > Setup.
  2. Click Edit.
  3. Find the Built In User field.
  4. Enter the new password in the Password and Confirm Password fields.
  5. Click Update.

    NOTE: If you cannot sign in to Ektron because the builtin user password was changed and you do not know the new password, use the BuiltinAccountReset.exe utility. This resets your Ektron user / password to Builtin / Builtin. This utility is located in C:\Program Files\Ektron\CMS400versionnumber\Utilities.

Changing the Everyone group permissions

Changing the Everyone Group Permissions

By default, the root folder in Workarea provides the Everyone Group with all permissions except Overwrite Library. You should review the permission needs of the Everyone Group when you add a folder. See Also: Managing Folder and Content Permissions

  1. Go to Workarea > Folders > Folders. The View Contents for Folder "Root" appears.
  2. Choose View > Properties.
  3. Choose View Permissions (). The View Permissions for Folder "Root" appears.

  4. Click on the Everyone group. The Edit Permissions for Folder "Root" appears.

    —Image—

  5. Check the permissions that you want and click Update.
Removing sample users and sample membership users

Removing Sample Users and Sample Membership Users

Ektron includes some sample users and sample membership users for evaluation and demonstration purposes. Remove these users when they are no longer needed.

  • CMS users have access to the Workarea and can be content authors, administrators or developers. These people count towards the number of users in your license.
  • Membership users are typically people who only interact with your website but have limited privileges to Ektron. They cannot use the Workarea and do not count towards the number of users in your license.

NOTE: Some users in the following lists might not appear in your User list. Also, you might have sample users that appear in your users lists. This depends on the version of the software you have installed.

Ektron Users—See Also: Managing Users and User Groups

  • jedit
  • tbrown
  • jsmith
  • vs

Membership Users—See Also: Membership Users and Groups

  • jmember
  • member@example.com
  • north
  • supermember
  • west

Removing Ektron Users

  1. In the Workarea, choose Settings > Users.
  2. Check the box next to each user that you want to remove.
  3. Click Delete ().
  4. Click OK.

Removing Membership Users

  1. In the Workarea, choose Settings > Community Management > Memberships > Users.
  2. Check the box next to each user that you want to remove.
  3. Click Delete ().
  4. Click OK.
Disallowing group user accounts

Disallowing Group User Accounts

A group account is an account that more than one person uses to log in to Ektron using the same username and password. This is a serious security issue because it prevents you from tracking user activities in your Workarea. Group accounts violate Ektron's license agreement.

Securing Services

Securing Services

IMPORTANT: Typically, the \workarea\services\ path is used in 3-tier implementations. Review your site architecture and configure access to support accordingly.

You need to restrict services to specific IP addresses in IIS 7.

  1. Choose Start > Run, then type INETMGR; IIS Manager appears.
  2. Go to Your Website > Workarea > services.
  3. Double click on IP Address and Domain Restrictions.
    —Image—

  4. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
  5. Select Specific IP Address and enter the IP address of the Web server and then click OK.
    —Image—

  6. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
  7. Choose Deny from the drop-down and click OK.
    —Image—

Securing WebServices

Securing WebServices

You need to restrict Web services to specific IP addresses in IIS 7.

  1. Choose Start > Run, then type INETMGR; IIS Manager appears.
  2. Go to Your Website > Workarea > webservices.
  3. Double click on IP Address and Domain Restrictions.
    —Image—

  4. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
  5. Select Specific IP Address and enter the IP address of the Web server and then click OK.
    —Image—

  6. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
  7. Choose Deny from the drop-down and click OK.
    —Image—

Securing ServerConrolWS.asmx

Securing ServerControlWS.asmx

  1. Run INETMGR (Start > Run then type INETMGR); IIS Manager appears.
  2. Go to Your Website > Workarea.
  3. Click Content View at the bottom of the window.
  4. Right click ServerControlWS.asmx and choose Switch to Features View.
    —Image—

  5. Double click on IP Address and Domain Restrictions.
    —Image—

  6. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
  7. Select Specific IP Address.
  8. Enter the IP address of the Web server and then click OK.
    —Image—

  9. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
  10. Choose Deny from the drop-down and click OK.
    —Image—

Securing assets and user folders

Securing Assets and User Folders

In rare cases, user information can be accessed from a browser. If you have the assets and user folders after upgrading beyond Ektron 8.5, you should delete these folders.

Defining the default file types for assets

Defining the Default File Types for Assets

Enable only the types of files that your website needs to support.

  1. Go to Workarea > Settings > Configuration > Asset Server Setup.
  2. Click on Edit File Types ().
  3. Add or remove the file types that your website needs, and click Save ().
Enabling firewall use

Enabling Firewall Use

  • Only open port 80 for standard websites. If you enable SSLSecure Sockets Layer (https), open port 443 also.
  • If you need FTP, open port 21, but restrict access to IP addresses that need to FTP access to your server. The same applies for SFTP, FTPES, SSH for their respective ports.
  • Do not open remote desktop ports, SQL ports, SMTP ports, or any other port unless absolutely necessary. Instead, use a VPN tunnel through the firewall for access to these services. Even FTP can be made accessible through a VPN tunnel.
Setting up SSL

Setting Up SSL

Ektron strongly recommends configuring SSLSecure Sockets Layer (https), especially if you are using Active Directory integration. SSL encrypts user names and passwords during transmissions to the server that are otherwise sent as clear text to the Ektron server.

If your Web server does not have an SSL certificate installed, you need to install one. When you set up an SSL certificate and configure Ektron to use it, the login page is launched in a Secure Socket Layer. This section explains how to set up SSL for Ektron.

  • To enable SSL, open your site's web.config file and set <add key="ek_UseSSL" value="false" /> to true.
  • To set up SSL in IIS, see How to Set Up SSL on a Server.
Additional security measures

Additional Security Measures

The following measures are also recommended.

  • Knowledge Base Article: Best Practices for Securing Ektron CMS400.Net
  • Encrypt cookies in web.config.
    <add key="ek_EnableCookieEncryption" value="true" />

  • Enable Captcha for new user signup and other membership features. Captcha prevents automated tools from creating unwanted data and traffic on your site. Set the Membership server controla server control uses API language to interact with the CMS and Framework UI to display the output. A server control can be dragged and dropped onto a Web form and then modified.'s EnableCaptcha property to true. See Membership Properties.

  • Enable IP filtering on all FTP sites, and WWW sites as needed. Use Ipsec filters to accomplish this. See How to configure TCP/IP filtering in Windows 2000.
  • Install needed services only (for example, FTPFile Transfer Protocol, www, SMTPSimple Mail Transport Protocol; an internet standard for electronic mail., NNTPNetwork News Transfer Protocol; used for transporting Usenet articles between news servers.).
  • If you make a backup of web.config, do not use another extension. The .config extension is secured, but another extension may make the backup file readable. (For example, web.BAK.config is secured, but web.config.BAK is NOT!)
  • Remove any test scripts that you may have left on your site.
  • If you zip up databases and code, do not leave the .zip files on your site.
  • Do not use IIS on a domain controller.
  • Never use virtual directories across servers.
  • Never install websites on the system drive.
  • Remove NTFS write permissions wherever possible. See How IT Works: NTFS Permissions.
  • Configure a default website with extremely secure settings (for example, require SSLSecure Sockets Layer (https), Integrated Windows authentication only, accessible from only one IP, NTFS permissions to none on an empty home directory, and so on), then stop the site. This results in a broken default website that 80% of hackers will blindly attack instead of your real website.
  • Configure websites so that the host header matches the site's DNS name. Do this for both HTTP and HTTPSHypertext Transfer Protocol Secure; a combination of HTTP and SSL/TLS protocols providing encrypted communication.. Do not configure the default website with host header. This should prevent 90% of automated hacking tools from working by sending them to your crippled default website. To do this:
    1. Open IIS Manager.
    2. Right-click your website icon.
    3. On the Web Site tab, click Advanced.
    4. Click the IP Address then Edit.
    5. Enter the host header in the Host Header field.
    6. Click OK to save.
  • Enable IIS auditing.
  • Enable W3 extended logging. Verify that the logged information is appropriate. Consider enabling the following items:
    • Date and time
    • IP address of client
    • IP address of server
    • Server port
    • Username
    • HTTP method used to access your site
    • URI Stern
    • URI Query
    • Status of request

    See Extended Log File Format and W3C Extended Log File Format (IIS 6.0)

  • Set permission for IIS logs to system and local administrators only.
  • Remove write permissions to hklm\software for non-admin accounts.
    • Administrators & System: Full
    • Everyone: Read/Execute
  • Restrict NTFS permissions to all executable files on the system.
    • Administrators & System: Full
    • Users: Read/Execute
    • IUSR account: execute permissions sparingly

    See How IT works: NTFS Permissions

  • Restrict NTFS permissions to any script interpreters, such as Perl.
    • Administrators & System: Full
    • Everyone: Read/Execute
    • IUSR account: execute permissions sparingly
  • Ensure that the Everyone group has read-only permissions for these directories.
    • Web root
    • %systemroot%
    • %systemroot%\system32
    • %systemroot%\system32\inetsrv
    • %systemroot%\system32\inetsrv\asp
    • %systemroot%\program files\common files\