How To Improve Your Episerver Administrative Interface’s Security At No Extra Cost

This Episerver Security blog is in continuation to our previous Episerver Security blog on separate editing servers. In the previous blog, we saw how having a separate editing server behind a firewall will help secure your editing interface from unauthorized access. In this blog, we will look at another cost-effective alternative for making your Episerver website's editing interface secure using EPiserver's available features.

Having a separate editing server may not be a "one size fits all" solution for all types of customers. A CMS can be used by a wide range of customers; from single owner businesses and SMB clients to enterprise-class customers. Some customers may prefer to give more value to easy maintenance of their website - and its associated servers/hosting environment- over other aspects of the website while other customers may prefer optimizing the utilization of their existing server resources before investing more in new server capacities.

The good news is Episerver provides an alternative solution to protect the editing interface using secure URLs and ports. All that needs to be done is to designate a port through which administrative interface can be accessed.

Here's how this has to be done:

• Use a Secured Socket Layer (SSL) for accessing the editing interface.
• Assign a specially designated (and restricted) port for accessing the editing interface.
• Configure the editing interface to use a custom path and the assigned port.

Following are the settings that need to be done in the configuration file for designating a port and assigning a custom path for the editing interface.
1. Setup a custom path for the uiURL attribute of application settings element.

uiUrl="~/customPath/"

uiURL would be the actual URL using which the editing interface would be accessed by a user. By giving a custom name to this, we are securing our UI interface from unauthorized access.

A specific port can be designated to the UI folder by setting up a custom URL with a port number for uiURL attribute.
    uiUrl=http://example.com:8888/CustomPath/
Note: The above setup for uiURL is not recommended for multi-site architecture based websites. In such a scenario, our previous recommendation of having a separate editing server would be optimal.

2. Change the virtualPath attribute from the default value to the Custom Path (~/customPath).
<add virtualPath="~/ customPath/" physicalPath="Modules/_Protected" name="ProtectedModules"type="EPiServer.Web.Hosting.VirtualPathNonUnifiedProvider, EPiServer.Framework" />

3. Change the path attribute of location element to the custom path.
<location path=" customPath">

4. Change the path attribute of location element from UI/Admin to the customPath/Admin.
<location path=" customPath/Admin">

5. Change the rootPath attribute of protectedModules element to the custom path.
<episerver.shell>
  <publicModules rootPath="~/modules/" autoDiscovery="Modules" />
  <protectedModules rootPath="~/ customPath/">

6. Add the specially designated (and restricted) port for accessing the editing interface to Internet Information Services(IIS) used by the website.

There are a few other configuration settings which have to be modified when various other Episerver Products, like Commerce and Digital Marketing are used by the website.

With the above setup, you have added another level of security to your Episerver website's administrative interface at no extra cost!

Security is one area where you can never compromise because the damages caused by lack of it could be heavy and irreversible. With Ameex you will find a reliable partner who not only delivers what is asked of us by our customers, but we also provide proactive consulting and solutions to customer's business and security challenges. We see our success in our clients' success!

How we can help you?

At Ameex, we take client security very seriously, so we will always recommend that our clients not only follow the standard best practices, but that they also look at the advanced security options available to them. Feel free to contact our technical team to assist you.