Securing the Edit and Admin Area of Your EpiServer

Authored by Ameex Technologies on 11 Sep 2018

Over the past 11 years of implementing content management systems, and more recently Episerver CMS, we have come up with our basic recommendations that everyone should follow to protect their sites from hackers. Obviously, using strong passwords, applying patches and keeping your server updated are some of our top of mind basic level security best practices. These are practices that almost all clients can perform regardless of budget.  

In addition to the basics, we also recommend more advanced services and setups that have additional costs but provide additional levels of security. These include using a dedicated authoring environment, using a website application firewall/service, using a CDN, or using DR environment in conjunction with a fast DNS service. In this blog, we are going to talk about using a separate content authoring environment for your Episever CMS driven website.

I once had someone recommend that the best way to secure a web server was to unplug it from everything. And while that will work, it will be very difficult for your clients to visit your site. Creating a content authoring environment behind your firewall is the next best thing. By moving all your content authoring behind your firewall, you limit the ability of hackers to gain access to the public site and prevent all public and unauthorized traffic to your authoring environment. This will not only secure your editing environment; it will also reduce the load of the content authors on your display server. Here's how we do it.

Setup your new authoring environment behind your firewall. This should be only accessible via your local network. If you are using a distributed team, or third-party hosting provider, you will need to create a VPN tunnel to the authoring environment for your admins and content contributors.
Setup you your new authoring site. This will be a full copy of your current production environment.
Make sure your new authoring environment is using the same database credentials as your production environment.
See the sample environment layout below:
Episerver Security Blog
On the public-facing server (Web Server 1,[Web Server 2 ..Web Server N if it is in a load balanced scenario]):

  • Remove access to the Episerver Admin Interface
  • Remove any custom Admin plugins used for editing and various other administrative features
  • Ensure that the Default Provider for membership is not Multiplexing if the site is not using it. Ideally Default Provider should be SQL Provider. This will prevent any random Windows User within the server's network from accessing the Episerver Admin Interface.

And that's it. Your biggest expense will be the additional server, but with most people using cloud or VM, that cost will be relatively small. In addition, because this new environment will only be used for content authoring, you can go with a smaller cloud/VM instance. 

How can we help you?

At Ameex, we take client security very seriously, so we will always recommend that our clients not only follow the standard best practices but that they also look at the advanced security options available to them. Feel free to contact our technical team to assist you.