Sitecore Security Hardening Guideline #2


In the past, the biggest concern was getting your wallet stolen, since everything about your life was in it, right? And nowadays, what do you think is the biggest one?

YOUR DATA BEING EXPOSED! Am I right?

Based on that, Sitecore provides best practices and recommendations that help you make your installation as secure as possible, and says:

“Sitecore is of course subjected to rigorous testing before each release and any bugs or security threats that may exist are fixed and removed as soon as they are discovered.”

However, don't think Sitecore itself will take care of everything, as your installation has a significant effect on the security of your website.

Assuming you just installed a Sitecore instance, I have the first security question for you: did you change Admin's default password? If the answer is NO, please follow the steps below, then we can continue 🙂

1. How to change Admin’s default password?

a. Log in to Sitecore by accessing http://[your-Sitecore-instance]/Sitecore

b. As you may know, the User name is Admin and the Password is b

[Image: Sitecore login page]

c. On Sitecore Launchpad, click Control Panel

[Image: Sitecore Experience Platform Control Panel]

d. In the Control Panel, under the My Settings section, click Change password

[Image: Sitecore Control Panel, Change password]

e. In the Change Password dialog box, enter your current password and enter and confirm your new password, then click Change password

[Image: Sitecore Change Password dialog]

f. In the same dialog box, if everything went well you should see a message saying Your password has been changed!, then click Continue

[Image: Sitecore "Your password has been changed" message]

Quick note: In case you have forgotten the password, you can always fall back on SQL commands like this one, which I found here, written by my colleague Jose Neto.

USE Sitecore_Core

UPDATE dbo.aspnet_Membership
SET [Password]='qOvF8m8F2IcWMvfOBjJYHmfLABc=', [PasswordSalt]='OM5gu45RQuJ76itRvkSPFw==', [IsApproved] = '1', [IsLockedOut] = '0'
WHERE UserId IN (SELECT UserId FROM dbo.aspnet_Users WHERE UserName = 'sitecore\Admin')
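The first question of the post (did you change Admin's default password?) can also be answered by looking at the Core database instead of logging in. The Python below is an added example, not code from this post or from Sitecore: it reimplements the hashing that the ASP.NET SqlMembershipProvider uses for the aspnet_Membership table (SHA1 over the raw salt bytes followed by the UTF-16LE bytes of the password, base64-encoded) and runs it over constructed rows shaped like aspnet_Users joined to aspnet_Membership, flagging any account whose stored hash equals the hash of the default password b. The function names, the candidate list and the sample rows are my own; in practice you would feed it the rows selected from Sitecore_Core.

```python
import base64
import hashlib

# Hash and salt from the SQL fallback above (these are the values the script writes).
DEFAULT_ADMIN_HASH = "qOvF8m8F2IcWMvfOBjJYHmfLABc="
DEFAULT_ADMIN_SALT = "OM5gu45RQuJ76itRvkSPFw=="


def membership_hash(password: str, salt_b64: str) -> str:
    """Reproduce SqlMembershipProvider's 'Hashed' password format with SHA1.

    ASP.NET concatenates the decoded salt bytes with the UTF-16LE bytes of the
    password, SHA1-hashes the result and base64-encodes the digest.
    """
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def password_matches(password: str, stored_hash: str, salt_b64: str) -> bool:
    """True when `password` hashed with the row's salt equals the stored hash."""
    return membership_hash(password, salt_b64) == stored_hash


def find_weak_accounts(rows, candidates=("b",)):
    """Return (UserName, password) pairs for rows still using a well-known password.

    `rows` mimics `SELECT u.UserName, m.Password, m.PasswordSalt
    FROM aspnet_Users u JOIN aspnet_Membership m ON u.UserId = m.UserId`.
    """
    weak = []
    for user_name, stored_hash, salt in rows:
        for candidate in candidates:
            if password_matches(candidate, stored_hash, salt):
                weak.append((user_name, candidate))
                break
    return weak


# Constructed sample rows (not data from a real instance): the Admin row still
# carries the default hash, the editor row carries a hash of a different password
# under a constructed all-zero salt.
SAMPLE_SALT = "AAAAAAAAAAAAAAAAAAAAAA=="  # 16 zero bytes, constructed
SAMPLE_ROWS = [
    ("sitecore\\Admin", DEFAULT_ADMIN_HASH, DEFAULT_ADMIN_SALT),
    ("sitecore\\editor", membership_hash("Correct-Horse-Battery", SAMPLE_SALT), SAMPLE_SALT),
]

if __name__ == "__main__":
    for user_name, candidate in find_weak_accounts(SAMPLE_ROWS):
        print(f"{user_name}: still uses the well-known password {candidate!r}")
```

Because the candidate list is tiny and the comparison is per row, this is an audit of known defaults, not a cracking tool; extend `candidates` only with the other default credentials your own deployment scripts set.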

Well, I would assume you have chosen a complex password for your admin account, or at least one that is hard to guess!

And for today's post, the goal is to disable Auto Complete for the User name field on the Sitecore login pages. Let's go then!

2. How to disable Auto Complete for UserName

a. Navigate to [your_Sitecore_Instance]\App_Config, and look for Sitecore.config

[Image: App_Config folder showing Sitecore.config]

b. Open Notepad as Administrator, navigate to [your_Sitecore_Instance]\App_Config, then open Sitecore.config

c. In Notepad click Edit and Find, type Login.DisableAutoComplete and click Find Next

[Image: Login.DisableAutoComplete setting in Sitecore.config]

As you can see, the default value is FALSE, and we want to change it to TRUE

d. Change value="false" to value="true", then click File and Save

Let’s test it! Open a browser and access http://[your-Sitecore-instance]/Sitecore, and click on the User name field

[Image: Sitecore login page, autocomplete still suggesting user names]

Wait a minute, the autocomplete is still there!

3. Troubleshoot Auto Complete of User Names

a. Let's go back to the Sitecore Security Hardening page, in the Turn off auto complete of user names section

[Image: Sitecore documentation, "Turn off auto complete of user names"]

As Sitecore shows, it is a simple action to change from false to true, but it didn't work. So, moving on…

b. Navigate to [your_Sitecore_Instance]\App_Config, and open Sitecore.config

[Image: Login.DisableAutoComplete setting and its comment in Sitecore.config]

"If true, an autocomplete="off" attribute is added on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx"

c. Open a browser and access http://[your-Sitecore-instance]/Sitecore, right click on the page and choose Inspect

[Image: Inspecting the Sitecore login page in the browser]

d. On the Inspect box, in the Elements tab, look for <form method=…, as it was mentioned that an autocomplete="off" attribute is added to the form if Login.DisableAutoComplete is true

[Image: Sitecore login form markup, no autocomplete attribute]

Fair enough! autocomplete="off" has not been added, and it doesn't work as expected!

I have repeated the same tests in different versions, and on Sitecore 7.5 release 141003 it works, as you can see in the image below

[Image: Sitecore 7.5 login page]

In Sitecore 7.5, after setting Login.DisableAutoComplete to true we can now see the attribute autocomplete="off", and the User Name field is not completed automatically.

And it seems to be specific to /sitecore/login, because /sitecore/admin/login.aspx works just by having Login.DisableAutoComplete set to true, as you can notice in the image below.

[Image: Sitecore 7.5 login form markup with autocomplete="off"]

 

4. Workaround

After I figured this out and tested it exhaustively, I brought this subject to one of my coworkers who is a Sitecore MVP, Rodrigo Peplau, and together we investigated further. We then realized it might be a bug and created a workaround, as you can see in the steps below.

4.1 Sitecore/Login/Default.aspx

a. Navigate to [your_Sitecore_Instance]\sitecore\login, and look for default.aspx

[Image: default.aspx in the sitecore\login folder]

b. Open Notepad as Administrator, and navigate to [your_Sitecore_Instance]\sitecore\login, then open default.aspx

c. In Notepad click Edit and Find, type LoginForm and click Find Next

[Image: LoginForm in default.aspx]

d. Between class="form-signin" and role="form" add the following

autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>'

The entire line should look like

<form id="LoginForm" runat="server" class="form-signin" autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>' role="form" >

e. After modifying default.aspx, click File and Save

Let’s test it! Open a browser and access http://[your-Sitecore-instance]/Sitecore, and click on the User name field

[Image: Sitecore login page, no autocomplete suggestions]

And fair enough, nothing shows up! Also, I have inspected it and, as you can see in the image below, the attribute autocomplete="off" is NOW there!

[Image: Sitecore login form markup with autocomplete="off" present]
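The two "Inspect" checks in this post (step 3.d, where the attribute was missing, and the re-test after the default.aspx workaround, where it is present) can be scripted so the verification is repeatable after every upgrade. The Python below is an added example, not code from this post or from Sitecore: it parses the login page markup with the standard library, reports the autocomplete value on the form whose id is LoginForm (the id used in the workaround), and runs over two constructed form tags that mimic the rendered markup before and after the fix. The `fetch_and_check` helper and the sample markup are my own; point the helper at your own instance's /sitecore/login URL to check a live page.

```python
from html.parser import HTMLParser
from typing import List, Optional
from urllib.request import urlopen


class FormInspector(HTMLParser):
    """Collect the attributes of every <form> tag, as the Elements tab shows them."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # Attribute names are case-insensitive in HTML; values may be None
            # for bare attributes, which we normalise to an empty string.
            self.forms.append({name.lower(): (value or "") for name, value in attrs})


def login_form_autocomplete(html: str, form_id: str = "LoginForm") -> Optional[str]:
    """Return the autocomplete value of the form with the given id, or None if absent."""
    inspector = FormInspector()
    inspector.feed(html)
    for form in inspector.forms:
        if form.get("id") == form_id:
            return form.get("autocomplete")
    return None


def autocomplete_disabled(html: str, form_id: str = "LoginForm") -> bool:
    """True only when the login form explicitly carries autocomplete="off"."""
    value = login_form_autocomplete(html, form_id)
    return value is not None and value.lower() == "off"


def fetch_and_check(url: str) -> bool:
    """Download a login page and apply the same check (hypothetical helper for live use)."""
    with urlopen(url) as response:  # noqa: S310 - URL is supplied by the operator
        html = response.read().decode("utf-8", errors="replace")
    return autocomplete_disabled(html)


# Constructed samples (not captured from a real instance) modelled on the rendered
# form tag: BEFORE is what step 3.d showed, AFTER is what the workaround produces.
BEFORE = (
    '<form method="post" action="./" id="LoginForm" class="form-signin" role="form">'
    '<input name="UserName" type="text" id="UserName" /></form>'
)
AFTER = (
    '<form method="post" action="./" id="LoginForm" class="form-signin" '
    'autocomplete="off" role="form">'
    '<input name="UserName" type="text" id="UserName" /></form>'
)

if __name__ == "__main__":
    for label, markup in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: autocomplete={login_form_autocomplete(markup)!r}, "
              f"disabled={autocomplete_disabled(markup)}")
```

One caveat worth knowing before relying on this setting: current browsers treat autocomplete="off" on login forms as a hint only and still offer saved credentials from their password managers. The attribute suppresses the browser's field-history suggestions for the User name box, which is what this post is about, but it is not a substitute for a strong password and account lockout.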

5. Reporting the bug

Alright! Workaround in place, but wouldn't it be a good idea to raise that with Sitecore? Before doing it, why not add more MVPs to this discussion? So we pulled Jason St-Cyr into our discussion.

And as expected, with two MVPs in the loop, they brought many thoughts and ideas to the table! After all the discussion, Jason St-Cyr said that he would raise a ticket with Sitecore.

As soon as I receive an update, I will update this post to let you all know how things go!

6. Thanks Rodrigo and Jason

Well, as you noticed, two MVPs helped me with this post, so guys, a special thanks to both of you, Rodrigo and Jason!

And also a special thanks to you for reading, and I'll see you in my next post!

UPDATE June 29, 2016

7. Sitecore feedback

As promised, after logging the ticket with Sitecore I just received their feedback, as follows:

Edited by Yaroslav Krinitskiy on Monday, June 27, 2016 at 3:09 PM

Hi,

I was able to reproduce your behavior in my own environment and have registered this as a bug in the current version of Sitecore.

As a workaround for the issue, please try updating the \sitecore\login\default.aspx file:

<form id="LoginForm" autocomplete="off" . . .

So, our workaround is pretty similar to Sitecore's. However, by using ours you let Sitecore check whether the Login.DisableAutoComplete setting is on or off.

<form id="LoginForm" runat="server" class="form-signin" autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>' role="form" >

Also, as Sitecore was able to reproduce the error, a bug is now registered and we should get it fixed very, very soon!

Many thanks again to Rodrigo and Jason for all the help, and of course to Sitecore for all the support and feedback provided.

Hopefully you liked it, and I'll see you in my next post!
