Sitecore Security Hardening Guideline #2

In the past, the biggest concern was getting your wallet stolen, since it held everything about your life, right? And nowadays, what do you think the biggest concern is?

YOUR DATA BEING EXPOSED! Am I right?

Based on that, Sitecore provides best practices and recommendations that help you make your installation as secure as possible, and says:

“Sitecore is of course subjected to rigorous testing before each release and any bugs or security threats that may exist are fixed and removed as soon as they are discovered.”

However, don't assume Sitecore itself will take care of everything: how your installation is configured has a significant effect on the security of your website.

Assuming you have just installed a Sitecore instance, I have a first security question for you: did you change the Admin user's default password? If the answer is NO, please follow the steps below, then we can continue 🙂

1. How to change Admin’s default password?

a. Log in to Sitecore by accessing http://[your-Sitecore-instance]/Sitecore

b. As you may know, the default user name is Admin and the default password is b

post6_1

c. On Sitecore Launchpad, click Control Panel

post6_2

d. In the Control Panel, under My Settings section, click Change password

post6_3.png

e. In the Change Password dialog box, enter your current password and enter and confirm your new password, then click Change password

post6_4

f. In the same dialog box, if everything went well you should see the message Your password has been changed!; then click Continue

post6_5

Quick note: in case you have forgotten the password, you can always fall back on a SQL command like this one, which I found here, written by my colleague Jose Neto. Run it against the Core database only when you are locked out, and change the password again straight afterwards, because it puts the Admin account back on the well-known default.

USE Sitecore_Core

-- Resets sitecore\Admin to the stock default password "b" (this hash/salt pair is
-- the one shipped with a fresh install), marks the account approved and unlocks it.
-- Change the password immediately after logging in with it.
UPDATE dbo.aspnet_Membership
SET [Password] = 'qOvF8m8F2IcWMvfOBjJYHmfLABc=',
    [PasswordSalt] = 'OM5gu45RQuJ76itRvkSPFw==',
    [IsApproved] = 1,
    [IsLockedOut] = 0
WHERE UserId IN (SELECT UserId FROM dbo.aspnet_Users WHERE UserName = 'sitecore\Admin')

Well, I will assume you have now chosen a complex password for your admin account, or at least one that is hard to guess!

For today's post, the goal is to disable autocomplete for the User name field on the Sitecore login pages, so the browser stops offering previously typed user names to whoever sits at the keyboard. Bear in mind that autocomplete="off" is only a hint to the browser: current browsers largely ignore it for login forms when offering their own saved credentials, so treat this as reducing, not eliminating, the exposure of stored user names. Let's go then!

2. How to disable autocomplete for the User name field

a. Navigate to [your_Sitecore_Instance]\App_Config and look for Sitecore.config

post6_6

b. Open Notepad as Administrator, navigate to [your_Sitecore_Instance]\App_Config, then open Sitecore.config

c. In Notepad click Edit and Find, type Login.DisableAutoComplete and click Find Next

post6_7

As you can see, the default value is false, and we want to change it to true.

d. Change value="false" to value="true", then click File and Save
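The same change, scripted so it can be repeated on every environment and audited afterwards. This is an added example and not code from the original post or from Sitecore; it assumes the stock Sitecore.config layout, where the setting lives under the root <sitecore> element at settings/setting[@name='Login.DisableAutoComplete']. SAMPLE_CONFIG is a constructed excerpt, and the file names are hypothetical.

```python
"""Added example (not from the original post or Sitecore): script the
Login.DisableAutoComplete change instead of editing Sitecore.config in Notepad,
and read the value back to confirm it took.

Assumes the stock Sitecore.config layout (root element <sitecore>, setting at
./settings/setting[@name='Login.DisableAutoComplete']).
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

SETTING = "Login.DisableAutoComplete"

# Constructed excerpt in the shape of Sitecore.config; not a real file.
SAMPLE_CONFIG = """<sitecore database="SqlServer">
  <settings>
    <setting name="Login.DisableAutoComplete" value="false" />
    <setting name="Login.RememberLastLoggedInUserName" value="true" />
  </settings>
</sitecore>
"""


def get_setting(xml_text: str, name: str = SETTING) -> Optional[str]:
    """Return the value attribute of <setting name="..."/>, or None if absent."""
    node = ET.fromstring(xml_text).find(f"./settings/setting[@name='{name}']")
    return None if node is None else node.get("value")


def set_setting(xml_text: str, value: str, name: str = SETTING) -> str:
    """Return xml_text with the setting's value replaced (created if missing).

    Idempotent: applying it again changes nothing. ElementTree drops XML
    comments, so on a real Sitecore.config prefer include_patch() below,
    which leaves the vendor file untouched.
    """
    root = ET.fromstring(xml_text)
    settings = root.find("./settings")
    if settings is None:
        settings = ET.SubElement(root, "settings")
    node = settings.find(f"./setting[@name='{name}']")
    if node is None:
        node = ET.SubElement(settings, "setting", name=name)
    node.set("value", value)
    return ET.tostring(root, encoding="unicode")


def include_patch(value: str = "true", name: str = SETTING) -> str:
    """An App_Config/Include patch that overrides the setting at runtime.

    Dropping this XML into e.g. App_Config/Include/zz.Hardening.config
    (hypothetical name; the zz prefix only makes it load last) keeps
    Sitecore.config as shipped, so the change also survives upgrades.
    """
    return (
        '<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">\n'
        "  <sitecore>\n"
        "    <settings>\n"
        f'      <setting name="{name}">\n'
        f'        <patch:attribute name="value">{value}</patch:attribute>\n'
        "      </setting>\n"
        "    </settings>\n"
        "  </sitecore>\n"
        "</configuration>\n"
    )


def audit_config_file(path: str) -> bool:
    """True when the file at path already carries the hardened value.

    This reads one file only; the merged, effective configuration (after all
    Include patches) is what /sitecore/admin/showconfig.aspx displays.
    """
    value = get_setting(Path(path).read_text(encoding="utf-8"))
    return value is not None and value.lower() == "true"


if __name__ == "__main__":
    print("before:", get_setting(SAMPLE_CONFIG))           # false
    hardened = set_setting(SAMPLE_CONFIG, "true")
    print("after: ", get_setting(hardened))                # true
    print(include_patch())
```

The include patch is the form to keep in source control: Sitecore merges it over Sitecore.config at startup, and a reviewer can see the hardening intent in one small file rather than in a diff against the vendor configuration.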

Let's test it! Open a browser, access http://[your-Sitecore-instance]/Sitecore, and click in the User name field

post6_8

Wait a minute, the autocomplete is still there!

3. Troubleshoot Auto Complete of User Names

a. Let's go back to the Sitecore Security Hardening page, Turn off auto complete of user names section

post6_9

As Sitecore shows, it is a simple change from false to true, but it didn't work. So, moving on...

b. Navigate to [your_Sitecore_Instance]\App_Config and open Sitecore.config; the comment above the setting reads:

post6_10

"If true, an autocomplete="off" attribute is added on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx"

c. Open a browser, access http://[your-Sitecore-instance]/Sitecore, right-click on the page and choose Inspect

post6_11.png

d. In the Inspect pane, on the Elements tab, look for <form method=... since, as the comment says, an autocomplete="off" attribute is added to the form when Login.DisableAutoComplete is true

post6_12

Fair enough! autocomplete="off" has not been added, so the setting doesn't work as expected!

I have repeated the same test on different versions, and on Sitecore 7.5 release 141003 it works, as you can see in the image below

post6_13.png

In Sitecore 7.5, after setting Login.DisableAutoComplete to true we can see the autocomplete="off" attribute, and the User name field is no longer completed automatically.

And it seems to be specific to /sitecore/login, because /sitecore/admin/login.aspx works just by having Login.DisableAutoComplete set to true, as you can see in the image below.

post6_19.png

4. Workaround

After I figured this out and tested it exhaustively, I brought the subject to one of my coworkers, who is a Sitecore MVP, Rodrigo Peplau, and together we investigated further. We realized it is probably a bug and created a workaround, as you can see in the steps below.

4.1 Sitecore/Login/Default.aspx

a. Navigate to [your_Sitecore_Instance]\sitecore\login and look for default.aspx

post6_14

b. Open Notepad as Administrator, navigate to [your_Sitecore_Instance]\sitecore\login, then open default.aspx

c. In Notepad click Edit and Find, type LoginForm and click Find Next

post6_16.PNG

d. Between class="form-signin" and role="form" add the following

autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>'

The entire line should look like this:

<form id="LoginForm" runat="server" class="form-signin" autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>' role="form" >

e. After modifying default.aspx, click File and Save

Let's test it! Open a browser, access http://[your-Sitecore-instance]/Sitecore, and click in the User name field

post16_18.gif

And fair enough, nothing shows up! I have also inspected it, and as you can see in the image below, the autocomplete="off" attribute is NOW there!

post6_17.png
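The two manual steps above, the DevTools inspection from section 3 and the default.aspx edit from section 4.1, as an added example that can run after each deployment. This is not code from the original post or from Sitecore. It assumes the form keeps id="LoginForm" as shown above; the HTML and ASPX samples are constructed for the example, not captured from a real instance.

```python
"""Added example (not from the original post or Sitecore).

* login_form_hardened(): the section 3 check done programmatically. Does the
  rendered login page's <form id="LoginForm"> carry autocomplete="off"? Feed
  it the HTML fetched from /sitecore/login/default.aspx after a deployment.
* add_autocomplete_to_form(): the section 4.1 edit to default.aspx, applied
  only once, so a deployment script can re-run it without duplicating the
  attribute.

Assumes the form keeps id="LoginForm". All sample markup is constructed.
"""
import re
from html.parser import HTMLParser
from typing import Optional

# The attribute from section 4.1: data-bound, so the setting still controls it.
WORKAROUND_ATTR = (
    "autocomplete='<%# Settings.Login.DisableAutoComplete ? \"off\" : \"on\" %>'"
)

# Constructed: what section 3 found on the affected release (no attribute at all).
BUGGY_HTML = (
    '<form method="post" action="./default.aspx" id="LoginForm" '
    'class="form-signin" role="form">'
    '<input name="UserName" type="text" id="UserName"></form>'
)
# Constructed: what Sitecore 7.5 and the patched page render.
FIXED_HTML = (
    '<form method="post" action="./default.aspx" id="LoginForm" '
    'class="form-signin" autocomplete="off" role="form">'
    '<input name="UserName" type="text" id="UserName"></form>'
)
# Constructed: the form line of default.aspx before the edit.
ORIGINAL_ASPX = '<form id="LoginForm" runat="server" class="form-signin" role="form" >'


class _FormAttrs(HTMLParser):
    """Collect the attributes of the first <form> whose id matches."""

    def __init__(self, form_id: str) -> None:
        super().__init__()
        self.form_id = form_id
        self.attrs: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.attrs is None:
            found = dict(attrs)  # HTMLParser lower-cases attribute names
            if found.get("id") == self.form_id:
                self.attrs = found


def form_autocomplete(html: str, form_id: str = "LoginForm") -> Optional[str]:
    """The form's autocomplete value, or None when the attribute or the form is missing."""
    parser = _FormAttrs(form_id)
    parser.feed(html)
    return None if parser.attrs is None else parser.attrs.get("autocomplete")


def login_form_hardened(html: str) -> bool:
    """True only when the login form exists and explicitly says autocomplete="off"."""
    value = form_autocomplete(html)
    return value is not None and value.strip().lower() == "off"


_FORM_TAG = re.compile(r'<form\b[^>]*\bid="LoginForm"[^>]*>', re.IGNORECASE)


def add_autocomplete_to_form(aspx: str) -> str:
    """Insert WORKAROUND_ATTR into <form id="LoginForm" ...> unless it already has one.

    The attribute goes at the end of the tag; position inside the tag does not
    matter, the post puts it between class and role.
    """
    match = _FORM_TAG.search(aspx)
    if match is None:
        raise ValueError('no <form id="LoginForm" ...> tag found in default.aspx')
    tag = match.group(0)
    if re.search(r"\bautocomplete\s*=", tag, re.IGNORECASE):
        return aspx  # already patched, by this script or by a fixed Sitecore release
    patched_tag = tag[:-1].rstrip() + " " + WORKAROUND_ATTR + ">"
    return aspx[: match.start()] + patched_tag + aspx[match.end():]


if __name__ == "__main__":
    print("buggy page hardened?", login_form_hardened(BUGGY_HTML))  # False
    print("fixed page hardened?", login_form_hardened(FIXED_HTML))  # True
    print(add_autocomplete_to_form(ORIGINAL_ASPX))
```

login_form_hardened() is deliberately strict: a missing form counts as a failure, so a renamed or restructured login page trips the check instead of passing silently. add_autocomplete_to_form() raises for the same reason rather than patching nothing.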

5. Reporting the bug

Alright! The workaround is in place; however, wouldn't it be a good idea to raise this with Sitecore? Before doing so, why not add more MVPs to the discussion? So we pulled Jason St-Cyr in.

And as expected, with two MVPs in the loop, they brought many thoughts and ideas to the table! After all the discussion, Jason St-Cyr said that he would raise a ticket with Sitecore.

As soon as I receive an update, I will update this post to let you all know how things go!

6. Thanks Rodrigo and Jason

Well, as you noticed, two MVPs helped me with this post, so a special thanks to both of you, Rodrigo and Jason!

And also a special thanks to you for reading; I'll see you in my next post!

UPDATE June 29, 2016

7. Sitecore feedback

As promised, after logging the ticket with Sitecore I have just received their feedback, as follows:

Edited by Yaroslav Krinitskiy on Monday, June 27, 2016 at 3:09 PM

Hi,

I was able to reproduce your behavior in my own environment and have registered this as a bug in the current version of Sitecore.

As a workaround for the issue, please try updating the \sitecore\login\default.aspx file:

<form id="LoginForm" autocomplete="off" . . .

So, our workaround is pretty similar to Sitecore's. However, by using ours you let Sitecore check whether the Login.DisableAutoComplete setting is on or off, instead of hard-coding the attribute:

<form id="LoginForm" runat="server" class="form-signin" autocomplete='<%# Settings.Login.DisableAutoComplete ? "off" : "on" %>' role="form" >

Also, as Sitecore was able to reproduce the error, a bug is now registered and we should get it fixed very soon!

Many thanks again to Rodrigo and Jason for all the help, and of course to Sitecore for all the support and feedback provided.

Hopefully you liked it, and I'll see you in my next post!
