Thursday, 13 May 2021

How to secure Sitefinity’s Administrative UI

Sitefinity’s Administrative Web Interface is reached by appending /Sitefinity to the web site’s URL.  Users must then provide a valid username and password to gain entry.  By default, Sitefinity’s administrative username is admin.

A few customers have expressed concern that this does not offer enough protection from malicious users or bots.  If an attacker knows a web site is using Sitefinity then they also know the login URL and the admin username. The only thing that remains is the admin password. 

This article explains how Sitefinity (and ASP.NET) help protect your web site.  It also suggests a few techniques for adding further layers of protection to Sitefinity’s Administrative UI.

Here are some very general password guidelines:

  • Passwords should be at least 8 characters long.  The longer the better…
  • Passwords should be mixed-case
  • Passwords should contain a mixture of numbers & letters
  • Passwords should not use common words

A good password makes it difficult to randomly stumble into the right combination of numbers & letters.  To further discourage these brute force attacks, Sitefinity’s Membership Provider will (by default!) temporarily lock out accounts that have too many failed password attempts. 
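The lockout the paragraph above relies on is easier to reason about once it is written down. The following Python is an added example, not Sitefinity’s code or the article’s: it encodes the four password guidelines as checks and models a membership provider that locks an account after too many failed attempts. The limits (5 attempts in a 10-minute window, 15-minute lockout), the word list and the `siteadmin` account are constructed for the demo and are not Sitefinity’s settings. The point it makes concrete: while an account is locked even the correct password is refused, so an online guessing attack is capped at `max_attempts` guesses per lockout period.

```python
"""Password guideline check and a simplified failed-login lockout model.

Added example, not Sitefinity's code: the four guidelines from the article are
encoded as checks, and LoginGuard models the behaviour the article describes
(temporary lockout after too many failed attempts). The attempt limit, window
and lockout duration are constructed defaults, not Sitefinity's settings.
"""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real list of common words.
COMMON_WORDS = {"password", "admin", "sitefinity", "welcome", "letmein", "qwerty"}


def password_violations(password: str) -> list[str]:
    """Return the article's guidelines that the password fails (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed-case")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("no mixture of numbers and letters")
    # Drop digits and punctuation so "Password123" is still recognised as "password".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


@dataclass
class LoginGuard:
    """Counts failed logins per account inside a sliding window and locks the
    account for lockout_seconds once max_attempts failures accumulate."""

    credentials: dict[str, str]  # username -> password; plaintext only for this demo
    max_attempts: int = 5
    window_seconds: int = 600
    lockout_seconds: int = 900
    _failures: dict[str, list[float]] = field(default_factory=dict)
    _locked_until: dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns "locked", "bad_password" or "ok". A locked account rejects even
        the correct password, which is what stops a brute-force run from
        simply continuing until it hits the right guess.
        """
        if self._locked_until.get(user, 0.0) > now:
            return "locked"
        stored = self.credentials.get(user, "")
        # Constant-time comparison; an unknown user compares against "" and fails.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._failures[user] = []
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        self._failures[user] = recent
        return "bad_password"


def guesses_per_hour(max_attempts: int, lockout_seconds: int) -> float:
    """Upper bound on online password guesses against one account per hour
    once lockout is on: max_attempts guesses per lockout period."""
    return max_attempts * 3600 / lockout_seconds


if __name__ == "__main__":
    print(password_violations("Password123"))  # ['based on a common word']
    guard = LoginGuard({"siteadmin": "Tr0ub4dor&3Horse"}, max_attempts=3)
    for t, pw in enumerate(["guess1", "guess2", "guess3", "Tr0ub4dor&3Horse"]):
        print(t, pw, "->", guard.attempt("siteadmin", pw, t))
    print("ok after lockout expires:", guard.attempt("siteadmin", "Tr0ub4dor&3Horse", 1000))
    print("guesses/hour, 3 attempts then 15 min lockout:", guesses_per_hour(3, 900))
```

With the constructed limits, the third wrong guess locks the account, the right password submitted a second later is still refused, and the account opens again only after the lockout expires; `guesses_per_hour` shows why that matters, since 3 attempts followed by a 15-minute lockout leaves an attacker at most 12 guesses per hour against a password that the guideline check already rejects if it is short, single-case or a dictionary word.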

Sitefinity ships with RadControls for ASP.NET AJAX, and this suite of controls includes a Captcha control.  It can be added to Sitefinity’s login page to stop bots from auto-submitting the login form, which discourages automated brute force or dictionary attacks against the admin password.  Bypassing the Captcha requires human intervention or a more sophisticated automated tool.

By default Sitefinity’s administrative user is named admin.  Using Sitefinity’s Administrative UI a new administrative user can be created and the old admin user deleted.  This makes the administrative username harder to guess.

1.  Create a new administrative user and make this user a member of the administrators role. 

2.  Log out and then login using this new administrative user. 

3.  Test thoroughly before removing the original admin user!

4.  Before the old admin user can be deleted this account must be removed from the administrators role. 

5.  After this role has been removed the original admin user can be deleted.

Sitefinity’s administrative login can be guessed because all Sitefinity web sites use the very same login URL.  The login URL can be changed by renaming Sitefinity’s Login page:

  1. Rename ~/Sitefinity/Login.aspx to ~/Sitefinity/ObscureLogin.aspx
  2. Rename ~/Sitefinity/Login.aspx.cs to ~/Sitefinity/ObscureLogin.aspx.cs
  3. Rename ~/Sitefinity/App_LocalResources/Login.aspx.resx to ~/Sitefinity/App_LocalResources/ObscureLogin.aspx.resx

Sitefinity’s Administrative UI can now only be accessed using a special login URL:

http://yourwebsite.com/Sitefinity/ObscureLogin.aspx

Any other URL will attempt to redirect to ~/Sitefinity/Login.aspx (which no longer exists) and will return a 404 error.  The user will need to know the login URL before they gain access to Sitefinity’s Admin UI.
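The three renames above are one operation: if the markup is renamed but the code-behind or the resource file is not, the admin UI is left broken rather than hidden. The following Python performs the procedure as an added example (not part of the article or of Sitefinity) against a constructed copy of the relevant files: it checks that all three source files exist and that no target is in the way before touching anything, renames them, and, if the page directive names its code-behind through a `CodeFile="Login.aspx.cs"` attribute (an assumption worth checking on the real page; the sample file here is constructed to contain one), updates that reference too. `old_login_url_is_gone` is the check behind the 404 remark: once `Sitefinity/Login.aspx` is absent, the old URL no longer resolves. `make_sample_site` and `demo_rename` exist only to run the example against a temporary directory.

```python
"""Rename Sitefinity's login page so the admin UI is not at the well-known URL.

Added example; not part of the article or of Sitefinity itself. It carries out
the three renames the article lists as one checked operation. `site_root` is
the directory the article's `~/` stands for, and `new_name` is the new page
name (the article uses ObscureLogin). The sample tree built by
make_sample_site() is constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The three files the article renames, relative to the web root.
LOGIN_FILES = (
    "Sitefinity/Login.aspx",
    "Sitefinity/Login.aspx.cs",
    "Sitefinity/App_LocalResources/Login.aspx.resx",
)


def rename_plan(site_root: Path, new_name: str) -> list[tuple[Path, Path]]:
    """Pair each Login.* file with its renamed counterpart (e.g. ObscureLogin.*)."""
    plan = []
    for rel in LOGIN_FILES:
        src = site_root / rel
        # Only the leading "Login" changes; ".aspx", ".aspx.cs", ".aspx.resx" stay.
        dst = src.with_name(new_name + src.name[len("Login"):])
        plan.append((src, dst))
    return plan


def rename_login_page(site_root: Path, new_name: str) -> list[Path]:
    """Rename all three files, or none of them.

    A half-renamed login page (markup renamed, code-behind or resources not)
    leaves the admin UI broken, so every precondition is checked before the
    first rename happens. Returns the new paths in LOGIN_FILES order.
    """
    if new_name == "Login" or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", new_name):
        raise ValueError(f"unsuitable page name: {new_name!r}")
    plan = rename_plan(site_root, new_name)
    missing = [str(src) for src, _ in plan if not src.is_file()]
    if missing:
        raise FileNotFoundError("login files not found: " + ", ".join(missing))
    existing = [str(dst) for _, dst in plan if dst.exists()]
    if existing:
        raise FileExistsError("target already exists: " + ", ".join(existing))
    for src, dst in plan:
        src.rename(dst)
    # If the page directive names its code-behind file (CodeFile="Login.aspx.cs"),
    # that reference has to follow the rename or the page no longer loads.
    aspx = plan[0][1]
    text = aspx.read_text(encoding="utf-8")
    fixed = text.replace('CodeFile="Login.aspx.cs"', f'CodeFile="{new_name}.aspx.cs"')
    if fixed != text:
        aspx.write_text(fixed, encoding="utf-8")
    return [dst for _, dst in plan]


def old_login_url_is_gone(site_root: Path) -> bool:
    """True once Sitefinity/Login.aspx no longer exists, i.e. the old URL will 404."""
    return not (site_root / "Sitefinity/Login.aspx").exists()


def make_sample_site(site_root: Path) -> None:
    """Create constructed stand-ins for the three login files (demo only)."""
    for rel in LOGIN_FILES:
        path = site_root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n", encoding="utf-8")
    # Constructed page directive so the CodeFile fix-up has something to rewrite.
    (site_root / "Sitefinity/Login.aspx").write_text(
        '<%@ Page Language="C#" CodeFile="Login.aspx.cs" Inherits="Login" %>\n',
        encoding="utf-8",
    )


def demo_rename(new_name: str = "ObscureLogin") -> dict:
    """Run the whole procedure against a temporary constructed site and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_site(root)
        renamed = rename_login_page(root, new_name)
        return {
            "renamed": [p.relative_to(root).as_posix() for p in renamed],
            "old_url_gone": old_login_url_is_gone(root),
            "directive": renamed[0].read_text(encoding="utf-8").strip(),
        }


if __name__ == "__main__":
    for key, value in demo_rename("ObscureLogin").items():
        print(f"{key}: {value}")
```

Run against a real site, point `site_root` at the web root and keep a backup of the three files; the preconditions mean a second run (or a typo in `new_name`) fails before anything is moved instead of leaving a partially renamed login page.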
