Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Securing Edit and Admin

Product version:

EPiServer CMS 5 R2 SP2

Document version:


Document last saved:


EPiServer CMS allows relocation of the edit and admin folders and configurable http ports, to make it harder for intruders to try to access sensitive resources.

This document contains instructions on how to secure the UI folder (which contain the EPiServer editor and administration interfaces) and also how to ensure that the application will continue to work even if the UI folder is moved to a new location.

Table of Contents

How to Secure the UI Folder

By default the edit and admin folders of EPiServer CMS 5 R2 are located in the program files folder on the machines C:\ drive and are linked with Virtual Path Providers.

Follow the steps below to secure edit/admin and its ports on a default installation of EPiServer CMS R2 and later:

  1. UI Folder

    a). Change the uiUrl attribute of the siteSettings element in the web.config file. If you wish to secure the UI folder on another port other to that the site is running on - add an absolute url including a port other than 80 (or a port the applicaiton is running on)
    see below:
     uiUrl="~/newuipath/"  or:uiUrl=http://localhost:8888/newuipath/
    b.) Change the UI provider virtualpath attribute from the previous value for example. "~/UI" to "~/newuipath".

    <add name="UI" virtualPath="~/newuipath/" physicalPath="C:\Program Files\EPiServer\CMS\5.2.375.236\application\UI" type="EPiServer.Web.Hosting.VirtualPathNonUnifiedProvider,EPiServer" />
    c.) Change the location element path attribute from UI to newuipath see below for an example:
    <location path="newuipath">

    d.) Change the location element path attribute from UI/admin to newuipath/admin
    <location path="newuipath/admin">


  2. Add a specially designated (and restricted) port for access in the Internet Information Services (IIS) for the site (used for the UI folder in the step 1 above - port 8888 is used for uiUrl). Access to this port could then be restricted. (This step can be omitted if you are only wish to change the folders)

The default location ui folder contains admin and edit folders :


 C:\Program Files\EPiServer\CMS\5.2.375.226\Application\UI



Using SSL (Secure Sockets Layer) to secure the Web site and/or UI folder is possible - see the information in the following links:

Block access by IP or to add SSL
In order to block access by IP (or to add SSL) you will need to move the UI folder from to the site root so that you can set security in IIS.
Changed physicalPath= to site root
for example


The uiUrl Properties in the EPiServer Settings object


Gets or sets the URL to the relocateable UI folder. It must be a Web URL, and may include scheme and port. It must be a Web URL, and include the path to the site root. It is only to be used to generate direct references to the site in external locations. For references from a page, use root-relative URLs and ResolveUrl etc as appropriate.


The EPiServer.Web namespace contains the following classes that may be of interest if migrating from EPiServer 4.62:


Implements UrlSegment-based URL rewriting. In EPiServer4 similar functionality was implemented by FriendlyUrlModule, ExternalUrlModule and SpiderSupport along with functions in PropertyLongString and PropertyUrl et. al. The functions of ExternalUrlModule is taken over by the built-in ASP.NET 2.0 UrlMappingCollection and the urlMappings configuration section in Web.config. SpiderSupport implemented various functionality, including: - Shadow folders, where a folder suffixed by _ could take precedence over the standard. This is replaced by a configurable Virtual Path Provider. - Edit/Admin port restriction enforcement - this is moved to Edit/Admin. - css/js template-based fixup - this is no longer necessary due to rearchitecting for 2.0 FriendlyUrlModule handled redirection for various reasons as well as rewriting for friendly url:s. This functionality is taken over by UrlRewriteModule along with a Response.Filter stream-filter named UrlRewriteFilter which will fixup outgoing HTML to use the proper form for urls, thus taking over the function of the corresponding code in PageBase and the PropertyXXX-classes. PageBase handled redirection to friendly url's if an old-style url was used, this is now handled here. All EPiServer code behind UrlRewriteModule/UrlRewriteFilter will assume and depend on only using url's with query-string parameters identifying the page and the language (i.e. id=, epslanguage=). This specialization of the UrlRewriteModuleBase implements the EPiServer default scheme for mapping from and to UrlSegment-based URL's, but can be replaced transparently with any other consistent and correct mapping.


Responsible for raising appropriate events for mapping between internal and external formats of the request URLs. Will parse outgoing HTML, and incoming and outgoing special urls and parameter strings, raising the appropriate events implemented by the implementation derived classes. It is this modules responsibility to identify all necessary urls for rewriting in one or the other direction. The descendant class must provide the actual rewriting functionality.

 Note: Information concerning the classes above (and other all classes) exist online in the EPiServer CMS SDK.