November Happy Hour will be moved to Thursday December 5th.
AI OnAI Off
Securing / Limiting access to Episerver editing
You can add rewrite rule in web.config to allow defined whitelisted IP addresses access to cms.
Your admin url /episerver will be restricted by whitelisted IP addresses.
Apr 22, 2021 3:44
There's many options
- IP restriction. If you're in the DXP that needs to be done in the web.config (https://world.episerver.com/documentation/developer-guides/digital-experience-platform/dxc-security/restricting-environment-access/) but if you're not you can do it on IIS or your WAF.
- Custom WAF rules by Episerver https://world.episerver.com/blogs/reis-holmes/dates/2020/4/web-application-firewall-waf-rules/ which would mean no deployment
- Using roles or visitor groups. You could deny all anonymous access to the website, then only allow authorized users so anyone acessing needs to login. You could also use the visitor group criteria pack to IP restrict if needed if not wanting to force logins https://world.episerver.com/add-ons/visitor-group-criteria-pack/ just set up a VG and then apply as permissions on your page/site.
I would suggest where possible not doing things requring config changes as in my experiences external IPs aren't always fixed and upkeep can become a nightmare
Edited,
Apr 22, 2021 11:43
Hi All,
Looking for best practice on securing or limiting access to internal users to the episerver login page for editors.
The site is currently publically available and the login is linked to active directory.
We could possibly implement MFA, I have seen a couple of implementations in episerver blogs but it will take work.
Would limiting by internal IP address be possible? Perhaps a reverse proxy?
Wondering what others have done in similar circumstances.
Thanks,
Paul