Securing / Limiting access to Episerver editing


Hi All,

Looking for best practice on securing or limiting access to the Episerver login page for editors to internal users only.

The site is currently publicly available and the login is linked to Active Directory.

We could possibly implement MFA, I have seen a couple of implementations in episerver blogs but it will take work.

Would limiting by internal IP address be possible? Perhaps a reverse proxy?

Wondering what others have done in similar circumstances.

Thanks,

Paul

#253707
Apr 21, 2021 22:47

You can add a rewrite rule in web.config to allow only defined whitelisted IP addresses access to the CMS.

Your admin URL /episerver will then be restricted to the whitelisted IP addresses.

#253742
Apr 22, 2021 3:44

There are many options:

  1. IP restriction. If you're in the DXP that needs to be done in the web.config (https://world.episerver.com/documentation/developer-guides/digital-experience-platform/dxc-security/restricting-environment-access/), but if you're not you can do it in IIS or your WAF.
  2. Custom WAF rules by Episerver https://world.episerver.com/blogs/reis-holmes/dates/2020/4/web-application-firewall-waf-rules/ which would mean no deployment.
  3. Using roles or visitor groups. You could deny all anonymous access to the website, then only allow authorized users, so anyone accessing needs to log in. You could also use the visitor group criteria pack to IP restrict if needed, if not wanting to force logins https://world.episerver.com/add-ons/visitor-group-criteria-pack/ - just set up a VG and then apply it as permissions on your page/site.

I would suggest, where possible, not doing things requiring config changes, as in my experience external IPs aren't always fixed and upkeep can become a nightmare.

#253761
Edited, Apr 22, 2021 11:43
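As an added example (not code from either reply above, nor from Episerver's documentation), this is the shape of the IIS URL Rewrite rule both replies refer to: requests to the edit and login paths are rejected unless the client address matches an allowlist. The paths (`episerver`, `util`) and the allowlisted ranges (`203.0.113.0/24`, `198.51.100.10`) are constructed placeholders; substitute your own.

```xml
<!-- Added example: drop into <system.webServer> in web.config.
     Requires the IIS URL Rewrite module. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Restrict CMS edit UI to allowlisted IPs" stopProcessing="true">
        <!-- Assumed paths for the editor UI and the login page. -->
        <match url="^(episerver|util)(/.*)?$" ignoreCase="true" />
        <!-- Every condition is negated and ANDed, so the rule fires only when
             the client IP matches none of the allowlisted patterns. -->
        <conditions logicalGrouping="MatchAll">
          <!-- Placeholder office range 203.0.113.0/24 -->
          <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.\d{1,3}$" negate="true" />
          <!-- Placeholder single VPN egress address -->
          <add input="{REMOTE_ADDR}" pattern="^198\.51\.100\.10$" negate="true" />
        </conditions>
        <!-- Return 403 rather than a redirect, so nothing leaks about the UI. -->
        <action type="CustomResponse" statusCode="403"
                statusReason="Forbidden"
                statusDescription="Editor access is restricted to approved networks." />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```

Two things to check before relying on this: if the site sits behind a load balancer, CDN or reverse proxy, `{REMOTE_ADDR}` will be the proxy's address, and a forwarded-for header can only be trusted if the proxy strips and re-sets it itself (otherwise a client can supply any value); and, as the second reply notes, an allowlist keyed on external IPs needs an owner, because office and VPN egress addresses change and stale entries either lock editors out or quietly widen access.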