How to disable CMS edit/admin mode on "public facing" servers in a load balanced environment

Having a load balanced environment with two public-facing servers, we want to disable all the EPi system pages (/util, /Episerver etc.).

After reading and trying out the solution (the one in the end) mentioned in this article we realized that it isn't applicable on CMS 7.

 

Our requirements:

If editors/admin try to reach edit/admin UI on front servers we want them to get 404.
If someone tries to reach "site.com/util/login.aspx" / "site.com/EPiServer" on front servers we want them to get 404.

Here's what we did so far:

EPiServerFramework.config
//virtualPathProvider/add[name='ProtectedAddons']: Change the attribute virtualPath from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"

//virtualPathProvider/add[name='UI']: Change the attribute virtualPath from "~/EPiServer/CMS/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/"

//virtualPathProvider/add[name='UtilFiles']: Removed this provider from configuration.

episerver.config
//sites/site/siteSettings: For each specified site we changed attribute "uiUrl" from "~/EPiServer/CMS/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/"

web.config
//system.web/customErrors: Attribute "mode" set to "RemoteOnly". To only work with remote requests and not local.

//system.web/customErrors: Added element <error statusCode="404" redirect="/404/" /> to redirect users to our 404 page.

//location[path="/EPiServer"]: Changed from "EPiServer" to using guid. Ex: "0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677"

//location[path="/EPiServer/CMS/admin"]: Changed from "EPiServer/CMS/admin" to using guid. Ex: "0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/admin"

//location[path="util"]: Removed this element.

//episerver.shell/protectedModules: Changed attribute "rootPath" from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"

//episerver.packaging: Changed attribute "protectedVirtualPath" from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"

Of course you'll still be able to find the system pages using the GUID, but the risk of someone finding that out is very small.

So my question is whether someone has accomplished this in a better way, or has any input on improvements or obvious shortcomings of this way of solving the problem?

 

/M

#74855
Sep 10, 2013 12:43
Hi,

There is a simple solution in IIS, you can block requests to /ui and /util: Open IIS -> yoursite -> Request Filtering -> URL

Hope this helps.

#74947
Sep 12, 2013 9:10
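
A check for the requirement stated in this thread (each front server answers 404 for /util/login.aspx and /EPiServer), added here as an example and not code from either poster or from EPiServer. It reports every response that is not a plain 404, including redirects to an error or login page; the hostnames are constructed placeholders and the lower-case path variant is an assumption about what is worth probing.

```python
import http.client

# Paths named in the thread, plus a lower-case variant because IIS matches
# URL paths case-insensitively.
PATHS = ["/util/login.aspx", "/EPiServer", "/EPiServer/CMS/", "/episerver"]

def fetch(host, path, timeout=5):
    """GET one path and return (status, Location header); redirects are not followed."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(status, location):
    """Map a raw response to a verdict against the 'must be 404' requirement."""
    if status == 404:
        return "ok"
    if status in (301, 302, 303, 307, 308):
        if "login" in (location or "").lower():
            return "exposed: redirects to a login page"
        return "not-404: redirect to " + (location or "?")
    if status in (401, 403):
        return "exposed: path exists but access is denied"
    if 200 <= status < 300:
        return "exposed: content served"
    return "review: unexpected status %d" % status

def audit(hosts, paths=PATHS, fetcher=fetch):
    """Return [(host, path, verdict)] for every response that is not a plain 404."""
    findings = []
    for host in hosts:
        for path in paths:
            try:
                status, location = fetcher(host, path)
            except OSError as exc:
                findings.append((host, path, "error: %s" % exc))
                continue
            verdict = classify(status, location)
            if verdict != "ok":
                findings.append((host, path, verdict))
    return findings

if __name__ == "__main__":
    # Constructed placeholder hostnames: address each front server directly,
    # not the load-balanced name, so every node is checked.
    for finding in audit(["front1.example.invalid", "front2.example.invalid"]):
        print(*finding, sep="\t")
```

Run it after every deployment or configuration change to the front servers, since a restored default config file would silently bring the paths back.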