Securing your Sitecore 9 XP PaaS Installation

You’ve painstakingly architected your Sitecore 9 installation on PaaS. You’ve gone to all the trouble to think about scalability, usability, portability… all the -ITYs. But what about securITY? 

Sitecore comes with two standard cloud deployment models: Infrastructure-as-a-Service (IaaS) utilizing virtual machines, and Platform-as-a-Service (PaaS), utilizing Azure’s “ready made” environment. Like IaaS, PaaS includes infrastructure - servers, storage, and networking - but also middleware, development tools and database management systems.

Currently, deploying Sitecore XP to an Azure PaaS environment is a popular option. Here we attempt to boil down the key Sitecore PaaS security checks you should be executing.

Take Advantage of ARM Template Security Offerings

Sitecore 9 PaaS deployments via an Azure Marketplace ARM (Azure Resource Manager)  template come with some level of security by default. For example, the Sitecore roles use SSL with client certificate validation to communicate with each other and the certificate validation process requires the set up of a secure client certificate as part of any Azure installation.

The Azure Marketplace ARM template also requires strong passwords for all databases and Azure SQL server only allows connections from Azure IP's making it somewhat harder to compromise. The Azure SQL password policy is:

• Latin lowercase letters (a through z)
• Base 10 digits (0 through 9)
• Non-alphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).
• Passwords must be a minimum of 8 characters long
• Passwords can be up to 128 characters long

Remember, that if you are downloading and configuring your own custom Quick Start template, it is important to make sure you are utilizing as much basic security as possible. 

In addition to the above, using the Azure Marketplace ARM template and associated Sitecore WebDeploy packages (WDPs) will provide you with the following security hardening measures:

xConnect Role Secured via SSL Client Certificate

The xConnect server roles support an additional layer of security, known as SSL Client Certificate Authentication. The xConnect web services use server-to-server communication and are non-interactive. This means the client certificate allows Content Management and other server roles to connect securely to Web API services using a client certificate and a pre-shared key, or thumbprint.

Database Firewall Enabled

Following standard Azure operating procedure, when the new Azure SQL instance is created, the database firewall is set up to block all access to the public endpoint for the server.

Azure Search & Redis Require API keys

Azure Search and Redis require API keys which are generated and set by the template.

Make Additional Azure and Sitecore Enhancements

While one size doesn’t fit all in terms of hardening unique PaaS installations, there are a few basic additional hardening steps that users would be advised to take or check they are covered via any ARM deployment technique, The following is not an exhaustive list; refer to the official security tasks documentation to review all steps to consider.

• Consider the implementation of a CDN/WAF offering (e.g. Fastly) with inherent DDoS prevention capabilities or utilizing default Azure offerings like the Azure Application Gateway with the WAF tier
• Lock down access to all content management, processing and reporting environments using IP whitelisting
• Limit access to Sitecore pages on content delivery instances using URL Rewrite rules or by denying anonymous access in the web . config file.
• Disable administrative tools by adding .disabled to the tools filename
  • • The administrative tools are found in the <webroot>\sitecore\admin\ folder and its subfolders
• Ensure all application connections are enabled for only HTTPS - ensure your web . config file has the correct related URL Rewrite rules to prevent HTTP connectivity
• Use a strong password policy, for all Azure SQL user accounts (handled by default on Azure Marketplace ARM deployments)
• Disable the default administrator account and create new admin accounts with new strong passwords for all of the accounts
  • • The default Administrator password is changed by default when deploying via Azure Toolkit - enforced by ARM template
• Remove all remaining test administrator accounts
• Ensure all cookies are enabled with the “Secure” flag
• Remove unnecessary header information using the web . config file. Headers are a way to tell browsers information about the server they’re connecting to. Exposing too much information to end users could give attackers clues about how best to attack your site. It’s best to remove the following headers:
  • X-Aspnet-Version HTTP
  • X-Powered-By HTTP
  • X-AspNetMvc-Version HTTP
  • Server
• Scan your website using a tool like securityheaders.com to see what headers are missing from the best practices

Take Advantage of Default Azure Security Offerings

The Azure platform comes with a suite of strong security and audit tools which help make it possible to create secure Sitecore solutions on the secure Azure PaaS platform. The following tools can be enabled (with the right subscription level) in Azure to provide confidentiality, integrity, and availability of customer data, while also enabling transparent accountability:

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud.

Azure Monitor maximizes the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.

Application Insights is an extensible Application Performance Management (APM) service for web developers. Application Insights can be used to monitor a live Sitecore application and automatically detect performance anomalies. It also includes powerful analytics tools to help diagnose errors and issues.

Create Policies and Documentation

Now comes the part many don’t want to hear. You need policies. It may put a bad taste in some mouths, but policies can be helpful when done for the right reasons.

Where security is a key component of your website, standard IT and development policies and clear documentation are essential. For example, when operating in a cloud environment where elasticity can be used to scale out services, written policies and procedures handling scalability thresholds and monitoring processes will help make things much easier over time and satisfy a large number of standard compliance demands.

There is also no shortcut to executing standard routines around reviewing official security documentation and update notifications. Take time to regularly review and subscribe to Sitecore security bulletins and plan for a thorough analysis of the official Sitecore security guide and Azure security documentation.

Sitecore 9 PaaS Security Hardening Is Possible

CMS software can be complex, no matter how tech savvy you are. Sitecore is no different, and implementing a best-practice secure PaaS installation can require help from the experts. The tips above will help you secure your Sitecore 9 XP PaaS installation, but it’s okay if you need some personalized help to make sure your application and underlying cloud architecture is as safe as possible.

Get in touch with Engine Room if you’d like us to take a look at your installation and make sure it’s as secure as it can be. We can’t wait to work with you.