Disabling unnecessary services and keeping the system up-to-date
Enable only the services your web application actually needs. Every additional service is another entry point an attacker can use to get into your system. Many services are installed and enabled by default, so review them and disable the ones you do not need.
Server security
If you run your web applications locally on your own servers, check which services run on the server and in IIS, then turn off everything your web application does not need. Patch the operating system and the server software regularly. When a serious security issue is announced, patch as soon as possible, because attackers are usually able to exploit the flaw within 24 hours.
If your web applications run on remote servers (web hosting, cloud, etc.), you have to rely on your provider to secure the server.
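The following PowerShell script is an added example, not part of the Xperience documentation. It does the inventory step described above on a Windows/IIS host: it lists running services that are not on an allowlist, the IIS sub-features that are enabled, and how many days have passed since the last installed update. The allowlist of service names is an assumption to adapt for your own server; the script only reports and changes nothing, the disabling commands are left as comments for you to run after review.

```powershell
# Added example (not from the Xperience documentation): inventory of a
# Windows/IIS host so you can decide what to disable. Requires an elevated
# session because Get-WindowsOptionalFeature talks to DISM.
#Requires -RunAsAdministrator

# Services an IIS host with a local SQL Server typically needs.
# This is a constructed starting point, not an official list: extend it
# with whatever your application depends on before trusting the report.
$allowedServices = @(
    'W3SVC', 'WAS', 'MSSQLSERVER', 'SQLWriter', 'EventLog', 'Dhcp', 'Dnscache',
    'WinDefend', 'wuauserv', 'RpcSs', 'Schedule', 'TermService', 'Winmgmt'
)

function Get-UnexpectedService {
    # Running services that are not on the allowlist: candidates for disabling.
    param([string[]]$Allowed)
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and $_.Name -notin $Allowed
    } | Select-Object Name, DisplayName, StartType
}

function Get-EnabledIisFeature {
    # Every enabled IIS-* optional feature (FTP, WebDAV, CGI, classic ASP, ...)
    # is extra attack surface; keep only what the application uses.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty FeatureName
}

function Get-PatchAge {
    # Days since the most recent installed update. Given the 24-hour window
    # mentioned in the text, this number should stay small.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    [pscustomobject]@{
        HotFixID    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        AgeDays     = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    }
}

"== Running services not on the allowlist =="
Get-UnexpectedService -Allowed $allowedServices | Format-Table -AutoSize

"== Enabled IIS features =="
Get-EnabledIisFeature

"== Most recent installed update =="
Get-PatchAge | Format-List

# After reviewing the report, disable a service (stop it and block it at boot):
#   Stop-Service -Name <ServiceName>; Set-Service -Name <ServiceName> -StartupType Disabled
# and remove an IIS feature the application does not use:
#   Disable-WindowsOptionalFeature -Online -FeatureName <FeatureName>
```

Run the script before and after hardening and keep both reports; the diff documents which services and features were removed, which is useful when a later deployment unexpectedly needs one of them back.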
Xperience security
Restrict public access to unused files and routes under the administration application's /CMSPages and /CMSModules/<some module>/CMSPages paths. The following web.config example restricts public access to the GetCMSVersion.aspx route:
<location path="CMSPages/GetCMSVersion.aspx">
  <system.webServer>
    <security>
      <authorization>
        <!-- Remove the allow-all rule inherited from applicationHost.config ("*" means all users). -->
        <remove users="*" roles="" verbs="" />
        <!-- Deny every request to this unused route. Using users="?" instead would deny only
             anonymous requests, which is all of them when the site does not use IIS authentication. -->
        <add accessType="Deny" users="*" roles="" verbs="" />
      </authorization>
    </security>
  </system.webServer>
</location>
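The following PowerShell script is an added example, not part of the Xperience documentation. It generalizes the single web.config entry above to a list of routes: it appends a deny-all location element for each route that does not already have one, and then requests each route anonymously to confirm the server now answers 401 or 403. The web.config path, base URL and the second route in the list are placeholders to replace with your own values.

```powershell
# Added example (not from the Xperience documentation): add deny-all
# <location> entries for unused administration routes and verify them.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\Xperience\web.config',  # placeholder path
    [string]$BaseUrl   = 'https://admin.example.com'                 # placeholder URL
)

# Routes under the administration application that this site does not use.
# GetCMSVersion.aspx is the route from the text; the second entry is a placeholder.
$unusedRoutes = @(
    'CMSPages/GetCMSVersion.aspx',
    'CMSModules/ExampleModule/CMSPages/Example.aspx'
)

function Add-DenyLocation {
    # Appends a <location> element that removes the inherited allow-all rule
    # and denies all users. Returns $false if the route already has an entry,
    # so the script can be re-run safely.
    param([xml]$Config, [string]$RoutePath)

    $existing = $Config.configuration.location | Where-Object { $_.path -eq $RoutePath }
    if ($existing) { return $false }

    $loc = $Config.CreateElement('location')
    $loc.SetAttribute('path', $RoutePath)
    $loc.InnerXml = @"
<system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Deny" users="*" roles="" verbs="" />
</authorization></security></system.webServer>
"@
    [void]$Config.configuration.AppendChild($loc)
    return $true
}

function Test-RouteBlocked {
    # Requests the route without credentials and reports whether IIS refused it.
    # Both Windows PowerShell and PowerShell 7 expose the response on the exception.
    param([string]$Url)
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $status = [int]$response.StatusCode
    } catch {
        $status = [int]$_.Exception.Response.StatusCode   # 0 if no response at all
    }
    [pscustomobject]@{
        Url     = $Url
        Status  = $status
        Blocked = $status -in 401, 403
    }
}

[xml]$config = Get-Content -Path $WebConfig -Raw
$added = $unusedRoutes | Where-Object { Add-DenyLocation -Config $config -RoutePath $_ }
if ($added) {
    # Back up first; saving web.config also restarts the application.
    Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
    $config.Save($WebConfig)
    "Added deny rules for: $($added -join ', ')"
}

"== Verification (expect Blocked = True for every route) =="
$unusedRoutes | ForEach-Object { Test-RouteBlocked -Url "$BaseUrl/$_" } | Format-Table -AutoSize
```

A route that still reports Status 200 after the change usually means the request is served by a handler that runs before IIS URL authorization, or that the location path does not match the URL exactly; check the path casing and the application's virtual directory before assuming the rule is in place.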
Hotfixing
We recommend installing hotfixes only when you need them – that is, when a hotfix repairs a bug that is causing you problems. You can install hotfixes using KIM or download them from Xperience DevNet.