Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward. Go to latest documentation

Skip to end of metadata
Go to start of metadata

It is recommended that you allow users to access only those directories they actually need. This means that you must forbid access to the chosen directories for all users that do not need them. This can be configured in the web.config file. This example forbids access to the CMSSiteUtils directory for all unauthorized users:

<location path="CMSSiteUtils">
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="" roles=""/>
            </authorization>
        </security>
    </system.webServer>
</location>

The CMSSiteUtils directory contains export files and is therefore the most vulnerable and must be protected properly.

Learn how to restrict access to the CMSHelp directory in the Restricting access to the CMSHelp directory topic.

On this page
In this section

Disabling directory browsing

Another important security precaution is to disallow listing of files in directories. This can be set in the IIS (and should be already set as default configuration). It is recommended to disable directory listing for the whole website, although you can also disable this feature only for individual directories. In such case, do not forget to disable directory browsing for the CMSSiteUtils directory.

  1. Open the IIS Manager.
  2. Select the project for which you want to disable the listing of files.
  3. Double-click the Directory Browsing icon in the IIS section.



  4. Click Disable.

It is now not possible to list files in directories on your website.

Disabling unnecessary execution of scripts

You should forbid the execution of scripts where it is not required. This mainly applies to directories with multimedia or directories where you allow uploading of images. This can be set in the IIS, see Edit Feature Permissions for the Handler Mappings Feature (IIS 7) for instructions.

Keeping the web servers clean

The server where your web presentation is located should not contain any other unnecessary data. It is not wise to store any sensitive information there (e.g., database exports).

CDN and external storage

In Kentico, it is possible to store data to Azure blob storage and Amazon S3 storage. Both can be configured to allow public access so that anyone can download files, which were stored in Kentico.

The thing is that, to enable distribution of data over CDN, you need to enable public access to these data. This can pose a security risk, as you do not usually want everyone to be able to download all files from these storages. Therefore, you can set only certain containers (Azure blob) and buckets (Amazon S3) to be publicly available.

You can find more information in the Configuring storage providers topic.

  • No labels