Umbraco tip of the week - security on your live servers

Note: this post is over a year old, it's very likely completely outdated and should probably not be used as reference any more. You have been warned. :-)

This morning, I thought I'd protect my site a little better to get some understanding of what would be required to do so.

First of all, I thought I'd enable Windows authentication on my /umbraco folder. Couldn't be easier, right? Wrong.
Apparently, since I am using the .NET 3.5 configuration to run Umbraco in integrated pipeline mode in IIS7, a weird problem was introduced:

[Screenshot: iis7formsauth]

I could not disable forms authentication on the /umbraco folder. Googling for this did not get me a lot of good results. However, I finally figured it out and it was actually quite an easy fix: the following section in the web.config needs to be disabled:

<authentication mode="Forms">
    <forms name="yourAuthCookie" loginUrl="login.aspx"
           protection="All" path="/" />
</authentication>

After disabling the forms authentication section, I could easily enable Windows authentication on my Umbraco folder and disable anonymous access. Great!

This seems to be an unintentional "bug" that I've submitted (you can vote, if you care) to the core team for future consideration.

After that, I thought I'd also make it impossible to show the debug information on my live site. I had actually linked to an Umbraco book about this in an earlier post, so that should be easy, right? Wrong.

I immediately saw a glaring mistake in the rewrite code: it relied on me having ".aspx" in all of my URLs. But since I have set "useDirectoryUrls" to true (so that none of my pages end in ".aspx"), this would not work.

Maybe this book was written before you could even enable useDirectoryUrls, I'm not sure. I've made a new wiki article for it though.

The solution is as follows: any URL with a querystring starting with umbDebug should be rewritten:

<!-- Prevent the umbDebug querystrings from being used -->
<add name="nodebug"
     virtualUrl="(.*)umbDebug.*"
     rewriteUrlParameter="IncludeQueryStringForRewrite"
     redirect="Application"
     destinationUrl="~$1"
     ignoreCase="true" />
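As an added example (my own code, not from the original post or the UrlRewritingNet project), here is a small Python simulation of that rule so its coverage can be checked offline before trusting it on a live site. It assumes that with rewriteUrlParameter="IncludeQueryStringForRewrite" the regex is matched against path plus querystring, that "~$1" becomes the redirect target, and that redirect="Application" makes the browser request the new URL, where the rule runs again.

```python
import re
from typing import Optional, Tuple

# Assumption: the module matches the virtualUrl regex against "path?query"
# (because of IncludeQueryStringForRewrite) and builds the target from "~$1".
NODEBUG = re.compile(r"(.*)umbDebug.*", re.IGNORECASE)  # ignoreCase="true"


def apply_nodebug_rule(url: str) -> Optional[str]:
    """Apply the rule once. Returns the redirect target ("~" + group 1) or None."""
    m = NODEBUG.match(url)
    return f"~{m.group(1)}" if m else None


def follow_redirects(url: str, max_hops: int = 5) -> Tuple[str, int]:
    """redirect="Application" sends the browser to the new URL, where the rule
    runs again. Repeat until it stops matching; return (final_url, hops).
    Note that (.*) is greedy, so a URL with two umbDebug parameters loses only
    the last one per hop; the redirect loop is what finally strips both."""
    hops = 0
    while hops < max_hops:
        target = apply_nodebug_rule(url)
        if target is None:
            break
        url = target[1:]  # drop the "~" marker; the application root is "/" here
        hops += 1
    return url, hops


def debug_flag_survives(url: str) -> bool:
    """True if an umbDebug parameter is still present once all redirects settle."""
    final, _ = follow_redirects(url)
    return "umbdebug" in final.lower()


if __name__ == "__main__":
    # Constructed sample URLs: directory-style (no .aspx), legacy .aspx, and a
    # page whose path merely contains "umbdebug" (the rule is not anchored to
    # the querystring, so that page is redirected to the site root).
    for u in ("/about/?umbDebug=true", "/page.aspx?umbdebug=1",
              "/a/?umbDebug=1&umbDebug=2", "/umbdebugging-tips/"):
        print(u, "->", follow_redirects(u))
```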

Updated: Or... as Dirk and Shannon point out, in Umbraco 4 you can just disable the debugging by using:

<add key="umbracoDebugMode" value="false" />

Sebastiaan Janssen

Dutch guy living in (and loving) Copenhagen, working at Umbraco HQ. Lifehacker, skeptic, music lover, cyclist, developer.


4 comments on this article

Shannon Deminick | July 13 2009 08:38
Doesn't UmbDebug get disabled when you set your umbracoDebugMode = false in your web.config?

Chris Houston | July 16 2009 10:32
Hi Sebastiaan,

An interesting blog post. Umbraco security is something I was thinking about looking into further; as it gains in popularity it will only be a matter of time before someone tries to hack it, and if there is a weakness in the core it is likely to exist for all installations.

A little side note, as your website is currently all in English you might like to change your date format to display in English also, it seems to be the only part of your site not in English :)

Cheers,

Chris

Tom | November 7 2011 03:02
I'm trying to get Umbraco to work using mixed mode auth, i.e. using Windows authentication by default and, if it can't authenticate, redirecting the user to a login form for AD auth. Just wondering if you guys had any hints to get Windows auth working?
