Kentico CMS security facts



Similar documents
Criteria for web application security check. Version

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Application Security Testing. Generic Test Strategy

Thick Client Application Security

Magento Security and Vulnerabilities. Roman Stepanov

Where every interaction matters.

Client logo placeholder XXX REPORT. Page 1 of 37

Columbia University Web Security Standards and Practices. Objective and Scope

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

TIBCO Spotfire Platform IT Brief

Secure development and the SDLC. Presented By Jerry

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Web Plus Security Features and Recommendations

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Secret Server Qualys Integration Guide

05.0 Application Development

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Sitefinity Security and Best Practices

SECURING SELF-SERVICE PASSWORD RESET

Web Application Guidelines

AD Self Password Reset Installation and configuration

FileCloud Security FAQ

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

White Paper BMC Remedy Action Request System Security

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

What is Web Security? Motivation

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Xerox DocuShare Security Features. Security White Paper

MySQL Security: Best Practices

Columbia University Web Application Security Standards and Practices. Objective and Scope

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

DOS ATTACKS USING SQL WILDCARDS

Configuring CQ Security

MS Enterprise Library 5.0 (Logging Application Block)

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

How To Secure Your Data Center From Hackers

PowerLink for Blackboard Vista and Campus Edition Install Guide

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

e-governance Password Management Guidelines Draft 0.1

Contents. Before You Install Server Installation Configuring Print Audit Secure... 10

The Top Web Application Attacks: Are you vulnerable?

SSL BEST PRACTICES OVERVIEW

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

ADO and SQL Server Security

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

An Insight into Cookie Security

Adobe Systems Incorporated

RFG Secure FTP. Web Interface

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Online Vulnerability Scanner Quick Start Guide

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

OFFICE OF KNOWLEDGE, INFORMATION, AND DATA SERVICES (KIDS) DIVISION OF ENTERPRISE DATA

Oracle WebCenter Content

NeoMail Guide. Neotel (Pty) Ltd

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

REDCap Technical Overview

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Using different Security Policies on Group Level for AD within one Portal. SSL-VPN Security on Group Level. Introduction

Owner of the content within this article is Written by Marc Grote

Essential IT Security Testing

RemotelyAnywhere. Security Considerations

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Single Sign-On Guide for Blackbaud NetCommunity and The Patron Edge Online

qliqdirect Active Directory Guide

Testing the OWASP Top 10 Security Issues

Web Application Security

Web Application Security

Web Application Vulnerability Testing with Nessus

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

2: Do not use vendor-supplied defaults for system passwords and other security parameters

RoomWizard Synchronization Software Manual Installation Instructions

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Web application security

Sonian Getting Started Guide October 2008

Cloud Services. Sharepoint. Admin Quick Start Guide

Managing Qualys Scanners

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Credit Card Security

DigiCert User Guide. Version 4.1

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Central Agency for Information Technology

Blue Jeans Network Security Features

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Passing PCI Compliance How to Address the Application Security Mandates

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

User Management Guide

Transcription:

Kentico CMS security facts ELSE 1 www.kentico.com

Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the described topics. Instead, it focuses on the most common scenarios and gives the reader the whole picture from a broad perspective. To fully understand this document, basic knowledge of Kentico CMS is required. The last part of the document introduces new features which will be part of the next version of Kentico CMS. Elements which mitigate the risk of security vulnerabilities in Kentico CMS Kentico software is continually integrating security elements into its SDLC (software development life cycle): 1. The design of each new module/functionality is reviewed by a security expert according to various security standards. 2. All developers and testers are continually trained in order to write secure code. Some of the used practices can be found in the Kentico CMS Security White Paper. 3. All our production code is reviewed by a Technical leader, the CTO and a Security expert (in this order). 4. All our functionality is verified by QA (quality assurance) tests. Among other things, these tests are focused on security. 5. Within the development department, there is one internal security team which periodically searches for security flaws in Kentico CMS code and its functionality. 6. Both the production and development versions of Kentico CMS are periodically scanned by an automatic Web application security tool. Currently, we are using Acunetix web vulnerability scanner for this purpose. 7. Every released version of Kentico CMS contains several new security features and enhancements (see the last chapter for details on what the next version of Kentico CMS will bring). 8. All security vulnerabilities found in production code are fixed within 7 days. SSL support Kentico CMS supports SSL (HTTPS) on both the live site and in the administration interface. SSL support can be set up for the whole system or only for certain parts. We also support SSL accelerators. 2 www.kentico.com

Authentication Picture 1: SSL accelerator scenario By default, Kentico CMS uses the ASP.NET Forms authentication mechanism. We built our own ASP.NET membership provider in order to give you the ability to use standard ASP.NET membership controls for sign up, log in and log out. Also, Kentico CMS offers authentication against Active directory (Windows authentication). You can even combine these two authentication types. You can also use the following 3 rd party services for authentication: - Windows live ID - Open ID - Facebook connect - LinkedIn PASSWORDS IN THE KENTICO CMS DATABASE Kentico CMS offers the following options for storing users passwords in the database: - Plain text (not recommended) - Hashed in MD5 - Hashed in SHA1 - Hashed in SHA2 - Hashed in SHA2 with salt (recommended) The recommended solution is to store data hashed in SHA2 with salt, this is also the default option. There is also a need to store different types of passwords in Kentico CMS, for example the password of a SMTP server or a SharePoint server. These passwords must be retrievable, so they cannot be hashed. Instead of that, they are encrypted in the database using asymmetric cryptography. PASSWORD POLICY Kentico CMS provides the ability to force users to set up their password according to the following rules: 3 www.kentico.com

- Minimum length of the password. - Minimum number of non-alphanumeric characters in the password. - Passwords must match a certain format specified by a regular expression. Authorization Kentico CMS has three different user interfaces: - Live site Front end for site visitors. - CMS Desk Administration of one certain site. The place where content is edited. - Site manager Administration of the whole CMS platform. The place where sites are managed. Kentico CMS divides users on the following levels: - Public user has permissions to see live unsecured resources (pages, documents, images ) on the live site, represents a site visitor who hasn t logged in. - Authenticated user a logged in site visitor, can see some secured resources on the live site (depending on assigned roles). - Editor has access to CMS Desk on the assigned sites. - Sites administrator have access to CMS Desk on all sites within the system. They can manage all objects of all sites but don t have access to Site Manager. - Global administrator have access to Site manager. User with all permissions. Picture 2: User levels The Public user, Sites administrator and Global administrator user types have permissions determined by their user level. The other two types, Authenticated users and Editors, are more flexible and their permissions are determined by their roles. 4 www.kentico.com

USER ROLES Each user can belong to any number of roles, their relationship is N:M. The roles are related N:1 to sites, every role belongs to a certain site. PERMISSIONS & UI ELEMENTS Permissions for the whole system are manageable in one place in the Administration interface. They are role based you cannot assign specific permissions to a user directly, you always need to assign the user to a role and then give the role certain permission(s). There are two types of permissions: - Functional (permissions) Permission check is done after the user performs a given action. If the action is not permitted, an error message is shown in the interface. - Visual (UI elements) Permission check is done during the page rendering. If a certain action is not available, the corresponding action button/link is not rendered and the user doesn t see it in the interface. There are two standard permissions read and modify (manage). Also, many modules have their own specific set of permissions for better granularity or for better handling of special scenarios. For example, the Users module has the special permission Manage user roles which allows a given role to add or remove a user from/to a role. There are also modules, for example the Forum module, where you can specify a special set of permissions directly in the module s configuration and even from the live site. It is assumed that these modules will be managed directly by Authenticated users who don t have access to the Administration interface (CMS Desk). DOCUMENT ACLS Every document (page) created in Kentico CMS has its own ACL (access control list). In this list you can specify which roles are permitted to read, modify, create, delete or destroy (delete permanently) the current document or its child documents. Protection There are lots of features in Kentico CMS which help an administrator protect the production site against various attacks. First of all, you can disable the whole administration interface for a production site. After that, even if the administration account is compromised, nobody can damage the site through the administration. BANNED IPS The Banned IPs module is useful when you want to prevent users with certain IP addresses from accessing or using your website in a certain way. This typically happens when a user posts offensive material on a website (e.g. on a forum), harasses site members or behaves in some other unwanted way. IP banning can also be used to restrict access to your 5 www.kentico.com

websites from certain areas of the world. These bans can be set either for individual websites or globally for all websites in the system. E-MAIL CONFIRMATION OF USER ACTIONS Certain actions, such as a password reset or newsletter subscription, need approval via the given user s e-mail. This prevents unauthorized people from performing these actions and as a side effect, it informs the victim about potential abuse. FLOOD PROTECTION This feature prevents users from sending too many messages in modules such as Forums or Message boards within a short period of time. You can specify the minimum interval during which users cannot send new messages. EVENT LOG Every exception/error in Kentico CMS is logged into the Kentico CMS event log. From this log, administrators can analyse what is happening when someone tries to attack their web site. Among other things, the following information can be found there: - Successful and unsuccessful login into the system - User password change - Errors during SQL query execution (allows you to detect SQL injections) - Access to non-existing pages - Unauthorized manipulation with page parameters CAPTCHA Completely automated public Turing test to tell computers and humans apart (CAPTCHA) helps you distinguish between people and computer programs (bots/spiders). Kentico CMS offers two types of CAPTCHA tests. The first one is in the form of text rendered as an image which must be entered by the user. Unfortunately, this test can be forged through OCR technology. The second one is a logical CAPTCHA, which tests the user using easy math or logic problems. URL HASHES Almost every URL in Kentico CMS is protected by a special parameter in the URL a hash. This hash is calculated from the given URL parameters and it ensures that the parameters are not changed by a user. If a given hash is not equal to the hash generated for the original URL parameters, the request is not processed. New features and enhancements for Kentico CMS 7 In the next version of Kentico CMS, we are preparing several new features which make your web sites even more secure. The following list describes a few of them: 6 www.kentico.com

- Invalid password attempts It will be possible to specify the maximum number of login attempts. If a user exceeds the specified number, their account will be locked. - Password expiration you will be able to specify an interval for which passwords will be valid. Then, a user will be forced to change the password. - Screen locking Similar feature to operation system lock. After a specified time interval, the active window locks and users will have to enter a valid password in order to work with the system again. - Ability to enforce password policy - There will be a possibility to force users to change their password right after logging in. Otherwise, they will not be able to use the system. - Built in protection against Clickjacking Clickjacking is a relatively new kind of attack. This attack displays the victim s website in an iframe on the attacker s site.. Kentico CMS adds a special HTTP header to each page to ensure that the page cannot be rendered in an iframe on a different domain. - Autocomplete All log-in forms will not remember previous input values, the autocomplete feature in these from will be disabled by default. 7 www.kentico.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information