Sunday, August 14, 2011

Securing CMS

Only a short one today. At work we needed to secure our CMS so that it is only available for internal access. I had a few ideas, but after some research I found something very cool that is a part of IIS (6 and 7): an option to restrict a site, directory or application to certain IPs only. It's called "IPv4 Address and Domain Restrictions".

The reason I'm blogging about this is that it is an easy way of adding an extra layer of security to a normal CMS. Most CMSs are available to run locally, which means they can be easily accessed and their code analysed. From a security point of view, this is a concern. To mitigate this, securing the main administration directories (login etc.) with the IP restrictions in IIS adds an extra layer to the security of the application.

The easiest way to use this is to deny all access, and then allow only the IPs that you want to be able to reach the directory (usually internal ones and one or two external IPs).
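As an added example (not from the original post), this is what the deny-all-then-allow setup looks like in IIS 7 configuration, which is what the "IPv4 Address and Domain Restrictions" feature edits. The site name, the `cms/admin` path and all addresses are assumed placeholders.

```xml
<!-- Added example: applicationHost.config fragment for IIS 7.
     "Default Web Site/cms/admin" is a hypothetical admin directory. -->
<location path="Default Web Site/cms/admin">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": any client not matched by a rule below is denied -->
      <ipSecurity allowUnlisted="false">
        <!-- Local access on the server itself -->
        <add ipAddress="127.0.0.1" allowed="true" />
        <!-- Internal network (constructed sample range) -->
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        <!-- One external address, e.g. a remote office (constructed sample IP) -->
        <add ipAddress="203.0.113.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

In IIS 7 the `ipSecurity` section is locked at server level by default, so it has to go in applicationHost.config or be unlocked before a site's web.config can carry it. The rules match the address of the connecting client, so behind a reverse proxy or load balancer IIS sees the proxy's IP rather than the user's.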

Hope this helps.
