Security and hardening best practices for hosting Sitecore on AWS
AWS offers a broad selection of compliant services that meet various regulatory standards such as HIPAA, FedRAMP, FISMA, NIST SP 800-171 and PCI-DSS amongst others. We are seeing an increasing interest in Healthcare providers using Sitecore wanting to leverage the broad range of services available on AWS. Sitecore XP is a digital marketing platform of choice that empowers marketers with comprehensive digital marketing tools, a 360 degree view of the customer needs, and machine learning-generated insights. Consumers are increasingly selecting a hospital, researching healthcare professionals, or booking appointments using digital channels that are easily managed and supported by Sitecore XP.
However, a secure and compliant hosting service for Sitecore requires understanding best practices and secure engineering practices. In our earlier blog on hosting Sitecore on AWS we describe how to develop a Multi-AZ hosting enclave within a VPC. This post is about common security best practices to help secure the Sitecore XP platform. Hardening of your Sitecore architecture will vary on the server role and you should refer to the Hardening guide provided by Sitecore. However, here are some quick and easy tips to help you get started and reduce risk factors in Sitecore setup and configuration. In general, we want to do the following:
- Deny anonymous users access to a folder
- Use SSL for any login pages along with turning off auto complete of user names
- Change the password hash algorithm to SHA512 from SHA1
- On Content Delivery Servers disable the administrative tools
- If your Sitecore implementation contains sensitive data then make sure to disable the client RSS feeds
- Disable WebDAV on your CD servers except for the Content Management Server if applicable
- Protect the upload folder functionality or at least restrict to the following:
o Deny Script and Execute permissions
o Disable the Upload Watcher to allow files to be uploaded through a Sitecore client
o Restrict file types from being uploaded
- Move the data and indexes folder outside of the website root folder
- Limit access to XML files including XSLT and MRT files
- Disable the xslExtension to prevent SQL Server access from XSLT
- On the CD servers remove the PhantomJS exe to prevent screenshots and also disable the getScreenshotUrl pipeline from launching the PhantomJS process
- Protect and Optimize media requests by restricting media URLs that contain dynamic image scaling parameter
- Remove header information from responses sent by the website. Remove the following headers:
o Remove the X-Aspnet-Version HTTP header
o Remove the X-Powered-By HTTP header
o Remove the X-AspNetMvc-Version HTTP header
- Lastly use only HTTPS on your Sitecore instances
There are a number of other security and operations best practices that are made easy on AWS. Implementing patching and vulnerability scanning using EC2 Systems Manager and AWS Inspector; and continuous threat monitoring and intelligence using Amazon GuardDuty.
About stackArmor
stackArmor is a Sitecore certified provider and is staffed with experienced cloud solution architects that have many years of experience in cloud migration and operations, cybersecurity and devops solutions for security focused customers. We provide certified Sitecore developers and administrators to help meet your Sitecore WCMS needs. Our experts help protect you from the cyberthreat challenges through systems engineering best practices developed over decades while working with US Federal Agencies requiring compliance with NIST, HIPAA, FFIEC, FISMA, FedRAMP, DHS and DISA.
https://stackarmor.com/hosting-sitecore-on-aws/
