Recently I read an EPiServer forum post about securing EPiServer edit and admin mode. If I understood the post correctly, there is a public-facing EPiServer site using the standard SQL providers, and the requirement was to prevent access to edit and admin mode for all but a restricted set of IP addresses.

This is quite easily achieved by following these steps:

IIS 6

  • Under your site > Create a virtual directory whose name matches /path/to/your/UI (e.g. /epiUI/)
  • Ensure the virtual directory points to an EMPTY directory on your machine
  • Right click on the new folder > Click "Properties"
  • "Directory Security" Tab
  • "IP address and domain name restrictions" > Edit button
  • Edit IP restrictions as appropriate
  • Click OK
  • Click OK to close the "Properties" window

IIS 7

  • Under your site > Create a virtual directory whose name matches /path/to/your/UI (e.g. /epiUI/)
  • Ensure the virtual directory points to an EMPTY directory on your machine
  • Click the newly created folder
  • Double click "IP Address and Domain Restrictions" (if you do not have access to this feature, see my other post which describes how to enable features in IIS 7 amongst other things)
  • Under Actions > Click "Edit Feature Settings"
  • In "Access for unspecified clients" select Deny > Click OK
  • Under Actions > Click "Add Allow Entry"
  • Add IP entries or ranges as appropriate
  • Click OK
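The IIS 7 steps above write an ipSecurity section into the virtual directory's configuration; the equivalent web.config, added here as an example rather than taken from the post, is shown below for a site-root web.config scoped to the /epiUI/ virtual directory. The addresses are placeholders from the documentation ranges and the directory name epiUI is assumed from the example above.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Scope the restriction to the empty virtual directory that shadows the EPiServer UI path -->
  <location path="epiUI">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" is the "Access for unspecified clients: Deny" setting -->
        <ipSecurity allowUnlisted="false">
          <!-- Single management workstation (placeholder address) -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- Office range expressed as address plus subnet mask (placeholder range) -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

ipSecurity is locked at the server level by default, so this only takes effect after unlocking the section (appcmd unlock config -section:system.webServer/security/ipSecurity) or setting overrideMode="Allow" for the path in applicationHost.config; IIS 6 stores its restrictions in the metabase and does not read this section.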

If you try to access the restricted folder and are denied access, you will get an HTTP 403.6 error. In the light of recent Microsoft Security Announcements you should monitor for this error and take appropriate action.

You may need to restart your site/IIS for the changes to take effect.
