Changing the admin password

NOTE: If you changed the admin password during site setup, you do not need to change it again.

IMPORTANT: You should create your own Administrator user and delete the Admin user. Also, delete unnecessary users from Ektron.

1. In the Workarea, choose Settings > Users.
2. Click the Admin user.
3. Click Edit Users.
4. Enter the new password in the Password and Confirm Password fields.
5. Click Save.

Changing the builtin password

NOTE: If you changed the builtin user password during the site setup, you do not need to change it again. See Editing the builtin username and password for additional information. Also, the “builtin” user does not appear in the Users list. This user appears on the application setup screen.

1. Workarea > Settings > Configurations > Setup.
2. Click Edit.
3. Find the Built In User field.
4. Enter the new password in the Password and Confirm Password fields.
5. Click Update.

   NOTE: If you cannot sign in to Ektron because the builtin user password was changed and you do not know the new password, use the BuiltinAccountReset.exe utility. This resets your Ektron user / password to Builtin / Builtin. This utility is located in C:\Program Files (x86)\Ektron\CMS400versionnumber\Utilities.

Changing the everyone group permissions

By default, the root folder in Workarea provides the Everyone Group with all permissions except Overwrite Library. You should review the permission needs of the Everyone Group when you add a folder. See also: Managing folder and content permissions.

1. Go to Workarea > Folders > Folders. The View Contents for Folder "Root" appears.
2. Choose View > Properties.
3. Choose View Permissions (). The View Permissions for Folder "Root" appears.

4. Click on the Everyone group. The Edit Permissions for Folder "Root" appears.

   —Image—

   

5. Check the permissions that you want and click Update.

Removing sample users and sample membership users

Ektron includes sample CMS users and membership users for evaluation and demonstration purposes. Remove these users when they are no longer needed.

• CMS users have access to the Workarea and can be content authors, administrators or developers. These users count towards the number of users in your license.
• Membership users are typically people who only interact with your website but have limited privileges to Ektron. They cannot use the Workarea and do not count towards the number of users in your license.

NOTE: Some users in the following lists might not appear in your user list. Also, you might have sample users that appear in your users lists. This depends on your Ektron version.

Ektron users. See also: Managing users and user groups

• jedit
• tbrown
• jsmith
• vs

Membership users. See also: Membership users and groups

• jmember
• [email protected]
• north
• supermember
• west

Removing Ektron users

1. In the Workarea, choose Settings > Users.
2. Check the box next to each user that you want to remove.
3. Click Delete ().
4. Click OK.

Removing membership users

1. In the Workarea, choose Settings > Community Management > Memberships > Users.
2. Check the box next to each user that you want to remove.
3. Click Delete ().
4. Click OK.

Disallowing group user accounts

A group account is an account used by more than one person to log in to Ektron using the same username and password. This is a serious security issue because it prevents you from tracking user activities in your Workarea. Group accounts violate Ektron's license agreement.

Securing services

IMPORTANT: Typically, the \workarea\services\path is used in 3-tier implementations. Review your site architecture and configure access to support accordingly.

You need to restrict services to specific IP addresses in IIS 7.

1. From the Windows Start menu, choose Run, then type INETMGR. If you're using Windows 8 or 2012, press the Windows key () /Q then enter INETMGR. IIS Manager appears.
2. Go to your website > Workarea > services.
3. Double click IP Address and Domain Restrictions.
   —Image—

   

4. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
5. Select Specific IP Address, enter the IP address of the Web server, and click OK.
   —Image—

   

6. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
7. Choose Deny from the drop-down and click OK.
   —Image—

   

Securing WebServices

You need to restrict Web servicesEktron Windows Service uses Windows Web Services to perform these activities: • Schedules the future publication and removal of content. • Transmits notifications that a sync should be started between the staging and production servers. • In the 3-Tier feature, transfers data between servers. to specific IP addresses in IIS 7.

1. From the Windows Start menu, choose Run, then type INETMGR. If you're using Windows 8 or 2012, press the Windows key () /Q then enter INETMGR. IIS Manager appears.
2. Go to your website > Workarea > webservices.
3. Double click on IP Address and Domain Restrictions.
   —Image—

   

4. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
5. Select Specific IP Address, enter the IP address of the Web server, then click OK.
   —Image—

   

6. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
7. Choose Deny from the drop-down and click OK.
   —Image—

   

Securing ServerControlWS.asmx

1. From the Windows Start menu, choose Run, then type INETMGR. If you're using Windows 8 or 2012, press the Windows key () /Q then enter INETMGR. IIS Manager appears.
2. Go to your website > Workarea.
3. Click Content View at the bottom of the window.
4. Right click ServerControlWS.asmx and choose Switch to Features View.
   —Image—

   

5. Double click IP Address and Domain Restrictions.
   —Image—

   

6. In the Action pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears.
7. Select Specific IP Address.
8. Enter the IP address of the Web server and then click OK.
   —Image—

   

9. In action pane, click Edit Feature Settings. The Edit IP and Domain Restrictions Settings dialog box appears.
10. Choose Deny from the drop-down and click OK.
    —Image—

    

Securing assets and user folders

As of version 8.50, user data is no longer indexed directly under the Assets folder. The /users/ folder may expose user data, such as your users email addresses, when browsing to this folder. Prevention was made within the Ektron handlers to address this issue in version 8.00, but you should review and remove the following folder [site root]\Assets\users if you have version 8.50 or later. If the users folder exits, you should delete it.

Defining the default file types for assets

Enable only file types that your website needs to support.

1. Go to Workarea > Settings > Configuration > Asset Server Setup.
2. Click Edit File Types ().
3. Add or remove file types that your website needs.
4. Click Save ().

Enabling firewall use

• Only open port 80 for standard websites. If you enable SSLSecure Sockets Layer (https), open port 443 also.
• If you need FTP, open port 21, but restrict access to IP addresses that need to FTP access to your server. The same applies for SFTP, FTPES, SSH for their respective ports.
• Do not open remote desktop ports, SQL ports, SMTP ports, or any other port unless absolutely necessary. Instead, use a VPN tunnel through the firewall for access to these services. Even FTP can be made accessible through a VPN tunnel.

Setting up SSL

Ektron strongly recommends configuring a secure socket layer (SSLSecure Sockets Layer (https)), especially if you are using Active Directory integration. SSL encrypts user names and passwords during transmissions to the Ektron server that are otherwise sent as clear text. See Updating web.config to use SSL.

If your Web server does not have an SSL certificate, install one. If you set up an SSL certificate and configure Ektron to use it, the login page is launched in a Secure Socket Layer.

After completing this procedure, the Ektron Workarea and your website require the https protocol—URLs beginning with http no longer work.

To set up SSL for Ektron:

Prerequisite 

Your server has an SSL certificate. See http://technet.microsoft.com/en-us/library/cc731977%28v=ws.10%29.aspx.

1. Open the siteroot\web.config file.
2. Set the value of ek_UseSSL to true.
3. Set the value of ek_SSL_Port to the server port that you want to use for SSL communications.
4. Set the value of ek_ecom_ComplianceMode to true.
5. Save siteroot\web.config.
6. Configure IIS so that your site uses SSL only. To do this:
   1. Open IIS Manager.
   2. Select your Ektron website.
   3. From the right panel, select Bindings.
   4. Click Add.
   5. In the Type drop-down, choose https.
   6. In the SSL certificate drop-down, choose your server's SSL certificate.
   7. Click OK.
   8. From the IIS Manager's center panel, click SSL settings.
   9. Check Require SSL.

   See also:  How to Set Up SSL on a Server.

7. If you are using a self-signed certificate, follow these additional steps.

   1. Open IIS Manager.
   2. Select your Ektron website.
   3. From the right panel, select Bindings.
   4. Select https and click Edit.
   5. On the Edit Site Binding screen, click View....
   6. On the General tab, copy the value next to Issued by.
      —Image—

      

   7. Open your Windows host file.
   8. Insert the URL copied in Step 7f.

Additional security measures

The following measures are also recommended.

• Encrypt cookiesData related to a user and Web browsing activity, such as login information, shopping cart data, and other data. in web.config.

  <add key="ek_EnableCookieEncryption" value="true" />

  NOTE: After making this change, you must reset IIS.

• Enable Captcha for new user signup and other membership features. Captcha prevents automated tools from creating unwanted data and traffic on your site. Set the Membership server controlA server control uses API language to interact with the CMS and Framework UI to display the output. A server control can be dragged and dropped onto a Web form and then modified.'s EnableCaptcha property to true. See Membership Properties.

• Enable IP filtering on all FTP sites, and WWW sites as needed. Use Ipsec filters to accomplish this. See How to configure TCP/IP filtering in Windows 2000.
• Install needed services only (for example, FTPFile Transfer Protocol, www, SMTPSimple Mail Transport Protocol; an internet standard for electronic mail., NNTPNetwork News Transfer Protocol; used for transporting Usenet articles between news servers.).
• If you make a backup of web.config, do not use another extension. The .config extension is secured, but another extension may make the backup file readable. (For example, web.BAK.config is secured, but web.config.BAK is not!)
• Remove test scripts you may have left on your site.
• If you zip up databases and code, do not leave .zip files on your site.
• Do not use IIS on a domain controller.
• Never use virtual directories across servers.
• Never install websites on the system drive.
• Remove NTFS write permissions wherever possible. See How IT Works: NTFS Permissions.
• Configure a default website with extremely secure settings (for example, require SSLSecure Sockets Layer (https), Integrated Windows authentication only, accessible from only one IP, NTFS permissions to none on an empty home directory, and so on), then stop the site. This results in a broken default website that 80% of hackers will blindly attack instead of your real website.
• Configure websites so that the host header matches the site's DNS name. Do this for both HTTP and HTTPSHypertext Transfer Protocol Secure; a combination of HTTP and SSL/TLS protocols providing encrypted communication.. Do not configure the default website with host header. This should prevent 90% of automated hacking tools from working by sending them to your crippled default website. To do this:
  1. Open IIS Manager.
  2. Right-click your website icon.
  3. On the Web Site tab, click Advanced.
  4. Click the IP Address then Edit.
  5. Enter the host header in the Host Header field.
  6. Click OK to save.
• Enable IIS auditing.
• Enable W3 extended logging. Verify that the logged information is appropriate. Consider enabling the following items:
  • Date and time
  • IP address of client
  • IP address of server
  • Server port
  • Username
  • HTTP method used to access your site
  • URI Stern
  • URI Query
  • Status of request

  See Extended Log File Format and W3C Extended Log File Format (IIS 6.0).

• Set permission for IIS logs to system and local administrators only.
• Remove write permissions to hklm\software for non-admin accounts.
  • Administrators & System: Full
  • Everyone: Read/Execute
• Restrict NTFS permissions to all executable files on the system.
  • Administrators & System: Full
  • Users: Read/Execute
  • IUSR account: execute permissions sparingly

  See How IT works: NTFS Permissions.

• Restrict NTFS permissions to any script interpreters, such as Perl.
  • Administrators & System: Full
  • Everyone: Read/Execute
  • IUSR account: execute permissions sparingly
• Ensure that the Everyone group has read-only permissions for these directories.
  • Web root
  • %systemroot%
  • %systemroot%\system32
  • %systemroot%\system32\inetsrv
  • %systemroot%\system32\inetsrv\asp
  • %systemroot%\program files\common files\