November 27, 2018

Sitecore CD Hardening via Release Deployments

November 27, 2018


Sitecore CD Hardening via Release Deployments

Security hardening on your CD servers is an absolute must.  It should not be an afterthought and you should address it early so that you're not trying to cram it in just before go-live.

In the days before automated deployments, CD hardening would involve manually manipulating the IIS folder level permissions on each CD server in your environments. With automated deployments, we can make this much easier!

Which Sitecore Version are We Deploying?

Take note of which version of Sitecore you are working with.  Prior to Sitecore 8.2, Update 3, you are still limited to manipulating IIS folder level permissions.  You can also handle this with configuration, but that's outside the scope of this post.  With Sitecore 8.2, Update 3 and newer, we have the option of changing the forms authentication mode in order to secure the server.

Disable Forms Authentication

The simple way to disable access to your Sitecore interface is to change the authentication mode from "Forms" to "None" in your web.config:


Easy enough to do on each of your CD servers, right?  But we want to automate that with our deployments.

Azure Devops and Web.config Tranforms

Using a web.config transform, we can target the "authentication" node and change the value to "None." 

What about local development though? 

When developing locally, you can use the "Debug" solution configuration that lets the web.config use the "Forms" setting when developing locally. This is exactly how Sitecore ships out of the box.

Use the "Release" solution configuration to set a transform on that element to change it to a token value.  Note: This assumes you are using the "Release" configuration when building your solution in Azure Devops (was VSTS). 

Why a token value instead of just setting it to "None"? 

We are utilizing (mostly) clean deploys.  When deploying, we wipe the web root and install all of Sitecore and our custom code and configuration from scratch.  Additionally, we deploy the same set of files to every server.  Different values for the tokens are controlled via variables and variable groups in Azure Devops. We expect this token value to be replaced at the time the release is generated and deployed to our different environments.

Putting it Together

So, we have a Web.Release.config file in our solution that looks like this:


In Azure Devops, we have a Variable Group for our CM servers that has the same "#{AuthenticationMode}" token with a value of "Forms":

Sitecore CM Server Role Variables


Additionally, in Azure Devops, we have another Variable Group for our CD servers that has the "#{AuthenticationMode}" token with a value of "None":

Sitecore CD Server Role Variables


When the release is built, use the Replace Tokens task in your release definition to process all your config files and replace the tokens with values from your Azure Deveops Variables Library.

Summary

Security hardening is an important task that shouldn't be overlooked and shouldn't be pushed to the end of your development cycle.  Consider security early and keep yourself and your clients out of the news.

Additional Reading

Sitecore - Deny anonymous users access to a folder

Sitecore - Restrict access to the client

Visual Studio Marketplace - Replace Tokens Task

January 31, 2018

Craig Taylor Wins Sitecore "Most Valuable Professional" Award

January 31, 2018


Craig Taylor wins Sitecore Most Valuable Professional Award

Atlanta, GA — January, 31st, 2018 — Craig Taylor has been named a "Most Valuable Professional (MVP)" in the Technology category by Sitecore®, the global leader in experience management software. Craig was one of only 208 Technology MVPs worldwide to be named a Sitecore MVP this year.

Now it its 12th year, Sitecore's MVP program recognizes individual technology, strategy, and commerce advocates who share their Sitecore passion and expertise to offer positive customer experiences that drive business results. The Sitecore MVP Award recognizes the most active Sitecore experts from around the world who participate in online and offline communities to share their knowledge with other Sitecore partners and customers.

I'm truly honored that Sitecore recognized me as an MVP in the Sitecore community for the fifth straight year! I'm surrounded by some amazingly talented co-workers at Avanade and supported by an amazing Sitecore community. I feel like I'm in great company and am continually pressed to keep the high standards demonstrated by the other Sitecore MVPs. (Craig Taylor, Sitecore Architect, Avanade Inc.)

"The Sitecore MVP awards recognize and honor those individuals who make substantial contributions to our loyal community of partners and customers," said Pieter Brinkman, Sitecore Senior Director of Technical Marketing. "MVPs consistently set a standard of excellence by delivering technical chops, enthusiasm, and a commitment to giving back to the Sitecore community. They truly understand and deliver on the power of the Sitecore Experience Platform to create personalized brand experiences for their consumers, driving revenue and customer loyalty."

The Sitecore Experience Platform™ combines web content management, omnichannel digital delivery, insights into customer activity and engagement, and strategic digital marketing tools into a single, unified platform. Sitecore Experience Commerce™ 9, released in January 2018, is the only cloud-enabled platform that natively integrates content and commerce so brands can fully personalize and individualize the end-to-end shopping experience before, during, and after the transaction. Both platforms capture in real time every minute interaction—and intention—that customers and prospects have with a brand across digital and offline channels. The result is that Sitecore customers are able to use the platform to engage with prospects and customers in a highly personalized manner, earning long-term customer loyalty.

Craig is a five time Sitecore Technology MVP and is a skilled, senior IT professional with over sixteen years of professional experience in Web technologies. He is an expert in architecting and leading teams in delivering Sitecore CMS solutions. Craig has a consistent record of delivering successful software implementations that are on-time and on-budget.

More information can be found about the MVP Program on the Sitecore MVP site: http://www.sitecore.net/mvp