Security hardening on your CD servers is an absolute must. It should not be an afterthought and you should address it early so that you're not trying to cram it in just before go-live.
In the days before automated deployments, CD hardening would involve manually manipulating the IIS folder level permissions on each CD server in your environments. With automated deployments, we can make this much easier!
Which Sitecore Version are We Deploying?
Take note of which version of Sitecore you are working with. Prior to Sitecore 8.2, Update 3, you are still limited to manipulating IIS folder level permissions. You can also handle this with configuration, but that's outside the scope of this post. With Sitecore 8.2, Update 3 and newer, we have the option of changing the forms authentication mode in order to secure the server.Disable Forms Authentication
The simple way to disable access to your Sitecore interface is to change the authentication mode from "Forms" to "None" in your web.config:Easy enough to do on each of your CD servers, right? But we want to automate that with our deployments.
Azure Devops and Web.config Tranforms
Using a web.config transform, we can target the "authentication" node and change the value to "None."What about local development though?
When developing locally, you can use the "Debug" solution configuration that lets the web.config use the "Forms" setting when developing locally. This is exactly how Sitecore ships out of the box.
Use the "Release" solution configuration to set a transform on that element to change it to a token value. Note: This assumes you are using the "Release" configuration when building your solution in Azure Devops (was VSTS).
Why a token value instead of just setting it to "None"?
We are utilizing (mostly) clean deploys. When deploying, we wipe the web root and install all of Sitecore and our custom code and configuration from scratch. Additionally, we deploy the same set of files to every server. Different values for the tokens are controlled via variables and variable groups in Azure Devops. We expect this token value to be replaced at the time the release is generated and deployed to our different environments.
Putting it Together
So, we have a Web.Release.config file in our solution that looks like this:In Azure Devops, we have a Variable Group for our CM servers that has the same "#{AuthenticationMode}" token with a value of "Forms":
Additionally, in Azure Devops, we have another Variable Group for our CD servers that has the "#{AuthenticationMode}" token with a value of "None":
When the release is built, use the Replace Tokens task in your release definition to process all your config files and replace the tokens with values from your Azure Deveops Variables Library.
Summary
Security hardening is an important task that shouldn't be overlooked and shouldn't be pushed to the end of your development cycle. Consider security early and keep yourself and your clients out of the news.Additional Reading
Sitecore - Deny anonymous users access to a folderSitecore - Restrict access to the client
Visual Studio Marketplace - Replace Tokens Task