Admin security?

Topics: Administration, Core
Aug 17, 2012 at 12:20 AM

Where can I find documentation about how secure Orchard is?

Does the system lock down an ID if the wrong password is attempted?  I'd expect it to, for example, lock for 30 minutes after 5 bad attempts.

On other tools, we could use IIS to lock the admin directory for access only by certain domains or with a certificate. However, with Orchard, there is no "Admin" directory.

I guess another way to ask my question... how does one harden and secure an Orchard site?


Aug 17, 2012 at 3:05 AM

I'm not sure if there is documentation dedicated to the security of Orchard, but I can probably help answer some questions.  

How secure Orchard is will depend mostly on how you deploy it, and what kind of access you give to your users.  In other words, while Orchard is set up out of the box to comply with many of the OWASP security guidelines, there are things that are dependent on you.  For example, setting up SSL, and making sure that you don't grant admin privileges to the wrong person.

I think it might be a good idea for someone to work on some good Orchard security guidelines, but for now I'll just home in on your questions about logging in to access the admin area.  Out of the box, Orchard requires a user to have the "Access Admin Panel" permission granted to the role that they are assigned to.  The great thing about Orchard, though, is its flexibility.  So, if you want to attach some more advanced security checks, it wouldn't be hard to do by implementing a module.  You can implement your own MembershipProvider that overrides the default one, and customize away.  All without changing core code.  (See the OrchardSuppressDependency attribute.)

I think if you're going to work to harden your Orchard implementation though, I would start with the OWASP list and make sure you're doing your due diligence when it comes to things like SSL, user/permissions management, etc.  Basically, hit the weakest links in the chain first.  Make sure your servers and databases have good perimeter security.  No use in spending time with extra security checks if someone can just pick up your database and walk out with it, haha.

Let me know if you run into some more specific questions though.  
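The lockout the question asks for (lock the account for 30 minutes after 5 bad attempts), modelled as a wrapper around a stand-in credential check. This is an added example and not code from the thread or from Orchard: the user store, the `default_validate` stand-in, the `LockoutPolicy` class and the `FakeClock` are all constructed here. In an Orchard module the same wrapping logic would live in the custom membership service the reply above describes (the decorator calls the default provider and adds the lockout around it); the example is plain Python so it runs on its own.

```python
"""Account-lockout wrapper around a credential check (constructed example).

Policy: after MAX_ATTEMPTS consecutive failures the account is locked for
LOCKOUT_SECONDS.  A locked account answers exactly like a bad password,
so an attacker cannot tell "locked" from "wrong" by the response.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed user store; plaintext only so the model is self-contained.
# A real provider verifies a salted password hash instead.
CONSTRUCTED_USERS = {"admin": "correct horse battery staple"}


def default_validate(username: str, password: str) -> Optional[dict]:
    """Stand-in for the framework's own credential check (assumption)."""
    if CONSTRUCTED_USERS.get(username.lower()) == password:
        return {"username": username.lower()}
    return None


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means "not locked"


class LockoutPolicy:
    """Decorates a validate(username, password) callable with lockout."""

    def __init__(self, validate_user: Callable[[str, str], Optional[dict]],
                 max_attempts: int = 5, lockout_seconds: int = 30 * 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._validate_user = validate_user
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        # In-memory state; a real deployment with several web nodes would
        # keep this in a shared store (database/cache), not per process.
        self._state: Dict[str, LockoutState] = {}
        self.audit = []  # (event, account, ...) tuples for logging/alerting

    @staticmethod
    def _key(username: str) -> str:
        # Normalise so "Admin" and "admin " share one counter.
        return username.strip().lower()

    def is_locked(self, username: str) -> bool:
        st = self._state.get(self._key(username))
        return st is not None and st.locked_until > self._clock()

    def validate(self, username: str, password: str) -> Optional[dict]:
        key = self._key(username)
        now = self._clock()
        st = self._state.setdefault(key, LockoutState())

        if st.locked_until > now:
            # Still run the (slow) inner check so response time does not
            # reveal the lock, then discard the result.
            self._validate_user(username, password)
            self.audit.append(("locked_attempt", key))
            return None

        if st.locked_until and st.locked_until <= now:
            # Lock has expired: start a fresh failure count.
            st.failures = 0
            st.locked_until = 0.0

        user = self._validate_user(username, password)
        if user is not None:
            self._state.pop(key, None)  # success clears the counter
            self.audit.append(("success", key))
            return user

        st.failures += 1
        self.audit.append(("failure", key, st.failures))
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            self.audit.append(("locked", key, st.locked_until))
        return None


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised offline."""

    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through: 5 bad passwords, a correct one while locked, expiry."""
    clock = FakeClock(start=1_000_000.0)
    policy = LockoutPolicy(default_validate, clock=clock.now)
    results = {}
    for _ in range(4):
        policy.validate("Admin", "wrong")
    results["locked_after_four"] = policy.is_locked("admin")
    policy.validate("admin ", "wrong")  # fifth failure, same account
    results["locked_after_five"] = policy.is_locked("admin")
    results["correct_pw_while_locked"] = policy.validate(
        "admin", "correct horse battery staple")
    clock.advance(30 * 60 + 1)
    results["locked_after_expiry"] = policy.is_locked("admin")
    results["correct_pw_after_expiry"] = policy.validate(
        "admin", "correct horse battery staple") is not None
    results["events"] = [e[0] for e in policy.audit]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices matter more than the numbers: the lock must not be observable from the login response (same result and similar timing as a wrong password), and the counter must live somewhere every web node can see, or an attacker spread across nodes never trips it. Counting failures per source address as well as per account is a common complement, since per-account lockout alone lets an attacker deliberately lock out a legitimate user.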



Sep 29 at 6:43 PM
I have one question regarding security implementations in Orchard 2.
Recently, I found OWASP ASP.NET MVC Boilerplate (official page), which has a lot of security related optimizations for default ASP.NET MVC projects in Visual Studio.
OWASP is some kind of "standard for security" and therefore its recommendations count.
I'm wondering if Orchard 2 will have all security related configurations/code/... identical to the OWASP ASP.NET MVC Boilerplate?