These PowerShell scripts perform some simple checks to see whether the sites provided conform to Sitecore's hardening recommendations.
This is primarily done by evaluating the HTTP status code returned for files and URLs a visitor should not have access to.
The rules for hardening have come from Sitecore's documentation: https://doc.sitecore.com/developers/82/sitecore-experience-platform/en/security-hardening.html
Not all hardening recommendations can be tested without actually hacking a site. This is not something we want to do.
- Sitecore Version: attempts to load the Sitecore version from /sitecore/shell/sitecore.version.xml
- Sitecore Simple File Check: checks for webedit.css, default.js and default.css
- Deny anonymous access
- Increase login security
- Limit access to .XML, .XSLT, and .MRT files
- Remove header information from responses sent by your website
- Use HTTPS on all your Sitecore instances
- Change the hash algorithm for password encryption
- Disable administrative tools
- Disable client RSS feeds
- Disable WebDAV
- Secure the file upload functionality
- Improve the security of the website folder
- Disable SQL Server access from XSLT
- Secure the Telerik control
- PhantomJS and security hardening
- Protect media requests
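The following is an added example, not code from the sitecore-hardening-report module, showing the status-code approach described above on a single site: it requests paths an anonymous visitor should never reach and treats anything other than 401, 403 or 404 as a finding, then looks for response headers that disclose server details. The `$RestrictedPaths` mapping is an assumption built from two of the items listed above; the module's own rule definitions may differ.

```powershell
# Added example, not part of the sitecore-hardening-report module.
# $RestrictedPaths is an assumed mapping from hardening item to a path that
# anonymous visitors should be denied; both paths are taken from the list above.
$RestrictedPaths = @(
    @{ Rule = 'Deny anonymous access'; Path = '/sitecore/login' },
    @{ Rule = 'Sitecore version';      Path = '/sitecore/shell/sitecore.version.xml' }
)

# Response headers that reveal the platform or version (common ASP.NET/IIS examples)
$DisclosingHeaders = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version')

function Get-HttpResult {
    param([Parameter(Mandatory)][string] $Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        return [pscustomobject]@{ Status = [int]$r.StatusCode; Headers = $r.Headers }
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the status code is still on the response object
        if ($_.Exception.Response) {
            return [pscustomobject]@{ Status = [int]$_.Exception.Response.StatusCode; Headers = @{} }
        }
        # DNS failure, connection refused or timeout: no status at all
        return [pscustomobject]@{ Status = 0; Headers = @{} }
    }
}

function Test-SitecoreHardening {
    param([Parameter(Mandatory)][string] $Url)
    $base   = $Url.TrimEnd('/')
    $denied = 401, 403, 404

    foreach ($item in $RestrictedPaths) {
        $result = Get-HttpResult -Uri ($base + $item.Path)
        if ($result.Status -in $denied)  { $verdict = 'PASS' }
        elseif ($result.Status -eq 0)    { $verdict = 'ERROR' }
        else                             { $verdict = 'FAIL' }   # 200 means the path is reachable
        [pscustomobject]@{
            Url    = $base
            Rule   = $item.Rule
            Detail = $item.Path
            Status = $result.Status
            Result = $verdict
        }
    }

    # Header check uses the site root; a failed request has no headers and is reported as ERROR
    $root   = Get-HttpResult -Uri $base
    $leaked = @($root.Headers.Keys | Where-Object { $_ -in $DisclosingHeaders })
    if ($root.Status -eq 0)        { $verdict = 'ERROR' }
    elseif ($leaked.Count -eq 0)   { $verdict = 'PASS' }
    else                           { $verdict = 'FAIL' }
    [pscustomobject]@{
        Url    = $base
        Rule   = 'Remove header information from responses'
        Detail = ($leaked -join ', ')
        Status = $root.Status
        Result = $verdict
    }
}

# Usage:
# Test-SitecoreHardening -Url 'https://yoursite.com' | Format-Table -AutoSize
```

Redirects are followed, so a restricted path that redirects to a publicly reachable page is reported as the final status. Run the check from a network that is not whitelisted for the site; from a whitelisted address a 200 on /sitecore/login is expected and is not a finding.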
# Usage
```powershell
# report.ps1 -Url -Format (Console, Html, Csv)

# Quick console report
report.ps1 https://yoursite.com

# Detailed Html report
report.ps1 -Url https://yoursite.com -Format Html
```
If you are running this script from a computer in a location that has been whitelisted, you might get false positives, i.e. the site grants access to /sitecore/login from your office's IP address, which average users should not have access to.
See `\examples\report-example.ps1` for the most recent example script:
```powershell
Import-Module .\src\sitecore-hardening-report.psm1

$Urls = @(
    "https://sitecore.com"
)

Invoke-ConsoleReport -Urls $Urls
Invoke-HtmlReport -Urls $Urls -OutputFolderPath "c:\temp\" -SplitResults $false
Invoke-HtmlReport -Urls $Urls -OutputFolderPath "c:\temp\" -SplitResults $true
Invoke-CsvReport -Urls $Urls -CsvFilePath "c:\temp\report.csv" -DetailedReport $false
```