Tightening Community Server Control Panel Security

written by Ryan Olshan on Sunday, September 17 2006

By default, the web.config file of Community Server allows any registered user access to the Control Panel, including Setup.aspx and two pages that are hidden from the Control Panel UI but still functional. To prevent registered users from accessing these files and the Control Panel, change the web.config in /ControlPanel to the one below. Before doing so, it's a good idea to create a role called ResourceOwner and assign it to all blog authors and file and photo gallery owners, because the change below will otherwise lock all of them out of modifying their blogs and photo and file galleries: they aren't in the list of roles allowed to access the Control Panel.

<!-- Admin configuration -->

<configuration>
  <system.web>
    <authorization>
      <allow roles="SystemAdministrator,BlogAdministrator,ForumsAdministrator,Moderator,GalleryAdministrator,FileAdministrator,ReaderAdministrator,MembershipAdministrator,ResourceOwner" />
      <deny users="*" />
    </authorization>
  </system.web>

  <location path="settings.aspx">
    <system.web>
      <authorization>
        <allow roles="SystemAdministrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Setup.aspx">
    <system.web>
      <authorization>
        <allow roles="SystemAdministrator,BlogAdministrator,ForumsAdministrator,GalleryAdministrator,FileAdministrator,ReaderAdministrator,MembershipAdministrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="license.aspx">
    <system.web>
      <authorization>
        <allow roles="SystemAdministrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
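To confirm the rules above fail closed before deploying them, here is a small added check (my own Python, not part of Community Server) that simulates how ASP.NET evaluates <authorization> rules: the matching <location> block first, then the directory-wide rules, first match wins. The config string is the post's own, trimmed to the directory block and Setup.aspx; the user names and roles used are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ControlPanel web.config from the post, trimmed to the
# directory rule and the Setup.aspx block (settings/license mirror it).
WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <allow roles="SystemAdministrator,BlogAdministrator,ForumsAdministrator,Moderator,GalleryAdministrator,FileAdministrator,ReaderAdministrator,MembershipAdministrator,ResourceOwner" />
    <deny users="*" />
  </authorization></system.web>
  <location path="Setup.aspx"><system.web><authorization>
    <allow roles="SystemAdministrator,BlogAdministrator,ForumsAdministrator,GalleryAdministrator,FileAdministrator,ReaderAdministrator,MembershipAdministrator" />
    <deny users="*" />
  </authorization></system.web></location>
</configuration>"""


def is_allowed(page, user, roles, authenticated=True, config_xml=WEB_CONFIG):
    # ASP.NET consults the matching <location> block first, then the
    # directory-wide rules; the first matching rule wins. With no match the
    # inherited machine-level <allow users="*"> applies, which is why every
    # block must end in <deny users="*">.
    root = ET.fromstring(config_xml)
    scopes = [loc for loc in root.findall("location")
              if loc.get("path", "").lower() == page.lower()] + [root]
    for scope in scopes:
        for rule in scope.findall("system.web/authorization/*"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            rule_roles = {r.strip() for r in rule.get("roles", "").split(",")}
            hit = ("*" in users or user in users
                   or ("?" in users and not authenticated)
                   or bool(rule_roles & set(roles)))
            if hit:
                return rule.tag == "allow"
    return True


def fails_open(config_xml=WEB_CONFIG):
    # Scopes whose last rule is not <deny users="*"> fall through to allow.
    root = ET.fromstring(config_xml)
    bad = []
    for scope in [root] + root.findall("location"):
        rules = scope.findall("system.web/authorization/*")
        if not rules or rules[-1].tag != "deny" or rules[-1].get("users") != "*":
            bad.append(scope.get("path", "<directory>"))
    return bad
```

Run fails_open() against your real /ControlPanel/web.config after editing it; an empty list means every block ends in the catch-all deny.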


Comments

  • Dave Burke on 9.21.2006 at 11:36 AM


    Hey, Ryan! Thanks for this post. I wanted to link to it in today's Daily News but wanted to verify that all registered users had access to setup.aspx and the other items you mentioned before doing so. I'll ping you back on this as soon as I can get to it. Thanks again.
