# Security Sitecore PowerShell Extensions (SPE) is a powerful administrative tool that requires proper security configuration. This guide provides comprehensive security documentation to help you secure your SPE installation. {% hint style="danger" %} **Critical Warning:** SPE is a powerful tool that should NEVER be installed on Content Delivery (CD) instances or internet-facing servers. Always implement security best practices and follow the principle of least privilege. {% endhint %} ## Quick Start New to SPE security? Start here: 1. [**Getting Started**](https://doc.sitecorepowershell.com/security/getting-started) - Essential security setup for new installations 2. [**Security Policies**](https://doc.sitecorepowershell.com/security/security-policies) - Understand the SPE security model 3. [**Security Checklist**](https://doc.sitecorepowershell.com/security/security-checklist) - Validate your deployment before going live ## Security Documentation ### Core Security Topics #### [Security Policies](https://doc.sitecorepowershell.com/security/security-policies) Understand the two-layer security model that governs SPE: * Application Pool Service Account (OS-level access) * Sitecore User Account (API-level access) * Application and menu item security * Best practices for both security contexts #### [Session Elevation (UAC)](https://doc.sitecorepowershell.com/security/session-elevation) Configure User Account Control to require reauthentication: * How Session Elevation works * Elevation actions (Allow, Block, Password, Confirm) * Token configuration and expiration * Environment-specific recommendations * Interface behaviors (Console, ISE, Content Editor) #### [Web Services Security](https://doc.sitecorepowershell.com/security/web-services) Control external access to SPE through web services: * Service descriptions and security implications * Enable/disable individual services * HTTPS and requireSecureConnection * Role-based authorization * Configuration examples for different scenarios ### Hardening and Protection #### [File Upload Restrictions](https://doc.sitecorepowershell.com/security/file-upload-restrictions) Prevent malicious file uploads: * File type restrictions (extensions and MIME types) * Upload location restrictions * Dangerous file types to never allow * Configuration examples * Testing upload restrictions #### [Delegated Access](https://doc.sitecorepowershell.com/security/delegated-access) Grant controlled privilege escalation: * How delegated access works * Configuration steps * Use cases (publishing, reports, bulk operations) * Script implementation patterns * Security best practices and monitoring #### [IIS-Level Security](https://doc.sitecorepowershell.com/security/iis-security) Add defense in depth at the web server level: * Deny anonymous access * Windows Authentication * IP address restrictions * SSL/TLS requirements * Request filtering and URL rewrite rules ### User Management #### [Users and Roles](https://doc.sitecorepowershell.com/security/users-and-roles) Manage Sitecore users and roles: * Bulk user operations * Role queries and management * Item Access Control Lists (ACL) * Active Directory integration * PowerShell examples for user management ### Deployment and Operations #### [Minimal Web Service Deployment](https://doc.sitecorepowershell.com/security/minimal-deployment) Deploy only what's needed for CI/CD: * Required files for web services only * Disable UI components * Configuration for automation scenarios * Security best practices * Common deployment patterns #### [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) Track security events and detect incidents: * What gets logged * Log levels and configuration * Real-time monitoring strategies * Log analysis examples * Integration with SIEM systems * Security metrics and dashboards ### Validation and Compliance #### [Security Checklist](https://doc.sitecorepowershell.com/security/security-checklist) Comprehensive validation before deployment: * Pre-deployment validation * Configuration checklist * Testing procedures * Environment-specific checklists * Post-deployment monitoring * Emergency procedures ## Security by Environment ### Development Environment **Priority:** Productivity with basic security **Recommendations:** * Session Elevation: Relaxed (Allow or long timeouts) * Web Services: Enable as needed for testing * Logging: DEBUG level for troubleshooting * IP Restrictions: Not required **Start here:** [Getting Started - Development](https://doc.sitecorepowershell.com/getting-started#development-environment) ### QA/Staging Environment **Priority:** Match production security for testing **Recommendations:** * Session Elevation: Password or Confirm (5-15 minute timeout) * Web Services: Match production configuration * Logging: INFO level * IP Restrictions: Optional **Start here:** [Getting Started - QA/Staging](https://doc.sitecorepowershell.com/getting-started#qastaging-environment) ### Production Environment **Priority:** Maximum security **Recommendations:** * Session Elevation: Password or Confirm (3-5 minute timeout) * Web Services: Only handleDownload, client, execution (disable remoting) * Logging: INFO or WARN level * IP Restrictions: Recommended * HTTPS: Required **Start here:** [Security Checklist - Production](https://doc.sitecorepowershell.com/security-checklist#production-environment) ### CI/CD Environment **Priority:** Automation with strict access control **Recommendations:** * Minimal Deployment: Use minimal package * Remoting: Enabled with IP restrictions * Web Services: Only required services * Logging: INFO level with monitoring * HTTPS: Required **Start here:** [Minimal Deployment](https://doc.sitecorepowershell.com/security/minimal-deployment) ## Security Layers (Defense in Depth) SPE security uses multiple layers for comprehensive protection: ``` 1. Network Security - Firewall rules - VPN/private network - Not internet-facing 2. IIS-Level Security - Deny anonymous access - IP restrictions - HTTPS requirements - Request filtering 3. Sitecore User Security - Role-based access control - Application-level permissions - Item-level security 4. SPE Security Hardening - Session Elevation (UAC) - Web service controls - File upload restrictions - Delegated access controls 5. Logging and Monitoring - Comprehensive logging - Real-time alerting - Regular audit reviews - SIEM integration ``` Each layer provides additional protection. If one layer is compromised, others provide continued security. ## Common Security Scenarios ### Scenario 1: Locking Down Production CM **Goal:** Secure SPE for production content management server **Steps:** 1. Review [Security Policies](https://doc.sitecorepowershell.com/security/security-policies) to understand the model 2. Configure [Session Elevation](https://doc.sitecorepowershell.com/security/session-elevation) with 5-minute Password timeout 3. Disable unnecessary [Web Services](https://doc.sitecorepowershell.com/security/web-services) 4. Configure [IIS Security](https://doc.sitecorepowershell.com/security/iis-security) to deny anonymous access 5. Enable [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) 6. Complete the [Security Checklist](https://doc.sitecorepowershell.com/security/security-checklist) ### Scenario 2: Setting Up CI/CD Automation **Goal:** Enable remote automation from build servers **Steps:** 1. Use [Minimal Deployment](https://doc.sitecorepowershell.com/security/minimal-deployment) package 2. Enable Remoting in [Web Services](https://doc.sitecorepowershell.com/security/web-services) with specific user 3. Configure [IIS Security](https://doc.sitecorepowershell.com/security/iis-security) with IP restrictions to build servers 4. Configure [File Upload Restrictions](https://doc.sitecorepowershell.com/security/file-upload-restrictions) for packages only 5. Set up [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) for automation activity 6. Test with [Security Checklist - CI/CD](https://doc.sitecorepowershell.com/security-checklist#cicd-environment) ### Scenario 3: Delegating Report Access **Goal:** Allow content authors to run administrative reports **Steps:** 1. Understand [Delegated Access](https://doc.sitecorepowershell.com/security/delegated-access) concepts 2. Create delegated access configuration for reporting role 3. Configure impersonated user with read-only administrative access 4. Test report access as content author 5. Monitor usage via [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) ### Scenario 4: Identity Server Integration (Sitecore 9.1+) **Goal:** Configure SPE with Sitecore Identity Server **Steps:** 1. Enable `Spe.IdentityServer.config` 2. Configure [Session Elevation](https://doc.sitecorepowershell.com/security/session-elevation) with Confirm action (not Password) 3. Test Console and ISE with federated authentication 4. Configure [Web Services](https://doc.sitecorepowershell.com/security/web-services) if needed ## Security Best Practices Summary ### ✅ Do * **Always** deny anonymous access at IIS level * **Always** use Session Elevation (UAC) in production * **Always** require HTTPS for any enabled web services * **Always** follow principle of least privilege * **Always** monitor logs for suspicious activity * Only enable web services you specifically need * Use short session elevation timeouts in production (3-5 minutes) * Restrict SPE access to trusted administrators only * Configure file upload restrictions when upload service is enabled * Regular security audits and role membership reviews * Document your security configuration * Test security in non-production before deploying ### ❌ Don't * **Never** install SPE on Content Delivery (CD) servers * **Never** expose SPE to internet-facing servers * **Never** use `elevationAction="Allow"` in production * **Never** enable all web services "just in case" * **Never** grant broad role access (e.g., "Everyone") * **Never** allow dangerous file types (.exe, .dll, .ps1, .bat) * Don't skip Session Elevation configuration * Don't ignore failed authentication attempts in logs * Don't use administrator accounts for automation * Don't forget to configure authorization when enabling remoting ## Quick Reference ### Configuration Files | File | Purpose | Documentation | | -------------------------------------------------- | --------------------------- | --------------------------------------------------------------------------------------------------------------- | | `App_Config\Include\Spe\Spe.config` | Core SPE configuration | [Web Services](https://doc.sitecorepowershell.com/security/web-services) | | `App_Config\Include\Spe\Spe.IdentityServer.config` | Identity Server integration | [Getting Started](https://doc.sitecorepowershell.com/getting-started#identity-server-configuration-sitecore-91) | | `App_Config\Include\Spe\Custom\*.config` | Your security patches | All topics | | `sitecore modules\PowerShell\Services\web.config` | IIS-level security | [IIS Security](https://doc.sitecorepowershell.com/security/iis-security) | ### Security Policies Location | Policy | Location | Documentation | | ----------------------- | ------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | | Application Visibility | `core:\content\Applications\PowerShell` | [Security Policies](https://doc.sitecorepowershell.com/security/security-policies) | | Menu Item Security | `core:\content\Applications\Content Editor\Context Menues\Default\` | [Security Policies](https://doc.sitecorepowershell.com/security/security-policies) | | Script Library Security | Item-level security on scripts | [Users and Roles](https://doc.sitecorepowershell.com/security/users-and-roles) | | Delegated Access | SPE configuration items | [Delegated Access](https://doc.sitecorepowershell.com/security/delegated-access) | ### Default Roles | Role | Default Access | Recommendation | | ----------------------------------------- | ----------------------- | ---------------------------------- | | `sitecore\Developer` | Console, ISE | Keep restricted to developers only | | `sitecore\Sitecore Client Users` | ListView, Runner | Appropriate for content authors | | `sitecore\Sitecore Client Authoring` | Reports | Appropriate for content authors | | `sitecore\PowerShell Extensions Remoting` | Remoting (when enabled) | Use custom role instead | ## Getting Help ### Documentation Navigation * **New to SPE Security?** Start with [Getting Started](https://doc.sitecorepowershell.com/security/getting-started) * **Deploying to production?** Use the [Security Checklist](https://doc.sitecorepowershell.com/security/security-checklist) * **Setting up automation?** See [Minimal Deployment](https://doc.sitecorepowershell.com/security/minimal-deployment) * **Need to debug?** Check [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) * **Configuring a specific feature?** See topic-specific guides below ### Support Resources * **GitHub Issues:** [SitecorePowerShell/Console](https://github.com/SitecorePowerShell/Console/issues) * **Slack:** #module-spe on Sitecore Community Slack * **Documentation:** [Full SPE Documentation](https://doc.sitecorepowershell.com/readme) ### Security Incident Response If you suspect a security breach: 1. Immediately lock down SPE using [Emergency Procedures](https://doc.sitecorepowershell.com/security-checklist#emergency-procedures) 2. Review logs using [Logging and Monitoring](https://doc.sitecorepowershell.com/security/logging-and-monitoring) guidance 3. Document the incident 4. Contact your security team 5. Report to SPE maintainers if it's a product vulnerability ## Additional Resources ### Related Documentation * [Installation](https://github.com/SitecorePowerShell/Book/blob/master/installation.md) - Initial SPE installation * [Interfaces](https://doc.sitecorepowershell.com/interfaces) - Console, ISE, and Interactive Dialogs * [Remoting](https://doc.sitecorepowershell.com/remoting) - Using SPE Remoting for automation * [Modules](https://doc.sitecorepowershell.com/modules) - Integration points and features * [Appendix - Security Cmdlets](https://doc.sitecorepowershell.com/appendix/security) - PowerShell security commands ### External References * [Sitecore Security Best Practices](https://doc.sitecore.com/xp/en/developers/latest/platform-administration-and-architecture/security.html) * [OWASP Top 10](https://owasp.org/www-project-top-ten/) * [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) ## Version-Specific Notes ### Sitecore 9.1+ with Identity Server Enable the Identity Server configuration: * File: `App_Config\Include\Spe\Spe.IdentityServer.config` * Purpose: Prevents infinite loop in SPE Console * Use `elevationAction="Confirm"` instead of "Password" ```xml /sitecore%20modules/PowerShell ``` ### Sitecore XM Cloud Consult the latest SPE documentation for XM Cloud-specific security configurations. *** **Remember:** Security is not a one-time configuration. Regular reviews, monitoring, and updates are essential to maintaining a secure SPE installation. **Last Updated:** 2025 **Maintained By:** SPE Community