Getting Started

This guide helps you quickly secure your Sitecore PowerShell Extensions installation with essential security configurations.

Critical Security Warnings

Quick Security Checklist

Before deploying SPE to any environment beyond your local development machine, complete these essential steps:

✓ Environment Assessment

✓ Web Services Security

By default, all SPE web services are disabled except those required for the Sitecore UI. Keep them disabled unless you have a specific need.

✓ User Access Control

✓ Application Pool Security

✓ Content Editor Security

Initial Configuration Steps

Step 1: Review Default Settings

The default security configuration is found in:

  • App_Config\Include\Spe\Spe.config

Do not modify this file directly. Instead, create configuration patch files.

Step 2: Create Your Security Patch

Create a new configuration file: App_Config\Include\Spe\Custom\Spe.Custom.config

Example: Basic production security configuration:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <!-- The patch namespace URI must be exactly http://www.sitecore.net/xmlconfig/ (http, not https); otherwise Sitecore ignores the patch:attribute elements below -->
  <sitecore>
    <powershell>
      <!-- Session Elevation (UAC) -->
      <userAccountControl>
        <tokens>
          <token name="Console">
            <patch:attribute name="expiration">00:05:00</patch:attribute>
            <patch:attribute name="elevationAction">Password</patch:attribute>
          </token>
          <token name="ISE">
            <patch:attribute name="expiration">00:05:00</patch:attribute>
            <patch:attribute name="elevationAction">Password</patch:attribute>
          </token>
          <token name="ItemSave">
            <patch:attribute name="expiration">00:05:00</patch:attribute>
            <patch:attribute name="elevationAction">Password</patch:attribute>
          </token>
        </tokens>
      </userAccountControl>

      <!-- Ensure web services remain disabled -->
      <services>
        <remoting enabled="false" />
        <restfulv1 enabled="false" />
        <restfulv2 enabled="false" />
        <fileDownload enabled="false" />
        <fileUpload enabled="false" />
        <mediaDownload enabled="false" />
        <mediaUpload enabled="false" />
      </services>
    </powershell>
  </sitecore>
</configuration>
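As an added check that is not part of SPE or this guide, the following Python script lints a patch file like the one above against the production rules on this page: the patch namespace must be exactly http://www.sitecore.net/xmlconfig/, no token may use elevationAction Allow or an expiration above 00:05:00, and no web service may be enabled. The sample patch embedded in it is constructed, with deliberate weaknesses, and expiration values are assumed to be zero-padded hh:mm:ss.

```python
import xml.etree.ElementTree as ET

PATCH_NS = "http://www.sitecore.net/xmlconfig/"  # exact URI; anything else is ignored by Sitecore
MAX_EXPIRATION = "00:05:00"  # production limit from this guide (hh:mm:ss, compared as zero-padded text)

# Constructed sample patch (not a real deployment) with three deliberate weaknesses.
SAMPLE_PATCH = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore><powershell>
    <userAccountControl><tokens>
      <token name="Console">
        <patch:attribute name="expiration">01:00:00</patch:attribute>
        <patch:attribute name="elevationAction">Allow</patch:attribute>
      </token>
      <token name="ISE" expiration="00:05:00" elevationAction="Password" />
    </tokens></userAccountControl>
    <services>
      <remoting enabled="true" />
      <restfulv2 enabled="false" />
    </services>
  </powershell></sitecore>
</configuration>"""

def _effective(elem, attr):
    """Attribute value as the merge applies it: a patch:attribute child wins over a plain attribute."""
    for child in elem.findall(f"{{{PATCH_NS}}}attribute"):
        if child.get("name") == attr:
            return (child.text or "").strip()
    return elem.get(attr)

def lint_spe_patch(xml_text):
    """Return findings that violate the production rules; an empty list means the patch passes."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # A mistyped namespace (e.g. https://) turns every patch:attribute into a no-op.
        if elem.tag.startswith("{") and not elem.tag.startswith("{" + PATCH_NS + "}"):
            findings.append(f"{elem.tag}: namespace is not {PATCH_NS}, patch will be ignored")
    for token in root.iter("token"):
        name, action = token.get("name"), _effective(token, "elevationAction")
        if action == "Allow":
            findings.append(f"token {name}: elevationAction=Allow (use Password or Confirm)")
        exp = _effective(token, "expiration")
        if exp and exp > MAX_EXPIRATION:
            findings.append(f"token {name}: expiration {exp} exceeds {MAX_EXPIRATION}")
    services = root.find(".//services")
    for svc in ([] if services is None else services):
        if (_effective(svc, "enabled") or "").lower() == "true":
            findings.append(f"service {svc.tag}: enabled (keep disabled unless required)")
    return findings
```

Run it against the real Spe.Custom.config contents in a pre-deployment pipeline step; any non-empty result should block the deployment until the patch is corrected.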

Step 3: Configure IIS Authentication

Protect the SPE services directory at the IIS level.

Edit sitecore modules\PowerShell\Services\web.config:

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

This denies anonymous access to all SPE web services.

Step 4: Test Your Configuration

  1. Log in as a non-administrator user

  2. Verify you cannot access the PowerShell Console

  3. Verify you cannot access the PowerShell ISE

  4. Log in as an administrator

  5. Verify Session Elevation prompts appear when expected

  6. Test that scripts execute successfully after elevation

Environment-Specific Recommendations

Development Environment

For local development machines, you may use relaxed settings:

<token name="Console">
  <patch:attribute name="expiration">01:00:00</patch:attribute>
  <patch:attribute name="elevationAction">Allow</patch:attribute>
</token>

QA/Staging Environment

Use the same strict security as production, but you may extend session timeouts slightly for testing convenience:

<token name="Console">
  <patch:attribute name="expiration">00:15:00</patch:attribute>
  <patch:attribute name="elevationAction">Password</patch:attribute>
</token>

Production Environment

Use the strictest settings:

<token name="Console">
  <patch:attribute name="expiration">00:05:00</patch:attribute>
  <patch:attribute name="elevationAction">Password</patch:attribute>
</token>

For Azure AD/SSO environments, use:

<token name="Console">
  <patch:attribute name="elevationAction">Confirm</patch:attribute>
</token>

Identity Server Configuration (Sitecore 9.1+)

If using Sitecore 9.1 or later with Identity Server, enable this configuration file:

File: App_Config\Include\Spe\Spe.IdentityServer.config

This prevents infinite loops in the SPE Console when using OWIN cookie authentication.

Next Steps

After completing the initial setup:

  1. Review the Security Policies to understand the security model

  2. Configure Session Elevation for your environment

  3. If you need external access, carefully review Web Services security

  4. Complete the Security Checklist before deployment

Common Mistakes to Avoid

  ❌ Don't install on CD servers - SPE is for CM only
  ❌ Don't expose to the internet - Keep SPE behind firewalls
  ❌ Don't use Allow elevation in production - Always require password or confirmation
  ❌ Don't enable unnecessary web services - Only enable what you specifically need
  ❌ Don't grant broad access - Limit to administrators only
  ❌ Don't skip session elevation - UAC is critical for production environments

Getting Help

If you need assistance with SPE security:
