Minimal Deployment
For CI/CD and automation environments where you only need SPE web services (without the full UI), a minimal deployment reduces the attack surface while maintaining remote automation capabilities.
Overview
The minimal deployment includes only the files necessary to support SPE web services, removing all UI components (Console, ISE, Content Editor integrations).
Benefits:
Smaller attack surface
Fewer files to maintain
Faster deployment
Ideal for build/deployment servers
Only what's needed for automation
Limitations:
No PowerShell Console
No PowerShell ISE
No Content Editor integration
No Reports UI
Web services only (Remoting)
Use Cases
CI/CD Environments
Scenario: Build servers need to execute deployment scripts remotely.
Requirements:
Remoting service
Minimal file footprint
No interactive UI
Automated Content Deployment
Scenario: Automated systems deploy content packages to Sitecore.
Requirements:
Remote script execution
File upload capability
Package installation commands
Headless/API-Only Instances
Scenario: Sitecore instances that serve as API backends without content authoring.
Requirements:
Remote automation capability
No UI overhead
Security-focused configuration
Required Files
Core Files
App_Config\Include\Spe\Spe.config
Core configuration
✓ Yes
App_Config\Include\Spe\Spe.Minimal.config
Minimal deployment config
✓ Yes
bin\Spe.dll
Main assembly
✓ Yes
bin\Spe.Abstractions.dll
Abstractions assembly
✓ Yes
Web Service Files
sitecore modules\PowerShell\Services\web.config
IIS configuration
✓ Yes
sitecore modules\PowerShell\Services\RemoteAutomation.asmx
Remoting service
✓ Yes
sitecore modules\PowerShell\Services\RemoteScriptCall.ashx
RESTful/file services
✓ Yes
Excluded Files (Not Needed)
The following are NOT included in minimal deployment:
❌ PowerShell Console UI files ❌ PowerShell ISE files ❌ Content Editor integration files ❌ Report UI files ❌ Gutter renderers ❌ Ribbon extensions ❌ All UI-related files in sitecore modules\Shell\PowerShell\
Installation Steps
Option 1: Using Minimal Package
SPE provides a pre-built minimal package: SPE.Minimal-6.x.zip
Download
SPE.Minimal-8.x.zipfrom SPE releasesExtract to your Sitecore instance
Enable disabled config files (see below)
Configure security settings
Test connectivity
Option 2: Manual Installation
Deploy required files using your favorite scripting language.
Step 3: Disable UI Control Sources
Create a config patch to disable UI control sources:
File: App_Config\Include\Spe\Custom\Spe.DisableUI.config
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<controlSources>
<source mode="on" namespace="Spe.Client.Controls" assembly="Spe">
<patch:delete />
</source>
<source mode="on" namespace="Spe.Client.Applications"
folder="/sitecore modules/Shell/PowerShell/" deep="true">
<patch:delete />
</source>
</controlSources>
</sitecore>
</configuration>Configuration
Enable Remoting Service
By default, Remoting is disabled. Enable it with proper security:
File: App_Config\Include\Spe\Custom\Spe.Remoting.config
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<!-- Enable remoting with HTTPS requirement -->
<remoting>
<patch:attribute name="enabled">true</patch:attribute>
<patch:attribute name="requireSecureConnection">true</patch:attribute>
<!-- Clear default authorization -->
<authorization>
<patch:delete />
</authorization>
<!-- Add specific service account -->
<authorization>
<add Permission="Allow" IdentityType="User" Identity="sitecore\automation-user" desc="CI/CD automation account" />
</authorization>
</remoting>
<!-- Optionally enable file operations for package deployment -->
<fileDownload>
<patch:attribute name="enabled">true</patch:attribute>
</fileDownload>
<fileUpload>
<patch:attribute name="enabled">true</patch:attribute>
</fileUpload>
</services>
</powershell>
</sitecore>
</configuration>Secure Web Services
File: sitecore modules\PowerShell\Services\web.config
<configuration>
<system.web>
<authorization>
<!-- Deny anonymous access -->
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<security>
<!-- Require HTTPS -->
<access sslFlags="Ssl" />
<!-- Optional: IP restrictions for build servers -->
<ipSecurity allowUnlisted="false">
<add ipAddress="10.0.0.100" allowed="true" desc="Build Server 1" />
<add ipAddress="10.0.0.101" allowed="true" desc="Build Server 2" />
</ipSecurity>
</security>
</system.webServer>
</configuration>Testing the Deployment
Verify Minimal Installation
# Test from remote machine using SPE Remoting module
Import-Module SPE
# Create session
$session = New-ScriptSession `
-Username "sitecore\automation-user" `
-Password "SecurePassword123!" `
-ConnectionUri "https://sitecore-instance.local"
# Test script execution
$result = Invoke-RemoteScript -Session $session -ScriptBlock {
Get-Item -Path "master:\content\home" | Select-Object -ExpandProperty Name
}
Write-Host "Result: $result" -ForegroundColor Green
# Close session
Stop-ScriptSession -Session $sessionSecurity Best Practices
Minimal Deployment Security Checklist
Recommended Security Layers
Network - Firewall rules, VPN if possible
IIS - IP restrictions, Windows Auth (optional), HTTPS
Sitecore - Specific user accounts with minimal roles
SPE - requireSecureConnection, file upload restrictions
Monitoring - Comprehensive logging and alerts
Troubleshooting
Remoting connection fails
Possible causes:
Remoting service not enabled
User not in authorization list
HTTPS required but using HTTP
Anonymous access denied but not providing credentials
IP address blocked
Solution: Check configuration, verify credentials, ensure HTTPS.
UI elements still appear
Cause: controlSources not disabled in configuration.
Solution: Verify Spe.DisableUI.config patch is present and loading.
Related Topics
Web Services Security - Detailed web service configuration
IIS Security - IIS-level hardening
File Upload Restrictions - Configure upload limits
Security Checklist - Validation checklist
Logging and Monitoring - Monitoring remote operations
Remoting - Using SPE Remoting features
References
Last updated