Configuring Security Settings in Umbraco: A Comprehensive Guide

Introduction:

In today’s digital landscape, ensuring the security of your content management system is paramount. Umbraco provides a robust set of security configurations that allow administrators to fine-tune user management, password policies, and session handling. This guide will walk you through the security settings available in Umbraco, providing detailed explanations and examples to help you secure your CMS effectively.

Overview of Security Settings:

The security settings in Umbraco are designed to cover various aspects of user and member management, from keeping users logged in to defining strict password rules. Below is a default configuration example for the security settings: (This needs to be added on appsettings.json)

"Umbraco": {
  "CMS": {
    "Security": {
      "KeepUserLoggedIn": false,
      "HideDisabledUsersInBackOffice": false,
      "AllowPasswordReset": true,
      "AuthCookieName": "UMB_UCONTEXT",
      "AuthCookieDomain": "",
      "UsernameIsEmail": true,
      "UserPassword": {
        "RequiredLength": 10,
        "RequireNonLetterOrDigit": false,
        "RequireDigit": false,
        "RequireLowercase": false,
        "RequireUppercase": false,
        "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3",
        "MaxFailedAccessAttemptsBeforeLockout": 5
      },
      "MemberPassword": {
        "RequiredLength": 10,
        "RequireNonLetterOrDigit": false,
        "RequireDigit": false,
        "RequireLowercase": false,
        "RequireUppercase": false,
        "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3",
        "MaxFailedAccessAttemptsBeforeLockout": 5
      },
      "UserDefaultLockoutTimeInMinutes": 43200,
      "MemberDefaultLockoutTimeInMinutes": 43200,
      "AllowConcurrentLogins": false
    }
  }
}

Root Level Security Settings:

At the root level, you can configure several key aspects of security. Here’s a breakdown of each setting and its implications:

1. Keep User Logged In:

• Description: Controls whether users remain logged in after a period of inactivity.
• Default: false
• Details: When set to false, users are logged out after a specified time of inactivity. This time span can be adjusted using the TimeOut key in the global settings.

2. Hide Disabled Users in BackOffice:

• Description: Determines if disabled users are visible in the backoffice.
• Default: false
• Details: When set to true, disabled users are hidden, preventing their reactivation and the creation of identical usernames.

3. Allow Password Reset:

• Description: Enables or disables the password reset feature.
• Default: true
• Details: When true, users can reset their passwords if forgotten. Disabling this at the UI and API level can be done by setting this to false.

4. Auth Cookie Name:

• Description: Defines the name of the authentication cookie set in the browser.
• Default: UMB_UCONTEXT
• Details: This cookie is used to maintain user sessions in the backoffice.

5. Auth Cookie Domain:

• Description: Specifies the domain for the authentication cookie.
• Default: Empty (defaults to the current domain)
• Details: This setting is useful for multi-domain environments.

6. Username is Email:

• Description: Determines if the username is the same as the email address.
• Default: true
• Details: When true, the username is hidden and always matches the email address. When false, username and email can be separate.

7. User Password Settings:

These settings allow administrators to define password policies for users to enhance security.

a. Required Length

• Description: Minimum length of the user password.
• Default: 10

b. Require Non-Letter or Digit

• Description: Requires at least one non-letter or digit character in the password.
• Default: false

c. Require Digit

• Description: Requires at least one digit in the password.
• Default: false

d. Require Lowercase

• Description: Requires at least one lowercase letter in the password.
• Default: false

e. Require Uppercase

• Description: Requires at least one uppercase letter in the password.
• Default: false

f. Hash Algorithm Type

• Description: Specifies the hashing algorithm used for storing passwords.
• Default: PBKDF2.ASPNETCORE.V3
• Options: PBKDF2.ASPNETCORE.V3, PBKDF2.ASPNETCORE.V2, HMACSHA256, HMACSHA1

g. Max Failed Access Attempts Before Lockout

• Description: Number of failed login attempts before the user is locked out.
• Default: 5

8. Member Password Settings:

These settings are identical to the user password settings but apply to members of the site.

9. User Default Lockout Time in Minutes:

• Description: Duration a user is locked out after exceeding the maximum failed login attempts.
• Default: 43200 (30 days)

10. Member Default Lockout Time in Minutes:

• Description: Duration a member is locked out after exceeding the maximum failed login attempts.
• Default: 43200 (30 days)

11. Allow Concurrent Logins:

• Description: Controls whether a user can have multiple simultaneous sessions.
• Default: false
• Details: When set to false, users are prevented from having concurrent logins, enhancing security by ensuring only one session per user at any given time.

Conclusion:

Configuring the security settings in Umbraco is essential for protecting your CMS from unauthorized access and ensuring a secure user experience. By understanding and utilizing these settings, you can tailor the security features to meet your specific needs and maintain a robust security posture. With the settings outlined in this guide, you can effectively manage user sessions, enforce strict password policies, and control user visibility within the backoffice. Always review and adjust these settings as needed to align with your organization’s security requirements.