If you could add something to Kentico, what would it be and why?

Whitelist IPs through CMSSiteManager

Ability to Whitelist IPs for CMSDesk/CMSSiteManager access. Possibly even extend Whitelist to User Roles.

46 votes
Beau shared this idea

7 comments

  • Michael Morris commented

    How does one create a global ban rule for every IP? There is no subnet mask or CIDR notation entry that I see?

    There are many scenarios under which client IT departments would like multiple levels of restriction, including restricting admin login to a select few IPs. This is a common request throughout my career that Kentico should support.

  • Beau commented

    It's basically a means to eliminate a few extra steps with the client, and be able to have a platform that will be easier for other developers to pick up easily should we need to reassign a developer to it. This would also help in the case of dynamic IPs from having to mess with a config file too much, which would bring down the entire site. We also implement a multiple instance scenario with a staging and production link. Having this so that we can simply sync the sites instead of having to mess with individual config files would reduce maintenance time.

  • Jason Sherrill commented

    Michal,

    The current built-in functionality that you referenced in the documentation applies to the entire site rather than just the /admin folder, correct? If that is correct, then this functionality does not address the original requester's use case, which is to limit access to the administration area to just specific IP addresses. In this use case, the user still wants the world to be able to reach the public-facing areas of the website, but to reduce the attack surface area of the site by limiting access to the /admin folder to only requests that originate from allowed IP addresses. This can be done currently via IIS, but I believe the suggestion is to allow management of this from within the CMS itself.

  • Admin Michal Kadák (E-commerce and Platform Product Owner, Kentico) commented

    Hi,

    Could you please share with me the scenario when you need to set a range of IP addresses which are permitted to access the Kentico admin interface?

    Currently you can use the banned IP application by creating a global BAN rule for every IP and a site rule that will allow specific IPs using the "Allow IP address for this site if the IP address is banned globally" option. Please see https://docs.kentico.com/display/K9/Banning+IP+addresses

    Isn't this feature sufficient?

    Thank you

    Regards,

    Michal Kadak
    Platform Product Owner

  • Jason Sherrill commented

    I presume that what you mean is to manage IP-based restrictions through the CMS instead of through web.config for controlling which clients can reach the /admin section?

    Based on that assumption, this would definitely be a nice additional feature since it would eliminate the need for us to manage this security layer through web.config files and would also better support multi-site installations of Kentico.

  • Anonymous commented

    I would allow the administrator to restrict access to the web site or CMS desk to a range of IP addresses (block all IP addresses except for a defined range).
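
The IIS-level restriction that the comments above describe managing through web.config, shown as an added example that is not from any participant in this thread or from Kentico. The `admin` path is taken from the comments and the addresses are constructed sample values from documentation ranges; both are assumptions to adjust for a real installation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Scope the rule to the administration path only, so the public
       site stays reachable. "admin" is the path named in the comments
       above (assumption); use the path your Kentico version serves. -->
  <location path="admin">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" denies every client that is not
             listed below. denyAction="NotFound" (IIS 8 and later)
             answers with 404 instead of the default 403. -->
        <ipSecurity allowUnlisted="false" denyAction="NotFound">
          <!-- Constructed sample: a single office address. -->
          <add ipAddress="198.51.100.10" allowed="true" />
          <!-- Constructed sample: a /24 range, written as network
               address plus subnet mask. -->
          <add ipAddress="203.0.113.0" subnetMask="255.255.255.0"
               allowed="true" />
          <!-- Requests made locally on the server itself. -->
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

This needs the IIS "IP and Domain Restrictions" feature installed and the `ipSecurity` section unlocked at server level, since it is locked for site-level web.config files by default. Behind a reverse proxy or load balancer IIS sees the proxy's address unless `enableProxyMode="true"` is set on `ipSecurity`, so test from both an allowed and a disallowed address before relying on it.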
