Continuing from last month's post, in this entry I'm looking in-depth at KInspector's modules, what they do, and when they're most useful.
Broadly, the three categories KInspector separates its content into are:
- Instance Setup - controls used when performing actions on a Kentico instance.
  - These are meant to be the only items that actually modify the site's data.
- Analysis - controls for scanning and debugging existing Kentico sites.
  - This is further broken up into:
    - General
    - Consistency Issues
    - Content
    - Database
    - Event Log
    - Online Marketing
    - Performance
  - Sadly they're not filterable by those groups, but it's open source, so maybe someone will add that in later.
- Analysis - Security - a subset of Analysis separated out because it handles specifically website security issues.
This month, I'm going to focus on the first and third of these - Analysis is the largest section and I think it warrants its own "part 2.5".
Instance Setup
These are just a few utility methods for doing various tasks. If you have KInspector access you almost certainly have file/DB access and CMS Desk access, so I think these are less useful. But if you have an issue in the site and can't get into the CMS Desk, this can be a handy way to make changes without having to know where in the database to actually flip the correct bits. They're also useful if you have a ton of servers or sites active and don't want to click Stop/Disable on each individually.
I've filtered out the ones that aren't available in Kentico 11 - there are only a few, and they're not really worth touching upon here.
- [Setup] Assign all sites domain alias 'localhost'
  - Versions: 8.0-11. Of course you can do this in the Sites interface, but if you've got a lot of sites it can be handy. Be careful: it deletes existing 'localhost' aliases, so if you have custom mappings in the Sites interface it'll delete them.
- [Setup] Disable enabled SMTP servers
  - Versions: 8.0-11. Disables both the Settings and SMTP servers application lists. Note that this edits the server name, appending '.disabled'.
- [Setup] Disable enabled Staging servers
  - Versions: 8-11. Disables the staging servers, useful if the site is breaking due to misconfigured staging. Appends '.disabled' so you can see what it did. Also note that you won't be able to access the Staging Server UI because all of the staging servers will be disabled - you'll have to re-enable a staging server in Kentico first.
- [Setup] Disable enabled Web farm servers
  - Versions: 8-11. Like the others, this appends 'disabled' to the display name, so you can identify the ones it adjusted.
- [Setup] Reset Global administrator
  - Versions: 7-11. Finds the Global Administrator user by ID (53), clears their password, and enables them if they're disabled. You could just do this in the DB, of course.
- [Setup] Stop all sites
  - Versions: 8-11. Just like clicking 'Stop' on each site.
Analysis - Security
While called Analysis, this section is much more specific than the main, general "Analysis" section I'm putting off discussing this time. This section covers specifically the modules that revolve around vulnerabilities and security settings.
- [Security] ClickJacking Protection
  - Versions: 7-11. This just warns you if you have CMSXFrameOptionsExcluded set in the web.config (if that key isn't set, Kentico forces same-origin iframes).
- [Security] Flood Protection
  - Versions: 7-11. This just checks for CMSFloodProtectionEnabled and CMSChatEnableFloodProtection, two Kentico settings.
- [Security] Password policy settings
  - Versions: 7-11. This module checks your password policies, makes sure they're enforced, and verifies that your passwords are using good encryption.
- [Security] Security settings
  - Versions: 7-11. This is just a security output to let you read through your settings and see what Kentico recommends. It won't show any settings that it sees as already set to the recommended value (except the ones that instruct you to manually check, which it will always show). I don't always go with its recommendations, but a good pre-go-live step on any new website is to run this scan and, if a setting *doesn't* match, have a reason why.
- [Security] Security settings in web.config
  - Versions: 7-11. Checks various web.config settings - viewstate validation, debug, authentication, session renewal, that sort of thing. As with the previous module, this is one to read through and, if any setting isn't going to be set to the recommended value, know what the setting does and why you're setting it differently.
- [Security] SSL used for Administrative Interface
  - Versions: 7-11. Literally just checks the "Use SSL in Administration" flag in Settings. Use SSL.
- [Security] Transformation analyzer
  - Versions: 7-11. This is an interesting one: it scans your transformations for accessors that might be part of XSS vulnerabilities, as well as any deprecated custom macros. It just uses regex to scan for any instances of cookie access, GetScript, QueryString access, things like that. So it doesn't actually verify any vulnerabilities; it just points you to spots that you should manually verify. It's a good starting point, and I recommend running the same searches it does in your custom code (CookieHelper.GetValue, currenturl, URLHelper.GetQuery, URLHelper.GetQueryValue, ScriptHelper.GetScript, QueryHelper.GetString, Request.QueryString).
- [Security] Users with empty passwords
  - Versions: 6-11. [If you're running an actual Kentico 6 site, stop reading this and upgrade your Kentico installation.] This module is a simple one that checks for users without passwords. Handy for when you're about to go live and want to make sure people aren't going to be able to just sign in without credentials.
- [Security] Users with plaintext passwords
  - Versions: 6-11. By default, passwords are encrypted. Don't change that. But if you do, here's a module to help you fix it - changing the encryption setting doesn't change the passwords already stored for existing users.
- [Security] WebPart analyzer
  - Versions: 7-11. And finally, this one does a similar scan to the other two analyzers above - SQL injection, custom macros, and XSS vulnerabilities - but focuses on web parts. I actually find this one pretty good for browsing through and making sure that all of the macros and code it points out are safe.
That's enough for now. Next time I'll be doing the same reviews of the main Analysis category, which has most of the features of KInspector I actually use regularly.