Locking down your Content Delivery servers so external users can’t access your content management capabilities and Admin pages is one of the top security steps you need to undertake when deploying a new Sitecore environment.
The first step is to implement IP-based security restrictions:
Instructions for IIS 7 and greater are as follows: https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/ipSecurity/
The second step is disabling Anonymous IIS access:
This can be achieved by changing the authentication mode in the web.config to none:
Or by disabling anonymous access to the following via IIS:
- admin folder
- login folder
- shell folder
- default.aspx page
One of the benefits of Sitecore 9 is that for XM1 and XP1 deployments the authentication node is already set to none for the Content Delivery Server. For XP0, as this is intended for development environments, if you attend to use it for a CD role you will need to set the mode to none (It is not recommended to use XP0 if you have anything beyond a Development Server, use XM1 or XP1 as its intended).