Having a load balanced environment with two public-facing servers, we want to disable all the EPi system pages (/util, /Episerver etc.).
After reading and trying out the solution (the one in the end) mentioned in this article we realized that it isn't appicable on CMS 7.
If editors/admin try to reach edit/admin UI on front servers we want them to get 404.If someone try to reach "site.com/util/login.aspx" / "site.com/EPiServer" on front servers we want them to get 404.
Here's what we did so far:
EPiServerFramework.config//virtualPathProvider/add[name='ProtectedAddons']: Change the attribute virtualPath from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"
//virtualPathProvider/add[name='UI']: Change the attribute virtualPath from "~/EPiServer/CMS/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/"
//virtualPathProvider/add[name='UtilFiles']: Removed this provider from configuration.
episerver.config//sites/site/siteSettings: For each specified site we changed attribute "uiUrl" from "~/EPiServer/CMS/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/"
web.config//system.web/customErrors: Attribute "mode" set to "RemoteOnly". To only work with remote requests and not local.
//system.web/customErrors: Added element <error statusCode="404" redirect="/404/" /> to redirect users to our 404 page.
//location[path="/EPiServer"]: Changed from "EPiServer" to using guid. Ex: "0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677"
//location[path="/EPiServer/CMS/admin"]: Changed from "EPiServer/CMS/admin" to using guid. Ex: "0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/CMS/admin"
//location[path="util"]: Removed this element.
//episerver.shell/protectedModules: Changed attribute "rootPath" from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"
//episerver.packaging: Changed attribute "protectedVirtualPath" from "~/EPiServer/" to using guid. Ex: "~/0EB7F8D8-D5F8-4481-B9BF-3457A4B1F677/"
Of course you'll still be able to find the system pages using the GUID, but the risk someone finding that out is very small.
So my questions is if someone has accomplished this in a better way, or have any input on improvments or obvious shortcoming of this way of solving the problem?
There is a simple solution in IIS, you can block request to /ui and /util: Open IIS-> yoursite-> Request Filtering ->URL
Hope this helps.