Selecting an Enterprise Content Management (CMS) – Part 2

In continuation of my previous article, “Selecting a Content Management System that supports Your Business”, this article looks at selecting an enterprise CMS. Nowadays, mobile, big data and e-commerce are causing drastic changes in the business landscape, and companies that ignore their online presence are at risk of losing customers and revenue. That is why many companies are looking to invest in content management systems.

In my view, the business objective is to extend the reach and engagement of the customers, and the system must be secure and flexible enough to cater to the changing business needs.

In this article, I have tried to explain the following key considerations while choosing a Content Management System:-

  1. Enterprise hosting
  2. Security
  3. Performance
  4. Scalability

Hosting Environment

When it comes to configuring your hosting environment, there are many options and possibilities depending on number of expected visitors during peak traffic loads, application size in terms of number of pages and content items, business logic computations, security considerations, the business cost of application downtime, etc.

There can be scenarios where a single machine hosts many websites and runs both the web application and the database. This type of configuration is suitable for development environments but is not recommended for production: apart from the performance contention, a compromise of the web tier is then also a compromise of the database host.

The more RAM available to SQL Server, the better your website will perform, because more memory is available for data caching. It is a good idea to use multiple high-speed hard drives for the database server: dedicate one drive to the database logs, another to the data files, another to temporary storage (e.g. tempdb) and another to the server operating system. One of those disks can also hold regular backups of the database, or a separate disk can be dedicated to backup storage. Note that these are only performance optimization tips for SQL Server. You can start with a common hard drive for everything and then spread the load across different drives for better I/O as the database size and number of queries grow.

Load-Balanced Environment

If you have two or more web application servers, it is recommended to host them in a load-balanced environment with one dedicated database server and a second one on standby in a failover configuration. This configuration provides better performance during peak traffic and removes the single point of failure at the application and database tiers.

It is also possible to achieve a highly available and scalable environment by eliminating all single points of failure, including the load balancer. The recommended practices are-

  1. Always store the code base on a distributed file system.
  2. Use load balancers and firewalls configured in High-Availability mode (Active/Passive)
  3. Configure output and client-side caching
  4. Use a Content Delivery Network (CDN) for static content and cache it on the CDN’s edge servers. Do not cache authenticated or personalized responses at the edge, where one user’s content could be served to another.

Security

Security is a major concern that needs to be taken into account, as it covers the software, the environment, people and processes. The focus must be on data and application security; no organization can compromise on these. The recommended practices are-

  1. Check the authentication and Single Sign-On (SSO) mechanisms of the CMS (which identity providers and protocols it supports, and how it manages sessions).
  2. Check the compliance of the CMS with industry standards (for example, FIPS – Federal Information Processing Standards, if the cryptography it relies on must be FIPS-validated).
  3. Check whether the CMS addresses common threats (for example, the OWASP Top 10) both in its own code and in the extension points you will build on.

Performance

Users have ever-increasing expectations about browsing speed. Performance is a critical responsibility shared by the application, the hardware, the developers and the administrators. Hitting load-time goals at the desired millisecond level can only be achieved with alignment between software features, optimization best practices and the right hosting solution.

A content management system is at the centre of this entire process. Your CMS must enable developers to gain full control over how the HTML, CSS and JavaScript are handled, provide configuration options to administrators at the granular level, and facilitate caching at scale and expose APIs and mechanisms that align any custom development with the core framework.

The challenge is to achieve a very dynamic content management in the backend, while appearing static to visitors, regardless of the scale of content, users or hardware.

The CMS that you selected must provide the following:-

  1. Rich configuration options for browser and output caching.
  2. Sophisticated content-aware cache invalidation mechanisms.
  3. Tight integrations with various storage cloud providers.
  4. Scalability to cater for hundreds of concurrent users.

Scalability

It is not uncommon for a business to have to scale to thousands of users, and while this is a good problem to have, it usually requires thinking in terms of scaling up with hardware, which should not break the bank if you have the right software optimizations in place.

Having the right load balancing support is crucial to meeting those scalability demands, and load balancing is not only responsible for routing different people to different servers. Its main, yet very subtle, responsibility is to preserve the integrity of content and sessions regardless of how the load balancer distributes the requests.

The selected CMS should take care of output cache synchronization and should support various hardware devices and software frameworks.

An important aspect of large-scale projects is to separate the staging servers from the production servers and to enable content authors to prepare and synchronize content on an as-needed basis, usually in low-traffic time-frames.

Finally, the CMS you choose for your organization must adhere to the above basic considerations.

SharePoint Design Manager – Add an App Page Issue

Recently, I was working on creating a custom master page for Office 365 Application (SharePoint Online). I created Site and System Master Pages using Design Manager and customized as per the business requirements.

Issue – When you create a custom master page using Design Manager, the “Add an App” page may not show the complete list of apps or may not let you add them. Sometimes you will see only the “Noteworthy” apps, or the page stays on the “Working on it” message.

How to Fix this issue:-

Make sure your master page includes the following placeholders and that none of them is set to Visible=False. If you have implemented a custom breadcrumb and need to hide one of them, do not remove it; instead, wrap it in an HTML element such as a <div> with style="display:none":-

  • DeltaPlaceHolderLeftNavBar
  • PlaceHolderLeftNavBar
  • DeltaPlaceHolderPageTitleInTitleArea
  • PlaceHolderPageTitleInTitleArea
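The following fragment is an added example of what that wrapping looks like in a Design Manager HTML master page; it is not the snippet from the original post. Design Manager represents server controls as <!--MS: ... --> / <!--ME: ... --> comments, and the placeholder ids are the ones listed above; the BlockElement attribute and the surrounding div are assumptions for illustration.

```html
<!-- Hidden with CSS, not removed: the "Add an App" page still needs these
     placeholders to exist and to be Visible. -->
<div style="display:none">
  <!--MS:<SharePoint:AjaxDelta id="DeltaPlaceHolderLeftNavBar" BlockElement="true" runat="server">-->
    <!--MS:<asp:ContentPlaceHolder id="PlaceHolderLeftNavBar" runat="server">-->
    <!--ME:</asp:ContentPlaceHolder>-->
  <!--ME:</SharePoint:AjaxDelta>-->

  <!--MS:<SharePoint:AjaxDelta id="DeltaPlaceHolderPageTitleInTitleArea" runat="server">-->
    <!--MS:<asp:ContentPlaceHolder id="PlaceHolderPageTitleInTitleArea" runat="server">-->
    <!--ME:</asp:ContentPlaceHolder>-->
  <!--ME:</SharePoint:AjaxDelta>-->
</div>
```

Put this in the HTML version of the system master page; Design Manager regenerates the .master file from it, so edits made directly to the .master are overwritten.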

Once I wrapped the placeholders this way in the system master page file, the apps you can add started showing up again. 🙂

Hope this helps SharePoint developers 🙂

Selecting a Content Management System that supports your Business

Recently, one of my customers asked for a Content Management System (CMS), and being a SharePoint developer and consultant, I proposed SharePoint Server as the CMS. Afterwards, while analysing different CMSs on the market, I decided to write this article, which focuses mainly on a CMS named “Sitefinity” (http://www.sitefinity.com/).

Why Invest in a CMS?

Before deciding to buy a Content Management System (CMS), you want to get a clear idea of how a new platform will support your business goals. What kind of technology do you need to look for? Moreover, is it possible to predict what will work and what will not in a year?

What to look for

The key parameters that I think should be taken into consideration when choosing a CMS are-

  1. Managing experiences
  2. Extensibility and integration with key business systems
  3. Costs and pricing models
  4. Multi-device strategies
  5. Content creation and multi-channel publishing
  6. Governance and reporting tools

Managing experiences

Questions to consider:-

  1. What does my customer journey look like and where are the digital touchpoints?
  2. How does the CMS support personalization?
  3. How does the CMS support content through multiple channels?
  4. How does the CMS allow me to track and report user behaviour?
  5. How will the CMS become an asset in my overall customer experience management?

Extensibility and integration with key business systems

Questions to consider:-

  1. Is the CMS designed to integrate out of the box?
  2. Is it possible to integrate user data with analytics from other platforms?
  3. How often will I need to update and integrate with new applications?
  4. How often will I need to update functionalities?
  5. Which business systems do I need to integrate with?
  6. How many of my required functionalities are standard in the CMS?
  7. Will I have the support of in-house developers or will I need to buy outside help when integrating or developing? 

Costs and pricing models

Questions to consider:-

  1. What is the total cost of ownership, including licences, support, development, hosting?
  2. Does the license scale with additional servers without adding extra cost?
  3. What is the cost of upgrades and if applicable new modules?
  4. What will it cost to maintain and support your mobile endeavours?
  5. What kind of licensing model will fit your organization?


Multi-device strategies

While deciding for multiple devices, the first and foremost should be always mobile and tablets. Start with implementing the mobile touchpoints where you gain the most. When looking at a new enterprise CMS, look at how it can support customer experience management with respect to mobile. You want to look at whether the backend allows you to track, assess, develop, test and preview on multiple devices.

Content creation and multi-channel publishing

Questions to consider:-

  1. How user-friendly is the dashboard?
  2. How easy is it to create new content?
  3. Can you manage the customer journey?
  4. How easily can the content be reused and published in multiple channels? 

Governance and reporting tools

Questions to consider:-

  1. How user-friendly is the dashboard?
  2. How seamless is the back-end user experience?
  3. Can you set up user administration that fits your organization?
  4. What kind of workflows can you set up?
  5. Does the CMS ship with quality management and reporting tools, or does it integrate easily with third-party tools?

Summary: I would suggest the following steps, which need to be followed before buying a CMS:-

  1. Define goals and strategies
  2. Define your business case
  3. Know your data or content
  4. Talk to your users
  5. Organisation and governance
  6. Resources
  7. Requirements

 About Sitefinity

Sitefinity is a web content management system from Telerik (commercially licensed, with a time-limited free trial). It is much like SharePoint Server and has almost all the features required of a content management system.

Below are some of the important links for Sitefinity:-

  1. Sitefinity Support – http://www.telerik.com/support/sitefinity
  2. Sitefinity System Requirements – http://www.sitefinity.com/resources/system-requirements

If you download the free trial, you get a project manager called “Sitefinity CMS Project Manager” in which you can create multiple projects or applications.


In addition, for custom development, Sitefinity provides a Visual Studio add-in called “Sitefinity Thunder”.


OWASP Security in SharePoint

OWASP stands for “Open Web Application Security Project”. This article lists the OWASP Top 10 risks that a SharePoint server can be exposed to and their preventive measures.

Most of these threats and their preventive measures are available on the internet, but here I have tried to put them together in one place.

Risk 1 – Injection

Threat: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Prevention: Prefer the SharePoint object model and services (lists and libraries, the User Profile service, Business Data Connectivity) over direct connections to SQL Server or LDAP, so that custom code never assembles its own SQL or LDAP queries. Note that CAML is itself a query language handed to an interpreter: a CAML query built by concatenating user input is open to CAML injection, so validate values against an allow-list and XML-escape them before placing them inside a <Value> element.
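As an added example (not code from the original article), here is the vulnerable CAML pattern next to a hardened one, using the SharePoint server object model. The “Orders” list and its “CustomerId” text column are assumptions for illustration.

```csharp
using System;
using System.Security;
using System.Text.RegularExpressions;
using Microsoft.SharePoint;

// Added example, not code from the original article. The "Orders" list and
// its "CustomerId" text column are assumptions used for illustration.
public static class OrderLookup
{
    // Vulnerable: the request value is spliced into CAML as-is. CAML is XML
    // handed to an interpreter, so a value containing markup (one that closes
    // </Value></Eq> and opens its own condition) changes the shape of the
    // query instead of being compared as a literal. No raw SQL is involved,
    // but the query is still under the attacker's control.
    public static SPListItemCollection FindOrdersUnsafe(SPWeb web, string customerId)
    {
        SPQuery query = new SPQuery();
        query.Query = "<Where><Eq><FieldRef Name='CustomerId'/>"
                    + "<Value Type='Text'>" + customerId + "</Value></Eq></Where>";
        return web.Lists["Orders"].GetItems(query);
    }

    // Allow-list for the value: letters, digits and hyphens, 1-32 characters.
    private static readonly Regex CustomerIdPattern = new Regex("^[A-Za-z0-9-]{1,32}$");

    // Hardened: the value must match the allow-list, is XML-escaped as defence
    // in depth so it can only ever be character data inside <Value>, and the
    // query runs through the caller's own SPWeb so SharePoint's security
    // trimming still applies to the results.
    public static SPListItemCollection FindOrders(SPWeb web, string customerId)
    {
        if (customerId == null || !CustomerIdPattern.IsMatch(customerId))
        {
            throw new ArgumentException("customerId must be 1-32 letters, digits or hyphens.");
        }

        // SecurityElement.Escape replaces < > & " ' with XML entities.
        string literal = SecurityElement.Escape(customerId);

        SPQuery query = new SPQuery();
        query.Query = "<Where><Eq><FieldRef Name='CustomerId'/>"
                    + "<Value Type='Text'>" + literal + "</Value></Eq></Where>";
        query.ViewFields = "<FieldRef Name='Title'/><FieldRef Name='CustomerId'/>";
        query.RowLimit = 100;  // bound how much a single request can pull back
        return web.Lists["Orders"].GetItems(query);
    }
}
```

Pass SPContext.Current.Web (the requesting user's context) as the SPWeb; a web opened inside SPSecurity.RunWithElevatedPrivileges would return items the user is not allowed to see, which turns an injection flaw into a data exposure.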

Risk 2 – Cross-Site Scripting (XSS)

Threat: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser that can hijack user sessions, deface web sites or redirect the user to other malicious sites.

Prevention: Properly escape all untrusted data for the HTML context it is placed in (body, attribute, JavaScript, CSS or URL) before inserting it into the page; in SharePoint code, SPHttpUtility.HtmlEncode and the related encoders in Microsoft.SharePoint.Utilities cover the common contexts. Along with this, use positive (“whitelist”) input validation, which helps in protecting against XSS. Also consider a Content Security Policy (CSP) to limit what injected script could do across the site.
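The following added example (not code from the original article) renders the same two untrusted values, a display name and a profile URL, first unsafely and then encoded for the context each one lands in. The values are assumed to come from a list item the user can edit; the class and method names are illustrative.

```csharp
using System;
using Microsoft.SharePoint.Utilities;

// Added example, not code from the original article.
public static class ProfileLinkRenderer
{
    // Vulnerable: untrusted values written straight into markup. A display
    // name such as  <img src=x onerror=alert(1)>  or a URL such as
    // javascript:alert(1)  executes script in every visitor's browser.
    public static string RenderUnsafe(string displayName, string profileUrl)
    {
        return "<a href='" + profileUrl + "'>" + displayName + "</a>";
    }

    // Hardened: each value is encoded for its own context.
    //   HTML body and attribute text -> SPHttpUtility.HtmlEncode
    //   URL                          -> scheme allow-list first, then encode
    //   (for a JavaScript string literal you would use
    //    SPHttpUtility.EcmaScriptStringLiteralEncode instead of HtmlEncode)
    public static string RenderSafe(string displayName, string profileUrl)
    {
        string href = IsAllowedLink(profileUrl) ? profileUrl : "#";
        return "<a href=\"" + SPHttpUtility.HtmlEncode(href) + "\">"
             + SPHttpUtility.HtmlEncode(displayName) + "</a>";
    }

    // Encoding alone does not make a URL safe: "javascript:..." survives
    // HtmlEncode intact. Allow site-relative paths and http(s) absolute URLs
    // only; reject javascript:, data:, vbscript: and protocol-relative forms.
    public static bool IsAllowedLink(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        string trimmed = url.Trim();

        // "/path" is fine; "//host" and "/\host" are protocol-relative to the browser.
        if (trimmed.StartsWith("/"))
        {
            return !trimmed.StartsWith("//") && !trimmed.StartsWith("/\\");
        }

        Uri parsed;
        if (!Uri.TryCreate(trimmed, UriKind.Absolute, out parsed)) return false;
        return parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps;
    }
}
```

Note the order in RenderSafe: the URL is validated as a URL before it is encoded as HTML, because the two are different concerns, and a value that passes one check can still fail the other.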

Risk 3 – Broken Authentication and Session Management

Threat: Application functions related to authentication and session management are often not implemented correctly thereby allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

Prevention: Use claims-based authentication and the default SharePoint session management to meet the authentication and session management requirements defined in OWASP’s Application Security Verification Standard areas V2 (Authentication) and V3 (Session Management).

Risk 4 – Insecure Direct Object References

Threat: A direct object reference occurs when a reference is exposed to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Prevention: Rely on SharePoint’s permission model (site, list and item permissions) and make sure custom code does not bypass it:

  • Check access. Each use of a direct object reference from an untrusted source (an item ID or file URL taken from the query string) must be resolved in the requesting user’s context and include an access control check, so that code running with elevated privileges never hands back an object the user is not authorized to see.
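As an added example (not code from the original article), the two methods below read a document by an ID taken from the request. The first elevates and therefore answers for any ID; the second resolves the reference as the requesting user and checks the permission the action needs. The “Contracts” library and the Title field are assumptions.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not code from the original article. The "Contracts" library
// is an assumption used for illustration.
public static class ContractAccess
{
    // Vulnerable: the code elevates to read the item, so SharePoint's own
    // permission check runs as the system account. Any authenticated user who
    // guesses another itemId gets that document's data.
    public static string ReadContractUnsafe(Guid siteId, Guid webId, int itemId)
    {
        string title = null;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists["Contracts"].GetItemById(itemId);
                title = item["Title"] as string;
            }
        });
        return title;
    }

    // Hardened: the raw reference is validated, resolved through the
    // requesting user's own SPWeb (SPContext.Current.Web, never an elevated
    // one), and checked explicitly for the permission this action needs.
    // SharePoint applies the user's permissions to GetItemById, and
    // CheckPermissions throws UnauthorizedAccessException when the item has
    // its own, tighter ACL.
    public static string ReadContract(SPWeb userWeb, string rawItemId)
    {
        int itemId;
        if (!int.TryParse(rawItemId, out itemId) || itemId <= 0)
        {
            throw new ArgumentException("itemId must be a positive integer.");
        }

        SPListItem item = userWeb.Lists["Contracts"].GetItemById(itemId);
        item.CheckPermissions(SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems);
        return item["Title"] as string;
    }
}
```

If a feature genuinely needs elevation (for example, writing to a log list the user cannot edit), do the authorization check in the user’s context first, as ReadContract does, and only then elevate for the narrow operation that requires it.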

Risk 5 – Cross-Site Request Forgery (CSRF)

Threat: A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

Prevention: SharePoint’s own protection is the form digest, and custom code has to keep it in the loop:

  • Include the FormDigest control (<SharePoint:FormDigest runat="server" />) on every custom page that changes state; it renders a per-user, time-limited token into the form.
  • Validate the token before acting on a post-back with SPUtility.ValidateFormDigest(); for REST or web service calls, obtain the digest from /_api/contextinfo and send it in the X-RequestDigest header with every request.
  • Do not work around the “security validation for this page is invalid” error by setting AllowUnsafeUpdates = true; that disables the check. If it is unavoidable, set it only after validating the request, around the update itself, and restore the previous value afterwards.
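The code-behind below is an added example (not code from the original article) of a custom application page that follows those steps. It assumes the page markup contains <SharePoint:FormDigest runat="server" />, a TextBox named txtTitle and a button wired to btnSave_Click; the “Requests” list is also an assumption.

```csharp
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Added example, not code from the original article. Assumes the .aspx
// declares <SharePoint:FormDigest runat="server" /> plus a TextBox txtTitle
// and a Button whose Click handler is btnSave_Click.
public partial class SubmitRequestPage : LayoutsPageBase
{
    protected TextBox txtTitle;

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // The FormDigest control emitted a per-user, time-limited token with
        // the form. A cross-site POST forged by an attacker cannot supply a
        // valid one, so reject the request before any state changes.
        if (!SPUtility.ValidateFormDigest())
        {
            SPUtility.TransferToErrorPage("The security validation for this page is invalid.");
            return;
        }

        SPWeb web = SPContext.Current.Web;           // requesting user's context
        SPListItem item = web.Lists["Requests"].Items.Add();
        item["Title"] = txtTitle.Text;
        item.Update();  // permitted: the digest was validated for this request
    }

    // Anti-pattern kept for contrast: this is what silencing the error looks
    // like. With AllowUnsafeUpdates = true the update succeeds for any POST,
    // including a forged one, so the CSRF protection is gone.
    protected void btnSave_Click_Unsafe(object sender, EventArgs e)
    {
        SPWeb web = SPContext.Current.Web;
        web.AllowUnsafeUpdates = true;
        SPListItem item = web.Lists["Requests"].Items.Add();
        item["Title"] = txtTitle.Text;
        item.Update();
        web.AllowUnsafeUpdates = false;
    }
}
```

Never change state on a GET request: a GET carries no digest, and the link can be triggered from any page the victim visits.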

Risk 7 – Insecure Cryptographic Storage

Threat: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Prevention: To prevent Insecure Cryptographic storage, follow the steps mentioned below:

  • Identify all sensitive data (credentials, personal data, card numbers) and encrypt it at rest as well as in transit. In SharePoint, keep application credentials in the Secure Store Service rather than in web.config or list items, and never store passwords reversibly; use a salted, slow hash.
  • Protect copies as carefully as the live data: backups and exports need the same encryption and access controls.
  • Use standard, well-reviewed algorithms (AES, SHA-2) with strong keys rather than relying on a proprietary algorithm staying secret. Store keys separately from the data they protect and restrict who can read them, including application administrators.
  • Minimise how long sensitive values live in memory and clear them when done (for example, zeroing byte arrays after use or holding secrets in SecureString), and use strong encryption for anything that must be kept.

Risk 8 – Failure to Restrict URL Access

Threat: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

Prevention: Enforce authorization on every request for a page or file, not only when deciding whether to render a link to it. In SharePoint, set permissions at the site, list or item level so that anonymous and low-privileged users cannot read sensitive content, never grant anonymous read access to libraries holding sensitive files, and keep the farm’s blocked file types list in place so that server-side files cannot be fetched directly by URL.

Risk 9 – Insufficient Transport Layer Protection

Threat: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

Prevention: Require TLS for every web application and zone that handles authentication or sensitive data (HTTPS bindings in IIS with a certificate from a trusted CA, and Alternate Access Mappings that use https URLs), so that credentials, claims tokens and session cookies never travel in the clear. Mark session cookies Secure, disable weak protocols and cipher suites on the servers, replace expiring certificates before they lapse, and avoid mixing http and https content on the same page.

Related to this, keep every component current: identify all components and versions in use, including dependencies, monitor their security in public databases and security mailing lists, and keep them up to date. Establish policies governing component use, such as required development practices, passing security tests and acceptable licences, and consider security wrappers around components to disable unused functionality or harden weak aspects of a component.

Risk 10 – Unvalidated Redirects and Forwards

Threat: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Prevention: Avoid using redirects and forwards where possible. Where they are used, do not involve user parameters in calculating the destination. If destination parameters cannot be avoided, ensure the supplied value is valid and authorized for the user, for example by allowing only paths on your own site.
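As an added example (not code from the original article), this helper validates a return-URL style parameter, such as the Source or ReturnUrl query string values common on SharePoint pages, before the page redirects to it. The parameter name and the fallback path are assumptions.

```csharp
using System;

// Added example, not code from the original article. Call with
// Request.QueryString["ReturnUrl"], Request.Url and a constant fallback path.
public static class ReturnUrlPolicy
{
    // Returns the candidate only if it stays on this web application: a
    // site-relative path (single leading slash) or an absolute URL whose
    // scheme, host and port match the current request. Anything else yields
    // the fallback, so the parameter cannot be used to send a victim to a
    // phishing site.
    public static string Resolve(string candidate, Uri currentRequest, string fallbackPath)
    {
        if (string.IsNullOrEmpty(candidate) || candidate.Length > 2048)
        {
            return fallbackPath;
        }

        string trimmed = candidate.Trim();

        // "/sites/hr/Pages/Default.aspx" is local; "//evil.example" and
        // "/\evil.example" are treated as protocol-relative by browsers.
        if (trimmed.StartsWith("/"))
        {
            return (trimmed.StartsWith("//") || trimmed.StartsWith("/\\")) ? fallbackPath : trimmed;
        }

        Uri target;
        if (Uri.TryCreate(trimmed, UriKind.Absolute, out target)
            && (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps)
            && string.Equals(target.Host, currentRequest.Host, StringComparison.OrdinalIgnoreCase)
            && target.Port == currentRequest.Port)
        {
            return target.PathAndQuery;  // hand back only the local part
        }

        return fallbackPath;   // javascript:, data:, other hosts, relative "..": all rejected
    }
}
```

Redirect to the returned value (for example with SPUtility.Redirect or Response.Redirect) and nothing else; returning only PathAndQuery for same-host absolute URLs also strips any userinfo or fragment tricks from the original value.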

SharePoint Branding – Hiding Header/Footer in Dialogs (Modal-Popup)

Recently, I was working on an Office 365 application and wanted to open a modal pop-up on the click of an anchor tag from a custom publishing page. The requirement was to show a new item form in the modal pop-up. I had worked on this kind of requirement back in SharePoint 2010, but not in Office 365.

SharePoint allows us to hide elements from dialogs, however the CSS class to change such elements has changed from SharePoint 2010 to SharePoint 2013 & Office 365.

So, for example, when we create a custom master page, we usually add a custom header and footer to the System Master Page. These then also appear in the modal pop-up, which is not wanted. The solution for this problem is:-

  1. In SharePoint 2010, the CSS class name was “s4-notdlg”. This class needs to be added to any HTML element that we want to hide in the modal pop-up.
  2. In SharePoint 2013 or Office 365, we use the same method, just a different CSS class “ms-dialogHidden”.

NOTE:-

  1. You can add the ms-dialogHidden class to any HTML element in your Master Pages and Page Layouts.
  2. If you have created separate master pages for Site and System (Option available in site Settings Master Page), then you need to specify this class in System Master Page HTML.

SharePoint Search Index Partition Error

Recently, the client reported that search service application has stopped working in the production server and that they are not getting the search results. When I checked the search service application, under Search Application Topology section, I saw Search Index partition error – a yellow triangle. This definitely meant something is wrong with Index partition in that particular server.

Try the following steps in order; the first two may be enough, so reset the search index only if they are not:-

  1. Clear the SharePoint Server Cache. Follow this article for detailed steps – Clearing the Configuration Cache
  2. Restart the ‘SharePoint Server Search 15’ service (services.msc) listed under Services(Local).
  3. Reset search index (Option available on left in Search Service Application Configuration Page)

The above steps need to be performed on every server in the farm that runs the Search service (not on the web front ends, assuming no search components are running there).

If the indexes are not corrupted and nothing more serious has happened to your search, the topology should show tick marks under all the components after clearing the cache and restarting the service. Then run a full crawl, and everything should work as before.

This worked for me and hope it helps many 🙂

The last resort for this issue is to rebuild or recreate the whole Search Service Application.