After days or months hard work, are you ready to publish your MapGuide application to the public world? If your answer is yes and you don't want your MapGuide site exposed to the hackers for their entertainment, please wait a minute and read this blog first J
Maybe you have known that we have very convenient test page to test most functionalities of MapGuide Enterprise/OpenSource. I mean the MapAgent, you can access it from http://servername/mapguideopensource/mapagent/index.html. But it is also very dangious for a public MapGuide site, even the "Anonymous" user account has access to the HTTP test pages with the default security setup. Server Admin allows someone to take the MG server offline without having to enter any credentials. Is it terrible? To disable the HTTP test pages, you can remove it from the public website, just delete the HTTP test pages (www/mapagent/*.html, *.js, *.php).
Here are a few another suggestions for hardening the security on a production MapGuide site:
Of cause, the first thing is to change the Admin password in MapGuide Site Administrator (http://servername/mapguideopensource/mapadmin/login.php ), see the screenshot below:
And then, if you are sure that you will not using the Site Administrator, you can remove it from the website. All of these pages require authentication but they do give a lot of information to anyone who can figure out the credentials. To disable the web administrator, delete the <webdir>\www\mapadmin folder.
You can also disable all of the HTTP "author role" commands by adding the following to www/webconfig.ini
[AgentProperties]
DisableAuthoring = 1
Please note that disabling authoring kills Maestro and Autodesk MapGuide Studio. You can set up secure connections for Administrations and authoring. The way this is set up, you end up with a URL of the form https://servername/mapguideopensource or http://servername/mapguide2010/ , which can be used in Autodesk MapGuide Studio or Maestro to do the authoring work.
If the administration and authoring do not need to be made publicly available, an alternative installation can be like this:
You can do that on both Apache and IIS, we have a document to show you how to do the configuration step by step, you can download it from here: http://images.autodesk.com/adsk/files/secure_autodesk_mapguide_enterprise_site.pdf
Finally, if you are not using WMS or WFS, you can also disable serving of these protocols with
[AgentProperties]
DisableWfs = 1
DisableWms = 1
Now, it is time to take action, go and make your MapGuide Site publicly and strong! Cheers! J