
LoopyCMS Administration - Site Configuration

Dateline: September 18, 2003
 

Overview

If you are just configuring your copy of the LoopyCMS, pay special attention to the security recommendations in this section. Installing a web server on an unsecured computer or a website administration application in an insecure way could lead to unfortunate consequences.  I will give you simple but detailed instructions, with pictures, on how to properly secure your computer and your website.  Because of the nature of what this application does, some of the admin tools just can't be made entirely safe if not properly secured. 

If you're in doubt, temporarily remove (or don't install) SiteMan. SiteMan allows editing of any page on the site.  In fact, if you don't need it, don't install SiteMan at all: it's an optional component that is not essential for the operation of the LoopyCMS or its administration.

The other application that poses some danger is the Page Template Editor.  You use it to create pages on the site.  A clever and dedicated hacker could potentially subvert the security measures I've put in place to prevent this, but why find out?  Secure the Admin directory as discussed below.  Or, a better option that I recommend for business users: use the development workstation/production server model.  More on that in the security section of this document.

Finally, for business users, I suggest (and please don't think me crass for suggesting it) that you contract the services of myself or one of my trusted associates to initialize, configure and customize your site to get it up and running.  Considering that the best know-how on building and running applications from the "mode school" of web application programming is within my company, we can much more quickly jumpstart your site to the point where you can manage and run it yourself.  And considering that building a LoopyCMS site is so much faster than building other types of websites, you still come out ahead over other approaches.  If you want to do ongoing and extensive development with in-house developers, I would recommend training in the "mode school" of web application development (the basic methodology) and LoopyCMS development training.

Ok, now on with the details of getting up and running.

Installation

If you're familiar with running IIS, this will be easy.  If you're not, well, it's still not hard, but, of course, you should familiarize yourself with running IIS sooner rather than later.

Getting ready for installation:

  • Install IIS (if it is not already installed).  Supported operating system versions: Windows 2000, Windows XP Professional, Windows Server 2003. See the images below for recommended installation choices



  • If the SMTP Server component of IIS is not installed, install it.
  • Clean out the default installation items and remove all virtual roots automatically created.
  • Patch your system!  Install all critical updates. Download the Microsoft Baseline Security Analyzer and follow its recommendations.
  • Unzip the LoopyCMS zip file.  The Content directory, the VRoots directory and the wwwroot directory are created.  If you're not using wwwroot as the home directory for your site, move the files to that location.  Whatever that directory is, all three directories should be in the same folder.  Unlike the example images shown in the documentation, your content folder contains a folder called "default", rather than the example site's "emo" content folder.  If desired, change the folder name to something more descriptive. Here's what it should look like when you're done (with the exceptions noted).

    The Content directory contains all the elements and content you'll create for your site.  The VRoots directory contains the Admin tools, the Includes directory with the code that actually runs the site, and SiteMan, if you choose to install it.  The wwwroot directory contains your pages and images.
  • Set security on the filesystem as shown.  If you do this on a Windows XP Professional system, disable simple security so that you can set permissions on the file system on a per-user basis. 

    Make this change for the pub directory as a whole. Give yourself and any other users who want access to the system full control.  Substitute your accounts for my "Dr. Laniac" account.


    Grant the computer's Internet Guest account read permission.


    Lastly, remove the Internet Guest account's permissions from the Admin directory and the SiteMan directories under VRoots.  This is crucial!  Make sure the guest account does not have permission to run admin tools or SiteMan.
  • Configure IIS
    • Here's a picture of where we're headed, from the Internet Information Services control panel (from Administrative Tools), with virtual roots created.
      The overview of the site.  The funny looking folders are the Virtual Roots we'll be creating.


      Here's what the paths to those virtual roots should be, with the default installation path to your web directories.

      for wwwroot:
       
      for Includes:

    • Create your virtual roots. Creating virtual roots is easy: for Admin, Includes and SiteMan, right click on "Default Website" and select "New" and then "Virtual Directory".  You'll be prompted for a name (Admin, Includes, SiteMan) and a path (as shown, with modifications for your installation paths).
    • Set properties on the site and on the Admin, SiteMan, Includes and Content-related virtual roots.

      Site permissions









    • Set permissions on the Admin virtual root (and SiteMan, if it's installed)





    • Configure Error Messages
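
To check the file-system step above (no Internet Guest access to Admin or SiteMan), here is an added PowerShell example; it is not part of LoopyCMS or the original article. It assumes the default IIS 5/6 anonymous account name IUSR_<computername>, a placeholder $SiteRoot, and the Admin and SiteMan folder names under VRoots, and it also flags broad groups such as Everyone, which goes beyond the step as written.

```powershell
# Added example: report Allow entries that let anonymous web requests read
# the Admin and SiteMan folders. Not part of LoopyCMS.
param(
    # Placeholder: the folder that holds Content, VRoots and wwwroot.
    [string]$SiteRoot  = 'C:\path\to\site',
    # Assumption: default IIS 5/6 anonymous account, IUSR_<computername>.
    [string]$GuestName = "IUSR_$env:COMPUTERNAME"
)

# Groups whose Allow entries also apply to the guest account by default
# (an extension beyond the step in the article).
$broad = 'Everyone', 'BUILTIN\Guests', 'BUILTIN\Users',
         'NT AUTHORITY\Authenticated Users'

function Get-GuestAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.IdentityReference.Value -like "*\$GuestName" -or
            $broad -contains $_.IdentityReference.Value)
    }
}

$failed = $false
foreach ($dir in 'VRoots\Admin', 'VRoots\SiteMan') {
    $path = Join-Path $SiteRoot $dir
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "SKIP  $path (not present)"
        continue
    }
    $aces = @(Get-GuestAce -Path $path)
    if ($aces.Count -eq 0) {
        Write-Host "OK    $path"
        continue
    }
    $failed = $true
    foreach ($ace in $aces) {
        # Inherited entries come from the parent folder's grant.
        $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host "FAIL  $path : $($ace.IdentityReference) $($ace.FileSystemRights) ($src)"
    }
}
if ($failed) { exit 1 }
```

A FAIL line marked "inherited" means the read permission granted on the parent folder is still flowing down; that entry goes away only when inheritance is turned off on the Admin or SiteMan folder, not by deleting it in place.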









OK, well, we're almost there.  Now, a few changes to the global site settings file.

Configuration

Now, let's look at configuring the global application settings: in the Includes directory, open Config.asp.  Many of the site-wide constants are set here, so this should be the last stop in getting your site jumpstarted.

Here's what we'll be working from:

Let's go over those and show you how to change them for your needs. 

 

Security

Hey, we've all heard plenty of security horror stories.  Well, I have, anyway.  But then, I've run web server environments for a living.  The thing is, almost never does it need to happen.  People cap on M$ all the time about this issue, but most of the holes and other problems can be avoided by keeping up on the patches.  Win2K and WinXP and Windows 2003 all have the ability to automatically install critical security updates.  A proper firewall and network architecture also go a long ways to keeping things safe.  

However, I still can't believe how many people out there have a cable modem or DSL modem and are basically just hanging out unprotected on the Internet.  I have a router at home, and run some of my sites, like LoopyNews and Logon Networking, on a server behind the router at home.  Only port 80 (webserver) traffic, ports 25 and 110 (for email) and a high-numbered port for my development web server are visible from the outside world.  I keep up to date on patches, I lock down permissions on application directories, I use passwords within web applications themselves.  I review code for potentially unsafe activities or places I could be giving a haxor (I'm a hacker, haxors are the bad ones) a foothold.

If you run a webserver, you need also to consider the potential damage a breach could cause and try to limit it.  In a business environment, it means not putting a webserver on your office file server and putting that out on the Internet.  It means planning for security and implementing a good methodology.  For a home user running a webserver on their workstation (hopefully behind a firewall/router or at least with personal firewall software), it means keeping up to date on patches and being careful about what they do.  It means doing a little research and learning how to be safe.

If you're not ready for this kind of commitment, don't do it.  Or pay someone to help you be ready.  Or outsource your website to one of the ASP web hosting companies out there.

Conclusion

Well, if you've read all this and plan to proceed with your own LoopyCMS site, I thank you.  I've put a lot of hard work into developing it.  Six years of refining my web application development methodology has gone into arriving at this release of my integrated Web Application Development Framework and Content Management System.  I hope your site flourishes.

Lane Schwark
author of the LoopyCMS