Learn More





Security - reducing attack surface

Return to previous page

  • 4/7/2015



Security - reducing attack surface

Last updated 1 year ago



(Enter the content of this article below)




DotNetNuke ships with a number of different modules and features, not all of which you may need or want in your installation(s). Reducing the potential attack surface area of a system by running only those services and features needed is a good security best practice. Ideally you should refrain from installing un-required components, but it’s also possible to remove modules after installation.

Pre-installation procedure

During installation, DotNetNuke checks the Install Folder, and iterates through it’s sub folders, installing resources. Before you install DotNetNuke, please explore these folders, and remove any components, particularly modules, that you do not plan to use in this particular install or modules that have been superseded by more advanced versions e.g. the discussions module if often removed as the forums module is much more advanced.

To delete it go to install/module and remove Discussions*.zip (note: the name will differ depending on the version of DotNetNuke and whether you use the source or install downloads) .

Post-installation procedure

If you have existing DotNetNuke installations and want to remove unwanted modules, you can do this via the existing GUI.

  • Log in as a Superuser (e.g. the “Host” user)
  • Go to Host->Extensions
  • Click on the delete icon to the left of the module you want to remove.
  • Repeat the process for any other modules you wish to remove.

Premium modules

DotNetNuke has always supported modules that are only available to admin or host users, but it also supports the concept of premium modules, where a module is installed but only available to the host (supeuser), but the host user can also add it to the list of allowed modules on a portal.

The following video covers how to use premium modules.


When a new portal is created, all available and valid modules are automatically assigned to a portal. To avoid this auto-assigmenet, log in as a host (superuser) and go to host->extensions. Click on the pencil icon to edit the extension and check the "is premium module" option if you want to disable auto-assignment.

Assigning portal access

Modules that have been indicated as being premium can still be assigned to a portal. To do this, log in as host (superuser) and go to admin->site settings, go to the advanced settings section and expand host settings. Two lists are shown, the list of available modules and the the list of selected modules - to add/remove an extension from a portal use these lists.

Deploying modules

In the 5.0 version DotNetNuke added a custom permission to determine what users/groups have the rights to deploy an individual module. To access this, log in as an Administrator and go to Admin->Extensions. Click the edit icon beside the extension and when it appears you will see a grid listing all the roles and whether they have "deploy" permissions for that extension in the current portal - use this to add/deny the ability for a user/group to deploy a module.

No sections defined
Try Evoq
For Free
Start Free Trial
a Demo
See Evoq Live
Need More Information?