DotNetNuke has always shipped with Public set as it's default portal (site) registration (you can read more about the registration options here). This was a decision that was inherited from the IBuySpy portal codebase that early versions of DotNetNuke utilized, and whilst it has advantages in enabling users to sign up immediately after installation, there are some drawbacks. We analyzed the last 18 months of security issues and found that approximately 44% of them required the potential hacker to have a valid, authorized user account to start off with. As the install default was “Public” for registration, gaining a valid user was a trivial step.
As many sites ultimately aren't intended for public users (e.g. a personal site may have only one user or a business site may use active directory integration), the decision was made to change the site registration type to "Private" in 7.0.0 to add an additional layer of defense-in-depth. Now, when you perform an installation when you click registration you will see the note on the screen that informs the user of this:
For a user to gain portal access now, the site administrator (or host) has to go to admin->user accounts and authorize that user.
Changing site registration
In some cases sites may prefer the “old” default. If your site wants this then you can change this prior to installation by amending the relevant template file in portals/_default e.g. if you plan to install with the blank template edit Blank Website.template and change the useregistration node e.g. for private it is set as follows:
You can change this value to one of the supported values e.g.
- 0 – no registration
- 1 – private registration
- 2 – public registration (the “old” default)
- 3 –verified registration
Note: only the English (en-US) templates ship with the product, other templates are downloaded on demand via the update service during installation, so you do not have the option to alter this value during installation. Instead you will have to change it via the UI after installation.
If you’ve already installed the site and want to change the setting, log in as an admin or host and go to admin->site settings, click on the user account settings tab and change it via the user registration radio button.