Environment: MODX 2.5.8
MySQL 5.0.95 on a separate server accessed remotely, no known issues
New web server (the DESTINATION):
PHP 7.1.7, no known issues
Windows Server 2016, IIS 8.5
Old server (the SOURCE):
CentOS 6; PHP 5.3; MODX 2.5.1.
BUT, I am currently focused on an installation on DESTINATION and done as a fresh install of 2.5.8.
1. What to put in web.config for "friendly URLs"? I got something out of IIS's URL rewrite and Import.
2. What is the right mitigation for the configuration check... if it matters, the site is running using an Active Directory domain user and its own application pool with this user set on it.
1. Your site is vulnerable to hackers who could do a lot of damage to the site. Please make your config file read only! It is located at D:\<site directory>\www/core/config/config.inc.php
MITIGATION: Added "Deny" on Write to core/config/config.inc.php. Windows would not let me deny modify without also including the read&execute and list.
This satisfied the MODX check.
Installer still present but led to this:
1b: Core folder is accessible by web
MODX detected that your core folder is (partially) accessible to the public. This is not recommended and a security risk. If your MODX installation is running on an Apache webserver you should at least set up the .htaccess file inside the core folder D:\<site directory>\www/core/. This can be easily done by renaming the existing ht.access example file there to .htaccess.
MITIGATION: Want to get a 403 error for this: https://<site directory>/core/docs/changelog.txt
MITIGATION: I tried to deny read access to core via deny read permissions. Stopped the entire manager from working. Thus I removed it.
MITIGATION: I still have to drill through the hardening guide, but am having difficulty understanding it.
If you setup everything correctly, browsing e.g. to the Changelog should give you a 403 (permission denied) or better a 404 (not found). If you can see the changelog there in the browser, something is still wrong and you need to reconfigure or call an expert to solve this.
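The two IIS-side pieces the questions above ask for (friendly URLs, and making /core/ unreachable over HTTP without touching NTFS permissions) can both be expressed in one web.config. The fragment below is an added example, not something from the thread or from the MODX project; it assumes the URL Rewrite module is installed (as mentioned in question 1), that the site root is the www folder that holds index.php and core/, and it mirrors the RewriteRule from MODX's ht.access example (`index.php?q=$1` with the query string appended).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.config for a MODX site on IIS (assumed layout: www/ is the site root). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Question 1: friendly URLs.
             IIS equivalent of the ht.access rule: any request that is not an existing
             file or directory is rewritten to index.php?q=<path>, keeping the original
             query string. Existing files (css, js, images) are served untouched. -->
        <rule name="MODX friendly URLs" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>

    <!-- Check 1b: core folder accessible by web.
         Request Filtering hidden segments make IIS answer 404 for any URL containing a
         path segment named "core", before PHP is involved and independent of NTFS ACLs.
         PHP still reads core/ from disk, so the manager keeps working (unlike the
         "deny read" ACL attempt described above). -->
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="core" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying it, browsing to https://<site directory>/core/docs/changelog.txt should return 404, which is the "better" outcome the quoted guidance describes. Two caveats: a hidden segment matches that name anywhere in the path, so a URL such as /assets/core/... would also be hidden; if that is a problem, use a rewrite rule instead (`<match url="^core/" />` with `<action type="CustomResponse" statusCode="403" .../>`, placed before the friendly-URL rule) to get the 403 asked for in the post. And hiding the folder over HTTP does nothing for the first check (config.inc.php writable): that one is about the file's NTFS write permission for the application pool user, which the "Deny Write" change above addresses. The setup/ installer directory is best removed from the site root once installation is finished rather than hidden.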