SPE provides several web services for external access and automation. By default, most services are disabled to minimize the attack surface. This guide explains each service and how to secure them when enabled.
Web services enable powerful capabilities like:
- Remote script execution (SPE Remoting)
- RESTful API access
- File and media uploads/downloads
- Report exports
{% hint style="danger" %} Security Warning: Only enable web services you specifically need. Each enabled service increases your attack surface. Never enable services on internet-facing servers. {% endhint %}
Services are configured in App_Config\Include\Spe\Spe.config:
<sitecore>
<powershell>
<services>
<restfulv1 enabled="false" />
<restfulv2 enabled="false" />
<remoting enabled="false" />
<fileDownload enabled="false" />
<fileUpload enabled="false" />
<mediaDownload enabled="false" />
<mediaUpload enabled="false" />
<handleDownload enabled="true" />
<client enabled="true" />
<execution enabled="true" />
</services>
</powershell>
</sitecore>Service File: PowerShellWebService.asmx
Purpose: Powers the SPE Console and ISE user interfaces.
Required For:
- PowerShell Console
- PowerShell ISE (Integrated Scripting Environment)
Security Considerations:
- Required for basic SPE functionality
- Access controlled by Sitecore user permissions
- Protected by Session Elevation (UAC)
Should you disable it? No - this breaks the Console and ISE.
Service File: Various pipeline integrations
Purpose: Checks if users have permission to run SPE applications.
Required For:
- Download File dialogs
- PowerShell Script Runner
- Content Editor integrations (Context Menu, Insert Options, Ribbon)
Security Considerations:
- Authorization check service
- Does not execute arbitrary code
- Validates permissions before allowing access
Should you disable it? No - this breaks SPE integration points.
Service File: RemoteScriptCall.ashx
Purpose: Enables file downloads through the Sitecore interface.
Required For:
Out-Downloadcommand- Report exports (CSV, Excel, etc.)
- ISE script exports
Security Considerations:
- Only works for authenticated users
- Requires active Sitecore session
- Downloads are temporary and time-limited
Should you disable it? Only if you never need to download files from SPE (rare).
Service File: RemoteAutomation.asmx
Purpose: Allows external clients to execute PowerShell scripts remotely.
Required For:
- SPE Remoting module
- Automated CI/CD scripts
- External automation tools
Security Considerations:
⚠️ HIGH RISK - enables remote code execution- Must be protected with role-based authorization
- Should require HTTPS
- Ideal for CI/CD environments with proper security
Example Use Case: Automated content deployment from build servers.
Enable with HTTPS requirement:
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<remoting>
<patch:attribute name="enabled">true</patch:attribute>
<patch:attribute name="requireSecureConnection">true</patch:attribute>
<authorization>
<add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
</authorization>
</remoting>
</services>
</powershell>
</sitecore>
</configuration>Restrict to specific users:
<remoting>
<patch:attribute name="enabled">true</patch:attribute>
<patch:attribute name="requireSecureConnection">true</patch:attribute>
<authorization>
<add Permission="Allow" IdentityType="User" Identity="sitecore\automation-user" />
</authorization>
</remoting>{% hint style="warning" %}
Load Balancer Note: When using requireSecureConnection behind a load balancer that handles TLS termination, you may receive 403 errors. The backend server receives HTTP traffic and .NET doesn't recognize it as secure. Consider network-level security instead.
{% endhint %}
Service File: RemoteScriptCall.ashx
Purpose: Execute scripts via RESTful URLs with all parameters in the URL.
Required For:
- PowerShell Web API
- RESTful script endpoints
- External integrations
Security Considerations:
⚠️ MEDIUM-HIGH RISK - exposes script execution via HTTP- URL-based parameters may be logged
- Should require HTTPS
- Should use POST instead of GET when possible
Example Use Case: Providing a web API for external systems to query Sitecore content.
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<restfulv2>
<patch:attribute name="enabled">true</patch:attribute>
</restfulv2>
</services>
</powershell>
</sitecore>
</configuration>Service File: RemoteScriptCall.ashx
Purpose: Download files from the server file system via URL.
Required For:
- SPE Remoting file downloads
- External file retrieval
Security Considerations:
⚠️ MEDIUM RISK - exposes file system- Restricted by file type and location configuration
- Only works with allowed paths
Should you enable it? Only if using SPE Remoting and need file downloads.
Service File: RemoteScriptCall.ashx
Purpose: Upload files to the server file system via URL.
Required For:
- SPE Remoting file uploads
- External file deployment
Security Considerations:
⚠️ HIGH RISK - allows writing to file system- Restricted by file type and location configuration
- Can be used to deploy malicious files if misconfigured
- Must be carefully controlled
Should you enable it? Only if absolutely necessary, with strict restrictions.
See File Upload Restrictions for detailed configuration.
Service File: RemoteScriptCall.ashx
Purpose: Download media library items via URL.
Required For:
- SPE Remoting media downloads
- External media retrieval
Security Considerations:
⚠️ LOW-MEDIUM RISK - exposes media library- Respects Sitecore security
- May expose sensitive media items
Should you enable it? Only if using SPE Remoting and need media downloads.
Service File: RemoteScriptCall.ashx
Purpose: Upload files as media library items via URL.
Required For:
- SPE Remoting media uploads
- External media deployment
Security Considerations:
⚠️ MEDIUM RISK - allows media library uploads- Restricted by file type configuration
- Can bloat media library if misused
Should you enable it? Only if using SPE Remoting and need media uploads.
Service File: RemoteScriptCall.ashx
Purpose: Legacy RESTful API from early SPE versions.
Security Considerations:
⚠️ DEPRECATED - avoid using- Use RESTful v2 instead
Should you enable it? No - migrate to v2.
Default configuration - only services needed for Console and ISE:
<services>
<restfulv1 enabled="false" />
<restfulv2 enabled="false" />
<remoting enabled="false" />
<fileDownload enabled="false" />
<fileUpload enabled="false" />
<mediaDownload enabled="false" />
<mediaUpload enabled="false" />
<handleDownload enabled="true" />
<client enabled="true" />
<execution enabled="true" />
</services>Enable remoting for build automation, with strict security:
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<remoting>
<patch:attribute name="enabled">true</patch:attribute>
<patch:attribute name="requireSecureConnection">true</patch:attribute>
<authorization>
<patch:delete />
</authorization>
<authorization>
<add Permission="Allow" IdentityType="User" Identity="sitecore\build-automation" />
</authorization>
</remoting>
<fileDownload>
<patch:attribute name="enabled">true</patch:attribute>
</fileDownload>
</services>
</powershell>
</sitecore>
</configuration>Enable RESTful v2 for web API endpoints:
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<restfulv2>
<patch:attribute name="enabled">true</patch:attribute>
</restfulv2>
</services>
</powershell>
</sitecore>
</configuration>Enable all remoting capabilities (use with caution):
<configuration xmlns:patch="https://www.sitecore.net/xmlconfig/">
<sitecore>
<powershell>
<services>
<remoting>
<patch:attribute name="enabled">true</patch:attribute>
<patch:attribute name="requireSecureConnection">true</patch:attribute>
</remoting>
<fileDownload>
<patch:attribute name="enabled">true</patch:attribute>
</fileDownload>
<fileUpload>
<patch:attribute name="enabled">true</patch:attribute>
</fileUpload>
<mediaDownload>
<patch:attribute name="enabled">true</patch:attribute>
</mediaDownload>
<mediaUpload>
<patch:attribute name="enabled">true</patch:attribute>
</mediaUpload>
</services>
</powershell>
</sitecore>
</configuration>Restrict remoting access to specific roles or users.
By default, these roles can use remoting (when enabled):
<authorization>
<add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
</authorization>Remove default roles and add your own:
<authorization>
<patch:delete />
</authorization>
<authorization>
<add Permission="Allow" IdentityType="Role" Identity="sitecore\Automation" />
<add Permission="Allow" IdentityType="Role" Identity="sitecore\Developers" />
</authorization>Grant access to individual users:
<authorization>
<add Permission="Allow" IdentityType="User" Identity="sitecore\ci-user" />
<add Permission="Allow" IdentityType="User" Identity="sitecore\deployment-user" />
</authorization><authorization>
<add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
<add Permission="Allow" IdentityType="User" Identity="sitecore\admin" />
<add Permission="Allow" IdentityType="User" Identity="sitecore\build-agent" />
</authorization>Add an additional security layer by configuring IIS authentication.
Edit sitecore modules\PowerShell\Services\web.config:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>This denies all anonymous users from accessing SPE web services.
For environments with Windows Authentication:
- Disable Anonymous Authentication in IIS for
sitecore modules\PowerShell\Services\ - Enable Windows Authentication
- Use the
Credentialparameter in remoting commands:
$session = New-ScriptSession -Username "domain\user" -Password "password" -ConnectionUri "https://sitecore.local"✅ Do:
- Only enable services you specifically need
- Require HTTPS for all external services (
requireSecureConnection="true") - Use role-based authorization to limit access
- Deny anonymous access at the IIS level
- Regularly audit which services are enabled
- Use dedicated service accounts for automation
- Monitor web service access logs
- Disable services in Content Delivery (CD) environments
❌ Don't:
- Enable all services "just in case"
- Allow HTTP for remoting or file upload
- Grant broad role access (e.g., "Everyone")
- Use administrator accounts for automation
- Enable services on internet-facing servers
- Forget to configure authorization when enabling remoting
- Leave default passwords on service accounts
| Environment | Recommended Services | Rationale |
|---|---|---|
| Local Dev | All enabled (if needed) | Convenience for development and testing |
| Shared Dev | handleDownload, client, execution | Only UI features |
| QA/Staging | Match production | Test with production security |
| Production CM | handleDownload, client, execution | Only UI features unless remoting needed |
| Production CD | None - don't install SPE | CD servers should not have SPE |
| Service | Enable If... | Security Requirements |
|---|---|---|
| client | Using Console/ISE (always) | Sitecore user auth + Session Elevation |
| execution | Using SPE features (always) | Sitecore user auth |
| handleDownload | Need to download reports/files (usually) | Sitecore user auth |
| remoting | Need external automation | HTTPS + role auth + IIS deny anonymous |
| restfulv2 | Building web APIs | HTTPS + script-level security |
| fileDownload | Using SPE Remoting file operations | HTTPS + role auth + path restrictions |
| fileUpload | Using SPE Remoting file operations | HTTPS + role auth + strict file/path restrictions |
| mediaDownload | Using SPE Remoting media operations | HTTPS + role auth |
| mediaUpload | Using SPE Remoting media operations | HTTPS + role auth + file type restrictions |
| restfulv1 | Never (deprecated) | N/A - don't use |
Cause: Load balancer terminates TLS and forwards HTTP to backend.
Solution:
- Configure network-level security instead
- Remove
requireSecureConnectionand secure at network/firewall level - Or configure load balancer to forward HTTPS
Possible causes:
- User/role not in authorization list
- IIS denies anonymous access but credentials not provided
- User doesn't exist or password is incorrect
Solution: Check configuration and verify credentials.
Cause: File type or location not allowed.
Solution: Configure file upload restrictions (see File Upload Restrictions).
- File Upload Restrictions - Configure allowed file types and paths
- IIS Security - Additional IIS-level hardening
- Remoting - Using SPE Remoting features
- Web API - Building RESTful APIs with SPE