.. include:: /Includes.rst.txt
.. index:: Security guidelines; Administrators
.. _security-administrators:

====================================
Guidelines for System Administrators
====================================

General Rules
=============

#. Subscribe to the "TYPO3 Announce" mailing list at
   https://lists.typo3.org, so that you are
   informed about TYPO3 security bulletins and TYPO3 updates.

#. React as soon as possible and update the relevant components of the
   site(s) when new vulnerabilities become public (e.g. security issues
   published in the mailing list).

#. Use different passwords for the Install Tool and the backend login.
   Follow the guidelines for secure passwords in this document.

#. If you are administrating several TYPO3 installations, use different
   passwords for all logins and components for every installation.

#. Never use the same password for a TYPO3 installation and any other
   service such as `FTP`, `SSH`, etc.

#. Change the username and password of the "admin" account after the
   installation of TYPO3 immediately.

#. If you are also responsible for the setup and configuration of TYPO3,
   follow the steps for TYPO3 integrators carefully, documented in the
   next chapter.

Further topics
==============

Please see the chapters below for further security related topics of interest
for administrators:

.. toctree::
   :titlesonly:

   RoleDefinition
   IntegrityOfTypo3Packages
   FileDirectoryPermissions
   RestrictAccessToFiles
   DirectoryIndexing
   FileExtensionHandling
   ContentSecurityPolicy
   DatabaseAccess
   EncryptedCommunication
   OtherServices
   FurtherActions