Configuring 1C-Bitrix security policies

Our company develops, supports and maintains Bitrix and Bitrix24 solutions of any complexity, from simple one-page sites to complex online stores and CRM systems with 1C and telephony integration. The experience of our developers is confirmed by certificates from the vendor.

Security Policy Configuration for 1C-Bitrix

Security policies in Bitrix are not an abstract section of the documentation — they are specific parameters that directly affect how easy it is to compromise a user or administrator account. By default, many of them are set in a permissive mode — for development convenience, not for protection.

Password Policies

Configured in Settings → Password Policies. Each policy is assigned to user groups. Administrators and managers should have a separate policy with the strictest requirements.

Key parameters:

  • Minimum length — at least 10 characters for staff, 12 for administrators
  • Required character types — lowercase, uppercase, digits, special characters
  • Password expiration — forced change after N days. For the "Administrators" group — 90 days
  • Password history — prohibit reuse of the last N passwords (recommended: 5–10)
  • Attempt limit — lockout after N failed attempts (b_user_auth_attempts)
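The parameters above can be checked mechanically before a password is accepted. The block below is an added example, not Bitrix code or any part of its password-policy module: it models a per-group policy (length, character classes, history, attempt limit), compares a candidate against a history of salted PBKDF2 hashes, and counts failed logins per account. The group names, numeric limits and sample passwords are constructed for the demonstration and follow the recommendations in the list above.

```python
"""Password-policy enforcement modelled on the settings listed above (added example, not Bitrix code)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int
    require_classes: bool = True   # lowercase, uppercase, digit, special
    history_size: int = 5          # last N password hashes that may not be reused
    max_attempts: int = 5          # failed logins before lockout


# Constructed policies: the stricter one is meant for the "Administrators" group.
POLICIES = {
    "staff": PasswordPolicy(min_length=10, history_size=5, max_attempts=5),
    "administrators": PasswordPolicy(min_length=12, history_size=10, max_attempts=3),
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_new_password(password: str, group: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    policy = POLICIES[group]
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_classes:
        classes = {
            "lowercase": any(c.islower() for c in password),
            "uppercase": any(c.isupper() for c in password),
            "digit": any(c.isdigit() for c in password),
            "special": any(c in string.punctuation for c in password),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("missing character classes: " + ", ".join(missing))
    # Password history: re-hash the candidate with each stored salt and compare in constant time.
    for salt, digest in history[-policy.history_size:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems


class LoginAttemptTracker:
    """Counts failed logins per account and reports lockout once the group's limit is reached."""

    def __init__(self) -> None:
        self.failures = {}

    def record_failure(self, login: str, group: str) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        self.failures[login] = self.failures.get(login, 0) + 1
        return self.failures[login] >= POLICIES[group].max_attempts

    def record_success(self, login: str) -> None:
        """A successful login clears the failure counter."""
        self.failures.pop(login, None)

    def is_locked(self, login: str, group: str) -> bool:
        return self.failures.get(login, 0) >= POLICIES[group].max_attempts


if __name__ == "__main__":
    # Constructed sample run: a compliant admin password, then an attempt to reuse it.
    prior = [hash_password("Tr0ub4dor&3xAmple")]
    print(check_new_password("Tr0ub4dor&3xAmple", "administrators", []))
    print(check_new_password("Tr0ub4dor&3xAmple", "administrators", prior))
```

The history check deliberately re-derives the hash with each stored salt rather than storing plaintext, and the lockout counter is reset only by a successful login, which is the behaviour the "attempt limit" setting is meant to give.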

Session and Authorization Settings

Settings → Main Module → Security:

  • Session lifetime — by default matches session.gc_maxlifetime in PHP. For the admin panel, 30–60 minutes is recommended
  • "Remember me" — disable or reduce the duration to 7–14 days. Long-lived cookies are an attack vector if a device is compromised
  • Session binding to IP — enable BX_SECURITY_SESSION_VIRTUAL_DIRECTORY and IP verification. Caution: mobile users may have changing IPs
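The session settings above, and the inactivity limit from the case described later in this article, reduce to a few checks that must run on every request. The block below is an added example, not Bitrix code or its session handling: a session record plus a validator that applies an idle timeout, an absolute lifetime, optional IP binding and a cap on the "remember me" duration. The limit profiles, logins, addresses and timestamps are constructed values based on the recommendations in the text; timestamps are passed in as epoch seconds so the logic is testable offline.

```python
"""Session validity checks modelled on the settings above (added example, not Bitrix code)."""
from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    VALID = "valid"
    EXPIRED_IDLE = "expired: idle timeout"
    EXPIRED_LIFETIME = "expired: absolute lifetime"
    IP_MISMATCH = "rejected: client address changed"
    REMEMBER_ME_TOO_LONG = "rejected: remember-me cookie exceeds cap"


@dataclass
class SessionLimits:
    idle_timeout: int       # seconds without activity before forced logout
    max_lifetime: int       # seconds since login before re-authentication is required
    bind_ip: bool           # reject the session if the client address changes
    remember_me_max: int    # longest allowed "remember me" duration in seconds (0 = disabled)


# Constructed profiles: admin panel sessions are short and IP-bound with no "remember me";
# portal users get the 2-hour idle limit from the case study and a 14-day remember-me cap.
ADMIN_LIMITS = SessionLimits(idle_timeout=30 * 60, max_lifetime=8 * 3600,
                             bind_ip=True, remember_me_max=0)
USER_LIMITS = SessionLimits(idle_timeout=2 * 3600, max_lifetime=24 * 3600,
                            bind_ip=False, remember_me_max=14 * 86400)


@dataclass
class Session:
    login: str
    created_at: int          # epoch seconds
    last_activity: int       # epoch seconds
    client_ip: str
    remember_me_ttl: int = 0  # 0 = plain session cookie (session.cookie_lifetime = 0)


def validate_session(session: Session, now: int, client_ip: str, limits: SessionLimits) -> SessionState:
    """Return the first failing check, or VALID; run before any user data is touched."""
    if session.remember_me_ttl > limits.remember_me_max:
        return SessionState.REMEMBER_ME_TOO_LONG
    if limits.bind_ip and client_ip != session.client_ip:
        return SessionState.IP_MISMATCH
    if now - session.created_at > limits.max_lifetime:
        return SessionState.EXPIRED_LIFETIME
    if now - session.last_activity > limits.idle_timeout:
        return SessionState.EXPIRED_IDLE
    return SessionState.VALID


def touch(session: Session, now: int, client_ip: str, limits: SessionLimits) -> SessionState:
    """Validate and, only if valid, refresh last_activity so the idle clock restarts."""
    state = validate_session(session, now, client_ip, limits)
    if state is SessionState.VALID:
        session.last_activity = now
    return state


if __name__ == "__main__":
    # Constructed sample: a manager who walked away for three hours.
    s = Session(login="manager", created_at=0, last_activity=0, client_ip="10.0.0.5")
    print(validate_session(s, now=3 * 3600, client_ip="10.0.0.5", limits=USER_LIMITS).value)
```

The checks are ordered so that the cheapest and most decisive rejections come first; note that an IP-bound profile will also reject legitimate users whose address changes mid-session, which is the mobile-user caveat from the list above.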

Admin Panel Protection

Restrict access to /bitrix/admin/ by IP address in .htaccess (Apache) or in the nginx configuration; the nginx form is shown here:

# Allow-list for the admin panel; the addresses below are examples, replace them with your office or VPN ranges.
# If nginx sits behind a reverse proxy or CDN, configure set_real_ip_from / real_ip_header first,
# otherwise allow/deny is matched against the proxy's address rather than the client's.
location /bitrix/admin/ {
    allow 192.168.1.0/24;
    allow 203.0.113.10;
    deny all;   # every other address receives 403
}

Changing the admin panel URL via the "Proactive Defense" module (Security → Proactive Defense → Admin Panel Protection) adds a secret prefix to the path, so the standard /bitrix/admin/ address no longer reaches the panel.

Real-World Case

A corporate portal on Bitrix24 (on-premise). A user with manager permissions left a session open on their work computer and went on vacation. A colleague gained access to their account. Solution: configured a policy restricting inactive session time to 2 hours and requiring logout when the browser is closed (session.cookie_lifetime = 0).

Execution Timelines

Auditing current policies and configuring them to meet security requirements — 3–5 hours.