What are best practices for securing the admin section of a website? [closed]

by

These are all good answers… I generally like to add a couple additional layers for my administrative sections. Although I’ve used a few variations on a theme, they generally include one of the following:

  • Second level authentication: This could include client certificates (Ex. x509 certs), smart cards, cardspace, etc…
  • Domain/IP restrictions: In this case, only clients coming from trusted/verifiable domains; such as internal subnets; are allowed into the admin area. Remote admins often go through trusted VPN entrypoints so their session would be verifiable and is often protected with RSA keys as well. If you’re using ASP.NET you can easily perform these checks in the HTTP Pipeline via HTTP Modules which will prevent your application from ever receiving any requests if security checks are not satisfied.
  • Locked down IPrincipal & Principal-based Authorization: Creating custom Principles is a common practice, although a common mistake is making them modifiable and/or rights enumerable. Although its not just an admin issue, it’s more important since here is where users are likely to have elevated rights. Be sure they’re immutable and not enumerable. Additionally, make sure all assessments for Authorization are made based on the Principal.
  • Federate Rights Elevation: When any account receives a select number of rights, all the admins and the security officer are immediately notified via email. This makes sure that if an attacker elevates rights we know right away. These rights generally revolve around priviledged rights, rights to see privacy protected information, and/or financial information (e.g. credit cards).
  • Issue rights sparingly, even to Admins: Finally, and this can be a bit more advanced for some shops. Authorization rights should be as discreet as possible and should surround real functional behaviours. Typical Role-Based Security (RBS) approaches tend to have a Group mentality. From a security perspective this is not the best pattern. Instead of ‘Groups‘ like ‘User Manager‘, try breaking it down further (Ex. Create User, Authorize User, Elevate/Revoke access rights, etc…). This can have a little more overhead in terms of administration, but this gives you the flexibility to only assign rights that are actually needed by the larger admin group. If access is compromised at least they may not get all rights. I like to wrap this in Code Access Security (CAS) permissions supported by .NET and Java, but that is beyond the scope of this answer. One more thing… in one app, admins cannot manage change other admin accounts, or make a users an admin. That can only be done via a locked down client which only a couple people can access.

More Related Contents:

  1. JWT (JSON Web Token) automatic prolongation of expiration
  2. What is token-based authentication?
  3. Authentication versus Authorization
  4. Where to store JWT in browser? How to protect against CSRF?
  5. Non-random salt for password hashes
  6. JWT refresh token flow
  7. Cross Domain Login – How to log a user in automatically when transferred from one domain to another
  8. Where do you store your salt strings?
  9. SPA best practices for authentication and session management
  10. How do I store and retrieve credentials from the Windows Vault credential manager?
  11. Symfony2 extending DefaultAuthenticationSuccessHandler
  12. Best way for a ‘forgot password’ implementation? [closed]
  13. What is the best Distributed Brute Force countermeasure? [closed]
  14. Should I hash the password before sending it to the server side?
  15. How to do stateless (session-less) & cookie-less authentication?
  16. Using Symfony2’s AccessDeniedHandlerInterface
  17. How to manually decrypt an ASP.NET Core Authentication cookie?
  18. Secure Google Cloud Functions http trigger with auth
  19. Google Authenticator available as a public service?
  20. Best practices for server-side handling of JWT tokens [closed]
  21. Securing an API: SSL & HTTP Basic Authentication vs Signature
  22. Difference between Hashing a Password and Encrypting it
  23. XMLHttpRequest cannot load file. Cross origin requests are only supported for HTTP
  24. What is the best way to prevent session hijacking?
  25. Why is security through obscurity a bad idea? [closed]
  26. Will HTML Encoding prevent all kinds of XSS attacks?
  27. How to properly do private key management
  28. Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
  29. Removing the remembered login and password list in SQL Server Management Studio
  30. Single Session Login in Laravel

Leave a Comment