What are best practices for securing the admin section of a website?

Question

I'd like to know what people consider best practice for securing the Admin sections of websites, specifically from an authentication/access point of view.

Of course there are obvious things, such as using SSL and logging all access, but I'm wondering just where above these basic steps people consider the bar to be set.

For example:

Are you just relying on the same authentication mechanism that you use for normal users? If not, what?
Are you running the Admin section in the same 'application domain'?
What steps do you take to make the admin section undiscovered? (or do you reject the whole 'obscurity' thing)

So far, suggestions from answerers include:

Introduce an artificial server-side pause into each admin password check to prevent brute force attacks [Developer Art]
Use separate login pages for users and admin using the same DB table (to stop XSRF and session-stealing granting access to admin areas) [Thief Master]
Consider also adding webserver native authentication to the admin area (e.g. via .htaccess) [Thief Master]
Consider blocking users IP after a number of failed admin login attempts [Thief Master]
Add captcha after failed admin login attempts [Thief Master]
Provide equally strong mechanisms (using the above techniques) for users as well as admins (e.g. don't treat admins specially) [Lo'oris]
Consider Second level authentication (e.g. client certificates, smart cards, cardspace, etc.) [JoeGeeky]
Only allow access from trusted IPs/Domains, add check to basic HTTP pipeline (via e.g. HttpModules) if possible. [JoeGeeky]
[ASP.NET] Lock down IPrincipal & Principal (make them immutable and non-enumerable) [JoeGeeky]
Federate Rights Elevation - e.g. email other admins when any admin's rights are upgraded. [JoeGeeky]
Consider fine-grained rights for admins - e.g. rather than roles based rights, define rights for indicidual actions per admin [JoeGeeky]
Restrict creation of admins - e.g. Admins cannot change or create other admin accounts. Use a locked-down 'superadmin' client for this. [JoeGeeky]
Consider Client Side SSL Certificates, or RSA type keyfobs (electronic tokens) [Daniel Papasian]
If using cookies for Authentication, use separate cookies for admin and normal pages, by e.g. putting the admin section on a different domain. [Daniel Papasian]
If practical, consider keeping the admin site on a private subnet, off the public internet. [John Hartsock]
Reissue auth/session tickets when moving between admin/normal usage contexts of the website [Richard JP Le Guen]

Just a thought but. Probably the best way to secure the admin section is dont have it on the public internet. You could choose to keep the admin site only on a private subnet. — John Hartsock, May 27 '10 at 20:44
Which of these ideas that you specified would it not be a good idea to apply to all users, not just admins? — Vivian River, May 28 '10 at 16:59
You may want to check WebLoginProject at http://www.webloginproject.com/ it is a collaborative login system that is designed ground up to be secure against XSS, SQL Injection, Session fixation and CSRF vulnerabilities. It has source code in ASP and PHP, it's multilanguage and it looks cool. A lot of developers are working on it fixing holes so this is probably as close to secure as it can get. — stagas, May 31 '10 at 11:32
-1 for including the terribly wrong "strong password" (which actually is a **very** weak password instead) suggestion — o0'., Mar 27 '12 at 13:37
@Lohoris - I really don't understand why you downvoted this question. Are you downvoting becuase I sumarised someones suggestion that you don't agree with? Perhaps downvoting the related answer would be more constructive. :/ Can you clarify exactly what you have a problem with? — UpTheCreek, Mar 27 '12 at 14:06
@UpTheCreek I did downvote that on the specific answer, of course, and explained it there. Since I think that that "suggestion" is extremely bad, I feel it right to downvote this whole set of advices solely on the fact that that advice is present here. — o0'., Mar 27 '12 at 14:11
@UpTheCreek I was talking about this horror --> http://stackoverflow.com/a/2848151/207655 — o0'., Mar 27 '12 at 14:18
I take the liberty of removing that suggestion, it's community wiki after all. — o0'., Mar 27 '12 at 14:31

score 21 · Accepted Answer · edited Nov 10 '10 at 00:24

These are all good answers... I generally like to add a couple additional layers for my administrative sections. Although I've used a few variations on a theme, they generally include one of the following:

Second level authentication: This could include client certificates (Ex. x509 certs), smart cards, cardspace, etc...
Domain/IP restrictions: In this case, only clients coming from trusted/verifiable domains; such as internal subnets; are allowed into the admin area. Remote admins often go through trusted VPN entrypoints so their session would be verifiable and is often protected with RSA keys as well. If you're using ASP.NET you can easily perform these checks in the HTTP Pipeline via HTTP Modules which will prevent your application from ever receiving any requests if security checks are not satisfied.
Locked down IPrincipal & Principal-based Authorization: Creating custom Principles is a common practice, although a common mistake is making them modifiable and/or rights enumerable. Although its not just an admin issue, it's more important since here is where users are likely to have elevated rights. Be sure they're immutable and not enumerable. Additionally, make sure all assessments for Authorization are made based on the Principal.
Federate Rights Elevation: When any account receives a select number of rights, all the admins and the security officer are immediately notified via email. This makes sure that if an attacker elevates rights we know right away. These rights generally revolve around priviledged rights, rights to see privacy protected information, and/or financial information (e.g. credit cards).
Issue rights sparingly, even to Admins: Finally, and this can be a bit more advanced for some shops. Authorization rights should be as discreet as possible and should surround real functional behaviours. Typical Role-Based Security (RBS) approaches tend to have a Group mentality. From a security perspective this is not the best pattern. Instead of 'Groups' like 'User Manager', try breaking it down further (Ex. Create User, Authorize User, Elevate/Revoke access rights, etc...). This can have a little more overhead in terms of administration, but this gives you the flexibility to only assign rights that are actually needed by the larger admin group. If access is compromised at least they may not get all rights. I like to wrap this in Code Access Security (CAS) permissions supported by .NET and Java, but that is beyond the scope of this answer. One more thing... in one app, admins cannot manage change other admin accounts, or make a users an admin. That can only be done via a locked down client which only a couple people can access.

score 20 · Answer 2 · answered May 17 '10 at 10:10

If the website requires a login for both regular activities and admins, e.g. a forum, I'd use separate logins which use the same user database. This ensures that XSRF and session-stealing won't allow the attacker to access administrative areas.

Additionally, if the admin section is in a separate subdirectory, securing that one with the webserver's authentication (.htaccess in Apache for example) might be a good idea - then someone needs both that password and the user password.

Obscuring the admin path yields almost no security gain - if someone knows valid login data he's most likely also able to find out the path of the admin tool since he either phished it or keylogged you or got it via social engineering (which would probably reveal the path, too).

A brute-force protection like blocking the user's IP after 3 failed logins or requiring a CAPTCHA after a failed login (not for the first login as that's just extremely annoying for legit users) might also be useful.

in the first paragraph, is this mean its better if the project is in separated folder? — ßiansor Å. Ålmerol, Feb 06 '21 at 18:53

score 9 · Answer 3 · answered May 17 '10 at 11:15

9

I reject obscurity
Using two authentication systems instead of one is overkill
The artificial pause between attempts should be done for users too
Blocking IPs of failed attempts should be done for users too
Strong passwords should be used by users too
If you consider captchas ok, guess what, you could use them for users too

Yes, after writing it, I realize that this answer could be summarized as a "nothing special for the admin login, they are all security features that should be used for any login".

answered May 17 '10 at 11:15

o0'.

11,739
19
60
87

6

Thanks for the answer. Personally I tend to disagree, e.g.: Would a user be happy with passwords like 'ksd83,'|4d#rrpp0%27&lq(go43$sd{3>'? And, Isn't resetting IP blocks that valid users have triggered by being forgetful going to generate unneccessary admin/customer service work? Personally I think the different levels of risk justify different approaches – UpTheCreek May 17 '10 at 11:22
1

Admin password should be complex but not overly complex, otherwise even the admin won't remember it and will write it down somewhere (you would be forcing him to defy every security rule). Temporarily blocking IPs with failed attempt is pretty standard, vbulletin does it, phpbb does it IIRC, users are used to it. – o0'. May 17 '10 at 11:44
I don't really want to look to phpbb or vbulletin for security best practices ;) – UpTheCreek Mar 27 '12 at 14:12
@UpTheCreek of course, I agree! I was just questioning this _"Isn't resetting IP blocks that valid users have triggered by being forgetful going to generate unneccessary admin/customer service work"_ <-- I don't think it would be a problem, because the users are already used to such a feature. – o0'. Mar 27 '12 at 14:17

score 3 · Answer 4 · answered May 30 '10 at 22:10

3

If you do use only a single login for users who have both normal-user privileges and admin privileges, regenerate their session identifier (be it in a cookie or a GET parameter or whatever...) when there is a change in the level of priviledge... at the very least.

So if I log in, do a bunch of normal user stuff and then visit an admin page, regenerate my session ID. If I then navigate away from an admin page(s) to a normal user page, regenerate my ID again.

answered May 30 '10 at 22:10

Richard JP Le Guen

28,364
7
89
119

Could you please explain what this achieves? – Denis Pshenov Sep 15 '16 at 20:51
http://security.stackexchange.com/questions/1246/session-hijacking-regenerate-session-id – Richard JP Le Guen Sep 15 '16 at 21:06
1

I believe this won't help as much as you think. Because if attacker is able to get your current session id in normal user page he could use it to then access admin page and generate himself a new session id. Correct me if I'm wrong. – Denis Pshenov Sep 15 '16 at 21:15
1

But the attacker can't access the admin page without a password. There isn't a change in privilege level until after authentication. Failure to regenerate the session ID means they can re-use a session created insecurely to get around authentication. – Richard JP Le Guen Sep 15 '16 at 21:44
Got it now. I was thinking you described a scenario where user does not have to re-login when they switch between normal/admin context. – Denis Pshenov Sep 15 '16 at 21:54

score 2 · Answer 5 · answered May 17 '10 at 10:09

2

Have a good admin password.

Not "123456" but a sequence of letters, digits and special characters long enough, say, 15-20 characters. Like "ksd83,'|4d#rrpp0%27&lq(go43$sd{3>".

Add a pause for each password check to prevent brute force attack.

answered May 17 '10 at 10:09

could you explain a bit on what a 'pause' would be? Are you referring to doing something like Thread.Sleep(5000) to just kill some time? – earthling May 25 '10 at 18:17
@senloe: Yes, just add an artificial response delay to limit attempts per time interval. – May 25 '10 at 20:03
That serves nothing. You can request another password while the other request sleeps.. – Andreas Bonini May 31 '10 at 11:46
@Andreas Bonini: Unless you limit requests by IP and have a shared limit for checks per minute. – May 31 '10 at 12:04
6

this is stupid: a password too complex to be remembered will be written down somewhere (or saved), hence making matters much worse than if you allowed a REALLY good password (i.e. a password that will be typed because you remember it instead of copy pasted). – o0'. Sep 12 '10 at 21:34
4

Oh, I wish I could downvote this crap down to the stone age, it is *so* stupid, *so* wrong... I hate people spreading misinformation such as this one. – o0'. May 18 '11 at 08:12
1

@Lo'oris: What is it exactly that you disagree with? – May 18 '11 at 18:23
2

I've written it in... like... the comment just above? – o0'. May 19 '11 at 18:28

score 1 · Answer 6 · answered May 25 '10 at 18:10

Here are some other things to consider:

One option to consider, especially if you manage the admin's computers or they are technically competent, is to use something based on SSL certificates for client authentication. RSA keyfobs and whatnot can also be used for added security.
If you're using cookies at all - perhaps for an authentication/session token - you probably want to ensure that the cookies are only sent to the admin pages. This helps mitigate the risks posed to your site by stealing cookies, by either layer 1/2 compromise or XSS. This can be done easily by having the admin portion being on a different hostname or domain as well as setting the secure flag with the cookie.
Restricting by IP can be smart as well, and if you have users throughout the internet you can still do this, if there is a trusted VPN that they can join.

score 1 · Answer 7 · answered Jun 01 '10 at 12:38

We use Windows Authentication for admin access. This is most practical way of protecting admin areas while keeping the authentication seperate from what applies to general end-users. The system admin manages the Admin user access credentials and enforces password policies on the domain user account.

score -1 · Answer 8 · answered May 31 '10 at 19:25

The strict way is to have two complete different "farms" including databases, servers and all and move the data from one farm to the other. Most modern, large scale, systems use this approach (Vignette, SharePoint, etc.). It's normally refered to as having different stages "editing stage" -> "preview stage" -> "delivery stage". This method lets you treat content/config the same way you treat code (dev->qa->prod).

If you are less paranoid you can have a single database but only have your admin section available on the "editing" servers. I mean, only have the editing scripts/files placed on the editing server.

Naturally the editing stage should only be available on a local intranet and/or using a VPN.

This may seem a bit of an overkill and may not be the easiest solution for all usage cases, but it is definetly the most robust way of doing things.

Note that things like "have strong admin passwords" are nice, but still leave your admin open to smart attacts of all sorts.

I think this would really only be useful/practical in purely CMS/publishing situations where you are pushing content rather than processing data. — UpTheCreek, Jun 01 '10 at 06:55
Maybe, but I have known (and seen) situations where this is done for processing and user input as well. For a single farm with seperate editing server it is a no brainer. For multiple farms what you do is have input from the site go into a queue (DB or otherwise) and, by using an external procedure, is being processed and copied into the "editing" server/DB. This gives you more control over what gets into your system. It is, however, complicated to implement. — Nir Levy, Jun 02 '10 at 12:09

score -2 · Answer 9 · answered May 28 '10 at 09:10

-2

It very much depends on what kind of data you want to protect (legal requirements and such).

Alot of suggestions is about authentication.. I think you just should consider using OpenId / Facebook authentication as login. (They will most likely spend more resources on authentication security then you)
Save changes as well as updating values in the database. That way you can rollback changes from user X or between date X and Y.

answered May 28 '10 at 09:10

Carl Bergquist

3,894
2
25
42

1

Facebook authentication for the admin section of a web site... you really think that's a good idea? For general users, yes... but for the _admin section_? Feels a little dangeresque to me... – Richard JP Le Guen May 30 '10 at 21:55
I'm not sure. but I think this sites runs openid authentication only. And I don't think there is any big (in theory) difference between facebook authentication and openid. But I haven't read any license agreements or such. – Carl Bergquist May 30 '10 at 22:30
1

Very bad idea the openid for admin authentication, also the rollback most of the times is impossible, and the bad guy is all ready inside your system... what rollback ? – Aristos Jun 01 '10 at 12:31
Feel free to explain why you think its bad. Well if logging on as admin gives you full access to the db and backup it sure is hard to rollback, but in that case you all ready lost. My suggestions was aimed for cmsisch site. – Carl Bergquist Jun 01 '10 at 13:24

score -3 · Answer 10 · answered Jun 01 '10 at 12:52

-3

I didn't notice anyone mention storage/validation of the admin password. Please please please do not store the PW in plain text, and preferably not even something that can be reversed - use something like a salted MD5 hash so that at the very least if someone happens to retrieve the stored "password" they don't have anything terribly useful, unless they also have your salt scheme.

answered Jun 01 '10 at 12:52

Wayne Werner

49,299
29
200
290

1

-1 for md5. You don't want a fast hash for passwords, even beyond the other issues with md5ing. bcrypt would be a better option. – Kzqai Dec 28 '11 at 16:26

score -4 · Answer 11 · answered Jun 01 '10 at 12:39

Add a password field and a security question that the Administrator will know, e.g. what was your first girlfriend name, or randomize the questions everytime viewing the admin panel.

Perhaps you could always put the administration section in a big directory, e.g.

http://domain.com/sub/sub/sub/sub/sub/index.php

But that's not really good hah.

Perhaps you could include a query string in the home page, like:

http://domain.com/index.php?display=true

When it does, the username and password field will appear.

What are best practices for securing the admin section of a website?

11 Answers11

Linked

Related