What is the best practice to restrict access to the website’s administration system?

Asked

Viewed 222 times

3

I wanted to create an administration system for the site, I did so so that users have associated with you a level field and if this is a given value they can access administrator control, otherwise if they try are directed to the index, I don’t know if this is an efficient way.

I noticed another system of creating protected directories.

Can you tell me which of the ways is more efficient and whether there is some vulnerability in the way I decided to implement?

  • I know it’s not really an answer, and one more statement, so I decided to do it here... Have you seen the ACL bilioteca of the PHP phalcon framework? http://docs.phalconphp.com/en/latest/reference/acl.html

  • There are countless ways to do this process. I believe that the best are controls of Sessions, when logging into your system set an access level, create a function to check the access level and access to page. It’s a simple but very effective way. Abs.

  • depends also on the policy of internal use.. the vast majority of users, even in a corporate environment, if they have no restrictive internal discipline or policies, There is no point in creating a complex system of permission levels because usually by laziness they create a single admin user with all possible permissions and share with everyone.. rrsrs Therefore, check with users what security policy they intend to use. If they are sloppy, create a single root user that will be yours and a single admin, which will be theirs. In such cases, never teach them that there is a root user.

1 answer

3

There are many practices that can raise the security level of a system. I’ll be listing some of the most common and important.

Strength of Passwords

A very recommended practice is to recommend/force the user (mainly those with access to the administration system) to choose a password with a reasonably strong force, containing lower case letters, upper case letters, numbers and maybe even symbols, for example 3sSa.e.Minh4$3nH4. This makes it very difficult to break it.

Cause Passwords to Expire

The practice of expiring the password is very common nowadays, especially in corporate environments. This keeps the environment constantly updated and may even be possible to update hashs from time to time. For example by searching the password 3sSa.e.Minh4$3nH4 on the website How Secure is my Password, shows that for an ordinary computer to break this password can take 39 quadrillion years, but let’s say that the hacker has numerous zombie computers, so that number can be reduced considerably, but if you have a security routine that requires passwords to be updated every 6 months, you will extend your security breach time to an infinite amount of time.

Segurança da Senha

Do not Encrypt with md5 only

Using the MD5 Decrypt app from Hash Killer it is possible to break simple hashs with only numbers or letters, for example 123456, carlos12. It is therefore encouraged to use at least one salt in the password before encrypting it.

I’m not gonna keep rewriting the theory of relativity, so here is a question and answer about security hashs..

Avoid the name Admin

Use the address meusite.com/admin or admin.meusite.com is very obvious, give preference to alternative names like mspanel (abbreviation for Meusitepanel) or something like, an easy-to-remember name that there are no incoming links, but also that it is not so obvious. Also, if possible, restrict IP access.

SSL

If possible invest in Digital Certificates, but for an internal system you can even generate your security keys. So see what’s worth more to the kind of system.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.