16 Tips for Securing Your Admin Page

By Mitch Pronschinske · Jun. 21, 2010 · Web Dev Zone · Interview
So you've finished that shiny new website and you want to make sure that you and your buddies are in control. Besides the obvious things such as SSL and logging all access, there are a few best practices for authentication and access control that developers recommend. Here are some of the recommendations:

  • Require separate login pages for users and admins using the same DB table. This will prevent XSRF and session-stealing, plus the attacker won't be able to access admin areas. [Thief Master]

  • Use complex passwords for admin accounts. For example, "uvula{:&:>iuJ", not "12345". Of course, you have to remember it. :) [Developer Art]

  • Introduce an artificial pause between each admin password attempt to prevent brute-force attacks. [Lo'oris]

  • Blocking a user's IP after a number of failed admin login attempts, or requiring a CAPTCHA after a failed login (but not the first one, because that's really annoying), will also stop brute-force attacks. [Thief Master]

  • If the admin section is in a separate subdirectory, you should consider also adding web server native authentication to that area (e.g. via .htaccess in Apache). Then an attacker would need both the subdirectory password and the user password. [Thief Master]

  • Consider second-level authentication such as client certificates (e.g. X.509 certs), smart cards, CardSpace, etc. [JoeGeeky]

  • Restrict access to the admin area. Only allow clients from trusted IPs/domains. [JoeGeeky]

  • Lock down IPrincipal and Principal-based authorization and make rights immutable and non-enumerable. Also make sure that all authorization assessments are based on the Principal. [JoeGeeky]

  • Set up an email notification system that alerts admins when any rights are upgraded. This will help you catch an attacker who elevates his/her rights. [JoeGeeky]

  • Consider fine-grained rights for admins. Typical role-based security (RBS) approaches are not as safe because some roles will end up with more rights than they need. You should distribute rights based on the exact actions that an admin performs. This could cause a lot of overhead with more diverse admin types, but it is safer because rights are issued more sparingly. [JoeGeeky]

  • Restrict the creation of further admins and carefully control what admins can do to other admins. It's best to have a locked-down 'super-admin' client. [JoeGeeky]

  • Consider client-side SSL certificates or RSA-type key fobs (electronic tokens) for added security. [Daniel Papasian]

  • If you're using cookies for authentication, use separate cookies for admin and normal pages. One way is to put the admin section on a different domain. [Daniel Papasian]

  • One possibility, if it's practical, is to put the admin site on a private subnet instead of the internet. [John Hartsock]

  • Re-issue auth/session tickets when moving between admin and normal usage contexts of the website. [Richard JP Le Guen]

  • Require equally strong mechanisms (using the above techniques) for basic users so that admins aren't the only ones with highly secure accounts. [Lo'oris]
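The three brute-force countermeasures in the list above (the artificial pause after each failed admin attempt, the IP block after repeated failures, and a CAPTCHA that is demanded only once a failure has occurred) fit naturally into a single login throttle. The code below is an added example written for this page, not code from the article or from the Stack Overflow answers it summarizes; the LoginThrottle and check_credentials names, the thresholds, the constructed admin record (using the article's own sample password) and the PBKDF2 iteration count are all assumptions.

```python
"""Login throttle for an admin page: artificial pause after each failure,
IP block after repeated failures, CAPTCHA required only after a failure.

Added example for this page, not code from the article. LoginThrottle,
check_credentials, the thresholds and the sample admin record are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Kept low so the example runs quickly; production should follow current
# OWASP guidance for PBKDF2-HMAC-SHA256 (hundreds of thousands of iterations).
PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed sample admin store: {username: (salt, hash)}. The password is
# the article's own example of a complex admin password.
_SALT = secrets.token_bytes(16)
ADMINS = {"alice": (_SALT, _hash("uvula{:&:>iuJ", _SALT))}
# Dummy record hashed for unknown usernames so a bad username costs the same
# time as a bad password (no user enumeration via response timing).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_urlsafe(16), _DUMMY_SALT))


def check_credentials(username: str, password: str) -> bool:
    salt, expected = ADMINS.get(username, _DUMMY)
    return hmac.compare_digest(_hash(password, salt), expected) and username in ADMINS


class LoginThrottle:
    """Outcomes of attempt(): "ok", "bad_credentials", "too_fast",
    "captcha_required", "ip_blocked"."""

    def __init__(self, clock=time.monotonic, max_ip_failures=5, window=600,
                 block_seconds=900, max_delay=30):
        self.clock = clock                      # injectable for deterministic tests
        self.max_ip_failures = max_ip_failures  # this many failures per IP within `window`...
        self.window = window
        self.block_seconds = block_seconds      # ...blocks the IP for this long
        self.max_delay = max_delay              # cap on the per-account pause (seconds)
        self._ip_failures = defaultdict(deque)  # ip -> failure timestamps
        self._ip_blocked_until = {}             # ip -> time the block expires
        self._acct_failures = defaultdict(int)  # username -> consecutive failures
        self._acct_next_allowed = {}            # username -> earliest next attempt

    def attempt(self, username, password, ip, captcha_ok=False):
        now = self.clock()
        if now < self._ip_blocked_until.get(ip, 0):
            return "ip_blocked"
        # Artificial pause: doubles with each consecutive failure on the account.
        if now < self._acct_next_allowed.get(username, 0):
            return "too_fast"
        # CAPTCHA only once this IP or this account has already failed,
        # never on the first attempt.
        self._prune(ip, now)
        if (self._ip_failures[ip] or self._acct_failures[username]) and not captcha_ok:
            return "captcha_required"
        if check_credentials(username, password):
            self._acct_failures[username] = 0
            self._acct_next_allowed.pop(username, None)
            return "ok"
        self._record_failure(username, ip, now)
        return "bad_credentials"

    def _prune(self, ip, now):
        # Forget IP failures older than the window.
        q = self._ip_failures[ip]
        while q and q[0] <= now - self.window:
            q.popleft()

    def _record_failure(self, username, ip, now):
        failures = self._acct_failures[username] + 1
        self._acct_failures[username] = failures
        self._acct_next_allowed[username] = now + min(2 ** (failures - 1), self.max_delay)
        q = self._ip_failures[ip]
        q.append(now)
        if len(q) >= self.max_ip_failures:
            self._ip_blocked_until[ip] = now + self.block_seconds
            q.clear()


if __name__ == "__main__":
    throttle = LoginThrottle()
    print(throttle.attempt("alice", "12345", "203.0.113.7"))
    print(throttle.attempt("alice", "uvula{:&:>iuJ", "203.0.113.7"))  # rejected: 1 s pause
```

The checks run in order of cost: a blocked IP or a too-early retry is refused before any password hashing happens, and the CAPTCHA is demanded only after at least one failure from that IP or against that account. The account-level pause is keyed on the username, so it slows an attacker spreading attempts across many IPs, while the IP block catches an attacker spraying many usernames from one address.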
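The separate-cookie, re-issue-on-context-change and trusted-IP tips above combine into one admin gate: the admin session lives in its own cookie scoped to the /admin path so it is never sent with ordinary page requests, the session ticket is rotated when the user enters or leaves the admin context, and every admin request is first checked against an allow-list of networks. This is an added example for this page, not the article's or the answerers' code; SessionStore, AdminGate, the cookie names and the sample networks are hypothetical.

```python
"""Admin session isolation: separate admin cookie scoped to /admin, session
tickets re-issued on entering and leaving the admin context, and an IP
allow-list at the admin gate.

Added example for this page, not code from the article. SessionStore,
AdminGate, the cookie names and the sample networks are hypothetical.
"""
import ipaddress
import secrets
from dataclasses import dataclass

USER_COOKIE = "sid"         # normal site session, Path=/
ADMIN_COOKIE = "admin_sid"  # admin session, Path=/admin, so the browser never
                            # attaches it to requests for ordinary pages


@dataclass
class Session:
    user: str
    is_admin: bool
    ip: str  # peer address the ticket was issued to


def set_cookie_header(name: str, value: str, path: str, max_age: int) -> str:
    """Set-Cookie value with the attributes an auth cookie should carry."""
    return f"{name}={value}; Path={path}; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> Session

    def issue(self, user, is_admin, ip):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, is_admin, ip)
        return token

    def get(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)

    def _require(self, token, ip, is_admin):
        sess = self._sessions.get(token)
        if sess is None or sess.ip != ip or sess.is_admin != is_admin:
            raise PermissionError("no valid session for this client")
        return sess

    def enter_admin(self, sid, ip):
        """Called after the admin has re-authenticated on the separate admin
        login page. The pre-elevation ticket is revoked, so a token captured or
        fixated earlier never turns into an admin ticket. Returns
        (new user ticket, admin ticket)."""
        sess = self._require(sid, ip, is_admin=False)
        self.revoke(sid)
        return self.issue(sess.user, False, ip), self.issue(sess.user, True, ip)

    def leave_admin(self, sid, admin_sid, ip):
        """Drop the admin ticket and rotate the user ticket on the way out."""
        sess = self._require(sid, ip, is_admin=False)
        self._require(admin_sid, ip, is_admin=True)
        self.revoke(admin_sid)
        self.revoke(sid)
        return self.issue(sess.user, False, ip)


class AdminGate:
    """Authorization check run in front of every /admin request."""

    def __init__(self, store, trusted_networks):
        self.store = store
        self.networks = [ipaddress.ip_network(n) for n in trusted_networks]

    def ip_trusted(self, ip):
        # `ip` must be the TCP peer address (or an address a *trusted* reverse
        # proxy vouches for), never a client-supplied X-Forwarded-For value.
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def authorize(self, cookies, ip):
        if not self.ip_trusted(ip):
            return False
        sess = self.store.get(cookies.get(ADMIN_COOKIE, ""))
        return sess is not None and sess.is_admin and sess.ip == ip


if __name__ == "__main__":
    store = SessionStore()
    gate = AdminGate(store, ["10.0.0.0/8", "192.0.2.0/24"])   # constructed sample networks
    sid = store.issue("alice", False, "192.0.2.10")
    sid, admin_sid = store.enter_admin(sid, "192.0.2.10")
    print(set_cookie_header(ADMIN_COOKIE, admin_sid, "/admin", 900))
    print(gate.authorize({ADMIN_COOKIE: admin_sid}, "192.0.2.10"))
```

Binding each ticket to the address it was issued to means a stolen admin cookie is useless from another host even inside a trusted network, and because the admin cookie carries Path=/admin it is never exposed to scripts or proxies handling the public part of the site. Putting the admin section on its own domain, as the list suggests, achieves the same separation at the origin level instead of the path level.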

These tips were gathered from a question asked by UpTheCreek on Stack Overflow.