[ic] Moving the admin interface to a different url

Paul Jordan jordan at gishnetwork.com
Sun Nov 18 00:20:38 EST 2007


interchange-users-bounces at icdevgroup.org wrote:
> On Saturday, November 17, 2007 5:45 PM Paul Jordan wrote:
> 
>>> I just thought it would be nice if there was a simple way to move
>>> admin pages from: www.websitedomain.com/admin
>>> to say:
>>> www.websitedomain.com/adminqwerty
>> 
>> 
>> This really would not afford you much security.
>> 
> Why not?  :-)


Because the URL will be found. Do you have any mobile workers? If not, then only
allow the office IP address - you're done. If you do, where do they go? Are
laptop users careful? Do they all have secure Wifi at home if they are logging
in? Do you have people travelling in small towns and out of country who will go
to fly-by-night internet cafes, airports?

There are countless ways for any amount of "workers" to leave trails or be
careless. I never ever trust internet cafes, even well known ones. I don't
trust the employees. Anyone with half a brain would just install keyloggers
on the PCs and retrieve a WEALTH of information. After all, many many people
use the same passwords for everything. If you have their email address &
password, you probably could discern quite a bit, especially after reading their
email :-)

So, if you are locked down, you really don't have anything to worry about; there
are much easier, bulletproof ways to go about it.

If you are not locked down, then the effort is not worth the value. I did not
say it was no security, just that it will not afford you much of it. For the
same effort you can put in place a myriad of techniques and make it secure - and
not just hiding.

I put in place a random access code, for remote users who find themselves in a
possibly compromised environment (hotel wifi, internet cafe, foreign country,
etc). It text messages *only* a random code to the user's registered cell phone. The
code is good, along with their username (which is not transmitted), for 5 minutes
only; once logged in, it is instantly invalid. This is so they won't have to
compromise their password when out of the office/home. The only way into that
system is by someone who knows you, and really really wants to get in. The
system also requires it to be turned on, so if you are going somewhere, you
have to enable it first, for yourself; otherwise, you have to call in and have
an admin enable it. That system also has dual logins, so we can see where snoops
were. For example, the first password is just that, but it only gets you to
another login page :-) The random access codes are archived with a creation
date, so that if they are used later, we can track where the user was - say at
an internet cafe in Boise. We know that place was compromised. That user then
has to change their primary password, as punishment for being an idiot.

It works well, as #1 we don't want anyone that can steal a mobile phone to have
access to the system, #2 we want to know where leaks are, and #3, we want users
to change their passwords now and then.

clinck-clinck!

Anyways, putting in place valid security will require less (read: no) maintenance
than changing, and (inevitably) changing again, page locations.

The page will be found.

No, I am not paranoid, but here's some advice - Trust No One

8-)

Paul Jordan

Gish Network
  For Print, Web and Life
  paul at gishnetwork.com
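As an added example (not Paul's code, and not part of Interchange), a Python sketch of the access-code scheme the post describes: a code is issued only if the user has enabled remote access beforehand, only the code itself goes over the text message, it is valid for five minutes and a single login, and every code is archived with its creation time and where it was redeemed so a later compromise can be traced back. The `send_sms` callback, the eight-character code alphabet and the sample phone number and IP addresses are assumptions constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

CODE_TTL_SECONDS = 5 * 60  # the post: code is good for five minutes only
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed: no look-alike chars


@dataclass
class User:
    name: str
    phone: str
    remote_access_enabled: bool = False  # must be switched on before travelling


@dataclass
class AccessCode:
    user: str
    code: str
    created: float
    used_at: Optional[float] = None
    used_from: Optional[str] = None  # where it was redeemed, kept for the audit trail


class RemoteAccess:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms  # hypothetical callback: send_sms(phone, message)
        self.clock = clock
        self.users: Dict[str, User] = {}
        self.archive: List[AccessCode] = []  # every code ever issued stays here

    def issue(self, username: str) -> bool:
        user = self.users[username]
        if not user.remote_access_enabled:
            return False  # neither the user nor an admin enabled it first
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        self.archive.append(AccessCode(username, code, self.clock()))
        self.send_sms(user.phone, code)  # only the code is transmitted, never the username
        return True

    def redeem(self, username: str, code: str, client_ip: str) -> bool:
        now = self.clock()
        for entry in self.archive:
            if entry.user != username or entry.used_at is not None:
                continue  # wrong user, or already spent (single use)
            if now - entry.created > CODE_TTL_SECONDS:
                continue  # expired; left in the archive for later tracing
            if hmac.compare_digest(entry.code.encode(), code.encode()):
                entry.used_at, entry.used_from = now, client_ip
                return True
        return False

    def users_seen_from(self, client_ip: str) -> List[str]:
        """Users whose codes were redeemed from one address (the 'cafe in Boise' check)."""
        return [e.user for e in self.archive if e.used_from == client_ip]
```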