确保网站管理部分安全的最佳做法是什么?

我想知道人们认为保护网站管理部分的最佳做法是什么,特别是从认证/访问的角度来看。

当然,还有一些显而易见的事情,比如使用 SSL 和记录所有访问,但是我想知道,在这些基本步骤之上,人们认为应该在哪里设置工具条。

例如:

  • 您是否仅仅依赖于与普通用户相同的身份验证机制? 如果不是,那么是什么?
  • 您是否在同一个“应用程序域”中运行管理部分?
  • 你采取了哪些步骤使管理部分不被发现? (或者你拒绝整个“模糊”的事情)

到目前为止,来自答案的建议包括:

  • 在每个管理员密码检查中引入一个人为的服务器端暂停,以防止暴力攻击 [显影艺术]
  • 使用相同的 DB 表为用户和管理员使用单独的登录页面(以停止 XSRF 和授予对管理区域的访问权限的会话窃取) [小偷大师]
  • 还可以考虑在管理区域(例如 via. htaccess)添加 webserver 本机身份验证
  • 考虑在多次管理员登录尝试失败后阻止用户 IP
  • 在管理员登录尝试失败后添加 captcha
  • 为用户和管理员提供同样强大的机制(使用上述技术)(例如,不要特别对待管理员) [洛奥里斯]
  • 考虑二级身份验证(例如客户证书、智能卡、卡空间等) [ JoeGeeky ]
  • 只允许从受信任的 IP/域访问,如果可能的话,将检查添加到基本的 HTTP 管道(通过例如 HttpModule)
  • [ ASP.NET ]锁定 IPrime & Prime (使它们成为不可变和不可枚举的) [ JoeGeeky ]
  • 联邦权利提升-例如,当任何管理员的权利升级时,给其他管理员发电子邮件。 [ JoeGeeky ]
  • 考虑管理员的细粒度权限——例如,不是基于角色的权限,而是为每个管理员 [ JoeGeeky ]的个人操作定义权限
  • 限制管理员的创建-例如,管理员不能更改或创建其他管理员帐户。为此使用一个锁定的“超级管理”客户端。[ JoeGeeky ]
  • 考虑客户端 SSL 证书或 RSA 类型的密钥托盘(电子令牌) [ Daniel Papasian ]
  • 如果使用 Cookie 进行身份验证,可以在管理页面和普通页面使用不同的 Cookie,例如,将管理部分放在不同的域上。[ Daniel Papasian ]
  • 如果可行的话,考虑将管理站点保持在私有子网上,远离公共互联网
  • 当在网站 [ Richard JP Le Guen ]的管理/正常使用上下文之间切换时,重新发放授权/会话票据
21609 次浏览
小开

Have a good admin password.

Not "123456" but a sequence of letters, digits and special characters long enough, say, 15-20 characters. Like "ksd83,'|4d#rrpp0%27&lq(go43$sd{3>".

Add a pause for each password check to prevent brute force attack.

小开

If the website requires a login for both regular activities and admins, e.g. a forum, I'd use separate logins which use the same user database. This ensures that XSRF and session-stealing won't allow the attacker to access administrative areas.

Additionally, if the admin section is in a separate subdirectory, securing that one with the webserver's authentication (.htaccess in Apache for example) might be a good idea - then someone needs both that password and the user password.

Obscuring the admin path yields almost no security gain - if someone knows valid login data he's most likely also able to find out the path of the admin tool since he either phished it or keylogged you or got it via social engineering (which would probably reveal the path, too).

A brute-force protection like blocking the user's IP after 3 failed logins or requiring a CAPTCHA after a failed login (not for the first login as that's just extremely annoying for legit users) might also be useful.

小开
  • I reject obscurity
  • Using two authentication systems instead of one is overkill
  • The artificial pause between attempts should be done for users too
  • Blocking IPs of failed attempts should be done for users too
  • Strong passwords should be used by users too
  • If you consider captchas ok, guess what, you could use them for users too

Yes, after writing it, I realize that this answer could be summarized as a "nothing special for the admin login, they are all security features that should be used for any login".

小开
最佳答案

These are all good answers... I generally like to add a couple additional layers for my administrative sections. Although I've used a few variations on a theme, they generally include one of the following:

  • Second level authentication: This could include client certificates (Ex. x509 certs), smart cards, cardspace, etc...
  • Domain/IP restrictions: In this case, only clients coming from trusted/verifiable domains; such as internal subnets; are allowed into the admin area. Remote admins often go through trusted VPN entrypoints so their session would be verifiable and is often protected with RSA keys as well. If you're using ASP.NET you can easily perform these checks in the HTTP Pipeline via HTTP Modules which will prevent your application from ever receiving any requests if security checks are not satisfied.
  • Locked down IPrincipal & Principal-based Authorization: Creating custom Principles is a common practice, although a common mistake is making them modifiable and/or rights enumerable. Although its not just an admin issue, it's more important since here is where users are likely to have elevated rights. Be sure they're immutable and not enumerable. Additionally, make sure all assessments for Authorization are made based on the Principal.
  • Federate Rights Elevation: When any account receives a select number of rights, all the admins and the security officer are immediately notified via email. This makes sure that if an attacker elevates rights we know right away. These rights generally revolve around priviledged rights, rights to see privacy protected information, and/or financial information (e.g. credit cards).
  • Issue rights sparingly, even to Admins: Finally, and this can be a bit more advanced for some shops. Authorization rights should be as discreet as possible and should surround real functional behaviours. Typical Role-Based Security (RBS) approaches tend to have a Group mentality. From a security perspective this is not the best pattern. Instead of 'Groups' like 'User Manager', try breaking it down further (Ex. Create User, Authorize User, Elevate/Revoke access rights, etc...). This can have a little more overhead in terms of administration, but this gives you the flexibility to only assign rights that are actually needed by the larger admin group. If access is compromised at least they may not get all rights. I like to wrap this in Code Access Security (CAS) permissions supported by .NET and Java, but that is beyond the scope of this answer. One more thing... in one app, admins cannot manage change other admin accounts, or make a users an admin. That can only be done via a locked down client which only a couple people can access.
小开

Here are some other things to consider:

  1. One option to consider, especially if you manage the admin's computers or they are technically competent, is to use something based on SSL certificates for client authentication. RSA keyfobs and whatnot can also be used for added security.
  2. If you're using cookies at all - perhaps for an authentication/session token - you probably want to ensure that the cookies are only sent to the admin pages. This helps mitigate the risks posed to your site by stealing cookies, by either layer 1/2 compromise or XSS. This can be done easily by having the admin portion being on a different hostname or domain as well as setting the secure flag with the cookie.
  3. Restricting by IP can be smart as well, and if you have users throughout the internet you can still do this, if there is a trusted VPN that they can join.
小开

It very much depends on what kind of data you want to protect (legal requirements and such).

  • Alot of suggestions is about authentication.. I think you just should consider using OpenId / Facebook authentication as login. (They will most likely spend more resources on authentication security then you)

  • Save changes as well as updating values in the database. That way you can rollback changes from user X or between date X and Y.

小开

If you do use only a single login for users who have both normal-user privileges and admin privileges, regenerate their session identifier (be it in a cookie or a GET parameter or whatever...) when there is a change in the level of priviledge... at the very least.

So if I log in, do a bunch of normal user stuff and then visit an admin page, regenerate my session ID. If I then navigate away from an admin page(s) to a normal user page, regenerate my ID again.

小开

The strict way is to have two complete different "farms" including databases, servers and all and move the data from one farm to the other. Most modern, large scale, systems use this approach (Vignette, SharePoint, etc.). It's normally refered to as having different stages "editing stage" -> "preview stage" -> "delivery stage". This method lets you treat content/config the same way you treat code (dev->qa->prod).

If you are less paranoid you can have a single database but only have your admin section available on the "editing" servers. I mean, only have the editing scripts/files placed on the editing server.

Naturally the editing stage should only be available on a local intranet and/or using a VPN.

This may seem a bit of an overkill and may not be the easiest solution for all usage cases, but it is definetly the most robust way of doing things.

Note that things like "have strong admin passwords" are nice, but still leave your admin open to smart attacts of all sorts.

小开

We use Windows Authentication for admin access. This is most practical way of protecting admin areas while keeping the authentication seperate from what applies to general end-users. The system admin manages the Admin user access credentials and enforces password policies on the domain user account.

小开

Add a password field and a security question that the Administrator will know, e.g. what was your first girlfriend name, or randomize the questions everytime viewing the admin panel.

Perhaps you could always put the administration section in a big directory, e.g.

http://domain.com/sub/sub/sub/sub/sub/index.php

But that's not really good hah.

Perhaps you could include a query string in the home page, like:

http://domain.com/index.php?display=true

When it does, the username and password field will appear.

小开

I didn't notice anyone mention storage/validation of the admin password. Please please please do not store the PW in plain text, and preferably not even something that can be reversed - use something like a salted MD5 hash so that at the very least if someone happens to retrieve the stored "password" they don't have anything terribly useful, unless they also have your salt scheme.


提交答案