> On Sunday, November 18, 2007 5:20 AM Paul Jordan wrote:
>> We are only a small company and nobody *should* be trying to access the admin page from laptops or internet cafes. Restricting the IP range is a good idea, though I would have to allow some ISP dynamic ranges.
>>
>> suppressed wrote:
>>> On Saturday, November 17, 2007 5:45 PM Paul Jordan wrote:
>>>> I just thought it would be nice if there was a simple way to move admin pages from: www.websitedomain.com/admin to say: www.websitedomain.com/adminqwerty
>>>
>>> This really would not afford you much security.
>>
>> Why not? :-)
>
> Because the URL will be found. Do you have any mobile workers? If not, then only allow the office IP address - you're done. If you do, where do they go? Are laptop users careful? Do they all have secure Wifi at home if they are logging in? Do you have people travelling in small towns and out of country who will go to fly-by-night internet cafes, airports?
>
>> I agree that if I have to search for all the hardcoded references to /admin it may not be worth the effort
>
> If you are not locked down, then the effort is not worth the value. I did not say it was no security, just that it will not afford you much of it. For the same effort you can put in place a myriad of techniques and make it secure - and not just hiding.
>
>> I like the idea of texting a random code, for supporting on-the-road users (although we don't have this need at the moment).
>
> I put in place a random access code, for remote users who find themselves in a possibly compromised environment (hotel wifi, internet cafe, foreign country, etc). It text messages *only* a random code to the user's registered cell phone. The code is good, along with their username (which is not transmitted), for 5 minutes only; once logged in, it is instantly invalid. This is so they won't have to compromise their password when out of the office/home. The only way into that system is by someone who knows you, and really really wants to get in. The system also requires it to be turned on, so if you are going somewhere, you have to enable it first, for yourself; otherwise, you have to call in and have an admin enable it. That system also has dual logins, so we can see where snoops were. For example, the first password is just that, but it only gets you to another login page :-) The random access codes are archived with a creation date, so that if they are used later, we can track where the user was - say at an internet cafe in Boise. We know that place was compromised. That user then has to change their primary password, as punishment for being an idiot. It works well, as #1 we don't want anyone that can steal a mobile phone to have access to the system, #2 we want to know where leaks are, and #3, we want users to change their passwords now and then. clinck-clinck!
>
> Anyways, putting in place valid security will require less (read no) maintenance than changing and (inevitably) changing again, page locations. The page will be found. No, I am not paranoid, but here's some advice - Trust No One 8-)

OK, but maybe a little bit more paranoid than me :-)
Anyway, thanks for your suggestions - I'll consider them :-)
_______________________________________________ interchange-users mailing list suppressed http://www.icdevgroup.org/mailman/listinfo/interchange-users
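The single-use text-message code scheme described in the quoted reply above (a code texted on its own, tied to a username that is never sent, good for 5 minutes, dead once used, only issued when remote access has been switched on beforehand, and archived with its creation date so that a later replay points at the place it was captured), written out as an added example. This is not code from the thread or from Interchange; the in-memory storage, the HMAC used to store codes at rest, the limit on wrong guesses, the sample users, phone numbers and IP addresses, and every function and class name here are assumptions of the example.

```python
# Added example, not code from this thread or from Interchange: a single-use,
# time-limited remote access code of the kind the post describes. The 5-minute
# lifetime, the enable-before-use switch, texting only the code, and archiving
# codes with their creation date follow the post; the in-memory storage, the
# HMAC at rest, the guess limit and every name here are assumptions.
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

CODE_TTL_SECONDS = 300      # "good ... for 5 minutes only"
MAX_FAILED_GUESSES = 5      # assumption: an 8-digit code must not be guessable online


@dataclass
class User:
    username: str
    phone: str
    remote_enabled: bool = False    # the user or an admin turns this on beforehand


@dataclass
class IssuedCode:
    username: str
    code_mac: str                   # HMAC of the code: a leaked archive reveals no codes
    created_at: float               # creation date, kept so a later replay can be traced
    used_at: Optional[float] = None
    used_from: Optional[str] = None
    failures: int = 0


class RemoteAccess:
    def __init__(self, users, send_sms: Callable[[str, str], None],
                 server_key: bytes, clock: Callable[[], float]):
        self.users = {u.username: u for u in users}
        self.send_sms = send_sms    # an SMS gateway in practice; a stub in demo()
        self.key = server_key
        self.clock = clock          # injectable so expiry can be exercised offline
        self.archive: list[IssuedCode] = []
        # every redemption attempt: (username, source_ip, time, outcome, matched record)
        self.attempts: list[tuple] = []

    def _mac(self, code: str) -> str:
        return hmac.new(self.key, code.encode(), "sha256").hexdigest()

    def issue(self, username: str) -> bool:
        """Generate a code, archive it, and text the code alone to the user."""
        user = self.users.get(username)
        if user is None or not user.remote_enabled:
            return False            # not switched on: the user has to call an admin
        code = f"{secrets.randbelow(10**8):08d}"
        self.archive.append(IssuedCode(username, self._mac(code), self.clock()))
        self.send_sms(user.phone, code)     # the username is never transmitted
        return True

    def redeem(self, username: str, code: str, source_ip: str) -> bool:
        """Accept a code once, within its lifetime, for the matching username only."""
        now, mac, outcome, hit = self.clock(), self._mac(code), "bad", None
        for rec in self.archive:
            if rec.username != username or not hmac.compare_digest(rec.code_mac, mac):
                continue
            hit = rec
            if rec.used_at is not None:
                outcome = "reused"          # a spent code shown again: it was captured
            elif now - rec.created_at > CODE_TTL_SECONDS:
                outcome = "expired"
            elif rec.failures >= MAX_FAILED_GUESSES:
                outcome = "locked"
            else:
                rec.used_at, rec.used_from, outcome = now, source_ip, "ok"
            break
        if hit is None:             # wrong guess: count it against every live code
            for rec in self.archive:
                if rec.username == username and rec.used_at is None:
                    rec.failures += 1
        self.attempts.append((username, source_ip, now, outcome, hit))
        return outcome == "ok"

    def compromised_locations(self, username: str) -> list[str]:
        """Where each later-replayed code was first redeemed, in order, no repeats."""
        return list(dict.fromkeys(rec.used_from for user, _, _, outcome, rec in self.attempts
                                  if user == username and outcome == "reused"))


def demo() -> dict:
    """Constructed scenario: a replayed code, an expired code and a guessed-at code."""
    sent, clock = [], [1_200_000_000.0]
    ra = RemoteAccess([User("alice", "+15555550100", True), User("bob", "+15555550101")],
                      lambda phone, msg: sent.append(msg), b"constructed-key", lambda: clock[0])
    bob = ra.issue("bob")                                      # False: not enabled
    ra.issue("alice")
    first = ra.redeem("alice", sent[-1], "203.0.113.7")        # True
    replay = ra.redeem("alice", sent[-1], "198.51.100.9")      # False: already spent
    ra.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1
    late = ra.redeem("alice", sent[-1], "203.0.113.7")         # False: expired
    ra.issue("alice")
    for _ in range(MAX_FAILED_GUESSES):                        # online guessing
        ra.redeem("alice", f"{(int(sent[-1]) + 1) % 10**8:08d}", "192.0.2.5")
    locked = ra.redeem("alice", sent[-1], "192.0.2.5")         # False: code locked
    return {"bob": bob, "first": first, "replay": replay, "late": late, "locked": locked,
            "compromised": ra.compromised_locations("alice"),
            "outcomes": [a[3] for a in ra.attempts]}
```

Two points the post leaves implicit are made explicit here. A code stored in clear in the archive is only as safe as the archive, so the archive keeps an HMAC under a server-side key and compares it in constant time. And an 8-digit code valid for five minutes is guessable online if the server answers unlimited attempts, so wrong guesses are counted against every outstanding code for that user and the code is refused once the limit is hit; `compromised_locations()` is the "we know that place was compromised" step, returning the address from which a later-replayed code was originally redeemed.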