Easily Customisable "Admin" location


https://forum.kartris.com/Topic6676.aspx

By Cognicom - Wed 10 Aug 2016
I'm in the process of tinkering with Kartris to confirm suitability for a particular customer (who in turn will pay for a licence once the project is at least mid-way), and am surprised by the lengths one has to go to in order to customise the URL of the "admin" folder.

I've created and/or maintained several cart solutions in the past and all had very simple methods of re-naming/moving the administrative functionality - either simply re-naming the folder, or changing a configuration entry and then re-naming it. Some have even allowed re-naming of the administrative home page (to something other than "Default" or "Index").

It strikes me as a rather obvious addition to security measures - potential hackers will always try "/Admin", but the chances of them trying "/SomeRandomFolder/SomeRandomFile.aspx" would be pretty slim (unless they've gained control of the server or the admin's computer by other means, in which case it's already too late).

I know I can lunge in there with VisualStudio (or even a decent text editor) to make the required changes, but I'd like to suggest for your next iteration that you include a "quick 'n' easy" method of changing the admin home location - and perhaps (as a couple of other carts have done) even force the selection of a custom name during the installation process.
By Paul - Wed 10 Aug 2016
Renaming the admin folder is a very weak way to protect it, so weak as to be of very little use from a security point of view. Search engines will find it, even if there are no links, because various browsers and plugins will pass URLs back to their servers for various reasons, thus revealing the location to them. You can stop the SE indexing it of course with a robots.txt file, but it defeats the whole object (it would be a bit like posting a note outside your house telling people not to look under the rock next to your back door, which of course only alerts people with bad intent of the places they should be looking).

The best way to improve the security of the site back end (aside from choosing good strong passwords) is IP restriction. Effectively, limit access to /admin to only a list of permitted IP addresses or ranges. If you have a fixed IP, as most companies do, this is simple, but you probably also want to be able to access the back end from home or while travelling when you might not have a fixed IP. In this case, a VPN service that provides you with a fixed or narrow IP range is perfect. These are pretty cheap (typically 50 bucks or so per year) and mean that wherever you travel, you can access the site because the site sees the IP of the VPN server, not your actual internet connection.

There are two ways to IP restrict access to the admin section. We have support built into the Kartris web config for this:

http://userguide.kartris.com/Default.aspx?headID=35

However, you can also set this up from within IIS if you have full admin access. That's better technically, because it's done at the web server, so requests from IPs outside the permitted ranges just get rejected and never even hit Kartris.

This method provides really sound security because even if someone knows the location of the back end and a username and password, they still could not access the back end unless they are connecting from one of the permitted IPs or ranges.
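The IIS-level restriction Paul describes, as an added example that is not part of the original thread or of Kartris's own configuration. It is a web.config fragment for the IIS "IP and Domain Restrictions" module (system.webServer/security/ipSecurity), scoped with a <location> element so that only the back end is restricted. The folder name "admin", the single office address 203.0.113.10 and the VPN range 198.51.100.0/24 are assumptions for illustration; substitute your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Kartris's own web.config.
     Assumed: back end under /admin; permitted sources are one fixed office
     address (203.0.113.10) and a VPN provider's range (198.51.100.0/24). -->
<configuration>
  <!-- Scope the rules to the admin folder only; the public shop stays open. -->
  <location path="admin">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" turns the list into an allowlist: any client
             not matched below gets an HTTP 403.6 from IIS itself, before the
             request is handed to the Kartris application. -->
        <ipSecurity allowUnlisted="false">
          <clear />
          <!-- Single fixed address (no subnetMask = this one host only). -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- Whole /24 range, e.g. the exit addresses of a fixed-IP VPN. -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before relying on this. First, the "IP and Domain Restrictions" role service must be installed, and the ipSecurity section is locked at the server level by default, so the site-level web.config is ignored until it is unlocked (for example with appcmd: `appcmd unlock config /section:system.webServer/security/ipSecurity`). Second, the rule matches the address IIS sees on the TCP connection: if the site sits behind a reverse proxy, load balancer or CDN, that will be the proxy's address for every visitor, and the restriction has to be enforced at the proxy instead. Test from the permitted address first, and keep a way onto the server (RDP or console) that does not go through /admin, so a typo in the allowlist cannot lock you out.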
By Cognicom - Thu 11 Aug 2016
Thanks, Paul.

Loving your work, both in development and in support.