Initial DotNetNuke Setup - Host & Admin Security (Part Deux)
Friday, July 14, 2006
While performing some upgrades after finding out that the FCKeditor integration for DotNetNuke has been released, I realized that I forgot something in my original blog on this topic.
While it is best to create the default admin account and host account with names other than the default "admin" and "host" usernames, you should also do one more thing throughout the lifetime of the portal implementation. While for most of you this may go without saying and it may also seem like web development 101 or computer user 101, for others it will not be.
Once your DNN portal is set up, configured, and deployed, you should only log in using the Host or Superuser account when it is required from that point forward. The reason is that every time you log in to the DNN portal, you are sending your login credentials as clear text across the internet. Some of you may be using encryption tools in conjunction with your login form, but if the right bot captures 3 or more of the same login it is quite realistic that your login will be compromised.
I know that many of you are now saying something like, "what are the chances of that?!" You're right to assume that the chances are low, but I would rather not live through the hassle of trying to break into the DNN portal after a malicious break-in by an outside user. Should your superuser account be compromised, the offending party will have COMPLETE control over your portal instance and all the sites and user information that are contained therein.
So, as a rule of thumb and to sum this all up:
- Change the default "admin" and "host" usernames.
- Only log in to your portal using the host/superuser account if you specifically need to access something in the Host Menu.
- Periodically change your password. A good practice is at least once every two months, but the more frequent, the better.
- Periodically check the Log Viewer in the Admin Menu to see if there are suspicious attempts at logging in to the web site. (Filter the log by "Login Failure" or "Login - superuser" types for easier reading.)
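
As an added example (not from the original post and not DotNetNuke code), the check in the last bullet can be scripted over an export of the log. The pipe-delimited layout, the timestamp and source IP fields, the sample rows and the `known_ips` allow list are all assumptions constructed for illustration; only the two log type names come from the Log Viewer filter mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed layout: time|log type|username|source IP).
SAMPLE_LOG = """\
2006-07-14 02:10:01|Login Failure|siteowner|203.0.113.7
2006-07-14 02:10:09|Login Failure|siteowner|203.0.113.7
2006-07-14 02:10:15|Login Failure|portalroot|203.0.113.7
2006-07-14 02:10:22|Login Failure|portalroot|203.0.113.7
2006-07-14 02:10:30|Login Failure|portalroot|203.0.113.7
2006-07-14 02:11:02|Login - superuser|portalroot|203.0.113.7
2006-07-14 09:00:00|Login Failure|editor1|198.51.100.20
2006-07-14 09:30:00|Login - superuser|portalroot|198.51.100.5
"""

def parse_log(text):
    """Return sorted (time, log_type, username, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        if len(parts) == 4:
            events.append((when, *parts[1:]))
    return sorted(events)

def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with `threshold` or more login failures inside any `window`."""
    by_ip = defaultdict(list)
    for when, log_type, _user, ip in events:
        if log_type == "Login Failure":
            by_ip[ip].append(when)
    return {ip for ip, t in by_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def suspicious_superuser_logins(events, known_ips, threshold=5):
    """Superuser logins from a failure-burst source or from outside `known_ips`."""
    bursting = failure_bursts(events, threshold)
    hits = []
    for when, log_type, user, ip in events:
        if log_type == "Login - superuser" and (ip in bursting or ip not in known_ips):
            reason = "failure-burst source" if ip in bursting else "unrecognised source"
            hits.append((when, user, ip, reason))
    return hits
```

A superuser login that shares a source with a burst of failures is the entry to look at first; a single failed login from a known editor is not flagged.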