2

I'm creating this admin dashboard, and I have a question which I have been stuck on for a while now. And I'm starting to question what kind of data the admin should be able to edit/view on the other registered users.

Should the admin users be able to:

  • Change the user's password?
  • Send a password-reset email to the user?
  • Change account information on the user (firstname, lastname, email)?

Just to mention this: the users have the possibility to click on "forgot password" on the login screen to request the password reset themselves. They also have the ability to change the account information themselves. Should I still implement some of this functionality on the admin side? Upsides / downsides to this?

user242001
  • 21
  • 1
  • 1
    Depends. [What is your threat model?](https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one) There is no one right answer to this question. Letting admins reset passwords can be a convenience that makes it easy to help users, or it can be a liability that (literally) results in hundred-million-dollar lawsuits. – Conor Mancone Aug 31 '20 at 10:13
  • @ConorMancone I will need to check out this threat model you're talking about and go from there. This is basically an admin dashboard for websites, blogs and such. I don't really know where the project is heading, I just thought I would ask the question so I was a little bit more sure of how I was going to do this. Will deffo check out the threat model and do some analysis. Thanks! – user242001 Aug 31 '20 at 15:48

3 Answers

0

It depends on the business context of the application. If these concerns are valid for the business context, perhaps you could split the admin role into two separate roles? Or implement a two man rule?

Saustin
  • 311
  • 1
  • 10
0

You should only implement a feature if you really need it. Fewer features will mean less code, and therefore you reduce the possibility of bugs and security issues. Only give admins the capabilities they really need, because of the principle of least privilege: if the admin account gets compromised, fewer privileges will mean less possible damage.

Most CMSs (Content Management Systems, like WordPress, Joomla, etc.) have several roles with different privileges, for example: guest, user, editor, vendor, administrator, super administrator, etc. The most privileged accounts are able to change almost everything, including first and last names, contact info, and passwords. Being able to change names, addresses, etc. is very useful in some cases, so that's probably a feature you will need. On the other hand, I'm not so sure about the need to change users' passwords. Technically it introduces the possibility of promoting some bad practices (like setting a password and then sending it via email or other insecure channels). However, I don't think it's a real security issue either, because changing a user's password is probably not the worst thing a compromised admin account would be able to do. In all the CMSs I've seen, an admin can actually install software at will (plugins and extensions), so I wouldn't worry about the ability to change users' passwords, generally speaking. In your specific case though, if you don't need this feature and you can avoid implementing it, do avoid it.

reed
  • 15,538
  • 6
  • 44
  • 65
-1

Should the admin users be able to change the user's password:

No, an administrator of a system should not be able to impersonate any user as this will result in false audit trails and logging.

Should the admin users be able to send password-reset email to the user?

If a proper password reset mechanism is in place, an administrative user should not be bothered with doing such tasks. In this case users can make a password reset request themselves.

Should the admin users be able to change account information on the user (first name, last name, email)?

Definitely not the email address, as this will cause issues for the end user with either logging in (if the email is used as the login name) or the password reset mechanism.

Also, I do not see a valid reason to change a user's first name and last name other than using capital letters. However, this could also be done programmatically during the signup process.

Jeroen
  • 5,813
  • 2
  • 19
  • 26
  • 1
    While I agree with some of your logic, I don't think this is a question with one definite answer. This is a case where a clear cost/benefit analysis is needed, and the answer varies. Having done a lot of tech support, it can save everyone a lot of trouble when support can help with some basic user maintenance. However, just how much they should be able to help with varies wildly depending on the site and system, what it does, and what user verification mechanisms the support team has available. – Conor Mancone Aug 31 '20 at 11:14
  • To wit: if I forget what email address I have associated with my online banking, I should be able to walk into my local bank, present a photo ID, and have them fix it for me. On the other end though, AT&T giving accounts to attackers because support didn't verify users has resulted in (literally) hundreds of millions of dollars in lawsuits. – Conor Mancone Aug 31 '20 at 11:16
  • In my opinion there is no reason for an administrator to change the password of a user when a (self) password reset mechanism is in place. In your scenario, from a support perspective, an administrator could log in using the credentials of the user and perform tasks on their behalf, which will mess up your audit trail and could potentially put the user at risk from a legal perspective. – Jeroen Aug 31 '20 at 12:00
  • Also, assuming that an administrator can reset a user's password without knowing their password, how does the user get this password to begin with? Sending this by email is another bad practice. – Jeroen Aug 31 '20 at 12:01
  • It doesn't actually mess up the audit record because the audit record will show the admin resetting the password, and then user actions from the admin's IP address. It will be clear what happened (for any reasonable auditing system). However, that's a moot point. Again, I don't actually disagree with what you say: I think many systems suffer from allowing admins to do too much (see my AT&T example above). However that doesn't change the fact that in many circumstances admin intervention can be safe, necessary, and even helpful (see my in-person bank example). – Conor Mancone Aug 31 '20 at 12:19
  • My point therefore is that the answer, like in many cases, definitely **depends on the circumstances**. Sometimes it can be done safely and is helpful to users. The OP may have such a use case. We don't really know because the OP did not provide enough details, and so your answer is not a good answer because it provides a one-size-fits-all approach to security. – Conor Mancone Aug 31 '20 at 12:20
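An added example, not code from the question or any of the answers, that puts the two points above (reed's least-privilege role split and Jeroen's objection to admins setting passwords outright) into working form: roles are granted explicit capabilities, no role can set a user's password, an admin can only trigger a single-use reset token whose plaintext is never shown to them, and every privileged action names the acting admin in the audit log. All role names, fields and functions are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role -> capabilities. Deliberately no role gets "set_password": the most an
# admin or support agent can do is trigger a reset link (hypothetical roles).
ROLE_CAPS: Dict[str, Set[str]] = {
    "user": {"edit_own_profile", "request_own_reset"},
    "support": {"view_profile", "send_reset_link"},
    "admin": {"view_profile", "send_reset_link", "edit_profile_name"},
}
AUDIT_LOG: List[dict] = []  # in a real system: an append-only store, not a list

@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None

def hash_value(s: str) -> str:
    # sha256 is fine for random tokens; passwords need a slow KDF (argon2/bcrypt).
    return hashlib.sha256(s.encode()).hexdigest()

def require(actor_role: str, cap: str) -> None:
    """Least privilege: refuse anything the role was not explicitly granted."""
    if cap not in ROLE_CAPS.get(actor_role, set()):
        raise PermissionError(f"role '{actor_role}' lacks capability '{cap}'")

def admin_send_reset_link(actor: str, actor_role: str, target: Account) -> str:
    """Admin-initiated reset: issue a single-use token, store only its hash,
    and record WHICH admin triggered it so the audit trail stays truthful."""
    require(actor_role, "send_reset_link")
    token = secrets.token_urlsafe(32)
    target.reset_token_hash = hash_value(token)
    AUDIT_LOG.append({"actor": actor, "action": "send_reset_link", "target": target.username})
    return token  # goes into the emailed link only; never shown to the admin or logged

def complete_reset(target: Account, token: str, new_password: str) -> bool:
    """Only whoever holds the emailed token can choose the new password."""
    if target.reset_token_hash is None:
        return False
    if not secrets.compare_digest(hash_value(token), target.reset_token_hash):
        return False
    target.password_hash = hash_value(new_password)  # swap for argon2/bcrypt in production
    target.reset_token_hash = None                   # single use
    AUDIT_LOG.append({"actor": target.username, "action": "reset_completed", "target": target.username})
    return True
```

The audit entries show the admin issuing the link and the user completing the reset as two distinct actors, which is what keeps the trail honest even when support intervenes.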