Base solution for your next web application
Open Closed

Security Question / Concern #6338


User avatar
0
jaycee26 created

Hi,

I would welcome any thoughts / opinions regarding a security concern with the template.

With a tenant in a multi-tenant setup, to a potential hacker there are three peices of unknon information - the Tenant ID, the user name and the password. However, the host tenant ID/name is 'blank' and cannot (to my understanding) be changed. So that is one variable less that a potential hacker needs to 'guess.' Second, the default admin user for all tenants is 'Admin' and that name cannot be changed (as far as I understand). So for access to the 'host' that in turn can gain access to all tenants just required a passowrd to be cracked/hacked. OK, that is not a simple task I agree but if three bits of information had to be known, then that would be significantly harder.

It therefore seems to be not following best practices by making 2 out of the three key bits of information clearly known (such as in these forums). It would not be so bad if we could easily change the host from a blank name to a unique tenant name, and be able to change 'Admin' to a named user with admin privelages that can be seeded with a new tenant through code - such as the user creating the new tenant.

Does anyone else share these concerns or am I being over sensitive!? Would welcome thoughts/comments.

Thanks


6 Answer(s)
  • User Avatar
    0
    jims created

    Changing the seed code might help to mitigate your concerns.

    HostRoleAndUserCreator.cs

    TenantRoleAndUserBuilder.cs

  • User Avatar
    0
    alper created
    Support Team

    Multiple attempts of wrong credentials input set the corresponding user as locked. I advice you to set a very strong password for your host admin. A "12 characters" password needs 2 centuries to be solved

    OR You can set the admin as passive and grant full permission to any host user.

  • User Avatar
    0
    jaycee26 created

    @jims - I have looked at both of those and while you can use those to change other elements of the Admin user such as first name, last name, email etc, you cannot change the user name which is set from AbpUserBase.AdminUserName and the ABP documentation states "UserName of the admin. admin can not be deleted and UserName of the admin can not be changed."

    @alper - of course you are correct from the perspective of a pure brute force attack. But that is not how sites are breached. Hackers can use a whole armoury of techniques from phishing to social engineering techniques to gain passwords. Once they have the password, they are in. Unless of course they also needd to know other secrets that where specific to that site, such as the host tenant ID and user name.

    For example, an online banking service would NEVER secure access to online accounts only using a password. The customer would also need to set other 'secrets'. These are not even bank account details such as account number or sort code, as these can be easily discovered. They are other secrets such as a user name, a passcode AND a password.

    So my main point is that ABP and ASPNET Zero is enforcing that on the template users. The ability to specificy a host tenant ID, or change the default Admin user name seems sensible, then it is the clients decision on if / how they use that ability. Especially if they are using the template for storing sensitive data (perssonal or financial or both) for other tenants.

    I will look in to the suggestion of making the 'Admin' passive and creating another user with full permissions which at least may give 2 out of 3 elements.

    Thanks

  • User Avatar
    0
    jaycee26 created

    I forgot to add that of course, there is also the option to enforce TFA on all host users. So I agree that while there are ways to make it 'secure' there are additional steps that could be taken to follow good/best practice that we cannot do due to those limitations.

  • User Avatar
    0
    ismcagdas created
    Support Team

    For such critical systems, TFA is a good option.

  • User Avatar
    0
    jaycee26 created

    Thanks @ismcagdas. I still think the ability to change the host name and default admin user would be a good future enhancement. however, I will close this off and leave that for the team to decide in the future.

    Thanks.