How to change admin folder name?!

Topics: Core, Customizing Orchard
Jul 3, 2012 at 7:16 PM
Edited Jul 3, 2012 at 7:16 PM

Hi folks,

I was wondering how I can change the admin folder name. I've already found the corresponding Routes.cs, but also noticed some modules directly using Admin in the route.

Isn't there any way to get the admin folder name changed? If not, it really should be considered for one of the next versions, as that's a slight security issue, because a bad visitor would always try the admin name before anything else.

Regards
Thomas

Coordinator
Jul 4, 2012 at 5:32 AM

You can't. Sorry. But there is no security issue there.

Jul 7, 2012 at 2:47 PM

Still it would be nice if that folder's name could be customizable. Would it work somehow if I catch the route in a module before the controller is loaded and parse the response for changing the admin folder name? If so, where would the best place be for a module to hook in?

Regards,
Thomas

Jul 10, 2012 at 9:35 AM
Sounds like URL rewriting would be suitable. Here's a great post on the difference between Routing and Rewriting and when to use what: http://learn.iis.net/page.aspx/496/iis-url-rewriting-and-aspnet-routing/

In your case, you'd basically want to set up two (sets of) rules:

/unguessable --> /admin
/admin --> /error

This rewriting would happen before MVC assigns a controller to handle the request and thus you should be good.

Cheers, Oliver
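The two rule sets described in the post above, written as IIS URL Rewrite rules for web.config. This is an added example, not part of the original thread or of Orchard; `unguessable` is the thread's placeholder path, the rule names are made up here, and it assumes the IIS URL Rewrite module is installed and the file sits at the site root.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1 runs first, against the URL the client actually sent.
             Direct requests for /admin (any case, any sub-path) get a 404
             and never reach ASP.NET routing. -->
        <rule name="BlockDirectAdmin" stopProcessing="true">
          <match url="^admin(/.*)?$" ignoreCase="true" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The requested resource was not found." />
        </rule>

        <!-- Rule 2 maps the alias onto the real admin path on the server side
             (a rewrite, not a redirect, so the client never sees /admin).
             {R:1} carries over the sub-path; the query string is appended by
             default. Because this rule comes after the block rule and stops
             processing, the rewritten admin/... URL is not re-evaluated by
             rule 1. Reversing the order without stopProcessing would make the
             alias return 404 as well. -->
        <rule name="AliasToAdmin" stopProcessing="true">
          <match url="^unguessable(/.*)?$" ignoreCase="true" />
          <action type="Rewrite" url="admin{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

These are inbound rules only: links and redirects that the application itself generates still point at /admin, so they would hit the 404 rule unless they are rewritten as well. The alias changes which path reaches the admin controllers, not who is allowed to use them; authentication and authorization on those controllers are unchanged.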


Coordinator
Jul 10, 2012 at 10:06 AM

Please note that security is an extremely bad reason to do that. Security by obscurity is one of the worst ideas there are.

Jul 10, 2012 at 10:27 AM
bertrandleroy wrote:

Please note that security is an extremely bad reason to do that. Security by obscurity is one of the worst ideas there are.

Only if you rely on obscurity on its own. In addition to other security mechanisms and rules it is just one more feature for a secure system. Don't you think?!

Jul 10, 2012 at 10:31 AM
_oliver_ wrote:
Sounds like URL rewriting would be suitable. Here's a great post on the difference between Routing and Rewriting and when to use what: http://learn.iis.net/page.aspx/496/iis-url-rewriting-and-aspnet-routing/
In your case, you'd basically want to set up two (sets of) rules:
/unguessable --> /admin
/admin --> /error
This rewriting would happen before MVC assigns a controller to handle the request and thus you should be good.

Under circumstances where static rewriting would do the job I would agree. But as I'd like to get it done dynamically, so one can configure it either on the backend or in web.config or such, I would prefer to realize it inside the assembly and not the server.

Coordinator
Jul 11, 2012 at 2:47 PM

Security by obscurity is frowned upon because it is actively detrimental to security: it gives an illusion of security and hides the real risks.

http://en.wikipedia.org/wiki/Security_through_obscurity

Jul 11, 2012 at 2:51 PM
Edited Jul 14, 2012 at 5:44 PM

Ok, let’s start the flame war :-P

No honestly, as said I absolutely agree with you, but still it would be nice to have it changeable ;o)

Coordinator
Jul 11, 2012 at 3:44 PM

Yes, we've had the request a couple of times, but it's harder than it seems, and very low-priority.

Jul 11, 2012 at 3:50 PM
Edited Jul 14, 2012 at 5:44 PM

I agree about priority! Is there some code/repository somewhere that you or someone else started already? I may find time at the end of the year to look at it a bit deeper, and until then I should also have worked enough with the Orchard framework to get that done.

Regards
Thomas

Coordinator
Jul 11, 2012 at 5:57 PM

Not that I know of, no.

Jan 4, 2015 at 3:58 PM
The OP's request was to augment security by using obscurity, and even the Wikipedia article indicates that's okay. It's only when obscurity is relied upon that it is a bad idea. Knowing the URL for the admin area of a site gets the hacker past step one. Why give a hacker that sort of help?

From that Wikipedia article:

A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

So I too would welcome the feature to be able to customize the route.