Admin account restriction

5 posts by 3 authors in: Forums > CMS Builder
Last Post: November 5, 2014

By ht1080z - October 21, 2014

Hi,

I need to restrict the admin account use / change on one of my installations.

Can I permanently delete or hide the admin account from phpMyAdmin (backing up the accounts table first) and restrict the admin account use like this?

My concern is that if somebody changes the email of the admin account from phpMyAdmin, they can easily request a password reset for the new email and gain admin-level privileges in cmsBuilder.

Any suggestion on this?

Thank you in advance,
Karls

Hi Karls,

I really don't recommend deleting all of the admin accounts, but I've done a quick test, and it looks like you could theoretically do it, and it doesn't look like it has any effect on the behavior of the CMS (with the exception of not being able to log in). However, there could be edge cases that my testing didn't cover that could cause issues.

If someone gained access to phpMyAdmin, they could just add another record to the accounts section, even if the current one was deleted, then reset its password.

I think a better option would be to ensure you make phpMyAdmin as secure as possible. For example:

  • Minimize the number of accounts that can log in to phpMyAdmin.
  • Change the default phpMyAdmin URL path (example.com/phpmyadmin) to something else.
  • Ensure that accounts that can log in to phpMyAdmin have long, secure passwords.

Also, if you're running the latest version of CMS Builder, if you go to the General Settings tab, it will list ways you can make your installation as secure as possible.

Let me know if you have any questions.

Thanks,

Greg

Greg Thomas
PHP Programmer - interactivetools.com
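Greg's point that the real exposure is a change made on the phpMyAdmin side (a new row in the accounts table, or an edited admin email that redirects a password reset) suggests a simple defender-side check: keep a baseline export of the accounts table and diff the current table against it, flagging any admin-level change. The script below is an added example, not code from this thread or from CMS Builder itself; the column names (`num`, `username`, `email`, `isAdmin`, `disabled`) and the sample rows are assumptions constructed for illustration, so map them to the real table before use.

```python
"""Audit an exported CMS accounts table for admin-level tampering.

Constructed example. Column names and rows are assumptions, not the real
CMS Builder schema. In practice BASELINE would be loaded from a saved
export (e.g. a nightly mysqldump) and CURRENT from a fresh SELECT.
"""
from typing import Dict, List

Row = Dict[str, object]

# Constructed baseline: one admin owned by the developer, one editor for the client.
BASELINE: List[Row] = [
    {"num": 1, "username": "admin",  "email": "owner@example.com",  "isAdmin": 1, "disabled": 0},
    {"num": 2, "username": "editor", "email": "client@example.com", "isAdmin": 0, "disabled": 0},
]

# Constructed "current" table showing the three changes the thread worries about:
# the admin email rewritten, the editor promoted, and a brand-new admin row.
CURRENT: List[Row] = [
    {"num": 1, "username": "admin",  "email": "someone@example.net", "isAdmin": 1, "disabled": 0},
    {"num": 2, "username": "editor", "email": "client@example.com",  "isAdmin": 1, "disabled": 0},
    {"num": 3, "username": "helper", "email": "helper@example.net",  "isAdmin": 1, "disabled": 0},
]


def audit_accounts(baseline: List[Row], current: List[Row]) -> List[str]:
    """Return one human-readable finding per admin-relevant difference.

    Checks, in row order of the current table:
      * a row that did not exist before and is admin-level
      * an existing row promoted to admin
      * an admin row whose email changed (a reset mail would go elsewhere)
      * a previously disabled admin row that is active again
    and then any admin row that disappeared from the table.
    """
    findings: List[str] = []
    base_by_num = {row["num"]: row for row in baseline}
    cur_by_num = {row["num"]: row for row in current}

    for num, row in cur_by_num.items():
        old = base_by_num.get(num)
        label = f"#{num} '{row['username']}'"
        if old is None:
            if row["isAdmin"]:
                findings.append(f"new admin account {label} <{row['email']}>")
            continue
        if row["isAdmin"] and not old["isAdmin"]:
            findings.append(f"account {label} was promoted to admin")
        if row["isAdmin"] and row["email"] != old["email"]:
            findings.append(
                f"admin {label} email changed {old['email']} -> {row['email']} "
                "(password reset would now go to the new address)"
            )
        if row["isAdmin"] and old["disabled"] and not row["disabled"]:
            findings.append(f"disabled admin {label} was re-enabled")

    for num, old in base_by_num.items():
        if num not in cur_by_num and old["isAdmin"]:
            findings.append(f"admin account #{num} '{old['username']}' removed")

    return findings


if __name__ == "__main__":
    for finding in audit_accounts(BASELINE, CURRENT):
        print("ALERT:", finding)
```

Run it from cron against a fresh export and mail the findings to an address outside the client's control; a removed-admin finding is expected once if you follow Dave's advice to delete the account, and any later "new admin account" line is exactly the re-creation Greg describes.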

By ht1080z - November 4, 2014

Hi Greg,

The issue is not security but trust. Last year, in the same month, we completed work for a client and gave them editor access to manage the website and its data. The payment for our work was only partly completed, and now the client has found another developer and hosting company to continue with.

I want to ensure that they cannot hack access to the admin account in any way and unlock cmsBuilder for future development until some differences are cleared up. Either way, we only agreed on editor access in the first place.

Is there something else I can do to keep the admin account inaccessible?

Karls

By Dave - November 5, 2014

Hi Karls,

You could delete the admin account from phpMyAdmin (or through MySQL) and that would be fine. It could be added back through MySQL, but that would be complicated for someone who didn't know what they were doing.

We have a script for creating new admin accounts, I've attached it to this post.  You can use that if you need to recreate an admin account on any site at a future point.

Also, it sounds like you want to ensure the client has only limited access to their install.  This can be difficult to enforce, but if you find yourself in a situation where the CMSB license is in your name and someone is using it without your permission you can authorize us to disable that license and issue you a replacement one.  Sometimes people get their licenses stolen and that's a way we can help with that.

Hope that helps!  Let me know if you need anything else.

Dave Edis - Senior Developer
interactivetools.com
Attachments: show_user_accounts.php (6K)

By ht1080z - November 5, 2014

Hi Dave,

Thank you for your help on this! I'll do some tests with the script.

Karls