
ICT:Account protection: Difference between revisions

From Costa Sano MediaWiki
Created page with "{{DISPLAYTITLE:Account Protections & System Users}} __TOC__ == Overview == This document outlines the security profile of default system accounts and the hardened registration settings for this MediaWiki instance (v1.45). == Default System Accounts == Upon initialization, MediaWiki creates or reserves specific identities. === MediaWiki default === * '''Type:''' Virtual/System User. * '''Password Protection:''' This account '''does not have a password''' and is blocked..."
 
No edit summary
Line 2: Line 2:
__TOC__
__TOC__
== Overview ==
== Overview ==
This document outlines the security profile of default system accounts and the hardened registration settings for this MediaWiki instance (v1.45).
This document outlines the security profile of default system accounts and the hardening configurations applied to this MediaWiki instance (v1.45) to restrict access and visibility.


== Default System Accounts ==
== Default System Accounts ==
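Review bot: The rewritten Overview sentence says the hardening is applied "to restrict access and visibility", but the only visibility control in this revision sits under the heading "3. Private Wiki Configuration (Optional/Full Privacy)". Say in the Overview, or in that section, whether the read lock is active on this instance, so a successor does not have to work it out from LocalSettings.php.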
Line 19: Line 19:


== Applied Hardening (LocalSettings.php) ==
== Applied Hardening (LocalSettings.php) ==
To prevent unauthorized account creation and "shadow" users, the following configurations are active:
The following configurations are implemented in the server's configuration file to secure the environment.


=== Registration Lock ===
=== 1. Registration Lock ===
The following prevents the "Create Account" option from appearing to anonymous visitors:
Prevents the "Create Account" option from appearing to anonymous visitors.
<syntaxhighlight lang="php">
<syntaxhighlight lang="php">
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
</syntaxhighlight>
</syntaxhighlight>


=== Write Protection ===
=== 2. Write Protection ===
To ensure data integrity and prevent spam, anonymous editing is disabled:
Disables anonymous editing to ensure only identified users can modify content.
<syntaxhighlight lang="php">
<syntaxhighlight lang="php">
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['edit'] = false;
</syntaxhighlight>
=== 3. Private Wiki Configuration (Optional/Full Privacy) ===
To prevent any unauthorized viewing of the wiki content, the following settings hide all pages from logged-out users, except for the login interface.
<syntaxhighlight lang="php">
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# Whitelist essential pages to allow users to log in
$wgWhitelistRead = array(
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
);
</syntaxhighlight>
</syntaxhighlight>


== Successor Maintenance Notes ==
== Successor Maintenance Notes ==
# Always verify the user list via [[Special:ListUsers]] after performing software updates.
# '''Audit:''' Regularly verify the user list via [[Special:ListUsers]].
# If a new system user appears after installing an extension, verify its status on the [https://www.mediawiki.org MediaWiki System User Manual].
# '''Updates:''' If a new system user appears after an upgrade or extension install, consult the [https://www.mediawiki.org MediaWiki System User Manual].
# '''Configuration:''' All changes above must be verified in an Incognito/Private browser window to ensure they are active.


[[Category:ICT Documentation]]
[[Category:ICT Documentation]]
[[Category:Security Operations]]
[[Category:Security Operations]]
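Review bot: In the new section 3, the comment above $wgWhitelistRead describes all three entries as "essential pages to allow users to log in", but only "Special:UserLogin" is a login page; "MediaWiki:Common.css" and "MediaWiki:Common.js" are made readable to logged-out visitors by the same list. Add a line stating why each of the two is needed, or drop them. The new maintenance note 3 would also be easier to follow if it named what to check in the private window: that the Create Account option is gone, that editing is refused, and, where section 3 is active, that a page outside the whitelist is refused.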

Revision as of 18:18, 9 February 2026

Overview

This document outlines the security profile of default system accounts and the hardening configurations applied to this MediaWiki instance (v1.45) to restrict access and visibility.

Default System Accounts

Upon initialization, MediaWiki creates or reserves specific identities.

MediaWiki default

  • Type: Virtual/System User.
  • Password Protection: This account does not have a password and is blocked from web-based login.
  • Function: It acts as a placeholder for automated interface updates and system-generated edits.
  • Security Status: Safe; cannot be compromised via brute force.

Initial Admin (Sysop)

  • Type: Human Administrator.
  • Security: Protected by a salted password hash.
  • Audit Path: Check rights via Special:UserRights or the Sysop List.

Applied Hardening (LocalSettings.php)

The following configurations are implemented in the server's configuration file to secure the environment.

1. Registration Lock

Prevents the "Create Account" option from appearing to anonymous visitors.

$wgGroupPermissions['*']['createaccount'] = false;

2. Write Protection

Disables anonymous editing to ensure only identified users can modify content.

$wgGroupPermissions['*']['edit'] = false;

3. Private Wiki Configuration (Optional/Full Privacy)

To prevent any unauthorized viewing of the wiki content, the following settings hide all pages from logged-out users, except for the login interface.

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# Whitelist essential pages to allow users to log in
$wgWhitelistRead = array(
    "Special:UserLogin", 
    "MediaWiki:Common.css", 
    "MediaWiki:Common.js"
);
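
One way to confirm from a logged-out session that the three settings above are in effect, as an added example that is not part of this wiki page: it inspects the body returned by the MediaWiki API query named in the docstring. The function name, the finding strings and the sample responses are constructed for illustration.

```python
import json

# Rights removed from the '*' (anonymous) group by the settings on this page.
LOCKED = ("createaccount", "edit", "read")

def check_anonymous_rights(api_body, private_wiki):
    """Findings for the body of an anonymous request to
    api.php?action=query&meta=userinfo&uiprop=rights&format=json
    An empty list means no finding."""
    data = json.loads(api_body)
    error = data.get("error")
    if error:
        # With ['*']['read'] = false the API refuses anonymous queries,
        # so the read lock is on and no rights list is disclosed.
        if error.get("code") == "readapidenied":
            return []
        return ["unexpected API error: %s" % error.get("code")]
    info = data.get("query", {}).get("userinfo", {})
    # "anon" is set only for logged-out sessions ("" or true by format version).
    if info.get("anon", False) is False:
        return ["response is for a logged-in session; retry without cookies"]
    rights = set(info.get("rights", []))
    must_be_absent = LOCKED if private_wiki else LOCKED[:2]
    return ["anonymous visitors still hold '%s'" % r
            for r in must_be_absent if r in rights]

# Constructed sample responses (not captured from a real wiki).
DEFAULT_INSTALL = json.dumps({"query": {"userinfo": {
    "id": 0, "name": "192.0.2.10", "anon": True,
    "rights": ["createaccount", "read", "edit", "createpage"]}}})
LOCKED_DOWN = json.dumps({"query": {"userinfo": {
    "id": 0, "name": "192.0.2.10", "anon": True, "rights": ["read"]}}})
PRIVATE = json.dumps({"error": {
    "code": "readapidenied",
    "info": "You need read permission to use this module."}})
LOGGED_IN = json.dumps({"query": {"userinfo": {
    "id": 1, "name": "WikiAdmin", "rights": ["read", "edit"]}}})

if __name__ == "__main__":
    for label, body, private in [("default install", DEFAULT_INSTALL, False),
                                 ("sections 1 and 2", LOCKED_DOWN, False),
                                 ("section 3", PRIVATE, True)]:
        print(label, check_anonymous_rights(body, private) or "OK")
```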

Successor Maintenance Notes

  1. Audit: Regularly verify the user list via Special:ListUsers.
  2. Updates: If a new system user appears after an upgrade or extension install, consult the MediaWiki System User Manual.
  3. Configuration: All changes above must be verified in an Incognito/Private browser window to ensure they are active.
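
The user-list audit in notes 1 and 2 can be made repeatable by comparing the API form of Special:ListUsers with an approved baseline. The following is an added example, not part of this wiki page; the baseline, the account names and the sample response are constructed, and on a wiki with the read lock the request has to come from a logged-in session.

```python
import json

# Groups whose membership should only change with a recorded decision.
PRIVILEGED = {"sysop", "bureaucrat", "interface-admin"}

def diff_user_list(baseline, api_body):
    """Compare an allusers response with the approved baseline.

    baseline: dict of user name -> set of privileged groups approved for it.
    api_body: JSON body of api.php?action=query&list=allusers
              &auprop=groups&aulimit=max&format=json
    Returns (new_accounts, privilege_changes, truncated).
    """
    data = json.loads(api_body)
    new_accounts, privilege_changes = [], []
    for user in data["query"]["allusers"]:
        name = user["name"]
        held = PRIVILEGED & set(user.get("groups", []))
        if name not in baseline:
            # Covers human accounts and system users added by an extension.
            new_accounts.append(name)
        elif held != baseline[name]:
            privilege_changes.append((name, sorted(held)))
    # A "continue" key means the list was cut off and must be fetched further.
    return new_accounts, privilege_changes, "continue" in data

# Constructed baseline and response; all names are hypothetical.
BASELINE = {
    "MediaWiki default": set(),
    "WikiAdmin": {"sysop", "bureaucrat"},
    "Editor1": set(),
}
SAMPLE = json.dumps({"query": {"allusers": [
    {"userid": 1, "name": "WikiAdmin", "groups": ["bureaucrat", "sysop", "*", "user"]},
    {"userid": 2, "name": "MediaWiki default", "groups": ["*", "user"]},
    {"userid": 3, "name": "Editor1", "groups": ["sysop", "*", "user"]},
    {"userid": 4, "name": "Maintenance script", "groups": ["*", "user"]},
]}})

if __name__ == "__main__":
    new, changed, truncated = diff_user_list(BASELINE, SAMPLE)
    print("new accounts:", new)
    print("privilege changes:", changed)
    print("list truncated:", truncated)
```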