ICT:Account protection: Difference between revisions

Revision as of 18:23, 9 February 2026

Infrastructure Overview

This wiki is configured as a Private Research Platform. Access is managed via a "Deny-by-Default" policy, using MediaWiki core permissions for global locks and the Extension:Lockdown for granular namespace security.

1. System Account Security

MediaWiki default:
- Status: Internal System User.
- Security: No password exists; interactive login is impossible.
- Role: Attributes automated software edits.
Sysop Accounts:
- Status: Human Administrators.
- Security: Password protected. Managed via Special:ListUsers/sysop.

2. Global Hardening (LocalSettings.php)

The following core settings enforce the private nature of the wiki:

# Disable public access and registration
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;

# The Whitelist: Essential for the Login Screen
# Without these, the login page becomes inaccessible (Loop Error)
$wgWhitelistRead = [
    "Special:UserLogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js"
];

3. Namespace Lockdown Logic

While `$wgGroupPermissions` locks the door, Extension:Lockdown manages the internal rooms.

ICT: Namespace: Restricted to the `sysop` group.
Research/Dashboard Namespaces: Access granted to `user` (fellows) and `sysop`.
Sysop Rights: As per Lockdown documentation, sysops retain visibility across all restricted namespaces unless explicitly revoked.

4. Successor Checklist

Emergency Access: If locked out, set `$wgGroupPermissions['*']['read'] = true;` temporarily in LocalSettings.php.
New Namespaces: Any new namespace created for research must be added to the Lockdown array to remain private.
Auditing: Use Special:ListUsers monthly to ensure no "shadow" human accounts have been created.

@@ Line 1: / Line 1: @@
-{{DISPLAYTITLE:Account Protections & System Users}}
+{{DISPLAYTITLE:Access Control & Account Security}}
 __TOC__
-== Overview ==
+== Infrastructure Overview ==
-This document outlines the security profile of default system accounts and the hardening configurations applied to this MediaWiki instance (v1.45) to restrict access and visibility.
+This wiki is configured as a '''Private Research Platform'''. Access is managed via a "Deny-by-Default" policy, using MediaWiki core permissions for global locks and the [[Extension:Lockdown]] for granular namespace security.
-== Default System Accounts ==
+== 1. System Account Security ==
-Upon initialization, MediaWiki creates or reserves specific identities.
+* '''MediaWiki default:'''
+** Status: Internal System User.
+** Security: No password exists; interactive login is impossible.
+** Role: Attributes automated software edits.
+* '''Sysop Accounts:'''
+** Status: Human Administrators.
+** Security: Password protected. Managed via [[Special:ListUsers/sysop]].
-=== MediaWiki default ===
+== 2. Global Hardening (LocalSettings.php) ==
-* '''Type:''' Virtual/System User.
+The following core settings enforce the private nature of the wiki:
-* '''Password Protection:''' This account '''does not have a password''' and is blocked from web-based login.
-* '''Function:''' It acts as a placeholder for automated interface updates and system-generated edits.
-* '''Security Status:''' Safe; cannot be compromised via brute force.
-=== Initial Admin (Sysop) ===
-* '''Type:''' Human Administrator.
-* '''Security:''' Protected by a salted hash password.
-* '''Audit Path:''' Check rights via [[Special:UserRights]] or the [[Special:ListUsers/sysop|Sysop List]].
-== Applied Hardening (LocalSettings.php) ==
-The following configurations are implemented in the server's configuration file to secure the environment.
-=== 1. Registration Lock ===
-Prevents the "Create Account" option from appearing to anonymous visitors.
 <syntaxhighlight lang="php">
+# Disable public access and registration
+$wgGroupPermissions['*']['read'] = false;
+$wgGroupPermissions['*']['edit'] = false;
 $wgGroupPermissions['*']['createaccount'] = false;
-</syntaxhighlight>
-=== 2. Write Protection ===
+# The Whitelist: Essential for the Login Screen
-Disables anonymous editing to ensure only identified users can modify content.
+# Without these, the login page becomes inaccessible (Loop Error)
-<syntaxhighlight lang="php">
+$wgWhitelistRead = [
-$wgGroupPermissions['*']['edit'] = false;
+    "Special:UserLogin",
+    "MediaWiki:Common.css",
+    "MediaWiki:Common.js"
+];
 </syntaxhighlight>
-=== 3. Private Wiki Configuration (Optional/Full Privacy) ===
+== 3. Namespace Lockdown Logic ==
-To prevent any unauthorized viewing of the wiki content, the following settings hide all pages from logged-out users, except for the login interface.
+While `$wgGroupPermissions` locks the door, [[Extension:Lockdown]] manages the internal rooms.
-<syntaxhighlight lang="php">
-# Disable reading by anonymous users
-$wgGroupPermissions['*']['read'] = false;
-# Whitelist essential pages to allow users to log in
+* '''ICT: Namespace:''' Restricted to the `sysop` group.
-$wgWhitelistRead = array(
+* '''Research/Dashboard Namespaces:''' Access granted to `user` (fellows) and `sysop`.
-    "Special:UserLogin",
+* '''Sysop Rights:''' As per [https://www.mediawiki.org Lockdown documentation], sysops retain visibility across all restricted namespaces unless explicitly revoked.
-    "MediaWiki:Common.css",
-    "MediaWiki:Common.js"
-);
-</syntaxhighlight>
-== Successor Maintenance Notes ==
+== 4. Successor Checklist ==
-# '''Audit:''' Regularly verify the user list via [[Special:ListUsers]].
+# '''Emergency Access:''' If locked out, set `$wgGroupPermissions['*']['read'] = true;` temporarily in LocalSettings.php.
-# '''Updates:''' If a new system user appears after an upgrade or extension install, consult the [https://www.mediawiki.org MediaWiki System User Manual].
+# '''New Namespaces:''' Any new namespace created for research must be added to the Lockdown array to remain private.
-# '''Configuration:''' All changes above must be verified in an Incognito/Private browser window to ensure they are active.
+# '''Auditing:''' Use [[Special:ListUsers]] monthly to ensure no "shadow" human accounts have been created.
 [[Category:ICT Documentation]]
 [[Category:Security Operations]]