It was brought to my attention that since Codinghorror’s post, the require change email confirmation setting has been added. This means the message can now be sent to more than just staff.
The original reason for blocking edits to this template was valid at the time, but today the protection it offers is different. An attacker who knows an admin password can simply:
- Use the password to set up two-factor authentication for that account.
- Create a new account.
- Use the 2FA code to grant the new account admin rights.
From there, they can send the backup to their own email address without needing an admin to click a link to confirm an address change.
So the question is: does blocking edits to this template still make sense? It is now sent to regular users and it does no longer protect the download of a backup.
Also, Data Explorer is now always installed and can be used to access the database.