Is there any way to restrict admin privileges rather than giving them access to everything? For example, in most other platforms you can add a user to the admin panel solely for the design permissions without having to give them access to every feature, or allow people administrator access for the vast majority of features but prevent a complete forum backup from being downloaded or created, major system settings from being changed, etc.
At the very least on Discourse official hosted installations I’d highly prefer the “Account Management” section not be open to every administrator as it contains payment information and the ability to modify subscription settings for the hosting.
I know it’s been mentioned in similar topics before: “don’t make someone an admin/mod if you don’t trust them”. In some communities it’s harder than others to do that, for example ones run by volunteers compared to paid staff. However, that argument isn’t the main point. If someone’s account is compromised (could be anything from their email address being social engineered, their password being captured by malicious software, them reusing a password from another breached site, etc.), which isn’t all that difficult without multi-factor authentication in place, then they’d have a whole lot of access.
In designing the security architecture we go by the popular principle of least privilege as the safest way to operate, and we always assume a breach is possible, so do your best to mitigate the fallout as well, not just look at preventing the breach from happening. That way you’re more prepared. So by that principle you want users to have access only to the abilities they need to perform their job. (You don’t need a retail clerk to be able to download software to the POS system; they should only have access to the actions necessary for their job.)
Once the forum settings have been decided, they rarely need to be changed/updated, so it’s not a privilege most administrators would need on a regular basis. Once a design is implemented and tested it’s unlikely to change often, so that isn’t a setting people would need often either. Payment details (especially the last four digits and expiration date, which are sensitive records and enough to social engineer accounts with) are also not something every administrator would need access to. I could go on and on, I’m sure.
An example of what we’d do in Xenforo would be to have a super administrator account and set the privileges of each admin to suit their role, even for the main ones that normally would have full access; if something wasn’t being updated, we disabled access to it for every administrator, including myself. Then we disabled the super admin access (it is something you had to update in config.php on the server) so it could not be changed via the admin panel. That way, even in the event of an admin’s account being breached, it wouldn’t have huge repercussions as they wouldn’t get full access to everything. They’d need to compromise the server as well to make themselves a super admin, and at that point they’d have access to the database anyway, so that’s the worst-case scenario there.
On Discourse though, if any administrator is compromised (at least as I understand it; I haven’t added an administrator since I last used it a year ago, and the current one is still waiting on migration), then they’d be able to do a full backup of the forum, install a test version of Discourse, and compromise all the users. They could disable SSL, change the CSS/templates to capture login information of members, cancel the subscription, and disable the site.
Granted, keeping recent backups would mitigate data loss, but having administrator restrictions in place would help limit the scope of the damage greatly. These aren’t all hypothetical situations; they’re based on breaches that have occurred on many forums in the past, both big and small.