Sk446

Reputation: 1240

Providing a public link to an admin area - bad idea?

I have a client who is requesting that we add a link to the system admin area on the main (public) website so that they can just go to the site and click the URL.

Would you consider this to be a bad idea? I find it a bit odd that they can't remember to go to /admin - seems pretty much like you're inviting someone to try and break in, does it not?

I've been trying to come up with some other method. If it was me, I'd just bookmark it, however my client is a consortium of...'old gentlemen' with little computing know-how.

Any thoughts on how this should be tackled?

Upvotes: 0

Views: 232

Answers (2)

Olivier Liechti

Reputation: 3188

Having a link to the admin area is not a security risk in itself. If you have done a good job at securing the admin area, then it really does not matter to make the address public. If making the URL private increases the security, it means that you are at risk.

Upvotes: 1

Iridium

Reputation: 23731

Whilst I can't imagine that this could really be described as "good practice", it would seem that the additional "security" afforded to you by not linking the administrative area publicly is relatively minimal.

Since there are a limited number of common "admin-area" type paths - /admin, /administrator, /admincp etc., and (assuming your question hasn't been censored) you are indeed using one of them, you're probably only keeping out the most amateur of attackers by not linking to it, and you'd hope that they would be defeated by the login mechanism you surely have on the administrative area anyway.

The remainder of the more determined adversaries will no doubt manage to find the admin. area by simply probing common paths whether you link to it or not.

Upvotes: 1
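
Both answers put the weight on the login mechanism rather than on the URL staying unknown, so the access log is where to check how that mechanism is being exercised. The script below is an added example, not part of the original thread: it flags clients that request several of the common admin paths and clients with repeated failed logins. It assumes Common Log Format and a login handler under /admin that answers 401 or 403 on failure; the thresholds and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Common admin-area paths named in the answer above; extend for your own stack.
COMMON_ADMIN_PATHS = {"/admin", "/administrator", "/admincp"}

# Common Log Format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:09:58:10 +0000] "GET /admin HTTP/1.1" 200 512
198.51.100.20 - - [10/Mar/2024:09:58:31 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /administrator HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /admincp HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /admin/login HTTP/1.1" 401 87
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /admin/login HTTP/1.1" 401 87
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /admin/login HTTP/1.1" 401 87
192.0.2.55 - - [10/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

def summarize(log_text, real_admin="/admin", probe_threshold=2, fail_threshold=3):
    """Return (path_probers, login_failers) as sorted lists of client IPs."""
    probed = defaultdict(set)   # ip -> distinct common admin paths requested
    failed = defaultdict(int)   # ip -> rejected POSTs under the real admin area
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        # Normalise: drop query string and trailing slash, compare lower-case.
        path = m["path"].split("?", 1)[0].rstrip("/").lower() or "/"
        if path in COMMON_ADMIN_PATHS:
            probed[ip].add(path)
        in_admin = path == real_admin or path.startswith(real_admin + "/")
        if m["method"] == "POST" and in_admin and m["status"] in ("401", "403"):
            failed[ip] += 1
    probers = sorted(ip for ip, p in probed.items() if len(p) >= probe_threshold)
    failers = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    return probers, failers

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A client that follows the public link and logs in normally touches one admin path and is not flagged; only the client that walks several path variants or accumulates rejected logins is.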
