
Usually there's just one e-mail / e-mail password / domain registrar username / password. And perhaps one 2FA (Google Authenticator) device and a 2FA recovery code.

Either an employee has access to these credentials or not. Each employee who has access to these credentials can hijack the domain, i.e. transfer it to a different registrar.

How to secure domains from malicious domain admin employees?

Is there something like "multisig" (a term from the cryptocurrency world) where two of three people or 3 of 5 etc. (depending on company size) need to authorize domain-related changes?

adrelanos

1. Use a 2FA with a device you have control over. 2. Reduce those with credentials allowing domain changes. You should only need two employees that have that level of access and immediately change the authentication on any employee having access leaving. 3. If this occurs contact the domain registrar and have the change reversed. 4. There is legal resolution available through the court system. – zaph Oct 11 '18 at 22:26

1 Answer


The best thing you can do is choose a registrar with a good track record of taking security seriously.

Registrars sometimes offer the ability to have multiple user accounts which can administrate the domain. This is important because you wouldn't want to be locked out if someone quits and doesn't give you the current password, or if the email associated with the account is linked to that employee.

Certain registrars will also allow out-of-band verification before changes are allowed. E.g. they call you to confirm changes.

Cloudflare Registrar has a good rundown of some good registrar protections: https://www.cloudflare.com/products/registrar/custom-domain-protection/

Your domain security depends heavily on your registrar's policies and security.

Daisetsu
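A monitoring check for the scenario raised in the question (the domain being transferred to a different registrar), so that the "contact the registrar and have the change reversed" step from the comment can start quickly. This is an added example, not part of the original question or answer: it compares a domain's RDAP record against a baseline recorded while the domain was known-good. The sample record, the baseline values and the function names are constructed for illustration, and fetching the live RDAP record is assumed to happen elsewhere.

```python
import json

# Constructed RDAP domain response (RFC 9083 shape), trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "example.com",
  "status": ["client delete prohibited", "client update prohibited"],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Other Registrar LLC"]]]}
  ]
}
""")

# Hypothetical baseline, recorded while the domain was in a known-good state.
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "required_status": {"client transfer prohibited", "client update prohibited"},
}

def registrar_name(rdap):
    """Return the 'fn' of the first entity holding the registrar role, or None."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            vcard = entity.get("vcardArray", [None, []])
            for prop in vcard[1] if len(vcard) > 1 else []:
                if prop and prop[0] == "fn":
                    return prop[3]
    return None

def audit_domain(rdap, baseline):
    """Compare an RDAP record with the baseline; return a list of findings."""
    findings = []
    current = registrar_name(rdap)
    if current is None:
        findings.append("registrar entity missing from RDAP record")
    elif current.casefold() != baseline["registrar"].casefold():
        findings.append(f"registrar changed: {baseline['registrar']!r} -> {current!r}")
    present = {s.casefold() for s in rdap.get("status", [])}
    for status in sorted(baseline["required_status"] - present):
        findings.append(f"lock status missing: {status}")
    return findings

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_RDAP, BASELINE):
        print(f"{SAMPLE_RDAP['ldhName']}: {finding}")
```

Run on a schedule from an account that holds no registrar credentials, this gives the rest of the company visibility that does not depend on the domain admin reporting the change.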