Creating Secure Facebook Installations

<I have done a test run and this seems to work fine, but I haven't run extensive testing or production. Please let me know about any existing research in this area.>

The following procedure allows an organization to retain administrative control of its Facebook assets, in the same way that it controls other IT assets such as email and websites. The initial setup should take only an hour or so, after which the organization keeps control of its Facebook assets as long as it follows the practices below.

It is important to understand that there are four ways to assert control over a Facebook account. In order to secure Facebook assets, the organization must securely manage all four.
  1. Password
  2. Linked email account
  3. Security questions
  4. Application access tokens

Step 1: Create or identify an administrative email account

Every Facebook account is linked to an email address, so first identify a mailbox that the organization securely controls. Anyone can request a password reset on any Facebook account; the reset link or code is sent to the linked email address. Whoever can read that mailbox can therefore take over the account, which is why the mailbox must be as well protected as the Facebook account itself.

If you already have such an account, you can use it. Otherwise, create one, choose a secure password, and store the password securely.

The address must be a real, working mailbox: activating a Facebook account requires entering a code that Facebook sends to it. You can create a free account solely for this purpose. Invent a person and relevant details. Note that live.com and other free email services put up some weak resistance against obviously fake entries.

Step 2: Create an administrative Facebook account

Create an administrative Facebook account linked to the email account above. Choose a secure password and store it securely. Only one Facebook account can be linked to any given email address. Like the free email services, facebook.com puts up some weak resistance against obviously fake entries.

Step 3: Friend the administrative Facebook account

To join a group, the administrative account must first be a "friend" of a current group member. The friendship does not need to be kept once the account has joined the relevant groups.

Step 4: Join the administrative Facebook account to all groups used by your organization

Step 5: Grant the administrative Facebook account Admin permission against all groups used by your organization

You will need to log on to Facebook using an account which is already Admin on the group(s) in order to do this.

Step 6 (optional): Remove Admin permission from other accounts on groups used by your organization

This is not mandatory. However, it is important to understand that anyone with Admin permission can at any time destroy the group, remove all its members, modify its settings and description at will, and -- importantly -- remove Admin permission from any other admins. In other words, a disgruntled employee (or one whose account is hijacked) can do a lot of damage to your Facebook infrastructure. Also note that ordinary operations, such as creating Events or posting to the Wall, do not require Admin permission.
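Steps 5 and 6 are only worth doing if the result is checked from time to time, since any remaining admin can quietly re-grant Admin to someone else. The script below is an added example, not part of the original page or of any Facebook tooling: it compares the admins a group actually has against the list the organization sanctions. It assumes the response shape of the Graph API call GET /{group-id}/members as documented at the time, where each member object carries an "administrator" boolean, and the endpoint URL and pagination field ("paging.next") used by fetch_members are likewise assumptions; the JSON in SAMPLE_MEMBERS_RESPONSE is constructed sample data, not a real capture.

```python
"""Audit which accounts hold Admin on an organization's Facebook group.

Added example for the page "Creating Secure Facebook Installations"; it is
not the page's own code. The member-list shape (an "administrator" boolean
per member), the endpoint URL and the "paging.next" field are assumptions
about the Graph API of the time. SAMPLE_MEMBERS_RESPONSE is constructed.
"""
import json
import urllib.request

# Constructed sample response for one group, in the assumed shape.
# Two accounts hold Admin; the organization only sanctions the first.
SAMPLE_MEMBERS_RESPONSE = json.dumps({
    "data": [
        {"name": "Org Admin",       "id": "100000000000001", "administrator": True},
        {"name": "Former Employee", "id": "100000000000002", "administrator": True},
        {"name": "Marketing Staff", "id": "100000000000003", "administrator": False},
    ],
    "paging": {},
})


def parse_admins(response_json):
    """Return the set of member ids holding Admin in one members response."""
    payload = json.loads(response_json)
    return {m["id"] for m in payload.get("data", []) if m.get("administrator")}


def audit_group_admins(response_json, sanctioned_admin_ids):
    """Compare the actual admins against the sanctioned set.

    Returns a dict with:
      unexpected: ids holding Admin that are not sanctioned (step 6 undone,
                  or someone re-granted Admin after the setup)
      missing:    sanctioned ids that do not hold Admin (step 5 not done,
                  or the administrative account was demoted)
    """
    actual = parse_admins(response_json)
    sanctioned = set(sanctioned_admin_ids)
    return {
        "unexpected": sorted(actual - sanctioned),
        "missing": sorted(sanctioned - actual),
    }


def group_is_secure(response_json, sanctioned_admin_ids):
    """True only when the admin set matches the sanctioned set exactly."""
    result = audit_group_admins(response_json, sanctioned_admin_ids)
    return not result["unexpected"] and not result["missing"]


def fetch_members(group_id, access_token):
    """Fetch all members of a group, following pagination.

    Network helper for real use (not exercised offline). The URL shape and
    the "paging.next" link are assumptions about the Graph API of the time.
    Returns JSON text in the same shape parse_admins expects.
    """
    url = "https://graph.facebook.com/%s/members?access_token=%s" % (
        group_id, access_token)
    members = []
    while url:
        with urllib.request.urlopen(url) as resp:
            page = json.loads(resp.read().decode("utf-8"))
        members.extend(page.get("data", []))
        url = page.get("paging", {}).get("next")
    return json.dumps({"data": members, "paging": {}})


if __name__ == "__main__":
    # Offline run against the constructed sample: flags the former employee.
    sanctioned = ["100000000000001"]
    print(audit_group_admins(SAMPLE_MEMBERS_RESPONSE, sanctioned))
    print("secure:", group_is_secure(SAMPLE_MEMBERS_RESPONSE, sanctioned))
```

Run it against each group the organization uses, with the administrative account's id (and any other deliberately retained admins) in the sanctioned list; a non-empty "unexpected" list means step 6 needs repeating, and a non-empty "missing" list means the administrative account has lost Admin and step 5 must be redone before anyone else removes it entirely.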

Related link: http://redtape.nbcnews.com/_news/2012/10/12/14373762-when-you-and-employer-split-who-gets-your-friends-and-followers

Last edited Oct 12, 2012 at 7:25 PM by jonn_msft, version 7