Securing Discord

Permissions and roles: the administrator needs to understand every permission and role in order to limit the attack surface and limit exposure. It’s about accountability, taking responsibility for the things we can control and understanding where we are vulnerable. Every discord we build should be built with the assumption that each and every user is subject to compromise. Therefore we have a PLAN in place BEFORE the attack, and do everything we can to mitigate, and sometimes nullify, the attack before it takes place. But there is one role that must NEVER be compromised, and we can lock it down before the discord is open to the public.

Discord Creator/Founder Role

The discord creator/founder role is identified by the CROWN.

The account that creates the discord should NEVER be an active USER in the server (once it is open), or even active anywhere outside of the server. It is OK to use an active account to create the discord, but BEFORE going public this role should be transferred to a burner account (preferably a brand-new account whose email and Discord name are unassociated with the server and unrecognizable). This account is NOT used for anything else; it is the ‘hardware wallet/ledger’ for the server.

This role can be transferred to ANYONE, but only by the user with the role.

No matter what the permissions and roles are in a server, no matter the hierarchy of those roles, the FOUNDER/CREATOR account bypasses all restrictions and has absolute control over the entire server and every role within it. The good news is, we can completely eliminate this attack vector and keep it in cold storage, unmarked and hidden away on the server. This account doesn’t need any special roles or identifiable markings and we in fact recommend keeping it that way.

Users may be able to use tools to figure it out, or Discord itself may do a poor job of hiding it, but we do NOT need to bring any extra attention to this role, nor put it at risk by using it on an active account. With the account taken out of play and not in use, there is no chance of anyone phishing or gaining access to it. Furthermore, if an Admin is compromised, we always have one role above it, hidden and ready to ‘break in case of emergency’ to regain control of the server and eradicate the threat. If this role is ever compromised, we know the attack came from within and can limit responsibility to the person who had access to it.

Roles, Permissions, & Hierarchy

The next most vulnerable area of attack is ANYONE with administrator permissions in the server (humans and bots). Administrator permissions bypass ALL role restrictions and channel permissions within the discord; HOWEVER, they still cannot change or alter roles at or above their own. This hierarchy of roles can be used to our advantage when structuring discord roles and permissions.

Subject to change, missing verification bot.

Understanding that ADMIN access is vulnerable to attack, we place the ONLY human role with admin at the very TOP, the (+) role, and we grant it only to the few individuals who need it. I recommend 2-3 at most, depending on the size of the server. I further recommend that those working in this position understand they are NOT allowed to use these accounts to degen into other servers or use them for anything other than their administrator work in the discords they are working on. It’s a lot of responsibility; it’s a job and should be treated as such.


Notice this role is neither hoisted nor visible on the sidebar, nor is it colored or meant to stand out. The vanity roles which mark and signify Admin, Mod, and Team do NOT have Admin access, and they are restricted to only the channels they need for their job.


These roles have an identifiable color and mark, sometimes with emoji icons, and are hoisted above all other roles. We expect these roles to be targeted and plan for them to be compromised. Therefore we plan ahead of time to mitigate the damage anyone can do with these roles through this structure and limitation of perms. Again, the only true Admins of the server have the (+) role, and no ONE can give them this role except the founder/creator role, which is on ice and locked away. Those with this (+) role take on extra responsibility and limit their attack vectors and exposure.

After administrator permissions (which, again, bypass all restrictions except the role hierarchy), the next biggest threat is who has access to INFORMATION channels, with the biggest targets being the #Announcements and #Official Links channels.


The standard setup takes away everyone’s ability to write in this channel except for the intended user/role, whose channel override restores the nulled send-message permission. Again, Administrators still have absolute access and bypass all restrictions.


Therefore we NEVER grant anyone permanent control of these channels; we limit their access with the (++) role. Only the true administrator (+) role has permanent access (as admin negates these restrictions), and only the (+) role can grant access.
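As an added example, not part of the original post, the following Python models Discord’s documented permission resolution and role-hierarchy rule so the layout above can be checked: @everyone denied Send Messages in #announcements, a (++) override that restores it, an unhoisted (+) admin role at the top that even another admin cannot hand out. The permission bit values are Discord’s; the role names, positions and channel overwrites are constructed.

```python
from collections import namedtuple

SEND, ADMIN, MANAGE_ROLES = 1 << 11, 1 << 3, 1 << 28  # Discord permission bits
Role = namedtuple("Role", "name position perms")       # position: higher = further up
Member = namedtuple("Member", "roles is_owner")         # roles: list of Role
EVERYONE = Role("@everyone", 0, SEND)                   # server-wide default: anyone may send

def effective_perms(member, overwrites):
    """Discord's order: owner and ADMINISTRATOR get every bit and skip channel
    overwrites; otherwise base = OR of role perms, then the @everyone overwrite,
    then the union of role overwrites. overwrites: {role name: (allow, deny)}."""
    if member.is_owner:
        return ~0
    base = EVERYONE.perms
    for r in member.roles:
        base |= r.perms
    if base & ADMIN:
        return ~0
    ea, ed = overwrites.get("@everyone", (0, 0))
    perms = (base & ~ed) | ea
    allow = deny = 0
    for r in member.roles:
        a, d = overwrites.get(r.name, (0, 0))
        allow, deny = allow | a, deny | d
    return (perms & ~deny) | allow

def can_send(member, overwrites):
    return bool(effective_perms(member, overwrites) & SEND)

def can_edit_role(actor, target):
    """Hierarchy rule: even ADMINISTRATOR cannot edit or assign a role at or
    above the actor's own top role; only the owner bypasses this."""
    if actor.is_owner:
        return True
    top = max((r.position for r in actor.roles), default=0)
    managing = any(r.perms & (MANAGE_ROLES | ADMIN) for r in actor.roles)
    return managing and top > target.position

# Constructed server shaped like the post's layout (names are illustrative)
PLUS = Role("+", 100, ADMIN)      # unhoisted true-admin role
PLUSPLUS = Role("++", 90, 0)      # temporary announcer role
MOD = Role("Mod", 50, 0)          # hoisted vanity role, no admin perms
ANNOUNCEMENTS = {"@everyone": (0, SEND), "++": (SEND, 0)}  # send denied, ++ restores it

if __name__ == "__main__":
    for who, m in [("admin", Member([PLUS], False)), ("mod", Member([MOD], False)),
                   ("mod+announcer", Member([MOD, PLUSPLUS], False))]:
        print(who, "| post in #announcements:", can_send(m, ANNOUNCEMENTS),
              "| edit + role:", can_edit_role(m, PLUS))
```

Run it and note the last column: a compromised (+) admin can post anywhere, yet still cannot touch the (+) role itself, which is exactly why the owner account must stay out of play.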

It is therefore recommended that this exchange of power, and the communication requesting it, be done off and away from Discord, through text, WhatsApp, or other platforms. This way, even if a user’s Discord account is compromised, the attackers do NOT have a means to ask for access to these permissions (other than Discord channels and DMs, which we will NEVER use to ask for these permissions).

Now attackers need full access to an admin’s device (phone or computer) to entirely compromise them. These attackers are not doing this yet, but as we raise our security they may, which means we will need more security practices outside of Discord.

Trusted Bots

After removing the attack vector of the Creator/Founder account and limiting attack vectors to only the trusted admin (+) role, our last area of exposure is the bots we use and the permissions we grant them. For projects of larger scale, I highly recommend fully custom-built, in-house bots to limit exposure and responsibility. As much as we dislike Azuki’s founder, I do applaud their server for having had no compromises, as all their bots are custom built. They remain a high-value target and have completely avoided compromise; this is worth noting and paying attention to regardless of feelings towards Zagabond or their project.

Not everyone can afford this option, but for any project bringing in hundreds of thousands to millions of dollars, there is no excuse. The only other options are to completely remove all bots from the server (which takes away logs and much-welcomed automation), or to keep very limited bots in the server, strictly permissioned for their roles, with the structure set up in a way that prepares for their compromise.

This build is currently missing a verification gate; I believe I'd place it here, but this is subject to change. (Note: placing the quarantine role above Hash & Beemo will lead to them getting quarantined while doing their regular mass bans during raids; consider moving them above quarantine if you trust their settings.)

As it currently stands I have Wick above all other bots, with the quarantine role above them but below Wick. This way we can rely on Wick to quarantine and remove all threats (including any of these bots being compromised). The problem with this build is that we are putting A LOT of faith in Wick not being compromised. However, Wick is a PAID service built with security in mind. Even if a user granted themselves a permission in this server, they wouldn’t be able to access and change the Wick dashboard settings unless the server owner gave them access (and again, this account is locked away in cold storage).

When a Mee6 employee was compromised and the attackers were able to bypass server settings and change permissions and roles, the one server with Wick operating as intended (PXN) was able to instantly and automatically remove any webhooks and posts in its announcement channel. This was because the compromised user was NOT whitelisted to post on the backend/dashboard of Wick. Even though an admin was compromised, Wick still didn’t allow that admin to post. Again, it still puts a lot of faith in Wick, and if you operate a large-scale project, I recommend you make your own.

In Conclusion

Server Creator/Founder should be kept on ice and taken out of play. Humans with Admin access and perms above all other roles should be very limited and ready to take full responsibility and accountability for their role. It should be a paid job and those in that position should understand how to properly build and manage a discord.

BOTs in the server should be very limited in permissions and channels, to only what their purpose needs; for those that aren’t, we should fully understand how much faith and trust we are granting them (as much as an ADMIN) if they have administrator access. Depending on the size and scale of your business, understand what that means.

There are discords that have NEVER been compromised, or that, if compromised, suffered minimal damage (threats instantly eradicated). We should all understand why that was and open-source our security as much as possible to team up against these threats. Understand that this does NOT replace a much-needed job and position within this space: we can give someone the keys to a helicopter and they still cannot fly it, or the schematics to a building and not everyone can build it.