Dr. Grom's No. 1: Discord security guide

Introduction

Hi, I'm Dr_Grom, Admin of the German branch and the International Translation Archive, and today I'd like to show you how to configure your Discord server for basic security. I am also going to guide you through the steps of role management, which can be quite confusing.

Reasons why you need basic server security

Raids: Organizational measures cannot completely prevent a raid, but they can make it harder for raiders to attack your server, limit the damage they can do to a minimum, and make it unrewarding to even attempt an attack.

Malicious bots: On Discord there are bots that are not Discord bots in the sense of KIRA or the widely used uber-bot; they are more comparable to a web crawler. Proper Discord bots access Discord through an API using a special form of account that is marked as a bot and has certain abilities and restrictions. One of these restrictions is that they can only enter a server when an admin allows them to.

However, as everywhere on the internet, there are people on Discord with malicious intentions. They run these crawler-like bots on normal accounts, which are intended for actual users. Discord is displayed basically as a website, whether in a browser or in the desktop or mobile app, and servers and channels are just sub-pages. All information displayed to you is sent to your device and therefore also to the crawler. Moreover, not all information that is sent is visible to the user, as modifications like certain plugins for e.g. Better Discord prove (they do nothing else than reveal information that is sent to you but not displayed). So it is quite easy for someone to write a bot that simply tries all possible combinations of server links until it finds a working one and enters the server. With this brute-force scan of Discord for servers, it is possible to gather the following information:

  • Link and name of a server and owner
  • List of channels and role requirements (not sure if hidden channels can still be scanned)
  • List of users, their roles, connected services, game activity, and server owner
  • Other servers that are linked somewhere
  • All messages on all accessible channels

By analyzing this data, they can find security gaps that could be useful for attacking the server and assess how vulnerable it is to raids and advertisement bots. Some of these bots also send private messages to users, or have server links as their names so that the links are embedded in the welcome message.

More important, in my opinion, is the fact that they can pull the following personal information about your users:

  • Global nick, server nick, and IDs
    • Thereby which servers they are on, once those other servers are scanned as well
  • Connected services like Steam account, Twitter account, etc.
    • What songs they listen to
    • What games they play
  • What status (online, offline, etc.) they have at what time of day
    • Over a long-term scan this reveals the approximate timezone and the habits of when they access Discord on which day
  • Personal information from descriptive roles like age, gender/sex, origin, ethnicity, political and religious alignment, fetishes, etc.
  • And of course, given enough scanning time, lots of information from each user's posts:
    • The actual information from the posts
    • At what time a user uses a mobile device or a computer
    • What information is posted at what time of day and in general, all activity in relation to the time
    • How long the messages are
    • Spelling mistakes and their relation to message length, time of day and maybe the device
    • Writing style and use of formatting and emojis
    • Type of information and writing style in relation to the purpose of a channel
    • And a lot more

"But Grom, who is going to sit there and assess all this information? These are so many data sets and maybe millions of posts…"
Well, powerful AIs are. Storage is cheaper than ever. They don't analyze all of your posts; they store it all and filter for certain words or phrases or for certain meta-data, like your posts after a certain event or at a certain time of day.

"But Grom, what use would they have for this data?"
They sell it! Of course, collectors of personal data do not analyze it themselves. They just sell it, as in the scandal around Cambridge Analytica or the alleged election manipulation by Facebook. They don't care about you as a person. For them, you and your users are an asset, products they can make money with. It is up to you to make it as hard for them as possible.

But do not fret! There are measures to reduce their access to a minimum.

1. Understanding Discord role permissions

Let's start with some basics. The why and how of Discord permissions and their uses are often misunderstood. As an admin, it is your job to understand how they work.

There are two places where you can set up permissions: The basic role settings and the channel/category permissions.

They differ mainly in how permissions are set and how they are left unset.

Basic role settings [image: basic-role-settings.jpg]

In the basic settings, you can only allow permissions. You cannot forbid anything.
Green: Allowed
Grey: Inherit
That means that everything allowed for any role a user has is allowed for that user. The only way to make a user unable to do something is not to allow it in any of their roles.

Channel/category settings [image: channel-settings.jpg]

In the channel/category permission settings, you can allow, inherit and deny.
Green: Allowed
Grey: Inherit
Red: Denied
However, allows and denials are always evaluated starting from the highest role a user has. Only where that role inherits is the setting taken from the next lower role that explicitly allows or denies it.

To keep an overview, I strongly advise allowing or denying each ability in only one place if possible, and leaving everything else on inherit.

2. Role settings

There are six reasons to have roles:

  1. Permissions
  2. Channel access
  3. Pingability
  4. Displaying attributes by color (like admin/mod status)
  5. Attributes like age, gender, religion etc.
  6. Fooling around

I personally advise refraining from the fifth and sixth to keep roles tidy, but many servers have them anyway.
1-3 usually serve as user groups, while 4 is more like a sort of attribute tag.
I advise combining 1-4 in one or two roles per user if possible. Tidiness and a good structure are essential for good administration.

This means I advise you to have one role for one thing. The fewer, the better. But more about that later. In this guide, I will act as if you have two groups of normal users: newbies and experienced users. Newbies do not get access to all channels in the beginning. You can adapt this system however you like, with as many roles as you like. Small servers with hand-picked users do not need two roles for normal users.

First of all, you will need four basic roles:

  1. @everyone
  2. @newbies
  3. @members
  4. @staff

@everyone: This is the basic role. It serves only to give permissions. You can neither delete nor rename it. Give this role all permissions that every user of the lowest common user role should have at a minimum and will have in most channels. Usually you can keep the default settings and just add or remove the permissions you want to restrict to higher user roles.

@newbies: This is your lowest common user role. All permissions this role needs should already be given in @everyone, so set all of its permissions to inherit. This role is just for channel access, color, the user list, and pingability.

@members: This is your higher common user role, for channel access and maybe for additional permissions. If you do not want a multi-level community, just forget about this role. If you want this role to have more general permissions than @newbies, set them here; if not, set everything to inherit. If this role needs special permissions for certain but not all channels, set them in those channels and not in the role.

@staff: Your staff role. Unless your server owner is the only staff member, you will need this role. Give it all permissions your staff should have. Be aware that if you give them administrator rights, many things can no longer be forbidden via channel-wise permissions, and they get many permissions automatically, no matter how they are set.

I advise giving your users either @newbies or @members. Keep these tidy and give your users as few roles as possible. The basic permissions are carried by @everyone, so your members need one or the other, not both.

Many bots require their own roles with their own settings. I suggest giving all bots the same color and not displaying them as a separate group in the user list, but adding them as @members. That will keep your member list tidy.

I strongly advise setting all permissions of all attribute roles to inherit. Really. The more roles you have, the more you depend on inheriting permissions from your permission roles; otherwise you will end up with a giant mess when you want to change something.

If you want a mute role (which is quite useful), put it right below the lowest role that will never be muted (usually right below staff). Set everything to inherit, and set Send Messages, Add Reactions, Speak and the like to denied.

3. Channel settings

As Discord itself provides no protection against these bots and against raiders, we will build ourselves a nice little Captcha. But as we can't build an actual Captcha, we will set up a channel that serves the same purpose. I will call this the #welcome channel from now on. The #welcome channel will serve as a dead end for new users of all sorts. They will only be able to see this channel and the other users without member roles, as well as the owner, users with admin rights, and other users whose role gives them access to this channel. I advise keeping the number of people who can access this channel to a minimum, and considering pruning it once in a while of inactive users who joined and did nothing else.

3.1 Channel/category structure

Categories [image: categories.jpg]

I advise using categories to set up channel permissions. This is the easiest way to manage multiple channels. For clarification: categories are grouped channels that can provide preset permissions which you can synchronize your channels with if you want. These channels then share the permissions given by the category and pick up changes automatically. Besides that, categories are good for grouping and sorting channels.

I advise for the following categories:

  • No category:
    • #welcome: This channel has its own settings and can be placed outside of the categories (to keep the category settings secret from outsiders).
    • Info channels: All members can read, but only staff can post and edit. For example rules and news. These usually get custom settings and can therefore be kept outside of categories. That way they also always remain visible, as categories can be collapsed.
  • Channels for all users (all but those in #welcome)
  • Channels for @members: Useful to keep newbies who do not know the ropes yet out of more sensitive topics. Optional, though advised for medium-sized servers. I also advise putting channels with special permissions here, like adult channels with access control.
  • Staff channels: I advise a channel to discuss, a channel to log your activities and for announcements, and one to log bot activity, welcome messages and such.

Channel with synchronized settings [image: synchronized-settings.jpg]

Unless a channel needs additional permissions, always keep the channel permissions synchronized with the category and make changes only in the category; otherwise you will break the synchronization.

3.2 The welcome channel

This channel needs several special permission settings per role:

  • @everyone: Remove all permissions you deem unnecessary. Basic settings:
    • read messages: Allowed
    • send messages: Inherit
    • read channel history: Inherit
    • All other permissions can be denied as you wish
  • @newbies and @members (and all other roles that only serve channel access), as well as all bots you do not need in here:
    • read messages: Denied
  • @staff (only necessary if the staff role that checks the welcome channel is not an administrator):
    • read messages: Allowed

This way, only users without user roles, and staff, have access to this channel, so your user list is protected. An even more secure method is to deny Read Text Channels & See Voice Channels for @everyone and grant these rights per role in the categories. Then you do not need to deny them access to the #welcome channel, and their existence is hidden unless the staff also holds these roles.
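As an added example (not from this guide or from Discord), here is a small Python model of the permission rules from section 1 and the #welcome recipe from 3.2; the role names, permission names and the extra @muted and @admin roles are constructed for illustration, and the resolution order follows the guide's description.

```python
# Added example, not from the guide or from Discord: a small model of the
# permission rules in sections 1 and 3.2, with constructed role/permission names.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    position: int                               # higher = higher in the role list
    allowed: set = field(default_factory=set)   # basic role settings: allow only

def resolve(roles, overrides, perm):
    """Section 1: admin rights bypass channel-wise denials. Otherwise the
    highest role's channel setting counts, an inherited setting is taken from
    the next lower role, and if all inherit, any role's basic allow suffices."""
    if any("administrator" in r.allowed for r in roles):
        return True
    for role in sorted(roles, key=lambda r: r.position, reverse=True):
        decision = overrides.get(role.name, {}).get(perm)   # None = inherit
        if decision in ("allow", "deny"):
            return decision == "allow"
    return any(perm in r.allowed for r in roles)

# The guide's basic roles: only @everyone carries permissions, user roles inherit.
EVERYONE = Role("@everyone", 0, {"read_messages", "send_messages", "read_history"})
NEWBIES = Role("@newbies", 1)
MEMBERS = Role("@members", 2)
MUTED = Role("@muted", 3)            # right below staff, everything inherit
STAFF = Role("@staff", 4)            # staff without admin rights
ADMIN = Role("@admin", 5, {"administrator"})

# 3.2: #welcome per-role overrides; a missing entry means "inherit".
WELCOME = {
    "@everyone": {"read_messages": "allow"},
    "@newbies": {"read_messages": "deny"},
    "@members": {"read_messages": "deny"},
    "@staff": {"read_messages": "allow"},
}
# Section 2 mute role: deny only the speaking permissions in ordinary channels.
GENERAL = {"@muted": {"send_messages": "deny", "add_reactions": "deny"}}

def can(member_roles, overrides, perm):
    """Every member implicitly holds @everyone."""
    return resolve([EVERYONE, *member_roles], overrides, perm)

def welcome_readers():
    """Which kinds of member can read #welcome under the guide's recipe."""
    cases = {"new user": [], "newbie": [NEWBIES], "member": [MEMBERS],
             "staff": [STAFF], "admin": [ADMIN], "newbie+staff": [NEWBIES, STAFF]}
    return {kind: can(roles, WELCOME, "read_messages") for kind, roles in cases.items()}
```

In this model a higher role's channel deny beats a lower role's allow, as the guide describes it; Discord's documented computation instead aggregates all of a member's role overwrites, so an explicit allow on any held role wins over a deny on another. For the #welcome and mute configurations modelled here both orderings give the same results.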

In the welcome channel, post basic rules and information. Do not post unnecessary information. If you have a custom bot, you should post a GDPR disclaimer here, at least if you are in the EU.

I also advise giving new users a task, e.g. pinging your staff and maybe answering a question. Delete these messages afterward, and do not allow conversations here, or delete them when they are finished.

And that's it. If you have further questions, feel free to ask. You can find me on almost all official SCP Discord servers; contacting me there is the quickest method.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License