Dr. Grom's No. 1: Discord security guide

Introduction

Hi, I'm Dr_Grom, Admin of the German branch and the International Translation Archive, and today I'd like to show you how to configure your Discord server for basic security. I will also tell you a bit about how role management works, which many find confusing.

Raids: Of course, organizational measures cannot completely prevent a raid, but they can make it harder for raiders to attack your server, limit the damage they can do to a minimum, and make the whole thing unrewarding for them.

Malicious bots: On Discord, there are bots that are not Discord bots in the sense of KIRA or the often used uber-bot. They are more comparable to a web crawler. Discord bots use an API to access Discord, run on a special kind of account, are marked as bots, and have certain abilities and restrictions. One of those restrictions is that they can only join a server when an admin allows them to.

However, like everywhere on the internet, there are people with malicious intentions. They run these web-crawler-like bots on a normal account, the kind meant for a person. Discord is basically displayed as a website, either in a browser or in a desktop or mobile app, and servers and channels are just sub-pages. All information displayed to you is sent to your device, and therefore also to the crawler; in fact, even more is sent than the user ever sees. So it is quite easy for someone to write a bot that simply tries all possible combinations of server links until it finds a working one and joins that server. By scanning Discord for servers by brute force in this way, it is possible to gather the following information:

  • Link and name of a server and owner
  • List of channels and role requirements (not sure if hidden channels can still be scanned)
  • List of users, their roles, connected services, game activity, and server owner
  • Other servers that are linked somewhere
  • All messages on all accessible channels

By analyzing this data, they can find security leaks that could be useful for attacking the server and assess how vulnerable it is to raids and advertisement bots. Some of these bots also send private messages to users, or use server links as their names so that the welcome message embeds them.

But, in my opinion, more importantly, they can pull the following personal information about your users:

  • Global nick, server nick, and IDs
    • And thereby which servers they are on, once those other servers are scanned as well
  • Connected services like Steam account, Twitter account etc.
    • What songs they listen to
    • What games they play
  • What status (online, offline etc.) they have at what time of day
    • Upon long term scan they can find the approximate timezone and habits when to access Discord on what day
  • Personal information from descriptive roles like age, gender/sex, origin, ethnicity, political and religious alignment, fetishes etc.
  • And of course, given enough scanning time, lots of information from each user's posts:
    • The actual information from the posts
    • At what time a user uses a mobile device or a computer
    • What information is posted at what time of day and in general, all activity in relation to the time
    • How long the messages are
    • Spelling mistakes in relation to message length, time of day, and perhaps the device
    • Writing style and use of formatting and emojis
    • Type of information and writing style in relation to the purpose of a channel
    • And a lot more

"But Grom, who is going to sit there and assess all this information? Those are so many data sets and maybe millions of posts…"
Well, powerful AIs are. Storage space is as cheap as ever. They don't analyze all of your posts. They store everything and filter for certain words or phrases, or for certain metadata, like your posts after a certain event or at a certain time of day.

"But Grom, what would they want with that data?"
They sell it! Ever heard of Cambridge Analytica? Ever heard of alleged election manipulation via Facebook? They don't care about you as a person. For them, you and your users are an asset: products they can make money with. It is up to you to make it as hard for them as possible.

But do not fret! There are measures to reduce their access to a minimum.

1. Understanding Discord role permissions

Yes, we start with the basics. Discord permissions are often misunderstood and to know what you are doing as an admin, you must know how they work.

There are two places where you can set up permissions: The basic role settings and the channel/category permissions.

They differ most by how permissions are set and how they are not set.

[Image: basic-role-settings.jpg]

Basic role settings

In the basic settings, you can only allow permissions. You cannot forbid anything.
Green: Allowed
Grey: Inherit
That means that everything allowed for any role a user has is allowed for that user. The only way to keep a user from doing something is not to allow it for any of their roles.

[Image: channel-settings.jpg]

Channel/category settings

In the channel/category permission settings, you can allow, inherit and deny.
Green: Allowed
Grey: Inherit
Red: Denied
However, permissions/denials are always counted from the highest role a user has. Only inherited settings are taken from the next lower role that allows or denies it.

To maintain an overview, I strongly advise allowing or denying each ability only once where possible, and keeping everything else on inherit.

2. Role settings

There are five reasons, besides fooling around, to have roles:

  1. Permissions
  2. Channel access
  3. Pingability
  4. Displaying attributes by color (like admin/mod status)
  5. Attributes like age, gender, religion etc.

I personally advise refraining from the fourth to keep roles tidy, but many have them anyway.
1-3 usually serve as user groups, while 4 is more like some sort of attribute tag.
As such, I advise combining 1-3 into one or two roles per user if possible. Tidiness and a good structure are mandatory for good administration.

In other words, have one role for one thing. The fewer, the better. But more about that later. In this guide, I will act as if you have two groups of normal users: newbies and experienced users. Newbies do not get access to all channels in the beginning. You can adapt this system however you like, and with as many roles as you like.

First of all, you will need four basic roles:

  1. @everyone
  2. @newbies
  3. @members
  4. @staff

@everyone: This is the basic role. You can neither delete nor rename this one. Give this role all permissions all users of the lowest common user role should have at the minimum.

@newbies: This is your lowest common user role. It should not get any extra permissions. Everything this role should be able to do should be set in @everyone. This role is just for channel access, color, the user list, and pingability, should you want these.

@members: This is your higher common user role. If you do not want a multi-level community, just forget about this role. If you want this role to have more general permissions than @newbies, set these here. If not, do not set any permissions for this role. Everything else will be set in the respective channels or categories.

@staff: Your staff role. Unless the server owner is the only staff member, you will need this one. Give this role all permissions your staff should have. If you give them admin rights, it becomes impossible to forbid many things via channel-wise permissions.

I advise giving your users either @newbies or @members. Better keep these tidy and give your users as few roles as possible.
Many bots require their own roles with their own settings. I suggest giving all bots the same color and not grouping them separately in the user list, but adding them as @members. That will keep your member list tidy.

3. Channel setting

As Discord itself provides no protection against these bots or against raiders, we will build ourselves a nice little captcha. Since we can't build an actual captcha, we will set up a channel that serves the same purpose. I will call this the #welcome channel from now on. The #welcome channel will serve as a dead end for new users of all sorts. They will only be able to see this channel and the other users without member roles, as well as the owner, users with admin rights, and any other users whose role grants access to this channel. I advise keeping the number of people who can access this channel to a minimum, and pruning it once in a while of inactive users who joined and did nothing else.

3.1 Channel/category structure

I advise using categories to set up channel permissions. This is the easiest way to manage channels.

I advise for the following categories:

  • #welcome: This channel has its own settings and can be placed outside of the categories.
  • Info channels: All members can read, but only staff can post and edit. For example rules and news.
  • Channels for all members
  • Channels for older members: Useful to keep newbies who do not know the ropes yet out of more sensitive topics. Optional though advised for medium-sized servers.
  • Staff channels: Like a channel to talk about who to kick, a bot channel etc.

Unless a channel needs additional permissions, always keep the channel permissions synchronized with the category and only change them there.
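As an added example (not part of the original guide), here is a small audit script that checks a server layout against the advice in sections 1 to 3.1: no extra permissions on @newbies, no admin rights on @staff, each ability allowed or denied only once, and channels kept in sync with their category. The role names follow the guide; the permission names, the category overwrites and the channel list are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed server layout modelled on the guide's four basic roles.
# Base role settings can only allow, so each role is a set of allowed abilities.
ROLES: Dict[str, Set[str]] = {
    "@everyone": {"view_channel", "send_messages", "read_history"},
    "@newbies": {"attach_files"},  # an extra permission that belongs in @everyone
    "@members": {"attach_files"},
    "@staff": {"manage_messages", "kick_members", "administrator"},
}
# Category overwrites: category -> role -> {ability: "allow" | "deny"}; unlisted = inherit.
CATEGORIES: Dict[str, Dict[str, Dict[str, str]]] = {
    "Info": {"@everyone": {"send_messages": "deny"},
             "@staff": {"send_messages": "allow"}},
    "Members": {"@everyone": {"view_channel": "deny"},
                "@members": {"view_channel": "allow", "send_messages": "allow"}},
    "Staff": {"@everyone": {"view_channel": "deny"},
              "@staff": {"view_channel": "allow"}},
}
# Channels: name -> (category, synced with category?)
CHANNELS = {
    "rules": ("Info", True), "general": ("Members", True), "bot-log": ("Staff", False),
}


def audit(roles: Dict[str, Set[str]], categories, channels) -> List[str]:
    """Return one finding per deviation from the guide's recommendations."""
    findings: List[str] = []
    # 1. The lowest common role (@newbies) should carry no permissions of its own.
    extra = roles.get("@newbies", set()) - roles["@everyone"]
    if extra:
        findings.append(f"@newbies grants {sorted(extra)}; set these in @everyone instead")
    # 2. Admin rights cannot be limited by channel-wise permissions, so staff should not hold them.
    for name, perms in roles.items():
        if "administrator" in perms:
            findings.append(f"{name} has administrator; channel permissions cannot limit it")
    # 3. Allow/deny each ability only once: an explicit allow is redundant when the role
    #    already allows it and @everyone is not denied it in the same category.
    for cat, overwrites in categories.items():
        everyone_denied = {p for p, s in overwrites.get("@everyone", {}).items() if s == "deny"}
        for role, settings in overwrites.items():
            for perm, state in settings.items():
                base_allows = perm in roles["@everyone"] or perm in roles.get(role, set())
                if state == "allow" and base_allows and perm not in everyone_denied:
                    findings.append(f"{cat}: allow '{perm}' for {role} is redundant, use inherit")
    # 4. Channels should stay synchronised with their category unless they need more.
    for ch, (cat, synced) in channels.items():
        if not synced:
            findings.append(f"#{ch} is not synced with category '{cat}'")
    return findings
```

Run `audit(ROLES, CATEGORIES, CHANNELS)` to list the findings; an unsynced channel is reported for review rather than as an error, since the guide allows it when a channel genuinely needs additional permissions.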

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License