Turning off Drupal's SuperUserPolicy to Harden the user/1 Account

SuperUserPolicy

The Drupal user account user/1 is automatically granted special privileges.

As of Drupal 10.3 these privileges are governed by the newly introduced SuperUserPolicy. 

To manually enable or disabled the policy, update your sites/{sitename}/services.yml file and set  security.enable_super_user  true or false respectively, and clear your caches.

To speed up this process I created a basic Drush command: 

• drush super:on
• drush super:off

Source and instructions: https://gitlab.com/jpoesen/drush-commands 

Limitations / Warnings

You must REMOVE the Administrator role from user/1, otherwise that role will still grant user/1 all privileges.

Hardening Drupal

My process for hardening Drupal already involved:

• blocking user/1 (so they can't log in via the traditional way)
• giving user/1 a random user/pass (obscurity + nobody knows the password)
• only authenticating with user/1 when absolutely necessary
• logging in with drush uli (which generates a one-time login link)

My hardened process for authenticating as user/1:

• ssh into remote server via vpn
• drush super:on
• drush cache:rebuild
• drush user:login to generate 1-time login
• do stuff
• log out
• drush super:off
• drush cache:rebuild
   

Summary

• remove administrator role from user/1
• turn the policy on/off with drush super:on / drush super:off
• clear cache after changing the policy