Recently I posted a question about whether it was a good idea to use separate databases for administration and public logins in an ASP.NET SQL authorization database to prevent compromises to the public site from spilling over into the admin side.

I think I was really asking a bigger question though--when securing an application, should you spend any time on damage control?

I can see arguments for it: obviously you want to limit your exposure to a breach in your security, which may come unexpectedly from your framework. On the other hand, you only have a finite amount of resources in any case, and building these 'walls within walls' takes time and energy away from what should be the main focus of your security efforts.

Are there any clear, well-recognized best security practices that address this?

+1  A: 

IMO, the idea has merit. If you've ever had a WordPress site hacked, you know what can happen when someone gets admin control of your site. I think this kind of partitioning could have helped. Maybe something as simple as IP filtering on the admin login.

Chris Thornton
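The partitioning the question describes and the IP filtering suggested above can both be expressed in ASP.NET configuration. This is an added example, not code from the question or either answer; it assumes the admin area is deployed as its own IIS application with the web.config below (the public site gets a mirror-image config that references only the public login store), and the host, database, login names and IP range are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original question or answers). Assumed layout:
     the admin area is a separate IIS application (e.g. /admin) using this
     web.config; the public site has its own config pointing only at the
     public store. DB_HOST, database/login names and the IP range are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Only the admin store is reachable from this application, through a
         SQL login that has no rights on the public database. -->
    <add name="AdminAuthDb"
         connectionString="Server=DB_HOST;Database=AdminAuth;User Id=admin_web;Password=PLACEHOLDER;" />
  </connectionStrings>
  <system.web>
    <!-- Distinct cookie name and path: a forms ticket issued by the public
         site is never presented here, and vice versa. -->
    <authentication mode="Forms">
      <forms name=".ADMINAUTH" loginUrl="~/Login.aspx" path="/admin"
             requireSSL="true" timeout="20" />
    </authentication>
    <!-- Everything in this application requires a user authenticated
         against the admin store; anonymous requests are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- SqlMembershipProvider bound to the admin store only; applicationName
         keeps admin accounts separate even if the stores were ever merged. -->
    <membership defaultProvider="AdminMembership">
      <providers>
        <clear />
        <add name="AdminMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AdminAuthDb"
             applicationName="/admin"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <security>
      <!-- IP allow-list for the admin login, as suggested in Chris Thornton's
           answer. Needs the IIS "IP and Domain Restrictions" feature installed. -->
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Because the admin login is a separate application with its own store, cookie and IP filter, a compromised public login database yields no credentials or session that the admin side accepts.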
+2  A: 

On my original question @Rook turned me on to the term Defense in Depth which from my reading seems to indicate that these 'inner walls' are in fact widely accepted best practices.

Paul