Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Presentatie over blackboard security


Published on

Presentatie over Blackboard Security voor NLBBUG op 27 januari 2011

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Presentatie over blackboard security

  1. 1. Blackboard Security what can you do? Ir. Willem van Valkenburg
  2. 2. Agenda <ul><li>Security Threats </li></ul><ul><li>Server settings </li></ul><ul><li>SSL </li></ul><ul><li>Session Fingerprinting </li></ul><ul><li>XSS Control </li></ul><ul><li>Privileges and rights </li></ul><ul><li>Questions and discussion </li></ul>
  3. 3. Security threats <ul><li>Unauthorized access to server via OS or software </li></ul><ul><li>Denial of Service ( DoS ) attacks </li></ul><ul><li>Sensitive information is read or changed in an unauthorized manner </li></ul><ul><li>Sensitive information transmitted unencrypted between server and client </li></ul>Source:
  4. 4. Server <ul><li>Keep your server up-to-date </li></ul><ul><ul><li>Blackboard is using an ancient version of Apache! </li></ul></ul><ul><li>Firewall </li></ul><ul><li>Logging and monitoring </li></ul><ul><li>Backup </li></ul><ul><li>Personnel </li></ul>
  5. 5. BbPatch <ul><li>Easy way to apply a custom fix </li></ul><ul><li>Info: </li></ul><ul><li>Patches available: </li></ul><ul><ul><li>Interactive Tool Link Issues after Modifying Content Item </li></ul></ul><ul><ul><li>When editing content in the Visual Editor following an upgrade to Learn 9.1, images and other embedded files are broken </li></ul></ul><ul><ul><li>Course table of contents copy failures cause file permission issues for students </li></ul></ul><ul><ul><li>Course copies retain content links to the source course causing broken content links </li></ul></ul><ul><ul><li>Double-clicking in an assessment causes &quot;Access Denied&quot; errors </li></ul></ul><ul><ul><li>Following an upgrade to 9.1 SP2 guest users are unable to access course content and receive NullPointerExceptions </li></ul></ul><ul><ul><li>Batch Upload process stops after 100 errors </li></ul></ul>
  6. 6. SSL <ul><li>Blackboard supports SSL </li></ul><ul><li>Recommendation is System-wide </li></ul><ul><li>It is possible to exclude parts, such as a building block. See System Admin > SSL Choice </li></ul><ul><li>Don’t forget LDAPS </li></ul><ul><li>Don’t forget to have up-to-date browsers on campus with recent root-certificates </li></ul><ul><li>Discussion: How to deal with mixed content? </li></ul>
  7. 7. Session Fingerprinting
  8. 8. Cross-site Scripting Security Control <ul><li>Included in 9.1 SP1 </li></ul><ul><li>XSS vulnerabilities occur when untrusted data is used by a web application, typically entered through a web request. </li></ul><ul><li>The XSS Security Control is not enabled by default. </li></ul><ul><li>2 modes: FilterDangerousHtml and FilterAllHtml </li></ul><ul><ul><li>FilterDangerousHtml is recommended setting </li></ul></ul><ul><li>There is an exception list </li></ul>Source:
  9. 9. Privileges and rights <ul><li>Disable the privileges and tools you don’t use </li></ul><ul><li>Limit the users with access to System Admin panel </li></ul><ul><li>Set permit Instructors to Turn Grade History On and Off to No </li></ul><ul><li>Set Persistent Cookies to No </li></ul>
  10. 10. Stay up-to-date <ul><li>Subscribe to mailinglists : </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>[email_address] (for Content System) </li></ul></ul><ul><ul><li>[email_address] (for developers) </li></ul></ul><ul><ul><li>[email_address] (for developers) </li></ul></ul><ul><li>Subscribe to knowledge base </li></ul><ul><ul><li>Set your watch settings </li></ul></ul><ul><ul><li>Set your e-mail settings </li></ul></ul>
  11. 11. Questions and Discussion