- Identification and authentication
- Audit and accountability
- System and communications protection
- System and information integrity
System Administrators should consider secure application configuration practices in order to further harden your Blackboard Learn solution.
- Ensure the default "administrator" account password is complex and rotated regularly per your organization's Access Management policies.
- Change the default "root_admin" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. See Managing User Accounts.
- Change the default "Integration" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. On the Administrator Panel, under Building Blocks, select Data Integration, and then select Integration Password.
- Review if Anonymous (Guest) Access is appropriate at all four levels:
- System Admin > Security > Gateway Options
- System Admin > Course Settings > Course Tools
- System Admin > Course Settings > Default Course Settings
- System Admin > Organization Settings > Default Organization Settings
- Verify successful password migrations. Monitor user accounts that have not migrated and reset passwords. This is applicable beginning in Blackboard Learn, Release 9.1 Service Pack 12 when Secure User Password Storage was released.
- Verify application administrator passwords migrated. See the "Blackboard Configuration File" section of Secure User Password Storage.
- Fully use third party authentication systems such as LDAP and Active Directory. See LDAP Authentication with TLS. This provides the ability to enforce password complexity policies, obtain login failure throttling, etc.
- As a practice, do not use shared accounts. Power users should use their own accounts to help ensure accountability for changes to the system.
- Monitor usage of default system accounts by reviewing the security logs. See Audit and Accountability.
- Ensure Client IP Address appears in all logs. Verify this immediately. Otherwise, security logs will all indicate the load balancer IP address, limiting security forensics capabilities. Review information on X-Forwarded-For in Load Balancing - Configuration and Best Practices.
- Enable Grade History.
- Do not allow Instructors/Assistants to change auditing status.
- Do not allow Instructors/Assistants to clear grade history.
- Enable TLS system-wide.
If you are receiving mixed content warnings, tell users to upload the files into Learn.
- Ensure high strength ciphers (TLSv1).
SSLProtocol -ALL +TLSv1
- Use minimum 2048-bit key TLS certificates.
- For Apache Web Server configurations, set quieter headers. Set OnServerSignature Off.
- Ensure that the session timeout setting is set to a reasonable level as it mitigates session hijacking.
Default is three hours with an hourly task to cleanup the sessions (up to four hours).
To modify, change the properties of the “bb.session.invalidation” task of the BLACKBOARD_HOME/config/bb-tasks.xml.
- Modify the "bb.session.invalidation" task in BB_HOME/config/bb-tasks.xml
- Delay – Period before the server starts before the first task is run (milliseconds)
- Period – Frequency of invalidation task (milliseconds)
- Invalid – User session timeout period (milliseconds)
- Enable AND Create new session when fingerprint changes. See Session Fingerprinting.
Bb Mobile users should not enable this setting.
Configure alternate domain for serving content
- Not a default setting because it requires certificates
- See Alternate Domain for Serving Content.
- This is similar to privileges review. By default, Administrators and Instructors receive the privilege to use unrestricted HTML. If only a limited set of users need the ability to perform dynamic scripting, consider creating a custom role, placing users into that role, and granting just that role this particular privilege. This follows the security principle of Least Privilege.