System Administrators should consider secure application configuration practices in order to further harden your Blackboard Learn solution.
Identification and authentication
Harden system accounts
- Ensure the default "administrator" account password is complex and rotated regularly per your organization's Access Management policies.
- Change the default "root_admin" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. See Managing User Accounts.
- Change the default "Integration" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. On the Administrator Panel, under Building Blocks, select Data Integration, and then select Integration Password.
- Review default privileges assigned to each System Role and Course Role.
Guest access review
- Review if Anonymous (Guest) Access is appropriate at all four levels:
- System Admin > Security > Gateway Options
- System Admin > Course Settings > Course Tools
- System Admin > Course Settings > Default Course Settings
- System Admin > Organization Settings > Default Organization Settings
Secure user password migrations
- Verify successful password migrations. Monitor user accounts that have not migrated and reset passwords. This is applicable beginning in Blackboard Learn, Release 9.1 Service Pack 12 when Secure User Password Storage was released.
- Verify application administrator passwords migrated. See the "Blackboard Configuration File" section of Secure User Password Storage.
Use third party authentication systems
- Fully use third party authentication systems such as LDAP and Active Directory. See LDAP Authentication with TLS. This provides the ability to enforce password complexity policies, obtain login failure throttling, etc.
- As a practice, do not use shared accounts. Power users should use their own accounts to help ensure accountability for changes to the system.
- Monitor usage of default system accounts by reviewing the security logs. See Audit and Accountability.
Disable persistent cookies
- Go to System Admin > Content Management > Technical Settings > Authentication Settings
Audit and accountability
Ensure security logging is enabled for load-balanced configurations
- Ensure Client IP Address appears in all logs. Verify this immediately. Otherwise, security logs will all indicate the load balancer IP address, limiting security forensics capabilities. Review information on X-Forwarded-For in Load Balancing - Configuration and Best Practices.
- Enable Grade History.
- Do not allow Instructors/Assistants to change auditing status.
- Do not allow Instructors/Assistants to clear grade history.
Review log aggregation practices
- Consider log archiving duration. How far back do you need to go?
- Use a third party log aggregation tool.
System and communications protection
Use TLS system-wide
- Enable TLS system-wide.
If you are receiving mixed content warnings, tell users to upload the files into Learn.
- Ensure high strength ciphers (TLSv1).
SSLProtocol -ALL +TLSv1
- Use minimum 2048-bit key TLS certificates.
- For Apache Web Server configurations, set quieter headers. Set OnServerSignature Off.
Reduce session timeout
- Ensure that the session timeout setting is set to a reasonable level as it mitigates session hijacking.
Default is three hours with an hourly task to cleanup the sessions (up to four hours).
To modify, change the properties of the "bb.session.invalidation" task of the BLACKBOARD_HOME/config/bb-tasks.xml.
- Modify the "bb.session.invalidation" task in BB_HOME/config/bb-tasks.xml
- Delay - Period before the server starts before the first task is run (milliseconds)
- Period - Frequency of invalidation task (milliseconds)
- Invalid - User session timeout period (milliseconds)
Enable session fingerprinting
- Enable AND Create new session when fingerprint changes. See Session Fingerprinting.
Bb Mobile users should not enable this setting.
System and information integrity
Configure alternate domain for serving content
- Not a default setting because it requires certificates
- See Alternate Domain for Serving Content.
Tailor Safe HTML policy to your needs
Review usage of "add/edit trusted content with scripts" privilege
- This is similar to privileges review. By default, Administrators and Instructors receive the privilege to use unrestricted HTML. If only a limited set of users need the ability to perform dynamic scripting, consider creating a custom role, placing users into that role, and granting just that role this particular privilege. This follows the security principle of Least Privilege.