Securing your Ektron website
For this post I want to first focus on a service bulletin in case you have not heard: someone somewhere had some information just get hacked.
Yes, that is the vaguest and most nondescript service bulletin I could
have come up with, but then again, it's pretty darn accurate. We hear
about the big ones that make the headlines like Sony, Home Depot,
Chick-fil-A, and others recently, but the truth is that smaller companies and
organizations have attacks attempted on them all the time; they're just
not big enough to make the morning news. We even dealt with someone
trying a SQL injection on our company forums at my last job. The
raw truth is that as long as there is a web presence for anyone, someone
is going to try to get something from it for free. In some cases it may
be nothing more than access to an area the public isn't allowed, in
others it could be credit card and personal information that can damage a
person's credit, identity, and life. The important thing is that we
understand this is a continual act that we, as professionals in this
realm, must continue to learn from, adapt to, and be proactive against.
Being proactive is the biggest key in all of this because, as my dad
always said, for every lock that's created, there's someone already
trying to break it. Next time you're in your local hardware store, check
out the locks they have. Then wait a couple months and check again.
They constantly change for a reason.
The obvious approach
At this point, the first question you may have is, "Where do I start?"
Well, first and foremost, come up with a security strategy for your
servers as part of your architecture discussions. This is a crucial
first step for any organization taking security seriously. This
discussion should cover everything from general user permissions and
roles in IIS, to user authentication, IP restrictions, and whether you
are using SSL. These are general security topics, though, and since this
post is more specific to Ektron, I think it's important we point out
some ways to make your Ektron installation more secure as well.
My first piece of advice to anyone is: read the manual. With
everything in this digital age going to "quick-start" guides, which,
let's face it, aren't always that quick, we can often overlook the inclusion of, or
value of, a full-length reference manual. And when it's over
1,000 pages long, maybe "overlook" is not exactly what we do. It can seem like an overwhelming task, but it's
important to remember that having documentation available is very useful
when working with something new. And you don't have to read the whole
thing right away. It's good to just know what's available when you need
to find a specific topic and skim to that topic.
Get familiar with the reference documents available for your version: http://www.ektron.com/Documentation/Ektron-CMS/. Even though the Developer Reference is the primary go-to document, the Release Notes can also help identify updates you need to be aware of.
Suggested light reading
Following that line of thinking, I focus on a few topics right out of the gate for security with Ektron. The first thing you should do before installing Ektron is read the section on doing so! It might seem obvious, but I know way too many people who skip this step. After you read "Installing Ektron", the next section you follow with should be "Securing Ektron".
The topics in this section cover some really important configurations
and settings that many people often overlook.
Topics like removing
sample users and changing group permissions are topics you might not
immediately think about when you are rushing to get that installation up
and running to make your boss happy. But these are important topics to
cover when you think about security. A harmful action is not always one
from an outside source, and is not always intentional either.
Controlling permissions and user accounts inside your Ektron Workarea
can be just as critical as employing server level security, as users
aren't always 100% sure of the actions they take. Modifying the wrong
content unintentionally can have just as strong an impact as an outside
cyber-attack. Restricting the areas your CMS users are accessing also
simplifies their experience since users can become overwhelmed when they
log in and see every folder staring back at them. It's best to keep it
from becoming a guessing game for them.
There is also an "Additional Security Measures"
topic in this section that covers often overlooked settings like cookie
encryption and enabling captcha for user and membership sign-ups. The
bullet points in this section also cover things you might not think
about having an impact, or creating security issues. When was the last
time you backed up a file and gave it a ".bkp" extension to easily
identify it? Have you done that with a Web.config file? What about
zipping up site files or database backups and leaving them in a folder
in your site? Without security on these extensions those files could be
exposed for someone to easily download if they try hard enough.
Sometimes the things we think would be the most obvious are the ones we
often overlook, and reading a manual can remind us that those simple
Back when the eCommerce
module was being developed, Ektron had to create additional security
features to allow a site to follow Payment Card Industry Data
Security Standards (PCI-DSS), which enabled the application to be configured for Payment Application Data Security Standards (PA-DSS) compliance. Without
getting too technical, what this means is that more settings were added
to allow an Ektron-powered site to be even more secure. Security
features like case-sensitive passwords, password enforcement policies
for character minimums, 90-day changes, and password histories, as well
as automatic time-out were added. The great thing about these features
is that you don't have to use eCommerce to enable them. The "Setting Up Ektron"
section of the Reference Guide discusses these settings a little more
thoroughly. In short, you can enable them via a key in the Web.config
by setting the value to "true". You can also adjust the password
history setting once compliance mode is enabled via the
While you're in that section of the manual, you might as well take a look at "Managing Logins and Passwords"
to read up on some additional settings that are available to you to
secure your Ektron application. Instructions on restricting the number of
login attempts, or preventing Ektron users from logging in are covered
in these topics. I've worked with many installations where we just removed all login pages, including the Workarea login, for public-facing websites, but setting the "ek_loginAttempts" key to "0" helps to ensure that no overlooked login method can be exploited. Additionally, version 9.1 introduced some new features
that users upgrading, or even new users, might not even know exist. One such feature focused on security is the Password Security Policy. This feature allows you to enforce certain criteria on users' passwords using a regular expression that you can configure, and it not only applies to users created through the Workarea, but also through the API.
With all of this information available in it, consider "Setting Up Ektron" my suggestion for the third section to read when you are getting started. I would even suggest you bookmark these links for future reference.
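Two of the points above, the backup files left in the site folder and the "ek_loginAttempts" key, can both be handled in Web.config. The fragment below is an added illustration, not Ektron's shipped Web.config: the IIS request filtering elements are standard IIS 7+ configuration, while placing "ek_loginAttempts" under appSettings is an assumption about where Ektron reads its keys, and the extension list and "backups" folder name are my own choices.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration; merge the relevant fragments into your own Web.config. -->
<configuration>
  <appSettings>
    <!-- Page's advice for a public-facing site with no login pages: "0" means
         no login attempts are accepted, so a forgotten login form cannot be used.
         (Assumption: Ektron reads its ek_* keys from appSettings.) -->
    <add key="ek_loginAttempts" value="0" />
  </appSettings>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS already refuses to serve .config, but Web.config.bkp ends in
             .bkp and would be downloadable. Deny the extensions typically used
             for copies, archives and database dumps; everything unlisted is
             still served as normal. Extensions IIS denies by default (.config,
             .mdf, ...) are left out, since re-adding them is a duplicate entry. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bkp" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".orig" allowed="false" />
          <add fileExtension=".zip" allowed="false" />
          <add fileExtension=".7z" allowed="false" />
          <add fileExtension=".rar" allowed="false" />
          <add fileExtension=".sql" allowed="false" />
        </fileExtensions>
        <!-- Treat a "backups" folder like App_Data: any URL containing that
             segment gets a 404, whatever the file's extension. -->
        <hiddenSegments>
          <add segment="backups" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering only protects what is served over HTTP; the cleaner fix is still to keep backups out of the site folder altogether, with the filter as a safety net for the copy someone makes in a hurry.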
As mentioned, staying secure is never something we can get complacent
about, as the challenges presented to us are always changing. Enabling
any security features you can for your website will always help, but you
must continue to follow security trends and news with a keen eye. You
may not have experienced an attack yet, but enabling a couple security
settings and relaxing is not going to guarantee that you don't. Follow
security bulletins, stay current with software updates and security
patches, and make sure you know what features and settings are available
to you. It also doesn't hurt to have a backup strategy as part of that
architecture discussion, just in case.
Oh, and have I mentioned anything about reading manuals?