Securing your Ektron website

By Daved Artemik

For this post I want to first focus on a service bulletin in case you have not heard: someone somewhere had some information just get hacked.

[Image: Dilbert on Hackers]

Yes, that is the vaguest and most nondescript service bulletin I could have come up with, but then again, it's pretty darn accurate. We hear about the big ones that make the headlines, like Sony, Home Depot, Chick-fil-A, and others recently, but the truth is that smaller companies and organizations have attacks attempted on them all the time; they're just not big enough to make the morning news. We even dealt with someone trying a SQL injection on our company forums at my last job.

The raw truth is that as long as there is a web presence for anyone, someone is going to try to get something from it for free. In some cases it may be nothing more than access to an area the public isn't allowed, in others it could be credit card and personal information that can damage a person's credit, identity, and life. The important thing is that we understand this is a continual act that we, as professionals in this realm, must continue to learn from, adapt to, and be proactive against. Being proactive is the biggest key in all of this because, as my dad always said, for every lock that's created, there's someone already trying to break it. Next time you're in your local hardware store, check out the locks they have. Then wait a couple months and check again. They constantly change for a reason.

The obvious approach

At this point, the first question you may have is, "Where do I start?" Well, first and foremost, come up with a security strategy for your servers as part of your architecture discussions. This is a crucial first step for any organization taking security seriously. This discussion should cover everything from general user permissions and roles in IIS, to user authentication, IP restrictions, and whether you are using SSL. These are general security topics, though, and since this post is more specific to Ektron, I think it's important we point out some ways to make your Ektron installation more secure as well.

My first piece of advice to anyone is: read the manual. With everything in this digital age going to "quick-start" guides (which, let's face it, aren't always quick), we can easily overlook the inclusion, or the value, of a full-length reference manual. And when it's over 1,000 pages long, maybe "overlook" is not exactly what we do. It can seem like an overwhelming task, but it's important to remember that having documentation available is very useful when working with something new. And you don't have to read the whole thing right away. It's enough to know what's available so that when you need a specific topic, you can skim straight to it.

Get familiar with the reference documents available for your version: http://www.ektron.com/Documentation/Ektron-CMS/. Even though the Developer Reference is the primary go-to document, the Release Notes can also help identify updates you need to be aware of.

Suggested light reading

Following that line of thinking, I focus on a few topics right out of the gate for security with Ektron. The first thing you should do before installing Ektron is read the section on doing so! It might seem obvious, but I know way too many people who skip this step. After you read "Installing Ektron", the next section you should follow with is "Securing Ektron". The topics in this section cover some really important configurations and settings that many people overlook.

Removing sample users and changing group permissions are topics you might not immediately think about when you are rushing to get that installation up and running to make your boss happy, but they are important when you think about security. A harmful action is not always one from an outside source, and it is not always intentional either. Controlling permissions and user accounts inside your Ektron Workarea can be just as critical as employing server-level security, as users aren't always 100% sure of the actions they take. Modifying the wrong content unintentionally can have just as strong an impact as an outside cyber-attack. Restricting the areas your CMS users can access also simplifies their experience, since users can become overwhelmed when they log in and see every folder staring back at them. It's best to keep it from becoming a guessing game for them.

There is also an "Additional Security Measures" topic in this section that covers often-overlooked settings like cookie encryption and enabling CAPTCHA for user and membership sign-ups. The bullet points in this section also cover things you might not think of as having an impact or creating security issues. When was the last time you backed up a file and gave it a ".bkp" extension to easily identify it? Have you done that with a Web.config file? What about zipping up site files or database backups and leaving them in a folder in your site? Without security on these extensions, those files could be exposed for someone to easily download if they try hard enough. Sometimes the things we think would be the most obvious are the ones we overlook, and reading a manual can remind us that those simple things exist.
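An added example (not from the post or from Ektron's shipped configuration) of the IIS request-filtering settings that stop such leftover files from being served; the extension list and the "backups" folder name are assumptions, so adjust them to what your site actually contains:

```xml
<!-- Web.config fragment (added example, not Ektron's shipped configuration).
     IIS serves unknown extensions such as .bkp as plain static files, so a copy
     named Web.config.bkp is downloadable even though Web.config itself is not. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Deny common backup/archive extensions; everything else stays allowed. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bkp" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
          <add fileExtension=".orig" allowed="false" />
          <add fileExtension=".zip" allowed="false" />
        </fileExtensions>
        <!-- Hide an entire folder from web requests; "backups" is an assumed name. -->
        <hiddenSegments>
          <add segment="backups" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests for a denied extension or hidden segment get an HTTP 404 (substatus 404.7 or 404.8 in the IIS logs), which is also a useful thing to watch for. If the site legitimately offers .zip downloads, leave that extension out and rely on the hidden folder instead.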

The not-so-known

Back when the eCommerce module was being developed, Ektron had to create additional security features to allow a site to follow the Payment Card Industry Data Security Standard (PCI DSS), which enabled the application to be configured for Payment Application Data Security Standard (PA-DSS) compliance. Without getting too technical, what this means is that more settings were added to allow an Ektron-powered site to be even more secure. Security features like case-sensitive passwords, password enforcement policies for character minimums, 90-day changes, and password histories, as well as automatic time-out, were added. The great thing about these features is that you don't have to use eCommerce to enable them. The "Setting Up Ektron" section of the Reference Guide discusses these settings a little more thoroughly. In short, you can enable them via a key in the Web.config named "ek_ecom_ComplianceMode" by setting the value to "true". You can also adjust the password history setting once compliance mode is enabled via the "ek_ecom_PasswordHistory" key.

[Image: Compliance Mode]

While you're in that section of the manual, you might as well take a look at "Managing Logins and Passwords" to read up on some additional settings that are available to you to secure your Ektron application. Instructions on restricting the number of login attempts, or preventing Ektron users from logging in at all, are covered in these topics. I've worked with many installations where we just removed all login pages, including the Workarea login, for public-facing websites, but setting the "ek_loginAttempts" key to "0" helps to ensure that no overlooked login method can be exploited. Additionally, version 9.1 introduced some new features that upgrading users, or even new users, might not know exist. One such feature focused on security is the Password Security Policy. This feature allows you to enforce certain criteria on users' passwords using a regular expression that you can configure, and it applies not only to users created through the Workarea, but also to those created through the API.
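The three keys from the two paragraphs above, collected into one Web.config fragment as an added example (not Ektron's shipped file); the key names come from the post, but that they live under appSettings and the numeric values shown are assumptions to check against the "Setting Up Ektron" and "Managing Logins and Passwords" topics for your version:

```xml
<!-- Web.config appSettings fragment (added example, not Ektron's shipped file).
     Key names are from the post; the <appSettings> location and the numeric
     values are assumptions to verify against the Reference Guide. -->
<configuration>
  <appSettings>
    <!-- Turns on the PA-DSS password rules (case sensitivity, minimum
         characters, 90-day rotation, history, time-out) without eCommerce. -->
    <add key="ek_ecom_ComplianceMode" value="true" />

    <!-- How many previous passwords a user may not reuse; only takes effect
         once compliance mode is enabled. "4" is a constructed value. -->
    <add key="ek_ecom_PasswordHistory" value="4" />

    <!-- Public-facing site: "0" prevents Ektron users from logging in at all,
         so a login page missed when stripping them out cannot be used. -->
    <add key="ek_loginAttempts" value="0" />

    <!-- Authoring/staging server: use a positive limit instead so editors can
         log in but failed attempts are restricted. "5" is a constructed value.
    <add key="ek_loginAttempts" value="5" />
    -->
  </appSettings>
</configuration>
```

Keep the public-facing and authoring configurations in separate Web.config transforms so the "0" setting cannot be promoted to the wrong environment by accident.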

With all of this information available in it, consider "Setting Up Ektron" my suggestion for the third section to read when you are getting started. I would even suggest you bookmark these links for future reference.

Summary

As mentioned, staying secure is never something we can get complacent about, as the challenges presented to us are always changing. Enabling any security features you can for your website will always help, but you must continue to follow security trends and news with a keen eye. You may not have experienced an attack yet, but enabling a couple of security settings and relaxing is not going to guarantee that you don't. Follow security bulletins, stay current with software updates and security patches, and make sure you know what features and settings are available to you. It also doesn't hurt to have a backup strategy as part of that architecture discussion, just in case.

Oh, and have I mentioned anything about reading manuals?
