Security In eFrontPro - Part 2

Making Sure You Have Secure LMS Data Is eFrontPro-Level Easy!

They say that a computer system is only as secure as its weakest link.

Thankfully, when your corporate network or private cloud is the home of your secure LMS data, you can easily ensure that eFrontPro is not a weak link in any way.

In the previous article of this series we had a look at LMS security in eFrontPro, meaning how you can protect your portal from malicious users, script kiddies, wannabe hackers, and generally anyone wanting to intrude or take advantage of your LMS server.

Specifically, we covered eFrontPro's security settings, password policy options, whitelisting, and its sign-up and authentication restrictions.

In this article we are going to delve into eFrontPro's remaining security features, and see how the platform actively prevents various kinds of system abuses and attacks.

Single Sign-On

While Single Sign-On (SSO) might not sound like a secure LMS provision per se, it does enable companies to consolidate their intranet authentication options, control them from a central location, and enforce uniform security policies across all of their systems.

In other words, SSO is an essential tool for secure LMS data, and eFrontPro offers it in several versions, supporting both traditional LDAP and Active Directory servers, plus all kinds of SAML 2-based systems.


2-Factor Authentication Support

Two-factor authentication is increasingly common these days, and for good reason: single-factor authentication (e.g. plain old passwords) has been shown to be quite easy to bypass.

In case you are not familiar with the term, it is all about adding a second layer of protection -- like having double locks in your house. It’s definitely one of the top ways to ensure secure LMS data for your eFrontPro portal.

In the most common implementation, the first layer is your regular username and password, and the second layer is some time-limited PIN that you generate from an app, an SMS you receive, or a code you get in an email.

Google uses it, Apple uses it, your bank is using it -- and eFrontPro offers it too, in all of the above ways. More specifically you can:

  1. Use a QR-code generated from the Google Authenticator app (a general-purpose 2-factor authentication token generator).
  2. Use PIN codes you receive on your mobile phone (through SMS).
  3. Use a code that gets delivered to your email address.

What two-factor authentication achieves is that it makes it much harder for someone to simply guess or steal your eFrontPro password and get into your eLearning portal: they will also need access to your email account, unique token generator or mobile phone.


Access control privileges

This section is more about what users are able to do after they have successfully logged into your portal.

We have already covered the relevant eLearning data security features in detail in a previous two-article series here, but, for your convenience, we are going to repeat the most important things you need to know:

  1. User Types, eFrontPro's version of what other systems call "Roles", allow you to create custom sets of permissions, with restricted access to certain features and/or areas of your eLearning portal, and assign them to your users.
  2. In larger businesses and organizations, eFrontPro Branches allow you to create separate but centrally managed eLearning portals, each with its own content, users, and access restrictions.

These kinds of granular permission settings can be a life saver, especially when allowing people outside your organization or, even more so, the general public to access your secure LMS. They can very well be the difference between secure LMS data and a wallet on the sidewalk.

Pro-Active Security Features

eFrontPro's security features go beyond what is on the surface, and what you can configure yourself.

There's a whole range of security features, implemented in the backend eLearning and storage engines and in the front-end (browser) code, that work together to thwart attacks on your portal and ensure secure LMS data.

Those include:

  1. XSS filtering prevents malicious users from injecting external scripts into your portal's code.
  2. CSRF tokens and backend checks prevent phishing attacks and malicious manipulation of a user's open sessions (e.g. through specially formed links in emails or on third-party websites).
  3. Session hijacking protection safeguards you from malicious users bypassing authentication, by using recommended countermeasures such as secure cookies and SSL.
  4. Important actions (e.g. purchase refunds) ask the user to re-authenticate, as a second layer of protection against hijacked sessions.
  5. User data is sanitized and scrutinized to prevent SQL injection and other injection or escalation bugs.
  6. While "security through obscurity" is not effective in itself, it is still an additional barrier against malicious attacks and a step towards more secure LMS data. eFrontPro can be configured to prevent backend information and error reports (e.g. PHP messages, SQL issues, etc.) from reaching the end user.
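Items 2 to 4 above (CSRF tokens, secure cookies, and re-authentication before an important action such as a refund) fit together in one request-handling flow. The block below is an added example of that flow written for this article; it is not eFrontPro's code. The `Set-Cookie` attributes are the standard ones behind the term "secure cookies", the synchronizer-token pattern is one common CSRF defence, and the five-minute re-authentication age, the `handle_refund` name, and the user record are constructed assumptions.

```python
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed policy: how recent the last password check must be for a sensitive action.
REAUTH_MAX_AGE = 300  # seconds

# Constructed user record: a PBKDF2 hash of the demo password "correct horse".
_SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


@dataclass
class Session:
    session_id: str
    user: str
    last_password_auth: float  # Unix time of the most recent successful password check
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session id. Secure: HTTPS only; HttpOnly: no script
    access; SameSite=Lax: not sent on cross-site POSTs, which blunts CSRF."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def verify_password(user: str, candidate: str) -> bool:
    stored = USERS.get(user)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, digest)


def csrf_check(session: Session, submitted: Optional[str]) -> bool:
    """Synchronizer-token check: the form must carry the token tied to this session,
    compared in constant time so the comparison itself leaks nothing."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def needs_reauth(session: Session, now: float) -> bool:
    return now - session.last_password_auth > REAUTH_MAX_AGE


def handle_refund(session: Session, form: dict, now: float) -> Tuple[int, str]:
    """Order of checks for a sensitive POST: CSRF token, then step-up re-authentication,
    then the action. The message is HTML-escaped so user-controlled text cannot carry script."""
    if not csrf_check(session, form.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    if needs_reauth(session, now):
        password = form.get("password")
        if password is None:
            return 401, "re-authentication required"
        if not verify_password(session.user, password):
            return 401, "re-authentication failed"
        session.last_password_auth = now  # refresh the step-up timestamp
    # the actual refund would be performed here
    return 200, html.escape(f"refund processed for {session.user}")


if __name__ == "__main__":
    s = Session("sid-demo", "alice", last_password_auth=1000.0)
    print(session_cookie_header(s.session_id))
    print(handle_refund(s, {"csrf_token": s.csrf_token}, now=1010.0))  # fresh: proceeds
    print(handle_refund(s, {"csrf_token": s.csrf_token}, now=2000.0))  # stale: step-up asked
    print(handle_refund(s, {"csrf_token": s.csrf_token, "password": "correct horse"}, now=2000.0))
```

The CSRF check runs before anything else so a forged cross-site request never reaches the password prompt, and the re-authentication timestamp is per session, so a stolen session cookie alone does not unlock a refund once the original password check has aged out.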

Monitoring

Every user action in eFrontPro is time-stamped, logged and kept in the system for review by the administrators.

In addition to that, eFrontPro can also optionally log all kinds of system errors it encounters, to help with troubleshooting and with the early discovery of all kinds of misconfigurations and attack attempts. So our claim to secure LMS data is not a theoretical one; it's one you can verify yourself if you're up for some log reading.
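Log reading is more useful with a little automation. The block below is an added example, written for this article and not part of eFrontPro, of two checks an administrator can run over a time-stamped login log: repeated failures from one client address within a short window, and one address trying many different accounts. The "timestamp user ip event" line layout, the sample lines, and the thresholds are all constructed assumptions, not eFrontPro's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed sample audit log in an assumed "<ISO timestamp> <user> <client ip> <event>" layout.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.7 login_failed
2024-03-01T09:00:04 alice 203.0.113.7 login_failed
2024-03-01T09:00:09 alice 203.0.113.7 login_failed
2024-03-01T09:00:15 alice 203.0.113.7 login_failed
2024-03-01T09:00:22 alice 203.0.113.7 login_failed
2024-03-01T09:00:30 alice 203.0.113.7 login_failed
2024-03-01T09:05:00 bob 198.51.100.9 login_failed
2024-03-01T09:05:03 carol 198.51.100.9 login_failed
2024-03-01T09:05:07 dave 198.51.100.9 login_failed
2024-03-01T09:05:11 erin 198.51.100.9 login_failed
2024-03-01T09:10:00 alice 192.0.2.5 login_failed
2024-03-01T09:10:20 alice 192.0.2.5 login_ok
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
Event = Tuple[datetime, str, str, str]  # (timestamp, user, ip, event)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed layout; malformed lines are skipped rather than aborting the review."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip, event = m.groups()
        try:
            events.append((datetime.fromisoformat(ts), user, ip, event))
        except ValueError:
            continue  # four tokens but not a timestamp: skip as well
    return events


def flag_brute_force(events: List[Event], threshold: int = 5,
                     window: timedelta = timedelta(minutes=2)) -> Set[str]:
    """Addresses with at least `threshold` failed logins inside any `window` (sliding window)."""
    failures = defaultdict(list)
    for ts, _user, ip, event in events:
        if event == "login_failed":
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def flag_spraying(events: List[Event], min_users: int = 3) -> Set[str]:
    """Addresses whose failed logins span at least `min_users` distinct accounts."""
    users_per_ip = defaultdict(set)
    for _ts, user, ip, event in events:
        if event == "login_failed":
            users_per_ip[ip].add(user)
    return {ip for ip, users in users_per_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} events parsed")
    print("repeated failures from:", sorted(flag_brute_force(parsed)))
    print("many accounts tried from:", sorted(flag_spraying(parsed)))
```

The two checks are deliberately separate: a burst against one account and a slow walk across many accounts look very different per address, and the second one stays under any per-account lockout threshold, which is why a per-address view of the log is worth keeping.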

Conclusion

In this series of articles we have examined eFrontPro's security features, covering those options that portal administrators can configure and fine-tune, as well as the security best practices and counter-measures that actively protect your eFrontPro installation at the code level and make for secure LMS data.

Stay tuned for more eFrontPro related news, in-depth coverage, and tutorials.
