The Steps To A More Secure LMS
In our previous series of articles, we covered eFrontPro's access control options -- the ways in which you can restrict access to eFrontPro's content and features to specific sets of users.
An overlapping but broader topic is how to keep your LMS secure. That is, how you can protect your eFrontPro portal from external access, malicious users, wannabe hackers and potential eavesdroppers.
In this article, we are going to have a look at eFrontPro's security options -- and some general considerations and guidelines regarding LMS security.
Security Settings
Your first stop when it comes to eFrontPro's security options should be the Security panel, which you will find as a dedicated tab in the System Settings section.
First, there's the option to only allow certain IP addresses to have access to your secure LMS.
This won't be applicable if you want to offer broad access to your portal (e.g. because you do commercial eLearning targeting the general public, or because you want your learners to be able to log in from anywhere), but it can really enhance security if you only allow access from within your company's network (or VPN).
There's also the option to disallow certain file extensions from being uploaded to the platform (e.g. for sharing in the File Library). This mainly targets files that might be executable and contain viruses and exploits (.exe, .com, etc.) and file formats that can mess with eFrontPro's PHP engine (various .php extensions).
Unless you really know what you are doing, the default set of excluded files is fine as it is -- and if you want to add some file extension, go ahead, but we advise you not to remove any of the already listed ones.
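As an added illustration (this is not eFrontPro's own code), here is how an extension blocklist check of this kind can be written so that letter case, trailing dots or spaces, and stacked extensions do not slip past it. The BLOCKED set and the file names in the comments are constructed samples, not the platform's default list.

```python
# Added example, not eFrontPro code. BLOCKED is a constructed sample list,
# not the platform's default set of excluded extensions.
BLOCKED = {"exe", "com", "php", "php5", "phtml"}


def suffixes(filename: str) -> list[str]:
    """Return every dot-separated suffix of the base name, lower-cased."""
    # Keep only the last path component, whichever separator was sent.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are dropped by some filesystems on save,
    # so strip them before looking at the extension.
    base = base.rstrip(". ").lower()
    # Element 0 is the stem; everything after it is a suffix.
    return [part.strip() for part in base.split(".")[1:] if part.strip()]


def is_blocked(filename: str, blocked: set[str] = BLOCKED) -> bool:
    """True if the upload should be refused under the blocklist."""
    if not filename.strip(". ") or "\x00" in filename:
        return True  # empty or malformed name: fail closed
    # Check every suffix, not only the last one, so "a.php.jpg" is refused.
    return any(ext in blocked for ext in suffixes(filename))
```

Checking every suffix is deliberately strict: a harmless name such as "example.com.pdf" is refused as well, which is the safer failure for an upload filter.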
Setting a minimum password length is another good way to make sure your eLearning is running on a secure LMS. Generally when it comes to passwords the bigger the better, but don't make it ridiculously big -- something around 10-16 characters should be enough.
You also have the option to specify a "regular expression" that every password must match: a pattern that restricts which characters a password may use, or imposes other limitations that it should comply with.
In general, we would advise you not to set one, unless, again, you know what you are doing. It's better to let users use all available characters (including Unicode and special chars like #$ and %) as it makes a password more unpredictable (and thus more secure).
You can also set a password label -- a text that will be shown to users next to the password form, and prompt them to e.g. "Enter a password of 10 characters or more", or anything else you want them to comply with.
There's the option for password expiration (forcing your users to change their password frequently, and thus restricting exposure to compromised passwords) -- and because users will always try to trick the system, you can also prevent them from reusing the same exact password that they had before it expires.
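The password settings above (minimum length, optional regular expression, no reuse of the expired password) can be pictured as one check, sketched here as an added example that is not eFrontPro's implementation. The function names, the PBKDF2 parameters and the sample passwords are assumptions made for illustration; the reuse check compares salted hashes, so the old password never has to be stored in clear text.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # illustrative work factor, not a platform setting


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash; only this value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Build the (salt, hash) pair kept for the user's current password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_new_password(new, previous=None, min_length=10, pattern=None):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    # len() counts Unicode code points, so "ä" counts as one character.
    if len(new) < min_length:
        problems.append("too short")
    # The optional regular expression must match the whole password.
    if pattern is not None and re.fullmatch(pattern, new) is None:
        problems.append("pattern mismatch")
    # Reuse check: hash the candidate with the old salt and compare in
    # constant time against the stored hash of the expired password.
    if previous is not None:
        salt, old_hash = previous
        if hmac.compare_digest(hash_password(new, salt), old_hash):
            problems.append("reused")
    return problems
```

With no pattern set, a long password containing Unicode and special characters passes; adding a letters-and-digits-only pattern rejects the same password, which is the effect the advice above warns about.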
Last, but not least, two checkboxes control whether you want to make the "Reset password" link visible (allowing users to reset their password by having a new one sent to their email account) and whether you require users to change their assigned password the first time they log into the platform.
Advanced Security Options
In addition to the basic security features we've just covered, there are several advanced options that eFrontPro Administrators can enable in their quest for a more secure LMS.
These include:
Whitelisting
Whitelisting and blacklisting are IT terms: whitelisting means allowing access only to a specific, explicit list of users, computers, programs, and so on, while blacklisting means restricting access only for those on such a list. Whitelisting is a very direct way to ensure that your LMS is accessed only by the people that should benefit from it.
eFrontPro allows you to set IP address whitelisting -- that is, determine which IP addresses or IP ranges are allowed to access your eLearning portal. This is handy if you want to restrict access to people inside a corporate network (or virtual private network - VPN).
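To make the idea of an IP whitelist with addresses and ranges concrete, here is an added example (not eFrontPro's code) of how such a check can be evaluated. The ALLOWLIST entries are constructed documentation addresses, and client_ip is assumed to be the connection's peer address as seen by the web server.

```python
import ipaddress

# Constructed sample whitelist: an office range, a VPN range, one host.
ALLOWLIST = ["203.0.113.0/24", "10.8.0.0/16", "198.51.100.7"]


def parse_allowlist(entries):
    """Turn address/CIDR strings into network objects.

    strict=True raises ValueError for an entry such as "10.8.0.1/16",
    where host bits are set, so a typo is caught when the list is saved
    instead of silently widening or narrowing the range.
    """
    return [ipaddress.ip_network(entry.strip(), strict=True) for entry in entries]


def is_allowed(client_ip: str, networks) -> bool:
    """True only if client_ip parses and falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # unparsable input: fail closed
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
    # unwrap them so they are matched against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)
```

A single address in the list is treated as a /32 network, so ranges and individual hosts go through the same code path.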
As for blacklisting, we have covered it already -- remember the part about restricting the file types that users can upload to eFrontPro in the previous section?
Login And Sign-Up Restrictions
A plethora of options to make sure you have a secure LMS are available here too.
Regarding signing up, you can choose to allow users to register for an account with just email verification (that only ensures that the user has indeed access to the email address they have given as theirs) or enforce stricter manual verification.
As for signing in, you have the options to require captcha authentication (those annoying "type the letters seen in this image" fields that are useful for preventing bots and spammers from registering en masse), and to suspend accounts after a number of failed logins (to prevent malicious users from repeatedly trying various passwords until one matches).
Finally, there's the option to prevent users from signing in simultaneously with the same username -- handy if you offer commercial learning courses and you don't want a single paid account to make the rounds.
2-Factor Authentication
2-factor authentication refers to the process where an additional piece of information (called "a factor") is required, alongside your username and password, in order to sign into your account. eFrontPro supports 2 methods for 2-factor authentication: Google-Authenticator and SMS-based.
The Path To A Secure LMS
It might not be the primary concern of most parties involved, but security in eLearning is a critical function. After all, if you create the best content and someone steals it, was it worth it?
In this article, we had a look at what eFrontPro options you can start with to create a very secure LMS, covering password policies, blacklisting and whitelisting, and sign-up/login restrictions.
Come back for part two, where we will delve into eFrontPro's Single Sign-On options, 2-factor authentication, and several more advanced features, including those available "under the hood".