System Administrators should consider secure application configuration practices in order to further harden your Blackboard Learn solution.


Identification and authentication

Harden system accounts

  1. Ensure the default "administrator" account password is complex and rotated regularly per your organization's Access Management policies.
  2. Change the default "root_admin" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. See Managing User Accounts.
  3. Change the default "Integration" account password. Ensure it is complex and rotated regularly per your organization's Access Management policies. On the Administrator Panel, under Building Blocks, select Data Integration, and then select Integration Password.

    More on the Integration Password

Privileges review

  1. Review default privileges assigned to each System Role and Course Role.

Guest access review

  1. Review if Anonymous (Guest) Access is appropriate at all four levels:
    1. System Admin > Security > Gateway Options
    2. System Admin > Course Settings > Course Tools
    3. System Admin > Course Settings > Default Course Settings
    4. System Admin > Organization Settings > Default Organization Settings

Secure user password migrations

  1. Verify successful password migrations. Monitor user accounts that have not migrated and reset passwords. This is applicable beginning in Blackboard Learn, Release 9.1 Service Pack 12 when Secure User Password Storage was released.
  2. Verify application administrator passwords migrated. See the "Blackboard Configuration File" section of Secure User Password Storage.

Use third party authentication systems

  1. Fully use third party authentication systems such as LDAP and Active Directory. See LDAP Authentication with TLS. This provides the ability to enforce password complexity policies, obtain login failure throttling, etc.

Shared accounts

  1. As a practice, do not use shared accounts. Power users should use their own accounts to help ensure accountability for changes to the system.
  2. Monitor usage of default system accounts by reviewing the security logs. See Audit and Accountability.

Disable persistent cookies

  1. Go to System Admin > Content Management > Technical Settings > Authentication Settings

Audit and accountability

Ensure security logging is enabled for load-balanced configurations

  1. Ensure Client IP Address appears in all logs. Verify this immediately. Otherwise, security logs will all indicate the load balancer IP address, limiting security forensics capabilities. Review information on X-Forwarded-For in Load Balancing - Configuration and Best Practices.

Grade history

  1. Enable Grade History.
  2. Do not allow Instructors/Assistants to change auditing status.
  3. Do not allow Instructors/Assistants to clear grade history.

Review log aggregation practices

  1. Consider log archiving duration. How far back do you need to go?
  2. Use a third party log aggregation tool.

System and communications protection

Use TLS system-wide

  1. Enable TLS system-wide.

More on TLS

If you are receiving mixed content warnings, tell users to upload the files into Learn.

Web servers

  1. Ensure high strength ciphers (TLSv1).

    SSLProtocol -ALL +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:!MEDIUM:!SSLv2

  2. Use minimum 2048-bit key TLS certificates.
  3. For Apache Web Server configurations, set quieter headers. Set OnServerSignature Off.

Reduce session timeout

  1. Ensure that the session timeout setting is set to a reasonable level as it mitigates session hijacking.
    Default is three hours with an hourly task to cleanup the sessions (up to four hours).
    To modify, change the properties of the "bb.session.invalidation" task of the BLACKBOARD_HOME/config/bb-tasks.xml.
  2. Modify the "bb.session.invalidation" task in BB_HOME/config/bb-tasks.xml
    1. Delay - Period before the server starts before the first task is run (milliseconds)
    2. Period - Frequency of invalidation task (milliseconds)
    3. Invalid - User session timeout period (milliseconds)

Enable session fingerprinting

  1. Enable AND Create new session when fingerprint changes. See Session Fingerprinting.

Bb Mobile users should not enable this setting.


System and information integrity

Configure alternate domain for serving content

  1. Not a default setting because it requires certificates
  2. See Alternate Domain for Serving Content.

Tailor Safe HTML policy to your needs

  1. See Security Management - Safe HTML.

Review usage of "add/edit trusted content with scripts" privilege

  1. This is similar to privileges review. By default, Administrators and Instructors receive the privilege to use unrestricted HTML. If only a limited set of users need the ability to perform dynamic scripting, consider creating a custom role, placing users into that role, and granting just that role this particular privilege. This follows the security principle of Least Privilege.