System Administrators should consider secure application configuration practices in order to further harden your Blackboard Learn solution.
The links in this section go to articles in the Self-Hosted Deployment Option folder. The information applies to the Blackboard Learn with the SaaS Deployment. When you finish reading the articles, use your browser's back function to return here.
Identification and authentication
Harden system accounts
- Ensure the default "administrator" account password is complex and rotated regularly per your organization's Access Management policies.
- Review default privileges assigned to each System Role and Course Role.
Guest access review
- Review if Anonymous (Guest) Access is appropriate at all four levels:
- System Admin > Security > Gateway Options
- System Admin > Course Settings > Course Tools
- System Admin > Course Settings > Default Course Settings
- System Admin > Organization Settings > Default Organization Settings
Use third party authentication systems
- Fully use third party authentication systems such as LDAP and Active Directory. See LDAP Authentication with TLS. This provides the ability to enforce password complexity policies, obtain login failure throttling, etc.
- As a practice, do not use shared accounts. Power users should use their own accounts to help ensure accountability for changes to the system.
- Monitor usage of default system accounts by reviewing the security logs. See Audit and Accountability.
Disable persistent cookies
- Go to System Admin > Content Management > Technical Settings > Authentication Settings
Audit and accountability
- Enable Grade History.
- Do not allow Instructors/Assistants to change auditing status.
- Do not allow Instructors/Assistants to clear grade history.
System and communications protection
Enable session fingerprinting
- Enable AND Create new session when fingerprint changes. See Session Fingerprinting.
Bb Mobile users should not enable this setting.
System and information integrity
Configure alternate domain for serving content
- Not a default setting because it requires certificates
- See Alternate Domain for Serving Content.
Tailor safe HTML policy to your needs
Review usage of "add/edit trusted content with scripts" privilege
- This is similar to privileges review. By default, Administrators and Instructors receive the privilege to use unrestricted HTML. If only a limited set of users need the ability to perform dynamic scripting, consider creating a custom role, placing users into that role, and granting just that role this particular privilege. This follows the security principle of Least Privilege.