[Building Sakai] secure sakai?

Sam Ottenhoff ottenhoff at longsight.com
Tue May 13 10:50:10 PDT 2014


* Disable guest access
* Disable .auth and .anon special roles
* Implement two-factor auth using Duo or Authy
* Lock down DAV access because it can't do 2-factor
* Remove all webservices access
* Remove all unused tools (e.g., OSP)
* Set up some live auditing of Sakai events
* Block all IP ranges except those from your approved regions from accessing
the server
* Use HTTP headers like HSTS
(http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using)
* Connect to a user directory provider that implements user management
(expire accounts because of inactivity, strong passwords, etc)


On Tue, May 13, 2014 at 11:05 AM, Charles Hedrick <hedrick at rutgers.edu> wrote:

> Does anyone have experience running an instance of Sakai where users are
> allowed to store sensitive information? Any suggestions for what to do
> differently?
>
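Several of the items in the list above (HSTS headers, locking down DAV, removing webservices access, restricting the server to approved IP ranges) are enforced most easily in the web server that fronts Tomcat. The following Apache httpd 2.4 virtual host is an added example, not code from the post or from the Sakai project; the hostname, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 address ranges, the AJP backend address, and the /dav and /sakai-ws path prefixes are assumptions for illustration and should be checked against your own deployment.

```apache
# Added example (not from the original post or the Sakai project).
# Requires mod_ssl, mod_headers, mod_authz_host and mod_proxy_ajp.
# Hostname, address ranges, backend port and the /dav and /sakai-ws
# prefixes are assumptions for illustration.

# Plain HTTP only redirects; HSTS is only honoured when sent over TLS.
<VirtualHost *:80>
    ServerName sakai.example.edu
    Redirect permanent / https://sakai.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName sakai.example.edu

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sakai.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/sakai.example.edu.key

    # HSTS: browsers that have seen this header refuse plain HTTP for the
    # host for one year. "always" adds it to error responses too.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Companion headers: stop framing by other origins and MIME sniffing.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"

    # Later <Location> blocks override earlier ones for more specific paths,
    # so the site-wide rule comes first.

    # Whole site: reachable only from the approved regions (assumed ranges).
    <Location "/">
        Require ip 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
    </Location>

    # DAV clients cannot do two-factor, so DAV is limited further to the
    # on-campus ranges (assumed) rather than every approved region.
    <Location "/dav">
        Require ip 192.0.2.0/24 198.51.100.0/24
    </Location>

    # Webservices: not exposed at all, regardless of source address.
    <Location "/sakai-ws">
        Require all denied
    </Location>

    # Hand everything that passed the rules above to Tomcat over AJP
    # (assumed to listen on localhost:8009).
    ProxyPreserveHost On
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

After reloading, verify from outside the allowed ranges that /dav and /sakai-ws return 403 while the portal still loads from an approved address, and confirm with `curl -sI https://sakai.example.edu/` that the Strict-Transport-Security header is present on the TLS response. Note that Require ip only helps when Apache sees the real client address; behind another proxy or load balancer the rule must be applied there instead, or the forwarded address must be trusted explicitly.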