
Secure Configuration Checklist

This guide provides secure configuration recommendations to Blackboard LMS System Administrators to help them harden their Blackboard LMS solution.

Strengthen Authentication System

Setup 3rd party Authentication with Single Sign-On

By default, Blackboard LMS supports single sign-on integrations with your Identity Provider (IDP) using Security Assertion Markup Language (SAML), Central Authentication Service (CAS) or Lightweight Directory Access Protocol (LDAP). Visit Identification and Authentication for more information on SAML, CAS, and LDAP.

If you are using an external authentication system like SAML, LDAP, or CAS, authentication factors including password strength policies are inherited from your configuration in those systems.

If certain users log in only with external authentication and the Default authenticator is enabled in your system, protect against misuse of their accounts by assigning a long, random password in Blackboard LMS and enabling MFA in the system.

If everyone logs in only with external authentication, consider disabling the Default authenticator to strictly enforce the use of your IDP. However, if this is done and your authentication system goes down, it will require intervention by our support team to restore access. Consider the risks and benefits of this approach.

Harden Default Authentication system

If you are using the Default authenticator, here are some password policies that you could configure to meet your needs and regulatory requirements.

According to NIST, the most important property of a password is its length; character-composition rules such as "requiring at least 1 number" are less useful and are often satisfied by end users in trivial ways.

Because attackers "stuff" massive lists of already-known passwords into login forms, enabling the feature that blocks stereotyped passwords and passwords known to have been exposed in past breaches is also strongly recommended.
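The following is an added example (not Blackboard code) of the policy described above applied in code: length is the primary rule, composition rules are replaced by a cheap check for repeated-character padding, and candidates are compared against a blocklist of stereotyped passwords and a corpus of previously exposed passwords. The minimum length, the blocklist and the "breach corpus" are all constructed for the demo; the corpus lookup mimics the hash-prefix (k-anonymity) range query used by public breach data sets so the full hash never leaves the client.

```python
"""NIST-style password policy check (added example, not Blackboard code).

Length first, composition rules de-emphasised, plus a blocklist of
stereotyped passwords and a hash-prefix lookup against a corpus of exposed
passwords.  MIN_LENGTH, STEREOTYPED and EXPOSED_HASHES are constructed
assumptions for the demo.
"""
import hashlib

MIN_LENGTH = 12      # assumption: institutional minimum; NIST requires >= 8, longer is better
MAX_LENGTH = 128     # allow long passphrases, but bound input size

# Constructed list of stereotyped passwords an attacker tries first.
STEREOTYPED = {
    "password", "password1", "qwerty123", "letmein", "welcome1", "123456789012",
}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, stored as SHA-1 digests
# the way such corpora are typically published.
EXPOSED_HASHES = {_sha1_hex(p) for p in ("CorrectHorseBattery", "Summer2024!!!", "TrustNo1TrustNo1")}


def breach_range(prefix: str) -> set:
    """Simulate a k-anonymity range query: the caller sends only the first 5
    hex digits of the SHA-1 and receives every matching suffix, so the full
    hash never leaves the client.  Assumption: corpus is EXPOSED_HASHES."""
    prefix = prefix.upper()
    return {h[5:] for h in EXPOSED_HASHES if h.startswith(prefix)}


def is_exposed(pw: str) -> bool:
    digest = _sha1_hex(pw)
    return digest[5:] in breach_range(digest[:5])


def _has_long_run(pw: str, n: int = 4) -> bool:
    """Detect 'aaaa' / '1111' style runs, the cheap padding users add to
    satisfy length or composition rules."""
    return any(pw[i:i + n] == pw[i] * n for i in range(len(pw) - n + 1))


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = pw.lower()
    if folded in STEREOTYPED:
        problems.append("stereotyped password")
    if username and username.lower() in folded:
        problems.append("contains the username")
    if _has_long_run(pw):
        problems.append("contains a repeated-character run")
    if is_exposed(pw):
        problems.append("previously exposed in a breach")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "CorrectHorseBattery", "purple tractor winter lamp"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that a long passphrase of ordinary words is accepted while a 19-character password that appears in the corpus is rejected, which is exactly the ordering of priorities the guidance asks for.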

Enable Multi-factor authentication (MFA)

We strongly recommend enabling multi-factor authentication - it may be the single most important thing you can do to protect against unauthorized access. Multi-factor authentication (MFA) is critical because it significantly reduces the risk associated with compromised passwords. By requiring a second piece of evidence to verify your identity—such as a biometric scan, hardware key, or one-time code—MFA stops unauthorized users from accessing your accounts.

If you use the default authenticator, enable Time-Based One-Time Password (TOTP) based MFA.

If you use an external IDP, enable MFA in the IDP's settings.
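As an added example of what the TOTP option above does under the hood (not Blackboard code, and not how its authenticator is implemented), here is RFC 6238 TOTP generation built on RFC 4226 HOTP, with a verifier that tolerates one step of clock skew, compares codes in constant time and refuses to accept a counter that has already been used. The shared secret below is the RFC 6238 test-vector secret; `verify_totp()`, `window` and `last_used_counter` are names chosen for this example.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): added example, not Blackboard code.

A verifier is assumed to hold the per-user shared secret and the last
counter it accepted, and to call verify_totp() with the code the user typed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1) -> Tuple[bool, int]:
    """Accept a code from the current step or +/- `window` steps (clock skew).

    Returns (accepted, counter).  The caller must persist the returned counter
    and pass it back as last_used_counter so a captured code cannot be replayed.
    """
    now = int(time.time()) if at_time is None else at_time
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # never accept an older or already-used step
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    print(totp(secret, 59))                     # 287082
    print(verify_totp(secret, "287082", at_time=59))
```

The `last_used_counter` bookkeeping is the part most often left out of home-grown verifiers; without it, a one-time code remains valid for the whole skew window and can be submitted a second time.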

Secure Common and Administrative Computers

Shared computers such as those found in laboratories, libraries, study carrels, and examination halls should be as locked down as practical.

There should be no shared desktop sessions; each user should be required to log in to the computer with an individual identity.

Computers used to access Blackboard LMS, particularly by faculty and System Administrators, should be protected with local security tools and hardening standards.

System and Information Integrity

REST API Security

Never install a REST API application to run as a system administrator. The developer of the API application should provide you with a list of the privileges the application requires, and you should create a role with only those permissions. Installing an external application to run at the highest privilege level is a grave security violation. A responsible developer will not ask you to do this.

If a third party asks you to create an account in the developer portal, create a "developer group" and application registration, and share the key and secret with them, this is a security violation: keys and secrets must never be shared. Ask the third party to contact the Blackboard LMS partnership team for instructions.

LTI Security

Learning Tools Interoperability (LTI) is a standard developed by 1EdTech that allows you to integrate third-party tools into Blackboard LMS in a secure and seamless way. Blackboard strongly recommends that all LTI integrations use LTI 1.3 or newer. Older versions of LTI have known and documented security vulnerabilities. Administrators should contact vendors using older versions of LTI to request an update. We also encourage institutions that created their own integrations using older versions of LTI to update their tools.

As with other integrations, it's a best practice to always scope the configuration to the least amount of data a tool needs to function. If a third-party tool doesn't need a user's name or email address for any purpose, you can restrict these data fields in each LTI tool's configuration. Similarly, if an LTI 1.3 tool doesn't use the gradebook services, you should turn them off for the tool.


SIS Security

If you use the Student Information System (SIS) API to manage user accounts, note that feed file payloads are potentially highly sensitive. The file should be kept secure at rest. Avoid assigning clear-text passwords through the feed.

Important

The SIS data format also bypasses the normal checks on password requirements, so ensure that SIS business logic does not unintentionally circumvent them.

Inappropriate Field Use and Data Minimization

Do not use LMS data fields for anything other than their stated purpose. For example, do not use national identifying numbers such as social security numbers as a login username, as the username may then be displayed in unwanted views. Likewise, do not use the student enrollment ID number as a username if your organization treats knowledge of this number as a de facto identity.

All features of the application are provided in the belief that they are useful to at least some people, but not everyone needs all features. Do not load user data into the LMS if you have no need to use it. For instance, if you do not need people's telephone numbers in the LMS, do not load that data.
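The SIS Security and Data Minimization sections above both come down to checks an administrator can run on a feed before it is loaded. The following added example (not Blackboard code, and not the SIS API's file format) audits a constructed pipe-delimited user feed for the three points made above: the file is not readable by group or others at rest, no record carries a clear-text password (which would bypass the normal password policy), and columns the institution has no need for (here a telephone column) are dropped before loading. The column names, the `NEEDED_COLUMNS` list and the sample records are all assumptions made for the demo.

```python
"""Pre-load audit of an SIS user feed: added example, not Blackboard code.

Assumptions for the demo: the feed is pipe-delimited with a header row, the
column names below are hypothetical, and the institution has decided it only
needs the columns in NEEDED_COLUMNS.
"""
import os
import stat
import tempfile

# Constructed sample feed; all values are fictitious.
SAMPLE_FEED = """\
EXTERNAL_PERSON_KEY|USER_ID|FIRSTNAME|LASTNAME|EMAIL|PHONE|PASSWD
p1001|amartin|Ana|Martin|amartin@example.edu|555-0101|
p1002|bchen|Bo|Chen|bchen@example.edu|555-0102|Welcome1
p1003|cdiaz|Carla|Diaz|cdiaz@example.edu||
"""

NEEDED_COLUMNS = ["EXTERNAL_PERSON_KEY", "USER_ID", "FIRSTNAME", "LASTNAME", "EMAIL"]
PASSWORD_COLUMNS = {"PASSWD", "PASSWORD"}   # hypothetical names of password-bearing columns


def parse_feed(text: str):
    """Return (header, rows) where each row is a dict keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = [dict(zip(header, ln.split("|"))) for ln in lines[1:]]
    return header, rows


def audit_feed_permissions(path: str) -> list:
    """'Kept secure at rest': flag any group/other read or write permission."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {oct(mode)})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {oct(mode)})")
    return findings


def audit_feed_records(text: str, needed: list = NEEDED_COLUMNS) -> list:
    """Flag unneeded columns (data minimization) and clear-text passwords."""
    header, rows = parse_feed(text)
    findings = []
    for col in header:
        if col not in needed and col not in PASSWORD_COLUMNS:
            findings.append(f"column {col} is not needed and should not be loaded")
    for row in rows:
        for col in PASSWORD_COLUMNS & set(header):
            if row.get(col):
                findings.append(
                    f"{row['USER_ID']}: clear-text password in feed (bypasses password policy)")
    return findings


def minimize_feed(text: str, needed: list = NEEDED_COLUMNS) -> str:
    """Rewrite the feed keeping only the columns the institution needs."""
    header, rows = parse_feed(text)
    keep = [c for c in header if c in needed]
    out = ["|".join(keep)] + ["|".join(row[c] for c in keep) for row in rows]
    return "\n".join(out) + "\n"


def demo() -> dict:
    """Write the sample feed with a permissive mode, audit, tighten to 0600, re-audit."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_FEED)
        os.chmod(path, 0o644)
        before = audit_feed_permissions(path)
        os.chmod(path, 0o600)
        after = audit_feed_permissions(path)
    finally:
        os.unlink(path)
    return {"before": before, "after": after,
            "records": audit_feed_records(SAMPLE_FEED),
            "minimized": minimize_feed(SAMPLE_FEED)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the minimized output back through `audit_feed_records()` produces no findings, which is the state a feed should be in before it reaches the SIS integration.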