

Security

This section deals with the issues of making sure that your school data remains intact and accessible only to authorized individuals.

Web Security

Currently, both the Teacher and Admin sites are protected by Basic authentication (as outlined in the installation section). This method of authentication sends passwords in clear text over the wire. The parent site is freely accessible, but protected by passwords passed to the running script.

This could be improved by moving to Digest authentication, which is a step up in security because it does not send the password in clear text over the wire. The configuration for this is outlined in the Apache documentation.

The next step is to add full HTTPS (SSL) support to the server and use certificates to give the transactions banking-level protection. These instructions are now provided with the current installation and were written by Andy Figueroa.

Another entire area of concern is the use of passwords. Access to the teacher site is by means of a single shared password (stored in a single password file). Other Apache modules could be used to store a separate password for each teacher in a MySQL database (in fact, the teacher table could hold these passwords). Apache 2.x has advanced authentication modules that allow this, so the admin site could be used to directly manage each teacher's access to the website (as well as to attendance entry, marks entry, etc.).
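The three stages described above (the current shared Basic authentication, the move to Digest authentication with SSL, and per-teacher passwords looked up in the teacher table) as an added Apache 2.x configuration example; this is not part of the OA installation, and the paths, realm names, database name, user and column names are assumptions.

```apache
# Added example, not from the OA installation. File paths, realms,
# database/table/column names and the DB user are placeholders.

# 1. The setup described above: shared Basic auth. The password crosses
#    the wire in clear text on every request. (Commented out; replace it
#    with block 2.)
# <Location /admin>
#     AuthType Basic
#     AuthName "OA Admin"
#     AuthUserFile /etc/apache2/oa-admin.passwd   # created with htpasswd
#     Require valid-user
# </Location>

# 2. Digest auth (mod_auth_digest): the browser sends a hash of the
#    password, not the password itself. SSLRequireSSL refuses plain-HTTP
#    requests once mod_ssl and a certificate are configured.
<Location /admin>
    AuthType Digest
    AuthName "OA Admin"              # realm; must match the one given to htdigest
    AuthDigestProvider file
    AuthUserFile /etc/apache2/oa-admin.digest   # htdigest -c <file> "OA Admin" <user>
    Require valid-user
    SSLRequireSSL
</Location>

# 3. Per-teacher passwords from the database (mod_dbd + mod_authn_dbd),
#    so the admin site can manage teacher access without editing a
#    password file. Assumes the apr_dbd_mysql driver is installed.
DBDriver mysql
DBDParams "host=localhost,dbname=OA_DB_PLACEHOLDER,user=oa_auth,pass=CHANGE_ME"
DBDMin 2
DBDMax 10
<Location /teacher>
    AuthType Basic
    AuthName "OA Teacher"
    AuthBasicProvider dbd
    # The column should hold an htpasswd-style hash, never the clear-text
    # password; Apache validates the supplied password against that hash.
    AuthDBDUserPWQuery "SELECT password_hash FROM teacher WHERE userid = %s"
    Require valid-user
    SSLRequireSSL                    # Basic auth is only acceptable over HTTPS
</Location>
```

Block 3 keeps Basic auth because mod_authn_dbd returns a hash for Apache to verify; combined with SSLRequireSSL the password is only ever sent inside the TLS session.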

Since passwords are the first line of defense, they should be chosen carefully: easy enough for people to remember, but not so simple that they can be guessed or cracked by a brute-force attack.

Some other ideas:

  1. Don't provide links on any publicly visible web sites to your admin or teacher sites. This is only security by obscurity, but it can't hurt.

  2. For the truly paranoid, don't place the virtual admin and teacher sites in your DNS records. Instead, configure client workstations by placing these records in the 'hosts' file (either /etc/hosts or c:\windows\hosts). The hosts file would contain the IP address followed by the domain name of the school/division server.


2010-12-24