Ektron
WARNING! Securing your Ektron site is critical to you and to anyone using your site. Failure to implement security measures can make your site vulnerable to cyber-attacks and other security threats. You should complete the actions in this section to make Ektron as secure as possible.
Security updates are available for Ektron versions 8.02, 8.5, 8.6, 8.6.1, 8.7, and 9.10, including all service packs from 8.02 to 9.10 SP1. For information, see Security Update 3.
Complete the actions in this section to secure Ektron.
See Also: Additional Security Measures.
IMPORTANT: You should create your own Administrator user and delete the Admin user. Also, delete unnecessary users from Ektron.
NOTE: If you changed the builtin user password during the site setup, you do not need to change it again. See Getting Started with Ektron for additional information. Also, the “builtin” user does not appear in the Users list. This user appears on the application setup screen.
NOTE: If you cannot sign in to Ektron because the builtin user password was changed and you do not know the new password, use the BuiltinAccountReset.exe utility. This resets your Ektron user / password to Builtin / Builtin. This utility is located in C:\Program Files\Ektron\CMS400versionnumber\Utilities.
By default, the root folder in Workarea provides the Everyone Group with all permissions except Overwrite Library. You should review the permission needs of the Everyone Group when you add a folder. See Also: Managing Folder Permissions
Click the Everyone group. The Edit Permissions for Folder "Root" screen appears.
Ektron includes some sample users and sample membership users for evaluation and demonstration purposes. Remove these users when they are no longer needed.
NOTE: Some users in the following lists might not appear in your User list. Also, you might have sample users that appear in your users lists. This depends on the version of the software you have installed.
Ektron Users—See Also: Managing Users and User Groups
Membership Users—See Also: Membership Users and Groups
A group account is an account that more than one person uses to log in to Ektron using the same username and password. This is a serious security issue because it prevents you from tracking user activities in your Workarea. Group accounts violate Ektron's license agreement.
You need to restrict Web services to specific IP addresses in IIS 7.
Run INETMGR; IIS Manager appears.
As of version 8.50, user data is no longer indexed directly under the Assets folder. The /users/ folder may expose user data, such as your users' email addresses, when someone browses to it. Prevention was added to the Ektron handlers to address this issue in version 8.00, but if you have version 8.50 or later you should review and remove the folder [site root]\Assets\users. If the users folder exists, delete it.
Enable only the types of files that your website needs to support.
Ektron strongly recommends configuring SSL (Secure Sockets Layer, https), especially if you are using Active Directory integration. SSL encrypts user names and passwords during transmission to the server; otherwise they are sent to the Ektron server as clear text.
If your Web server does not have an SSL certificate installed, you need to install one. When you set up an SSL certificate and configure Ektron to use it, the login page is launched in a Secure Socket Layer. This section explains how to set up SSL for Ektron.
Open the web.config file and set <add key="ek_UseSSL" value="false" /> to true. The following best practices are also recommended.
In web.config, set <add key="ek_EnableCookieEncryption" value="true" />.
Enable Captcha for new user signup and other membership features. Captcha prevents automated tools from creating unwanted data and traffic on your site. Set the Membership server control's EnableCaptcha property to true (a server control uses the API to interact with the CMS and the Framework UI to display output; it can be dragged and dropped onto a Web form and then modified). See Membership Properties.
See Extended Log File Format and W3C Extended Log File Format (IIS 6.0).