Security
The following sections include information on various aspects of the security of Perception and actions you can take to ensure it is secure.
General recommendations
The following actions are recommended by Questionmark:
- Configuring Perception to use SSL for encrypted, secure communication
- Changing the password for the root administrator account from the default to something unique
- Changing the server key, trusted key, and scoring tool entry key from the default values to unique ones
The above keys can be changed in the Administration | Server Management | Server Settings section of Enterprise Manager.
Phishing
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card deals by masquerading as a trustworthy entity. You are recommended to advise Enterprise Manager users to be aware of phishing risks.
For more information, please refer to the following Knowledge Base article:
Request validation in ASP.NET
It is recommended that the request validation feature in ASP.NET is enabled. Request validation helps prevent cross-site scripting (XSS) attacks and should not be disabled.
For more information, please refer to:
Connecting to Authoring Manager
Please note that using Authoring Manager to connect to the shared repository server does not use SSL/TLS, which means that traffic, including questions and assessments that are being authored, could be read or intercepted if you are using the public internet or an unencrypted private network, and there is a potential risk of unauthorized users capturing traffic and spoofing authoring use. If this risk impacts you, here are potential solutions:
- Get users to author in local repositories and upload to Qpacks via browser-based authoring. Providing your server is configured to use SSL/TLS, browser-based authoring will use HTTPS and make the information transfer secure. For more information, refer to the Importing Qpacks section of the Authoring Guide.
- If you decide on route 1 and wish to enforce this, you can do so by disabling user permissions to Access Authoring Manager. For more information, please refer to the Authoring permissions section of the Enterprise Manager User Guide.
- You could also disable the ability for Authoring Manager to connect to a remote repository by disabling ports 7800 (TCP) and 7801 (HTTP) on your Perception server.
- Another route is to install Authoring Manager on a server that has a local area network connection to the Perception server and setting up thin client technology like Remote Desktop or Citrix to allow users secure access to Authoring Manager via SSL. For more information, refer to the following Knowledge Base article: