security

As I ramp up our school’s WPMU blog platform, I look forward to rolling out the new 2.7 interface. I have updated and tested my favorite plugins: DSader’s More Privacy Options and Peter’s Collaborative Email still work. To make things even better, I found a pair of plugins that will make our configuration more secure and give greater control over user privileges.

First off, there was a security hole wherein students could view pending comments that had not yet been approved by an administrator. Dean Matteson discovered this flaw when he realized that student comments were appearing without his having reviewed them, and wrote about it in his blog. He came up with a plugin that blocks access to the comments page.

Looking for new plugins for our school site, I found the WPMU Menus plugin. It not only solves this problem, it also lets you enable or disable almost every other function in the dashboard interface, not just comments. Site Admin Options reveals the new choices.

[Screenshot: wpmu_menu]

The screen shot encompasses only half the options available. Beyond security, this allows administrators to greatly simplify the back-end user interface, making it easier for younger students to navigate.

[Screenshot: wpmu_menu2]

This takes care of the comments security issue. I tested it further by appending edit-comments.php to the blog back-end URLs. I was still unable to access the comments page; it redirected me to the profile page.
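Hiding the menu entry is only half the fix; the direct URL test above is what matters. The following is an added illustration (not code from the post or from the WPMU Menus plugin) of how a WPMU mu-plugin could enforce the same redirect for the comment moderation screens. It assumes the WPMU-era functions is_site_admin(), admin_url() and wp_redirect() and that only site admins should moderate comments; the plugin name is hypothetical.

```php
<?php
/*
Plugin Name: K12 Comment Queue Lock (hypothetical example)
Description: Sends non-site-admins away from the pending comments screens.
*/

// Assumption: on this WPMU install only site (global) admins moderate comments.
function k12_block_comment_queue() {
    global $pagenow;

    // edit-comments.php is the queue itself; comment.php handles approve/delete
    // actions reached by direct URL, so it is covered as well.
    $comment_screens = array('edit-comments.php', 'comment.php');
    if (!in_array($pagenow, $comment_screens)) {
        return;
    }

    // Site admins keep full access to moderation.
    if (function_exists('is_site_admin') && is_site_admin()) {
        return;
    }

    // Everyone else (blog-level admins, teachers, students) lands on their
    // profile page, matching the behaviour observed after enabling WPMU Menus.
    wp_redirect(admin_url('profile.php'));
    exit;
}
// admin_init fires on every dashboard request, before any screen is rendered.
add_action('admin_init', 'k12_block_comment_queue');
```

Drop the file into wp-content/mu-plugins so it loads on every blog, then repeat the direct-URL test as a student account to confirm the redirect.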

The next plugin of particular interest is Role Manager. Role Manager is not a WPMU plugin; it must be enabled and configured on each individual blog. Role Manager allows you to change the permissions on any existing role or group of users, and also to create new roles. Go to Users–>Roles.

[Screenshot: roles1]

While logged in as admin, you can also configure the permissions of an individual user by accessing their profile.

[Screenshot: roles2]

Of course, if you give a user permission to access a feature, you also need to enable access to that feature in Menus.

I look forward to relaunching our school blogging platform this March with a fresh new back-end interface, greater security, and a simplified dashboard for our students. If anyone has any input regarding use of WPMU for the K12 setting, I’d love to hear from you!


Elgg 1.1 is arriving soon. The project is maturing with more plugins and themes becoming available. It’s time to plan for deployment in the K12 environment. I have been mulling over several special issues in deploying Elgg in a K12 public school setting. I invite you to join the K12 Elgg group on the Elgg Community Website. I am also considering Web publishing and educational technology issues in my Educational Technology Policy Site. Policies need to be in place for working with Elgg and other Web 2.0 applications.

The first thing we need to consider is security. In our situation we will need to have a walled garden. Our school requires anything that is open to the world on the Internet be moderated. Since we cannot moderate in the Elgg environment, all content will have to be kept in house.

The Walled Garden plugin from the Elgg developers does much of what we will need. It disables registration so that any user accounts must be created by the admin. This prevents outsiders from registering and gaining access to student content. It falls short in a couple of ways. As configured, users can still choose to make content available to the public under the access controls. In addition, RSS feeds could allow outsiders to view content if they obtained the appropriate URLs.

In response to my concerns expressed in the K12 Elgg area of the Elgg community, Dave Tosh offered some solutions. He pointed to engine/lib/access.php as the place to eliminate the “Public” option. Students will then only be able to select permissions for people within the site: private, logged-in users, or any collections of friends. I plan on creating a plugin offering this functionality soon, leaving the core intact for easy upgrading.
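One way to remove the “Public” option without editing access.php is a small Elgg plugin hooking the write-access list. This is an added example (not the post’s or Elgg’s own code); it assumes the Elgg 1.x plugin hook access:collections:write, the ACCESS_PUBLIC constant and the isadminloggedin() helper, and the plugin name is hypothetical.

```php
<?php
// start.php of a hypothetical "k12_no_public" Elgg 1.x plugin (example, not from the post).

function k12_no_public_init() {
    // Elgg consults this hook whenever it builds the list of access levels a
    // user may assign to new or edited content (the "access" dropdown).
    register_plugin_hook('access:collections:write', 'user', 'k12_no_public_strip');
}

function k12_no_public_strip($hook, $entity_type, $returnvalue, $params) {
    // $returnvalue maps access id => label, e.g. ACCESS_PUBLIC => "Public".
    if (!is_array($returnvalue)) {
        return $returnvalue;
    }

    // Assumption: site admins keep the Public option for school-wide announcements.
    if (function_exists('isadminloggedin') && isadminloggedin()) {
        return $returnvalue;
    }

    // Students and teachers see only private, logged-in users and friends collections.
    unset($returnvalue[ACCESS_PUBLIC]);
    return $returnvalue;
}

register_elgg_event_handler('init', 'system', 'k12_no_public_init');
```

This only removes the option from the selector: content already saved as Public stays public until its access level is changed, and the RSS/OpenDD views still need the separate treatment described below.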

With RSS feeds, Dave suggested that I eliminate the options to subscribe to an RSS feed and to syndicate OpenDD from the owner’s block menu, then delete the RSS and OpenDD views in the views directory.

Dave is looking into administrative options to toggle public access to OpenDD and RSS feeds from the administrative interface. I think this is a good idea that will make Elgg more appealing to the K12 audience out of the box.

If we allow students to work in Elgg without moderation, we need a way to monitor what the students are doing so that they are accountable for their behavior on the site.

Elgg offers several tools to this end. There is the log browser with the ability to refine the results by username and by start/end dates. As admins, we can click on a user’s avatar menu and explore their log. There is also the user option to report content to the administrator.

Use of the log options requires active searching, and the logs have a lot of entries not related to content. Are there ways to filter out some of the non-content-related noise, making it easier to monitor students? Would it be possible to create plugins to make this process easier?

These are just a couple of the areas of concern that I will need to address with school administration and the tech committee before deploying Elgg. I hope to have answers to the questions that I know I will face. I’d like to hear what others have to say about these matters. Please comment!


In my previous post about Web publishing security, I proposed the following security matrix:

While this is an oversimplification of the options, I think it gives a framework for deciding what web publishing software to deploy, and when and how to deploy it. As an illustration of how this framework can be used, and of the potential complexity, we will examine the popular multiple-blog platform WordPress MU. Another reason for choosing it is that we have deployed WPMU in the past, and there has been some debate about how it should be used, if it should be used at all.

Out of the box, WPMU has two options for access to content: open to the world, and open but blocking search engines and archivers. It has four options for moderation: unmoderated, posts only moderated, comments only moderated, and both posts and comments moderated. With WPMU, then, our matrix looks like this:

As one can see, there are already eight potential options in terms of access to publishing and content. While all the content can be accessed by anyone in the world under both choices, blocking search engines and archivers would significantly reduce access unless one has a link or goes to the site directly.

WPMU has a plugin that I discussed in an earlier post called More Security Options. This plugin offers three more content access options: Community members (all users with accounts on the WPMU installation), Blog (people who are at least subscribers of an individual blog), and Administrators (only the administrators of an individual blog). The security matrix with this plugin appears as follows:

There are now 20 options in terms of publishing and content access! Arguably, there are even more. For example, one could choose to allow unmoderated comments but restrict comments to logged-in members of a blog. Clearly there is enough flexibility in WPMU to accommodate a wide range of web publishing policies.

It is up to school tech committees to consider the ramifications of all of these options in terms of security, audience, and ownership, and to weigh the pros and cons of each before committing to a particular configuration. Teachers can then decide, within the constraints of the school web publishing policy, which option best suits their class. Publishing student content to the web is not simply a choice of yes or no; there are several shades of gray. These are not the only considerations and options for deploying this software. For further discussion, refer to my other posts about WPMU for more information on managing and securing the software.
