2 March 2023
5 Recommended ways to boost LMS security
Kenny McCormack, Senior Solutions Architect
Follow these top tips to instantly improve LMS security.
In our new blog series, we’re asking our in-house e-learning experts to share their recommendations on how you can improve your learning management system.
First up is our senior solutions architect, Kenny McCormack, who is offering his recommendations on how to improve LMS security to create a safer, more secure learning environment for your organisation.
Here are Kenny’s recommended security improvements:
1. Enforce a password policy
Your LMS is only as secure as its weakest link. And all too often the weakest link is a very weak password.
Most organisations have a password policy, so it’s important to ensure this is applied to your LMS and enforced. Your LMS will store user passwords in a secure and encrypted format, but you still need to make sure those passwords are strong enough to reduce the risk of your site being compromised.
Moodle and Totara platforms both allow you to enforce a password policy on your LMS. This includes settings for:
- Password length
- Number of digits
- Number of lowercase letters
- Number of uppercase letters
- Number of non-alphanumeric characters
- Number of consecutive identical characters
- Reuse and rotation of passwords
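To make the seven settings above concrete, here is an added example (not code from this post, and not Moodle's or Totara's own implementation) of a password policy checker in plain Python. It keeps one policy field per setting in the list, including a simple reuse history; the field names are my own and do not map to either platform's configuration keys, and the history fingerprint is a demonstration stand-in for the stored salted hashes a real LMS would compare against.

```python
"""Password policy checker covering the settings the post lists.

Added example, not code from the blog post or from Moodle/Totara: a
plain-Python validator with one policy field per setting above. The field
names are my own and do not map to either platform's configuration keys.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_nonalnum: int = 1
    max_consecutive_identical: int = 2   # 0 disables this check
    reuse_limit: int = 5                 # how many previous passwords are remembered


def longest_identical_run(password: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def history_fingerprint(password: str) -> str:
    """Fingerprint kept in the reuse history.

    Demonstration only: a real LMS compares the candidate against the stored
    salted, slow hashes of previous passwords using its normal verify routine.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, policy: PasswordPolicy,
                   history: Optional[list[str]] = None) -> list[str]:
    """Return the list of policy violations; an empty list means 'accepted'."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digit(s)")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase letter(s)")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase letter(s)")
    if sum(not c.isalnum() for c in password) < policy.min_nonalnum:
        problems.append(f"fewer than {policy.min_nonalnum} non-alphanumeric character(s)")
    if (policy.max_consecutive_identical
            and longest_identical_run(password) > policy.max_consecutive_identical):
        problems.append(f"more than {policy.max_consecutive_identical} "
                        "consecutive identical characters")
    # Reuse/rotation: the newest `reuse_limit` history entries are off-limits.
    recent = (history or [])[-policy.reuse_limit:] if policy.reuse_limit else []
    if history_fingerprint(password) in recent:
        problems.append(f"matches one of the last {policy.reuse_limit} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample candidates: two that fail in different ways, one that passes.
    for candidate in ["password", "Aaaa-bbbb-1111", "Correct-Horse-42"]:
        print(candidate, "->", check_password(candidate, policy) or "OK")
```

Returning every violation at once (rather than stopping at the first) is deliberate: the message shown to the user can then list everything they need to change, which is how the Moodle and Totara policy checks behave from the user's point of view.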
2. Adopt a need-to-know principle
The flexibility of an LMS makes it easy to share knowledge, data and other information across your organisation. But from a security perspective that can be a double-edged sword. The answer is to go a bit Secret Squirrel and make sure permissions are only granted on a need-to-know or need-to-use basis.
You can achieve this through good role management. The roles assigned to your learners will control what they can see and do on your LMS. Site administrators need to configure roles to create the sort of need-to-know environment we’re talking about.
All roles have a range of permissions called capabilities, which you can allow or prevent for each role. For example, you might assign a course creator role, which gives permission to create a new course but not to add new users.
Key things to consider include:
- Only give privileged roles to trusted users.
- Avoid handing out liberal permissions when creating new roles. Less is sometimes more.
- Be mindful of creating situations where personal user data could be abused or exposed.
- Follow the principle of least privilege — only assign capabilities and roles to users who absolutely need the privileges these roles allow.
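The role-and-capability model described in this section, as an added example that is not code from the post or from Moodle/Totara: each role carries an allow/prevent verdict per capability, a user may hold several roles, and two helper checks support the least-privilege points above (capabilities a role grants beyond what its holder needs, and which privileged capabilities a user ends up with). Capability names imitate Moodle's `area:action` style; the resolution rule (an explicit prevent in any role beats an allow in any other, and a capability no role mentions is denied) is my own simplification, not the platforms' actual algorithm.

```python
"""Role and capability resolution for a need-to-know LMS configuration.

Added example, not code from the blog post or from Moodle/Totara. The
resolution rule (prevent wins, default deny) is a simplification of my own,
not the platforms' actual permission algorithm.
"""
from enum import Enum


class Perm(Enum):
    ALLOW = "allow"
    PREVENT = "prevent"


# Constructed role definitions. The course creator may create courses but is
# explicitly prevented from adding users, as in the post's example.
ROLES: dict[str, dict[str, Perm]] = {
    "learner": {"course:view": Perm.ALLOW},
    "course_creator": {
        "course:view": Perm.ALLOW,
        "course:create": Perm.ALLOW,
        "user:create": Perm.PREVENT,
    },
    "user_admin": {
        "user:create": Perm.ALLOW,
        "user:viewdetails": Perm.ALLOW,   # exposes personal data: privileged
    },
}

# Capabilities that touch personal data or site-wide state; granting these
# should always be a deliberate decision.
PRIVILEGED = {"user:create", "user:viewdetails"}


def has_capability(user_roles: list[str], capability: str) -> bool:
    """Resolve one capability across all of a user's roles (prevent wins, default deny)."""
    verdicts = {ROLES[role].get(capability) for role in user_roles}
    if Perm.PREVENT in verdicts:
        return False
    return Perm.ALLOW in verdicts


def excess_capabilities(role_name: str, needed: set[str]) -> set[str]:
    """Least-privilege check: capabilities a role allows beyond what its holder needs."""
    allowed = {cap for cap, perm in ROLES[role_name].items() if perm is Perm.ALLOW}
    return allowed - needed


def privileged_grants(user_roles: list[str]) -> set[str]:
    """Privileged capabilities a user ends up with; review these when assigning roles."""
    return {cap for cap in PRIVILEGED if has_capability(user_roles, cap)}


if __name__ == "__main__":
    print(has_capability(["course_creator"], "course:create"))             # True
    print(has_capability(["course_creator", "user_admin"], "user:create"))  # False
    print(excess_capabilities("user_admin", {"user:create"}))              # {'user:viewdetails'}
```

The `excess_capabilities` check is the one to run when creating a new role: if the set it returns is not empty, the role is handing out more than its holders need.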
3. Use single sign-on
Implement single sign-on (SSO) so that your learners can access your LMS simply by being signed in to other systems. This improves ease of access because learners don’t have to remember multiple usernames and passwords.
But it’s also a boost for security because:
- Reducing the number of times your learners enter account details limits the threat from hackers targeting usernames and passwords during logins.
- Reducing the number of login details to a single username and password per user decreases the likelihood of credentials being written down or compromised in other ways.
- You can quickly switch off user access network-wide when a user leaves your organisation, so they are immediately logged out of your LMS and all other systems.
- It helps to achieve data access regulatory compliance.
You can achieve SSO via the various authentication options built into your LMS or by using third-party plugins. SSO can also support multi-factor authentication, allowing you to add an extra layer of security by requiring users to enter a code sent to their phone or to complete another form of authentication.
4. Tighten up account protocols
Create a single method for creating and managing user accounts. Having multiple mechanisms for account management introduces unnecessary complexity, which in turn increases security risk.
Ensure user accounts aren’t created with shared email addresses or invalid email addresses. If this happens, individual users will have no way to reset their password if they forget it.
5. Don’t enable settings that should be disabled (and vice versa)
Security risks are often created by enabling features that should be disabled or disabling those that should be enabled. Examples of things to avoid include:
- Having ‘Debug messages’ and ‘Display debug messages’ both enabled on a production site. This could expose information that compromises the site.
- Enabling ‘Open to search engines’ or ‘Open to Google’ settings. This will allow search engines to crawl your LMS and may result in confidential information appearing in Google search results.
- Disabling ‘Cron execution via command line only’ without a cron password being set.
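The three combinations above as a small settings audit, added here as an example and not code from the post or from Moodle/Totara. It compares a constructed risky configuration with a hardened one. The dictionary keys follow the Moodle `config.php` variable names as I recall them (`debug`, `debugdisplay`, `opentogoogle`, `cronclionly`, `cronremotepassword`); treat them as assumptions and map them to your own platform's names before relying on this.

```python
"""Audit of production settings that should stay disabled (or enabled).

Added example, not code from the blog post or from Moodle/Totara. The keys
follow Moodle's config.php variable names as I recall them; treat them as
assumptions and map them to your own platform's settings.
"""

# Constructed settings: a risky site and a hardened one, for comparison.
RISKY_SETTINGS = {
    "debug": 32767,            # developer-level debug messages...
    "debugdisplay": 1,         # ...shown in the browser, not just logged
    "opentogoogle": 1,         # crawlers may index the site
    "cronclionly": 0,          # cron may be triggered over HTTP...
    "cronremotepassword": "",  # ...with no password required
}

HARDENED_SETTINGS = {
    "debug": 0,
    "debugdisplay": 0,
    "opentogoogle": 0,
    "cronclionly": 1,
    "cronremotepassword": "",  # not needed when cron is CLI-only
}


def audit_settings(cfg: dict, production: bool = True) -> list[str]:
    """Return one finding per risky setting combination; an empty list means clean."""
    findings = []
    debug_on = int(cfg.get("debug", 0)) > 0
    if production and debug_on and int(cfg.get("debugdisplay", 0)) == 1:
        findings.append("debug messages are enabled and displayed on a production site")
    if int(cfg.get("opentogoogle", 0)) == 1:
        findings.append("site is open to search-engine crawlers")
    if int(cfg.get("cronclionly", 1)) == 0 and not cfg.get("cronremotepassword"):
        findings.append("cron can be triggered over HTTP without a cron password")
    return findings


if __name__ == "__main__":
    for name, cfg in [("risky", RISKY_SETTINGS), ("hardened", HARDENED_SETTINGS)]:
        print(name, "->", audit_settings(cfg) or "no findings")
```

Note the cron check only fires when command-line-only execution is off and no password is set; turning the CLI-only setting back on clears it regardless of the password, which matches the wording of the third bullet.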
Talk to us about LMS security
If you’d like to put plans in place to improve your LMS security, fill out the form below and we’ll be in touch.