Securing ADAM

ADAM will inevitably contain information that is both important and confidential, meaning that access to the site must be controlled as strictly as possible. To this end, securing your ADAM installation is important.

Authentication

Staff

ADAM provides three login authentication options for staff.

Internal Password:

  • ADAM will keep and maintain an internal password.
  • The password itself is not stored in the database; only an irreversible hash of it is.

POP3 Server:

  • When a staff member logs into ADAM, ADAM simply passes the login name and password to a POP3 server against which the user should be able to authenticate.
  • If the POP3 server allows the login, then ADAM will allow the login. If not, ADAM will likewise deny the login attempt.
  • This method can be a way to ensure that people have fewer passwords to remember.
  • Note that the credentials now travel a second leg, from the ADAM server to the POP3 server. Plain POP3 sends them in clear text, so that connection should itself be encrypted (POP3 over TLS on port 995, or STLS) or confined to a trusted network.

ActiveDirectory:

  • When a staff member logs into ADAM, ADAM simply passes the login name and password to the configured Domain Controller against which the user should be able to authenticate.
  • If the Domain Controller allows the login, ADAM will allow the login. If not, ADAM will likewise deny the login attempt.
  • This method not only allows people fewer passwords to remember, but also enforces the ActiveDirectory password policies, such as limiting the number of login attempts, that the domain already applies.

Pupils

ADAM provides two methods for pupils to authenticate to ADAM:

POP3 Server:

  • This behaves in the same way as for staff.

ActiveDirectory:

  • This behaves in the same way as for staff.
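The pass-through check described above for staff and pupils, written out against a Domain Controller as an added example (this is not ADAM's own code). It assumes the Domain Controller accepts LDAP over TLS on port 636 and that the login name is a UPN such as jsmith@school.local or SCHOOL\jsmith, both of which a Domain Controller accepts as the name in a simple bind. Only the Python standard library is used, so the LDAP BindRequest and BindResponse (RFC 4511, BER encoded) are built and parsed by hand to show what actually crosses the wire; a real deployment would normally use a maintained LDAP library. The two details a pass-through implementation must get right are shown: an empty password must be refused before it reaches the directory, because a simple bind with no password is an anonymous bind that succeeds, and every failure (unreachable server, malformed reply) must deny the login rather than fall open.

```python
"""Pass-through login check against an Active Directory Domain Controller (added example)."""
import socket
import ssl


def _ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag + length + value."""
    return bytes([tag]) + _ber_length(len(payload)) + payload


def build_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must fit in one INTEGER byte for this encoder")
    bind_request = _tlv(0x60,                                   # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03")                     # version INTEGER 3
                        + _tlv(0x04, name.encode("utf-8"))      # name (OCTET STRING)
                        + _tlv(0x80, password.encode("utf-8"))) # [0] simple password
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the TLV at pos; IndexError if the buffer is truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if pos + count > len(buf):
            raise IndexError("truncated length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise IndexError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data: bytes) -> int:
    """Extract resultCode from a BindResponse; 0 means the DC accepted the credentials."""
    try:
        tag, message, _ = _read_tlv(data)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        tag, _message_id, pos = _read_tlv(message)
        if tag != 0x02:
            raise ValueError("missing messageID")
        tag, body, _ = _read_tlv(message, pos)
        if tag != 0x61:                                         # [APPLICATION 1] BindResponse
            raise ValueError("not a BindResponse")
        tag, code, _ = _read_tlv(body)
        if tag != 0x0A:                                         # resultCode ENUMERATED
            raise ValueError("missing resultCode")
        return int.from_bytes(code, "big")
    except IndexError as exc:
        raise ValueError("truncated LDAPMessage") from exc


def _recv_message(sock) -> bytes:
    """Read until one complete outer TLV has arrived (a BindResponse is a few dozen bytes)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("connection closed before a full reply arrived")
        data += chunk
        try:
            _, _, end = _read_tlv(data)
            return data[:end]
        except IndexError:
            continue


def authenticate_against_dc(host: str, login: str, password: str,
                            port: int = 636, timeout: float = 5.0) -> bool:
    """True only if the DC answers the simple bind with resultCode 0; False on anything else."""
    # A simple bind with an empty password is an *anonymous* bind, which directories accept
    # with resultCode 0. Passing it through would log anyone in as that user, so refuse it here.
    if not login or not password:
        return False
    request = build_bind_request(1, login, password)
    unbind = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x42, b""))  # [APPLICATION 2] UnbindRequest
    context = ssl.create_default_context()  # verifies the DC's certificate and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            reply = _recv_message(tls)
            tls.sendall(unbind)
        return parse_bind_result(reply) == 0
    except (OSError, ValueError):
        return False  # unreachable DC or malformed reply: deny, never fall open
```

Because the default SSL context verifies the server certificate, the machine running this check must trust the CA that issued the Domain Controller's certificate; for a domain-internal CA that means loading its certificate with context.load_verify_locations(cafile=...) rather than disabling verification. Disabling it would let anyone on the path impersonate the Domain Controller and approve any login.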

Parents

ADAM currently only allows for validation of parents against their cell numbers and ID numbers.

Database

When initially configured, the MySQL/MariaDB server that phpMyAdmin connects to has a root account with no password and will allow connections from any machine. Setting a password for the root user is an important part of the setup process. The database server should also be limited to accepting connections from the web server itself (localhost) rather than from the network, and ADAM should connect with its own database account holding only the privileges it needs, not as root.

HTTPS Access

To ensure that ADAM cannot be compromised by eavesdroppers, the channel between the user's computer and the server must be secured.

What is the danger?

There are two main dangers when using unencrypted transport over the Internet.

  • Password discovery can happen because the password is passed over the Internet in plain text.
  • Session hijacking can happen at any point after login while a session is still active. If a third party can get access to the session value (which is stored in a cookie and transmitted with each request), then they can ‘spoof’ the session.

Both of these vulnerabilities involve eavesdropping. While the likelihood of such attacks may seem remote, they are real and demonstrable attacks.

How does HTTPS solve this?

HTTPS is a secure protocol that encrypts the traffic sent between a web server and the client. The traffic is encrypted before it leaves your computer and can only be decrypted by the server that receives it, and the replies are protected in the same way.

This means that from the very first contact you have with the site (before you log in), any potential eavesdropper will only see encrypted traffic and will not be able to tell at any point what information is being sent, let alone which bits are important.

HTTPS does not address the password weaknesses that sit outside the channel, such as guessable passwords and brute-force login attempts (the lockout policies mentioned under ActiveDirectory above are the defence there). The best solution for ADAM is therefore not one or the other, but both: an encrypted channel and a sound authentication method.

How can I enable HTTPS on my server?

The good news is that XAMPP is ready for use with HTTPS. To get it working smoothly, there are a number of tweaks that need to be made and these are discussed separately.
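As an added illustration of the kind of tweaks involved (this is not ADAM's own documentation nor XAMPP's shipped configuration), the Apache virtual-host fragment below redirects every plain-HTTP request to the HTTPS site, disables obsolete protocol versions, tells browsers to refuse plain HTTP for the host in future, and marks the PHP session cookie so that it is never sent over HTTP and cannot be read by scripts in the page, which closes off the session-hijacking route described above for any cookie that leaks over HTTP. The hostname adam.example.school and the file paths under C:/xampp are assumptions for illustration; the certificate and key files are whichever you obtained through one of the options discussed in this section.

```apache
# Added example, not part of the ADAM or XAMPP configuration.
# Hostname and paths are assumptions; substitute your own.

# Plain HTTP: answer every request only with a redirect to the HTTPS site.
<VirtualHost *:80>
    ServerName adam.example.school
    Redirect permanent / https://adam.example.school/
</VirtualHost>

# The HTTPS site itself.
<VirtualHost *:443>
    ServerName adam.example.school
    DocumentRoot "C:/xampp/htdocs/adam"

    SSLEngine on
    SSLCertificateFile      "C:/xampp/apache/conf/ssl.crt/adam.crt"
    SSLCertificateKeyFile   "C:/xampp/apache/conf/ssl.key/adam.key"
    # Intermediate chain supplied by a public CA; omit for a domain-CA certificate
    # that client machines already trust directly.
    SSLCertificateChainFile "C:/xampp/apache/conf/ssl.crt/chain.crt"

    # Allow only current TLS versions; SSLv3, TLS 1.0 and TLS 1.1 are broken or retired.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # HSTS: browsers that have seen this header will not connect to the host over
    # plain HTTP for a year, even if a user types http:// or follows an old link.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Session cookie: Secure = never sent over HTTP; HttpOnly = not readable by page
    # scripts. The same settings can be made in php.ini as
    #   session.cookie_secure = 1
    #   session.cookie_httponly = 1
    php_value session.cookie_secure 1
    php_value session.cookie_httponly 1
</VirtualHost>
```

The Header directive requires mod_headers and the SSL directives mod_ssl, so both LoadModule lines must be active in httpd.conf. The php_value lines only take effect when PHP runs as an Apache module, as it does under XAMPP; for any other setup, put the two session directives in php.ini instead. Before relying on the redirect, confirm with the browser's developer tools that a request to http://adam.example.school/ answers with a 301 to the https:// address and that the session cookie is issued with the Secure and HttpOnly flags.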

Be aware that HTTPS involves trust. Web browsers have been pre-configured to trust security certificates that have been issued by certain Certification Authorities such as Thawte and Verisign. While you can always use a certificate to encrypt the channel you are speaking on, many browsers will display scary error messages because they do not trust the certificate they have been shown. This does not stop the encryption from happening, but, on the Internet, a certificate that cannot be linked to a trusted authority is often the sign of a fraudulent or criminal website.

There are two options to generate a certificate:

  1. In a Microsoft network, a Certification Authority run on the domain (Active Directory Certificate Services, commonly installed on a Domain Controller) is trusted automatically by any machine that has been joined to the domain, so a certificate it issues will work flawlessly on those machines. However: if machines from the Internet (such as teachers working from home, or parents and pupils) are attempting to access your server, their computers are not configured to trust your domain's Certification Authority and will display error messages because of it.
  2. Get a certificate issued by a certification authority. These certificates are not free but they are supported immediately by more than 99% of web browsers currently in use. A single domain certificate from Thawte currently costs in the region of R5000 for a 5 year certificate.