Security

Follett School Solutions, Inc. continues to invest in technologies that enhance product security and help in the identification of potential security vulnerabilities. As part of that ongoing commitment, Follett has included several capabilities in Destiny v9.5 or higher that let you create a tight password policy and help prevent denial-of-service attacks.

The following configuration options are easy to implement and are straightforward ways to adjust how Destiny 9.5 or higher handles login behavior.

Password and User Login Policies

A robust password policy is an essential first step when building a secure web-based system. Use the options provided by Follett to tighten the Destiny password policy within your school district. Destiny controls all security measures for your district from the Password Policies page.

To access these controls:

  1. Log in as the Destiny Administrator.
  2. Select Setup > District Options sub-tab.
  3. Next to Password Policies, click Edit.
  4. Consider the following options:

    Define a Strict Password Policy

    A security vulnerability can arise if users choose common words as their passwords. Using the Password Policies options, you can configure Destiny to enforce a strict password policy.

    • To require users to choose passwords that are at least 8 characters long and include a mixture of digits and letters, select the Strong password required checkbox.

      Note: This setting does not invalidate existing passwords.

    • To enforce your district's password change policy, use the Login expires field.

    Define a Password Lockout Policy

    An effective defense against automated password discovery tools is to temporarily disable a user account after a specific number of invalid login attempts.

    • To configure the login security to match your district's security needs:
      1. Select a number from the Login attempts allowed drop-down.
      2. Enter the number of minutes to disable the account in the Login lockout delay field.

      Example: If you select 2 from the drop-down and enter a 5 in the Login lockout delay field, then, after two failed login attempts, Destiny will lock the user's account for 5 minutes.

  5. Click Save.

Advanced Security Options

If your district needs to configure the system to deal with a denial-of-service attack, Follett offers powerful tools that can help. However, the configuration can be complex and requires a consultative engagement with the Follett School Solutions, Inc. technical team. Such a solution will be tailored to the specific needs of your district, your network infrastructure, and your users' specific searching and transaction patterns. The configurable settings include:

  • HTTP Session Creation Governor, limiting the number of new sessions that can be created per second
  • Total Web Request Size Filter, preventing overflow attacks
  • Limit percentage of total thread pool available to Guest
  • Limit percentage of total thread pool available to external IP addresses

These settings, while highly beneficial in preventing a network attack, are easily misconfigured without extensive research and a benchmark of your Destiny installation. Misconfigured settings can also unintentionally restrict the usefulness and performance of the Destiny system. Contact Follett Technical Support for more details.
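The page does not describe how Destiny implements these settings, so the following is an added illustration of the ideas behind two of them rather than the product's own code: a session creation governor modeled as a token bucket that admits at most a fixed number of new sessions per second, and a thread pool that caps the share of workers available to Guest users. The class names, the rate and pool sizes, and the simulated burst of arrivals are constructed for the example and are not Destiny parameters.

```python
from typing import List, Optional, Tuple


class SessionCreationGovernor:
    """Token-bucket limiter: at most `rate_per_second` new sessions on average,
    with up to `burst` admitted back-to-back after an idle period."""

    def __init__(self, rate_per_second: float, burst: int) -> None:
        self.rate = rate_per_second
        self.capacity = burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def allow_new_session(self, now: float) -> bool:
        # Refill tokens in proportion to the time elapsed since the last decision.
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False   # over the limit: reject the session request, existing sessions unaffected


def simulate_burst(governor: SessionCreationGovernor, arrivals: List[float]) -> Tuple[int, int]:
    """Feed a list of arrival timestamps (seconds) through the governor.
    Returns (accepted, rejected)."""
    accepted = rejected = 0
    for t in arrivals:
        if governor.allow_new_session(t):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


class ThreadPoolShare:
    """Caps the percentage of a fixed worker pool that Guest requests may occupy,
    so an anonymous flood cannot starve authenticated users of workers."""

    def __init__(self, pool_size: int, guest_percent: int) -> None:
        self.pool_size = pool_size
        self.guest_limit = pool_size * guest_percent // 100
        self.in_use = 0
        self.guest_in_use = 0

    def acquire(self, is_guest: bool) -> bool:
        if self.in_use >= self.pool_size:
            return False
        if is_guest and self.guest_in_use >= self.guest_limit:
            return False
        self.in_use += 1
        if is_guest:
            self.guest_in_use += 1
        return True

    def release(self, is_guest: bool) -> None:
        self.in_use -= 1
        if is_guest:
            self.guest_in_use -= 1


if __name__ == "__main__":
    # Constructed scenario: 30 session requests arrive in the same instant, limit is 10/s.
    gov = SessionCreationGovernor(rate_per_second=10, burst=10)
    print(simulate_burst(gov, [0.0] * 30))          # (10, 20)
    print(gov.allow_new_session(1.0))               # True: bucket refilled after one second

    pool = ThreadPoolShare(pool_size=20, guest_percent=25)   # guests may hold at most 5 workers
    guest_grants = [pool.acquire(is_guest=True) for _ in range(8)]
    print(sum(guest_grants))                         # 5
    print(pool.acquire(is_guest=False))              # True: authenticated users still served
```

The governor refuses only new session creation, so users already logged in keep working during a flood; the pool share similarly leaves three quarters of the workers to authenticated traffic no matter how many Guest requests arrive, which is the trade-off the page warns about: set the limits too low and legitimate peak-hour traffic is turned away as well.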

Conclusion

Security of your system is central to protecting your district’s data. Security is especially critical as the pace of technology changes and installations become more complex. To ensure your system remains reliable and to protect data integrity, Follett will continue to implement safeguards that enhance the security of your Destiny system.