- 21 Jun 2022
- 3 Minutes to read
The Security area can be accessed via the quick-access menu. It contains a range of security settings for the site, server, and users. It is recommended that you check through all options with your systems/network administrator before launching your site and discuss any changes with the relevant stakeholders before implementing.
It is difficult to offer explicit security advice, as the requirements will vary slightly based on your own organisational preferences and policies. Instead, the advice below highlights recommended best practice and considerations.
When considering the server setup for your Totara site the focus should be around balance, deciding how locked down you want the server to be, and how this might impact external connections. This will ultimately be your decision, but we recommend the following:
- Using SSL
- Proper setup of dataroot permissions
- DMZ / secure network setup
If you follow the recommendation for proper setup of dataroot permissions, there are two main requirements:
- The dataroot should not be accessible via the web. We recommend that the dataroot be located outside of the web directory (wwwroot).
- The dataroot ownership and permissions should be configured so that it is accessible to the web server process. For maximum security the files should not be readable or writable by other users.
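The two dataroot requirements above can be verified from the server's shell. The script below is an added example, not Totara's own code; it assumes a Linux host with GNU `stat`, and the paths and web server user name you pass to it are your own (the placeholders in the usage line are assumptions).

```shell
#!/bin/sh
# Added example, not Totara's own code: check a dataroot against the two
# requirements above. Assumes a Linux host with GNU stat; the paths in the
# usage line at the bottom are placeholders.

# Succeeds (exit 0) when DATAROOT is not inside WWWROOT, so the web server
# cannot serve dataroot files directly.
dataroot_outside_wwwroot() {
  wwwroot=${1%/}    # drop a trailing slash so "/var/www/html/" and "/var/www/html" compare alike
  dataroot=${2%/}
  case "$dataroot/" in
    "$wwwroot"/*) return 1 ;;   # dataroot is wwwroot itself or a subdirectory of it
    *) return 0 ;;
  esac
}

# Succeeds when the "other" permission bits of DIR are all clear, i.e. users
# outside the owner and group can neither read, write nor enter it.
dataroot_not_world_accessible() {
  mode=$(stat -c '%a' "$1") || return 1
  other=${mode#"${mode%?}"}   # last octal digit holds the "other" bits
  [ "$other" = "0" ]
}

# Succeeds when DIR is owned by USER (the account the web server process runs as).
dataroot_owned_by() {
  [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Run all three checks and report each result; exit status is 1 if any check fails.
check_dataroot() {
  www=$1; data=$2; user=$3; status=0
  if dataroot_outside_wwwroot "$www" "$data"; then
    echo "ok:   $data is outside $www"
  else
    echo "FAIL: $data is inside $www (move it out of the web directory)"; status=1
  fi
  if dataroot_not_world_accessible "$data"; then
    echo "ok:   $data is not accessible to other users"
  else
    echo "FAIL: $data is readable, writable or enterable by other users (try: chmod o-rwx)"; status=1
  fi
  if dataroot_owned_by "$data" "$user"; then
    echo "ok:   $data is owned by $user"
  else
    echo "FAIL: $data is not owned by $user"; status=1
  fi
  return $status
}

# Usage (placeholder paths): check_dataroot /var/www/html /var/totaradata www-data
if [ $# -eq 3 ]; then
  check_dataroot "$@"
fi
```

The path test deliberately compares whole path components, so a dataroot such as `/var/www/htmldata` is correctly treated as outside a wwwroot of `/var/www/html`.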
Demilitarised zone (DMZ)
For DMZ / secure network setup the exact configuration will depend on your organisation's requirements. However, it is important that internal firewalls are configured so that sensitive internal resources cannot be accessed from the machine that is hosting the Totara site (if the Totara site has less strict access control than the sensitive internal systems).
It is important to note that, even without the DMZ, access to the internal system will still be restricted to users who have a Totara login. However, given that you can enable self-registration, that could mean anyone.
As noted above, a lot of these recommendations will be affected by both external requirements (such as compliance) and/or internal company policy. For example, some companies will have their database in a DMZ (demilitarised zone) to avoid DMZ to trusted network interactions. Others will put it on a private subnetwork and then pinhole the firewall to allow access. Some will put the entire product in a private subnetwork either with or without a VPN for access. Other companies may even create an application-specific DMZ data subnet for the data access of the product, thereby giving the best of both worlds, although this is more typical in cloud environments.
For more server security best practice advice you can see the Open Web Application Security Project (or OWASP for short).
If you are currently running your site using HTTP then you may wish to transition to HTTPS to ensure extra security for your site. Before doing this it is important to note that any content you have (excluding links) that currently uses HTTP will no longer be able to be embedded once you switch to HTTPS. Therefore you will need to check the content can be moved to HTTPS or find new content (you could also change to using links for any HTTP content you need). Once you are happy that your content can manage the change, follow these steps:
- You will need to obtain an SSL certificate from a certificate authority such as Let's Encrypt, which is a free service (other services may charge).
- After getting the certificate you will then need to enable SSL on your server and apply the certificate. The documentation for your server should explain this process as it can vary.
- Now you can set up the Totara site by changing the $CFG->wwwroot value in your config.php file from http:// to https://, e.g.
$CFG->sslproxy = true;
$CFG->wwwroot = 'https://example.com';
Once this is done you will then need to update any existing content that is using HTTP, as this will no longer work (links are fine, other content will need to use HTTPS as well).
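The two checks that this procedure calls for, finding embedded HTTP content that will stop working and confirming that wwwroot now points at https://, can both be done from the shell. The script below is an added example, not Totara's own code; the sample HTML and config file contents are constructed for illustration, and the config check assumes the usual single-quoted `$CFG->wwwroot = '...'` form shown above. It looks only at wwwroot; the `$CFG->sslproxy` line in the snippet above matters only when TLS is terminated by a reverse proxy in front of the web server.

```shell
#!/bin/sh
# Added example, not Totara's own code: two checks for the HTTPS move described
# above. The sample HTML and config below are constructed for illustration.

# Print the http:// URLs used as embedded resources (src=, poster=, data=),
# one per line, reading HTML from stdin. href= links are ignored: a plain link
# still works after the switch, while embedded http:// content is blocked by
# browsers as mixed content.
find_mixed_content() {
  grep -oE '(src|poster|data)="http://[^"]*"' | sed -E 's/^[a-z]+="(.*)"$/\1/'
}

# Succeeds when the given config.php sets $CFG->wwwroot to an https:// URL.
wwwroot_is_https() {
  grep -Eq "wwwroot[[:space:]]*=[[:space:]]*'https://" "$1"
}

# Constructed sample content: one link (fine), two embedded http:// resources
# (will break after the switch), one embedded https:// resource (fine).
SAMPLE_HTML='<p>Read <a href="http://example.com/page">the page</a>.</p>
<img src="http://cdn.example.com/logo.png" alt="logo">
<img src="https://cdn.example.com/secure.png" alt="secure">
<iframe src="http://videos.example.com/embed/1"></iframe>'

# Number of embedded http:// resources found in SAMPLE_HTML.
count_sample_mixed_content() {
  printf '%s\n' "$SAMPLE_HTML" | find_mixed_content | wc -l | tr -d ' '
}

# Usage: pipe exported page or course HTML in, e.g.
#   cat exported_page.html | find_mixed_content
# and check the site config with
#   wwwroot_is_https /path/to/config.php && echo "wwwroot is https"
```

Run the exported HTML of your content through `find_mixed_content` before the switch; every URL it prints must be moved to HTTPS, replaced, or turned into a plain link.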
Once you have made sure you are happy with the security of the server setup, you should also configure your Totara site to ensure it is secure. Again, a lot of this will depend on the policies and end goals of your organisation. Consider the following carefully:
- Review the security settings to make sure they are appropriate for your organisation
- Check your site's Security overview report for guidance on specific areas to consider/review
You can get to this page via Quick-access menu > Reports > Security overview.
© Copyright 2022 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions.