Security

Recommended user login policies for Destiny® v9.5 or higher

Follett School Solutions, Inc. continues to invest in technologies that enhance product security and help in the identification of potential security vulnerabilities in Destiny Resource Management Solution. As part of that ongoing commitment, we have included several capabilities in Destiny v9.5 or higher that let you create a tight password policy and help prevent denial of service attacks.

This help topic outlines the basic configuration options available to adjust the way Destiny 9.5 or higher handles login behavior. The configuration options are easily implemented and represent fairly straightforward concepts.

Password and user login policies

A robust password policy is an essential first step when building a secure web-based system. The options provided by Follett let you tighten the password policy within your school district.

Destiny controls all security measures for your district from the Password Policies page. To access these controls, log in as the District Administrator, click the Setup link in the upper corner, and then select the District Options tab. Click the Edit button for the Password Policies section.

Define a strict password policy

A security vulnerability can occur if users select common terms as their passwords. Using the Password Policies options, you can configure Destiny to enforce a strict password policy. By selecting the Strong password required check box, you require users to choose passwords that are 8 characters or greater in length and include a mixture of digits and letters.

Note: This setting does not invalidate existing passwords. You can use the Login expires field to enforce your district's password change policy.

Define a password lockout policy

An effective defense against automated password discovery tools is to temporarily disable a user account after a specific number of invalid login attempts.
By selecting a numerical option from the Login attempts allowed list, and then entering the number of minutes to disable the account in the Login lockout delay field, you can configure the login security to match your district's security needs.

Example: If you select 2 from the list and enter a 5 in the Login lockout delay field, then, after two failed login attempts, Destiny will lock the user's account for 5 minutes.

Advanced security to prevent attacks on your Destiny installation

If your district has a need to configure the system to deal with a denial of service attack, we have powerful tools that can be brought to bear. However, the power they provide comes at the expense of configuration complexity and requires a consultative engagement with the Follett School Solutions, Inc. technical team. Such a solution will be tailored to the specific needs of your district, your network infrastructure, and your users' specific searching and transaction patterns. The configurable settings include:
These settings, while highly beneficial in preventing a network attack, can be misconfigured without extensive research and benchmarking of the customer installation. This may unintentionally restrict the usefulness and performance of the Destiny system.

Conclusion

Security of your system is central to protecting your district’s data. This is especially critical as the pace of technology changes and installations become more complex. To ensure your system remains reliable and to protect data integrity, Follett will continue to implement safeguards within our solutions that enhance the security of your Destiny system.
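The strong-password rule and the lockout example described above (2 attempts allowed, 5-minute delay), modeled in Python to show how few guesses an automated tool gets through under that setting. This is an added example, not Follett's code; the class and function names, the counter reset on a successful login, and locked attempts not extending the lockout are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    attempts_allowed: int   # value chosen in the "Login attempts allowed" list
    lockout_delay_min: int  # "Login lockout delay" field, in minutes


def is_strong(password: str) -> bool:
    """Rule as the page states it: 8+ characters, mixing digits and letters."""
    return (len(password) >= 8
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[A-Za-z]", password) is not None)


class AccountState:
    """Per-account failure counter and lock expiry (times in seconds)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = 0
        self.locked_until = 0

    def attempt(self, now: int, password_correct: bool) -> str:
        if now < self.locked_until:
            return "locked"        # rejected before the password is checked
        if password_correct:
            self.failures = 0      # assumption: success resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.attempts_allowed:
            # Threshold reached: lock the account for the configured delay.
            self.locked_until = now + self.policy.lockout_delay_min * 60
            self.failures = 0
        return "denied"


def guesses_evaluated(policy: LockoutPolicy, duration_s: int,
                      interval_s: int = 1) -> int:
    """Wrong guesses that reach the password check when one is sent every
    interval_s seconds for duration_s seconds (constructed workload)."""
    acct = AccountState(policy)
    return sum(acct.attempt(t, False) == "denied"
               for t in range(0, duration_s, interval_s))
```

With the page's example values, a tool sending one guess per second for an hour has only 24 of its 3,600 guesses evaluated; a legitimate user who mistypes twice also waits out the same 5 minutes, which is the trade-off to weigh when choosing the two values.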
Destiny v16.5 Help includes the most recent product updates. For details, see What's New in Destiny Version 16.5.