• Ektron Passwords Stored with Reversible Encryption

    Description: This article details the password encryption Ektron uses in the database. Some customers need to know this to judge the level of security currently implemented in their projects.
    Resolution: As of version 9.0, Ektron no longer stores passwords with reversible encryption. Passwords are hashed with a one-way function built on the .NET Rfc2898DeriveBytes class, which implements PBKDF2 with HMAC-SHA1 and a randomly generated salt for each password, so the stored value cannot be turned back into the plaintext.
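    The following is an added example, not Ektron's code, of the scheme described above: PBKDF2 through .NET's Rfc2898DeriveBytes (HMAC-SHA1) with a random salt, plus a constant-time verifier. The iteration count (100000), the salt and hash lengths and the iterations$salt$hash storage format are this example's own choices, not Ektron's internal settings.

```powershell
# Added example: PBKDF2 password hashing with .NET's Rfc2898DeriveBytes (HMAC-SHA1).
# Iteration count, salt/hash sizes and the storage format are assumptions of this
# example, not Ektron's internal settings.
function New-PasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Iterations = 100000,
        [int]$SaltBytes  = 16,
        [int]$HashBytes  = 32
    )
    # This overload draws a fresh random salt from the CSPRNG; the salt is what makes
    # two users with the same password store different hashes.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $SaltBytes, $Iterations)
    try {
        $salt = $kdf.Salt
        $hash = $kdf.GetBytes($HashBytes)
    } finally { $kdf.Dispose() }
    # Store everything needed to re-derive the hash at login time.
    '{0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-PasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Stored
    )
    $parts = $Stored.Split('$')
    if ($parts.Count -ne 3) { return $false }
    $iterations = [int]$parts[0]
    $salt       = [Convert]::FromBase64String($parts[1])
    $expected   = [Convert]::FromBase64String($parts[2])
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $iterations)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    # Constant-time comparison: OR together every byte difference instead of returning
    # at the first mismatch, so timing does not reveal how many leading bytes matched.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ([int]$expected[$i] -bxor [int]$actual[$i])
    }
    return ($diff -eq 0)
}

# Usage
$stored = New-PasswordHash -Password 'correct horse battery staple'
$stored
Test-PasswordHash -Password 'correct horse battery staple' -Stored $stored
Test-PasswordHash -Password 'Tr0ub4dor&3' -Stored $stored
```

    HMAC-SHA1 is still an acceptable PRF for PBKDF2 (the SHA-1 collision attacks do not affect HMAC), but .NET Framework 4.7.2 and later also offer Rfc2898DeriveBytes overloads that take a HashAlgorithmName, so new code can select SHA-256 without changing the rest of the scheme.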

  • Finding The Security Update Log File

    Description: This article explains how to find the log file for the security patch installer.
    Resolution: Log into the web server and go to the drive the site is installed on, then open this directory: C:\Program Files (x86)\Ektron\SecurityUpdate\ Open the Results.html file there; it lists what was updated.

  • GDPR Compliance with Ektron HTML Forms

    Description: This article goes over GDPR considerations for Ektron HTML Forms.
    Resolution: Form submission data is not stored encrypted in the database, and there is no out-of-the-box option to encrypt it. The Ektron APIs can be used to delete submitted form data, which is how erasure requests can be honoured; the relevant tables are included for reference. Below is a sample API page to purge form data, which can be modified as needed. <%@ Page Language="C#" %><!DOCTYPE html><...

  • Heartbleed Vulnerability

    Description: Ektron is taking the Heartbleed vulnerability (CVE-2014-0160) very seriously and wants to keep you informed of how it affects you. Below is a description of what the vulnerability is, what it can affect, and how to mitigate intrusions that exploit it. Ektron sites run on IIS, which uses SChannel rather than OpenSSL for TLS, so the Ektron web server itself is unaffected; do check any load balancer, reverse proxy or other OpenSSL-based device that terminates TLS in front of IIS. Heartbleed is a vulnerability in OpenSSL affecting versions 1.0.1 through 1.0.1f and 1.0.2-beta1, and is fixed in 1.0.1g and 1.0.2-beta2. OpenSSL is a library commonly implemented on apach...

  • How To Add HttpOnly Flag To The ECM Cookie

    Description: This article describes the Ektron configuration option for setting the HttpOnly flag on the ECM cookie. With HttpOnly set, browsers refuse to expose the cookie to client-side script, which limits what a cross-site scripting bug can steal.
    Resolution: In web.config you will find the following key:
    <!-- This is for setting the HttpOnly attribute for the ECM cookie -->
    <add key="ek_HttpOnly" value="false" />
    Set the value to "true" to enable the setting.

  • How to configure a self-signed SSL certificate with Ektron

    Description: This article shows how to configure a self-signed certificate to test the Workarea over SSL or to troubleshoot an SSL issue. A self-signed certificate is enough to reproduce a feature that works over HTTP but not over HTTPS; it is for test environments only, since browsers will not trust it without manual steps.
    Resolution: The following linked article outlines the steps to create a self-signed certificate: http://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx After you create the self-signed certificate, add the certificate to your site bindings as follows. Choos...
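    As an added example (not from the linked article and not Ektron's own procedure), the same result scripted in PowerShell on Windows Server 2012 or later: create the certificate, add an HTTPS binding and attach the certificate to it. The host name, site name and the Workarea URL are assumptions; on a test client, the host name must also resolve to the server (for example through the hosts file).

```powershell
# Added example: self-signed certificate plus HTTPS binding for a test server.
# Host name and site name are assumptions; adjust them to your environment.
Import-Module WebAdministration

$hostName = 'cms.example.test'      # assumed test host name
$siteName = 'Default Web Site'      # assumed IIS site name

# 1. Create the certificate in the machine store (subject and SAN = host name).
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Add an HTTPS binding to the site unless one already exists on that port.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}

# 3. Attach the certificate to the binding ('My' = the LocalMachine\My store).
Get-WebBinding -Name $siteName -Protocol https -Port 443 |
    ForEach-Object { $_.AddSslCertificate($cert.Thumbprint, 'My') }

# 4. Test machines only: trust the certificate locally so the browser stops warning.
#    Never import a self-signed certificate into Trusted Root on a production host.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite'); $rootStore.Add($cert); $rootStore.Close()

"https://$hostName/Workarea/ should now answer with certificate $($cert.Thumbprint)"
```

    Step 4 is what turns a browser warning into a clean test; it is also the step that must never be copied to production, because anything signed with that private key would then be trusted by the machine.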

  • How to encrypt the ecm cookie

    Description: This article explains how to encrypt the ecm cookie.
    Resolution: To encrypt the ecm cookie:
    1) Edit web.config and change <add key="ek_EnableCookieEncryption" value="false"></add> to <add key="ek_EnableCookieEncryption" value="true"></add>
    2) Recycle the application pool for the website so the new value is picked up.
    Encrypting the cookie contents protects what is stored in it; it does not replace the HttpOnly flag, which controls whether script can read the cookie at all.

  • HTTPONLY flag not set in Internet Explorer

    Description: After setting ek_HttpOnly to true in web.config, you may not see the HTTPONLY flag in Internet Explorer's F12 Developer Tools.
    Resolution: This is a display issue in older versions of IE, not a sign that the flag is absent; verify the setting by another method, such as capturing the response in Fiddler and reading the Set-Cookie header. In newer versions of IE, clear the cache and check the response header's HTTPONLY column; it should show as checked.
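    The browser-independent check suggested above, as an added example that is not part of the original articles: read the raw Set-Cookie headers (captured in Fiddler or fetched directly) and report which cookies lack HttpOnly, and optionally Secure. This also serves as the verification step for the ek_HttpOnly setting described earlier. The cookie name 'ecm' and the sample headers are assumptions; use the cookie name you see in your own capture.

```powershell
# Added example: audit Set-Cookie headers for the HttpOnly (and Secure) attributes.
# Feed it raw Set-Cookie values captured in Fiddler or the browser's network panel, or
# fetch them with Get-SetCookieHeaders below. The cookie name 'ecm' is an assumption.
function Test-CookieFlags {
    param(
        [Parameter(Mandatory)][string[]]$SetCookieHeaders,
        [string[]]$RequireHttpOnly = @('ecm'),   # cookies that must carry HttpOnly
        [switch]$RequireSecure                   # also require Secure (HTTPS-only sites)
    )
    foreach ($header in $SetCookieHeaders) {
        # "name=value; attr; attr=value; ..." - the first segment is the cookie itself,
        # the rest are attributes; attribute names are case-insensitive.
        $segments = @($header.Split(';') | ForEach-Object { $_.Trim() })
        $name     = ($segments[0] -split '=', 2)[0]
        $attrs    = @($segments | Select-Object -Skip 1 | ForEach-Object { ($_ -split '=', 2)[0].ToLowerInvariant() })
        $missing  = @()
        if ($RequireHttpOnly -contains $name -and $attrs -notcontains 'httponly') { $missing += 'HttpOnly' }
        if ($RequireSecure -and $attrs -notcontains 'secure') { $missing += 'Secure' }
        [pscustomobject]@{
            Cookie   = $name
            HttpOnly = ($attrs -contains 'httponly')
            Secure   = ($attrs -contains 'secure')
            Missing  = ($missing -join ', ')
        }
    }
}

# Fetch one response's Set-Cookie headers without following redirects (the login
# redirect is often where the session cookie is issued).
function Get-SetCookieHeaders {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse() }
    catch {
        # PowerShell may wrap the WebException; 4xx/5xx responses still carry headers.
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException] -and $ex.Response) { $resp = $ex.Response } else { throw }
    }
    $values = $resp.Headers.GetValues('Set-Cookie')
    $resp.Close()
    if ($null -eq $values) { @() } else { $values }
}

# Constructed sample (not captured from a real site): the first cookie lacks both flags.
$sample = @(
    'ecm=abc123; path=/',
    'ASP.NET_SessionId=xyz; path=/; HttpOnly',
    'ecm=abc123; path=/; Secure; HttpOnly'
)
Test-CookieFlags -SetCookieHeaders $sample -RequireSecure | Format-Table -AutoSize
# Live site: Test-CookieFlags -SetCookieHeaders (Get-SetCookieHeaders 'https://cms.example.test/Workarea/') -RequireSecure
```

    Reading the header directly sidesteps the IE display problem entirely: if the word HttpOnly is in the Set-Cookie line, the browser will honour it regardless of what the tools panel shows.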

  • Prevent aspx files from being executed

    Description: Here are some steps you can take to make your environment more secure. [Update 08/01/2013: We've created a utility that automatically runs through the steps below. You can find the utility here: EkSiteLockDown.exe -- download this file and run it on the server you'd like to secure.] Many attackers use viruses and worms to spread malicious code across the internet. To do this, they will often try to upload scripts to a web server, then try to execute those scripts on the ser...
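    One standard way to make an upload folder non-executable, given here as an added example that is neither the EkSiteLockDown utility nor the article's own steps: drop a web.config into the folder whose request-filtering rules reject requests for server-side file types, so an uploaded .aspx file can be stored but never run. The folder path and extension list are assumptions.

```powershell
# Added example (not Ektron's utility or documented steps): make an upload folder
# non-executable with IIS request filtering. Requests for the listed extensions inside
# this folder are rejected with HTTP 404.7 before any handler runs.
function Protect-UploadFolder {
    param(
        [Parameter(Mandatory)][string]$FolderPath,
        # Extensions already denied at server level by default (.config, .cs, .vb, .asax,
        # .ascx, ...) must NOT be added again here: a duplicate <add> makes IIS return 500.19
        # for the whole folder. The list below only contains types IIS allows by default.
        [string[]]$BlockedExtensions = @('.aspx', '.ashx', '.asmx', '.asp', '.svc', '.soap',
                                          '.cshtml', '.vbhtml', '.php', '.dll', '.exe')
    )
    $rules = ($BlockedExtensions | ForEach-Object {
        '        <add fileExtension="{0}" allowed="false" />' -f $_
    }) -join "`r`n"

    $webConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
$rules
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"@
    $target = Join-Path $FolderPath 'web.config'
    if (Test-Path -LiteralPath $target) {
        throw "$target already exists; merge the requestFiltering section into it by hand"
    }
    Set-Content -LiteralPath $target -Value $webConfig -Encoding UTF8
    $target
}

# Usage (assumed path of the site's upload folder)
Protect-UploadFolder -FolderPath 'C:\inetpub\wwwroot\mysite\uploadedfiles'
```

    A second, independent layer is <handlers accessPolicy="Read" /> in the same web.config, which strips Script and Execute permission from the folder. The handlers section is locked at server level by default, so that line only works after appcmd unlock config /section:system.webServer/handlers has been run; without the unlock the folder answers 500.19. Request filtering has no such lock, which is why the example uses it first.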

  • Restrict access to a file or folder

    Description: How to restrict access to a file or a folder based on incoming IP addresses.
    Resolution: Securing a folder
    1. Open IIS Manager (Start > Run, type INETMGR and press Enter).
    2. Navigate to the web site.
    3. Select the folder that needs restriction.
    4. In Features View, double-click "IPv4 Address and Domain Restrictions".
    5. In the Actions pane, click "Add Allow Entry".
    6. Select the "Specific IPv4 Address" radio button, enter the IP address and click OK.
    7. In the Actions pane, click "Edit Feature Settings".
    8. Select "Deny" from the d...
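    The same steps scripted with the WebAdministration module, as an added example that is not part of the original article: one allow entry per address and the default action set to Deny, written to applicationHost.config so the locked ipSecurity section does not have to be unlocked. The site name, the Workarea folder and the addresses are assumptions for illustration.

```powershell
# Added example: PowerShell equivalent of the IIS Manager steps above.
# Requires the "IP and Domain Restrictions" role service (Install-WindowsFeature Web-IP-Security).
Import-Module WebAdministration

function Set-FolderIpRestriction {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Folder,            # path under the site, e.g. 'Workarea'
        [Parameter(Mandatory)][string[]]$AllowedAddresses
    )
    # Writing under MACHINE/WEBROOT/APPHOST puts the rules in a <location> tag of
    # applicationHost.config, which works even though ipSecurity is locked for web.config.
    $common = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = "$SiteName/$Folder"
        Filter   = 'system.webServer/security/ipSecurity'
    }
    Clear-WebConfiguration @common                        # start from an empty rule list
    foreach ($ip in $AllowedAddresses) {                  # "Add Allow Entry" per address
        Add-WebConfigurationProperty @common -Name '.' -Value @{ ipAddress = $ip; allowed = $true }
    }
    # "Edit Feature Settings > Deny": anything not listed is refused (403.503).
    Set-WebConfigurationProperty @common -Name 'allowUnlisted' -Value $false
}

function Get-FolderIpRestriction {
    param([Parameter(Mandatory)][string]$SiteName, [Parameter(Mandatory)][string]$Folder)
    $sec = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$Folder" `
                                -Filter 'system.webServer/security/ipSecurity'
    [pscustomobject]@{
        AllowUnlisted = $sec.allowUnlisted
        Entries       = @($sec.Collection | ForEach-Object {
                            '{0}/{1} allowed={2}' -f $_.ipAddress, $_.subnetMask, $_.allowed })
    }
}

# Usage: restrict the Workarea to two admin workstations (documentation addresses).
Set-FolderIpRestriction -SiteName 'Default Web Site' -Folder 'Workarea' `
                        -AllowedAddresses '203.0.113.10', '198.51.100.25'
Get-FolderIpRestriction -SiteName 'Default Web Site' -Folder 'Workarea'
```

    One caveat worth checking before relying on this: if a load balancer or reverse proxy sits in front of IIS, the source address IIS sees is the proxy's, not the client's, and an allow list written for client addresses will either lock everyone out or let everyone in. Either terminate the restriction at the proxy or configure IIS to honour the forwarded client address first.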

  • Security Flaw in Telerik.Web.UI.dll Reported

    Description: This article discusses customers' concerns about several security advisories Telerik published for Telerik.Web.UI.dll (Cryptographic Weakness, Unrestricted File Upload, Insecure Direct Object Reference) and how they relate to Ektron.
    Resolution: These reports are not an issue for Ektron. Please see the full breakdown below. According to the Telerik documentation for the issues, the product is not vulnerable unless the affected handlers are registered in the site's configuration. For all the issues listed, you must have the handlers defined in your web.c...
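    Because the "not vulnerable" conclusion rests on which handlers a site registers, it is worth checking per site rather than assuming. The following added example, not part of the original article, lists every Telerik handler registered in a web.config (both the IIS and the classic ASP.NET handler lists, including ones wrapped in <location>) and reports the shipped Telerik.Web.UI.dll version for comparison against the advisories. The sample web.config and the site paths are constructed assumptions.

```powershell
# Added example: audit Telerik handler registrations and the shipped assembly version.
function Get-TelerikHandlerRegistrations {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    # Handlers can live in the IIS integrated-pipeline list or the classic ASP.NET list,
    # possibly inside <location> wrappers, hence the descendant (//) XPath.
    $nodes = $cfg.SelectNodes('//system.webServer/handlers/add | //system.web/httpHandlers/add')
    foreach ($n in $nodes) {
        if ($n.type -like '*Telerik*') {
            [pscustomobject]@{
                Section = $n.ParentNode.ParentNode.LocalName   # system.webServer or system.web
                Path    = $n.path
                Type    = $n.type
            }
        }
    }
}

function Get-TelerikAssemblyVersion {
    param([Parameter(Mandatory)][string]$SiteRoot)
    $dll = Join-Path $SiteRoot 'bin\Telerik.Web.UI.dll'
    if (Test-Path -LiteralPath $dll) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion } else { $null }
}

# Constructed sample web.config (not from a real site), written to a temp file for the demo.
$sampleConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" verb="*" type="Telerik.Web.UI.WebResource, Telerik.Web.UI" validate="false" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" verb="*" type="Telerik.Web.UI.WebResource" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-web.config'
Set-Content -LiteralPath $tmp -Value $sampleConfig -Encoding UTF8
Get-TelerikHandlerRegistrations -WebConfigPath $tmp | Format-Table -AutoSize

# Real site (assumed paths):
# Get-TelerikHandlerRegistrations -WebConfigPath 'C:\inetpub\wwwroot\mysite\web.config'
# Get-TelerikAssemblyVersion -SiteRoot 'C:\inetpub\wwwroot\mysite'
```

    An empty result from the first function is the condition the article describes; any row it does return should be matched against the handler names and fixed versions in Telerik's own advisory text before concluding the site is unaffected.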

  • SSL versus TLS – What’s the difference?

    Description: If you are trying to use a secure email connection to Gmail's servers, use port 587. Port 587 is the mail submission port, where the connection starts in plain text and is upgraded to TLS with the STARTTLS command; port 465 carries SMTP over an implicit TLS connection from the first byte. Both end up using the same TLS protocol, so neither port is more secure than the other in itself; what matters is that the client requires TLS (so a downgrade that strips STARTTLS is refused rather than silently falling back to plain text) and that a current TLS version is negotiated.
    Resolution: SSL versus TLS. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers when data is sent across an insecure network, such as when checking your email (How does the Secure S...