Understanding security and permissions

From: Drupal 6 Essential Training

Video: Understanding security and permissions

The best site should be protected with the best security. So let's take a look at some steps you can take from the very beginning to ensure that you have complete control over who can access and change your content. We won't go into how to configure user roles within Drupal in this video; we will do that in another video. But a little bit of planning now will save you a lot of meddling about when that time comes and could prevent some disastrous security errors. When you run a Drupal site, you will be concerned with security on three levels. First, the server, which contains all the core programs that run Drupal, any additional programs you have added, such as modules, and any custom programming that you created. Server security is especially important because some configuration files store passwords in plain text. If your server security is bad, someone might be able to break in and look at those passwords without you ever knowing that it happened. Second, MySQL contains virtually all of the content of your site. If your MySQL security is improperly set, an attacker could change the site's content, including matters relating to your users' identities. With full access to the MySQL database, the attacker can also change user passwords, effectively giving them full access while removing yours.

Finally, we have Drupal security, flaws in which can cause very similar effects to flaws in MySQL security because really, Drupal is essentially just a nice user interface for the database and the web server. So while it would take a MySQL expert to cause particular vandalism through MySQL security flaws, even a novice attacker with full Drupal access could change content and passwords easily and efficiently. So let's take a look at Drupal security. In short, here's what you need to know.

As it's installed by default, Drupal security is user based; that is, you categorize users as being members of a group and set limits on what members of that group can do. Among the users, there is one super user: the administrator that you created when you first set up Drupal. That one has the ID of 1, if you go into the MySQL database. The second part of Drupal security is the two groups that are automatically built in: one is called Anonymous, the other one is called Authenticated.

Authenticated users are all those who have signed up for your site, while Anonymous users are those who just happen to be browsing it without signing in. Finally, Drupal security allows you to add more groups as you need them, and you probably will do that if you have a collaborative site. So, for example, you may have one group that's Editors, one group that's Writers and another group that's Graphic Designers, each one of which can only affect its particular area. There are other ways to control user access. Most important, however, is the permissions administration screen. You get to that screen by going to Administer and then scrolling down to Permissions. Here you see all of the different kinds of permissions that you can set. Each one of these lines is a different sort of permission and each one of the columns is a different sort of user. As you can see, you have your two built-in users here: Anonymous, who have not signed in, and Authenticated, who have. As we scroll down, there is a nice little trick here: Anonymous and Authenticated stay at the top, so you always know which column you are working with. That's new in Drupal 6, by the way.

By default, all users can access content; however, that's pretty much it. So any time you add an additional module or want to give permission to your Authenticated users to do something, you have to give them that permission specifically by turning it ON with a checkbox and then clicking on Save permissions. Another way that you can change permissions is to go into Administer and then, instead of seeing it by Task, see it by Module. In each one of these groups, you will see a Configure permissions link, which will bring you specifically to the part of the permission screen that deals with that particular module. For example, Block: let's click on Configure permissions and it automatically jumps down to the Blocks area, which has two different things that can be set. Besides giving you ways to control access through the permission screen, Drupal also offers some limited ways of looking at access logs, which can be useful for tracking attacks. For example, a series of failed login attempts in very close succession could be a sign that someone is using an automated program to guess at your users' passwords. Let's go and take a look at some of those reports. Go to Administer and then scroll down to Reports, and here you can see Recent log entries, which is everything. If there have been any Access denied errors, you can see those, and then if people happen to go to pages that don't exist, you can even see those. Let's take a look at log entries here. This is in reverse chronological order, so the most recent ones are at the top. But you could change that by clicking on any of these highlighted columns. For example, to sort by type, click here, and then to sort in the opposite direction, that is from Z to A, you would click again. Let's go back to date and then click again to see it again from most recent to least recent. In addition, you can filter these log messages, for example, only to show those things that were at the emergency level or another high level. If you hold down the Shift key, for example, you can see everything from warning on up, and then click Filter. That cuts out a lot of the noise that might otherwise distract you.
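As an added example (not from the course), here is a small Python script that flags the pattern the transcript describes, a burst of failed logins in close succession, over constructed rows in the shape of Drupal 6's Recent log entries report. The column layout (date, type, message, hostname) and the sample messages are assumptions for illustration, not real log data.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in the shape of Drupal 6 "Recent log entries" rows
# (date | type | message | hostname). Not real log data.
SAMPLE_LOG = """\
2008-05-14 10:02:11|user|Session opened for editor.|192.0.2.7
2008-05-14 10:02:40|user|Login attempt failed for admin.|192.0.2.10
2008-05-14 10:02:41|user|Login attempt failed for admin.|192.0.2.10
2008-05-14 10:02:43|user|Login attempt failed for admin.|192.0.2.10
2008-05-14 10:02:44|user|Login attempt failed for writer.|192.0.2.10
2008-05-14 10:02:46|user|Login attempt failed for admin.|192.0.2.10
2008-05-14 10:15:00|user|Login attempt failed for editor.|192.0.2.7
2008-05-14 10:31:00|user|Login attempt failed for editor.|192.0.2.7
2008-05-14 10:31:09|user|Session opened for editor.|192.0.2.7
"""

FAILED = "Login attempt failed for "

def parse_entries(text):
    """Yield (timestamp, type, message, hostname) for each non-empty row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, typ, message, host = line.split("|", 3)
        yield datetime.strptime(date, "%Y-%m-%d %H:%M:%S"), typ, message, host

def find_login_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return (hostname, first_time, last_time, count) for every host that
    produced `threshold` or more failed logins inside a sliding `window`.
    Each host is reported once, at the moment the threshold is crossed."""
    recent = {}       # host -> deque of failure timestamps inside the window
    alerts = []
    flagged = set()
    for when, typ, message, host in parse_entries(text):
        if typ != "user" or not message.startswith(FAILED):
            continue
        q = recent.setdefault(host, deque())
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged.add(host)
            alerts.append((host, q[0], when, len(q)))
    return alerts

if __name__ == "__main__":
    for host, first, last, n in find_login_bursts(SAMPLE_LOG):
        print(f"{host}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The two isolated failures from 192.0.2.7 are spread over 16 minutes and never reach the threshold, so only the rapid run from 192.0.2.10 is reported.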

Finally, we should mention some parts of Drupal that are particularly vulnerable to attacks. First of all, any third-party modules, which were programmed by individuals and then contributed to the Drupal project, tend not to have as much oversight as the main Drupal project, which, of course, has dozens of people looking at it at any one time. Secondly, PHP and MySQL issues are always popping up, and this is much larger than Drupal. It's a good idea for Drupal administrators to keep an eye on these matters as well, although if you follow the Drupal news, they will usually report any that affect Drupal. Finally, most important to watch out for is good old social engineering, and by that I mean getting e-mails that say, "I am your administrator, give me your password," or anything else that's basically tricking your users.

As always, your main source of information about Drupal should be drupal.org; specifically for security purposes, drupal.org/security. On the drupal.org/security page, you will see a list of advisories in reverse chronological order, so the most recent show up at the top. This video briefly discusses measures to protect the very top level, that is to say, Drupal itself. But then again, your Drupal installation is available to everybody on the internet if you make it public. Fortunately, a knowledgeable application of Drupal's user-based security systems is enough to stop most attacks.

Author: Tom Geller