Canvas Guides for Administrators

As Canvas environments come back online, there are some steps we recommend to safeguard against the risk of further intrusion. These steps are not exhaustive, but they address some common areas that may be targeted in the wake of a cybersecurity incident. For the most current information from Instructure on the cybersecurity incident and ways to safeguard your environment, please visit the Incident Update & FAQ page.

Step 1. Complete a full audit of all Administrator accounts to review for any unrecognized, suspicious, or new administrator accounts and revoke access if found.

Step 2. Enable MFA for all administrator accounts in Canvas. (If you have not previously enabled MFA, you may need to reach out to your Canvas CSM to request it, then follow the linked steps to configure it: Configuring MFA.)

Step 3. Regenerate/rotate any stored access tokens in LTIs or administrator accounts and update any integrations, especially key data integrations with your SIS. This should include terminating any active sessions for administrators: see How to terminate active sessions in Canvas user settings, or use the Canvas API to terminate sessions.

Step 4. Restrict token creation to administrator accounts only by updating your system settings.

Step 5. Alert students and faculty to be wary of any new Canvas messages or emails soliciting money to access any element of Canvas or complete Canvas activities. Recommend that they avoid opening links in messages from any user they are not familiar with.

Step 6. Review your Authentication configuration in Canvas to ensure no new Authentication Types have been configured in your instance.

Step 7. Review your theme settings in Canvas and remove the usage of any insecure CSS for custom login pages. We recommend following the guidance from Instructure on secure Theme Editor Settings.

Step 8. Carefully review LTIs to check for any new LTI installations and reconfigure critical LTIs that may require regenerated API tokens.

Again, while these steps alone may not prevent all possible vulnerabilities in Canvas, they will help safeguard against any common risks or access points that could be exploited by bad actors. 
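As an added illustration of Steps 1 and 3 (not code from Instructure or CVC), the following Python script compares admin records, shaped like the results of the Canvas API's list-account-admins call, against an approved roster and lists the session-termination calls for the flagged users. The sample records, the roster and the function names are constructed for this example, and the script sends nothing over the network.

```python
from collections import defaultdict

# Constructed sample, shaped like "List account admins" results
# (GET /api/v1/accounts/:account_id/admins), keyed by account id.
SAMPLE_ADMINS = {
    1: [
        {"id": 10, "role": "AccountAdmin", "workflow_state": "active",
         "user": {"id": 101, "name": "Pat Lee", "login_id": "plee@example.edu"}},
        {"id": 11, "role": "AccountAdmin", "workflow_state": "active",
         "user": {"id": 999, "name": "Help Desk", "login_id": "helpdesk@example.net"}},
    ],
    7: [
        {"id": 12, "role": "Sub-Account Admin", "workflow_state": "active",
         "user": {"id": 102, "name": "Sam Roy", "login_id": "sroy@example.edu"}},
        {"id": 13, "role": "AccountAdmin", "workflow_state": "active",
         "user": {"id": 102, "name": "Sam Roy", "login_id": "sroy@example.edu"}},
    ],
}

# Constructed approved roster: login_id -> set of (account_id, role) grants.
APPROVED = {
    "plee@example.edu": {(1, "AccountAdmin")},
    "sroy@example.edu": {(7, "Sub-Account Admin")},
}

def audit_admins(admins_by_account, approved):
    """Return {user_id: [finding, ...]} for active grants missing from the roster."""
    findings = defaultdict(list)
    for account_id, admins in admins_by_account.items():
        for admin in admins:
            if admin.get("workflow_state") != "active":
                continue  # already-removed grants need no action
            user = admin["user"]
            login = user["login_id"].lower()
            if login not in approved:
                findings[user["id"]].append(f"unrecognized admin {login} on account {account_id}")
            elif (account_id, admin["role"]) not in approved[login]:
                findings[user["id"]].append(f"unapproved role {admin['role']} for {login} on account {account_id}")
    return dict(findings)

def session_termination_requests(findings):
    """List the API calls that end sessions for flagged users; nothing is sent."""
    return [("DELETE", f"/api/v1/users/{uid}/sessions") for uid in sorted(findings)]

if __name__ == "__main__":
    report = audit_admins(SAMPLE_ADMINS, APPROVED)
    for uid, notes in report.items():
        print(uid, notes)
    print(session_termination_requests(report))
```

Run it against admin lists exported from the root account and every sub-account, since an admin grant on a sub-account does not appear in the root account's list.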

2024 California Community College Chancellors Office, All rights reserved.

Creative Commons License

This work by California Virtual Campus - Online Education Initiative, a project by the California Community Colleges Chancellor's Office is licensed under a Creative Commons Attribution 4.0 International License. Copyright © 2019 by California Community Colleges Chancellor's Office