Highlights of WebSAMS Server, Network

1
Highlights of WebSAMS Server, Network Security
Seminar
2
Contents

• WebSAMS Architecture
• Security and Maintenance
• Backup of Data
• Logs Checking
• Root Certificate

3
WebSAMS Architecture
4
WebSAMS Requirements

• WebSAMS Architecture

• WebSAMS Network is a private and separated
  network, isolated from ITED Network
• Outside the WebSAMS Network, all users must via
  the HTTP Server to access WebSAMS
• HTTP Server can be located within the DMZ zone,
  or inside the ITED Network, as shown in the
  following

5
Network Designs in WebSAMS
WebSAMS Architecture
6
Network Designs in WebSAMS (contd)
WebSAMS Architecture
7
Internet Gateway
WebSAMS Architecture

• Internet Gateway
• Separate Internet and ITED
• 2 interfaces - one for real IP and another for
  internal IP
• Support NAT ( Network Address Translation ), i.e.
  access from Internet to ITED

8
What is NAT?
WebSAMS Architecture

• Network Address Translation ( NAT )
• Translate the IP address from one network to
  other network
• Typically one is inside and one is outside
• Port mapping function

9
HTTP Server
WebSAMS Architecture

• HTTP server is simply a relay server which
  forwards all the requests to the WebSAMS server
• The HTTP server itself does not store any data

10
WebSAMS Router
WebSAMS Architecture
11
WebSAMS Router (contd)
WebSAMS Architecture

• WebSAMS Router ( between WebSAMS and ITED )
• Block all unnecessary network traffic
• Only allow specific network services and TCP
  ports
• HTTP Server connects to WebSAMS server
• Using TCP 8009 for production, TCP 7009 for
  training, TCP 8109 for 1 server 2 SAMS
• WebSAMS server can access Internet without
  passing through proxy
• TCP 80 ( HTTP ) , TCP 443 ( HTTPS ), TCP/UDP 53 (
  DNS )
• TCP 25 ( SMTP ), TCP 110 ( POP3 )

12
Security and Maintenance
13
Best practices

• Security Maintenance

• Best practices on protection of and export of
  data from WebSAMS
• Proper Access Control
• Data Encryption
• Password Handling

14
Patch update

• Security Maintenance

• Update security patches of Windows Server 2012R2
• Install major Windows patches for Window Servers
  only after testing by EDB as announced via
  WebSAMS Release Notes / CDR message from time to
  time
• Update virus pattern on Anti-virus program
• Update IOS (Cisco) or firmware on WebSAMS Router
  (Consult to hardware vendor)

15
Data Security

• Security Maintenance

• Disconnect any shared folder on WebSAMS Server

16
Data Security (cont'd)

• Security Maintenance

• NAS should be connected to WebSAMS Server with a
  cross-over ethernet cable. Do not connect NAS
  device to the WebSAMS network switch.
• Exposure of any sensitive export data to any
  public machine, such as student guardian
  personal info, staff personal info, financial
  report, etc. is not recommended.
• Keep an offline and offsite backup

17
Data Security (cont'd)

• Security Maintenance

• Keep original basic network setting in WebSAMS
  unchanged.
• E.g. Wrongly connect WebSAMS Server to the ITED
  network switch or firewall directly.
• Wrongly connect WebSAMS HTTP Server to the
  WebSAMS network switch.
• Wrongly connect NAS device to WebSAMS network
  switch.
• Wrongly connect Internet cable from ISP to
  WebSAMS Server.

18
Resources on IT Security of WebSAMS

• Security Maintenance

• IT Security in Schools Recommended Practice
  (ITSS)
• Path EDB Webpage gt Education System and Policy gt
  Primary and Secondary School Education gt
  Applicable to Primary and Secondary School gt IT
  in Education gt On-going Support
• Security Guides for WebSAMS
• Path http//cdr.websams.edb.gov.hk gt ?? gt ???? gt
  ???????????
• WebSAMS Version Upgrade release note
• Path http//www.websams.edb.gov.hk gt Version
  Upgrade for 3.0 gt Major Upgrade
• Security reminders in security alert from EDB
  from time to time
• e.g.

19
Resources on IT Security of WebSAMS (contd)

• Security Maintenance

• Regularly visit the Information Security website
  of HKSAR for the update information of IT
  security
• http//www.infosec.gov.hk
• Cyber Security Information Portal
• http//www.cybersecurity.hk/tc/index.php
• Hong Kong Computer Emergency Response Team
  Coordination Centre (HKCERT)
• https//www.hkcert.org

20
Internet Security

• Security Maintenance

• Only open WebSAMS to Internet access for a
  specific period when necessary
• 1. Restrict the time for accessing WebSAMS from
  clients outside SAMS LAN segment at Security gt
  Configuration gt System Configuration

21
Internet Security (cont'd)

• Security Maintenance

• 2. Set up specific Internet Access Time Profile
  to further control the access time for particular
  user clients outside SAMS LAN segment at
  Security gt Access Control gt Internet Access Time
  Profile

22
Internet Security (cont'd)

• Security Maintenance

23
WebSAMS Server Security

• Security Maintenance

• Windows server policies and security best
  practices
• 1. Local Security Policy

• Start Control Panel -gt Administrative Tools -gt
  Local Security Policy
• In Account Policies -gt Account Lockout Policy,
  set Account lockout threshold to 3 invalid
  logon attempts
• Set Account logout Duration and also Reset
  account lockout counter after to 30 minutes.

24
WebSAMS Server Security (cont'd)

• Security Maintenance

• In Local Policies -gt Audit Policy
• Set Audit object access security setting to
  Failure and also set Audit system events
  security setting to Success
• More policy settings in Appendix 8 of
  Installation Guidelines for WebSAMS 3.0

25
WebSAMS Server Security (cont'd)

• Security Maintenance

• 2. User account management
• Start -gt Control Panel -gt Administrative Tools -gt
  Computer Management -gt System Tools -gt Local
  Users and Groups -gt Users -gt Administrator
• On the General tab of ALL user accounts
  properties, uncheck the Password never expires
  checkbox.

26
WebSAMS Server Security (cont'd)

• Security Maintenance

• 3. Enable Screen Saver Timeout
• Start -gt Control Panel -gt Display gt Change screen
  saver

27
WebSAMS Server Security (cont'd)

• Security Maintenance

• 4. Enable Windows Firewall
• Start -gt Control Panel -gt Windows Firewall gt
  Advanced settings

28
WebSAMS Server Security (cont'd)

• Security Maintenance

• Inbound Rules gt new Rule

29
WebSAMS Server Security (cont'd)

• Security Maintenance

• Rule Type gt Port

30
WebSAMS Server Security (cont'd)

• Security Maintenance

• Protocol and Ports gt TCP gt Specific local ports
• 80, 443, 8009, 7009, 3268, 7010, 7268 (Add 8109
  9268 for 1 Server 2 WebSAMS only)

31
WebSAMS Server Security (cont'd)

• Security Maintenance

• Action gt Allow the connection

32
WebSAMS Server Security (cont'd)

• Security Maintenance

• Profile gt Domain, Private Public

33
WebSAMS Server Security (cont'd)

• Security Maintenance

• Name gt WebSAMS gt Finish

34
Backup of Data
35
Backup

• Backup of Data

• Remind Importance of Off-Line Backup
• WebSAMS Backup Schedule
• Pre-backup ? Backup ? Post-backup
• From about 0000 am to 0600 am
• Flow of Scheduled Backup
• Stop WebSAMS engine
• Backup
• Housekeep WebSAMS application log files
• Start WebSAMS engine

36
Backup Job Workflow

• Backup of Data

37
Pre-backup

• Backup of Data

• D\WebSAMS3.0\batch\pre_backup.bat
• 15 mins
• Stop JBoss, database, Apache
• Make copy of WebSAMS data to
• E\data\ltSUIDgt\database\sched

38
Post-backup

• Backup of Data

• D\WebSAMS3.0\batch\post_backup.bat
• Housekeep Apache log files
• D\WebSAMS3.0\Apache\logs\
• Housekeep WebSAMS server log files ( older than
  30 days )
• D\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
• Housekeep CDS log ( More than 30 days )
• E\data\CDS\ltdest_idgt\system\log\
• Housekeep Report temp log files
• E\data\ltSUIDgt\rpt\temp
• Start database, JBoss, Apache

39
Backup on HTTP Server

• Backup of Data

• Back up WebSAMS HTTP server (SUSE Linux
  Enterprise 11) setting to a floppy or a USB drive
• Use command fdisk -l to check USB device
  namee.g. sda1, sda2 or sdb1,etc.
• Use command grepconfig / grepconfig /dev/USB
  device name.(For 1 Server 2 WebSAMS
  environment, use grepconfig_1s2s)
• Run the command when HTTP server is running in
  good condition
• Those files can be copied to any Windows storage
  for backup purpose

40
Backup on HTTP Server (cont'd)

• Backup of Data

• Step 1 Log in HTTP server as root
• Step 2 Type command grepconfig /dev/sda1.
• Step 3 Press Y in the following screen

41
Backup on HTTP Server (cont'd)

• Backup of Data

42
Backup on HTTP Server (cont'd)

• Backup of Data

• Step 4 Press 0 if all information is correct
• Step 5 Press Y to confirm in the following
  screen

43
Logs Checking
44
Logs checking

• Logs Checking

• Windows Event Viewer log
• Control Panel gt Administrative Tools gt Event
  Viewer
• Apache log
• D\WebSAMS3.0\Apache\logs\
• access.log-ltdd-MM-yyyygt ( http request log )
• errors.log-ltdd-MM-yyyygt ( error log )
• Virus scanning log
• Backup software log

45
Logs checking (cont'd)

• Logs Checking

• Local backup log
• To check whether the pre-backup tasks have been
  run successfully (E\data\ltSUIDgt\Log\DB\backup.log
  )

46
Logs checking (cont'd)

• Logs Checking

• JBoss Server Log
• D\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log\
  server.log

Severity
Time Stamp
Message
47
Logs checking (cont'd)

• Logs Checking

• WebSAMS Upgrade Logs
• E\temp\wsup1\ltyyyyMMdd.HHmmgt\
• E\temp\wsup2\ltyyyyMMdd.HHmmgt\
• (For 2nd instance of 1 Server 2 WebSAMS)
• E\temp\training\ltyyyyMMdd.HHmmgt\
• Files and directories are saved under
  ltyyyyMMdd.HHmmgt folder, and the latest folder
  should be kept for tracking purpose.

48
Logs checking (cont'd)

• Logs Checking

• WebSAMS HTTP Linux Server
• Apache log
• (/var/log/apache2/access_log_80, 443, 7010)
• Error log
• (/var/log/apache2/error_log_80, 443, 7010)
• System log
• (/var/log/messages)
• Virus scan log (/var/log/TrendMicro/SProtectLinux/
  Virus.yyyyMMdd. )

49
Logs checking (cont'd)

• Logs Checking

• Linux System Log
• /var/log/messages
• /var/log/

50
Logs checking (cont'd)

• Logs Checking

• All logs in anti-virus
• https//websams.school.edu.hk14943
• Virus Logs, Spyware Logs, Scan Logs System Logs
• /var/log/TrendMicro/SProtectLinux/

51
Logs checking (cont'd)

• Logs Checking

52
Logs checking (cont'd)

• Logs Checking

• Hardware Firewall Log Screen

53
Ad-hoc tasks

• Logs Checking

• Change Passwords in each 3 months
• OS System administrator
• WebSAMS login accounts sysadmin and asysadmin
• HTTP root account

54
Root Certificate
55
Root certificate on WebSAMS client PC

• Root Certificate

• Purpose of installing root certificate
• With this root certificate, WebSAMS is confirmed
  as a trusted website. No more warning message
  will be shown whenever accessing WebSAMS again.

56
Root certificate on WebSAMS client PC

• Root Certificate

• Install WebSAMS Root Certificate on Windows
  Vista/7/8/10

57
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Install WebSAMS Root Certificate on Windows
  Vista/7/8/10

58
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Install WebSAMS Root Certificate on Windows
  Vista/7/8/10

59
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Install WebSAMS Root Certificate on Windows
  Vista/7/8/10

60
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Install WebSAMS Root Certificate on Windows
  Vista/7/8/10

61
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Verification of root certificate in Internet
  Explorer
• Tools (AltT) gt Internet Options gt Content tab

62
Root certificate on WebSAMS client PC (cont'd)

• Root Certificate

• Verification of root certificate in Internet
  Explorer

63
CDR Website
64
WebSAMS Forum (contd)
65
Q A Section
66
The End