
Briefing Session on WebSAMS Server, Network & System Security Management


kcopeland

Presentation Transcript


  1. Briefing Session on WebSAMS Server, Network & System Security Management

  2. Contents
     • 01 WebSAMS Architecture: Hardware, Software
     • 02 Tools for WebSAMS Security: Security Checklist/ Check Report, IT Security, New School Docs
     • 03 Management Experience Sharing: Prevent Ransomware, Password Policy…..
     • 04 Hands-on Regular Tasks: Backup, Security Checking, Updating, Log Checking
     • 05 WebSAMS Hardening: HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert
     • 06 Support & Summary: Assistance, Summary…

  3. 01 WebSAMS Architecture Hardware, Software

  4. WebSAMS Architecture
     4 Hardware
     • The WebSAMS Network is a private and separated network, isolated from the ITED Network by the WebSAMS Router
     • Outside the WebSAMS network, all users must go via the HTTP Server to access WebSAMS (server)
     • The HTTP Server can be located within the Demilitarized Zone (DMZ), or inside the ITED Network
     • Network Attached Storage (NAS) for WebSAMS backup

  5. WebSAMS System Software
     6 Software
     • Required software is installed on the WebSAMS server (Windows Server 2012 R2)
       • Apache
       • JBoss & JRE (Java)
       • Sybase SQL Anywhere 16
       • Crystal Server 2013
       • Anti-Virus Software
       • Backup Software

  6. 2 Network (Typical) Network Design in WebSAMS (A)

  7. 3 Network (Other) Network Design in WebSAMS (B)

  8. Internet Gateway in ITED
     • Internet Gateway
       • Separates the Internet and ITED
       • 2 interfaces: one for real IP and another for internal IP
       • Supports NAT (Network Address Translation), i.e. access from the Internet to ITED
         • Translates the IP address from one network to another network
         • Port mapping function

  9. HTTP Server
     • Simply forwards all requests to the WebSAMS server
     • Does not store any data

  10. 02 Tools for WebSAMS Security Security Checklist/ Sec Check Report, IT Security, New School Docs

  11. 5 Tools for Security
      Resources on Security of WebSAMS
      • Security Check Summary Report (WebSAMS built-in function)
      • Security Checklist
      • WebSAMS Security Guide and Recommended Practice
      • WebSAMS documents for New School
        • Pre-installation Reminders and Activities (Doc 4)
        • Specification of WebSAMS 3.0 Hardware & Software (Doc 20)
        • Network Integration Guideline For New School (Doc 24)
        • Site Preparation Guideline for WebSAMS in school (Doc 17)
        • Installation Guidelines for WebSAMS 3.0 (Doc 33)
      • Government security website

  12. Resources on Security of WebSAMS (Con’t)
      • Regularly visit the Information Security websites
        • IT Security of HKSAR: http://www.infosec.gov.hk
        • Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT): https://www.hkcert.org

  13. 03 Management Experience Sharing Prevent Ransomware, Password Policy…..

  14. 4A in WebSAMS
      What is IT Security (4A)
      • 4A: Authentication, Authorization, Accounting, Audit
      • Authentication
        • Password Policy / Account Policy
      • Authorization
        • Proper Access Control
      • Accounting
        • Audit trail, System/Application logging
      • Audit
        • Security Checklist / Sec Check Summary Report, 3rd party security audit

  15. Management Experience Sharing
      4 Challenges
      • Security Check Summary Report and Checklist
      • Prevent Ransomware
      • Password Policy
      • Change New ISP

  16. Security Check Summary Report
      • Enable the Security Check function and read the summary report popup in WebSAMS
      • The report includes
        • Summary
        • Details
        • Note

  17. Security Check Summary Report (Con’t)
      • The Security Check function helps schools check the basic system security settings of WebSAMS
      • Tips on using the new function:

  18. System Security Setting Checklist
      • Download the Checklist & Tips from the CDR site
      • Conduct checking regularly
      • Keep the completed checklist for record purposes (it is NOT required to submit this checklist to the EDB)

  19. System Security Setting Checklist (cont'd)

  20. Prevent Ransomware
      • Back up important data regularly
      • Separate the Student network, Teacher network, Server network, WiFi network and WebSAMS network into different zones (VLANs)
      • Use a secure public DNS
      • Monitor the server’s CPU usage
      • Government schools that find themselves infected with ransomware should report to the EDB OS helpdesk first

  21. Change password
      • Change passwords on a regular basis
        • OS System administrator
        • WebSAMS login accounts including “sysadmin” and “asysadmin”
        • HTTP root account

  22. Change password (cont'd)
      • Change any simple password in use as soon as possible. The new password should meet the minimum complexity requirements as follows:
        • The password should fulfill any 3 out of the 4 criteria:
          • contain English character(s) a-z (lower case)
          • contain English character(s) A-Z (upper case)
          • contain digit(s) 0-9
          • contain special character(s) ("Space" is not allowed)
        • Length of password should be within 8-40 characters
        • User ID cannot be used as password

  23. Change password (cont'd)
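
The complexity rules on slide 22, written out as a checker that can be run over candidate passwords before they are set. This is an added example, not WebSAMS code; it assumes "special character" means ASCII punctuation, that a space anywhere in the password is rejected, and that the user ID comparison ignores case. The function name and sample values are constructed.

```python
import string

MIN_LEN, MAX_LEN = 8, 40
# Assumption: "special character" = ASCII punctuation (space excluded, per the slide).
SPECIALS = set(string.punctuation)


def check_password(password, user_id):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be within 8-40 characters")
    if " " in password:
        problems.append("space is not allowed")
    # The four character classes from the slide; any 3 of them must be present.
    classes = {
        "lower case a-z": any(c in string.ascii_lowercase for c in password),
        "upper case A-Z": any(c in string.ascii_uppercase for c in password),
        "digit 0-9": any(c in string.digits for c in password),
        "special character": any(c in SPECIALS for c in password),
    }
    if sum(classes.values()) < 3:
        missing = ", ".join(name for name, present in classes.items() if not present)
        problems.append("needs 3 of 4 character classes; missing: " + missing)
    # Assumption: the user-ID rule is applied case-insensitively.
    if password.casefold() == user_id.casefold():
        problems.append("user ID cannot be used as password")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    samples = [
        ("teacher01", "Summer2024"),
        ("sysadmin", "sysadmin"),
        ("clerk02", "abc123"),
        ("clerk03", "Pass word1"),
    ]
    for user, candidate in samples:
        result = check_password(candidate, user)
        print(user, "OK" if not result else "; ".join(result))
```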

  24. 04 Hands-on Regular Tasks Backup, Security Checking, Updating, Log Checking

  25. Backup
      • WebSAMS Server backup
        • Full backup every day is recommended
      • HTTP Server backup / WebSAMS Router backup
        • When a setting is changed, back up the setting only

  26. Data Backup
      • Reminder: Importance of Off-line Backup
      • WebSAMS Backup Schedule
        • Pre-backup → Backup → Post-backup
        • From about 00:00 am to 06:00 am
      • Flow of Scheduled Backup
        • Stop WebSAMS engine
        • Backup
        • Housekeep WebSAMS application log files
        • Start WebSAMS
      • Encryption of backup images
      • Check Backup status daily

  27. Backup Job Workflow

  28. Pre-backup
      • D:\WebSAMS3.0\batch\pre_backup.bat
      • Running 15 mins
      • Stop JBoss, database, Apache
      • Make copy of WebSAMS data to
        • E:\data\<SUID>\database\sched

  29. Backup Rotation Configuration

  30. Post-backup
      • D:\WebSAMS3.0\batch\post_backup.bat
      • Housekeep Apache log files
        • D:\WebSAMS3.0\Apache\logs\
      • Housekeep WebSAMS server log files (older than 30 days)
        • D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
      • Housekeep CDS log (more than 30 days)
        • E:\data\CDS\<dest_id>\system\log\
      • Housekeep Report temp log files
        • E:\data\<SUID>\rpt\temp
      • Start database, JBoss, Apache

  31. Backup on HTTP Server
      • Back up WebSAMS HTTP server settings to a USB drive
        • Use command “httpconfig”
        • Or use command “fdisk -l” to check the USB device name, e.g. sda1, sda2 or sdb1, etc.
        • Use command “grepconfig” / “grepconfig /dev/{USB device name}”
      • Run the command when the HTTP server is running in good condition
      • Those files can be copied to any Windows storage for backup purposes

  32. Backup on HTTP Server (cont'd)
      • Step 1: Log in to the HTTP server as root
      • Step 2: Type command “httpconfig” or “grepconfig /dev/sda1”
      • Step 3: Press “Y” in the following screen

  33. Backup on HTTP Server (cont'd)

  34. Backup on HTTP Server (cont'd)
      • Step 4: Press “0” if all information is correct
      • Step 5: Press “Y” to confirm in the following screen

  35. Security Check Summary Report (Con’t)
      • Enable sec. check function (default: Enable)
      • Set the daily scanning time (default: 08:00PM)
      • The Security Check function scans basic settings in:
        • HTTP server
        • WebSAMS router
        • WebSAMS server

  36. Security Check Summary Report (Con’t)
      • If the checkbox is checked, a notification will be displayed after logging in to WebSAMS when an exception report is generated
      • Read the report and follow the remedy action to fix the issues (if any)

  37. Security Check Summary Report (Con’t) • Exception Report • Summary • Details • Note

  38. System Security Setting Checklist

  39. Patch update
      • Run Windows Update monthly
      • Install major Windows patches for Windows servers only after testing by EDB as announced via WebSAMS Release Notes / CDR message from time to time
      • Enable real-time protection & update virus pattern on anti-virus (including all servers and workstations)
      • Update firmware on WebSAMS Router (consult hardware vendor)

  40. Patch update (cont'd)
      • Update HTTP server patch by “starthsp” command monthly
        • 1) Log in to the HTTP server using the “root” account
        • 2) Type the following command and press [Enter]
        • 3) If the process is successful, the following message will be shown

  41. Logs checking
      • Windows Event Viewer log
        • Control Panel > Administrative Tools > Event Viewer
      • Apache log
        • D:\WebSAMS3.0\Apache\logs\
        • access.log-<dd-MM-yyyy> (http request log)
        • errors.log-<dd-MM-yyyy> (error log)
      • Virus scanning log
      • Backup software log

  42. Logs checking (cont'd) • Local backup log • To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)

  43. Logs checking (cont'd)
      • WebSAMS HTTP Linux Server
        • Apache log (/var/log/apache2/access_log_80, 443, 7010)
        • Error log (/var/log/apache2/error_log_80, 443, 7010)
        • System log (/var/log/messages)
        • Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####)

  44. Logs checking (cont'd) • Linux System Log • /var/log/messages • /var/log/

  45. Logs checking (cont'd)
      • All logs in anti-virus:
        • https://websams.school.edu.hk:14943
        • Virus Logs, Spyware Logs, Scan Logs & System Logs
        • /var/log/TrendMicro/SProtectLinux/

  46. Logs checking (cont'd)

  47. Logs checking (cont'd) Hardware Firewall Log Screen

  48. Pilot Cloud School
      • The local WebSAMS original server/NAS/router still needs regular operations
        • Windows updates
        • WebSAMS Security Guide and Recommended Practice
        • Anti-malware updates
        • Regular checking, e.g. hardware fault LED
        • Firmware update
      • Security-related tasks inside WebSAMS remain the same, e.g.
        • Check login audit log
        • Maintain access rights of different user accounts/groups
        • Password settings, policy
        • Precautions against ransomware and malware

  49. 05 WebSAMS Hardening HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert

  50. WebSAMS Router
      • WebSAMS Router (between WebSAMS and ITED)
        • Block all unnecessary network traffic
        • Only allow specific network services and TCP ports
      • HTTP Server connects to WebSAMS server
        • Using TCP 8009 for production, TCP 7009 for training
      • WebSAMS server can access Internet without passing through proxy
        • TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS), TCP 25 (SMTP), TCP 110 (POP3)
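
The allowlist on slide 50 can be turned into a review check for a router rule export, flagging any allow rule that permits ports beyond the documented flows. This is an added example, not part of the presentation or of WebSAMS; the zone names, rule fields and sample rules are constructed for illustration.

```python
# Flows slide 50 permits through the WebSAMS Router: (source, destination, protocol, port).
# Zone names are hypothetical labels chosen for this example.
ALLOWED = {
    ("http_server", "websams_server", "tcp", 8009),  # production
    ("http_server", "websams_server", "tcp", 7009),  # training
    ("websams_server", "internet", "tcp", 80),    # HTTP
    ("websams_server", "internet", "tcp", 443),   # HTTPS
    ("websams_server", "internet", "tcp", 53),    # DNS
    ("websams_server", "internet", "udp", 53),    # DNS
    ("websams_server", "internet", "tcp", 25),    # SMTP
    ("websams_server", "internet", "tcp", 110),   # POP3
}


def parse_ports(spec):
    """Turn '8009', '20-25' or 'any' into a range of port numbers."""
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def audit_rules(rules):
    """Return [(rule name, number of permitted ports outside the allowlist)]."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules cannot widen access
        extra = sum(
            (r["src"], r["dst"], r["proto"], p) not in ALLOWED
            for p in parse_ports(r["ports"])
        )
        if extra:
            findings.append((r["name"], extra))
    return findings


# Constructed rule export, not taken from a real router.
SAMPLE_RULES = [
    {"name": "R1", "src": "http_server", "dst": "websams_server", "proto": "tcp", "ports": "8009", "action": "allow"},
    {"name": "R2", "src": "http_server", "dst": "websams_server", "proto": "tcp", "ports": "7009", "action": "allow"},
    {"name": "R3", "src": "websams_server", "dst": "internet", "proto": "udp", "ports": "53", "action": "allow"},
    {"name": "R4", "src": "websams_server", "dst": "internet", "proto": "tcp", "ports": "20-25", "action": "allow"},
    {"name": "R5", "src": "ited", "dst": "websams_server", "proto": "tcp", "ports": "3389", "action": "allow"},
    {"name": "R6", "src": "ited", "dst": "websams_server", "proto": "tcp", "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for name, extra in audit_rules(SAMPLE_RULES):
        print(f"{name}: permits {extra} port(s) outside the documented allowlist")
```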
