Briefing Session on WebSAMS Server, Network & System Security Management


Contents

01 WebSAMS Architecture

Hardware, Software

02 Tools for WebSAMS Security

Security Checklist/ Check Report, IT Security, New School Docs

03 Management Experience Sharing

Prevent Ransomware, Password Policy…..

04 Hands-on Regular Tasks

Backup, Security Checking, Updating, Log Checking

05 WebSAMS Hardening

HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert

06 Support & Summary

Assistance, Summary…


Hardware, Software

01 WebSAMS Architecture


WebSAMS Architecture

WebSAMS Network is a private, separate network, isolated from the ITED Network by the WebSAMS Router

Outside the WebSAMS network, all users must go via the HTTP Server to access WebSAMS (server)

HTTP Server can be located within the Demilitarized Zone (DMZ), or inside the ITED Network

4 Hardware

Network Attached Storage (NAS) for backup

WebSAMS


WebSAMS System Software

The required software is installed on the WebSAMS server (Windows Server 2012 R2):

■ Apache

■ JBoss & JRE (Java)

■ Sybase SQL Anywhere 16

■ Crystal Server 2013

■ Anti-Virus Software

■ Backup Software

6 Software


Network Design in WebSAMS (A)

2 Network (Typical)


Network Design in WebSAMS (B)

3 Network (Other)


Internet Gateway in ITED

Internet Gateway

■ Separate Internet and ITED

■ 2 interfaces - one for real IP and another for internal IP

■ Support NAT (Network Address Translation), i.e. access from Internet to ITED

■ Translate the IP address from one network to another network

■ Port mapping function


HTTP Server

Simply forwards all requests to the WebSAMS server

Does not store any data


Security Checklist/ Sec Check Report, IT Security, New School Docs

02 Tools for WebSAMS Security


Resources on Security of WebSAMS

Security Check Summary Report (WebSAMS built-in function)

Security Checklist

WebSAMS Security Guide and Recommended Practice

WebSAMS documents for New School

Pre-installation Reminders and Activities (Doc 4)

Specification of WebSAMS 3.0 Hardware & Software (Doc 20)

Network Integration Guideline For New School (Doc 24)

Site Preparation Guideline for WebSAMS in school (Doc 17)

Installation Guidelines for WebSAMS 3.0 (Doc 33)

Government security website

5 Tools for Security


Resources on Security of WebSAMS (cont'd)

Regularly visit the Information Security website

IT Security of HKSAR

http://www.infosec.gov.hk

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

https://www.hkcert.org


Prevent Ransomware, Password Policy…..

03 Management Experience Sharing


What is IT Security (4A)

4A: Authentication, Authorization, Accounting, Audit

Authentication

Password Policy/ Account Policy

Authorization

Proper Access Control

Accounting

Audit trail, System/Application logging

Audit

Security Checklist/ Sec Check Summary Report, 3rd party security audit

4A in WebSAMS


Management Experience Sharing

Security Check Summary Report and Checklist

Prevent Ransomware

Password Policy

Change New ISP

4 Challenge


Security Check Summary Report

Enable the Security Check function and read the summary report pop-up in WebSAMS

The report includes:

• Summary

• Details

• Note


Security Check Summary Report (cont'd)

The Security Check function helps schools check the basic system security settings of WebSAMS

Tips on using the new function:


System Security Setting Checklist

Download Checklist & Tips from CDR site

Conduct checking regularly

Keep the completed checklist for record purposes (schools are NOT required to submit this checklist to the EDB)


Prevent Ransomware

Back up important data regularly

Separate Student network, Teacher network, Server network, WiFi network and WebSAMS network into different zones (VLANs)

Use a secure public DNS

Monitor the server’s CPU usage

Government schools that find themselves infected with ransomware should report to the EDB OS helpdesk first


Change password

• Change passwords on a regular basis

• OS System administrator

• WebSAMS login accounts including “sysadmin” and “asysadmin”

• HTTP root account


Change password (cont'd)

Change any simple password in use as soon as possible.

The new password should meet the minimum complexity requirements as follows:

■ The password should fulfill any 3 out of the 4 criteria:

  ■ contain English character(s) a-z (lower case)

  ■ contain English character(s) A-Z (upper case)

  ■ contain digit(s) 0-9

  ■ contain special character(s) ("Space" is not allowed)

■ Length of password should be within 8-40 characters

■ User ID cannot be used as password


Backup, Security Checking, Updating, Log Checking

04 Hands-on Regular Tasks


Backup

WebSAMS Server backup

• Daily full backup recommended

HTTP Server backup / WebSAMS Router backup

• When a setting is changed, back up the setting only


Data Backup

Reminder: Importance of Off-line Backup

WebSAMS Backup Schedule

■ Pre-backup, Backup, Post-backup

■ From about 00:00 am to 06:00 am

Flow of Scheduled Backup

■ Stop WebSAMS engine

■ Backup

■ Housekeep WebSAMS application log files

■ Start WebSAMS

Encryption of backup images

Check Backup status daily


Backup Job Workflow


Pre-backup

D:\WebSAMS3.0\batch\pre_backup.bat

Running 15 mins

Stop JBoss, database, Apache

Make copy of WebSAMS data to

■ E:\data\<SUID>\database\sched


Backup Rotation Configuration


Post-backup

D:\WebSAMS3.0\batch\post_backup.bat

Housekeep Apache log files

D:\WebSAMS3.0\Apache\logs\

Housekeep WebSAMS server log files ( older than 30 days )

D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log

Housekeep CDS log ( More than 30 days )

E:\data\CDS\<dest_id>\system\log\

Housekeep Report temp log files

E:\data\<SUID>\rpt\temp

Start database, JBoss, Apache


Backup on HTTP Server

Back up WebSAMS HTTP server setting to a USB drive

Use command “httpconfig”

Or use command “fdisk -l” to check USB device name, e.g.: sda1, sda2 or sdb1, etc.

Use command “grepconfig” / “grepconfig /dev/{USB device name}”.

Run the command when HTTP server is running in good condition

Those files can be copied to any Windows storage for backup purpose


Backup on HTTP Server (cont'd)

• Step 1 : Log in to the HTTP server as root

• Step 2 : Type command “httpconfig” or “grepconfig /dev/sda1”.

• Step 3 : Press “Y” in the following screen


Backup on HTTP Server (cont'd)

• Step 4: Press “0” if all information is correct

• Step 5: Press “Y” to confirm in the following screen


Security Check Summary Report (cont'd)

1. Enable sec. check function (default: Enable)

2. Set the daily scanning time (default: 08:00PM)

3. The Security Check function scans basic settings in:

• HTTP server

• WebSAMS router

• WebSAMS server


Security Check Summary Report (cont'd)

4. If the checkbox is checked, a notification will be displayed after logging in to WebSAMS when an exception report is generated

5. Read the report and follow the remedy action to fix the issues (if any)


Security Check Summary Report (cont'd)

Exception Report

• Summary

• Details

• Note


System Security Setting Checklist


Patch update

Run Windows Update Monthly

Install major Windows patches for Windows servers only after testing by EDB as announced via WebSAMS Release Notes / CDR message from time to time

Enable real time protection & update virus pattern on Anti-virus (including all servers and workstations)

Update firmware on WebSAMS Router (Consult hardware vendor)


Patch update (cont'd)

Update HTTP server patch by “starthsp” command monthly

• 1) Log in HTTP server by using the “root” account

• 2) Type the following command and press [Enter]

• 3) If the process is successful, the following message will be shown


Logs checking

Windows Event Viewer log

■ Control Panel > Administrative Tools > Event Viewer

Apache log

■ D:\WebSAMS3.0\Apache\logs\

■ access.log-<dd-MM-yyyy> (HTTP request log)

■ errors.log-<dd-MM-yyyy> (error log)

Virus scanning log

Backup software log


Logs checking (cont'd)

Local backup log

• To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)


Logs checking (cont'd)

WebSAMS HTTP Linux Server

■ Apache log (/var/log/apache2/access_log_80, 443, 7010)

■ Error log (/var/log/apache2/error_log_80, 443, 7010)

■ System log (/var/log/messages)

■ Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####)


Logs checking (cont'd)

Linux System Log

• /var/log/messages

• /var/log/


Logs checking (cont'd)

All logs in anti-virus:

• https://websams.school.edu.hk:14943

• Virus Logs, Spyware Logs, Scan Logs & System Logs

• /var/log/TrendMicro/SProtectLinux/


Logs checking (cont'd)

Hardware Firewall Log Screen


Pilot Cloud School

Local WebSAMS original server/NAS/router still needs regular operations

• Windows updates

• WebSAMS Security guide and Recommended Practice

• Anti-malware updates

• Regular checking e.g. hardware fault LED

• Firmware update

Security-related tasks inside WebSAMS remain the same, e.g.

• Check login audit log

• Maintain access rights of different user accounts/groups

• Password settings, policy

Precautions against ransomware and malware


HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert

05 WebSAMS Hardening


WebSAMS Router

WebSAMS Router (between WebSAMS and ITED)

■ Block all unnecessary network traffic

■ Only allow specific network services and TCP ports

■ HTTP Server connects to WebSAMS server

  ■ Using TCP 8009 for production, TCP 7009 for training

■ WebSAMS server can access Internet without passing through proxy

  ■ TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS), TCP 25 (SMTP), TCP 110 (POP3)


Router Config

Modified default route

■ Example:

■ ip route 0.0.0.0 0.0.0.0 10.128.15.253

ACL modification

■ Example:

■ access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established

■ access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023

■ access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply

■ access-list 101 permit icmp any host 10.128.30.150 packet-too-big

■ access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009

■ access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009

■ access-list 101 deny ip any any log
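
The first-match behaviour of the ACL above, as an added example that is not part of the original slides: a small Python evaluator parses the seven `access-list 101` lines and reports which rule decides a few constructed packets. The packet fields, the sample addresses 172.16.0.23, 203.0.113.10 and 192.0.2.53, and the reading of 172.16.0.150 as the HTTP Server and 10.128.30.150 as the WebSAMS server are assumptions inferred from the slide text.

```python
import ipaddress

# ACL 101 exactly as listed on the slide.
ACL_101 = """\
access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 10.128.30.150 packet-too-big
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
access-list 101 deny ip any any log
"""

PORT_OPS = {"eq": lambda p, n: p == n,
            "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))


def _take_port(tok):
    """Consume an optional port operator such as 'gt 1023' or 'eq 8009'."""
    if tok and tok[0] in PORT_OPS:
        return tok.pop(0), int(tok.pop(0))
    return None


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        tok = tok[2:]  # drop 'access-list <number>'
        rule = {"line": line.strip(), "action": tok.pop(0), "proto": tok.pop(0)}
        rule["src"], rule["sport"] = _take_addr(tok), _take_port(tok)
        rule["dst"], rule["dport"] = _take_addr(tok), _take_port(tok)
        rule["established"] = "established" in tok
        extras = [t for t in tok if t not in ("established", "log")]
        rule["icmp"] = extras[0] if rule["proto"] == "icmp" and extras else None
        rules.append(rule)
    return rules


def _addr_ok(spec, addr):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def _port_ok(spec, port):
    return spec is None or (port is not None and PORT_OPS[spec[0]](port, spec[1]))


def evaluate(rules, pkt):
    """Return (action, deciding line); the first matching rule wins."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])):
            continue
        if not (_port_ok(r["sport"], pkt.get("sport"))
                and _port_ok(r["dport"], pkt.get("dport"))):
            continue
        # 'established' is a stateless test of the TCP ACK/RST bits,
        # not connection tracking.
        if r["established"] and not pkt.get("ack_or_rst", False):
            continue
        if r["icmp"] and r["icmp"] != pkt.get("icmp_type"):
            continue
        return r["action"], r["line"]
    return "deny", "(implicit deny at end of list)"


# Constructed sample packets heading into the WebSAMS subnet (assumed roles:
# 172.16.0.150 = HTTP Server, 10.128.30.150 = WebSAMS server).
S, W = "172.16.0.150", "10.128.30.150"
SAMPLES = {
    "HTTP Server to WebSAMS server, TCP 8009": dict(proto="tcp", src=S, dst=W, sport=40112, dport=8009),
    "ITED workstation to WebSAMS server, TCP 8009": dict(proto="tcp", src="172.16.0.23", dst=W, sport=40113, dport=8009),
    "HTTPS reply to WebSAMS server": dict(proto="tcp", src="203.0.113.10", dst=W, sport=443, dport=50512, ack_or_rst=True),
    "DNS reply to WebSAMS server": dict(proto="udp", src="192.0.2.53", dst=W, sport=53, dport=53124),
    "UDP 161 from workstation": dict(proto="udp", src="172.16.0.23", dst=W, sport=40114, dport=161),
    "Ping request from workstation": dict(proto="icmp", src="172.16.0.23", dst=W, icmp_type="echo"),
    "Ping reply to WebSAMS server": dict(proto="icmp", src="203.0.113.10", dst=W, icmp_type="echo-reply"),
}


def run_samples():
    rules = parse_acl(ACL_101)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{action:6} {name}")
```

Only the HTTP Server may open new TCP sessions to 8009/7009; everything else that reaches the WebSAMS subnet is return traffic to high ports or falls through to the logged `deny ip any any`.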


WebSAMS subnet access internet

Access the Internet directly, not through the proxy server

Equipment / services involved:

■ WebSAMS Router

■ Internet Gateway

■ ISP


Encrypt Export Files in WebSAMS

• To avoid repeated warning messages when decrypting the exported files, trust the school WebSAMS URL in IE:

ALT+T > Internet Options > Security tab > Local Intranet > [Sites] > Input {School WebSAMS URL} > [Add]

In IE11 of Windows 7


Encrypt Export Files in WebSAMS (cont’d)

ALT+T > Internet Options > Security tab > Trusted sites > [Sites] > Input {School WebSAMS URL} > [Add]

In IE11 of Windows 10


WebSAMS Server Security

Enable Screen Saver Timeout

• WebSAMS Server and all client PC

• Start -> Control Panel -> Display > Change screen saver


WebSAMS Server Security (cont’d)

Enable Windows Firewall

• Start -> Control Panel -> Windows Firewall > Advanced settings


WebSAMS Server Security (cont’d)

• Inbound Rules > New Rule…


WebSAMS Server Security (cont’d)

• Rule Type > Port

• Protocol and Ports > TCP > Specific local ports:

• 80, 443, 8009, 7009, 3268, 7010, 7268

• Action > Allow the Connection


WebSAMS Server Security (cont’d)

• Name > WebSAMS > Finish


5. Apply latest security patch for WebSAMS


Root certificate on WebSAMS client PC

Purpose of installing root certificate:

■ WebSAMS is confirmed as a trusted website.

■ No more warning message will be shown whenever accessing WebSAMS again.


Root certificate on WebSAMS client PC (cont'd)

Install WebSAMS Root Certificate on Windows 7/8/10


Root certificate on WebSAMS client PC (cont'd)

Verification of root certificate in Internet Explorer


Disable remote desktop service


Data Security

• Disconnect any shared folder on WebSAMS Server


Data Security (cont'd)

NAS should connect to the WebSAMS Server with a cross-over cable. Don’t connect the NAS device to the WebSAMS network switch.

Don’t use WebSAMS on a public PC, e.g. cafe, MTR

Keep an offline and offsite backup


Data Security (cont'd)

Keep original basic network setting

• Don’t connect WebSAMS Server to ITED network directly.

• Don’t connect HTTP Server to WebSAMS network switch.

• Don’t connect NAS device to WebSAMS network switch.

• Don’t connect ISP device to WebSAMS Server directly.


Internet Security

Only open WebSAMS to Internet access for a specific period when necessary:

1. Restrict the time for accessing WebSAMS from clients outside SAMS LAN segment at “Security > Configuration > System Configuration”


Internet Security (cont'd)

2. Set up specific “Internet Access Time Profile” to further control the access time for particular user clients outside SAMS LAN segment at “Security > Access Control > Internet Access Time Profile”


Assistance, Summary…

06 Support & Summary


WebSAMS Helpdesk Scope

WebSAMS Application enquiry

Modules maintenance

General usage enquiries

WebSAMS Technical enquiry

Focus on WebSAMS Application

Other enquiries:

School Liaison Officer of the WebSAMS Team


Resources

WebSAMS Central Document Repository:

https://cdr.websams.edb.gov.hk

WebSAMS System Manual:

(AOM) https://www.websams.edb.gov.hk > Installation for New School

(COPM) https://www.websams.edb.gov.hk > Installation for New School

(UM) https://cdr.websams.edb.gov.hk > Home > System Documents > User Manual


Resources

WebSAMS Forum:

• WebSAMS Central Document Repository

• Home > Related Links > Hong Kong Education City School Administration System Forum

• https://forum.hkedcity.net/forumdisplay.php?fid=71

WebSAMS Helpdesk:

• Hotline: 3125-8510 , Fax: 3125-8999

• E-mail: [email protected]

• Leave your School ID, contact person and contact number


6. WebSAMS Download Site Problem

Register the real IP address with the School Liaison Officer

https://cdr.websams.edb.gov.hk > Home > Frequently Used Telephone Numbers/E-mail/Addresses > List of WebSAMS School Liaison Officers and Contact Details


Q & A Session


The End