Briefing Session on WebSAMS Server, Network & System Security Management
2
Contents
01 WebSAMS Architecture
Hardware, Software
02 Tools for WebSAMS Security
Security Checklist/ Check Report, IT Security, New School Docs
03 Management Experience Sharing
Prevent Ransomware, Password Policy, ...
04 Hands-on Regular Tasks
Backup, Security Checking, Updating, Log Checking
05 WebSAMS Hardening
HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert
06 Support & Summary
Assistance, Summary…
3
Hardware, Software
01 WebSAMS Architecture
4
WebSAMS Architecture
The WebSAMS Network is a private, separate network, isolated from the ITED Network by the WebSAMS Router.
Outside the WebSAMS network, all users must go via the HTTP Server to access the WebSAMS server.
The HTTP Server can be located within the Demilitarized Zone (DMZ) or inside the ITED Network.
4 Hardware
Network Attached Storage (NAS) for WebSAMS backup
5
WebSAMS System Software
Required software installed on the WebSAMS server (Windows Server 2012 R2):
■ Apache
■ JBoss & JRE (Java)
■ Sybase SQL Anywhere 16
■ Crystal Server 2013
■ Anti-Virus Software
■ Backup Software
6 Software
6
Network Design in WebSAMS (A)
2 Network (Typical)
7
Network Design in WebSAMS (B)
3 Network (Other)
8
Internet Gateway in ITED
Internet Gateway
■ Separates the Internet and ITED
■ 2 interfaces: one for the real IP and another for the internal IP
■ Supports NAT (Network Address Translation), i.e. access from the Internet to ITED
■ Translates IP addresses from one network to another network
■ Port mapping function
9
HTTP Server
Simply forwards all requests to the WebSAMS server; does not store any data.
10
Security Checklist/ Sec Check Report,
IT Security, New School Docs
02 Tools for WebSAMS Security
11
Resources on Security of WebSAMS
Security Check Summary Report (WebSAMS built-in function)
Security Checklist
WebSAMS Security Guide and Recommended Practice
WebSAMS documents for New School
Pre-installation Reminders and Activities (Doc 4)
Specification of WebSAMS 3.0 Hardware & Software (Doc 20)
Network Integration Guideline For New School (Doc 24)
Site Preparation Guideline for WebSAMS in school (Doc 17)
Installation Guidelines for WebSAMS 3.0 (Doc 33)
Government security website
5 Tools for Security
12
Resources on Security of WebSAMS (cont'd)
Regularly visit the Information Security website
IT Security of HKSAR
http://www.infosec.gov.hk
Hong Kong Computer Emergency Response Team Coordination Centre
(HKCERT)
https://www.hkcert.org
13
Prevent Ransomware, Password Policy, ...
03 Management Experience Sharing
14
What is IT Security (4A)
4A: Authentication, Authorization, Accounting, Audit
■ Authentication: Password Policy / Account Policy
■ Authorization: Proper Access Control
■ Accounting: Audit trail, System/Application logging
■ Audit: Security Checklist / Security Check Summary Report, 3rd-party security audit
4A in WebSAMS
15
Management Experience Sharing
Security Check Summary Report and Checklist
Prevent Ransomware
Password Policy
Change New ISP
4 Challenge
16
Security Check Summary Report
Enable the Security Check function and read the summary report popup in WebSAMS.
Report includes:
• Summary
• Details
• Note
17
Security Check Summary Report (cont'd)
The Security Check function helps schools check the basic system security settings of WebSAMS.
Tips on using the new function:
18
System Security Setting Checklist
Download Checklist & Tips from CDR site
Conduct checking regularly
Keep the completed checklist for record purposes (it is NOT required to submit this checklist to the EDB)
19
System Security Setting Checklist (cont'd)
20
Prevent Ransomware
Back up the important data regularly
Separate the Student network, Teacher network, Server network, WiFi network and WebSAMS network into different zones (VLANs)
Use a secure public DNS
Monitor the server's CPU usage
Government schools that find themselves infected with ransomware should report to the EDB OS helpdesk first
21
Change password
• Change passwords on a regular basis:
• OS system administrator
• WebSAMS login accounts, including “sysadmin” and “asysadmin”
• HTTP root account
22
Change password (cont'd)
Change any simple password in use as soon as possible.
The new password should meet the minimum complexity
requirements as follows:
■ The password should fulfill any 3 out of the 4 criteria:
■ contain English character(s) a-z (lower case)
■ contain English character(s) A-Z (upper case)
■ contain digit(s) 0-9
■ contain special character(s) ("Space" is not allowed)
■ Length of password should be within 8-40 characters
■ User ID cannot be used as password
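A validator for exactly the rules listed above, added here as a worked example (it is not part of the WebSAMS software). It assumes the user-ID comparison is case-insensitive, which the slide does not specify, and treats any non-alphanumeric character other than space as "special".

```python
import re

# Character-class criteria from the slide; a password must satisfy any 3 of the 4.
# Space is excluded from the special class because the slide disallows it outright.
CRITERIA = {
    "lower":   re.compile(r"[a-z]"),
    "upper":   re.compile(r"[A-Z]"),
    "digit":   re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9 ]"),
}
MIN_LEN, MAX_LEN, MIN_CLASSES = 8, 40, 3

def check_password(password, user_id):
    """Return the list of policy violations for a proposed password (empty list = accepted).
    Assumption not stated on the slide: the user-ID comparison is case-insensitive."""
    problems = []
    if " " in password:
        problems.append("space is not allowed")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if password.lower() == user_id.lower():
        problems.append("user ID cannot be used as password")
    met = [name for name, rx in CRITERIA.items() if rx.search(password)]
    if len(met) < MIN_CLASSES:
        problems.append(f"only {len(met)} of 4 character classes present "
                        f"({', '.join(met) or 'none'}); need {MIN_CLASSES}")
    return problems

def demo():
    """Constructed candidate passwords for the 'sysadmin' account named on the slide."""
    return {pw: check_password(pw, "sysadmin")
            for pw in ("sysadmin", "websams2024", "Pass word1", "Ab1!", "Websams2024!")}
```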
23
Change password (cont'd)
25
Backup, Security Checking, Updating,
Log Checking
04 Hands-on Regular Tasks
26
Backup
WebSAMS Server backup
• Daily full backup recommended
HTTP Server backup / WebSAMS Router backup
• When a setting is changed, back up the settings only
27
Data Backup
Reminder: Importance of Off-line Backup
WebSAMS Backup Schedule
■ Pre-backup → Backup → Post-backup
■ From about 00:00 to 06:00
Flow of Scheduled Backup
■ Stop WebSAMS engine
■ Backup
■ Housekeep WebSAMS application log files
■ Start WebSAMS
Encryption of backup images
Check Backup status daily
28
Backup Job Workflow
29
Pre-backup
D:\WebSAMS3.0\batch\pre_backup.bat
Runs for 15 minutes
Stops JBoss, database, Apache
Makes a copy of WebSAMS data to:
■ E:\data\<SUID>\database\sched
30
Backup Rotation Configuration
31
Post-backup
D:\WebSAMS3.0\batch\post_backup.bat
Housekeep Apache log files
D:\WebSAMS3.0\Apache\logs\
Housekeep WebSAMS server log files (older than 30 days)
D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
Housekeep CDS log (older than 30 days)
E:\data\CDS\<dest_id>\system\log\
Housekeep Report temp log files
E:\data\<SUID>\rpt\temp
Start database, JBoss, Apache
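The housekeeping step of the post-backup job, rewritten as an added Python example (this is not the post_backup.bat shipped with WebSAMS): it sweeps the directories named above for files older than 30 days, defaulting to a dry run that only reports. The drive roots, <SUID> and <dest_id> are parameters, and the demo builds a constructed temporary tree instead of touching D:\ and E:\.

```python
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30   # the slide's "older than 30 days" rule
DAY = 86400

def housekeeping_dirs(drive_d, drive_e, suid, dest_id):
    """Log directories listed on the post-backup slide. <SUID> and <dest_id> are left
    unfilled there, so the caller supplies them."""
    return [
        Path(drive_d, "WebSAMS3.0", "Apache", "logs"),
        Path(drive_d, "WebSAMS3.0", "JBoss-as-7.1.1.Final", "standalone", "log"),
        Path(drive_e, "data", "CDS", dest_id, "system", "log"),
        Path(drive_e, "data", suid, "rpt", "temp"),
    ]

def housekeep(dirs, retention_days=RETENTION_DAYS, now=None, dry_run=True):
    """Return the files older than retention_days under dirs; delete them unless dry_run.
    Only regular files directly inside each directory are considered, never subdirectories."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    expired = []
    for d in dirs:
        if not d.is_dir():
            continue                          # a missing directory is skipped, not an error
        for f in sorted(d.iterdir()):
            if f.is_file() and f.stat().st_mtime < cutoff:
                if not dry_run:
                    f.unlink()
                expired.append(f)
    return expired

def demo():
    """Constructed layout: a temporary tree standing in for D:\\ and E:\\ holding one 45-day-old
    and one 5-day-old Apache log. Returns (names removed, names left behind)."""
    root = Path(tempfile.mkdtemp())
    dirs = housekeeping_dirs(root / "D", root / "E", "SUID_PLACEHOLDER", "DEST_PLACEHOLDER")
    apache_logs = dirs[0]
    apache_logs.mkdir(parents=True)
    now = time.time()
    for name, age_days in (("access.log-01-01-2024", 45), ("access.log-15-02-2024", 5)):
        p = apache_logs / name
        p.write_text("constructed sample\n")
        os.utime(p, (now - age_days * DAY, now - age_days * DAY))
    removed = housekeep(dirs, now=now, dry_run=False)
    return [p.name for p in removed], sorted(q.name for q in apache_logs.iterdir())
```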
32
Backup on HTTP Server
Back up the WebSAMS HTTP server settings to a USB drive
Use the command “httpconfig”
Or use the command “fdisk -l” to check the USB device name, e.g. sda1, sda2 or sdb1, etc.
Use the command “grepconfig” / “grepconfig /dev/{USB device name}”
Run the command when the HTTP server is running in good condition
Those files can be copied to any Windows storage for backup purposes
33
Backup on HTTP Server (cont'd)
• Step 1: Log in to the HTTP server as root
• Step 2: Type the command “httpconfig” or “grepconfig /dev/sda1”
• Step 3: Press “Y” in the following screen
34
Backup on HTTP Server (cont'd)
35
Backup on HTTP Server (cont'd)
• Step 4: Press “0” if all information is correct
• Step 5: Press “Y” to confirm in the following screen
36
Security Check Summary Report (cont'd)
1. Enable the security check function (default: Enable)
2. Set the daily scanning time (default: 08:00 PM)
3. The Security Check function scans basic settings in:
• HTTP server
• WebSAMS router
• WebSAMS server
37
Security Check Summary Report (cont'd)
4. If the checkbox is checked, a notification will be displayed after logging in to WebSAMS when an exception report is generated
5. Read the report and follow the remedy action to fix the issues (if any)
38
Security Check Summary Report (cont'd)
Exception Report
• Summary
• Details
• Note
39
System Security Setting Checklist
40
Patch update
Run Windows Update monthly
Install major Windows patches for Windows servers only after testing by EDB, as announced via WebSAMS Release Notes / CDR message from time to time
Enable real-time protection & update the virus pattern on the anti-virus (including all servers and workstations)
Update firmware on the WebSAMS Router (consult hardware vendor)
41
Patch update (cont'd)
Update the HTTP server patch with the “starthsp” command monthly
• 1) Log in to the HTTP server using the “root” account
• 2) Type the “starthsp” command and press [Enter]
• 3) If the process is successful, the following message will be shown
42
Logs checking
Windows Event Viewer log
■ Control Panel > Administrative Tools > Event Viewer
Apache log
■ D:\WebSAMS3.0\Apache\logs\
■ access.log-<dd-MM-yyyy> (HTTP request log)
■ errors.log-<dd-MM-yyyy> (error log)
Virus scanning log
Backup software log
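An added example (not part of WebSAMS) of what a daily Apache log review can automate: it derives the access.log-<dd-MM-yyyy> file name for a date, parses combined-format lines, and reports status-code classes plus any client outside the networks expected to reach the server. The sample lines are constructed; the expected networks reuse the 10.128.30.0/24 subnet and 172.16.0.150 HTTP server address from the router ACL slide, and 203.0.113.9 is a documentation address standing in for an unexpected source.

```python
import re
import ipaddress
from collections import Counter
from datetime import date

# Apache "combined" log line: client, ident, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) (?P<size>\S+)')

def access_log_name(day):
    """File name the slide gives for the daily Apache access log: access.log-<dd-MM-yyyy>."""
    return day.strftime("access.log-%d-%m-%Y")

def review_access_log(lines, expected_nets):
    """Summarise one day's access log: requests per status class, clients that are not in the
    networks expected to reach the WebSAMS server, and lines that could not be parsed."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    status_classes, unexpected, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            client = ipaddress.ip_address(m["client"]) if m else None
        except ValueError:
            client = None
        if client is None:
            unparsed += 1
            continue
        status_classes[m["status"][0] + "xx"] += 1
        if not any(client in n for n in nets):
            unexpected[str(client)] += 1
    return {"status": dict(status_classes), "unexpected_clients": dict(unexpected),
            "unparsed": unparsed}

# Constructed sample lines, not real WebSAMS traffic. With the router ACL in place the
# 203.0.113.9 requests should not be possible, which is exactly why a review must surface them.
SAMPLE = """\
172.16.0.150 - - [15/02/2024:08:01:12 +0800] "GET /jsp/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.128.30.21 - - [15/02/2024:08:02:40 +0800] "POST /jsp/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [15/02/2024:03:14:07 +0800] "GET /jsp/old_page.jsp HTTP/1.1" 404 210 "-" "curl/7.68"
203.0.113.9 - - [15/02/2024:03:14:09 +0800] "GET /jsp/login.jsp HTTP/1.1" 500 0 "-" "curl/7.68"
garbage line that does not parse
""".splitlines()

def demo():
    return review_access_log(SAMPLE, ["10.128.30.0/24", "172.16.0.150/32"])
```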
43
Logs checking (cont'd)
Local backup log
• To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)
44
Logs checking (cont'd)
WebSAMS HTTP Linux Server
■ Apache log (/var/log/apache2/access_log_80, 443, 7010)
■ Error log (/var/log/apache2/error_log_80, 443, 7010)
■ System log (/var/log/messages)
■ Virus scan log (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####)
45
Logs checking (cont'd)
Linux System Log
• /var/log/messages
• /var/log/
46
Logs checking (cont'd)
All logs in anti-virus:
• https://websams.school.edu.hk:14943
• Virus Logs, Spyware Logs, Scan Logs & System Logs
• /var/log/TrendMicro/SProtectLinux/
47
Logs checking (cont'd)
48
Logs checking (cont'd)
Hardware Firewall Log Screen
49
Pilot Cloud School
The local WebSAMS original server/NAS/router still need regular operations:
• Windows updates
• WebSAMS Security guide and Recommended Practice
• Anti-malware updates
• Regular checking e.g. hardware fault LED
• Firmware update
Security-related tasks inside WebSAMS remain the same, e.g.
• Check login audit log
• Maintain access rights of different user accounts/groups
• Password settings, policy
Precautions against ransomware and malware
50
HTTP Server, Router, Firewall,
WebSAMS Security, SSL Cert
05 WebSAMS Hardening
51
WebSAMS Router
WebSAMS Router (between WebSAMS and ITED)
■ Block all unnecessary network traffic
■ Only allow specific network services and TCP ports
■ HTTP Server connects to the WebSAMS server
■ Using TCP 8009 for production, TCP 7009 for training
■ WebSAMS server can access the Internet without passing through a proxy
■ TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS), TCP 25 (SMTP), TCP 110 (POP3)
52
Router Config
Modified default route, example:
■ ip route 0.0.0.0 0.0.0.0 10.128.15.253
ACL modification, example:
■ access-list 101 permit tcp any 10.128.30.0 0.0.0.255 gt 1023 established
■ access-list 101 permit udp any 10.128.30.0 0.0.0.255 gt 1023
■ access-list 101 permit icmp any 10.128.30.0 0.0.0.255 echo-reply
■ access-list 101 permit icmp any host 10.128.30.150 packet-too-big
■ access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 8009
■ access-list 101 permit tcp host 172.16.0.150 host 10.128.30.150 eq 7009
■ access-list 101 deny ip any any log
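To make the first-match behaviour of access-list 101 concrete, here is an added example (not from the briefing or from WebSAMS) that transcribes the seven lines above into a Python model and evaluates constructed packets against it. It simplifies the Cisco `established` keyword and the ICMP message types to a single `flag` argument, and 203.0.113.9 is a documentation address standing in for an outside host.

```python
import ipaddress

# access-list 101 from the slide, rule by rule; the first matching rule decides.
# Wildcard masks become prefix lengths (0.0.0.255 -> /24, host -> /32, any -> 0.0.0.0/0).
# The port test applies to the destination port, since it follows the destination address.
ACL_101 = [
    ("permit", "tcp",  "0.0.0.0/0",       "10.128.30.0/24",   ("gt", 1023), "established"),
    ("permit", "udp",  "0.0.0.0/0",       "10.128.30.0/24",   ("gt", 1023), None),
    ("permit", "icmp", "0.0.0.0/0",       "10.128.30.0/24",   None,         "echo-reply"),
    ("permit", "icmp", "0.0.0.0/0",       "10.128.30.150/32", None,         "packet-too-big"),
    ("permit", "tcp",  "172.16.0.150/32", "10.128.30.150/32", ("eq", 8009), None),
    ("permit", "tcp",  "172.16.0.150/32", "10.128.30.150/32", ("eq", 7009), None),
    ("deny",   "ip",   "0.0.0.0/0",       "0.0.0.0/0",        None,         None),
]

def _port_matches(cond, dport):
    if cond is None:
        return True
    op, value = cond
    return dport > value if op == "gt" else dport == value

def evaluate(proto, src, dst, dport=0, flag=None):
    """Return (action, rule_index) of the first rule matching a packet entering the WebSAMS
    subnet. flag models what the ACL keyword tests: 'established' for TCP segments with
    ACK/RST set (replies to sessions opened from inside), or the ICMP message type."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, pcond, rflag) in enumerate(ACL_101):
        if rproto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if not _port_matches(pcond, dport) or (rflag is not None and rflag != flag):
            continue
        return action, i
    return "deny", None   # Cisco's implicit deny; unreachable here because of the final deny line

def demo():
    """Constructed packets; only the HTTP server on its two service ports gets new sessions in."""
    return {
        "http_server_to_production": evaluate("tcp", "172.16.0.150", "10.128.30.150", 8009),
        "http_server_to_other_port": evaluate("tcp", "172.16.0.150", "10.128.30.150", 445),
        "outsider_to_production": evaluate("tcp", "203.0.113.9", "10.128.30.150", 8009),
        "reply_to_inside_session": evaluate("tcp", "203.0.113.9", "10.128.30.21", 51000, "established"),
        "udp_reply_high_port": evaluate("udp", "203.0.113.9", "10.128.30.21", 51001),
        "ping_reply": evaluate("icmp", "203.0.113.9", "10.128.30.21", flag="echo-reply"),
    }
```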
53
WebSAMS subnet access internet
Access the Internet directly, not through the proxy server
Involved equipment / services:
■ WebSAMS Router
■ Internet Gateway
■ ISP
54
Encrypt Export Files in WebSAMS
• To avoid repeated warning messages when decrypting the exported files, trust the school WebSAMS URL in IE:
ALT+T > Internet Options > Security tab > Local Intranet > [Sites] > Input {School WebSAMS URL} > [Add]
(IE11 on Windows 7)
55
Encrypt Export Files in WebSAMS (cont’d)
ALT+T > Internet Options > Security tab > Trusted sites > [Sites] > Input {School WebSAMS URL} > [Add]
(IE11 on Windows 10)
56
WebSAMS Server Security
Enable Screen Saver Timeout
• WebSAMS Server and all client PCs
• Start -> Control Panel -> Display > Change screen saver
57
WebSAMS Server Security (cont’d)
Enable Windows Firewall
• Start -> Control Panel -> Windows Firewall > Advanced settings
58
WebSAMS Server Security (cont’d)
• Inbound Rules > New Rule…
59
WebSAMS Server Security (cont’d)
• Rule Type > Port
• Protocol and Ports > TCP > Specific local ports: 80, 443, 8009, 7009, 3268, 7010, 7268
• Action > Allow the Connection
60
WebSAMS Server Security (cont’d)
• Name > WebSAMS > Finish
• Apply the latest security patch for WebSAMS
61
Root certificate on WebSAMS client PC
Purpose of installing root certificate:
■ WebSAMS is confirmed as a trusted website.
■ No more warning messages will be shown when accessing WebSAMS again.
62
Root certificate on WebSAMS client PC (cont'd)
Install WebSAMS Root Certificate on Windows 7/8/10
63
Root certificate on WebSAMS client PC (cont'd)
Install WebSAMS Root Certificate on Windows 7/8/10
64
Root certificate on WebSAMS client PC (cont'd)
Verification of root certificate in Internet Explorer
65
Disable remote desktop service
66
Data Security
• Disconnect any shared folder on WebSAMS Server
67
Data Security (cont'd)
The NAS should be connected to the WebSAMS Server with a cross-over cable. Don't connect the NAS device to the WebSAMS network switch.
Don't use WebSAMS on a public PC, e.g. in a cafe or on the MTR.
Keep an offline and offsite backup.
68
Data Security (cont'd)
Keep the original basic network setting
• Don't connect the WebSAMS Server to the ITED network directly.
• Don't connect the HTTP Server to the WebSAMS network switch.
• Don't connect the NAS device to the WebSAMS network switch.
• Don't connect the ISP device to the WebSAMS Server directly.
69
Internet Security
Only open WebSAMS to Internet access for a specific period when necessary:
1. Restrict the time for accessing WebSAMS from clients outside the SAMS LAN segment at “Security > Configuration > System Configuration”
70
Internet Security (cont'd)
2. Set up a specific “Internet Access Time Profile” to further control the access time for particular user clients outside the SAMS LAN segment at “Security > Access Control > Internet Access Time Profile”
71
Internet Security (cont'd)
72
Assistance, Summary…
06 Support & Summary
73
WebSAMS Helpdesk Scope
WebSAMS Application enquiry
Modules maintenance
General usage enquiries
WebSAMS Technical enquiry
Focus on WebSAMS Application
Other enquiries:
School Liaison Officer of the WebSAMS Team
74
Resources
WebSAMS Central Document Repository:
https://cdr.websams.edb.gov.hk
WebSAMS System Manual:
(AOM) https://www.websams.edb.gov.hk > Installation for New School
(COPM) https://www.websams.edb.gov.hk > Installation for New School
(UM) https://cdr.websams.edb.gov.hk > Home > System Documents > User Manual
75
Resources
WebSAMS Forum:
• WebSAMS Central Document Repository
• Home > Related Links > HKEdCity WebSAMS Forum
• https://forum.hkedcity.net/forumdisplay.php?fid=71
WebSAMS Helpdesk:
• Hotline: 3125-8510, Fax: 3125-8999
• E-mail: [email protected]
• Leave your School ID, contact person and contact number
76
6. WebSAMS Download Site Problem
Register the real IP address with the School Liaison Officer
https://cdr.websams.edb.gov.hk > Home > Frequently Used Phone/Email/Address > List of WebSAMS School Liaison Officers and Contact Methods
77
Q & A Session
78
The End