Briefing Session on WebSAMS Server, Network & System Security Management
Contents • 01 WebSAMS Architecture: Hardware, Software • 02 Tools for WebSAMS Security: Security Checklist/Check Report, IT Security, New School Docs • 03 Management Experience Sharing: Prevent Ransomware, Password Policy… • 04 Hands-on Regular Tasks: Backup, Security Checking, Updating, Log Checking • 05 WebSAMS Hardening: HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert • 06 Support & Summary: Assistance, Summary…
01 WebSAMS Architecture Hardware, Software
WebSAMS Architecture 4 Hardware • The WebSAMS network is a private, separate network, isolated from the ITED network by the WebSAMS Router • From outside the WebSAMS network, all users must go through the HTTP Server to access the WebSAMS server • The HTTP Server can be located within the Demilitarized Zone (DMZ) or inside the ITED network • Network Attached Storage (NAS) for WebSAMS backup
WebSAMS System Software 6 Software • Required software is installed on the WebSAMS server (Windows Server 2012 R2) • Apache • JBoss & JRE (Java) • Sybase SQL Anywhere 16 • Crystal Server 2013 • Anti-Virus Software • Backup Software
2 Network (Typical) Network Design in WebSAMS (A)
3 Network (Other) Network Design in WebSAMS (B)
Internet Gateway in ITED • Internet Gateway • Separates the Internet and ITED • 2 interfaces: one for real IP and another for internal IP • Supports NAT (Network Address Translation), i.e. access from Internet to ITED • Translates the IP address from one network to another network • Port mapping function
HTTP Server • Simply forwards all requests to the WebSAMS server • Does not store any data
02 Tools for WebSAMS Security Security Checklist/ Sec Check Report, IT Security, New School Docs
5 Tools for Security Resources on Security of WebSAMS • Security Check Summary Report (WebSAMS built-in function) • Security Checklist • WebSAMS Security Guide and Recommended Practice • WebSAMS documents for New School • Pre-installation Reminders and Activities (Doc 4) • Specification of WebSAMS 3.0 Hardware & Software (Doc 20) • Network Integration Guideline For New School (Doc 24) • Site Preparation Guideline for WebSAMS in school (Doc 17) • Installation Guidelines for WebSAMS 3.0 (Doc 33) • Government security website
Resources on Security of WebSAMS (cont'd) • Regularly visit the Information Security websites • IT Security of HKSAR • http://www.infosec.gov.hk • Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) • https://www.hkcert.org
03 Management Experience Sharing Prevent Ransomware, Password Policy…..
4A in WebSAMS What is IT Security (4A) • 4A: Authentication, Authorization, Accounting, Audit • Authentication • Password Policy/ Account Policy • Authorization • Proper Access Control • Accounting • Audit trail, System/Application logging • Audit • Security Checklist/ Sec Check Summary Report, 3rd party security audit
Management Experience Sharing 4 Challenge • Security Check Summary Report and Checklist • Prevent Ransomware • Password Policy • Change New ISP
Security Check Summary Report • Enable the Security Check function and read the summary report popup in WebSAMS • Report includes • Summary • Details • Note
Security Check Summary Report (cont'd) • The Security Check function helps schools check the basic system security settings of WebSAMS • Tips on using the new function:
System Security Setting Checklist • Download the Checklist & Tips from the CDR site • Conduct checking regularly • Keep the completed checklist for record purposes (schools are NOT required to submit this checklist to the EDB)
Prevent Ransomware • Back up important data regularly • Separate the Student network, Teacher network, Server network, WiFi network and WebSAMS network into different zones (VLANs) • Use a secure public DNS • Monitor the server's CPU usage • Government schools that find themselves infected with ransomware should report to the EDB OS helpdesk first
Change password • Change passwords on a regular basis • OS System administrator • WebSAMS login accounts including "sysadmin" and "asysadmin" • HTTP root account
Change password (cont'd) • Change any simple password in use as soon as possible. The new password should meet the minimum complexity requirements as follows: • The password should fulfill any 3 out of the 4 criteria: • contain English character(s) a-z (lower case) • contain English character(s) A-Z (upper case) • contain digit(s) 0-9 • contain special character(s) ("Space" is not allowed) • Length of password should be within 8-40 characters • User ID cannot be used as password
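The complexity rules above can be checked mechanically before a new password is accepted. The following is an added example, not part of the original briefing or of WebSAMS itself; it assumes that "special character" means ASCII punctuation and that the user ID comparison ignores case, and the sample passwords are constructed.

```python
import string

# Assumption: "special character" means ASCII punctuation; the slide only
# says that "Space" is not allowed.
SPECIALS = set(string.punctuation)
CLASSES = {
    "a-z": set(string.ascii_lowercase),
    "A-Z": set(string.ascii_uppercase),
    "0-9": set(string.digits),
    "special": SPECIALS,
}

def check_password(user_id, password):
    """Return the policy violations for one account (empty list = compliant)."""
    problems = []
    if not 8 <= len(password) <= 40:
        problems.append("length must be within 8-40 characters")
    if " " in password:
        problems.append('"Space" is not allowed')
    used = [name for name, chars in CLASSES.items() if chars & set(password)]
    if len(used) < 3:
        problems.append(f"only {len(used)} of 4 character classes used")
    # Assumption: the comparison ignores case, the stricter reading of the rule.
    if password.casefold() == user_id.casefold():
        problems.append("user ID used as password")
    return problems

# Constructed candidate passwords for illustration only.
SAMPLES = [
    ("sysadmin", "sysadmin"),
    ("asysadmin", "Winter 2024!"),
    ("teacher01", "Blue7-Harbour"),
]

def audit(samples):
    """Map each user ID to its violations, omitting compliant accounts."""
    report = {}
    for user, pw in samples:
        problems = check_password(user, pw)
        if problems:
            report[user] = problems
    return report

if __name__ == "__main__":
    for user, problems in audit(SAMPLES).items():
        print(user, "->", "; ".join(problems))
```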
04 Hands-on Regular Tasks Backup, Security Checking, Updating, Log Checking
Backup • WebSAMS Server backup • Daily full backup recommended • HTTP Server backup / WebSAMS Router backup • When a setting is changed, back up the settings only
Data Backup • Reminder: Importance of off-line backup • WebSAMS Backup Schedule • Pre-backup, Backup, Post-backup • From about 00:00 am to 06:00 am • Flow of Scheduled Backup • Stop WebSAMS engine • Backup • Housekeep WebSAMS application log files • Start WebSAMS • Encryption of backup images • Check backup status daily
Pre-backup • D:\WebSAMS3.0\batch\pre_backup.bat • Runs for 15 mins • Stop JBoss, database, Apache • Make a copy of WebSAMS data to • E:\data\<SUID>\database\sched
Post-backup • D:\WebSAMS3.0\batch\post_backup.bat • Housekeep Apache log files • D:\WebSAMS3.0\Apache\logs\ • Housekeep WebSAMS server log files (older than 30 days) • D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log • Housekeep CDS log (more than 30 days) • E:\data\CDS\<dest_id>\system\log\ • Housekeep Report temp log files • E:\data\<SUID>\rpt\temp • Start database, JBoss, Apache
Backup on HTTP Server • Back up the WebSAMS HTTP server settings to a USB drive • Use command “httpconfig” • Or use command “fdisk -l” to check the USB device name, e.g. sda1, sda2 or sdb1, etc. • Use command “grepconfig” / “grepconfig /dev/{USB device name}” • Run the command when the HTTP server is running in good condition • Those files can be copied to any Windows storage for backup purposes
Backup on HTTP Server (cont'd) • Step 1: Log in to the HTTP server as root • Step 2: Type command “httpconfig” or “grepconfig /dev/sda1” • Step 3: Press “Y” in the following screen
Backup on HTTP Server (cont'd) • Step 4: Press “0” if all information is correct • Step 5: Press “Y” to confirm in the following screen
Security Check Summary Report (cont'd) • Enable the security check function (default: Enable) • Set the daily scanning time (default: 08:00PM) • The Security Check function scans basic settings in: • HTTP server • WebSAMS router • WebSAMS server
Security Check Summary Report (cont'd) • If the checkbox is checked, a notification will be displayed after logging in to WebSAMS when an exception report is generated • Read the report and follow the remedy action to fix the issues (if any)
Security Check Summary Report (cont'd) • Exception Report • Summary • Details • Note
Patch update • Run Windows Update monthly • Install major Windows patches for Windows servers only after testing by EDB, as announced via WebSAMS Release Notes / CDR message from time to time • Enable real-time protection & update virus pattern on Anti-virus (including all servers and workstations) • Update firmware on WebSAMS Router (consult hardware vendor)
Patch update (cont'd) • Update HTTP server patch by “starthsp” command monthly • 1) Log in HTTP server by using the “root” account • 2) Type the following command and press [Enter] • 3) If the process is successful, the following message will be shown
Logs checking • Windows Event Viewer log • Control Panel > Administrative Tools > Event Viewer • Apache log • D:\WebSAMS3.0\Apache\logs\ • access.log-<dd-MM-yyyy> (HTTP request log) • errors.log-<dd-MM-yyyy> (error log) • Virus scanning log • Backup software log
Logs checking (cont'd) • Local backup log • To check whether the pre-backup tasks have been run successfully (E:\data\<SUID>\Log\DB\backup.log)
Logs checking (cont'd) • WebSAMS HTTP Linux Server • Apache log • (/var/log/apache2/access_log_80, 443, 7010) • Error log • (/var/log/apache2/error_log_80, 443, 7010) • System log • (/var/log/messages) • Virus scan log • (/var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.#### )
Logs checking (cont'd) • Linux System Log • /var/log/messages • /var/log/
Logs checking (cont'd) • All logs in anti-virus: • https://websams.school.edu.hk:14943 • Virus Logs, Spyware Logs, Scan Logs & System Logs • /var/log/TrendMicro/SProtectLinux/
Logs checking (cont'd) Hardware Firewall Log Screen
Pilot Cloud School • The local WebSAMS original server/NAS/router still needs regular operations • Windows updates • WebSAMS Security Guide and Recommended Practice • Anti-malware updates • Regular checking, e.g. hardware fault LED • Firmware update • Security-related tasks inside WebSAMS remain the same, e.g. • Check login audit log • Maintain access rights of different user accounts/groups • Password settings, policy • Precautions against ransomware and malware
05 WebSAMS Hardening HTTP Server, Router, Firewall, WebSAMS Security, SSL Cert
WebSAMS Router • WebSAMS Router ( between WebSAMS and ITED ) • Block all unnecessary network traffic • Only allow specific network services and TCP ports • HTTP Server connects to WebSAMS server • Using TCP 8009 for production, TCP 7009 for training • WebSAMS server can access Internet without passing through proxy • TCP 80 (HTTP), TCP 443 (HTTPS), TCP/UDP 53 (DNS), TCP 25 (SMTP), TCP 110 (POP3)
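The allow-list on this slide can serve as a baseline for reviewing the router's permit rules. The following is an added example, not part of the original briefing and not a WebSAMS or router vendor tool; the rule text format, the two server addresses and the sample rules are assumptions constructed for illustration, and it handles IPv4 only.

```python
from ipaddress import ip_network

# Constructed addresses (assumptions); substitute the school's real ones.
HTTP_SERVER = ip_network("10.10.1.5/32")
WEBSAMS = ip_network("192.168.100.2/32")
ANY = ip_network("0.0.0.0/0")

# Allow-list taken from the slide: (source, destination, protocol, port).
BASELINE = [(HTTP_SERVER, WEBSAMS, "tcp", p) for p in (8009, 7009)] + [
    (WEBSAMS, ANY, proto, port)
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 53),
                        ("udp", 53), ("tcp", 25), ("tcp", 110))]

def parse(line):
    """Parse 'ACTION PROTO SRC DST PORT|LO-HI|any' (hypothetical export format)."""
    action, proto, src, dst, ports = line.split()
    net = lambda s: ANY if s == "any" else ip_network(s)
    lo, _, hi = ("0-65535" if ports == "any" else ports).partition("-")
    return action, proto, net(src), net(dst), int(lo), int(hi or lo)

def audit(lines):
    """Return the permit rules that allow traffic outside the baseline."""
    findings = []
    for line in lines:
        action, proto, src, dst, lo, hi = parse(line)
        if action != "permit":
            continue
        # Ports the baseline allows for this protocol and address pair;
        # a protocol other than tcp/udp matches nothing and is flagged.
        allowed = {port for b_src, b_dst, b_proto, port in BASELINE
                   if b_proto == proto and src.subnet_of(b_src)
                   and dst.subnet_of(b_dst)}
        if not all(p in allowed for p in range(lo, hi + 1)):
            findings.append(line)
    return findings

# Constructed sample rule set, not taken from a real router.
SAMPLE_RULES = [
    "permit tcp 10.10.1.5/32 192.168.100.2/32 8009",
    "permit tcp 10.10.1.5/32 192.168.100.2/32 7009",
    "permit udp 192.168.100.2/32 any 53",
    "permit tcp 192.168.100.2/32 any 443",
    "permit tcp any 192.168.100.2/32 3389",                # not on the slide
    "permit tcp 10.10.1.5/32 192.168.100.2/32 8000-8100",  # range too wide
    "deny tcp any any any",
]

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES):
        print("outside baseline:", rule)
```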