Number of slides: 75
Highlights of WebSAMS Server, Network & Security Seminar
Mar 2017

Contents:
- WebSAMS Architecture
- Security and Maintenance
- Backup of Data
- Logs Checking
- Root Certificate & SSL Certificate
- Regular Checking of WebSAMS System Security Settings
WebSAMS Architecture

WebSAMS Requirements
- The WebSAMS Network is a private, separate network, isolated from the ITED Network.
- Outside the WebSAMS Network, all users must go via the HTTP Server to access WebSAMS.
- The HTTP Server can be located within the Demilitarized Zone (DMZ) or inside the ITED Network, as shown in the network designs that follow.
- The HTTP Server and the WebSAMS Server are connected in different subnets.
- Required software installed on the WebSAMS server: Apache; JBoss & JRE (Java); Sybase SQL Anywhere 16; Crystal Server 2013; anti-virus software & backup software.
- All WebSAMS network cards must be connected to the WebSAMS network only.

Network Designs in WebSAMS (two network diagrams)

Internet Gateway
- Separates the Internet and ITED.
- 2 interfaces: one for the real (public) IP and another for the internal IP.
- Supports NAT (Network Address Translation), i.e. access from the Internet to ITED.

What is NAT?
- Network Address Translation (NAT) translates IP addresses from one network to another network.
- Typically one network is inside and the other is outside.
- Provides a port mapping function.

HTTP Server
- The HTTP server is simply a relay server which forwards all requests to the WebSAMS server.
- The HTTP server itself does not store any data.

WebSAMS Router (diagram)

WebSAMS Router (between WebSAMS and ITED)
- Blocks all unnecessary network traffic.
- Only allows specific network services and TCP ports.
- The HTTP Server connects to the WebSAMS server.
- The WebSAMS server can access the Internet without passing through a proxy.
- For details of the configuration of the WebSAMS Router and School Internet Gateway, refer to 'Doc 36 Rules for Configuration of WebSAMS Router and Internet Gateway'.
Security and Maintenance

Best practices on protection of, and export of data from, WebSAMS:
- Proper access control
- Data encryption
- Password handling
- Disable the remote desktop service on the WebSAMS server

Patch update
- Update security patches of Windows Server 2012 R2.
- Install major Windows patches for Windows Servers only after testing by EDB, as announced via WebSAMS Release Notes / CDR messages from time to time.
- Enable real-time protection and update the virus pattern of the anti-virus program (on all servers and workstations).
- Update IOS (Cisco) or firmware on the WebSAMS Router (consult the hardware vendor).
- The command "starthsp" can be completed successfully on the HTTP server.

Data Security
- Disconnect any shared folder on the WebSAMS Server.
- NAS should be connected to the WebSAMS Server with a crossover Ethernet cable. Do not connect the NAS device to the WebSAMS network switch.
- Exposure of any sensitive exported data (student & guardian personal info, staff personal info, financial reports, etc.) on any public machine is not recommended.
- Keep an offline and offsite backup.
- Keep the original basic network setting of WebSAMS unchanged. For example:
  - Do not connect the WebSAMS Server to the ITED network switch or firewall directly.
  - Do not connect the WebSAMS HTTP Server to the WebSAMS network switch.
  - Do not connect the NAS device to the WebSAMS network switch.
  - Do not connect the Internet cable from the ISP to the WebSAMS Server.
- To protect against leakage of sensitive data, schools are advised to:
  - ensure that users can only import and export system data when they are authorized to do so and appropriate measures have been taken;
  - maintain accuracy, integrity and consistency of system data when importing data into WebSAMS;
  - take all feasible measures to ensure the personal data collected by data users are protected against unauthorized or accidental access, processing, erasure or use.

Resources on IT Security of WebSAMS
- IT Security in Schools – Recommended Practice (ITSS). Path: EDB Webpage > Education System and Policy > Primary and Secondary School Education > Applicable to Primary and Secondary School > IT in Education > On-going Support
- Security Guides & Checklist for WebSAMS. Path: http://cdr.websams.edb.gov.hk > 主頁 (Home) > 參考資料 (Reference Materials) > 保安及處理敏感數據指引 (Security and Sensitive Data Handling Guidelines)
- WebSAMS Version Upgrade release notes. Path: http://www.websams.edb.gov.hk > Version Upgrade for 3.0 > Major Upgrade
- Security reminders in security alerts issued by EDB from time to time. Path: EDB Website > Education System and Policy > Primary and Secondary School Education > Applicable to Primary and Secondary School > IT in Education
- Regularly visit the Information Security website of HKSAR for updated IT security information: http://www.infosec.gov.hk
- Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT): https://www.hkcert.org

Internet
Only open WebSAMS to Internet access for a specific period when necessary:
1. Restrict the time for accessing WebSAMS from clients outside the SAMS LAN segment at "Security > Configuration > System Configuration".
2. Set up a specific "Internet Access Time Profile" to further control the access time for particular user clients outside the SAMS LAN segment at "Security > Access Control > Internet Access Time Profile".

WebSAMS Server Security: OS Hardening Settings and Security Best Practices
1. Local Security Policy
   Start > Control Panel > Administrative Tools > Local Security Policy
   - In Account Policies > Account Lockout Policy, set "Account lockout threshold" to 3 invalid logon attempts, and set both "Account lockout duration" and "Reset account lockout counter after" to 30 minutes.
   - In Local Policies > Audit Policy, set "Audit object access" to "Failure" and "Audit system events" to "Success".
   - More policy settings are listed in Appendix 8 of the Installation Guidelines for WebSAMS 3.0.
2. User account management
   - Disable / delete all unused login accounts of the Windows Server and of the WebSAMS application.
   - Start > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users > Administrator
   - On the General tab of the properties of ALL user accounts, uncheck the "Password never expires" checkbox.
3. Enable Screen Saver Timeout on the WebSAMS Server
   - Similar settings also apply to WebSAMS workstations and ITED workstations that access WebSAMS.
   - Start > Control Panel > Display > Change screen saver
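The same three hardening items can be applied and verified from the command line instead of clicking through the Control Panel. The script below is an added example, not part of the seminar deck: it uses the lockout and audit values stated on the slides, and the 600-second screen saver timeout is an assumption (the slide gives no figure). Run it from an elevated PowerShell prompt on Windows Server 2012 R2.

```powershell
# Added example, not part of the seminar deck: applies the hardening items from
# steps 1-3 above on Windows Server 2012 R2 and prints the effective settings.
# Run from an elevated PowerShell prompt. Policy values are the ones stated on the
# slides; the screen saver timeout (600 s) is an assumption, the slide gives none.

# --- Step 1: Account Lockout Policy (3 attempts, 30 min lockout, 30 min reset window)
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# --- Step 1: Audit Policy (object access: Failure; system events: Success)
auditpol /set /category:"Object Access" /failure:enable | Out-Null
auditpol /set /category:"System" /success:enable | Out-Null

# --- Step 2: clear "Password never expires" on every local account
$localAccounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
foreach ($acct in $localAccounts) {
    if (-not $acct.PasswordExpires) {          # PasswordExpires=False means the box is ticked
        $acct.PasswordExpires = $true
        $acct.Put() | Out-Null
        Write-Output "Cleared 'Password never expires' on $($acct.Name)"
    }
}
# --- Step 2: list the accounts that are still enabled so unused ones can be reviewed;
#     disable an unused one with:  net user <name> /active:no
$localAccounts | Where-Object { -not $_.Disabled } | Select-Object Name, PasswordExpires

# --- Step 3: password-protected screen saver timeout for the current profile
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value '600'   # seconds (assumption)

# --- Verification: print what is now in effect
net accounts | Select-String -Pattern 'Lockout'
auditpol /get /category:"Object Access"
auditpol /get /category:"System"
Get-ItemProperty -Path $desktop -Name ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
```

The screen saver values live under HKCU, so the script only covers the profile it runs in; to enforce the timeout for every account that logs on to the server, set the same items through Local Group Policy (User Configuration > Administrative Templates > Control Panel > Personalization) instead.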
4. Enable Windows Firewall
   Start > Control Panel > Windows Firewall > Advanced settings
   - Inbound Rules > New Rule…
   - Rule Type > Port
   - Protocol and Ports > TCP > Specific local ports: 80, 443, 8009, 7009, 3268, 7010, 7268 (add 8109 & 9268 for 1 Server 2 WebSAMS only)
   - Action > Allow the connection
   - Profile > Domain, Private & Public
   - Name > WebSAMS > Finish
5. Apply the latest security patch of WebSAMS
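The wizard steps of item 4 map onto a single New-NetFirewallRule call, which is easier to repeat identically on every server and to audit afterwards. The following is an added example, not code from the deck or from the WebSAMS team; the port list is the one on the slide, and $oneServerTwoWebSAMS is a constructed switch for the "1 Server 2 WebSAMS" case.

```powershell
# Added example, not part of the deck: create the inbound "WebSAMS" rule from
# step 4 with PowerShell instead of the wizard, then verify it. The ports are the
# ones listed on the slide; $oneServerTwoWebSAMS is a constructed switch.
$oneServerTwoWebSAMS = $false   # set to $true for a "1 Server 2 WebSAMS" installation

$ports = @(80, 443, 8009, 7009, 3268, 7010, 7268)
if ($oneServerTwoWebSAMS) { $ports += @(8109, 9268) }

# Step 4 says "Enable Windows Firewall": make sure it is on for all three profiles
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Idempotent: drop an earlier rule of the same name before re-creating it
Get-NetFirewallRule -DisplayName 'WebSAMS' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName 'WebSAMS' `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort $ports `
    -Action Allow `
    -Profile Domain, Private, Public | Out-Null

# Verify: the rule exists, is enabled, and carries exactly the expected ports
$rule       = Get-NetFirewallRule -DisplayName 'WebSAMS'
$portFilter = $rule | Get-NetFirewallPortFilter
[PSCustomObject]@{
    Name     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Profiles = $rule.Profile
    Protocol = $portFilter.Protocol
    Ports    = ($portFilter.LocalPort -join ',')
}

# Review every other enabled inbound Allow rule: on a WebSAMS server only what the
# application needs should remain open, so anything unexpected here merits a look
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -ne 'WebSAMS' } |
    Select-Object DisplayName, Profile, Group
```

The last query is the part the wizard does not give you: an allow rule for the WebSAMS ports is only useful if the firewall is otherwise closed, so the list of remaining inbound allow rules is worth keeping with the checklist from the last section of this deck.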
Backup of Data

** Reminder: importance of regular off-line backup

WebSAMS Backup Schedule: flow of the scheduled backup (from about 00:00 to 06:00)
- Pre-backup: stop the WebSAMS engine
- Backup: back up the data; encrypt the backup images
- Post-backup: housekeep the WebSAMS application log files; start the WebSAMS engine

Backup Job Workflow (diagram)

Pre-backup: D:\WebSAMS3.0\batch\pre_backup.bat (about 15 mins)
- Stop JBoss, the database and Apache
- Make a copy of the WebSAMS data to E:\data\<SUID>\database\sched

Post-backup: D:\WebSAMS3.0\batch\post_backup.bat
- Housekeep Apache log files: D:\WebSAMS3.0\Apache\logs
- Housekeep WebSAMS server log files (older than 30 days): D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log
- Housekeep report temp files: E:\data\<SUID>\rpt\temp
- Housekeep CDS logs (older than 30 days): E:\data\CDS\<dest_id>\system\log
- Start the database, JBoss and Apache
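The housekeeping part of post-backup is the step most often adjusted by schools (different retention, extra directories), so it helps to see it as a small, reviewable function. The block below is an added example and is not the deck's post_backup.bat; it uses the four directories and the 30-day retention named on the slide, and SUID_PLACEHOLDER / DEST_ID_PLACEHOLDER stand for the school's own <SUID> and <dest_id>.

```powershell
# Added example, not the deck's post_backup.bat: the log housekeeping step of
# post-backup as a reusable function. Directories are those named on the slide;
# the SUID and dest_id values are placeholders to be filled in for the school.
# -WhatIf lists what would be removed without deleting anything.
function Remove-OldWebSAMSLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Directory,
        [int] $RetentionDays = 30          # the slide says "older than 30 days"
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Skipping missing directory: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -File -Recurse |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                # ShouldProcess honours -WhatIf / -Confirm for each file
                if ($PSCmdlet.ShouldProcess($_.FullName, "Remove (last written $($_.LastWriteTime))")) {
                    Remove-Item -LiteralPath $_.FullName -Force
                }
            }
    }
}

$suid   = 'SUID_PLACEHOLDER'      # replace with the school's SUID
$destId = 'DEST_ID_PLACEHOLDER'   # replace with the CDS destination id

$logDirs = @(
    'D:\WebSAMS3.0\Apache\logs',                          # Apache log files
    'D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log',  # WebSAMS server log files
    "E:\data\$suid\rpt\temp",                             # report temp files
    "E:\data\CDS\$destId\system\log"                      # CDS logs
)

# Dry run first; remove -WhatIf once the listed files are the expected ones
Remove-OldWebSAMSLogs -Directory $logDirs -RetentionDays 30 -WhatIf
```

Because the age test is on LastWriteTime, the current server.log and today's Apache access.log are never touched, and the files that are removed are exactly the ones the next section tells you to have already reviewed.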
Backup on HTTP Server
Back up the WebSAMS HTTP server (SUSE Linux Enterprise 11) settings to a USB drive or a floppy drive.
- Use the command "httpconfig", or use the command "fdisk -l" to check the USB device name (e.g. sda1, sda2 or sdb1, etc.) and then use "grepconfig" / "grepconfig /dev/{USB device name}" (for a 1 Server 2 WebSAMS environment, use "grepconfig_1s2s").
- Run the command when the HTTP server is running in good condition.
- The resulting files can be copied to any Windows storage for backup purposes.

Steps:
- Step 1: Log in to the HTTP server as root.
- Step 2: Type the command "httpconfig" or "grepconfig /dev/sda1".
- Step 3: Press "Y" in the following screen.
- Step 4: Press "0" if all information is correct.
- Step 5: Press "Y" to confirm in the following screen.

Logs Checking

Logs checking
- Windows Event Viewer log: Control Panel > Administrative Tools > Event Viewer
- Apache log: D:\WebSAMS3.0\Apache\logs
  - access.log-<dd-MM-yyyy> (HTTP request log)
  - errors.log-<dd-MM-yyyy> (error log)
- Virus scanning log
- Backup software log
- Local backup log, to check whether the pre-backup tasks have run successfully: E:\data\<SUID>\Log\DBbackup.log
- JBoss Server Log: D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log\server.log (each entry shows Severity, Time Stamp and Message)
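Opening each of these logs by hand is where regular checking usually stops, so a short script that pulls out the entries worth a second look is useful. The following is an added example, not part of the deck or of WebSAMS: it parses Apache access-log lines for repeated authentication failures and server errors, filters JBoss server.log for ERROR/WARN entries, and queries the Windows Security log for failed logons and lockouts. The Apache and JBoss lines in it are constructed samples so it can be tried offline; the commented-out Get-Content lines read the real files from the paths on the slides.

```powershell
# Added example, not part of the deck: a first-pass review of three of the log
# sources above (Windows Security event log, Apache access log, JBoss server.log).
# The Apache and JBoss lines below are constructed samples so the parsing can be
# tried offline; the commented-out Get-Content lines read the real files.

function Get-ApacheAccessSummary {
    param([string[]] $Lines, [int] $AuthFailureThreshold = 3)
    # Apache common log format: client ident user [time] "request" status bytes
    $re = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) (?<bytes>\S+)'
    $hits = foreach ($l in $Lines) {
        if ($l -match $re) {
            [PSCustomObject]@{ Ip = $Matches.ip; Time = $Matches.time
                               Request = $Matches.req; Status = [int]$Matches.status }
        }
    }
    [PSCustomObject]@{
        Requests     = @($hits).Count
        ServerErrors = @($hits | Where-Object { $_.Status -ge 500 }).Count
        # clients with repeated 401/403 responses: compare with the WebSAMS login audit trail
        RepeatedAuthFailures = @($hits | Where-Object { $_.Status -in 401, 403 } |
                                 Group-Object Ip | Where-Object { $_.Count -ge $AuthFailureThreshold } |
                                 ForEach-Object { "$($_.Name) x$($_.Count)" })
    }
}

function Get-JBossProblems {
    param([string[]] $Lines, [string[]] $Levels = @('ERROR', 'FATAL', 'WARN'))
    # server.log default pattern: "yyyy-MM-dd HH:mm:ss,SSS LEVEL [logger] (thread) message"
    $re = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?<level>[A-Z]+)\s+\[(?<logger>[^\]]+)\]\s+\((?<thread>[^)]+)\)\s+(?<msg>.*)$'
    foreach ($l in $Lines) {
        if (($l -match $re) -and ($Matches.level -in $Levels)) {
            [PSCustomObject]@{ TimeStamp = $Matches.ts; Severity = $Matches.level
                               Logger = $Matches.logger; Message = $Matches.msg }
        }
    }
}

function Get-RecentLogonFailures {
    param([int] $Hours = 24)
    # Security log: 4625 = failed logon, 4740 = account locked out (the 3-attempt policy)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Constructed sample lines (not real school traffic)
$sampleAccess = @(
    '192.168.10.21 - - [06/Mar/2017:08:30:01 +0800] "GET /jsp/login.jsp HTTP/1.1" 200 5123',
    '203.0.113.9 - - [06/Mar/2017:08:31:10 +0800] "POST /jsp/login.jsp HTTP/1.1" 401 312',
    '203.0.113.9 - - [06/Mar/2017:08:31:14 +0800] "POST /jsp/login.jsp HTTP/1.1" 401 312',
    '203.0.113.9 - - [06/Mar/2017:08:31:19 +0800] "POST /jsp/login.jsp HTTP/1.1" 401 312',
    '192.168.10.22 - - [06/Mar/2017:08:40:00 +0800] "GET /jsp/report.jsp HTTP/1.1" 500 0'
)
$sampleServerLog = @(
    '2017-03-06 08:29:50,101 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS 7.1.1.Final started',
    '2017-03-06 08:40:00,417 ERROR [stderr] (http--0.0.0.0-8009-3) java.lang.NullPointerException',
    '2017-03-06 08:40:00,420 WARN  [org.jboss.jca] (Periodic Recovery) connection pool running low'
)
# Real files (paths from the slides), e.g. today's Apache access log and server.log:
# $sampleAccess    = Get-Content ('D:\WebSAMS3.0\Apache\logs\access.log-' + (Get-Date -Format 'dd-MM-yyyy'))
# $sampleServerLog = Get-Content 'D:\WebSAMS3.0\JBoss-as-7.1.1.Final\standalone\log\server.log'

Get-ApacheAccessSummary -Lines $sampleAccess | Format-List
Get-JBossProblems -Lines $sampleServerLog | Format-Table -AutoSize
Get-RecentLogonFailures -Hours 24 | Format-Table -AutoSize
```

On the sample data the Apache summary reports one server error and "203.0.113.9 x3" as a repeated authentication failer, and the JBoss filter returns the ERROR and WARN lines but not the INFO line. The access-log regex is for Apache's common log format; if the WebSAMS Apache writes the combined format (referrer and user-agent appended), the pattern still matches because it anchors only the leading fields.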
- WebSAMS Upgrade Logs
  - E:\temp\wsup1\<yyyyMMddHHmm>\*
  - E:\temp\wsup2\<yyyyMMddHHmm>\* (for the 2nd instance of 1 Server 2 WebSAMS)
  - E:\temp\training\<yyyyMMddHHmm>\*
  Files and directories are saved under the <yyyyMMddHHmm> folder, and the latest folder should be kept for tracking purposes.
- WebSAMS HTTP Linux Server
  - Apache log: /var/log/apache2/access_log_80, access_log_443, access_log_7010
  - Error log: /var/log/apache2/error_log_80, error_log_443, error_log_7010
  - System log: /var/log/messages (and the other files under /var/log/)
  - Virus scan log: /var/log/TrendMicro/SProtectLinux/Virus.yyyyMMdd.####
- All logs of the anti-virus on the HTTP server: https://websams.school.edu.hk:14943 (Virus Logs, Spyware Logs, Scan Logs & System Logs), stored under /var/log/TrendMicro/SProtectLinux/
- Hardware firewall log screen

Change password
Change passwords on a regular basis:
- OS system administrator
- WebSAMS login accounts, including "sysadmin" and "asysadmin"
- HTTP root account
Root Certificate & SSL Certificate

Root certificate on WebSAMS client PC
- Purpose of installing the root certificate: with this root certificate, WebSAMS is confirmed as a trusted website, and no more warning messages will be shown when accessing WebSAMS again.
- Install the WebSAMS Root Certificate on Windows Vista/7/8/10 (step-by-step screenshots).
- Verification of the root certificate in Internet Explorer: Tools (Alt+T) > Internet Options > Content tab

Upgrade of SSL Certificate in WebSAMS HTTP Server
- Browser providers may terminate (stop trusting) the old Secure Sockets Layer (SSL) certificate at any time.
- Ensure the school's WebSAMS network would not be susceptible to security risks.
- For details, refer to the CDS message of 29 November 2016, "Important Upgrade of SSL Certificate in WebSAMS HTTP Server".

Regular Checking of WebSAMS System Security Settings

System Security Setting Checklist for WebSAMS
To ensure system and data safety, schools are advised to:
- follow the basic requirements as recommended in the WebSAMS Security Guide and Recommended Practice;
- conduct the checking on a regular basis as well as on a need basis;
- properly keep the completed checklist for record purposes (schools are NOT required to submit this checklist to the EDB).

For enquiries:
- Technical support: WebSAMS Helpdesk 3125 8510
- Other enquiries: School Liaison Officer of the WebSAMS Team

CDR Website

WebSAMS Forum

Q & A Section

The End
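Both checks in this section, that the WebSAMS root certificate is actually in the client's trusted store and that the certificate the HTTP server presents is still valid, can be done from PowerShell rather than through the Internet Explorer dialogs. The block below is an added example, not part of the deck: THUMBPRINT_PLACEHOLDER stands for the thumbprint of the root certificate the school installed (Certificate > Details > Thumbprint), and websams.school.edu.hk is the host name used earlier on this page, assumed here to be the school's HTTP server.

```powershell
# Added example, not part of the deck: verify on a WebSAMS client PC that the
# WebSAMS root certificate is installed in a Trusted Root store, and read the
# certificate the HTTP server presents so its expiry and trust can be checked.
# THUMBPRINT_PLACEHOLDER must be replaced with the installed root's thumbprint.
$webSamsRootThumbprint = 'THUMBPRINT_PLACEHOLDER'
$httpServer            = 'websams.school.edu.hk'   # host name from the deck; adjust per school

function Test-TrustedRootInstalled {
    param([string] $Thumbprint)
    $wanted = $Thumbprint.Replace(' ', '').ToUpper()   # store thumbprints are upper-case hex
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $wanted }
        if ($cert) {
            return [PSCustomObject]@{ Installed = $true; Store = $store
                                      Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
    }
    [PSCustomObject]@{ Installed = $false; Store = $null; Subject = $null; NotAfter = $null }
}

function Get-ServerCertificate {
    param([string] $HostName, [int] $Port = 443)
    # Opens a TLS session only to read the certificate; the callback accepts any chain
    # so that an expired or untrusted certificate is still returned for inspection.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $cert.Verify()     # true only if this PC trusts the issuing chain
        }
    } finally {
        $client.Close()
    }
}

Test-TrustedRootInstalled -Thumbprint $webSamsRootThumbprint | Format-List
Get-ServerCertificate -HostName $httpServer -Port 443 | Format-List
```

ChainTrusted being false while the root shows as Installed is the situation described on the SSL upgrade slide: the server is still presenting a certificate issued under the old root, so the browser warning will return regardless of what the client has installed. A DaysLeft value under a few weeks is the cue to schedule the HTTP server certificate upgrade before the warning appears.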