Conference 2014 Security - The New Priority for us and

• Important to inform users of the importance of strong passwords.
• Important to inform users that web access means potential access from
anywhere – you can't see the students doing it!
• Diligence in signing out, caution about being on public computers, and acknowledge
that using student computers could mean keyboard logging … On some tablets/iPads,
if you are using in-class projection, as you type your password it could be showing
each letter before hiding it. ** Turn that setting off.
• HECK, do not limit this to just passwords … it is all about privacy of information,
period – class lists, student profiles, …. Do not print and post without
appreciating the impact.
• What district policies do you have in place? "Share"
iSeries Security – we are SOLID with access to data files
• *PUBLIC *EXCLUDE on all XXXFILES libraries – only a few (fewer than 10, e.g. T4's for
payroll) objects have private authorities defined. Unique to the iSeries:
we grant temporary access while executing programs. Only the passwords of super
users will get you anywhere!
• xxxTRANS libraries (user downloads such as the EIS.530 download report) – key objects are
cleared nightly to reduce the risk of someone grabbing information. ** We clear ours out …
but now that information is on your PC, your USB, …. OR … is it safe on the network?
• IFS directory – some exposure: *PUBLIC on /cimssms has *WX, *OBJEXIST, *OBJMGT …
investigate and test on your own system with a normal *USER profile.
• SHARES are necessary only for a LIMITED number of people (all of them just to image /cimssms,
/cimsems, /cimsfms …). CAREFUL: ensure there is no anonymous access on the iSeries, AND set the
share/mapped drive to the CIMS-prescribed IDs (cimsacp, cimsems, …) so particular
users do not end up owning objects.
• Audit logs in STU.190, PAY.190, GNL.190 – an EXCELLENT RESOURCE for important
items that have changed – the audit tracks the CIMS USERID and the EC
employee number/name, as accessed from the Connects.
• Audit on all image views, changes, and adds – IMG.301E, IMG.301, IMG.301F
(report cards, T4's, employee applicant information …)
• GOAL: the server has nothing important on it … as of the latest release, the only
thing left on the web server is student and employee pictures.
• HTML tags written into the software so the site does not invite indexing.
• Robots.txt file recommended to reduce the chance of indexing (note that robots.txt is
only a request to well-behaved crawlers; it does not restrict access to anything):
User-agent: *
Disallow: /
• Delete.bat file to triple-check that no stray PDFs are lying around.
• ** Change to the way PDFs are generated – when any other key is selected, the
PDF is deleted automatically, so PDFs are not sitting on the server at all.
What are you doing on your webservers to reduce security exposure
– IIS setup and webserver definitions?
• Reviewed IIS logging. IIS does log activity – all access to pages, from which IP and how
many times, how many errors, etc. … This CAN help you know which pages are being hit and
when/if timeouts and errors are occurring.
• New audit for all Connect logins: each time anybody signs into any Connect in
ACSFILES/PACSWEB we are logging:
• User id
• Whether the password attempt was successful
• IP address the login came from
• Browser and operating system information
PRODUCT  IP             DATE      TIME    Browser
AC       192.168.0.55   20140227  115432  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
AC       206.45.121.16  20140227  115544  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
AC       192.168.0.22   20140227  141104  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
TC       206.45.121.16  20140227  141221  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
EC       192.168.0.22   20140227  154428  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.432
(The same table continues with a browser-family column ("Netscape, Mozilla Open Source")
and User, Extras and Password (Y/N) columns; the per-row values in those columns did not
survive extraction.)
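As an added example (not code from the presentation or from CIMS itself), the following Python pass reviews login-audit records carrying the fields listed above and pulls out what a district would look at first: repeated failed password attempts, successful logins from outside the LAN, and after-hours logins. The pipe-separated export layout, the LAN ranges and the sample rows are constructed assumptions.

```python
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

# Assumed export layout (constructed): one login per line, '|'-separated, in the
# order the slide lists: product, IP, date YYYYMMDD, time HHMMSS, browser/OS,
# user id, password accepted (Y/N).
LoginEvent = namedtuple("LoginEvent", "product ip date time browser user success")

# Assumed district LAN ranges; any other source is "access from anywhere".
LAN_RANGES = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

def parse_line(line: str) -> LoginEvent:
    product, ip, date, time, browser, user, pw = [f.strip() for f in line.split("|")]
    return LoginEvent(product, ip, date, time, browser, user, pw.upper() == "Y")

def review(lines, max_failures=3, business_hours=(7, 18)):
    """Findings a district would check first: (user, IP) pairs with repeated
    failed password attempts, successful logins from outside the LAN, and
    successful logins outside business hours (time is local HHMMSS)."""
    failures, external, after_hours = Counter(), [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev.success:
            failures[(ev.user, ev.ip)] += 1
            continue
        if not any(ip_address(ev.ip) in net for net in LAN_RANGES):
            external.append((ev.user, ev.ip, ev.product))
        if not business_hours[0] <= int(ev.time[:2]) < business_hours[1]:
            after_hours.append((ev.user, ev.date, ev.time))
    repeated = {key: n for key, n in failures.items() if n >= max_failures}
    return {"repeated_failures": repeated, "external_logins": external,
            "after_hours": after_hours}

# Constructed sample records (not real district data; 203.0.113.0/24 is a
# documentation range standing in for off-site addresses).
SAMPLE = """\
AC|192.168.0.55|20140227|115432|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko|user1|Y
TC|203.0.113.45|20140227|141221|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko|user2|Y
EC|192.168.0.22|20140227|154428|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)|user3|N
EC|192.168.0.22|20140227|154440|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)|user3|N
EC|192.168.0.22|20140227|154455|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)|user3|N
AC|203.0.113.9|20140227|231500|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko|user4|Y
"""
```

Running `review(SAMPLE.splitlines())` flags user3 for three failed attempts from 192.168.0.22, user2 and user4 as off-site logins, and user4's 23:15 login as after hours.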
• Districts can control what screen messaging appears when there is
a timeout or error on an .aspx page …… we present errormessage.pdf.
• Districts can control what screen messaging appears when the
iSeries is not available …. We present nosignon.pdf.
• REMINDER: EmployeeConnect force password change to EC (EIS.331) – we can
set a default value (currently I think only Portage is using it)!
• TeacherConnect … option to enforce a password change policy for those districts
not automatically loading this password each day.
• Pull student and staff pictures from the web server .. worried about speed if we
have to go to the iSeries for all the pictures.
• Additional Connect logging (same work as at login). Log each page movement of
each user – you would know who hit what page every day, every minute.
THOUGHTS?
• Do we have to get crazy and think about asking for additional passwords in
TeacherConnect to update marks?