Friday 24 July 2009

Guidelines to be followed by the Systems Administrators / Operators of Computerised Offices:

. The server should be kept securely away from users to ensure security of data. The system administrator of MSSQL Server has full rights on the operation of the RDBMS. It is therefore necessary that only the authorised system administrator performs the administrative functions and that he does not give the password to other operators. He should also change the password at regular intervals to ensure better security.

. Officials at each of the computerised SB offices have been trained as System Administrators and they have been given administrative access to the Server at their respective offices. They have also been provided with the Superuser password in Sanchay Post software. Even if more than one System Administrator has been trained in an office, only one System Administrator should be appointed for the Sanchay Post / Meghdoot application. He should be asked not to give the password of SQL Server to any other person but to keep it to himself. The System Administrators should also be instructed strictly not to use SQL Server management tools such as Query Analyzer, Enterprise Manager etc. but to use the front end application only. They should also ensure that no one else has access to SQL Server tools, which can be used to tamper with databases.

. Day to day functioning, backup operations to tape and to hard disks in nodes, and addition, deletion and modification of users in Sanchay Post software have been taught to the System Administrators. During visits it was noticed that backups are not being taken regularly. In case of any doubt they may contact the Project Officer (SB), Technology Section, Circle Office for clarification.

System Administrators to ensure:

_ That the clients connecting to the server should have only the client connectivity component of SQL Server installed on them. Any other administrative tools such as the Query Analyzer, Enterprise Manager etc., if found installed in the clients, should be uninstalled.

_ Removal of data entry modules for schemes which have been made online on all the nodes.

_ User rights allotted in Sanchay Post should be post specific and a person should not be allotted both counter and supervisor rights. Group and Form access in online mode should be as per work distribution to counter users and supervisors. They should not be assigned groups or forms which are not handled by them, to prevent misuse. The users should be given access to only the functions they perform and they should set their own password.

_ Passwords should be official specific and not post specific. If there are five people who are likely to handle an operation over a period of time, an individual user id should be created for each of them and under no circumstances should one individual log in with another's id.

_ In the event of one's password becoming known to others one should reset the password immediately. If an individual makes his password public the risk lies with him. Full responsibility for misuse of his password would fall on him. All the entries and changes made in the application package are recorded along with the login name in a log.

_ Enforce password change at regular intervals and minimum password length to ensure better security.

_ Supervisor's id should be at an appropriate level. If more than one supervisor is to work owing to leave or training etc., more ids can be created for each of the supervisors in the office.

_ Delete old or inactive accounts
People who have moved out of the computerised operation set up in a specific office should be removed from the user group without any loss of time.

_ Periodic backup should be taken without fail. The daily, weekly and monthly backup copies should be kept in different places (System Administrator, Head of the office, Divisional office etc.).

_ At least one copy of the backup should be kept in a building away from the office (offsite) to provide protection against location-specific catastrophes. Rotate tapes used for backup and replace tapes when they are suspect.

_ For most computer activity, log on as a member of the Users or Power Users group. If you need to perform an administrator-only task or configure system parameters, log on as an administrator, perform the task, and then log off.

_ Server or any node connected to the Meghdoot/SB network should not be connected to the internet. Whenever Internet connection is needed, it should be given to a standalone node or an exclusive server meant for specific purpose like SPCC or track and trace.

_ Floppy drives in all the nodes have to be disconnected or disabled.

_ Antivirus software has to be installed in all the nodes.

_ When the service personnel make a visit, ensure that they clean the system interiors, especially the CPU fans and SMPS fans.

_ During the initial installation of the server keep the following points in mind.

Separating the boot and system volumes
Put the Windows 2000 Server system and boot volumes and the data volumes on separate drives or partitions. This greatly simplifies recovery if a disk is damaged.

Saving the disk configuration
Save the disk configuration data each time you change the configuration using Disk Management.

Keeping a written record
Keep a written record of disk volumes and their sizes to have during disk recovery. Attach this information to the front of each disk drive.

Make an Emergency Repair Disk

. Win2000 Server - Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup. On the Welcome tab, click Emergency Repair Disk. Follow the instructions that appear on your screen.
. Winnt4.0 Server - Click Start, click Run and type rdisk to create the Emergency Repair Disk.

Fault Tolerance / Redundancy
Mirroring in server provides fault tolerance at the disk drive physical level and limits unacceptable unscheduled downtime.

A list of Do's and Don'ts is enclosed for the benefit of LAN users.

Do's & Don'ts for Officials working on LAN

Do's

1. Use easily remembered passwords with sufficient complexity, which should be changed at frequent intervals.
To change password
Log on to the online module. Go to the 'SetUp' menu. Select 'Set personal password', then type the current personal password. Type the new personal password and retype the new password. Click on OK.

2. Backup your data every day. Keep three copies of the media (Tape/CD). Keep at least one copy offsite. A register has to be maintained for recording the following information: date, name of the person taking backup, type of media (CD, Tape or Node), counter signature of the Postmaster.

3. Enforce logging out when the workstation is unattended for a significant period of time. All changes done to the database are recorded against your name. Use "lock screen" in the setup menu when leaving the workstation for a short while.

4. In case of a problem, follow the checklist given below for connecting to the server before sending an SOS. Follow the sequence of switching on:
(a) UPS
(b) Hub
(c) Server (wait for the "Begin log on" screen with a message to press Ctrl-Alt-Del to log on)
(d) Nodes

5. If, when you double click on the Sanchay Post icon, you get a message "Unable to connect to server. Do you want to correct.", click on "Yes". You will then be prompted for the server name. Type the server name and click "SAVE". You will obtain a message "Rerun Application". Now double click on the Online or data entry icon to enter the Sanchay Post application package.

6. If there is some kind of 'system message', read it first; it solves most of the problems. If you have to report a problem, record the messages you get. Telling someone that the message was something about a hardware error does not help the problem solver.

7. Request your system administrator or the system support personnel identified in your office to run a) Scandisk and b) Disk defragmenter utilities on the NODES once a month. This helps to make your files open quickly. Both these utilities can be found in Start - Programs - Accessories - System Utilities - Scandisk or Disk defragmenter.

8. Keep the system and the table clean. Do not keep drink/water etc near keyboard or the system. Use dust covers to cover systems and printers after use. Clean system before use daily.

9. Make sure the computer table is stable and is not shaky.

Don'ts

10. Don't run any application other than departmental software on your systems.

11. Don't allow a third party to log in with your name & password. All the entries and changes made in the application package are entered in a log against your user name.

12. Even though an anti-virus program is installed and running on the systems, the anti-virus software installed will not catch latest viruses as there are new ones coming out. Hence floppies should not be used on the LAN systems.

13. Do not simply turn off your computer; instead use the correct shutdown process given below.
Shut down Process in Nodes:
i) Exit the application software [Sanchay Post] in the nodes by clicking on quit.
ii) Go to the Start button and click on Shut down. You will get a screen "Shut down windows". Select shut down from the options available and click on "OK".
iii) Wait till you get the message "It is now safe to shut down the computer" before switching the computer off.

Shut down Process in Server:
Log on to the server and then follow step ii & iii as stated above.

14. Do not clutter computer work place with unnecessary things.

15. Do not keep stamping pads on computer table. The impact during stamping will cause irreversible harm to the delicate parts in the computer and printers. Always use a side table or stool for it.

16. Do not manually push-in the CD tray. Always use the open/close buttons of the CD-ROM drive to push CD's inside to prevent damage.

Security

Although we read more about security breaches coming from outside the network, most security attacks come from people inside the organization. Good security means that systems and user data are protected from attacks originating from inside as well as from outside. The points given below are to help you secure your network.

i) Physical Security

The danger posed by people physically entering your offices and tampering with computers is often overlooked. Unauthorised persons should not have physical access to a computer. To be safe, servers should be placed in rooms that can be locked, and the rooms should be locked during non-office hours. The server should be kept securely to ensure security of data.

ii) Set appropriate access levels

a) Officials at each of the computerised offices have been trained as System Administrators and they have been given administrative access to the Server at their respective offices. Even if more than one System Administrator has been trained in an office, only one System Administrator should be appointed for the Sanchay Post / Meghdoot application. The System Administrator should be instructed not to give the password of SQL Server to any other person.

b) The system administrator has full rights on the operation of MSSQL Server and NT Server. It is therefore necessary that only the authorised system administrator performs the administrative functions.

c) Supervisor's id should be at an appropriate level. If more than one supervisor is to work owing to leave or training etc., more ids can be created for each of the supervisors in the office.

d) User rights allotted in Sanchay Post should be post specific and a person need not be allotted both counter and supervisor rights.

e) In respect of 'Point of Sale' there are 3 levels of users viz., counter, supervisor and system administrator. The users should have access to only the functions they perform and they can/should set their own password.

f) Maintaining the operating system and database in an NTFS partition provides the ability to limit network access based on user accounts and network-defined groups.

g) The nodes connected to the server should have only the client connectivity component of SQL Server installed on them. Any other administrative tools such as the Query Analyzer, Enterprise Manager etc. should not be installed.

h) Data entry modules for schemes which have been made online should be removed from all the nodes.

iii) Strictly enforce password policy

a) Passwords should be official specific and not post specific. If there are five people who are likely to handle an operation over a period of time, an individual user id should be created for each of them and under no circumstances should one individual log in with another's id. All the entries and changes made in the application package are recorded along with the login name in a log.

b) In the event of one's password becoming known to others one should be given a new id and password immediately. If an individual makes his password public the risk lies with him. Full responsibility for misuse of his password would fall on him.

c) Enforce password change at regular intervals and minimum password length to ensure better security.

d) Enforce logging out when the workstation is unattended for a significant period of time. All changes done to the database are recorded against your name. Use "lock screen" in the setup menu when leaving the server for a short while.

iv) Fault Tolerance / Redundancy

a) Mirroring in server provides fault tolerance at the disk drive physical level and limits unacceptable unscheduled downtime.

b) Backup server. A spare machine in each of the LAN offices may be loaded with Windows NT / 2000 and SQL Server 6.5 / 7.0 / 2000 as the case may be. In case of non-availability of a spare system, a working node with Win98 may be installed with WIN NT / 2000, thereby enabling dual boot. In case of Server failure the above mentioned system can be utilized as a server with minimum downtime.

BackUp

Backup your data every day. Periodic backup is very essential. The daily, weekly and monthly backup copies (Tapes/CD) should be kept in different places. Backup taken should be checked before being stored.

At least one copy of the backup should be kept in a building away from the office (off site) to provide protection against location-specific catastrophes. Rotate tapes used for backup and replace tapes when they are suspect.

Delete old or inactive accounts

People who have moved out of the computerised operation set up in a specific office should be removed from the user group without any loss of time.
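The access rules above (no official holding both counter and supervisor rights, one id per official, prompt removal of unused accounts) can be checked periodically against a user list. The following is an added example, not part of the circular or of Sanchay Post: the export layout, column names, sample rows and the 60-day idle threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: one row per (login id, official, role) grant.
# The layout and column names are assumptions, not a Sanchay Post format.
SAMPLE_EXPORT = """user_id,official,role,last_login
ctr01,A. Kumar,counter,2009-07-20
sup02,A. Kumar,supervisor,2009-07-20
sup01,B. Rao,supervisor,2009-07-22
ctr02,C. Das,counter,2009-03-02
ctr03,D. Nair,counter,2009-07-21
ctr03,E. Bose,counter,2009-07-21
"""
REVIEW_DATE = date(2009, 7, 24)  # constructed review date


def review_access(export_text, today, max_idle_days=60):
    """Return ids/officials that break the access rules in the guidelines."""
    roles_by_official = {}   # official -> roles held under any id
    officials_by_id = {}     # login id -> officials using it
    last_login = {}          # login id -> most recent login date
    for row in csv.DictReader(io.StringIO(export_text)):
        uid, who = row["user_id"].strip(), row["official"].strip()
        roles_by_official.setdefault(who, set()).add(row["role"].strip().lower())
        officials_by_id.setdefault(uid, set()).add(who)
        seen = date.fromisoformat(row["last_login"].strip())
        last_login[uid] = max(seen, last_login.get(uid, seen))

    return {
        # One person must not hold both counter and supervisor rights.
        "counter_and_supervisor": sorted(
            who for who, roles in roles_by_official.items()
            if {"counter", "supervisor"} <= roles),
        # Ids are official specific: one id, one person.
        "shared_id": sorted(
            uid for uid, people in officials_by_id.items() if len(people) > 1),
        # Idle ids are candidates for removal (threshold is an assumption).
        "inactive": sorted(
            uid for uid, seen in last_login.items()
            if (today - seen).days > max_idle_days),
    }


if __name__ == "__main__":
    for rule, hits in review_access(SAMPLE_EXPORT, REVIEW_DATE).items():
        print(f"{rule}: {', '.join(hits) or 'none'}")
```

An idle id is only a prompt to confirm whether the official has moved out; the removal itself is done through the user administration function of the application.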

Keep superuser access to a minimum

For most computer activity, log on as a member of the Users or Power Users group. If you need to perform an administrator-only task or configure system parameters, log on as an administrator, perform the task, and then log off.

As we do not have a firewall & Intrusion Detection Systems installed in our networks, any node connected to the Meghdoot/SB network should not be connected to the internet. Whenever Internet access is essential, it should be given to a standalone node or an exclusive server meant for specific purpose like Speed Post or track and trace.

Antivirus software should be installed in all the nodes. Even though an anti-virus program is installed and running on the systems, the anti-virus software installed will not catch latest viruses as there are new ones coming out and hence, floppy drives in all the nodes should be disconnected or disabled.

Do not run any application other than departmental software on your systems.
