Gu1 has local admin
Could not ping from server
WINS set to 1.1 in ipconfig /all and within network settings
WINS left as default / top option
Print/file sharing not turned on (+ DO turn it on as needed for unlink when uploading)
Messenger service disabled
Lowered local admin rights for all users from admin to power user; tested and still working.
THURS 28 MAR
Did unlink for dl of shared docs from server + tested
Did 'if set cookies' test for all of the shared area
Coded the PHP script that calls ICACLS.exe so that it adds a folder in the right path (named after the user) and then adds the user's name to that folder's ACL with modify perms; then integrated this into adduser.PHP (when a user is added they get a level 1 account within the DB (system login) and a folder created under /Users on the server).
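The folder-plus-ACL step described above, as an added example that is not the dissertation's own adduser.PHP script: the username is validated before it is used as a folder name or passed to icacls.exe, and the command is quoted with escapeshellarg. The library path, the domain name 'SVS-VAC' and the assumption that the web server runs as an account allowed to change ACLs (the diary runs it as Administrator) are assumptions.

```php
<?php
// Added example, not the project's code. Creates the per-user folder under the
// library and grants that user Modify via icacls.exe (inherited to contents).
const LIBRARY_USERS_DIR = 'C:\\SVS\\SVS Document Library\\Users'; // assumed path
const DOMAIN = 'SVS-VAC';                                           // assumed domain

// Only accept plain AD-style usernames: this keeps shell metacharacters and
// path separators ('..', '\', '/') out of both the folder name and the command.
function validUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9._-]{0,19}$/', $username);
}

// Build the icacls command: (OI)(CI) makes the grant inherit to files and
// subfolders, M is Modify. Kept separate from exec() so it can be inspected.
function buildGrantCommand(string $folder, string $username): string
{
    $ace = DOMAIN . '\\' . $username . ':(OI)(CI)M';
    return 'icacls ' . escapeshellarg($folder) . ' /grant ' . escapeshellarg($ace);
}

// Create the folder, apply the ACE, and undo the folder if icacls fails so no
// folder is left behind without the intended permissions.
function createUserFolder(string $username): string
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('Invalid username');
    }
    $folder = LIBRARY_USERS_DIR . '\\' . $username;
    if (!is_dir($folder) && !mkdir($folder, 0700)) {
        throw new RuntimeException("Could not create $folder");
    }
    exec(buildGrantCommand($folder, $username), $output, $rc);
    if ($rc !== 0) {
        rmdir($folder);
        throw new RuntimeException('icacls failed: ' . implode("\n", $output));
    }
    return $folder;
}

// Example call for a constructed username:
// createUserFolder('JSmith');
```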
Server needs to be logged in as Administrator at all times
Local admin is not used, so users can no longer browse to other users' docs on the same local PC, copy their cookies over into their own local profile and then type a URL past the login point to gain unauthorised access that would be traced back to the other user.
Need to be local admin when initially setting up (for firewall exclusions, sharing xxx local library folder ...)
John Neesham Page 72 of 102
FRI 29 MAR
Did add user on manageusers.PHP page. This adds a user to the DB/system and also creates a folder under /users on the server, with that user added to the ACL with modify perms (applied to all subfolders/files within).
Changed interface pages so that users can dl/ul docs from user/yourdocs and restricted/restricteddocs; also secured with the two 'if cookie' checks.
Security Note:
- Users can ul/dl docs to/from the server if they have access to that part of the system (the SVS doc library system), even if they do not have the correct NTFS perms on the folder/doc itself; this is stopped by the cookie checks blocking access to parts of the system. This means that users cannot get access to docs that they should not be able to.
However, if a user knows the entire path to the document including the extension (e.g. \\svr\SVS\SVS document library\shared\doc1.txt), and the doc is not locked down with the correct NTFS perms, they can bypass the system and access the doc directly; that is why NTFS perms are used on top of cookies for security.
Note1 - the user can still bypass the system, but only if they know the exact path including extension and also have the correct NTFS perms. *This issue was stopped by removing Local Admin Rights*
Note2 - users cannot navigate to find the path, as the 'SVS' and 'SVS document library' folders act as blocks to stop navigation.
Altered the manageusers/changeuser scripts to include change access levels properly.
When changed to 1 it changes DB/system access and removes the user's name from the restricted docs ACL (including dirs+files within).
When changed to 2 or 3 it changes the DB/system access and adds the user's name to the restricted docs ACL (including dirs+files within).
SUN 31 MAR
Altered changeuserlevel script to add/rem name to /shared and /restricted folders ACL on server + to alter access level DB field
Altered deleteuser to remove the username from the /shared and /restricted folders' ACL on the server, to delete the user's folder under /user on the server, and to remove the row from the 'user' table in the DB.
Did Not do warning box if deleting (warn that all files belonging to that user will be deleted if you continue)
MON 1 APR
Did 'if exists' check on file ul - doesn't ul and displays message and resolution guide if either wrongly logged in or wrongly named/shared folder.
Did user password reset box on management area screen - pops up an alert box with guidance to reset user pw on ad, then will pull through to SVS doc lib system also (single sign on)
Stopped unlink when dl'ing yourdocs, shared and restricted docs from the server - keeps a copy on the server too, so there is always a backed-up copy in case the client accidentally deletes it or the PC malfunctions. Changes made by the client will be applied to the server version on upload, as it overwrites.
This will be tightened up later with DB check, so that doc can only be dl'd by one user at a time - this will stop multiple versions of the same document and the lost update syndrome.
TUES 2 APR
Included search feature in yourdocs, shared & restricted areas. This ignores certain entries such as . and .. so that a folder's hidden files do not show. Search is by doc name. A search with no search text just returns all docs. It is local to each area (yourdocs, shared, restricted), so that you cannot see another user's yourdocs, and if only a level one user (yourdocs & shared) searches then they cannot see restricted docs. You can click on each result to dl it to your local library.
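An added example of the per-area search described above (not the dissertation's search scripts): the area root is resolved server-side, a level 1 user gets no restricted results, and '.', '..' and other dot-prefixed (hidden) entries are skipped. The library root paths are assumptions, and the caller's access level is assumed to come from the server's authenticated session rather than from a client-supplied value.

```php
<?php
// Added example, not the project's code. Area roots below are assumed.
const LIBRARY_ROOT = 'C:\\SVS\\SVS Document Library';

// Map an area name to its folder; 'restricted' needs level 2 or 3 (assumed
// to be checked against the server-side session, not a cookie value alone).
function areaRoot(string $area, string $username, int $level): ?string
{
    switch ($area) {
        case 'yourdocs':   return LIBRARY_ROOT . '\\Users\\' . $username;
        case 'shared':     return LIBRARY_ROOT . '\\Shared';
        case 'restricted': return $level >= 2 ? LIBRARY_ROOT . '\\Restricted' : null;
        default:           return null;
    }
}

// Pure filter (testable without a filesystem): drops '.', '..' and any other
// dot-prefixed entry, keeps names containing $term (case-insensitive);
// an empty term returns everything, sorted.
function filterDocs(array $entries, string $term): array
{
    $out = [];
    foreach ($entries as $name) {
        if ($name === '' || $name[0] === '.') {
            continue;
        }
        if ($term === '' || stripos($name, $term) !== false) {
            $out[] = $name;
        }
    }
    sort($out, SORT_FLAG_CASE | SORT_STRING);
    return $out;
}

// Search one area: only regular files directly under the area root are listed.
function searchArea(string $area, string $username, int $level, string $term): array
{
    $root = areaRoot($area, $username, $level);
    if ($root === null || !is_dir($root)) {
        return [];
    }
    $names = array_filter(scandir($root), fn($n) => is_file($root . '\\' . $n));
    return filterDocs(array_values($names), $term);
}
```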
Created second DB table (document) to aid with tracking document use.
ERD modelling / DB use is less than I originally thought, as documents are stored as folders and files and are accessed using arrays. A DB is not required for this.
CREATE TABLE document (
    -- column definitions not shown
    FOREIGN KEY (username) REFERENCES user (username) ON DELETE CASCADE ON UPDATE CASCADE
);
Have chosen to remove rows relating to userA in the document table if userA is deleted from the user table. This is because that user is no longer part of the system and information pertaining to them should no longer be available. Therefore, when a user is deleted their name is taken from the ACL of the restricted folder (if present) & the shared folder, their folder on the server under /user is deleted including all contents, and the tracking information is also deleted; any information regarding their file use within the system should be gathered before deleting their system account.
WED 3 APR
Decided not to audit users' 'your docs' movements. This is because they can only be accessed by each individual user, so users will know of their own movements, other users will not be waiting for any of those docs as they are specific to the user, and the management team being able to monitor personal document use may be considered unethical. Will only do shared and restricted.
Changed scripts on ul and dl of shared and restricted documents so that if a file is uploaded or downloaded a row is added to the DB that records the username, document name, area (shared or restricted), pc name, date & time, and also changes the status to Checked Out (if downloading) or Checked In (if uploading) (MySQL 2013).
Filenames containing apostrophes have been blocked from being added to the SVS document library, as MySQL insert queries have problems with them. The 'str_replace' function could have been used but would need to be applied across a number of ul and dl scripts, so I thought a much cleaner way would be to block all such filenames on ul with a message explaining why and how to rectify it.
THU 4 APR
Modified dl code to check with DB so that if userA tries to dl a doc that userB has dl'd but not returned yet then they cannot dl and get a message that says who has it on what pc. This stops multiple copies being dl'd / lost update problem.
Did this for shared and restricted areas.
Modified ul code to check for duplicate names (if trying to add new doc to the library) and if a user checked out a doc to a pc then (A) only they can check it in/return it, (B) only from the same pc and (C) only back to the same area that it was borrowed from.
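The check-out/check-in rules from the entries above (one borrower at a time; return only by the same user, from the same PC, into the same area), as an added example that is not the dissertation's own dl/ul scripts. It uses PDO prepared statements, a technique swapped in here instead of the diary's apostrophe blocking, so that document and user names are passed as data rather than spliced into the query text. The column names, the auto-increment id, the DB account and the password placeholder are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a 'document' table with
// columns id (auto-increment), username, docname, area, pcname, logged
// (DATETIME) and status, holding the fields the diary says are recorded.
function connectSvs(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=SVS;charset=utf8mb4', 'svsapp', 'PLACEHOLDER_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}
// Most recent audit row for a document within one area, or null if none.
function lastActivity(PDO $pdo, string $area, string $docname): ?array
{
    $st = $pdo->prepare('SELECT username, pcname, status FROM document
        WHERE area = ? AND docname = ? ORDER BY logged DESC, id DESC LIMIT 1');
    $st->execute([$area, $docname]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Download rule: refuse while the doc is checked out, naming holder and PC.
function checkoutRefusal(?array $last): ?string
{
    if ($last !== null && $last['status'] === 'Checked Out') {
        return "Checked out by {$last['username']} on {$last['pcname']}";
    }
    return null;
}
// Check-in rule: only the borrower, from the same PC, into the same area
// (area is part of the lookup key, so a wrong area reads as "not checked out").
function checkinRefusal(?array $last, string $user, string $pc): ?string
{
    if ($last === null || $last['status'] !== 'Checked Out') {
        return 'Document is not checked out from this area';
    }
    if ($last['username'] !== $user || $last['pcname'] !== $pc) {
        return "Only {$last['username']} on {$last['pcname']} may return it";
    }
    return null;
}
// Audit row written after a permitted download ('Checked Out') or upload ('Checked In').
function recordActivity(PDO $pdo, string $user, string $doc, string $area, string $pc, string $status): void
{
    $st = $pdo->prepare('INSERT INTO document (username, docname, area, pcname, logged, status)
        VALUES (?, ?, ?, ?, NOW(), ?)');
    $st->execute([$user, $doc, $area, $pc, $status]);
}
```

Run the lookup and the insert inside one transaction (SELECT ... FOR UPDATE) so that two users cannot both pass the check at the same instant.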
SUN 7 APR
Did fileaudit.PHP page and can get last result/activity for each unique doc - for both 'all' and 'search' results (Stackoverflow 2013c).
Doc was chosen as search term rather than username for legal reasons
MON 8 APR
Did fileauditresults.PHP page. This takes chosen doc from fileaudit.PHP and then displays many details (columns) for last 5 rows (box checked) or all rows (box unchecked)
Did an 'add document' button on the homepage; this gives step by step instructions on how to add a document to the library
Did onload message in authenticatedlandingpage.PHP page. This lets correctly authenticated user know that their doc use will be monitored by the management team and also that other users may be able to see which docs they are currently borrowing; with this knowledge they can then decide whether to continue or not. This is to legally safeguard the management team and other users (no unknown tracking and/or singling out).
TUE 9 APR
All JS is now in external script and functions are called in. This will help with XHTML validation.
Authenticatedlandingpage.PHP (homepage) has 'user accept' popup on initial login but not afterwards
Got 'webtom brown' html/CSS template from www.oswd.com; modified it so that it fits my layout needs and reflects the colours/logo/branding stated in the requirements
WED 10 APR
Merged template with authenticated landing page
Removed excess CSS
Recoded, reordered, commented, indented - tested and still working
XHTML validated
This can be the template for other pages
THU 11 APR
Used scrollbar for results
Did XHTML validation, recoding, tables, buttons, scrollbars, commenting, indenting, and tidying for pages:
shareduploader restricteddocuments searchrestdocs restricteddocsdl restricteddocumentsul restdocuploader
SUN 14 APR
Did XHTML validation, recoding, tables, buttons, scrollbars, commenting, indenting, and tidying for Management Area.
MON 15 APR
Did and tested deldoc.php page
Did XHTML validation, recoding, tables, buttons, scrollbars, commenting, indenting, and tidying for pages:
managedocuments furtherdocdetails deldoc
Only docs that are not checked out and have not already been deleted can be deleted (removes doc from dir and adds DB row in document table with status set as deleted)
Did parts of manageuser section inc:
manageusers changeuserlevel deleteuser
Most of changedelusermain
TUE 16 APR
Did XHTML validation, recoding, tables, buttons, scrollbars, commenting, indenting, tidying
Finished all pages then tested them for functionality and display
WED 17 APR
Started adding and modifying different CSS files for different browser use
THU 18 APR
Finished adding and modifying different CSS files for different browser use; works in IE 7, 8 & 9. It may work in IE10, but having difficulty installing it on a Windows 7 VM.
Tested and working with NVDA screen reader.
Passes most colour blindness and contrast tests using Colour Contrast Analyser tool.
Appendix I - Virtual Domain and SVS Document Library Installation Guide
1. Install VMWare Player
VMWare player is used to create virtual machines that will exist in the domain. Please download and install from http://vmware-player.en.softonic.com/download.
2. Create Server and Install System
2.1. Build Server VM
Download the ISO for Windows Server 2008 R2 x64 (standard version with 180 day trial) from http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx. This can be done without a license but must be rearmed every 10 days by following these instructions (http://support.microsoft.com/kb/948472).
Build the VM with 60GB+ HDD space and 4GB RAM.
2.2. Configure the Server
· Change the computer name to ‘SVR’
· Change the network settings to static addressing with an IP address of 192.168.1.1/24 and set WINS to the same address
· Change the administrator password to ‘Chiltern123’
· Install AD domain services via the Initial Configuration wizard. In the run box enter ‘DCPromo’ and follow the wizard to set the FQDN of the root domain to ‘SVS-VAC.com’, set the forest functional level to ‘Windows Server 2008 R2’, and set the Directory Restore Mode administrator password to ‘Chiltern123’. Finally, add a new container called ‘SVS Users’ directly under ‘SVS-VAC.com’ in AD Users and Computers
· Install WINS via the Initial Configuration Tasks wizard; select Add Features then WINS
· Add an exception to the firewall to allow incoming http/port 80 connections, but only from the 192.168.1.x/24 range
2.3. Create Storage Folders
· Add a folder directly under the C drive called ‘SVS’. Within the share tab, share it to Everyone with full control. Within the security tab, disinherit the permissions from the parent folder and configure so that the only ACEs in the ACL are Administrator and Administrators, then give both full control
· Add a folder directly under the SVS folder called ‘SVS Document Library’. Within the security tab, disinherit the permissions from the parent folder and configure so that the only ACEs in the ACL are Administrator and Administrators, then give both full control
· Add a folder called ‘Restricted’ directly under the ‘SVS Document Library’. The permissions will be automatically set from the parent folder so that the only ACEs in the ACL are Administrator and Administrators, then give both full control
· Add a folder called ‘Shared’ directly under the ‘SVS Document Library’. The permissions will be automatically set from the parent folder so that the only ACEs in the ACL are Administrator and Administrators, then give both full control
· Add a folder called ‘Users’ directly under the ‘SVS Document Library’. The permissions will be automatically set from the parent folder so that the only ACEs in the ACL are Administrator and Administrators, then give both full control
2.4. Install, Configure and Secure XAMPP
· Download XAMPP from http://www.apachefriends.org/en/xampp-windows.html
· Install XAMPP following instructions from http://www.edukatr.com/14-mins-to-start-your-own-xampp-server-on-windows-2008-server-r2/
· Secure XAMPP by following instructions from http://www.apachefriends.org/en/xampp-windows.html#1221. XAMPP pages and PHPMyAdmin should have username 'administrator' and password 'Chiltern123'. Root SQL Server should have username 'root' and password 'Chiltern123'
· The php.ini file needs to be changed in order to allow PHP LDAP functions. In the php.ini file you need to uncomment (remove #) from line 'extension=php_ldap.dll' (PHP 2013d)
· Reboot the server, log on as administrator, then start Apache and MySQL services from the XAMPP control panel
· Access PHPMyAdmin (http://192.168.1.1/phpmyadmin)
· Add a database called SVS
· Within SVS database, click SQL tab
· Copy contents of 'DB Create Script.txt' file from the CD at back of the dissertation, and paste them into this window then press go; this has created the tables and also a starter level 3 account called 'managementuser' which you can use to login to the system when finished in order to create accounts
· Copy the contents of the 'htdocs' folder from the CD at the back of the dissertation and paste into the C:\xampp\htdocs folder on the server
3. Create Clients and Configure for System Access
3.1. Build Client VM
The client PC should be Windows XP Pro SP3. The VM should be built with 40GB+ HDD space and 1GB RAM
3.2. Configure the Client
· Change the network setting to a free static IP address in the 192.168.1.x/24 range
· Add WINS address of 192.168.1.1 and leave NetBIOS setting at default (top radio button)
· Add exception to the firewall for ‘File and Print Sharing’
· Do not configure Default Gateway or DNS
· Change the PC name to identify it in the building (e.g. Reception)
· Add PC to the ‘SVS-VAC’ domain then reboot
3.3. Configure for system access
· Logon to domain as a user in AD
· Once logged in, give the user local Administrator rights and reboot
· Add a desktop shortcut to 'http://192.168.1.1/login.php' named 'SVS Document Library'
· Add a folder to the desktop named the user's username then Local Library (e.g. 'JSmith Local Library'), then do the following to securely share the folder:
· 1. Right click -> properties -> sharing tab. Choose 'share this folder', choose ‘permissions’, click the 'full control' box, click apply and ok
· 2. Choose the 'security' tab. Click advanced, deselect the 'inherit from parent...' checkbox so that there is no tick, select copy from the popup box, click apply and ok, highlight the 'system' ACE by clicking on it, click remove, click apply and ok
· Demote the user from Local Administrator to Standard/Power user, then reboot
· Repeat this on as many PCs as you would like to access the SVS Document Library