1.0 Introduction
  1.1 Manual Overview
  1.2 Roles of a System Administrator
  1.3 Hardware Environment
    1.3.1 MMC Hardware Environment
    1.3.2 ASP Hardware Environment
    1.3.3 DAO/ATP Hardware Environment
    1.3.4 MMC/ASP/DAO/ATP Software Environment
  1.4 Maintenance Contract
2.0 Information Sheet
  2.1 Information Sheet
  2.2 Server Install Checklist
  2.3 Workstation Install Checklist
  2.4 ATP Install Checklist
3.0 Software Needed
  3.1 Server Software
  3.2 Workstation Software
4.0 Installing Windows 2003 Server
  4.1 Upgrade to 2003 Server
  4.2 Install Service Pack 1
  4.3 Install Server Security
  4.4 Install Fresh Copy of Windows 2003 Server
6.0 Installing SAAS Server Software
  6.1 Installing SAAS-MOD Server Software
  6.2 Server Cleanup
  6.3 Installation on ATP
  6.4 SAAS Folder Layout
  6.5 Installing WinZip
7.0 Installing Windows XP Software
  7.1 Install Procedures as part Installing L6F-09-00
  7.2 Install Service Pack
  7.3 Install Security
  7.4 Installing Fresh Copy of Windows XP
AISM-25-L6F-AJ A-ZZZ-SA 11 October 2007 TOC-1 Table of Contents
9.0 Server Administration
  9.1 User Administration
    9.1.1 Domain User Accounts
    9.1.2 Local User Accounts
    9.1.3 Remaining User Accounts
    9.1.4 Deleting Users
    9.1.5 Changing Passwords
    9.1.6 Adding Users to Groups
    9.1.7 Removing Users from Groups
    9.1.8 Assigning User Rights
10.0 Periodic Maintenance
  10.1 Backups
    10.1.1 Full System Backup
    10.1.2 Backing up a Dump file
    10.1.3 Using the SAAS-MOD System Backup Scheduler
    10.1.4 Restoring the Full System Backup
    10.1.5 Restoring the Dump file
  10.2 Checking the Event Log
  10.3 Maintaining Hard Drives
    10.3.1 Setting Security on Hard Drives
    10.3.2 Setting up Shares
    10.3.3 Allowing Users to Access a Computer
      10.3.3.1 Permissions
      10.3.3.2 Mapping
    10.3.4 Maintaining Adequate Disk Space
  10.4 Creating Emergency Repair Disk
  10.5 SpaceMaker
  10.6 Server System Maintenance
11.0 Communications
  11.1 Introduction to SAAS Communications
  11.2 COMSETUP.exe Operation Instructions
    11.2.1 Initial Setup Instructions
    11.2.2 COMSETUP Instructions for Adding other DODAACs
    11.2.3 Other COMSETUP Functions
  11.3 COMRUN.exe Operation Instructions
  11.4 Remote Access Service Installation
  11.5 GlobalSCAPE Secure FTP
  11.6 User Manager Setup for Dial in RAS
  11.7 Duplicate File Ship Instructions
  11.8 COMRPT.exe Operation Instructions
  11.9 COMMO File Description
  11.10 COMMO Troubleshooting
  11.11 Remote Dial-Up Processing
12.0 Importing/Exporting Databases
  12.1 Importing Databases
  12.2 Exporting Databases
13.0 Troubleshooting
  13.1 User Problems
    13.1.1 Can't Log In
    13.1.2 Can't partition or format while doing setup
    13.1.3 Formatting the 2nd Hard Drive
  13.2 Database Problems
  13.3 Data Browser Problems
    13.3.1 To Remove the Default Limitations on Data Browsers
  13.4 Comwatch Errors
  13.5 System Running Slow
  13.6 Relationship between SAAS and Oracle
  13.7 Customer Assistance FTP Process Using Secure FTP
14.0 COOP
  14.1 General
  14.2 Sample
15.0 AIT Installation
  15.1 Overview
  15.2 Installation of SAAS AIT Application
  15.3 Setting up your AIT Equipment
  15.4 Connecting AIT to your Computer
  15.5 Driver Installation and Settings
  15.6 Burn-in of the Hand Held Devices
  15.7 AITCFG Tool
  15.8 Troubleshooting AIT
  15.9 AIT Practical Exercise
16.0 Norton 10.1 Installation
  16.1 Uninstall Norton Server and Workstation
  16.2 Install Norton 10.1 on the Server or Workstation
  16.3 Norton Antivirus Updates
17.0 Reserved for Future Use
18.0 SAAS Utilities
  18.1 Oracle IP Tool
  18.2 Archive Transactions
  18.3 Create Oracle User
  18.4 Drop Oracle User
  18.5 Export
  18.6 Import
  18.7 Lock Database
  18.8 Logged-On Users
  18.9 System Backup Scheduler
  18.10 Restore Transactions
  18.11 Unlock Database
  18.12 Change Oracle Password
  18.13 Oracle RA Tool
19.0 RFID (Radio Frequency Identification)
  19.0 Installation Procedures for RFID on ASP Workstations
  19.1 Tag Docking Station Hardware, Configuration Setup and Registration
    19.1.1 Tag Docking Station Hardware
    19.1.2 Tag Docking Station Hardware Setup Procedures
    19.1.3 Tag Docking Station Configuration Procedures
    19.1.4 Tag Docking Station Setup Location Procedures
    19.1.5 Tag Docking Station Setup Communications Settings Procedures
    19.1.6 Tag Docking Station Setup Registration Procedures
  19.2 RFID Interrogator Hardware, Configuration, Setup and Registration Procedure
    19.2.1 RFID Interrogator Hardware
    19.2.2 Interrogator Hardware Setup Procedures
  19.3 RFID Network and Modem Setup Procedures
    19.3.1 Dial-up Networking / Modem Setup
    19.3.2 Configuring the Modem with Windows 2003
    19.3.3 Creating a Dial-up Networking (DUN) Phonebook Entry
    19.3.4 Viewing all Dial-up Networking Phonebook Entries from TIPS-Write
    19.3.5 Network Setup
20.0 SAAS Security
  20.1 Overview
  20.2 Security Features Users Guide (SFUG)
  20.3 Trusted Facilities Manual (TFM)
  20.4 AKO Security Update and Downloads
SECTION 1.0 INTRODUCTION
1.1 Manual Overview
The purpose of this manual is to guide a System Administrator (SA) in managing the Standard Army Ammunition System Modernization (SAAS-MOD) system. This manual defines the role of the SA, the electronic environment, and relevant applications running on the system.
1.2 Roles of a System Administrator
The site System Administrator's role is to keep the SAAS Modernization system functioning. The SA position carries a great deal of responsibility. Some of the specific technical responsibilities of the SA are to:
a. Understand the system architecture.
b. Maintain the NT Server and Workstation.
c. Bring the system up and down.
d. Control access to the system.
e. Communicate on-line with system users.
f. Modify the system to add new users and printers.
g. Make the system reasonably secure from tampering.
h. Maintain the operating system software and troubleshoot problems.
i. Monitor system usage and performance.
j. Act as the focal point for questions/concerns that are to be addressed to the support hotline.
1.3 Hardware Environment
The SAAS Hardware is described below in generic terms. The actual equipment used at each site may vary but should be equivalent to the descriptions below.
1.3.2 ASP Hardware Environment
1.3.3 DAO/ATP Hardware Environment.
1.3.4 MMC/ASP/DAO/ATP Software Environment
The MMC/ASP/DAO SAAS software operating environment will be client/server. This environment will be supported by Windows 2003 Server operating system (OS) on a single server computer and Windows XP OS with Service Pack #2 (operating system) on multiple workstation (user) computers. The application executable will reside on each workstation and will execute on that workstation. The SAAS database will reside on the server and will be managed by the Oracle Relational Database Management System (RDBMS). Components of Oracle will reside on both the server and each workstation for the purpose of communicating and satisfying application requests for data during processing.
The exception to this client/server environment will be the ATP. The Windows 2003 Server OS, Oracle RDBMS, Database and application executables will all reside and operate on a single laptop/notebook computer. This provides a "standalone" operating environment requiring only one computer system which can easily be transported to meet the needs of an ammunition transfer point.
Communications between SAAS systems and outside of SAAS will be accomplished primarily with secure and non-secure File Transfer Protocol (FTP). When direct network connections are not available to support FTP, the Remote Access System (RAS) will be used in conjunction with a modem to establish a connection which will also support FTP. For the ASP system only, a unique communication environment will be used to support the communication interface with the Training Ammunition Management Information System (TAMIS) using web browsers to access it.
1.4 Maintenance Contract
The Project Manager maintains the maintenance contract for the SAAS-MOD system. The PM has outlined the procedure to obtain the maintenance support as follows: Call the on-site system administrator. If the problem cannot be resolved, the SA should call the SEC-LEE Customer Assistance Office (CAO) at 804-734-1051 (commercial) or 687-1051 (DSN). If the problem still cannot be fixed, CAO will contact the responsible contractor. As needed, the contractor may call Microsoft or ORACLE for further assistance.
NOTE: Users should not attempt to open any system hardware to fix it. This will violate the terms of the maintenance contract and may cause loss of maintenance support.
SECTION 2.0 INFORMATION SHEET
2.1 Information Sheet
The following information is needed to complete the installation of Windows 2003™ Server and Windows XP Workstation. This information should be supplied by the site System Administrator.
1. Name: SAAS-MOD
2. Organization: U.S. Army
Note: For computer name, Active Directory Domain name and IP addresses check with your local DOIM for compliance with installation standards and to avoid duplication.
3. Computer Name: ____________________________ (Use your installation's naming standards)
4. Domain Name: _____________________________ (May be your Installation Domain or Regional Active Directory name)
5. Type of Install: Server OR Workstation
6. IP Address: ___.___.___.___
7. Subnet Mask: ___.___.___.___
8. Gateway IP Address: ___.___.___.___
9. DNS Server Address: ___.___.___.___
10. WINS Server Address: ___.___.___.___
11. Printer: Local or Remote (Circle one).
    Type: _______________ Port: _____ Shared? Yes or No
    Printer Name: ________________________________
12. Network Adapter:
    Type (i.e. NE 2000): ______________
    IRQ (if not a PCI adapter): _____ IF REQUIRED
    Base I/O Address (if not a PCI adapter): _____ IF REQUIRED
13. Administrator Name: ______________________
    Administrator Password: ___________________
14. Product ID Number: ______________________ (may be required depending on CD type.)
15. Communications Information Needed for Servers using RAS:
    Static Address Pool of IP's: (should be contiguous) _______________ thru _______________
    Site System Info:
      DODAAC: _______________________
      FTP Username: ____________________
      FTP Password: ____________________
    Terminal Server Info (if required):
      Terminal Server Phone Number: ______________
      Terminal Server Username: __________________
      Terminal Server Password: __________________ (may change every 90 days)
    Destination System Info:
      DODAAC: _________________________
      FTP Username: _____________________
      FTP Password: _____________________
2.2 Server Install Checklist
Using Windows 2003 Server CD's
I. INFORMATION NEEDED PRIOR TO INSTALLATION:
__ 1. Name and Organization for Software Registration: ________________
Product ID Number on Software: __________________________
__ 2. Type of Network Adapter: ________________________________
Active Directory Domain Name: ___________________________
Server Name (DODAAC): _______________________________ (Also known as Machine Name; must adhere to installation naming conventions)
Server IP: __________________________________________
Static IP Address Pool (if loading RAS): _____________________ (Must be 3 contiguous IP Addresses)
__ 3. Check BIOS and modify in Setup, if applicable. Boot device sequence should be CD ROM, Hard Drive 0 then Floppy.
II. LOAD SERVER SOFTWARE AND DEVICES:
NOTE: IF LOADING A GATEWAY 6400 SERVER, THE LSI DUAL ULTRA 160 DRIVER WILL NEED TO BE CREATED FROM THE ORIGINAL GATEWAY SERVER COMPANION CD; THIS DRIVER WILL BE USED DURING INITIAL INSTALLATION SO THAT THE HARD DRIVES ARE RECOGNIZED BY THE OPERATING SYSTEM.
1. Load W2K3 and current Service Pack. Service Pack 1 included with W2K3 install software.
2. Load SAAS Server Baseline (SA 6). Be sure to select correct level (MMC, ASP, DAO or ATP).
3. Check the AKO Website for Interim Changes since the last SAAS Software Release. (SA 20.10)
4. Install WinZip (SA 6.5)
5. Import the file CDdriveletter\SCP0xDB.dmp, where x is the current change package release number.
6. Install the Oracl10G (L6F-0x-00) change package where x is the current SCP package.
7. Restore backup taken prior to this installation unless this is a fresh install. (SA 10.1.5) or copy the files back from D drive if you copied them there as part of the pre-installation procedures.
8. Set up COMMO Group, users and permissions:
a. Must create FTPUSERS global group. (SA 11.6)
b. Must create ftp***user and make member of FTPUSERS group. (SA Manual, section 11.6) Where *** is platform of system being installed (mmc, asp, dao).
c. Set PERMISSIONS on Files and Directories. (SA 11.6)
FTPUSERS Full Control of Dodaacom, saas_ftp, winnt\system32\drivers\etc, and c:\comwatch.log
*On folders be sure to check box that refers to replacing permissions on sub-folders and files.
Right click on file or folder. Select Properties -> Security -> Permissions. Click on Add. Click on Users. Click on Add. Change Access to Full Control. Click on OK. Click on Yes. Click on OK.
d. Create saasmod user account and other users determined by SA. (SA 9.1.1 general info) Give right to [log on locally] to users.
9. Import your database dump file as was backed up as part of the pre-installation instructions. (SA 12.1)
10. Set up FTP in Internet Service Manager. (SA 11.5)
11. Load SAAS documentation to D:\wwwroot and share. (SA 18) If you already have it, delete the wwwroot directory first. This will allow the copy to run much quicker.
12. Load Microsoft Internet Explorer 6.0 and Service Pack 1 from the SAAS Utility CD. Follow the on-screen prompts. Refer to section 17 in the SA Manual. NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS. Also set HOMEPAGE to point to D:\WWWROOT. (SA 18.3.1)
13. Load Norton Antivirus Software, refer to Server install (SA 16.0 Norton 10.1 Installation Updated) unless you are directed by local military authorities to use a different anti-virus software.
14. Install SAAS Security CD. (Server or Workstation Install for W2K3 on CD). Check the AKO website for updates since the last SAAS Software Release. (SA 20.10)
15. Add Printer (SA 5.2)
16. Set Time Zone to your local time. Double click the clock/Time Zone/Drop down menu to your locality.
17. Set Short Date format to MMDDYYYY in Control Panel/Regional Settings/Date/Short Date format.
18. Install RFID (IF APPLICABLE) (SA 19)
19. Setup System Backup Scheduler. (SA 10.1.3)
20. Update Repair Info and create updated Emergency Repair Diskette. (SA 10.4.1) Start ->Run: RDISK. (SA 10.4)
21. Perform an EXPORT of the Database (SA 12.2). Recommend EXPORT file is copied on to a 4mm DAT tape for future restoration purposes.
22. Change Administrative password. (SA 9.1.5) *Try for consistency for Administrator password on Server and all Workstations.
23. W2K3 Full System Backup. Be sure to backup C: and D: and Registry. (SA 10.1.1)
24. Run script for restoring Oracle Users: RECREATE_USERS.SQL
- OR -
NOTE: All SAAS Users need to have an Oracle User created. See SA 18.3 Create Oracle User. If the SAAS User also needs to perform Backups, install SCP or ICP packages, or access specific executables located on the Server, then they also need to be a member of the ORA_SAAS_DBA group.
Follow these steps to Add Users to the new group:
1. Logon to the SAAS-MOD server as an administrator.
2. Left click on Start | Programs | Administrative Tools (Common) | Computer Management | Users and Groups | Groups.
3. Double left click on ORA_SAAS_DBA under Groups on the right half of the window.
4. Left click on the Add button in the Local Group Properties window. This will put you in the Add Users and Groups Window.
5. Left click on a user in the Names: box to highlight (select) it.
6. Left click Add button to put the user in the Add Names: box. Repeat steps 5 & 6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Local Group Properties window. All the users you selected will now appear in the Members: box.
8. Left click the OK button to exit the Local Group Properties window.
9. In the User Manager window, left click on User (in the upper left hand corner) and select Exit from the drop down menu.
2.3 Workstation Install Checklist
Using SAAS Supplied Software (Microsoft Windows XP Professional with Service Pack 2 - September 2004)
I. INFORMATION NEEDED PRIOR TO INSTALLATION:
___1. Name and Organization for Software Registration: _Use SAAS MOD U. S. ARMY____________
Product ID Number on Software: ___See sticker on the back sleeve of the CD_______________
Example: J C4Y8-J 2V9R-4J GY6-Y69W4-TYCMQ
___2. Type of Network Adapter: _____________________________
Active Directory Domain Name: ________________________
Workstation Name: __________________________________ (also known as Machine Name; must adhere to installation naming conventions)
___3. Check BIOS and modify in Setup, if applicable. Boot device sequence should be CD ROM, Hard Drive 0 then Floppy.
II. LOAD WORKSTATION SOFTWARE AND DEVICES:
____ 1. Load Windows XP Workstation (Professional) using CD provided (SA 7).
____ 2. Load SAAS Workstation Baseline (SA 6). Be sure to select correct level (MMC, ASP, and DAO).
____ 3. Load SAAS documentation to D:\wwwroot and share. (SA 17)
____ 4. Load Microsoft Internet Explorer 6.0 and Internet Explorer Service Pack #1 from the SAAS Utility CD. Follow the on-screen prompts. Refer to section 17 in the SA Manual. NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS.
____ 5. Load Norton Antivirus Software, and Uninstall McAfee Antivirus software, refer to Workstation install (SA 16.0 Norton 10.1 Installation Updated) unless you are directed by local military authorities to use different anti-virus software.
COMPLETE ITEM #7 BELOW FOR ASP Workstations ONLY!
____ 6. RFID Setup: Install RFID from the CD if your installation used RFID.
NOTE: SAAS AIT software is installed automatically with the installation of the Application install. Refer to SA 15 for all AIT instructions.
____ 7. Install SAAS Security CD. (Workstation Install for Windows XP on CD)
III. CHECK COMMUNICATIONS:
____ 1. Check network connectivity.
____ 2. Manually ping your server from Command Prompt.
IV. MISCELLANEOUS INSTRUCTIONS FOR THE SAASMOD SYSTEM:
Verify that each user created can log onto the system___________
Static IP Address Pool (if loading RAS): ____________________ (must be 3 contiguous IP Addresses)
___3. Check BIOS and modify in Setup, if applicable. Boot device sequence should be CD ROM, Hard Drive 0 then Floppy.
II. LOAD SERVER SOFTWARE AND DEVICES:
____1. Load W2K SERVER (SA 4).
____ 2. Create saasmod user account and other network users determined by SA. (SA 9.1.1 general info)
____ Give right to logon locally to domain users.
*Passwords will expire after 90 days and must be alpha/numeric with special characters and 10 characters in length. Refer to AR 25-2.
____ 3. Restore backup taken prior to installation unless this is a fresh install.
____ 4. Set up COMMO Group, users and permissions:
a. OPTIONAL GROUP CREATION: Create a Commo group if desired. Add usernames that will be responsible for performing Commo determined by SA.
b. Must create FTPUSERS global group. (SA 11.6)
c. Must create ftp***user and make member of FTPUSERS group. (SA Manual, section 11.6) *Fill in *** with platform of system loading (mmc, asp, dao).
d. Set PERMISSIONS on Files and Directories. (SA 11.6)
FTPUSERS Full Control of Dodaacom; Domain Users or Commo Group Full Control of Dodaacom, saas_ftp, winnt\system32\drivers\etc, and comwatch.log
*On folders be sure to check box that refers to replacing permissions on sub-folders and files.
Right click on file or folder. Select Properties -> Security -> Permissions. Click on Add. Click on Domain Users. Click on Add. Change Access to Full Control. Click on OK. Click on Yes. Click on OK.
____ 5. Load SAAS Server Baseline (SA 6). Be sure to select correct level (ATP).
____ 6. Import the database dump file. (SA 12.1)
____ 7. Set up FTP in Internet Service Manager. (SA 11.5)
____ 8. Load SAAS documentation to D:\wwwroot and share. (SA 17)
____ 9. Load Microsoft Internet Explorer 6.0 and Internet Explorer Service Pack 1 from the SAAS Utility CD. Follow the on-screen prompts. Refer to section 17 in the SA Manual.
NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS.
____ 10. Load Norton Antivirus Software, refer to Server install (SA 16.0 Norton 10.1 Installation Updated) unless you are directed by local military authorities to use a different anti-virus software.
____ 11. Load current Service Pack.
____ 12. Logon as saasmod, and go into Maintain User to create SAAS users.
COMPLETE ITEM # 13 BELOW FOR ASP SERVERS ONLY!
____ 13. AIT Setup:
NOTE: SAAS AIT software is installed automatically with the installation of the Application install. Refer to SA 15 for all AIT instructions.
____ 14. Install SAAS Security CD.
III. CHECK COMMUNICATIONS:
____ 1. Check network connectivity.
____ 2. Manually FTP from Command Prompt.
IV. CREATING ORACLE USERS FOR THE SAASMOD SYSTEM:
NOTE: All SAAS Users need to have an Oracle User created. See SA 18.3 Create Oracle User. If the SAAS User also needs to perform Backups, install SCP or ICP packages, or access specific executables located on the Server, then they also need to be a member of the ORA_SAAS_DBA group.
Follow these steps to Add Users to the new group:
1. Logon to the SAAS-MOD server as an administrator.
2. Left click on Start | Programs | Administrative Tools (Common) | Computer Management | Users and Groups | Groups.
3. Double left click on ORA_SAAS_DBA under Groups on the right half of the window.
4. Left click on the Add button in the Local Group Properties window. This will put you in the Add Users and Groups Window.
5. Left click on a user in the Names: box to highlight (select) it.
6. Left click Add button to put the user in the Add Names: box. Repeat steps 5 & 6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Local Group Properties window. All the users you selected will now appear in the Members: box.
8. Left click the OK button to exit the Local Group Properties window.
9. In the User Manager window, left click on User (in the upper left hand corner) and select Exit from the drop down menu.
Verify that each user created can log onto the system___________
Set SHORT DATE FORMAT to MMDDYYYY in CONTROL PANEL->REGIONAL SETTINGS ______________________________
V. FINAL SETUP AND REVIEW:
____ 1. Have User change Administrative password before you depart location. (SA 9.1.5) *Administrator password on Server and all Workstations should comply with AR 25-2, Section IV, Procedure Security, Section 4-12, and Password Control.
____ 2. Setup System Backup Scheduler. (SA 10.1.3)
____ 3. Update Repair Info and create updated Emergency Repair Diskette. (SA 10.4) Start ->Run: RDISK. (SA 10.4)
____ 4. Perform an EXPORT of the Database (SA 12.2). Recommend EXPORT file is copied on to a 4mm DAT tape for future restoration purposes.
____ 5. Perform a Full System Backup. Be sure to backup C: and D: and Registry. (SA 10.1.1)
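The two value rules these checklists state (a RAS static pool of 3 contiguous IP addresses, and passwords that are alpha/numeric with special characters and 10 characters in length) can be checked on a filled-in information sheet before the install starts. The Python code below is an added example, not part of the SAAS-MOD manual; the field names, the sample addresses and passwords, the same-subnet and server-overlap checks, and reading "10 characters" as a minimum are assumptions.

```python
import ipaddress
import string

POOL_SIZE = 3          # checklist: "Must be 3 contiguous IP Addresses"
MIN_PASSWORD_LEN = 10  # checklist: "10 characters in length" (read as a minimum: assumption)


def check_ras_pool(first, last, server_ip, subnet_mask):
    """Return a list of problems with the RAS static address pool; empty means OK."""
    try:
        start = ipaddress.IPv4Address(first)
        end = ipaddress.IPv4Address(last)
        server = ipaddress.IPv4Address(server_ip)
        net = ipaddress.IPv4Network(f"{server_ip}/{subnet_mask}", strict=False)
    except ValueError as exc:
        return [f"unreadable address on sheet: {exc}"]

    problems = []
    # The sheet records the pool as "first thru last", so its size is last - first + 1.
    size = int(end) - int(start) + 1
    if size != POOL_SIZE:
        problems.append(f"pool spans {size} addresses, checklist requires {POOL_SIZE}")
    # Assumptions beyond the manual: the pool sits on the server's subnet
    # and does not reuse the server's own address.
    if start not in net or end not in net:
        problems.append(f"pool is not inside server subnet {net}")
    if start <= server <= end:
        problems.append("pool overlaps the server IP address")
    return problems


def check_password(password):
    """Return a list of rule violations for one password; empty means OK."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def validate_sheet(sheet):
    """Check one information sheet (a dict); findings never echo the password itself."""
    findings = {}
    pool = check_ras_pool(sheet["pool_first"], sheet["pool_last"],
                          sheet["server_ip"], sheet["subnet_mask"])
    if pool:
        findings["ras_pool"] = pool
    # Applying the password rule to the FTP account as well is an assumption.
    for field in ("administrator_password", "ftp_password"):
        bad = check_password(sheet[field])
        if bad:
            findings[field] = bad
    return findings


# Constructed sample sheet (documentation address range, made-up passwords).
SAMPLE_SHEET = {
    "server_ip": "192.0.2.10",
    "subnet_mask": "255.255.255.0",
    "pool_first": "192.0.2.20",
    "pool_last": "192.0.2.23",      # four addresses: fails the 3-address rule
    "administrator_password": "Ammo#2007-Ok",
    "ftp_password": "ftpaspuser1",  # no special character
}

if __name__ == "__main__":
    for field, problems in validate_sheet(SAMPLE_SHEET).items():
        for problem in problems:
            print(f"{field}: {problem}")
```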
The following software will be required on the Server:
Microsoft Windows 2003 Server Standard Edition
Microsoft Windows 2003 Server Standard Edition Service Pack 1
SAAS Application Software CD-ROM
SAAS Security CD-ROM
SAAS RFID CD-ROM
Order of loading:
1. Do a complete load on the server first before starting with the workstations.
2. The server load is started by loading Windows 2003 Server. (Section 4.0)
3. Windows 2003 Service Pack * (Section 4.2)
   * or current release after Service Pack 1
4. Add Users (Section 9.0)
5. Add Printers/Modems (Section 5.0)
6. Load the SAAS Application Software. (ASP, MMC, DAO, ATP) (Section 6.0) Communication Applications (Section 11.5)
   NOTE: on a fresh install you will get an error for missing dll for cominter.exe until you load Oracle
7. Load Oracle (Insert CD and double click on Oracle Install.exe)
8. RFID (ASP, ATP only) (Section 15.0)
9. Norton Anti Virus (Section 16.0)
10. Load SAAS Security CD (Both Policy and IAVA) (Section 4.3)
3.2 Workstation Software
The following software will be required on the Workstations:
Windows XP Professional with Service Pack 2
SAAS Application Software CD-ROM and Diskette created from Server Install
SAAS Security CD-ROM
SAAS RFID CD-ROM
Order of loading:
1. The workstation load is started by loading Windows XP Professional on the workstation. (Section 7.0)
2. The second software to be loaded is Windows XP Service Pack * (Section 7.2)
   * or current release after Service Pack 2
3. Load the SAAS Application Software. (Section 8.0)
4. Load Oracle (Insert CD and double click on Oracle Install.exe)
5. SAAS Security CD (Section 7.3)
6. Norton Anti Virus (Section 16.0)
SECTION 4.0 INSTALLING WINDOWS SERVER 2003
4.1 Upgrade to Windows Server 2003
1. Insert CD labeled "Microsoft Windows Server 2003" into the CD drive.
2. Click on Start/Run/Browse/CD drive/setup.exe, select Open then OK as below:
3. Select Install Windows Server 2003, Standard Edition:
4. On the Welcome Screen select Next for the default which is Upgrade:
5. On the License Agreement screen, select I Agree and click on Next:
6. Enter Product ID from label on the back of the sleeve for the CD and click on Next:
7. Click Next on Get Updated Setup Files:
8. On Report System Compatibility screen click Next.
9. After a few minutes the system will reboot as shown below:
10. Click on OK to Terminate Batch Processes.
11. System will continue to install with progress in the areas of Preparing installation, Installing Windows and Finalizing installation. Average time is about 50 minutes, depending on your processor speed.
12. When complete the system will Reboot and Windows 2003 Server Standard Edition will be installed.
(Install Windows 2003 Server Service Packs)
4.2 Install Service Pack 1
The current Service Pack (Service Pack 1) is included with the upgrade installation. Any new Service Packs can be installed by contacting your local DOIM or AKO.
(Getting Windows Server 2003 IAVA Compliant)
4.3 Install Server Security
1. Insert CD labeled SECURITY CD for L6F-10-00 with SAAS Security Policy
a. Logon as administrator.
b. Insert the SAAS-MOD Security CD into your CD drive.
c. Double click on My Computer.
d. Right click on the CD ROM.
e. Left click on Explore.
f. Double click on SAAS Security Policy.exe (Note: the .exe will not appear if you have turned off display of file extensions).
g. You will be prompted to "Install Security Policy?" Two options will be displayed, Continue or Quit. Select "Continue." The install will now analyze your system and verify that it is a SAAS-Mod system. NOTE: If the system is not a SAAS-Mod system the security program will not install. Click on OK to exit and refer to paragraph 4.1 above.
Several windows will flash before you. At the message "Policy installation completed. You MUST RE-BOOT for changes to take effect!", click on OK and the system will re-boot, causing the security modifications to take effect.
2. Next will be to install Security Updates to make SAAS IAVA Compliant
a. Logon as administrator.
b. Do NOT start communications. If you do, terminate communications by clicking on the Start button and select SAAS Communications. Then double click the TERMINATE COMMO icon. You MUST wait for the Comrun.exe task block at the bottom of your screen to disappear BEFORE proceeding to the next step. Please be patient, this may take a few minutes.
c. Insert the SAAS-MOD Security CD into your CD drive.
d. Double click on My Computer.
e. Right click on the CD ROM.
f. Left click on Explore.
g. Double click on SAAS IAVA Updates.exe (Note: the .exe will not appear if you have turned off display of file extensions).
h. You will be prompted to "Install IAVA Updates?" Two options will be displayed, Continue or Quit. Select "Continue." The install will now analyze your system and verify that it is a SAAS-Mod system. NOTE: If the system is not a SAAS-Mod system the security program will not install. Click on OK to exit and refer to paragraph 4.1 above.
Several windows will flash before you. At the message "IAVA installation completed. You MUST RE-BOOT for changes to take effect!", click on OK and the system will re-boot, causing the security modifications to take effect.
4.4 Install Fresh Copy of Windows Server 2003
NOTE: These procedures are designed for those units that for whatever reason, such as the hard drive crashed, need to reinstall their Operating System back to Windows Server 2003. The L6F-10-00 baseline was developed to upgrade Windows Server 2000 to Windows Server 2003 only. Therefore, these instructions will be to manually reinstall your Operating System.
1. Begin by printing the checklist for Server Install at Section 2.2 above. Please read before beginning because there is information you must obtain prior to starting the installation.
2. Insert the CD labeled Microsoft Windows Server 2003 Standard Edition (Volume License Product Key Required) and start your system.
NOTE: If you are loading a Gateway 6400 you will need to press F6 when you see the message "Setup is inspecting your configuration" and select the option to install additional drivers. The LSI Dual Ultra 160 driver can be obtained via your original Server Companion CD or off of the driver folder on the Application CD.
3. At the "Welcome to Setup" screen, press Enter to set up Windows Server 2003 now.
4. Scroll down to the end of the Licensing Agreement and Press F8 for I Agree.
5. At the select Partition Screen Press "D" to Delete.
6. Press Enter to Delete
7. Press "L" to confirm delete of partition.
8. Press "C" to Create Partition.
9. Leave default value of entire disk drive and Press Enter.
10. Press Enter to Install
11. Press Enter to format partition using NTFS.
After formatting the drive, setup will copy files to the hard drive and reboot.
12. After Reboot, the system will continue on its own
13. At the Regional Settings screen, click on Next.
14. Enter Name as SAAS MOD. Enter Organization as U. S. Army and click on Next.
15. Enter Product Key which is located on a label on the back of the sleeve of the CD.
16. Enter the Computer Name per your local naming conventions, Administrative Password and Confirm Password and click on Next.
17. Enter Date/Time and Time Zone for your region and click on Next.
18. At the Network Settings do the following: Select Custom Settings and Press Next.
19. Highlight Internet Protocol (TCP/IP) and click on Properties.
20. Select "Use the following IP Address". Enter your IP address, local Subnet Mask, Default Gateway, Preferred DNS Server, and Alternate DNS Server. Click on Advanced tab, WINS tab and enter WINS addresses if applicable. Click on OK, OK then Next.
21. On Networking Components screen, click Next.
22. For Workgroup or Computer Domain: Click Yes, Enter appropriate data and provide credentials and click on Next.
23. If you get message "To improve appearance of visual elements Press OK", Press OK. When box appears "If you can read this Press OK" Press OK.
24. System will finalize installation and reboot.
Note: Some users may get the screen for Windows Server Post Installation... Critical Update Screen. Scroll to the bottom and click Finish and Yes to the message screen. This is to configure Automatic Microsoft Windows Update which is a local DOIM Policy and should be skipped at this point.
25. At Manage your Server, check the box Don't display this page at logon and close the window.
26. Click on Start, Right click My Computer, Manage
27. Click on Device Manager.
28. If any device shows the yellow ?, it means that the driver was not installed. You must Right click on the device and select Update Driver.
29. Some drivers are located in the Application CD, driver folder. Most new systems should have come with a driver utility CD.
30. Update drivers for all devices required.
31. Continue with instructions in Server Install Checklist.
1. Connect a modem to a com port and turn it on.
2. From the Desktop, click on Start, Control Panel. Click on Add Hardware. An Add Hardware Wizard will appear. Click on Next.
3. Windows 2003 will try to detect your connected modem.
4. Check Yes, I have already connected the hardware and click on Next.
5. Scroll down and highlight Add a new hardware device and click on Next.
6. Select Search for and install hardware automatically. Click Next.
7. Select Modems and click on Next.
8. At the install new modem window click on Next.
9. Highlight the Com Port and click on Next.
10. At the notification of successful installation, click on Finish.
5.2 Adding Printers
1. Unpack the printer and connect it to your Server or Workstation. Refer to the documentation with the printer for this step. Most Printers will be connected to the LPT1 port on your computer.
2. Power up the printer. Power on the computer if not already running.
NOTE: Be sure to be logged on as the Administrator before attempting to add a printer or any other hardware.
3. From the desktop click on Start, Printers and Faxes, then click on Add Printer.
4. On the Add Printer Wizard screen click on Next.
5. Select Local printer if printer is directly connected to your computer and make sure the box to automatically detect and install my Plug and Play printer is checked, or select Network printer if connecting to a printer on your network, then click on Next. For Network printer go to step 13.
6. If you selected Local printer above, you will see the New Printer Detections window like below:
7. Your printer should automatically be installed. If so, check Yes to print a test page and click on Next. If your printer is not detected, then you will have to supply the driver: click on Have Disk and point to the correct location of your driver.
8. Click on Finish to complete adding a printer.
9. Click on OK if test page printed, otherwise click on Troubleshoot and follow the prompts.
10. To share your printer click on Start/Printers and Faxes on 2003 Server or Start/Settings/Printers and Faxes for XP and click on Properties.
11. Click on the Sharing Tab.
12. Click on Share this printer, enter a Share name and click on OK.
For connecting (mapping) to a Network Printer do the following:
13. If you know the name of the printer enter in format "\\computer name\shared name".
14. If you do not know the name then click on Next to browse for a network printer.
15. Highlight the printer and click on Next.
16. Select if you want this system to use this printer as the default printer "Yes". Click on Next.
17. Click on Finish to complete the setup of your printer.
18. If all else fails in attempting to connect to a shared printer, contact your local DOIM or CSSAMO representative.
5.3 Adding AIT/RFID Hardware
Currently we have 2 serial devices that can be attached to ASP and ATP systems in SAAS; the Symbol PDT7200 HHT and the SAVI RFID tag reader/writer. With the Windows 2003 operating system, we may be able to use some or all of the devices via USB (USB 2.0) port(s).
The communications settings: To view these settings, right click on My Computer, Manage, Device Manager, then click on the (+) next to Ports (Com and LPT):
To see the desired port, right click on the port, select properties then click on the Port settings Tab.
RFID Tag reader/writer:
HHT:
Configuration file control exists for the HHT and RFID tag reader/writer:
RFID Tag reader/writer: Log into TAV Tools as an Administrator and go to the TAV Tools configuration window.
Select the com port
Then select the communications settings:
HHT:
Log on as an administrator, and go to C:\saas\ait and run AITCFG.exe.
Select HHT and this option appears:
SECTION 6.0 INSTALLING SAAS SERVER SOFTWARE
6.1 Installing the SAAS-MOD Application on Server
Windows 2003™ Server installed on system (SA 4).
SAAS Application (Latest Release) software on CD.
Installing SAAS from CD
1) Sign on as administrator.
2) Insert SAAS MOD Application CD into CD-ROM drive.
3) Go to My Computer and click on CD-ROM drive.
4) Double click on the install.exe file. (Flag icon if using explorer)
5) Read the notice, and then click on Next.
6) On the screen to install the latest release of SAAS-MOD click Yes.
7) Select system type to install, ASP, MMC, DAO or ATP. Not required for reinstall or upgrade.
8) Select type installation either Server or Combined, which is server and workstation on a single computer. Not required for reinstall or upgrade.
9) Insert a blank diskette on message and click OK. Not required for reinstall or upgrade.
10) Remove diskette when prompted and click OK. Not required for reinstall or upgrade.
11) At message Core installation complete, adhere to message on database and click on OK to reboot.
If this is a new install, you must now import a database. The instructions on importing databases are in Section 12.1 Importing Databases. If you have a current database, simply import it. If your database is a previous release, you will need to import it then you will need to run the utility located at C:\SAAS\UTILITIES\db_chgs_rollup.exe. This utility will make all structure changes to your database and bring it up to date with the latest SAASMOD release.
NOTE: Users created previously should still exist. May want to check User Manager for Domains for requested users. (For example, saasmod user should still exist.) Once Workstation is loaded, check database connectivity. Also if old database is desired, copy it back into \saas\dumps\backups and perform an import.
6.2 Server Cleanup
With the latest release, the SAAS MOD baseline is now overwritable. This means that there is no requirement to remove the previous baseline prior to reinstalling a new baseline. You also have the capability to completely uninstall SAAS-MOD. You can do this by going to <Start, Settings, Control Panel, Add/Remove Programs>, select SAAS-MOD and remove it.
6.3 Installation for ATP
The ATP baseline is loaded on a laptop/notebook computer. Unlike other loads, which use a different machine for a server and each workstation, the whole ATP system (database and executable) is included on just one laptop. However, with the fielding of the SAASMOD latest release, an ATP baseline install has been added to completely load the ATP application, server and workstation both in one load.
NOTE: THE FOLLOWING ACTIONS/PROCEDURES ARE ASSUMED TO HAVE BEEN PERFORMED CORRECTLY:
a.) Windows Server 2003 Operating System has been loaded.
b.) Windows XP Operating System with the latest Service Pack installed.
c.) Page File Size has been reset to 150 / 200 (or more).
d.) Video Display has been reset if required.
e.) Install Printer if required.
f.) Network Card must be installed into Drive 1 even if not connected to a network.
NOTE: THIS CONCLUDES THE LOAD OF THE ATP EXECUTABLES. IF REQUIRED, YOU MAY PROCEED TO LOAD AIT (Section 15) and COMMO (Section 11.0).
6.4 SAAS Folder layout
This structure will be in effect with the SAASMOD latest release.
Server:
\SAAS AIT (on ASP and ATP only) * will be shared on ASP server only (Drivers for Intermec 4400 printer; on ASP server only)
APPS (SAAS MOD program executables; replaces c:\iefenv21) UPDATES (this folder is used for tracking interim updates)
AIT (Scanning technology for SAAS)
BROWSERS (new default location for queries)
DATABASE (Actual residence of your data)
DUMPS (*.dmp will default to reside here - previously c:\saas\dumps\backups)
ORACLE (Oracle application system files)
REPORTS (ASP only)
UTILITIES (Executables accessed from Start>Programs>SAAS Utilities)
DATABASE (will exist on C: and D: drives)
LOGS (Import, Export, etc. Previously under separate folders)
WORKSTATION:
\SAAS
  APPS
  BROWSERS
  ORACLE
  REPORTS
  UTILITIES
  LOGS
6.5 Installing WinZip
1. Navigate to C:\Dodaacom with Windows Explorer.
2. Double click on WinZip32.
3. Click Next on WinZip Setup screen.
4. Click Yes on License Agreement screen.
5. Click on Start with WinZip Classic, then Next.
6. Click on Finish.
7. Close WinZip window.
8. Close Explorer window.
SECTION 7.0 INSTALLING WINDOWS XP SOFTWARE
7.1 Install Procedures for Windows XP Software
1. Must be logged on to the computer as Administrator to perform the procedures.
2. Insert CD labeled "Microsoft Windows XP Professional with (latest) Service Pack" into the CD drive.
3. Click on Start/Run/Browse/CD drive/setup.exe, select Open then OK as below:
4. Select Install Windows XP.
5. On the Welcome Screen select Next for the default which is Upgrade:
6. On the License Agreement screen, select I accept this agreement and click on Next:
7. Enter Product ID from label on the back of the sleeve for the CD and click on Next:
8. Click Next on Get Updated Setup Files:
9. After a few minutes the system will reboot as shown below:
10. Click on OK to Terminate Batch Processes.
11. System will continue to install with progress in the areas of Preparing installation, Installing Windows and Finalizing installation. Average time is about 60-90 minutes depending on your Processor speed.
12. When complete the system will Reboot and Windows XP Professional will be installed.
7.2 Install Service Pack
(Install Windows XP Service Pack 2)
This version of the system supplied already came complete including Windows XP Service Pack 2 so there are no instructions to follow.
7.3 Install Security
(Getting Windows XP IAVA/Security Compliant)
1. Insert CD labeled SECURITY CD with SAAS Security Policy
a. Logon as administrator.
b. Insert the SAAS-MOD Security CD into your CD drive.
c. Double click on My Computer.
d. Right click on the CD ROM.
e. Left click on Explore.
f. Double click on SAAS Security Policy.exe (Note: the .exe will not appear if you have turned off display of file extensions).
g. You will be prompted to "Install Security Policy?" Two options will be displayed, Continue or Quit. Select "Continue." The install will now analyze your system and verify that it is a SAAS-Mod system. NOTE: If the system is not a SAAS-Mod system the security program will not install.
Several windows will flash before you. At the message "Policy installation completed. You MUST RE-BOOT for changes to take effect!", click on OK and the system will re-boot, causing the security modifications to take effect.
2. Next will be to install Security Updates to make SAAS IAVA Compliant
a. Logon as administrator.
b. Do NOT start communications. If you do, terminate communications by clicking on the Start button and selecting SAAS Communications. Then double click the TERMINATE COMMO icon. You MUST wait for the Comrun.exe task block at the bottom of your screen to disappear BEFORE proceeding to the next step. Please be patient, this may take a few minutes.
c. Insert the SAAS-MOD Security CD into your CD drive.
d. Double click on My Computer.
e. Right click on the CD ROM.
f. Left click on Explore.
g. Double click on SAAS IAVA Updates.exe (Note: the .exe will not appear if you have turned off display of file extensions).
h. You will be prompted to "Install IAVA Updates?" Two options will be displayed, Continue or Quit. Select "Continue." The install will now analyze your system and verify that it is a SAAS-Mod system.
NOTE: If the system is not a SAAS-Mod system the security program will not install.
Several windows will flash before you. At the message "IAVA installation completed. You MUST RE-BOOT for changes to take effect!", click on OK and the system will re-boot, causing the security modifications to take effect.
7.4 Installing a Fresh Copy of Windows XP Professional
NOTE: These procedures are designed for those units that for whatever reason, such as the hard drive crashed, need to reinstall their Operating System back to Windows XP. The L6F-09-00 baseline was developed to upgrade Windows 2000 Professional to Windows XP Professional only. Therefore, these instructions will be to manually reinstall your Operating System.
1. Begin by printing the checklist for Workstation Install at Section 2.3 above. Please read before beginning because there is information you must obtain prior to starting the installation.
2. Insert the CD labeled Microsoft Windows XP Professional with Service Pack 2 (Volume License Product Key Required) and start your system.
3. At the Welcome to setup Press Enter to setup Windows XP now.
4. Scroll down to the end of the Licensing Agreement and Press F8 for I Agree.
5. At the select Partition Screen Press "D" to Delete.
6. Press Enter to Delete
7. Press "L" to confirm delete of partition.
8. Press "C" to Create Partition.
9. Leave default value of entire disk drive and Press Enter.
10. Press Enter to Install
11. Press Enter to format partition using NTFS. After formatting the drive, setup will copy files to the hard drive and reboot.
12. After Reboot, the system will continue on its own
13. At the Regional Settings screen, click on Next.
14. Enter Name as SAAS MOD. Enter Organization as U. S. Army and click on Next.
15. Enter Product Key which is located on a label on the back of the sleeve of the CD.
16. Enter the Computer Name per your local naming conventions, Administrative Password and Confirm Password and click on Next. Be sure to record your Administrative Password in a secure location.
17. Enter Date/Time and Time Zone for your region and click on Next.
18. At the Network Settings do the following: If your installation for workstations requires you to use DHCP (Dynamic Host Configuration Protocol), which will automatically assign IP addresses, Press Next. Go to step 21.
19. Highlight Internet Protocol (TCP/IP) and click on Properties.
20. Select "Use the following IP Address". Enter your IP address, local Subnet Mask, Default Gateway, Preferred DNS Server, and Alternate DNS Server. Click on Advanced tab, WINS tab and enter WINS addresses if applicable. Click on OK, OK then Next.
21. On Networking Components screen, click Next.
22. For Workgroup or Computer Domain: If not on network, click Next, otherwise Click Yes, Enter appropriate data and provide credentials and click on Next.
23. If you get message "To improve appearance of visual elements Press OK", Press OK. When box appears "If you can read this Press OK" Press OK.
24. System will finalize installation and reboot.
25. At Welcome screen Press Next to set up your system.
26. At Help Protect your PC, Select Not Right Now and click on Next.
27. At Checking Internet connectivity, Select Skip.
28. At Ready to register with Microsoft, Select No, Not at the time and click on Next.
29. At who will use the computer enter "saasmod" at first line and click on Next.
30. At Thank you, click on Finish.
31. Continue with instructions in Workstation Install Checklist.
SECTION 8.0 INSTALLING SAAS WORKSTATION SOFTWARE
8.1 Software needed
1. Microsoft Windows XP Professional (Workstation) installed on system.
2. SAAS Server software on CD-ROM.
8.2 Installing SAAS on Workstation
1. Sign on as administrator on the workstation.
2. Insert the CD labeled as the current software release L6F-xx-00, x being the latest.
3. Navigate to the CD and double click on install.exe. Flag icon if using explorer.
4. Read the notice and click on Next to continue.
5. On question to install latest release click Yes.
6. Select type of workstation to install (MMC, ASP, and DAO). Not required for reinstall or upgrade.
7. Insert diskette created from the server install when prompted and click on OK. Not required for reinstall or upgrade.
8. Remove diskette when prompted and click OK. Not required for reinstall or upgrade.
9. At Core Installation complete message, click on OK to reboot.
10. Workstation install is now complete.
SECTION 9.0 SERVER ADMINISTRATION
9.1 User Administration
A user account is required to log on to a Windows Server 2003 computer. This section will cover the procedure on creating user accounts, deleting user accounts, and joining groups in Windows Server 2003.
There are two ways to log on to a machine. One way is by using a domain user account stored in the Windows Server 2003. The other way is by using a local account stored in the local user account database. In using the SAAS-MOD application, all workstations should log on as part of the domain. Therefore all user accounts should be made at the server. The only local account on the workstation should be the Administrator account which was created during the Windows XP operating system installation.
The Windows Server 2003 user account gives an individual a means to log-on into Windows Server 2003. To create a user account follow instructions in Section 9.1.1.
With the release of a System Change Package (SCP), Oracle has been installed to accept Windows Server 2003 login authentication and will no longer require a separate login when a SAAS-MOD application process is executed. This will require that an Oracle user is created with the same name as the Windows Server 2003 user. Along with the new SCP, a new user group has been created named ORA_SAAS_DBA. This group has special Oracle permissions that are needed to run some of the SAAS-MOD functions on the server. Each user must be added to this group. An administrator must perform this function on the server. Follow these steps to add users to the new group:
1. Logon to the SAAS-MOD server as the administrator.
2. Click on Start | Programs | Administrative Tools | Computer Management | Local Users and Groups | Groups.
3. Click on ORA_SAAS_DBA under groups on the bottom half of the window.
4. Click on the Add button in the Local Group Properties window. This will put you in the Add Users and Groups Window.
5. Click on a user in the Names box to highlight (select) it.
6. Click on Add to put the user in the Add names box. Repeat 5 & 6 for all users.
7. Click OK to return to the Local Group Properties window. All users selected will now appear in the Members box.
8. Click on OK to exit the Local Group Properties window.
9. Click on User in the User Manager window and select Exit.
9.1.1 Domain User Accounts
1. To create a server user account, log on as administrator and do the following steps on the Server: Right click My Computer, Manage.
Note: Must Create SAASMOD user in order to create other SAAS-Mod application users. SAASMOD user should be disabled after creating other SAAS-Mod application users.
2. Highlight Users, click on Action on the menu tab.
3. Select New User and the New User dialog box will open.
4. Type a username in the Username box.
5. Type the user's password in the Password box.
6. Type the same password in the Confirm Password box.
7. Make sure to uncheck boxes for User Must Change Password at Next Logon, Password Never Expires and User Cannot Change Password.
8. Click Create and the new account will be added to the account database.
Note: SAAS-MOD has developed new security measures concerning user accounts and passwords. See below for these settings.
Security Settings Procedures - Servers and Workstations
Server and workstation users are to implement security settings on the local machines. The following is a guideline to implement these settings. Security settings are done automatically when you install the SAAS MOD Security from the CD-ROM. To view them:
1. Click Start, Programs, Administrative Tools, Local Security Policy.
2. Click on Password Policies.
3. In the resulting window (below), implement the settings according to the screen print below.
4. Under Local Policies, highlight Audit Policy.
5. In the resulting window (below), implement the settings according to the screen print below.
6. Under Account Policy, highlight Account Lockout Policy.
7. In the resulting window (below), implement the settings according to the screen print below.
9.1.2 Local User Accounts
Creating a local user account is no different from when you created a server user account on the Server. Actually, relative to the Server the domain user account is also a local user account. Therefore, when creating a local account, other than in the Server, remember that it only works for the particular machine it was made from.
9.1.3 Renaming User Accounts
When renaming an account, its properties, rights, permissions are held intact. This is because renaming a user account does not change the account's Security Identifier (SID). The SID is a unique number that Windows uses when assigning permissions to the user or when adding a user to various groups, which grant and restrict permissions to members of the group.
NOTE: FOR SECURITY REASONS, ARMY NETWORK SECURITY HAS DETERMINED THAT USERS RENAME THE ACCOUNT 'ADMINISTRATOR' TO SOME OTHER NAME.
To rename an account, do the following steps:
1. Right click My Computer, Manage.
2. Highlight the User Account you wish to rename.
3. Click on Action/ Rename.
4. No dialog box will appear, however the name will be highlighted. Simply type a new name and press the Enter key.
9.1.4 Deleting User Accounts
Deleting and recreating a user account is not equivalent to renaming a user account. Deleting and recreating a user account assigns a new SID to a user, so the user does not retain any permissions or group memberships that were based on his or her original user account. If there is any chance that the user in question will be granted access to the network in the future, it is advisable that the account be disabled instead.
To delete a user account, do the following steps:
1. Right click My Computer, Manage.
2. Select the account to be deleted.
3. Press the Delete key or click on Action/Delete.
4. User Manager for Domains will display a dialog box which asks for reconfirmation whether you want to delete the account or not. Click Yes and the account will be deleted. Click No to abort deleting the user.
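The SID behaviour described in Sections 9.1.3 and 9.1.4, shown as an added illustration (a simplified model written for this page, not Windows or SAAS-MOD code): permissions are recorded against the SID, so a rename or a disable keeps them while delete-and-recreate does not. The SID prefix and the user names clerk1 and clerk2 are constructed.

```python
import itertools


class AccountDatabase:
    """Toy account store. Names are labels; the SID is the identity."""

    def __init__(self, domain_sid="S-1-5-21-1000-2000-3000"):  # constructed value
        self._domain_sid = domain_sid
        self._rids = itertools.count(1001)  # a relative ID is issued once, never reused
        self._accounts = {}                 # name -> {"sid": str, "enabled": bool}

    def create(self, name):
        if name in self._accounts:
            raise ValueError(f"account {name!r} already exists")
        sid = f"{self._domain_sid}-{next(self._rids)}"
        self._accounts[name] = {"sid": sid, "enabled": True}
        return sid

    def rename(self, old, new):
        if new in self._accounts:
            raise ValueError(f"account {new!r} already exists")
        self._accounts[new] = self._accounts.pop(old)  # same record, same SID

    def delete(self, name):
        del self._accounts[name]

    def set_enabled(self, name, enabled):
        self._accounts[name]["enabled"] = enabled

    def logon(self, name):
        """Return the account's SID, or None if it is missing or disabled."""
        account = self._accounts.get(name)
        if account is None or not account["enabled"]:
            return None
        return account["sid"]


class SecuredObject:
    """A group, share or folder whose access list stores SIDs, not names."""

    def __init__(self):
        self.allowed_sids = set()

    def grant(self, sid):
        self.allowed_sids.add(sid)

    def allows(self, sid):
        return sid is not None and sid in self.allowed_sids


def run_scenarios():
    """Walk one user through rename, disable/enable, and delete/recreate."""
    db = AccountDatabase()
    group = SecuredObject()              # stands in for a group such as ORA_SAAS_DBA
    original_sid = db.create("clerk1")   # hypothetical user name
    group.grant(original_sid)
    results = {}

    # 9.1.3: renaming keeps the SID, so group membership survives.
    db.rename("clerk1", "clerk2")
    results["after_rename"] = group.allows(db.logon("clerk2"))

    # 9.1.4: disabling blocks logon but leaves the SID and its grants in place.
    db.set_enabled("clerk2", False)
    results["while_disabled"] = group.allows(db.logon("clerk2"))
    db.set_enabled("clerk2", True)
    results["after_reenable"] = group.allows(db.logon("clerk2"))

    # 9.1.4: delete and recreate under the same name issues a new SID.
    db.delete("clerk2")
    new_sid = db.create("clerk2")
    results["after_recreate"] = group.allows(db.logon("clerk2"))
    results["sid_changed"] = new_sid != original_sid
    # The old SID is still listed on the object and must be cleaned up by hand.
    results["orphaned_sid_on_acl"] = original_sid in group.allowed_sids
    return results


if __name__ == "__main__":
    for step, outcome in run_scenarios().items():
        print(f"{step}: {outcome}")
```

After a delete and recreate, every group membership and permission has to be granted again to the new account, which is why the manual advises disabling an account that may be needed later.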
9.1.5 Changing Password
1) To change your User password, begin by right clicking on My Computer, then selecting Manage.
2) Double click on Local Users and Groups to open up Users and Groups sub folders.
3) Click once on Users to show users on right side of the window.
4) Highlight a user, click on Action to show menu option "Set Password".
5) Click on Set Password.
6) Type in new password in both the "Password" and "Confirm Password" boxes.
7) When finished click "OK".
9.1.6 Adding Users to Groups
1) To add a user to a Local or Global Group you must first right click on My Computer and select Manage.
2) Double click on Local Users and Groups to open up Users and Groups sub folders.
3) Click once on Groups to show groups on right side of the window.
4) Highlight a group, click on Action to show menu option "Add to Group".
5) Click on Add to Group.
6) Click on Add.
7) Click on a user, click on Add. Repeat for all users to add. Click OK when you're done.
9.1.7 Removing Users from Groups
9.1.8 Assigning User Rights
1) To assign User Rights, first click on Start, Programs, Administrative Tools, and Local Security Policy.
2) Click on the plus next to Local Policies on the left hand side, and then click on User Right Assignment.
3) Scroll down to desired User Right such as Log on Locally and Right Click on it.
4) Click on Security....
5) Click on Add....
6) Select user or users and click on Add, then OK to exit Select Users or Groups window.
7) Click on OK to exit Local Security Policy Setting window.
8) Close Local Security Setting window.
10.1 Backups
Backups will save you one of these days. Therefore it is important that they are done religiously and correctly. It is also advisable to schedule backups during low network traffic.
It is recommended that whenever you update any part of the operating system with new office automation software, patches to software, install service packs, loading of SAAS SCP (System Change Package) or ICP (Interim Change Package), you should perform a full manual system backup. If in doubt, do a backup!
Keep at least 3 of your most recent full system backups. Remember, the scheduled backup in SAAS only backs up SAAS data. It does not back up system files!
Check the file C:\(your system root)\security\logs\backup.log and C:\(your system root)\autobackup.log periodically. The first is the default file name for a manual backup, and the second is the name used by the scheduled backup utility. These files are appended to, so they should be checked for errors and deleted when you are satisfied that the backup is good. Either process will recreate the file.
Before doing a backup you must shut down the database, stop Oracle and Netlogon services. To do this, do the following steps:
1. Log on as Administrator or Backup Operator on the Server. Make sure to stop all background processes including commo.
2. Right click My Computer | Manage | Services and Applications.
3. Click Services.
4. Scroll down to Netlogon, right click it, and click Stop. (Note: this will stop Netlogon service and prevent users from connecting to the server. However, this will not cut off connection to users already logged on. It is highly recommended to have users log off their workstation.)
5. Scroll down to OracleSAASORATNSListenrLSNR, right click it, and click Stop.
6. Highlight OracleServiceSAAS and right click it, click Stop. A window will pop-up then click OK. (Note: this will also stop services for OracleStartORCL.)
7. Click Close.
8. The backup procedure discussed here will start with a full system backup at the beginning of the week and a daily backup of an exported dump file throughout the remaining week. In this way, restoring will involve the full system backup and then the exported dump file. It is recommended that the dump file be named according to the date it was made. (i.e.: 04151998.dmp)
(Note: To make backups or restore files, you must be a member of the Administrators or Backup Operator group.)
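The weekly full backup plus daily dump scheme above, worked through as an added example (not part of the manual or the SAAS software): it parses the MMDDYYYY.dmp names, picks the full backup and dump file to restore, lists days with no dump, and selects the three newest full backups to keep. The dates and file names are constructed, and treating every calendar day as a dump day is an assumption.

```python
import re
from datetime import date, timedelta

# The manual's naming convention: MMDDYYYY.dmp, for example 04151998.dmp
DUMP_NAME = re.compile(r"^(\d{2})(\d{2})(\d{4})\.dmp$", re.IGNORECASE)


def dump_date(filename):
    """Return the date encoded in an MMDDYYYY.dmp name, or None if it is not one."""
    match = DUMP_NAME.match(filename)
    if match is None:
        return None
    month, day, year = (int(part) for part in match.groups())
    try:
        return date(year, month, day)
    except ValueError:          # e.g. month 13 or day 31 in a 30-day month
        return None


def restore_plan(full_backup_dates, dump_filenames):
    """Pick the newest full backup and the newest dump made on or after it."""
    if not full_backup_dates:
        raise ValueError("no full system backup available")
    full = max(full_backup_dates)
    candidates = []
    for name in dump_filenames:
        made = dump_date(name)
        # Assumption: a dump dated the same day as the full backup is still usable.
        if made is not None and made >= full:
            candidates.append((made, name))
    newest_dump = max(candidates)[1] if candidates else None
    return full, newest_dump


def days_without_dump(full, dump_filenames, today):
    """List each day after the full backup, up to today, that has no dump file."""
    have = {dump_date(name) for name in dump_filenames}
    missing = []
    day = full + timedelta(days=1)
    while day <= today:
        if day not in have:
            missing.append(day)
        day += timedelta(days=1)
    return missing


def fulls_to_keep(full_backup_dates, keep=3):
    """The manual says to keep at least the 3 most recent full system backups."""
    return sorted(full_backup_dates, reverse=True)[:keep]


# Constructed sample data spanning a year boundary.
SAMPLE_FULLS = [date(2007, 12, 10), date(2007, 12, 17),
                date(2007, 12, 24), date(2007, 12, 31)]
SAMPLE_DUMPS = ["12262007.dmp", "12272007.dmp", "01012008.dmp",
                "01022008.dmp", "13012007.dmp", "notes.txt"]

if __name__ == "__main__":
    full, dump = restore_plan(SAMPLE_FULLS, SAMPLE_DUMPS)
    print("restore full backup of", full, "then import", dump)
    print("no dump for:", days_without_dump(full, SAMPLE_DUMPS, date(2008, 1, 3)))
    print("keep fulls:", fulls_to_keep(SAMPLE_FULLS))
```

Names in MMDDYYYY order do not sort chronologically: sorted by name, 12272007.dmp comes after 01022008.dmp although it is older, so the newest dump has to be chosen by parsed date, not by file name.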
10.1.1 Full System Backups
Note: Perform Full System Backup once a week.
1. Click Start | Programs | Accessories | System Tools | Backup.
2. A Backup window will appear. If you click on the Backup on the toolbar it will show you the available drives to backup. If you click on Restore it will show you the available tapes for restore options.
3. Click on the check box for drive C and D. This will backup the whole C and D drive. NOTE: If you check System State it will also back up the Registry.
4. Click on Start Backup on the right lower corner of the window. A Backup Information dialogue box will appear.
5. Default Backup type is Normal. (Under Advanced....)
6. Click Start Backup to start the backup process.
7. Follow the on-screen prompts.
10.1.2 Backing up a Dump file
Note: Back up a dump file daily, using a 5-day rotation of 4mm DAT tapes (e.g., one tape for Monday, one tape for Tuesday, and so on).
1. To create a dump file follow procedure in Section 12.2 (Exporting the Database).
2. To back up the dump file to tape click on Start | Programs | Accessories | System Tools | Backup.
3. Make sure the Drives window is open.
4. In the Drives window double click on the C drive icon. (Note: don't click the check box.)
5. Another window will pop up showing you the directory tree of the C drive.
6. Double click on the folders SAAS, Dumps, and backups. (Note: don't click on any check box as you move through the folders.)
7. Once inside the backups folder click on the dump file you created (e.g., 06191998).
8. Click on Backup on the toolbar. A Backup Information dialogue box will appear.
9. In the Backup Set Information section type in the name of the dump file (e.g., 06191998) for description. Choose Normal for Backup Type.
10. Click OK.
11. Close window and remove tape.
10.1.3 Using the SAAS-MOD System Backup Scheduler
Note: This process does an export of the database, so there is no need to shut down Oracle services.
The scheduled backup must be set up by the System Administrator, as no other user has permission to use the Scheduler. Also, if the computer is shut down, the backup must be set up again when the computer is turned on. The settings previously chosen may appear in the setup screen, but the System Administrator has to click OK again to schedule the backup.
1. Double click on the short cut desktop icon SAAS | Utilities | System Backup Scheduler or Start | Programs | SAAS | Utilities | System Backup Scheduler.
2. A window will appear called System Backup Schedule. Click the check boxes for the appropriate days backup should occur.
3. Enter the time you want backup to occur during selected days, in the format shown below the box.
4. Click Save and Exit.
5. Make sure there is a properly labeled tape in the tape drive during scheduled backup.
10.1.4 Restoring the Full System Backup
If you are restoring and Windows 2003 is still working, start with step 1. However, if the server has failed (e.g., the hard drive crashes and needs to be replaced) so that Windows 2003 is not accessible, you will first have to install Windows Server 2003 (Section 4.1) and possibly the drivers for the tape drive.
1. Click on Start | Programs | Accessories | System Tools | Backup.
2. Open the Tapes window.
3. Insert the tape with the latest Full System Backup. After inserting tape, Backup will read the whole tape.
4. Double click on the C folder found on the right side of the window. This will create a list of what is backed up on the tape. Make sure you check both the C and D folder then click on the Restore button.
5. The Restore Information dialog box will appear.
6. On the Restore to Drive option make sure it is to the C: drive also.
7. Check Restore File Permissions, and Restore Local Registry.
8. Click OK.
9. A Restore Status box will appear. Click OK when restore is successfully completed.
Note: The procedure discussed above assumes that you are restoring to the original computer. If you are restoring it to a different computer it has to be identical with the original one. Another computer might have a different set of hardware and not match the data stored in the backup (e.g., different drivers).
Note: Restoring the Full System Backup will only restore the system up to the point when that backup was made. To make the database current, you have to restore the latest dump file as well.
10.1.5 Restoring the Dump file
1. Insert the tape with the dump file. After inserting tape, Backup will read the whole tape.
2. Click on Start | Programs | Accessories | System Tools | Backup.
NOTE: You may get the message New Import Media since the tape was originally created on an NT machine. Check the box to allocate this media to Backup now, check the box to not show this message again, and click on OK.
3. Click on the Restore tab on the menu bar. Do not click on Restore Wizard.
4. Check the dump file you wish to restore by double clicking on the tape icon.
5. On the Restore files to option make sure it is to the original location.
6. Click on Start Restore.
7. The Restore Information dialog box will appear.
8. A Restore Status box will appear. Click Close when restore is successfully completed.
9. Now that you have the latest dump file in place you need to import it back to the database; follow the procedures described in Section 12.1.
10.2 Checking the Event Log
To view the event logs, do the following steps: Click on Start | Programs | Administrative Tools | Event Viewer.
There are three event logs that you can look into by clicking on Log from the pull down menu. They are:
System Log: Records events related to Windows 2003 components. For example, if a service fails to start when Windows 2003 starts, Windows 2003 records the event in the System Log. Whenever a problem occurs, you should check the System Log for error messages.
Security Log: Records security-related events. Security events include logon attempts and audit events. Only Administrators can view the Security Log.
Application Log: Records application events, including errors and warnings. Application developers decide which events should be logged. Some Windows 2003 components, such as Winlogon and HP JetDirect print monitor, record events in the Application Log.
10.3 Maintaining Hard Drives
10.3.1 Setting Security on Hard Drives
By default, the hard drives are administratively shared. When you look at your Windows explorer after booting you will notice that the drive icons have a hand underneath them. This allows an administrator account to access the hard drive from the network. One way to improve security is to take out these shares and/or other shares every time you boot the system, and share a drive only when needed.
10.3.2 Setting up Shares
1) To share or not share a drive or folder, do the following steps:
2) Go to the Windows explorer by right clicking on Start | My Computer | Explore.
3) Right click on the hard drive or folder and choose Sharing.
4) Click on the Not Shared or Shared As radio button depending on what you want to do.
5) If you choose Shared As, the Share Name box option will be accessible. You can use the default share name or come up with your own share name. Also, if you put a dollar sign ($) after the name, the name will be hidden when someone tries to map to the machine.
6) Click OK to accept your settings.
10.3.3 Allowing Users to Access a Computer
Users can access files from another computer on the same network. To do this, the user needs to map a network drive and the folder where the file resides should be shared. Also, the file should have the correct permissions.
10.3.3.1 Permissions
To configure the permissions on a file do the following steps:
1) Go to the Windows explorer by right clicking on My Computer | Explore.
2) While in explorer, locate the desired file and right click on the mouse.
3) A short cut menu will show up. Choose Properties.
4) Click on the Security Tab.
5) A security window will show up.
6) The permissions box will appear showing the current permission of the file. The default setting is Everyone with Full control. What this means is that everyone has access to this file and has full control. If you want to limit the access to this file, Remove Everyone and click Add to add the specific user accounts to access the file. You can also change the type of access to No access, Read, Change, Full Control, or Special Access.
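The two settings this section asks the administrator to review, the drive shares of 10.3.1 and 10.3.2 and the default Everyone with Full Control permission described in step 6, can be listed together from one read-only script. This is an added PowerShell example, not part of the SAAS-MOD baseline; it assumes PowerShell 2.0 is installed on the server, checks each shared folder and its first level of contents only, and its function names are hypothetical.

```powershell
# Added example, not part of the SAAS-MOD baseline. Read-only: it changes nothing.
# Assumes PowerShell 2.0 and an Administrator session; function names are hypothetical.
$EveryoneSid = 'S-1-1-0'      # well-known SID for Everyone, same on every OS language
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000     # raw GENERIC_ALL bit, sometimes stored instead of FullControl

function Get-ShareKind {
    param($Share)
    # Win32_Share.Type is 2147483648 or higher for the administrative shares
    # (C$, D$, ADMIN$, IPC$) that Windows creates by default.
    if ($Share.Type -ge 2147483648) { return 'Administrative' }
    if ($Share.Name.EndsWith('$'))  { return 'Hidden' }   # $ suffix, step 5 of 10.3.2
    return 'Visible'
}

function Test-EveryoneFullControl {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path -ErrorAction Stop
    # Ask for SIDs rather than names so the comparison does not depend on language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights = [int]$rule.FileSystemRights
        $isFull = (($rights -band $FullControl) -eq $FullControl) -or
                  (($rights -band $GenericAll) -ne 0)
        if ($rule.IdentityReference.Value -eq $EveryoneSid -and
            $rule.AccessControlType -eq 'Allow' -and $isFull) {
            return $true
        }
    }
    return $false
}

function Get-ShareAudit {
    foreach ($share in (Get-WmiObject -Class Win32_Share)) {
        $open = @()
        # Types 0 and 2147483648 are disk shares; printers, devices and IPC have no folder ACL.
        if ($share.Type -eq 0 -or $share.Type -eq 2147483648) {
            $targets  = @($share.Path)
            $targets += @(Get-ChildItem -Path $share.Path -Force -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.FullName })
            foreach ($target in $targets) {
                try {
                    if (Test-EveryoneFullControl -Path $target) { $open += $target }
                } catch {
                    Write-Warning "Cannot read ACL on ${target}: $($_.Exception.Message)"
                }
            }
        }
        New-Object PSObject -Property @{
            Share               = $share.Name
            Kind                = (Get-ShareKind $share)
            Path                = $share.Path
            EveryoneFullControl = $open
        }
    }
}

Get-ShareAudit |
    Select-Object Share, Kind, Path,
        @{ Name = 'EveryoneFullControl'; Expression = { $_.EveryoneFullControl -join '; ' } } |
    Format-List
```

Administrative shares are recreated when the Server service starts, which is why 10.3.1 has you remove them after every boot; running the audit after a reboot shows which ones have come back.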
10.3.3.2 To map a network drive, do the following steps:
1) Go to Windows explorer by right clicking on My Computer | Explore.
2) Once in explorer click on Tools | Map Network Drive.
3) Choose the Computer you want to access. The shared folders of that particular computer will show up. Click on the particular shared folder. The path box will AutoFill. Click OK.
4) A new drive with a network icon will show up on the left side of explorer.
5) Click on the folder tab and the previous mapped connections will show up.
10.3.4 Maintaining Adequate Disk Space
1) Whenever other users have access to a server with shared files you run the risk of it being used as a place to dump files. It won't be long before those files begin to take up a lot of the server's hard disk space. From time to time it would be wise to do some house cleaning and take those files out. However, make sure that you inform the owner of those files first before you start deleting anything.
2) To check for ownership right click on the file and a shortcut box will appear.
3) Click on Properties and a Properties box will appear.
4) Click on the Security Tab.
5) On the Security box...
6) Here you will see the owner of the file. Click Close to exit.
7) One type of file that you might want to monitor is the Dump file created after doing an Export. After a while the number of Dump files created gets big and takes up a huge amount of disk space on the C drive. Especially with units that process large quantities of transactions or have a big database, C drive disk space is very precious. Therefore, it is suggested that the Dump files found in C:\SAAS\dumps\backups be transferred to the D drive. You can also run the utility SpaceMaker under the SAAS Commo Utilities.
10.4 Emergency Repair Disk
With the advancement beyond the Windows 2000 Platform, there is no more capability to create or utilize an Emergency Repair Disk. This feature is no longer available.
10.5 SpaceMaker
This procedure was initially written when SAAS MOD was first deployed and the disk drives were only 2-4 GB in size. This is no longer the case; however, this procedure still has value for cleaning out old data that is no longer required. This desktop icon (SAAS | COMMO | SpaceMaker) will move selected data from your C: hard drive to the tape archive, freeing up space. The following types of files will be moved, and a printout of all affected directories and files will be generated.
A. Communications history files for all incoming and outgoing data
   1. *.DAT; *.CHK; *.ZIP and *.END
   2. WARS history files
   3. DAAS_CCSS history files
B. Oracle dump files
C. FTP Log files

1. Set the number of days you wish to keep on your system. Default is 15.
2. Place a properly labeled tape in the tape drive.
10.6 Basic Schedule of Server System Maintenance
DAILY:
1) Check c:\(your system root)\autobackup.log first thing in AM to ensure Scheduled Backup performed correctly.
2) Insert next day's tape for System Backup. Go to Start -> Programs -> Administrative Tools -> Backup. Select Operations -> Erase Tape.
3) Execute Start Commo (Icon) prior to leaving for day (before time set to send files, 1800 at Huachuca).
NOTE: Have communication interval set for 1 min. Commo should be set to run first - 1800; then backup - 2000. Follow local Security Guidelines relative to departing your work area at the end of each work day.
WEEKLY:
1) Perform export and check c:\SAAS\dumps\explogs\exp.log. (Section 12 - all users logged off.)
2) Check Event Viewer in Start -> Programs -> Administrative Tools -> Event Viewer. NOTE: Default on Event Viewer log in NT is 7 days. Be sure to check all STOP signs. (Section 10)
3) May want to reboot (actually Power Down) Server once a week to flush all memory.
BIWEEKLY:
Execute SPACEMAKER icon on desktop (Section 10.5). Keep maybe 15 days on the Server. NOTE: This will append to tape. Should keep several months' worth on tape. When free space on the C: drive falls below 25M, a warning will appear.
MONTHLY:
1) Perform an export and immediately turn around and import the database. All users must be logged off. NOTE: This is done since the export process does a routine similar to a "defrag", but on the exported database. Therefore the user doesn't get the advantage of the "defrag" unless the user imports the database back in. Be sure to check exp.log and imp.log. (Section 12)
2) Perform Archive Audit Table in SAAS Utilities. (See sheet with instructions - users logged off.) Section 18.1.
NOTE: The audit table grows much faster than any other table in the database. Users should check the number of records in the table and, when that number reaches a threshold of 100,000, archive. Based on this threshold number and the number of days taken to reach it, they can decide the periodicity of archiving the audit table.
QUARTERLY:
1) Perform Archive Transactions in SAAS Utilities. (See sheet with instructions - users logged off.) Section 18.2.
NOTE: Rule of thumb: aim to have <5000 transactions in Transaction_History table.
MISCELLANEOUS MAINTENANCE NOTES:
1) If there is a problem with commo there will be an error message. Comview Icon (made up of saasftp.log and comftp.log) - only really need to check Icon if there is a problem. Mandatory to keep this log for 90 days. The SAAS system takes care of it for you. Comwatch.log - check only if problems. (Section 11)
2) A Full System Backup should be executed whenever deemed necessary; i.e., before new ICP loaded, new SW, etc. Users must be logged off. (Section 10)
SECTION 11.0 COMMUNICATIONS
11.1 Introduction to SAAS communications
With all fielded baselines, communications software will be loaded automatically. Once this is done there will be two directories built on the C drive for communications: DODAACOM and SAAS_FTP. Sub directories will be built once COMSETUP is run.
SAAS communications is automated to the point that there is little user interface. The system will automatically perform the rest of the SAAS communications functions. The communications programs are designed to use the NIPRNET; if the NIPRNET is not available, or you are unable to connect to it, the program will initiate the remote access service using a modem. You must configure your communications setup (COMSETUP) records to let SAAS know the exact communications process to use to communicate.
Microsoft has simplified remote LAN access considerably by building a Remote Access Service (RAS) into Windows 2003. RAS integrates smoothly with Windows 2003 and does not require you to learn a new method of using LAN resources. The only difference between a remote user and a local user is the initial dial-in step. Once you dial-in, everything works as though the computers were directly attached to the LAN cable.
The SAAS communications programs are designed to use RAS if the NIPRNET or terminal server is not available. The only intervention you have is to connect modems to the system and add the phone number(s) in the SAAS communications setup utility. All levels of SAAS operate the communications in exactly the same manner. No matter how the connections are made, File Transfer Protocol (FTP) is the means used to transfer data between SAAS elements. The driving principle is that the name of every file created by the system begins with the DODAAC, and the user defines within the setup utility how to communicate with that particular DODAAC.
There are numerous functions to the SAAS communications. They are named as follows: COMSTART, COMSETUP, COMVIEW, COMRPT, WARSCOM, DAASCOM, SPBSIN, TERMINATE COMMO, SpaceMaker, TAMIS missing batch, and TAMISreship. These programs constitute the entire SAAS communications capability which is described below.
With the release of SCP L6F-09-00, SAAS communications has incorporated secure FTP. Commercial off the shelf (COTS) software developed by GlobalScape will be added to the SAAS baseline. There is no new look. The communications programs will simply transmit the data by calling the new program instead of regular, non-secure FTP.
a. COMSTART: This program is initiated at startup and will run in background mode on the server only at all times. It serves as the driver for all SAAS communications functions, whether it be to send files via NIPRNET, dial out, receive calls for incoming files, write files to disk, update communications log files, or check the database for outgoing data. There is a program called COMWATCH that is the program interface with the database. The program COMRUN will call COMWATCH. With SCP 04 you may see a comwatcherr.exe icon appear on the task bar and the system will be beeping. If there were errors detected, click on the comwatcherr.exe icon on the task bar to determine what error there is. You may need to terminate communications. The error will be described and appropriate action will need to be taken. You can view a list of all errors in Section 13.4.
b. COMSETUP: This program allows the user to establish the mode of communications and define what type of communications will occur for each communications interface. It is here that you will enter the required data to define how you communicate with each user. You enter the data by DODAAC, IP Address or Phone number, whether you will connect via terminal server, whether you will generate diskette only for this user, the number of attempts before reporting errors, and the number of minutes between each attempt to connect to communicate. This is the maintenance utility for SAAS communications.
c. COMRPT: This program allows the user to check duplicates either coming into the system or that are system generated.
d. COMVIEW: This program allows the user to view the communications log file by bringing it into the Microsoft Notepad facility. This program has been updated to allow the user to view additional communications log files to include: comftp.log; comftpget.log; comwatch.log; copylog.log; nlacftp.log; psftp.log; savicom.log; tamiscomerr.log; tamisftphistory.log and warsftp.log. A menu window will be displayed allowing the user to select which log they wish to view. Highlight the log you want to view and click on display. When you are finished, close the log by closing the Notepad window, then click on exit.
e. WARSCOM: This program allows the user to send files to WARS that were previously skipped. To change your password, which is a regulatory function of WARS, at the Password field on the login and transmit screen, enter the old password, a forward slash, and the new password, without spaces. Ex. roip23xe/ii97bgrw2. This program is only loaded on SAAS MMC Servers.
f. DAASCOM: This program allows the user to send files to DAAS that were previously skipped.
g. SPBSIN: This program allows the user to read in SPBS-R diskettes that have been received. This program is only loaded on SAAS MMC Servers. It will no longer be needed when PBUSE is fully fielded.
h. TERMINATE COMMO: This program will check the comrun.exe program at a point that will not corrupt files. Previously, termination of communications while entering data for processing to Oracle or pulling data for user distribution from Oracle has created transactional duplication. This process monitors the communications program and waits until it is a safe point to terminate the program. NOTE: If you lose power to your server and the communications process was running, then you will have to delete the file c:\commrunning. This file tells the COMSTART program that the communications process is running already, so it won't start another copy.
i. SpaceMaker: This program allows the user to "clean" old data from the system. It targets certain commo and dump files for removal from the hard drive and archiving to tape.
j. AEPS Output: SAAS MOD can now create "automated" transactions for DIC's A05 and A0E, which only require operator input the first time it is run. If any log on information changes, the update capability exists within the COMSETUP program. (See Section 11.2.3) Once run, the AEPS log on data will be saved to your comini.ini file and can be viewed by the COMSETUP program. See below. Once you have obtained a UserID and password through AEPS, and you have generated output, a message will be displayed to run COMSETUP and enter the AEPS IP Address, your AEPS Userid and AEPS password and click on test. For the first connection, enter "y" to cache your system information with the host (AEPS) and enter bye to exit. When you return to the COMSETUP screen, the test button will read SAVE. Click on SAVE and your data will be saved. No further input will be required unless your password changes, which can be accomplished by simply running COMSETUP.
k. TAMIS-R Communications: Enhanced Training Ammunition Management Information System Revised (TAMIS-R) interface. This interface will require two way secure ftp traffic between the SAAS ASP system and TAMIS-R. The SAAS user must set up an ftp account for TAMIS-R to send electronic DA581 data to. The SAAS user should contact his/her local DOIM to determine all information required to establish a firewall rule at the local installation. Then the SAAS user should contact Mr. Guoqing Tian at TAMIS-R, phone (301) 794-8200 or email GTian@aim4value.com, to obtain all the required information. Mr. Tian will also minimally need the IP address and the ftp account information for the SAAS system. An alternate POC at TAMIS-R is Mr. William Ford, (301) 794-8200 or email wford@aim4value.com. The new TAMISCOM uses secure FTP and will use batch numbers for tracking data transmissions. Incoming will track batch numbers and will be displayed if there is a batch out of sequence. User will be able to request transmission of missing batch. For outgoing transmissions, the user will have the capability to resend by selecting a specific batch number. File names will be in the format of DODAAC, Batch number.TAMIS.
l. TAMIS Missing Batch: This program is designed to keep users in line with batch numbers. Each interface with TAMIS should generate a new sequential serial batch number. If for some reason, a missing batch number should appear in your in folder from TAMIS, when comrun.exe calls the TAMIS process and sees it, it will display a screen like below:
You may select any or all batches to be deleted, or with coordination with your TAMIS representative, have the missing batch number reshipped to you. To delete a batch, highlight the selected batch(es) and click on the DELETE BATCH(s) button. Click on EXIT to exit this screen. This process can also be run from the SAAS Communications Menu.
m. TAMISreship: This process is for reshipping missing batch files to TAMIS. Execute from the SAAS Communications Menu and you will see the following screen:
You can enter the batch number or click on SELECT to see the next screen:
If this is the correct file you wish to reship to TAMIS click on Send. If you are not sure and want to examine the transactions click on DISPLAY DATA. If this is not the correct batch, click on Select Different Batch. Once you are sure of the correct file, click on SEND. When finished, click on EXIT.
n. NLAC Communications: Requisitions for configured load will be sent to the National Level Ammunition Capability (NLAC). Status will come back through the normal DAAS channels. SAAS communications has been modified to recognize a configured load requisition and prompt the user for NLAC login information. The requisitions will be sent via ftp. A process was added to the catalog maintenance process to allow the user to add, delete, and update configured load codes.
11.2 COMSETUP.exe Operation Instructions
11.2.1 Initial setup instructions:
NOTE: This is done when system is first installed and refers to information about YOUR system.
1) Enter your Organization Level (ASP, ATP, DAO, or MMC) at Organization Level of Remote Site. Use ASP for sites operating as an ATHP.
2) Enter your DODAAC.
3) Enter your IP Address. NOTE: Currently, you may now enter names rather than IP addresses. In the case of FORSCOM, TRADOC and NGB, users can enter ftp.osc.army.mil in the IP address field.
4) Enter NONE or Phone Number. NONE must be uppercase!
5) Enter a User Name that has FTP privileges (EX: ftpaspuser - see User Manager Setup Instructions).
6) Enter the PASSWORD for that USER. NOTE: Password is case-sensitive.
7) You may set retry count (default is 3) and Communication Interval (default is 1 minute). To set each field, type in a value and click on ENTER. NOTE: The Communication Interval field determines how often to send data. For example, enter 1 to transmit every minute, or enter 5 to transmit every 5 minutes. The Retry Count gives the number of times to try to connect at each interval before an error is reported.
8) Setting Call time HOUR. NOTE: This is when to START transmissions at a specific HOUR - determined by SA at site.
   a) Enter HOUR in Call time HOUR (military time 0 through 24). NOTE: A 0 in Call time HOUR means to send whenever there is data available. This is dependent on the Communications Interval.
   b) Click on ENTER under Communications Interval. NOTE: This field is for how often to send (1 for 1 minute; 5 for every 5 minutes).
   c) To call every interval, ENTER 0 in Call time HOUR (when 0 is entered COMRUN will call whenever there is data to send).
9) If using a terminal server for phone connections:
   a) Enter Terminal server Phone number.
   b) Enter Terminal server User Name.
   c) Enter Terminal server User Password.
   d) Select Terminal server YES.
10) Click on SAVE SAAS.
11) You now have the capability to change your DODAAC. You can perform this by doing the following actions:
   a) Double click on CHANGE DODAAC tab.
   b) Enter DODAAC in the box next to the tab CHANGE DODAAC.
   c) Do steps 1 thru 10 above and your system DODAAC will be changed to the new DODAAC.
NOTE: The following table gives a summation of the required fields for the local site regardless of the type of connection.

COMSETUP FOR LOCAL SITE
COMSETUP FIELD: REQUIRED ENTRIES FOR LOCAL SITE
ORGANIZATION LEVEL: SELECT LOCAL SITE'S ORGANIZATION LEVEL -- MMC, ASP, DAO, OR ATP
DODAAC: ENTER DODAAC OF LOCAL SERVER - SHOULD ALSO BE THE NAME OF THE LOCAL SERVER
IP ADDRESS: ENTER IP ADDRESS OF LOCAL SERVER
FTP USER NAME: ENTER FTP USER NAME OF LOCAL SERVER
FTP PASSWORD: ENTER FTP USER PASSWORD ON LOCAL SERVER
RETRY COUNT: LEAVE DEFAULT SETTING
COMMUNICATION INTERVAL: LEAVE DEFAULT SETTING
CALL TIME HOUR: VALUE WILL BE ECHOED FROM OTHER SCREENS
DUPLICATE CHECK FIELD: ENTER NUMBER OF DAYS TO CHECK FOR DUPLICATE RECORDS IN HISTORY
THIS SYSTEM USING A TERMINAL SERVER: NOT APPLICABLE ON THIS SCREEN
DESTINATION SYSTEM IS USING A TERMINAL SERVER: NOT APPLICABLE ON THIS SCREEN
TERMINAL SERVER ID: NOT USED
TERMINAL SERVER PASSWORD: NOT USED
PHONE NUMBER: ENTER NONE (CAPS)
11.2.2 COMSETUP instructions for adding OTHER DODAAC's:
NOTE: Add DODAAC's you communicate with.
1) Required information for Destination systems. NOTE: ALL information supplied by SA at destination site.
   a) DODAAC of system.
   b) User LOGON name.
   c) User Password.
   d) IP address.
   e) Phone number (if applicable).
   If using a terminal server for phone connections:
   f) Terminal server Phone number.
   g) Terminal server User Name.
   h) Terminal server User Password.
2) Double click on COMSETUP ICON.
3) Click on appropriate Organizational Level of Destination System.
4) Enter DODAAC name of Destination System.
5) Enter IP address of Destination System. (NOTE: If you want the DODAAC to ALWAYS generate a floppy disk, enter xxx.xxx.xxx.xxx for IP address.)
6) Enter Phone number of Destination System or enter NONE (if using a network connection).
7) Enter USER NAME for Destination System.
8) Enter USER PASSWORD for Destination System. NOTE: This is case-sensitive, ensure it is correct.
9) Enter Retry count. NOTE: This is the number of times to try connecting before error is reported; recommend 3-5.
10) Enter Communications Interval. NOTE: This is how often you want to transmit data: 1 minute Minimum, 11080 minutes Maximum.
11) If using a terminal server for phone connections:
   a) Enter Terminal server Phone number.
   b) Enter Terminal server User Name.
   c) Enter Terminal server User Password.
   d) Select Terminal server YES.
12) Duplicate Check Period in Days. This is set to check for duplicate records for the number of days entered. If it were set to 7, then Commo will keep a history of records sent for the preceding 7 days. Commo will check this history file for duplicates before each transmission.
13) Click on SAVE SAAS to ENTER DATA or QUIT to ABORT.
NOTE: Once the information is entered, it can be modified at any time.
When you change the way you connect to one of your sites, you will change the information for the DODAAC in COMSETUP. When necessary, changes can be made by doing the following: click on the COMSETUP icon on the server, change the information as needed, and save it. The following tables are a summation of the fields required in COMSETUP for the four ways to communicate with other sites in SAAS. A screen must be completed for each unit the local site connects to. The sites may not use the same connection method.

COMSETUP FOR NETWORK CONNECTION
COMSETUP FIELD: REQUIRED ENTRIES FOR NETWORK CONNECTION
ORGANIZATION LEVEL: SELECT DESTINATION ORGANIZATION LEVEL -- MMC, ASP, DAO, OR ATP
DODAAC: ENTER DODAAC OF DESTINATION SERVER
IP ADDRESS: IP ADDRESS OF DESTINATION SERVER
FTP USER NAME: FTP USER NAME ON DESTINATION SERVER
FTP PASSWORD: FTP USER PASSWORD ON DESTINATION SERVER
RETRY COUNT: ENTER NUMBER OF ATTEMPTS BEFORE ERROR IS REPORTED
COMMUNICATION INTERVAL: ENTER NUMBER OF MINUTES BETWEEN TRANSMISSIONS (1 TO 11080)
CALL TIME HOUR: ENTER NUMBER FROM 01 TO 24 INDICATING WHEN TO BEGIN TRANSMISSION -- VALUE WILL BE ECHOED TO OTHER SCREENS
DUPLICATE CHECK FIELD: ENTER NUMBER OF DAYS TO CHECK FOR DUPLICATE RECORDS IN HISTORY
THIS SYSTEM IS USING A TERMINAL SERVER: DO NOT SELECT
DESTINATION SYSTEM IS USING A TERMINAL SERVER: DO NOT SELECT
TERMINAL SERVER ID: NOT USED
TERMINAL SERVER PASSWORD: NOT USED
PHONE NUMBER: ENTER NONE
* LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE SYSTEM TO CHECK EVERY MINUTE FOR DATA.
COMSETUP FOR MODEM TO MODEM CONNECTION
COMSETUP FIELD: REQUIRED ENTRIES FOR NETWORK CONNECTION
ORGANIZATION LEVEL: SELECT DESTINATION ORGANIZATION LEVEL -- MMC, ASP, DAO, OR ATP
DODAAC: ENTER DODAAC OF DESTINATION SERVER
IP ADDRESS: IP ADDRESS OF DESTINATION SERVER
FTP USER NAME: FTP USER NAME ON DESTINATION SERVER
FTP PASSWORD: FTP USER PASSWORD ON DESTINATION SERVER
RETRY COUNT: ENTER NUMBER OF ATTEMPTS BEFORE ERROR IS REPORTED
COMMUNICATION INTERVAL: ENTER NUMBER OF MINUTES BETWEEN TRANSMISSIONS (1 TO 11080)
CALL TIME HOUR: ENTER NUMBER FROM 01 TO 24 INDICATING WHEN TO BEGIN TRANSMISSION -- VALUE WILL BE ECHOED TO OTHER SCREENS
DUPLICATE CHECK FIELD: ENTER NUMBER OF DAYS TO CHECK FOR DUPLICATE RECORDS IN HISTORY
THIS SYSTEM IS USING A TERMINAL SERVER: NOT USING TERMINAL SERVER -- DO NOT SELECT
DESTINATION SYSTEM IS USING A TERMINAL SERVER: IF USER REPORTING BY TERMINAL SERVER, THIS FIELD WILL BE SELECTED BY MMC
TERMINAL SERVER ID: NOT USED
TERMINAL SERVER PASSWORD: NOT USED
PHONE NUMBER: PHONE NUMBER OF DESTINATION SERVER
* LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE SYSTEM TO CHECK EVERY MINUTE FOR DATA.
COMSETUP FOR TERMINAL SERVER CONNECTION

COMSETUP FIELD: REQUIRED ENTRIES FOR NETWORK CONNECTION
ORGANIZATION LEVEL: SELECT DESTINATION ORGANIZATION LEVEL -- MMC, ASP, DAO, OR ATP
DODAAC: ENTER DODAAC OF DESTINATION
SERVER IP ADDRESS: IP ADDRESS OF DESTINATION SERVER
FTP USER NAME: FTP USER NAME ON DESTINATION SERVER
FTP PASSWORD: FTP USER PASSWORD ON DESTINATION SERVER
RETRY COUNT: ENTER NUMBER OF ATTEMPTS BEFORE ERROR IS REPORTED
COMMUNICATION INTERVAL: ENTER NUMBER OF MINUTES BETWEEN TRANSMISSIONS (1 TO 11080)
CALL TIME HOUR: ENTER NUMBER FROM 01 TO 24 INDICATING WHEN TO BEGIN TRANSMISSION -- VALUE WILL BE ECHOED TO OTHER SCREENS
DUPLICATE CHECK FIELD: ENTER NUMBER OF DAYS TO CHECK FOR DUPLICATE RECORDS IN HISTORY
THIS SYSTEM IS USING A TERMINAL SERVER: YES, SELECT THAT THIS SYSTEM IS USING A TERMINAL SERVER
DESTINATION SYSTEM IS USING A TERMINAL SERVER: IF USER REPORTING BY TERMINAL SERVER, THIS FIELD WILL BE SELECTED BY MMC
TERMINAL SERVER ID: ENTER TERMINAL SERVER ID
TERMINAL SERVER PASSWORD: ENTER TERMINAL SERVER PASSWORD
PHONE NUMBER: ENTER PHONE NUMBER OF TERMINAL SERVER

* LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE SYSTEM TO CHECK EVERY MINUTE FOR DATA.
** IF SYSTEM IS MMC, AND REPORTING USER IS USING A TERMINAL SERVER TO SEND DATA, SELECT 'DESTINATION SYSTEM IS USING A TERMINAL SERVER'. THIS ALLOWS DESTINATION USER TO PULL BACK DATA FROM THE MMC.
11.2.3 Other COMSETUP Functions

1) Read>A: button is to read in floppy disk data.
2) To display the data for a DODAAC already entered in the system:
   a) Highlight the desired DODAAC in EXISTING ORGANIZATIONS.
   b) Click on Display DODAAC.
   c) You may modify entry information and SAVE.
3) To delete a DODAAC:
   a) Highlight the desired DODAAC to delete in EXISTING ORGANIZATIONS.
   b) Click on DELETE ORGANIZATION.
4) To modify AEPS connection data:
   a) Highlight and change AEPS IP Address if required.
   b) Highlight and change AEPS User Name if required.
   c) Highlight and change AEPS Password if required.
   d) Click on SAVE AEPS adjacent to the AEPS date elements. (Not the SAVE SAAS at the bottom as this saves DODAAC entries only)
5) To modify TAMIS connection data:
   a) Highlight and change TAMIS IP Address if required.
   b) Highlight and change TAMIS User Name if required.
   c) Highlight and change TAMIS Password if required.
   d) Click on SAVE TAMIS adjacent to the TAMIS date elements. (Not the SAVE SAAS at the bottom as this saves DODAAC entries only)
6) To modify NLAC connection data:
   a) Highlight and change NLAC IP Address if required.
   b) Highlight and change NLAC User Name if required.
   c) Highlight and change NLAC Password if required.
   d) Click on SAVE NLAC adjacent to the NLAC date elements. (Not the SAVE SAAS at the bottom as this saves DODAAC entries only)
11.3 COMRUN.exe Operation Instructions

COMRUN instructions for correcting DODAACs if SETUP Screen appears

1) Required information for Destination systems. (ALL information supplied by system admin at destination)
   a) DODAAC of system
   b) User LOGON name
   c) User Password
   d) IP address
   e) Phone number (if applicable)
   If using a terminal server for phone connections:
   f) Terminal server Phone number
   g) Terminal server LOGON ID
   h) Terminal server Password
      1) Select Terminal server YES
2) If SETUP screen appears, the system had problems connecting with the DODAAC displayed.
   a) Check connection status report for error.
   b) If the error displayed refers to no answer, access denied, or not logged on, check your entries in the displayed area. You may correct the IP address, phone number, User name and password. If the DODAAC is INCORRECT you must use COMSETUP to enter the correct DODAAC information. If you make corrections you must SAVE.
   c) If the error refers to a busy line you may increase the Retry count and/or just Continue. Continue will use the existing information and retry connecting. If you wish to correct only one Entry you may do that and skip directly to SAVE. ONLY USE SAVE IF YOU HAVE CHANGED one or more ENTRIES.
3) Enter IP address (if you want the DODAAC to ALWAYS generate a floppy disk, enter xxx.xxx.xxx.xxx for IP address).
4) Enter Phone number or NONE.
5) Enter USER NAME.
6) Enter USER PASSWORD (this is CASE sensitive; ensure it is correct).
7) Click on SAVE ONLY IF YOU HAVE CHANGED ONE or MORE of the ABOVE ENTRIES.
8) Enter Retry count, CLICK on ENTER, then CONTINUE (this is the number of times to try connecting before error is reported, recommended 5).
9) Enter Communications Interval, CLICK on ENTER, then CONTINUE (this is how often you want to transmit data; 1 minute Minimum and Maximum equals 10080 minutes).
10) To display the data for a DODAAC already entered in the system:
   a) Highlight the desired DODAAC in EXISTING ORGANIZATIONS.
   b) Click on Display DODAAC.
   c) You may modify entry information and SAVE.
11) To delete a DODAAC:
   a) Highlight the desired DODAAC to delete in EXISTING ORGANIZATIONS.
   b) Click on DELETE ORGANIZATION.
12) Setting Call time HOUR (to start transmissions at a specific hour):
   a) Enter HOUR in Call time HOUR (military time 0 through 24).
   b) Click on ENTER under Communications Interval.
   c) To Call every Interval, ENTER 0 in Call time HOUR (when 0 is entered, COMRUN will call whenever there is data to send, as often as the Communications Interval is set, i.e. every minute for 1, every 5 minutes for 5).
11.4 Remote Access Service Installation

SAAS MOD no longer supports the use of Remote Access Service. This is a feature designed for allowing users to connect via Modems. This is no longer allowed by AR 25-2.
11.5 GlobalSCAPE Secure FTP

SAAS now installs this product for secure communications which replaces the need for Microsoft Internet Information Services which controlled the FTP site. All settings and configuration are self contained during the installation of SAAS communications package. FTP Publishing Service is also no longer required and has been disabled with the implementation of SAAS communications. GlobalSCAPE is set for secure FTP transmissions, but will also accept regular (non-secure) FTP if the sender does not have secure FTP installed.
11.6 User Manager Setup

1) Open User Manager by a right click on My Computer | Manage.
2) Click on Local Users and Groups.
3) Right click on Groups and select New Group.
4) Create a Group called FTPUSERS (or their SA choice) and click on Create.
5) Click on Create, and then close.
6) Right click on the new group and click on Properties.
7) Click on Add and select your user.
8) Click on Add.
9) Click on OK and exit Computer Management.
NOTE: FTPUSERS Group must have full control of C:\dodaacom directory and files.

All Domain users must have full control of the following:
c:\comwatch.log file
c:\dodaacom directory and all sub directories and files
c:\saas_ftp directory and files
c:\winnt\system32\drivers\etc directory and files
11.7 Duplicate File ship Instructions

A) Required information to send duplicate Data
   1. FILE NAME to transmit
   2. DODAAC name you want to transmit to.
   3. User Logon to that DODAAC for Dial-In and FTP
   4. User password
   5. DODAAC's IP address

B) Instructions to implement DUPLICATE FILE SHIPMENTS (TO SEND A FILE ALREADY SENT BUT NOT RECEIVED BY THE RECIPIENT)
   1. Stop COMRUN.EXE
   2. Use Explorer or File Manager to locate the File to be sent
      a. file will be located in c:\dodaacom\(this system's DODAAC name)\OUT\(DODAAC to be transmitted to)\Trans_history\ (file.zip & file.end)
   3. Copy these files to c:\users\default
   4. Use Dial-up Networking to connect to the destination DODAAC
      a. Dial-up Networking is located in - START PROGRAMS ACCESSORIES
      b. Select DODAAC name
      c. Click on DIAL
      d. Enter User name & password (if asked for)
      e. Wait for Connection
   5. Start command prompt
      a. located in - START PROGRAMS
   6. Do Dir (enter) to check that you are in c:\users\default; if you are not in that Directory, CD to it. Type FTP (IP address) (enter)
      a. Enter User name
      b. Enter Password
      c. Type put (filename.zip) (destination DODAAC)\IN\filename.zip)
      d. If you receive Transfer complete, go to e. (if you receive an error check the directories and file name)
      e. Type put (filename.end) (destination DODAAC)\IN\filename.end)
      f. If you receive Transfer complete, go to g. (if you receive an error check the directories and file name)
      g. Type bye
      h. Type exit
      i. Use Dial-up Networking and HANG UP
   Double click on COMSTART icon.
11.8 COMRPT.exe Operation Instructions

1. To display a DODAAC duplicate record report:
   a) Highlight the DODAAC you wish to see.
   b) Click on DISPLAY DODAAC REPORT. This will display ALL duplicate records shipped to that DODAAC. You may print this list or delete it.
2. To display INPUT duplicate records received:
   a) Click on DISPLAY INPUT REPORT.
3. Click on QUIT to exit.
11.9 COMMO File Descriptions

ASP/MMC/DAO/ATP Header File Descriptions

File Names
Eight characters before the period and three characters after the period as an extension. First two characters will be the first two characters from the level indicator, like AS for ASP, MM for MMC, DA for DAO and AT for ATP. The next six characters form a unique number. The extension is HDR.

Header File Contents
Mandatory header file keywords and descriptions are:
SOURCE_ID: DODAAC, UIC, RIC of the sender.
DEST_ID: DODAAC, UIC, RIC of the receiver.
FILE_ID: The absolute path of the data file (No Special Characters).

Example of a Data Header File
Name: AS5202.HDR
ATTRIBUTE SOURCE_ID: SAASM2
ATTRIBUTE DEST_ID: W83J HT
ATTRIBUTE FILE_ID: C:\dodaacom\SAASM2\OUT\AS5202.DAT

Data File Descriptions

File Names
Eight characters before the period and three characters after the period as an extension. First two characters will be the first two characters from the level indicator, like AS for ASP, MM for MMC, DA for DAO and AT for ATP. The next six characters form a unique number. The extension is DAT.
Data File Contents All the attributes in the data field are delimited by a tilde character (~).
Sender: SAAS ASP - MMC
Receiver: SAAS MMC - WARS - TAMIS
Source: Transaction Processing
Action: Transaction Processing

Itm  Data Name  Len  Cls  Data Name  Len  Cls  Posn  Remarks
1  Transaction Format Ind  1  Text  Transaction Format Ind  1  Text  1  Constant 'W' for LMP
2  Record Type  1  Text  Record Type  1  Text  2  Constant 'A' for Asset Transaction
3  Item_ID  15  Text  NSN  15  Text  3-17
4  Lot_Number  18  Text  LOT.NO  18  Text  18-35
5  Serial_Number  18  Number  SER.NO  18  Text  36-53
6  Condition_Code  1  Text  COND.CD  1  Text  54
7  RIC  3  Text  RIC  3  Text  55-57
8  Purpose_Code  1  Number  PURP.CD  1  Number  58
9  Transaction_Code  3  Text  TRANS.CD  3  Text  59-61
10  TrnsctnQty  9  Number  TRANSACTION/LOT.QTY  12  Number  62-73  right-justified, zero fill
11  Obligated Qty  TRANSACTION/OBLIG QTY  12  Number  74-85  right-justified, zero fill
12  DateMFG  6  Number  YR.MON.MFG.DT  6  Number  86-91  YYYYMM
13  DefectCd  6  Text  QUAL.DEF.CD  6  Text  92-97
14  DefectCd2  6  Text  QUAL.DEF.CD  6  Text  98-103
15  DefectCd3  6  Text  QUAL.DEF.CD  6  Text  104-109
16  DefectCd4  6  Text  QUAL.DEF.CD  6  Text  110-115
17  RestrictionCd  5  Text  RESTR.CD  3  Text  116-118
18  RestrictionCd  5  Text  RESTR.CD  3  Text  119-121
19  AmmoUseCd  5  Text  AMMO.USE.CD  3  Text  122-124
20  AmmoUseCd  5  Text  AMMO.USE.CD  3  Text  125-127
21  FUNC COND CD  1  Text  128
22  ACCEPT CD  1  Number  129
23  AMMO OWNER CD  1  Text  130
24  SHELF LIFE  1  Text  131
25  SHELF LIFE EXPIR  6  Text  132-137  YYYYMM
26  TypStorCd  1  Text  TY.STOR.SP.CD  1  Text  138
27  TypLastInsp  1  Text  TLI.CD  1  Text  139
28  DtLastInsp  6  Number  MO.YR.LST.INSP  6  Number  140-145  MMYYYY
29  TypNextInsp  1  Text  TNI.CD  1  Text  146
30  DtNextInsp  6  Number  MO.YR.NXT.INSP  6  Number  147-152  MMYYYY
31  DtTimeGp  13  Number  DT.TM  13  Number  153-165  YYYYDDDHHMMSS
32  WARS CMD CD  3  Number  166-168
33  DODAAC  6  Text  DODAAC/UIC  6  Text  169-174  XREF SP to Mil_Org
34  DODAAC/UIC  6  Text  DODAAC/UIC (TO/FROM)  6  Text  175-180  XREF SP to Mil_Org
35  DOC NBR/TCN  17  Text  DOCUMENT NBR/TCN  17  Text  181-197
36  Batch_Number  6  Number  BATCH.NO  6  Number  198-203  Batch number, right-justified, zero fill
37  Batch Record Nbr  9  Number  BATCH.REC.NO  9  Number  204-212  Record number in batch, right-justified, zero fill
38  LMP Owner/Purpose Cd  1  Text  LMP Owner/Purpose Cd  1  Text  213
39  12  214-225  Spaces
40  Training_Event_Code  3  Text  TRAINING EVENT CD  3  Text  226-228
41  4  229-232  Spaces
42  Recording_Account_Code  3  Text  Recording ACCT CD  3  Text  233-235
43  TIN or Container  12  Text  TIN_OR_CONTAINER  12  Text  236-247
44  Crop  12  Text  CROP  12  Text  248-259
45  Config Load  12  Text  CONFIG LOAD  12  Text  260-271
46  Storage Space Cd  3  Text  Storage Space Code  3  Text  272-274
47  LMP FSA RIC  3  Text  LMP FSA RIC  3  Text  275-277
48  Typ Stg To  1  Text  Typ Stg To  1  Text  278
49  Purp To  1  Text  Purp To  1  Text  279
50  20  280-300  Spaces
51  StorPtCd  2  Text  Storage Point Code  2  Text  301-302
52  CompGP  1  Text  Compatibility Group  1  Text  303
53  TypePkCd  2  Text  Type Pack Code  2  Text  304-305
54  LineNo  4  Number  Line_Number  4  Number  306-309
55  ContainerInd  1  Text  Container Indicator  1  Text  310  Blank or 'C' if container
56  DODIC  4  Text  DODIC  4  Text  311-314
57  TrnsctnType  1  Text  Transaction_Type  1  Text  315
58  TurnAroundInd  1  Text  Turn Around Indicator  1  Text  316
59  UnitDsgntn  12  Text  DODAAC_Name  12  Text  317-328
60  WhsidentNo  5  Text  Storage_Site_ID  5  Text  329-333
61  CondCdTo  1  Text  Condition_Code_To  1  Text  334
62  WhsIdentNoTo  5  Text  Storage_Site_Id_To  5  Text  335-339
63  RDD  3  Text  Required Delivery Date - Period  3  Text  340-342
64  StorPtCdTo  2  Text  Storage_Point_Code_To  2  Text  343-344
65  ProjectCd  3  Text  Project Code  3  Text  345-347
66  PD  2  Number  Priority Designator  2  Number  348-349
67  RICTo  3  Text  RIC To  3  Text  350-352
68  ReqQuantity  9  Number  Requested Quantity  9  Number  353-361
69  AcctCdAmmoTo  3  Text  Account Code Ammunition To  3  Text  362-364
70  ModeOfShip  1  Text  Mode Of Shipment  1  Text  365
71  ActualPullDt  7  Number  Actual Pull Date  7  Number  366-372
72  GBL  11  Text  Government Bill Of Lading  12  Text  373-384
73  SecDocNo  14  Text  Secondary Document Number  14  Text  385-398
74  3  399-401  Spaces
75  DIC  3  Text  Document Identifier Code  3  Text  402-404
76  TAMISInstallation Cd  4  Text  TAMIS Installation Code  4  Text  405-408
77  USERID  10  Text  USERID  30  Text  409-438
78  62  439-500  Reserved for SAAS
Example of a Data File

Name: AS5202.DAT

2005061~0001001 090143 ~15315~TAR~ASA W81K5Y~WA1305001823217 LC-04A920-054 A TAR000000003080 000000 W 000000 0000002005061090143 W81K5YW8GLAAW90HB450342001SER 020000201TTRP2005TRA NES 0001 A080BYHQ 209TH REGH460 NE 00 000003080TRA 0000000 W90HB442092004FEB michael. ~0~0~0
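Added example (not part of the SAAS manual or the SAAS software): Python that checks a header file against the naming and keyword rules in 11.9 before its FILE_ID is trusted, and slices a fixed-position data record using the Posn column of the layout table. The accepted FILE_ID character set, the one-to-six-digit file number, the C:\dodaacom root check, the 500-character record length and the sample record values are assumptions.

```python
import ntpath
import re

# Level prefixes from the page: AS (ASP), MM (MMC), DA (DAO), AT (ATP).
# Assumption: the "unique number" is one to six digits (the page's example is AS5202).
NAME_RE = re.compile(r"^(AS|MM|DA|AT)\d{1,6}\.(HDR|DAT)$")
MANDATORY = ("SOURCE_ID", "DEST_ID", "FILE_ID")
# Assumption: "No Special Characters" means a drive letter followed by path
# components made only of letters, digits, underscore and period.
FILE_ID_RE = re.compile(r"^[A-Za-z]:(\\[A-Za-z0-9_.]+)+$")
# Assumption: data files must stay under the folder used in the page's example.
COMM_ROOT = "c:\\dodaacom\\"
RECORD_LEN = 500  # last position in the layout table (assumed record length)

# (field, first position, last position), 1-based inclusive, from the Posn column.
LAYOUT = [
    ("FORMAT_IND", 1, 1), ("RECORD_TYPE", 2, 2), ("NSN", 3, 17),
    ("LOT_NO", 18, 35), ("COND_CD", 54, 54), ("RIC", 55, 57),
    ("TRANS_CD", 59, 61), ("LOT_QTY", 62, 73), ("DODAAC", 169, 174),
    ("BATCH_NO", 198, 203), ("DODIC", 311, 314),
]
ZERO_FILLED = ("LOT_QTY", "BATCH_NO")  # "right-justified, zero fill" in Remarks

# Header text as shown in the page's AS5202.HDR example.
SAMPLE_HEADER = r"""ATTRIBUTE SOURCE_ID: SAASM2
ATTRIBUTE DEST_ID: W83J HT
ATTRIBUTE FILE_ID: C:\dodaacom\SAASM2\OUT\AS5202.DAT
"""


def parse_header(header_name, text):
    """Validate a .HDR file and return its keywords as a dict."""
    name = header_name.upper()
    if not NAME_RE.match(name) or not name.endswith(".HDR"):
        raise ValueError("bad header file name: %r" % header_name)
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^ATTRIBUTE\s+([A-Z_]+):\s*(.*?)\s*$", line.strip())
        if not m:
            raise ValueError("unrecognised header line: %r" % line)
        if m.group(1) in fields:
            raise ValueError("duplicate keyword: " + m.group(1))
        fields[m.group(1)] = m.group(2)
    missing = [k for k in MANDATORY if not fields.get(k)]
    if missing:
        raise ValueError("missing keywords: " + ", ".join(missing))
    file_id = fields["FILE_ID"]
    if not FILE_ID_RE.match(file_id):
        raise ValueError("special characters in FILE_ID: %r" % file_id)
    # normpath collapses ".." so a relative hop cannot slip past the root check.
    resolved = ntpath.normpath(file_id).lower()
    if not resolved.startswith(COMM_ROOT):
        raise ValueError("FILE_ID outside %s: %r" % (COMM_ROOT, file_id))
    if ntpath.basename(resolved).upper() != name[:-4] + ".DAT":
        raise ValueError("FILE_ID does not name the matching .DAT file")
    return fields


def parse_record(record):
    """Slice one fixed-position asset transaction into named fields."""
    if len(record) != RECORD_LEN:
        raise ValueError("expected %d characters, got %d" % (RECORD_LEN, len(record)))
    out = {}
    for name, first, last in LAYOUT:
        raw = record[first - 1:last]
        if name in ZERO_FILLED:
            if not raw.isdigit():
                raise ValueError("%s is not zero-filled digits: %r" % (name, raw))
            out[name] = int(raw)
        else:
            out[name] = raw.strip()
    if (out["FORMAT_IND"], out["RECORD_TYPE"]) != ("W", "A"):
        raise ValueError("not an LMP asset transaction ('W' then 'A')")
    return out


def sample_record():
    """Constructed sample record; values are not from a real transmission."""
    values = {"FORMAT_IND": "W", "RECORD_TYPE": "A", "NSN": "1305000000001",
              "LOT_NO": "LOT-TEST-001", "COND_CD": "A", "RIC": "ZZZ",
              "TRANS_CD": "TAR", "LOT_QTY": "000000003080", "DODAAC": "W00000",
              "BATCH_NO": "000042", "DODIC": "A080"}
    buf = [" "] * RECORD_LEN
    for name, first, last in LAYOUT:
        buf[first - 1:last] = values[name].ljust(last - first + 1)
    return "".join(buf)


if __name__ == "__main__":
    print(parse_header("AS5202.HDR", SAMPLE_HEADER))
    print(parse_record(sample_record()))
```

A header whose FILE_ID resolves outside C:\dodaacom, or a quantity field padded with spaces instead of zeros, raises ValueError instead of being passed on for processing.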
11.10 Communications Troubleshooting

1. Communications won't start. When commo is started, comrun.exe creates a file at the root of the C drive called "comrunning". When commo starts, it checks whether this file is there and, if so, assumes that commo is already running and won't start, which keeps more than one copy of comrun.exe from executing. If commo was not ended properly (i.e., killed by Task Manager or a sudden power failure), the file is left behind and this may be the reason commo won't start. Delete this file and commo will start.

2. Sending zero byte zip files. When this problem occurs it could be one of two things. First, it may be that you are attempting to send duplicate data. If you're not sure, go to the folder of the DODAAC you are attempting to send to, navigate to the folder chk_history and delete the file chkhist.chk. If the problem persists, it may be the second cause: this same problem will occur if you do not have WinZip 9.0 SR-1 installed. It must also be installed in the Dodaacom folder. This program was released with SCP 07 and can be found on your Utility and Database CD as part of the SCP package.

3. Terminating Commo. The communications process must be shut down properly. Always use the Terminate Commo Icon in the SAAS Application (COMMO) to stop commo. Killing the process using Task Manager can and probably will create additional problems for you. When you click on the icon, it simply creates a file at the root of the C drive called Terminatecom. Comrun.exe periodically checks whether this file exists and, if so, shuts down and deletes the Terminatecom file and the Comrunning file. See item 1 above.
11.11 Remote Dial-Up Processing

SAAS MOD no longer supports the use of Remote Access Service. This is a feature designed for allowing users to connect via Modems. This is no longer allowed by AR 25-2.
SECTION 12.0 IMPORTING AND EXPORTING DATABASES

All users must be logged off the database before an import or export is executed. If a user is logged on and updating data during an export, it is possible that some tables will not be updated, and the EXP.LOG will not show an error message when this occurs. An import will also fail if users are logged onto the database. In that case, an error message will occur and be logged in the IMP.LOG file.

12.1 Importing the Database

The database import utility uses an operating system file generated by the export utility to restore the database. The IMPORT icon does the following:
- Recreates user SAASDB.
- Drops public synonyms for SAASDB objects.
- Creates tables under SAASDB.
- Loads data into the tables.
- Creates indexes on the tables.
- Creates views, synonyms, sequences and any other objects that belong to SAASDB.
- Grants privileges on SAASDB tables to other users.
- Creates public synonyms for SAASDB.

To Import the Database:
1. Go to Start | Programs | SAAS Utilities | Import.
2. At "About to Import a new Database", click on Continue.
3. At "Current data will be dropped", click on Continue.
4. Enter password for System Account and click on OK.
5. Enter database name (asp, dao, mmc) and click on OK.
6. User will be prompted for the name of the file to import. It will display all files under C:\SAAS\DUMPS\BACKUPS. Users can also move to another location where the file may be saved. Select the file to be imported and click on OPEN.
   NOTE: Any data that existed in the database before the import will be replaced by the data in the .DMP file selected.
7. Click on OK to confirm file to be imported. Importing will then start.
8. At "Database import is complete...", click on OK to exit import utility.
9. Check the import log file for any errors that may have occurred. The log file will be generated with the name of IMP.LOG under C:\SAAS\DUMPS\IMPLOGS and is overwritten with each import. At the end of IMP.LOG you should see "Import terminated successfully without warnings."
12.2 Exporting the Database

The database export utility does a logical backup of the data in the database. It backs up the data in the database to an operating system file. The file thus created can only be used by the import utility to import the data back into the database. The EXPORT icon of the SYSTEM group backs up the following items:
- Definitions of the tables owned by SAASDB.
- Definitions of indexes on tables of SAASDB.
- Definitions of views, sequences, synonyms and other objects owned by SAASDB.
- Data stored in the tables of SAASDB.
- Privileges on tables of SAASDB granted to other users.

To Export the Database:
1. Go to Start | Programs | SAAS Utilities | Export.
2. At "About to Export current Database", click on Continue.
3. Enter password for SAASDB Account and click on OK. The system will try to log on to Oracle with the password entered. If it is wrong, you will be prompted again.
4. Enter database name of system to be exported (asp, dao, mmc).
5. Enter filename of dmp file (EX: 980601) and click on OK. The file will be created under C:\SAAS\DUMPS\BACKUPS with an extension of .DMP. (Note: Do not use spaces when naming dump files.)
6. Check the export log file for any errors that may have occurred. The log file will be generated with the name of EXP.LOG under C:\SAAS\DUMPS\EXPLOGS and is overwritten with each report. At the end of EXP.LOG you should see "Export terminated successfully without warnings."

ERROR MESSAGES:

"Unable to logon, check the database." - Invalid database name was entered. See #5 under Importing a Database or #4 under Exporting a Database. Possibly user typed in "asp" instead of "mmc", or entered a typo such as "asd" instead of "asp".

"Invalid System Password. Enter again." - Invalid System password entered on Import. See #4 under Importing a Database.

"Object already exists." - This error message may be seen in IMP.LOG if a user was logged onto the database during an import. See #9 under Importing a Database. Start Import again without users logged onto the database.

SECTION 13.0 TROUBLESHOOTING
13.1 User Problems
The problems addressed in this subsection pertain to the Windows Server 2003 environment. For now we have identified four possible problems that system administrators might encounter. Upon fielding the SAAS application, more problems may arise. Those problems and their solutions will be included in future documentation. In trying to solve any problem, we first need to identify its root cause. In this subsection we check the possible causes one by one to make sure each setting is correct. If any configuration error is found, we will correct it and hopefully solve the problem.
13.1.1 Can't Log in
All users should log into the domain. The first thing they should check is that the user name, the password, and the domain are all correct. The user name is not case sensitive; however, the password is, so make sure it is typed exactly as it should be. Also, make sure you are using the right domain name. We have found that a lot of people make the mistake of logging into the local computer account instead. If, after making absolutely sure that everything is correct, the user still can't log in, check that there is a user account on the server. To check the user account, go to Local Users & Groups on the server. If the user account is not there, follow the instructions in section 9.1.1 on how to create a user account.
13.1.2 Can't partition or format during setup
You were trying to load Windows Server 2003 and in the middle of setup it would not want to partition or format and couldn't continue with setup. Well, have no fear because we have the solution for that particular problem. The first thing you need to do is to get a hold of the latest version of MS-DOS you can find. Insert disk #1 and re-boot the computer. Once inside MS-DOS setup, press F3 twice to exit. On the A prompt, type fdisk. Select option 3 for delete. Next, select option 4 to delete non-dos partition. Once that is done, re-boot the computer and leave the disk in the drive. Again press F3 twice to exit setup. Once on the A prompt, type format C:. This will format your C drive. Replace the MS-DOS disk with Windows Server 2003 CD-ROM and try again to install Windows Server 2003 by re-booting the computer.
13.1.3 Formatting the 2nd Hard Drive

1. As administrator, open My Computer.
2. Click on File, then Format.
3. Click on down arrow at File System and select NTFS (default is FAT).
4. Click on Start.
5. Click on OK at Warning screen.
6. Formatting begins. Click on OK when Format completes.
7. Click on Close.
13.2 Database Problems

The following problems can occur, which are related to the database:

ERROR: ORA-12203: Connect error, cant get error text
This error occurs if neither the Oracle service nor the TNS listener has been started on the server. Start the Oracle related services from CONTROL PANEL / SERVICES.

ERROR: ORA-12500: Connect error, cant get error text
This error occurs if the Oracle service has not been started but the TNS listener has been started on the server. Start the Oracle related services from CONTROL PANEL / SERVICES.

ERROR: ORA-12203: TNS: unable to connect to destination
This error occurs if the Oracle service has been started but the TNS listener has not been started on the server. Start the Oracle related services from CONTROL PANEL / SERVICES.

ERROR: ORA-01034: ORACLE not available
ORA-09243: smsget: error attaching to SGA
OSD-04101: invalid SGA: SGA not initialized
These errors occur when the Oracle service and TNS listener have been started but the database is not available on the server. The status may be shown as started for all Oracle related services in the SERVICES box of CONTROL PANEL while the database is not up and running. This may happen due to an invalid or missing INITORCL.ORA file, or one or all of the control files, data files or log files. If the problem is with INITORCL.ORA, then only that file needs to be restored from the backup. If the problem is with any of the control files, data files or log files, then all of them will have to be restored from the same backup, and it will involve redoing the work done between the date of the backup being restored and the present.

ERROR: ORA-12154: TNS: could not resolve service name
This error occurs if the TNSNAMES.ORA file on the workstation is either corrupt or missing. Copy the file from another working workstation.

ERROR 2140: An internal Windows Server 2003 error occurred.
This error occurs while starting the TNS listener service if the LISTENER.ORA file on the server is either missing or corrupt. Restore the file from the backup.

ORA-01652: unable to extend (name) segment by (size) in tablespace (tablespace)
This error occurs if the available space in the tablespace mentioned is not sufficient for the operation which caused the error. NAME is the object for which space is required. SIZE is the amount of space required. TABLESPACE is the location of the object where space is required. The error can occur either because all allocated space for the tablespace is utilized or because space is not available on the hard disk. If the tablespace is SAAS_ROLL or SAAS_TEMP, doing the same operation at a later time when no other user is accessing Oracle might solve the problem. If it is any other tablespace, more space will have to be made available.

13.3 Data Browser Problems
13.3.1 To Remove The Default Limitations on Data Browser

There are 2 parameters which need to be set to proper values, MAXROWS and MAXVMEM. To reset them, perform the following:
1) Start browser.
   On Workstation: Start => Programs => Oracle for Windows Server 2003 => Data Browser, or Start => MMC Executables => Browser.
   On Server: Start => Programs => Oracle for Windows Server 2003 => Data Browser
2) Login as saasuser.
3) At Create New Query window click on OK.
4) At Select Data Tables window click on Close.
5) Click on Edit => Preferences.
6) Click on Command Line on the 'Preferences for' slide bar.
7) Click on All Documents button.
8) Change the values for MAXROWS to more than the maximum rows in any table (i.e. 100,000) and MAXVMEM (i.e. to 100M).
   NOTE: These values may need to be raised on some databases to 200,000 and 200M.
9) Click on OK to close the window.

NOTE: This procedure IS MACHINE specific! This procedure must be accomplished for each machine where Data Browser will be executed (Workstation and Server) and these parameters are desired to be reset. It is not user specific (either Windows or ORACLE).

13.4 Comwatch Errors

Message Displayed: COMWATCH - Unable to open COMINI.INI. Can not continue with program execution.
Explanation: COMINI.INI file contains the system DODAAC. If this file can not be opened, COMWATCH can not find the system DODAAC.
Action: Run COMSETUP to establish all DODAACs that the system communicates with, including the system DODAAC. Start over again.

Message Displayed: COMWATCH - System DODAAC not found in COMINI.INI file. Run com setup. COMWATCH - Can not continue with program execution.
Explanation: COMINI.INI file contains the system DODAAC. If there is no line starting with "MY_DODAAC" in this file, this error results.
Action: Run COMSETUP to establish all DODAACs that the system communicates with, including the system DODAAC. Start over again.
Message Displayed: COMWATCH - No permission to create file in \system32\drivers\etc directory. COMWATCH - Can not continue with program execution.
Explanation: Some of the parameters required for successful execution of COMWATCH are stored in this folder. If the files containing those parameters don't exist, the program creates them with initial values. Hence, the program needs the permission to create files in this folder. If that permission is not available, this error occurs.
Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH.
Message Displayed: COMWATCH - COM_SCR.TXT file not found in system root. Run Com Setup. COMWATCH - Can not continue with program execution.
Explanation: COM_SCR.TXT file contains all the DODAACs that the system communicates with and their level (ASP, DAO, MMC, ATP). If this file is missing, COMWATCH will not be able to identify the destination of data.
Action: Run COMSETUP to establish all DODAACs that the system communicates with including the system DODAAC. Start over again.
Message Displayed: COMWATCH - System DODAAC not found in com_scr.txt file. Run Com Setup. COMWATCH - Can not continue with program execution.
Explanation: COM_SCR.TXT file contains the DODAAC and the level (ASP, DAO, MMC, ATP) of the system. If there is no entry for the system DODAAC in this file, this error is returned.
Action: Run COMSETUP to establish all DODAACs that the system communicates with, including the system DODAAC. Start over again.
Message Displayed: COMWATCH - COM_SCR.TXT has not been set up properly. Run Com Set Up. COMWATCH - Can not continue with program execution.
Explanation: COM_SCR.TXT file contains the DODAAC and the level (ASP, DAO, MMC, ATP) of the system. If the DODAAC that is to receive data is not in this file, this error is returned.
Action: Run COMSETUP to establish all DODAACs that the system communicates with, including the system DODAAC. Start over again.

Message Displayed: COMWATCH - WARS_SEQ.FILE can not be opened. Check directory permissions. COMWATCH - WARS processing can not be done.
Explanation: WARS_SEQ.FILE file contains the next batch number to send to WARS. If the file does not exist, COMWATCH creates it and sets initial batch number to 1. If COMWATCH can not create the file, this error results.
Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH.
AISM-25-L6F-AJA-ZZZ-SA 11 October 2007 13-7 Troubleshooting Message Displayed: COMWATCH - WARS_YR.FILE can not be opened. Check directory permissions. COMWATCH - WARS processing can not be done. Explanation: WARS_YR.FILE file contains the year. If the system year is same as the year in this file COMWATCH adds 1 to batch number in the WARS_SEQ.FILE and uses it to send the file to WARS. If they are not same, COMWATCH sets the year in the file to system year and sets the batch number to 1 to send to WARS. If the file does not exist, COMWATCH creates it and sets the year to system year and batch number to 1. If COMWATCH can not create the file, this error results. Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH. Message Displayed: COMWATCH - HOLD_CUR_DAY.FILE can not be opened. Check directory permissions. COMWATCH - CCSS processing can not be done. Explanation: HOLD_CUR_DAY.FILE contains the day of the month. COMWATCH uses this number to reset the sequence number in CCSS_SEQ.FILE to 1 when the first file for the day is received. If COMWATCH can not open this file to write, then it returns the above error. Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH. Message Displayed: COMWATCH - CCSS_SEQ.FILE can not be opened. Check directory permissions. COMWATCH - CCSS processing can not be done. AISM-25-L6F-AJA-ZZZ-SA 11 October 2007 13-8 Troubleshooting Explanation: CCSS_SEQ.FILE contains the sequence number that COMWATCH uses for file sequence number in the file header sent to CCSS. This number must be unique within a day. It checks in HOLD_CUR_DAY.FILE for the day, and if it is same as system day, it adds 1 to the number in CCSS_SEQ.FILE file and uses it for file sequence number. If it is not same, then it sets the day in HOLD_CUR_DAY.FILE to system day, sets the number in CCSS_SEQ.FILE to 1 and uses 1 for file sequence number. 
If COMWATCH can not open this file to write, then it returns the above error. Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH. Message Displayed: COMWATCH - Non Group Out data file <<file name>>can not be created. COMWATCH - Can not process outgoing SAAS data Explanation: COMWATCH is not able to create an out-going file. Action: This may be because there is no space on the hard drive or the user that is executing COMWATCH does not have permission to create files on C:\DODAAC folder. Check the source of the problem and fix it.
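The year and day rollover logic described above for WARS_SEQ.FILE/WARS_YR.FILE and CCSS_SEQ.FILE/HOLD_CUR_DAY.FILE, as an added Python model that is not COMWATCH code. The one-number-per-file text format, the temporary-file write and all function names are assumptions made for the illustration.

```python
import datetime
import os


class CounterFileError(Exception):
    """A counter file could not be read or written by the current account."""


def _read_int(path):
    """Return the integer stored in path, or None when the file is absent."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None
    except ValueError as exc:
        raise CounterFileError(f"{path} does not hold a number") from exc
    except OSError as exc:
        raise CounterFileError(f"{path} can not be opened") from exc


def _write_int(path, value):
    """Write value through a temporary file (an assumption of this model) so
    that an interrupted write never leaves a half-written counter behind."""
    tmp = path + ".tmp"
    try:
        with open(tmp, "w", encoding="ascii") as fh:
            fh.write(f"{value}\n")
        os.replace(tmp, path)
    except OSError as exc:
        # Corresponds to "can not be opened. Check directory permissions."
        raise CounterFileError(
            f"{path} can not be opened. Check directory permissions.") from exc


def next_number(period_path, seq_path, current_period):
    """Return the next number for current_period.

    If the stored period differs (or the period file is missing), store the
    new period and restart at 1. Otherwise add 1 to the stored number; a
    missing sequence file is created with 1.
    """
    if _read_int(period_path) != current_period:
        _write_int(period_path, current_period)
        number = 1
    else:
        last = _read_int(seq_path)
        number = 1 if last is None else last + 1
    _write_int(seq_path, number)
    return number


def next_wars_batch(directory, today):
    """WARS batch number: restarts at 1 when the system year changes."""
    return next_number(os.path.join(directory, "WARS_YR.FILE"),
                       os.path.join(directory, "WARS_SEQ.FILE"),
                       today.year)


def next_ccss_sequence(directory, today):
    """CCSS file sequence number: restarts at 1 when the day of month changes."""
    return next_number(os.path.join(directory, "HOLD_CUR_DAY.FILE"),
                       os.path.join(directory, "CCSS_SEQ.FILE"),
                       today.day)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as work:
        # Constructed dates, chosen to cross a year boundary.
        for day in (datetime.date(2007, 12, 30), datetime.date(2007, 12, 31),
                    datetime.date(2008, 1, 1)):
            print(day, "WARS batch", next_wars_batch(work, day),
                  "CCSS seq", next_ccss_sequence(work, day))
```

Because HOLD_CUR_DAY.FILE holds only the day of the month, this model does not restart the CCSS sequence when the previous file was sent on the same day number of an earlier month; the number simply keeps counting.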
Message Displayed:
COMWATCH - Out data file <<file name>> can not be created.
COMWATCH - Can not process outgoing SAAS data
Explanation: COMWATCH is not able to create the outgoing file either because there is no space on the hard disk or file create permission is not given to the user running COMWATCH.
Action: Check for the possible problems and correct.

Message Displayed:
COMWATCH - An incorrect group is present in the Database.
COMWATCH - Can not process outgoing SAAS data
Explanation: Grouped transactions, like RECON, have a group number and a sequence number within the group. The group number is set to the number of transactions within the group. Before creating a file for these grouped transactions, COMWATCH checks whether the group has all the transactions that make up the group. If not, COMWATCH gives this error.
Action: Delete the transactions from TRANSACTION_COM_OU and regenerate the transactions.

Message Displayed:
COMWATCH - For level indicator <<system level>> Destination DODAAC is not defined in COM_SCR.TXT.
COMWATCH - Can not process outgoing data.
Explanation: The TRANSACTION_COM_OU table has an attribute called DESTINATION. Programs set this to the three-character system level followed by a space and, optionally, a DODAAC. COMWATCH checks COM_SCR.TXT for DODAACs that match the level in the DESTINATION attribute. If no DODAAC is found in the file for that level, the transaction can not be sent. Hence, COMWATCH gives this error.
Action: Run COM Setup and establish all DODAACs.

Message Displayed:
COMWATCH - Unable to create <<file name>> file, Function terminating.
COMWATCH - Can not process outgoing ULLS data.
Explanation: COMWATCH is unable to create the outgoing ULLS file because there is no space on the hard disk or file create permission is not given to the user running COMWATCH.
Action: Check for the possible problems and correct.

Message Displayed:
COMWATCH - The file RI.TXT does not exist.
COMWATCH - Can not process outgoing CCSS data
Explanation: The RI.TXT file has the router identifier and office symbol. This information is put in the header of the file sent to CCSS. If RI.TXT does not exist, then COMWATCH gives this error.
Action: Create the RI.TXT file with the above information.

Message Displayed:
COMWATCH - Record has incorrect ric - <<ric>>, Record to be corrected.
COMWATCH - <<data record>>
COMWATCH - Can not process outgoing CCSS data.
Explanation: COMWATCH checks the transaction code of each outgoing transaction to CCSS. If it is A0E or A05 and the RIC is not B14 or B64, then COMWATCH gives this error.
Action: Delete the transaction from TRANSACTION_COM_OU.

Message Displayed:
COMWATCH - Unable to open wars outbound file <<file name>>. Contact Support.
COMWATCH - Can not process outgoing WARS data
Explanation: COMWATCH is unable to create the outgoing WARS file because there is no space on the hard disk or file create permission is not given to the user running COMWATCH.
Action: Check for the possible problems and correct.

Message Displayed:
COMWATCH - Unable to open ILAP outbound file <<file name>>. Contact Support.
COMWATCH - Can not process outgoing ILAP data.
Explanation: COMWATCH is unable to create the outgoing ILAP file because either there is no space on the hard disk or file create permission is not given to the user running COMWATCH.
Action: Check for the possible problems and correct.
Message Displayed:
COMWATCH - Unable to open <<file name>> file, Function terminating.
COMWATCH - Can not process incoming ULLS data.
Explanation: COMWATCH is unable to open the incoming ULLS file because file read permission is not given to the user running COMWATCH or the file is corrupted.
Action: Check for the possible problems and correct.

Message Displayed:
COMWATCH - DAAS_IN_SEQ.FILE can not be opened. Check directory permissions.
COMWATCH - DAAS processing can not be done.
Explanation: DAAS_IN_SEQ.FILE contains a number that COMWATCH uses for the CONTINUATION_SEQ attribute of the TRANSACTION_COM_IN table when loading data from DAAS/SPBSR. Every time an incoming file is loaded into the table, COMWATCH reads this file adds 1 to it and stores in the and uses it. If COMWATCH can not open this file to write, then it returns the above error.
Action: Log on as Administrator of the machine and grant the permission to the user that runs COMWATCH.

Message Displayed:
COMWATCH - DAAS incoming file cannot be removed. File name :<<file name>>
COMWATCH - <<rec count>> no of erroneous transactions found
COMWATCH - <<rec count>> no of correct records found out of <<rec count>> nos, please check daas incoming file
COMWATCH - Erroneous DAAS incoming file. Can not process DAAS incoming file.
Explanation: An incoming DAAS file has NULL at the beginning of some lines.
Action: Correct the file.

Message Displayed:
COMWATCH - Incomplete Group Present in the Data File :<<file name>>
COMWATCH - Can not process this file
Explanation: The total number of transactions in the file does not match MAX_GROUP_SEQ. Every line in the incoming file has a sequence number and the highest sequence number in the group. If the transactions are not grouped, then both these numbers are zeros (0). For grouped transactions, like RECON transactions, the highest sequence number represents the number of transactions in the group and the sequence number is the sequence of the transaction within the group.
Action: Get the source of the file to resend the file.
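An added example (not COMWATCH code) of the two incoming-file checks described above: lines that begin with NULL, and groups whose transaction count does not match MAX_GROUP_SEQ; the same group test applies to the outgoing "incorrect group" error. The `seq|max_group_seq|payload` layout, the requirement that a group's lines are contiguous, and all names are assumptions, since the manual does not give the record layout.

```python
from dataclasses import dataclass, field

# ASSUMED layout, for illustration only: b"<seq>|<max_group_seq>|<payload>".
# The manual says every line carries both numbers but not where they sit.

# Constructed sample files (not real SAAS data).
GOOD_FILE = [b"0|0|SINGLE\n", b"1|3|RECON A\n", b"2|3|RECON B\n", b"3|3|RECON C\n"]
BAD_FILE = [b"1|3|RECON A\n", b"\x002|3|RECON B\n", b"3|3|RECON C\n", b"0|0|SINGLE\n"]


@dataclass
class FileReport:
    total: int = 0
    null_prefixed: list = field(default_factory=list)      # 1-based line numbers
    malformed: list = field(default_factory=list)          # 1-based line numbers
    incomplete_groups: list = field(default_factory=list)  # (first line, max, seen)

    @property
    def loadable(self):
        """True only when no check failed, i.e. the file may be loaded."""
        return not (self.null_prefixed or self.malformed or self.incomplete_groups)


def check_incoming(lines):
    """Validate an iterable of raw byte lines before they are loaded."""
    report = FileReport()
    group = None  # the group currently being collected, if any

    def close_incomplete():
        # Record a group that ended before all of its members were seen.
        nonlocal group
        if group is not None:
            report.incomplete_groups.append(
                (group["start"], group["max"], sorted(group["seen"])))
            group = None

    for lineno, raw in enumerate(lines, start=1):
        report.total += 1
        if raw.startswith(b"\x00"):
            # The "erroneous DAAS incoming file" condition: NULL at line start.
            report.null_prefixed.append(lineno)
            continue
        try:
            seq_s, max_s, _payload = raw.rstrip(b"\r\n").split(b"|", 2)
            seq, max_seq = int(seq_s), int(max_s)
        except ValueError:
            report.malformed.append(lineno)
            continue

        if max_seq == 0:
            # Ungrouped transaction: both numbers must be zero.
            if seq != 0:
                report.malformed.append(lineno)
            else:
                close_incomplete()
            continue

        if group is not None and group["max"] != max_seq:
            close_incomplete()
        if group is None:
            group = {"start": lineno, "max": max_seq, "seen": set()}
        if not 1 <= seq <= max_seq or seq in group["seen"]:
            report.malformed.append(lineno)
            continue
        group["seen"].add(seq)
        if len(group["seen"]) == max_seq:
            group = None  # every member 1..max_seq arrived: group is complete

    close_incomplete()  # a group still open at end of file is incomplete
    return report


if __name__ == "__main__":
    for name, data in (("GOOD_FILE", GOOD_FILE), ("BAD_FILE", BAD_FILE)):
        r = check_incoming(data)
        print(name, "loadable:", r.loadable, "NULL lines:", r.null_prefixed,
              "incomplete groups:", r.incomplete_groups)
```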
13.5 System Running Slow

1. What's running?
   a. Check the Taskbar at the bottom of the screen.
   b. Go to Task Manager via CTRL-ALT-DEL. Look at the Applications tab and CPU performance; memory usage can also be checked (good to check at the bottom of the Task Mgr screen).
   c. Antivirus software may have become activated.
2. Make a screen print and send it to CAO.
3. How much disk space is on C: and D:? Go to My Computer->Right click on C: drive. Go to Properties. See Used and Free space. Repeat above for D: drive, if needed.
4. Ways to free up space on Server:
   a. Run Spacemaker.
   b. Archive Transaction History Files - This may not actually free up space on the system but may make the db run faster.
   c. If it has been some time since an import was performed (not a recent SCP), an export followed by an immediate import of the database just exported will do a cleanup of the db.
   Below is for both Server and Workstations:
   d. Go to Start->Programs->Administrative Tools->Computer Management. Look in the Storage area and click on Disk Defragmenter. In the right window will be Analyze and Defragment buttons. Select Analyze. System will respond if defragmentation is recommended or not and will have buttons to Exit or Defragment. If they decide to Defragment they should close any open files/processes.
      NOTE: On the Server, a defrag followed by an export and an immediate import of the db just exported is considered an ultimate cleanup.
   e. Go to Internet Explorer. Select Tools->Internet Options. On the General tab, have user select and confirm the following buttons: Delete Files, Delete Cookies, and even hit the Clear History button (less here probably).

If the above suggestions fail to resolve a user's complaints, then come and inform us. There are a few other things that could be checked; however, more than likely at this point it may be an issue for their local IT people or a hardware issue.
13.6 Relationship between SAAS and Oracle

Understanding the Relationship between SAAS and Oracle Users

*As of SCP-08, Maintain Users will accept more than just 8 characters. Windows OS limits to 20 characters. Username should match Windows OS username and SAAS Oracle User usernames below. Is case-sensitive.

Maintain Users
This is an exe in SAAS Application Install, and a user should be created matching the Windows OS usernames that run the SAAS application. Access can be controlled by transaction. SAAS does not authenticate, but gives privileges.

Windows OS usernames
General username to log on to system and/or network. Probably assigned to user by DOIM. Must match the username created in Create Oracle User in order to use / in iefgdic.ini and avoid the 2nd logon screen. Is case-sensitive.

Create Oracle User
Create an Oracle user to log on to the db. This is needed in order to create SAAS application transactions and run reports. As stated above, it must match the Windows OS username in order to use / in iefgdic.ini and avoid the 2nd logon screen.

ORA_SAAS_DBA Group
Only those users that need to start up or shut down the database need to be in this local group. NOT a good idea to put all users in this group! Startup/Shutdown of the Oracle DB is needed by those who run Scheduled Backup, MMC Reconciliation, Lock/Unlock the Database (via SAAS->Utilities) or log in to SQL Plus and start up/shut down the db.
*The Oracle Install script also uses sql scripts that require this ability. If NOT a member of the ORA_SAAS_DBA group, sql scripts will not properly back up and recreate the Oracle usernames and passwords (created via SAASOracle User) during the Oracle Install (resulting in them having to be manually re-created).

13.7 Customer Assistance FTP Process Using Secure FTP

This is a process provided by Fort Lee for users to be able to send files such as your database or to get files from Fort Lee to help with problem resolution.
The address and login information is provided below to connect to the SAAS MOD FTP site. If you experience problems connecting then there is probably a firewall filter at your location that will not allow you to FTP out. If so, contact your local DOIM. This site is in the public domain and has no restrictions for access. We recommend that you use the GlobalScape Secure FTP as the means to do so. Follow the instructions below when needed or instructed by SAAS MOD Customer Assistance Personnel from the Start\Programs\GlobalScape\Cute FTP Professional\Cute FTP 7 Professional. Use the following to connect to the Fort Lee (SAAS) FTP Server: UserID Password saasftp AB!#rt89ee saasftp2 Mpn7y9rs.* saasftp3 *.sr9y7npM
1.) Click on File\New\SFTP (SSH2) Site and the following screen will pop up.
2.) Enter the data as shown below using the data from above. The address is static; however, you may use any of the above user names and passwords. Each has the same level of permissions.
3.) On the screen under "source" (the upper left window) you may select location of file to transfer using the drop down to the level to select a specific file. On the "destination" (the upper right window) you may select the location to send the file to as well. Recommend you go to the Upload folder and then your folder. You can also create a folder if one does not exist by clicking the Create New Folder Icon on the top Menu Bar.
4.) When you are ready to send the file you can right click and select Upload or you may simply drag and drop the file to its destination:
5.) Once the file begins transmitting, you will see the progress as shown in the status window which is the bottom portion of the screen:
6.) To go back to the first folder, click on the IP address of 132.159.16.40 under Other Places. To close out, click on the X in the upper right-hand corner.
7.) When it completes you will see 100% of the file. Select another file if you have more to send and repeat the steps above.
8.) When you are finished, right click on the tab at the bottom of the destination window (upper right window) with the name you used for your connection and select Close. Then close the window.

NOTE: The next time you have a need for this procedure, GlobalScape will have saved these settings; under the Site Manager, right click on your connection and click on Connect.

SECTION 14.0 CONTINUITY OF OPERATIONS PLAN (COOP)
14.1 General All Army Data Processing Installations (DPI) require a COOP to allow continued operation of critical data processing functions that could be interrupted due to the loss of hardware, software, and data. The standards, procedures, and responsibilities for the COOP are contained in Department of the Army Technical Bulletin No. 18-108, Army Automation, Continuity of Operations Plan (COOP). Assistance in preparing a COOP should be obtained from the organization automation or security office.
14.2 Sample Sample COOP Outline. TB 18-108, Appendix A, contains a sample COOP outline. That sample outline is reproduced below. It is intended only to be used as a guideline.
DEPARTMENT OF THE ARMY DATA PROCESSING INSTALLATION (DPI NUMBER) FORT BLANK, MARYLAND 12345-7890
CONTINUITY OF OPERATION PLAN (COOP)
DATE: ____________
Table of Contents
Section                                                        Paragraph

I    General
     Purpose                                                        1-1
     Mission                                                        1-2
     Responsibilities                                               1-3
     Contingencies or Risk Analysis                                 1-4
     Job or Systems Priorities                                      1-5
     Succession of Personnel                                        1-6

II   Protection of Records and Documentation
     List of records and documentation                              2-1
     Procedures for safeguarding essential materials                2-2

III  Emergency Response
     Detail Procedure                                               3-1

IV   Backup Operations
     Designation of COOP site                                       4-1
     ADPE Configurations                                            4-2
     Facilities, security, supplies, and communication              4-3
     Personnel requirements                                         4-4
     Planning coordination                                          4-5
     Emergency movement procedures                                  4-6
     AUTODIN interface                                              4-7

V    Recovery
     Recovery plans                                                 5-1

VI   Contingency Operations as Host Site
     Planning coordination                                          6-1
     ADPE Configurations                                            6-2
     Facilities, security, supplies, communication, and transportation  6-3
     Personnel requirements                                         6-4
     Billeting and messing requirement                              6-5
     MINIMIZE Processing plan                                       6-6
COOP Appendixes
A. Letter of Agreement with COOP site
B. Key Personnel and points of contact at COOP site
C. Inventory list of COOP material at alternate files storage area
D. Inventory of COOP material prepositioned at COOP site
E. Magnetic media and supplies required at COOP site (items that will not be transported from home site, but are required for operations at the COOP site)
SECTION 15.0 AIT INSTALLATION
15.1 Overview

The purpose of this document is to detail the activities needed to accomplish the installation of an AIT application onto SAAS-MOD Servers and Workstations. Installation for the Server will be from the SAAS-MOD CD; the workstation will install from the Server. These instructions will cover:

   Installation of the SAAS AIT application
   Hardware driver installation
   Handheld software installation
   Setting up AIT equipment
15.2 Installation of SAAS AIT Application
With the implementation of L6F-03-00 the application software for AIT will no longer be automatically loaded when the baseline is installed. There are separate steps to install AIT application software. These steps are as follows:
15.3 Setting up your AIT Equipment
ASP
The ASP can connect the following equipment:
1. Symbol HHT (Hand Held Terminal with Hand Held Device HHD) (Server)
2. SAVI Docking Station for Tag Writer (Server or Workstation)
3. Zebra Z4000 Label Printer (Server)
4. Gemplus GCR200 Smart Card Reader/Writer (Workstation)

ATP
The ATP can connect the following equipment:
1. Symbol HHT (Hand Held Terminal with Reader) (Server)
2. Zebra PT403 Mobile Label Printer (Server or HHD)
3. Gemplus GCR200 Smart Card Reader/Writer (Server)

For additional information see Section 5.6, Adding AIT/SAVI BPS Devices.
15.4 Connecting AIT to your computer

1. Connect the Symbol HHT (Hand Held Terminal with Hand Held Device HHD) to the COM 1 port on your Server or Workstation. It needs to be configured according to the instructions set forth in Section 15.7 so that others in the domain will have access to it.
2. Connect the SAVI Docking Station for Tag Writer to the COMM 2 port on your Server or Workstation.
3. Connect the Zebra Z4000 Label Printer to the parallel port on your Server. It needs to be configured according to the instructions set forth in Section 15.7 so that others in the domain will have access to it.
4. Connect the Gemplus GCR200 Smart Card Reader/Writer to the COMM 1 port on your Workstation.
5. Connect the Zebra PT403 Mobile Label Printer to the HHD.
15.5 Driver Installation and settings
Note: You must be logged on as administrator on local machine.
Zebra Z4000 Label Printer
NOTE: During an upgrade to either Windows Server 2003 or Windows XP, the system that your Zebra Z4000 is attached to will continue to display Found New Hardware for the Zebra Printer. Close the window and follow these instructions to reinstall your Zebra Z4000 printer.

1. Click on Start / Printers and Faxes.
2. Right click on the Zebra Z4000 printer and select Delete and Yes to confirm.
3. At the Found New Hardware Wizard (you may have to log off and back on to get this window) select No, not at this time.
4. Click on Install from a specific location and click on Next.
5. Click on Don't search and click on Next.
6. Uncheck the box to Show Compatible Hardware.
7. Select Generic as the Manufacturer and Text Only as the Model.
8. At the warning to update the driver select Yes, then Next.
9. Select Finish.
Zebra PT403 Portable Label Printer
1. Double click on My Computer.
2. Double click on CD (will bring up Zebra Accessories Window).
3. Click on Software.
4. Click on Windows 2003/2000 Printer driver.
5. Click on Install Windows 2003/2000 Printer driver.
6. Click OK to message: Follow the Printer Wizard instructions, click the "Have Disk" button and paste (Shift + Ins, or Ctrl + v) the path.
7. Click Next at Add Printer Wizard.
8. Check COM1, press Next.
9. Press <Ctrl + Ins> keys, click on OK (will fill in path for you).
10. Select Zebra PT400, click on Next.
11. Click Next on Printer Name Window.
12. Click Next on Sharing Window.
13. Click Finish.
14. Close all windows.
15.6 Burn-In of the Hand Held Device
Note: You must be logged on as administrator on the Domain.
The following files should be on the hard drive of your PC:
   TCM7000.EXE and FXVMAPI.DLL - image download program

If you are trying to rebuild a corrupted handheld, you might also need:
   SPLASH.HEX - Startup Graphic.
   LOADER.HEX - boot loader
   NK.HEX - Windows CE itself.
Flashing the 7200 WinCE with SAAS-MOD

Run TCM7000. Select the icon on the toolbar which looks like a cable end, the Load Terminal icon. Alternatively, choose the File menu option and select Load Terminal. Choose the appropriate COM port (often COM1:), and set the baud rate to 115200, the protocol to XON/XOFF and browse to the WINPT16M-2.HEX Partition Table file mentioned above.

Cold boot the HHT by holding down both the power button and the trigger for a count of at least 16 (the HHT will reset itself even if you are still holding down the button and trigger). This puts the HHT into "IPL" mode. You will be presented with a menu of baud rates. Select 115200 by tapping on the up and down arrow keys on the left and right edges of the screen. When 115200 is selected, tap the word "Enter" at the bottom of the screen.

The Partition image must be flashed *before* flashing the following images: Data, Application, and Platform. Flashing it after will wipe out the data just downloaded. Therefore, the first flash download should be a single download done first.

Choose the "Multiple Images" selection on the HHT, and place it in the cradle. The HHT should display a screen reading: "Waiting for Data / Multiple Images / 115200". If the screen does not read this, return to the main IPL menu and repeat the HHT procedure.

First, we download the Partition Table. After following the TCM7000 instructions above, you should be all set to do this. Press OK. The Partition Table is very small, and takes only a few seconds to complete. You will see a progress bar on the workstation, and a set of numbers counting down on the HHT. Each "block" of a partition is worth 8K. The Flash memory is erased first, and then data is downloaded and written to the HHT.

After the Partition Table is downloaded, choose Load Terminal on the PC again. Your settings should be preserved from the last download (appropriate COM port, Baud Rate 115200, protocol XON/XOFF). Ensure this is true and press the "Multiple Hex File Download" button. Highlight the following files by holding down your Control key and left-clicking on the file name with the mouse: "DATA-3.HEX", "LOGIAPP3.HEX", "PLATFORM.HEX". The three file names should appear in the File name: box. Press Open to initiate the transfer. Each of the three files should be downloaded. This task will take approximately 10 minutes. If there is a problem, an error message will appear on the HHT. If you cannot successfully download all three files, repeat the steps listed above, substituting 57600 wherever it says 115200.

Next, press menu, enter run system, enter calibrate to calibrate the HHT device.

Note: Under WinCE you must go to Control Panel>Power Management>System>Wakeup and set AC Connection and Cradle Insertion to "yes". Also set the Time Zone to your locality under Regional Settings.
SAAS-Mod HHTServe
If you want multiple Cradles (each connected to a workstation) to transfer files to/from a central location, you must make a shared volume on your server. For example, C:
If you just want to transfer files to/from a single workstation, choose a partition where the transfer files will reside. Where the instructions below say C:, you will use the drive letter and a colon, e.g. D:
Copy the following files into C:\
   HHTSERVE.EXE
   CRADLE.DLL
   DOCK.DLL
   FILEINFO.DLL
   RESPONDER.DLL
   RSTRING.DLL
   SIO32.DLL
   CONFIG.CFG
Create an AIT_IN folder and an AIT_OUT folder in C:\, i.e. C:\AIT_IN C:\AIT_OUT
And create subfolders for each module:
   C:\AIT_IN\COUNT
   C:\AIT_IN\INVENTORY
   C:\AIT_IN\QUICKISSUE
   C:\AIT_IN\RECEIPT
   C:\AIT_IN\STOCK
   C:\AIT_IN\STORE
   C:\AIT_IN\SURVEY
   C:\AIT_IN\TRANSFER
   C:\AIT_OUT\COUNT
   C:\AIT_OUT\INVENTORY
   C:\AIT_OUT\QUICKISSUE
   C:\AIT_OUT\RECEIPT
   C:\AIT_OUT\STOCK
   C:\AIT_OUT\STORE
   C:\AIT_OUT\SURVEY
   C:\AIT_OUT\TRANSFER
Use Notepad to edit C:\CONFIG.CFG.
Set the PORT=1 to the proper COMM port for the workstations.
Open C:\ from each workstation, and run HHTSERV.
15.7 AITCFG Tool
This tool has been developed to help users implement additional printing capability that comes with AIT. These are the Zebra Label printer and the Hip Printer. All printers need to be configured for each system to define whether or not it is a host or client for print purposes. All computer systems come with only one parallel port to attach a printer. Therefore, one computer cannot have the printer for reports and print labels at the same time.
NOTE: INSTALL INTERNET EXPLORER 6.0 OR HIGHER. THIS IS ON YOUR UTILITY CD SHIPPED WITH L6F-06-00 PRIOR TO INSTRUCTIONS BELOW!
HHT INSTALL
1. Navigate to SAAS\AIT folder and double click on the AITCFG.exe file.
2. On screen Install AIT Modules, click on the HHT.
3. Click Yes to stay connected to COM1. NOTE: If using SAVI click NO.
4. Click on OK to reboot.
5. Click on OK to message "Installation Completed".
6. Reboot the system.
LABEL PRINTER (HOST)
1. Navigate to SAAS\AIT folder and double click on the AITCFG.exe file.
2. Click on the Printer.
3. Answer Yes to "Are you sure you want to use this share name?" and press enter.
4. Answer Yes to "Are you sure you want to use this share name?" and press enter.
5. Leave HOST as the choice and click OK.
6. At message, insert a floppy in drive A and click on OK.
7. At message "Configuration file ready for other stations", click on OK.
8. At message "Barcode Print Server files ready please reboot to begin", click on OK.
9. Click on OK to Install Complete. Remove the floppy and save.
10. Reboot your system for change to become effective.
LABEL PRINTER (CLIENT)
1. Navigate to SAAS\AIT folder and double click on the AITCFG.exe file.
2. Click on the Printer.
3. Enter "Client" in message "Please enter a choice Host or Client", click on OK.
4. At message, insert the configuration floppy in drive A and click on OK.
5. At message "Configuration file installed", click on OK.
6. At message "Barcode Print Server files ready please reboot to begin", click on OK.
7. Click on OK to Installation Completed message and remove the floppy.
8. Reboot your system for change to become effective.
9. Repeat steps 1 thru 8 for all workstations to be able to print barcode labels.

15.8 Troubleshooting AIT

The errors listed below are not all inclusive. These are just some of the most frequent error types encountered.
ORACLE ERRORS
Problem: SQL*Loader-522: lfiopn failed for file (C:\SAAS\AIT_IN\ERRORS\INVENTORY\INVENTORY_PROCESS_ERRORS.PRN)
Solution: The folder "ERRORS" was missing. Create the folder and rerun the process.
Solution: Oracle is not running. Reboot the system, or start Oracle Services and rerun the process.

15.9 AIT Practical Exercise
PRACTICAL EXERCISE BOOKLET
05 JULY 2006 (Date)
COURSE TITLE STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-MOD) AUTOMATIC IDENTIFICATION TECHNOLOGY (AIT) NEW EQUIPMENT TRAINING (NET)
FOR THE AMMUNITION STORAGE AREA OPERATIONS
COURSE NUMBER SCP-03
THIS PACKAGE HAS BEEN DEVELOPED FOR: PROPONENT FOR THIS PE IS: SAAS-MOD ASA AIT
TABLE OF CONTENTS

PREFACE
SECTION I - ADMINISTRATIVE DATA
SECTION II - INTRODUCTION
SECTION III - PRACTICAL EXERCISE

A21 - COURSE OVERVIEW
   TASK 21A - Log On As the System Administrator (SA)
   TASK 21B - Log On As a SAAS-MOD Operator
   TASK 21C - Review AIT and Related Processing on the ASP Executable Menu

A22 - INTRODUCTION TO AIT HARDWARE
   TASK 22A - Prepare the PC, 751G, Cradle, Bar Code Printer, And Portable Printer for SAAS-MOD Operations
   TASK 22B - Examine the Basic Features of the 751G Hand Held Terminal (HHT)
   TASK 22C - Examine the Basic Features of the Cradle
   TASK 22D - Connect the Cradle to a SAAS-MOD Workstation
   TASK 22E - Unpack and Inspect the Intermec PM4i Printer
   TASK 22F - Prepare the PM4i Printer for SAAS-MOD Processing
   TASK 22G - Prepare the Intermec PT403 Portable Printer for SAAS-MOD Processing

A23 - AIT SOFTWARE INSTALLATION
   TASK 23A - Install SAAS-MOD-UPLOAD-INSTALL Software
   TASK 23B - Install Microsoft ActiveSync 4.1 Software
   TASK 23C - Set Up a New Partnership
   TASK 23D - Load SAAS-MOD Software on the 751G
   TASK 23E - Improve Bar Code Readability with the 751G
   TASK 23F - Run SAAS-MOD on the 751G

C20 - PRINT 2D PACKAGE/PALLET LABELS FROM THE AIT 751G
C21 - PRINT SHIPPING LABELS FROM SAAS-MOD
C22 - PRINT 2D PACKAGE/PALLET LABELS FROM SAAS-MOD
C23 - MAINTAIN USER ACCOUNTS FOR AIT 751G USERS
C24 - USE AIT ASSIGNMENT STATUS TO VIEW/CHANGE WORKLOADS
C25 - USE WORKLOAD TO VIEW/CHANGE AIT 751G WORKLOADS
C26 - AIT EXCEPTION MAINTENANCE
C27 - USE AIT TO PROCESS AND STORE RECEIPTS
C28 - USE AIT TO STORE A TURN-IN
C29 - PERFORM A LOCATION SURVEY WITH AIT
C30 - INITIATE AN INVENTORY ON THE AIT 751G
C31 - PERFORM AN INVENTORY USING THE AIT 751G
C32 - USE AIT TO SELECT STOCK FOR AN ISSUE OR SHIPMENT
C33 - USE AIT TO SELECT STOCK AND STORE AN IDT
PREFACE

Purpose: This practical exercise booklet is designed to be used with the Standard Army Ammunition System (SAAS-MOD) Ammunition Storage Area Operations AIT Training Course.

SECTION I - ADMINISTRATIVE DATA

TITLE: Practical Exercise for SAAS-MOD Storage Area Operations Using AIT Equipment
COURSE NUMBER: SCP-03
COURSE TITLE: SAAS-MOD Storage Area Operations Using AIT
CLEARANCE AND ACCESS: Unclassified
STUDENT STUDY ASSIGNMENT: None
EQUIPMENT REQUIRED FOR THE INSTRUCTION:
   1 - SAAS-MOD File Server
   1 - SAAS-MOD Workstation per student
   1 - Intermec 751G Hand Held Terminal per student
   1 - Intermec PT403 Portable Printer per student
   1 - Intermec PM4i Thermal Bar Code Printer per table (1-2 students)
MATERIALS REQUIRED: PE Booklet
CLASSROOM, TRAINING AREA, AND/OR RANGE REQUIREMENTS: Classroom for 20 students equipped with one SAAS-MOD ASP system (file server w/laser printer and workstation w/thermal printer) per student.
AMMUNITION REQUIREMENTS: None
PROPONENT RESIDENT LESSON PLAN APPROVALS: NAME GRADE POSITION DATE

SECTION II - INTRODUCTION

As an ammunition manager, you must know how to use automation to manage an ammunition stock record account. You must be aware that keeping all records up to date as changes occur assures the accuracy and integrity of the management structure you use to support your asset records.

TERMINAL LEARNING OBJECTIVE: Using a SAAS-MOD server, workstation, AIT equipment, End Users Manual (EUM), and the System Administrator Manual (SAM), you must be able to operate SAAS-MOD utilizing state-of-the-art Automated Identification Technology (AIT). During this course, you will accomplish the following:
ACTION: Use the procedures in the EM and SAM to operate SAAS-MOD utilizing state-of-the-art AIT technology.
CONDITION: In a classroom environment, given an EM, SAM, SAAS-MOD server or workstation, and AIT equipment.
STANDARD: Correctly operate SAAS-MOD utilizing state-of-the-art AIT technology.
SAFETY REQUIREMENTS: None
RISK ASSESSMENT LEVEL: None
ENVIRONMENTAL ASSESSMENT: None
EVALUATION: None
INSTRUCTIONAL LEAD IN: None
GENERAL: This booklet contains the practical exercises for the SAAS-MOD Storage Area Operations using AIT equipment. Each time you logon to a Windows system, a User Name and Password is required. During the training, you will be required to log into SAAS-MOD as a SAAS-MOD operator and as the system administrator utilizing the user names and passwords as shown. (NOTE: In SAAS-MOD, both user name and password are case sensitive).
SAAS operator System Administrator USER NAME Saasmod Administrator PASSWORD saasmod1 Admin
During training, you will logon to the 751G as shown below.
AIT 751G OPERATOR/RECORDER/COUNTER AITUSER1 AITUSER2 AITUSER3 AITUSER4 AITUSER5
Throughout the training, please follow these instructions:
1) All lessons begin with an instructor led exercise.
2) Listen and follow along with the instructor (i.e. don't get ahead of or fall behind the instructor). Always complete the tasks in the sequence directed by the instructions.
3) Complete each task before proceeding to the next task.
4) If information is not provided for a field, leave the field blank.
5) If you have any questions or need help at any time, please let the instructor know.
TRAINING SCENARIO: (This scenario will be used for all training exercises unless told otherwise) You are the Ammunition Manager for an ammunition storage area. The current structure consists of a management center (60M), a storage area (Z1), three storage points (Z1, Z2, & Z3) with ten storage sites (warehouses) at each storage point. Your operation is incorporating AIT technology into all phases of the storage operation. You as a supervisor are required to implement AIT into daily operations.

SECTION III PRACTICAL EXERCISE

A21 - Course Overview
Each student will have the following equipment during this training course:
1) SAAS-MOD File Server-Workstation with an Intermec thermal bar code label printer attached.
2) 751G Hand Held Terminal (HHT), also called a Portable Display Terminal (PDT), with cradle (docking station) connected to a SAAS-MOD Workstation.
3) Intermec Portable Printer w/communication cable.
During the training you will be required to log on to the SAAS-MOD workstation as an operator, the SAAS-MOD file server as the system administrator, and the 751G handheld as an AIT user. During the overview, we will review the logon procedures for SAAS-MOD and briefly describe the SAAS-MOD ASP Executable processes that are used with the 751G handheld.
Task 21A - Logon as the System Administrator (SA)
Press the CTRL + ALT + DEL keys at the same time to display the Logon Information window. Then use the information in bold on the table beside the window to log on as the System Administrator.
Log on as the System Administrator
User Name: administrator (case sensitive)
Password: ******** (case sensitive)
Domain: ASP
Click OK
Remember, when you log on as administrator you do not have access to the SAAS-MOD processes.
Click on the Start button and then click on Shutdown. When the Shutdown Window appears click on Close all programs and log on as a different user? Click on Yes
Task 21B - Log on as the SAAS-MOD Operator
Press the CTRL + ALT + DEL keys at the same time to display the Logon Information window. Then use the information in bold on the table beside the window to log on as the SAAS-MOD operator.
Logon Information Window
Log on as the SAAS-MOD operator
User Name: SAAS-MOD (case sensitive)
Password: SAAS-MOD1 (case sensitive)
Domain: ASP
Click OK
When you log on as SAAS-MOD you have access to the SAAS-MOD functional processes.
Task 21C - Review AIT and Related Processes on the ASP Executable Menu.
Select the Process. Start | Click on ASP Executable to display the ASP menu.
The AIT Assignment Status process allows you to review the workload currently assigned to a 751G. You can also use it to cancel and reassign workload assignments to the 751G.
The AIT Exceptions Maintenance process shows transactions that came from the 751G that SAAS-MOD could not process. This process can be used to delete or resubmit transactions.
The Prt Pkg Plt Label (Print Package/Pallet Label) process lets you print 2D package/pallet labels for on-hand assets. The system creates the label based on your selection and the packaging information on the ammunition item table for conventional ammunition and your selection of NSN and serial numbers for serialized ammunition.
The Prt Shp Lbl (Print Shipping Label) process allows you to print shipping labels for an outgoing shipment.
The Workload process allows you to review the current workload, including everything that is currently assigned to the 751G, by transaction type. It can be used to cancel, assign, and reassign workloads to the 751G.
AIT is also used with the following ASP Executables:
SUMMARY FOR COURSE OVERVIEW
During this overview, we reviewed the logon procedures for SAAS-MOD and briefly described the SAAS-MOD processes on the ASP Executable menus that are used with AIT.

A22 - INTRODUCTION TO AIT HARDWARE
Introduction. The primary SAAS-MOD AIT equipment consists of a 751G Handheld Terminal (HHT) with cradle, a portable printer and a stationary thermal bar code label printer. Ribbons, labels, and spare batteries are also provided.

Equipment Overview. SAAS-MOD AIT uses the 751G HHT to collect receipt, shipment, storage and inventory data from linear or 2D Pallet/Package labels at Ammunition Supply Points (ASP) and Ammunition Transfer Points (ATP). Once the data is collected, it is transferred to a SAAS-MOD workstation for processing in SAAS-MOD. The Intermec 751G is a specific type of hand held terminal (HHT), and in this section, the 751G and Portable Data Terminal (PDT) are interchangeable terms. The 751G HHT comes loaded with the Windows CE.Net program.

TASK 22A PREPARE THE PC, 751G HAND HELD, CRADLE, STATIONARY AND PORTABLE PRINTERS FOR SAAS-MOD AIT OPERATIONS.
This is an instructor led exercise. Perform each step when directed by the instructor.

TASK 22B Examine The Basic Features of the 751G Hand Held Terminal (HHT)
Remove the 751G from the cradle and locate these basic features on the 751G.
TASK 22C Examine The Basic Features Of The Cradle
Turn off the 751G and return it to the cradle.
The cradle is the communication link between the 751G and the SAAS-MOD workstation. It is used to store the 751G, transfer data to and from the 751G to the workstation and to print labels.
Task 22D Connect The Cradle to a SAAS-MOD Workstation
Connect the USB cable to a USB port on the SAAS-MOD workstation. Plug the AC power cable with 12 volt converter into the rear of the cradle and then connect it to a (120/210) AC power source.
TASK 22E - Unpack And Inspect The INTERMEC PM4i Bar Code Printer
The items displayed below should be unpacked from the printer box. Inspect the contents of the box for all of the items and any damaged items. Report missing or damaged items to the instructor at this time.
Task 22F - Prepare the INTERMEC PM4i Bar Code Printer For SAAS-MOD Operations.
The thermal printer is of rugged construction, prints ANSI A grade Bar Codes and prints on a variety of paper & Synthetic 4 wide Media. It can be connected to a local port (COM1 or USB) on a SAAS-MOD workstation and prints 2D shipping labels and 2D Pallet/Package labels. All SAAS-MOD workstations on the LAN can use the printer to print labels. The printer is set up for SAAS-MOD use; however, you should familiarize yourself with the features on the printer before you install the media (labels and thermal print ribbon).
Locate items listed on the front panel:
Indicator Lamps
Display Window
Feed/Pause button
Keyboard
Side Door
Print mechanism
Front door
Locate these items on the rear of the printer
Now that you know the parts of the printer, your task is to install the media (paper and thermal print ribbon). Remember this is an instructor led exercise, so please do not get ahead of the instructor.
Install the Ribbon.
Push the ribbon all the way onto the Ribbon Supply Spindle (unroll from bottom).
Pull the end of the ribbon over the Ribbon Sensor, under the Print Head Assembly and up over the Ribbon Guide Plate.
Close the Print Head Assembly, keeping the ribbon snug and in line with Guide Plate.
Connect Thermal Printer to SAAS-MOD Workstation. Connect the parallel or USB printer cable to Bi-Directional Port on the printer. Connect the parallel or USB printer cable to the Port on the workstation.
Perform the Printer Operational Check.
If problems occur, refer to the PM4i User Guide to determine the cause.
Task 22G - Prepare the Intermec PT403 Portable Printer for SAAS-MOD Operations.
The Intermec PT403 portable printer is connected to the communications port on the 751G. It prints 2D Pallet/Package labels. The printer has already been configured for SAAS-MOD use.
Your task is to install the battery and media (paper and print ribbon), and connect the printer to the 751G.
Locate these items on the printer.
Top Cover
Media Access Door
Communications Port
Battery Charging Receptacle
Battery Charging LED
Peel Bar
Locate these items on the control panel.
Feed Button
Power Button
Power LED
Error LED
Install Battery. Locate Battery compartment. Slide up battery compartment door. Install a fully charged battery with contacts facing up. Close compartment door.
Load the media (Install a Roll of Labels). Raise the Media Access Door and Top Cover. Lift the print head until it locks into place. Thread the roll of labels from bottom into the printer until it goes past the print head. Hold open Media Hangers and put the roll of labels on the hangers. Release Media Hangers so that the roll of labels locks in the right position.
Install the Ribbon Cartridge. Raise the Media Access Door and Top Cover. Lift the print head until it locks into place. Hold the ribbon cartridge as shown. Align the protrusions with channels on printer. Slide the cartridge past the print head and it will lock in the right position. Close the print head, the top cover and media access door. Press the Power button to turn the printer on. The printer uses three (3) labels to self calibrate every time it is turned on.
Connect the portable printer to 751G. Turn off the portable printer and 751G. Plug the communications cable into the RJ45 on the portable printer. Turn on the portable printer and 751G. Turn off the printer and 751G and remove the communications cable from the Comm. Port of the 751G.
A23 INSTALL AIT SOFTWARE

The following software must be loaded, in the order listed below, to operate the AIT equipment correctly with SAAS-MOD equipment.
1) ActiveSync 4.1. This will be installed on the workstation to allow the workstation to communicate with the 751G.
2) SAAS-MOD-UPLOAD-INSTALL.ZIP. This will be installed on all workstations requiring the use of AIT.
3) SAASMOD.CAB file. This file is installed on the 751G and is required to enable SAASMOD processing on the handheld.
This software is provided to you on the SAAS Application CD included in the latest SCP package in folder \SAAS Utility\Intermec Files.
TASK 23A Install SAAS-MOD-UPLOAD-INSTALL
The first file that needs to be loaded is SAAS-MOD-UPLOAD-INSTALL.ZIP. It will unzip and build a folder on your system with all required files needed to run the AIT processes.
The following steps will help you to complete this process.
1. Locate the SAAS-MOD-UPLOAD-INSTALL.ZIP file in the WKS APPLICATION folder. You should double click on it to display the WINZIP screen.
2. Select extract to display extract line.
3. Enter the folder name: c:\saas_mod_upload.
4. Click on extract and the files will be copied into the specified folder.
5. Exit the WINZIP window.
6. Go to Explore and locate the c:\saas_mod_upload folder.
7. Select the file setup.exe and double click to load the SAAS-MOD Upload. Follow the instructions as they are displayed on the screen.
8. On the Welcome to the Install Shield Wizard for SAAS_MOD Upload screen, select Next to continue.
9. On the Choose Destination Location screen, accept the default destination folder by clicking Next.
10. On the Select Program Folder screen, select Next to accept the default SAAS_MOD Upload folder.
11. The files should start copying. Select Next to continue.
12. On the Install Shield Wizard Complete screen, select Finish to complete the load process.
At this point, check to ensure the following folders have been copied to the workstation as follows:
1. Go to C:\Program Files and check to be sure there is a folder named Northrop Grumman. This folder stores the AIT executable file SAAS_MOD Upload.exe.
2. The process also creates a log file for tracking problems with the program load. Go to c:\saas\logs folder to view the SAAS_MOD_Upload.log file. (Use Note Pad to view this file). If for some reason the log was not created, create it using Note Pad.
3. Go to the desktop and double click on the SAAS_MOD UPLOAD icon. Select the configuration and view how the folders have been set up on the PC.
This completes the SAAS-MOD Upload install.
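The folder and log checks listed above can also be run as a script. This is an added PowerShell example, not part of the original booklet or of the SAAS-MOD software; it assumes PowerShell 2.0 or later is available on the workstation, and the function name and the -CreateMissingLog switch are hypothetical. The paths are the ones named in the steps above.

```powershell
# Added example: post-install check for the SAAS-MOD Upload load (Task 23A).
# Assumption: PowerShell 2.0 or later. The function name and the
# -CreateMissingLog switch are hypothetical; the default paths come from
# the install steps and the three checks that follow them.
function Test-SaasModUploadInstall {
    param(
        [string]$ExtractDir = 'C:\saas_mod_upload',
        [string]$VendorDir  = 'C:\Program Files\Northrop Grumman',
        [string]$ExeName    = 'SAAS_MOD Upload.exe',
        [string]$LogFile    = 'C:\saas\logs\SAAS_MOD_Upload.log',
        [switch]$CreateMissingLog
    )

    $results = @()

    # Steps 3-7: the ZIP is extracted to the upload folder and setup.exe
    # is run from there, so setup.exe should still be present.
    $setup = Join-Path $ExtractDir 'setup.exe'
    $results += New-Object PSObject -Property @{
        Check = 'setup.exe extracted'
        Path  = $setup
        Ok    = (Test-Path -LiteralPath $setup -PathType Leaf)
    }

    # Check 1: the vendor folder exists and holds the AIT executable.
    # The booklet does not name a subfolder, so search the whole tree.
    $dirOk = Test-Path -LiteralPath $VendorDir -PathType Container
    $results += New-Object PSObject -Property @{
        Check = 'Vendor folder present'
        Path  = $VendorDir
        Ok    = $dirOk
    }
    $exe = $null
    if ($dirOk) {
        $exe = Get-ChildItem -Path $VendorDir -Recurse -Filter $ExeName `
                   -ErrorAction SilentlyContinue | Select-Object -First 1
    }
    $exePath = $ExeName
    if ($exe) { $exePath = $exe.FullName }
    $results += New-Object PSObject -Property @{
        Check = 'Upload executable present'
        Path  = $exePath
        Ok    = [bool]$exe
    }

    # Check 2: the load log exists. The booklet says to create it by hand
    # if the installer did not; -CreateMissingLog creates an empty file.
    $logOk = Test-Path -LiteralPath $LogFile -PathType Leaf
    if (-not $logOk -and $CreateMissingLog) {
        $logDir = Split-Path -Parent $LogFile
        if (-not (Test-Path -LiteralPath $logDir -PathType Container)) {
            New-Item -ItemType Directory -Path $logDir -Force | Out-Null
        }
        New-Item -ItemType File -Path $LogFile | Out-Null
        $logOk = Test-Path -LiteralPath $LogFile -PathType Leaf
    }
    $results += New-Object PSObject -Property @{
        Check = 'Load log present'
        Path  = $LogFile
        Ok    = $logOk
    }

    $results
}

# Report every check; any row with Ok = False needs attention before
# continuing with the ActiveSync install.
Test-SaasModUploadInstall | Format-Table Check, Ok, Path -AutoSize
```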
If you have any questions, call the CAO at DSN: 687-1051 or commercial (804) 734-0151.
TASK 23B - Install Microsoft ActiveSync 4.1
Microsoft ActiveSync 4.1 is synchronization software that will enable your PC to communicate with the 751G Handheld mobile device for downloading and transferring of files.
The ActiveSync 4.1 installation file is located in the ActiveSync 4.1 folder.
1. Read the information below and follow the on screen instructions to complete the install process.
2. Click Next to install Microsoft ActiveSync 4.1 on your computer.
3. Read the entire license agreement by scrolling down to the bottom. Click on I accept the terms in the license agreement and click Next to continue.
4. Enter your name (i.e. John Doe) and your Organization name. Select Next to continue.
5. Click Next to accept the default destination folder.
6. Select Install to begin the installation of Microsoft ActiveSync 4.1.
7. The files should start copying. Wait approximately 4 minutes for this to complete. When the files have been copied, select Next to continue.
8. Select Finish to complete the Microsoft ActiveSync install.
9. You must restart your computer in order for the changes to take effect. Select Yes to restart your computer now.
10. Once the system has been restarted, log back onto the workstation. The IAW Upload and the Microsoft ActiveSync screens will appear as shown below.
Once ActiveSync has been loaded, follow the instructions below to establish a New Partnership.
TASK 23C Set Up A New Partnership
1. On the Set up a Partnership screen, select Yes then select Next to continue.
2. On the Select Number of Partnerships screen, select Yes to synchronize with only this computer, then select Next to continue.
3. On the Select Synchronization Settings screen, remove all the checks from the boxes (click on each check mark to remove the check), then select Next to continue.
4. Read the information on the Setup Complete screen then click Finish to exit the install wizard.
5. Once the install is complete, the Microsoft ActiveSync splash screen will appear. Be sure that Connected and Synchronized are shown in the splash screen.
NOTE: The Microsoft ActiveSync splash screen will appear each time the 751G is placed into a cradle that is connected to a workstation.
6. The IAW Upload screen will also appear each time a connection has been established with the workstation and the 751G.
If you have any questions, contact the CAO at DSN: 687-1051 or Commercial: (804) 734-1051.
TASK 23D - Load SAAS-MOD Software on the 751G Handheld
SAAS-MOD .CAB FILE
Make sure that the SAASMODE-v4.0a-05-17-2006.CAB file is in the HHT APPLICATION folder (use Explore to check for this file).
This file can be dragged and dropped to the 751G.
1. Place the 751G into the cradle that is connected to the workstation. The Microsoft ActiveSync splash screen should appear. The moving green ball indicates that the two systems are connected. Be sure that Connected and Synchronized are displayed on the splash screen.
2. The IAW Upload screen below will also appear once the 751G is placed in the cradle.
3. Once the systems are connected and synchronized, required SAAS-MOD files must be copied from the workstation to the 751G.
First, locate the SAASMOD.CAB file and copy it into SDMMC Disk folder on the 751G. *Be sure to check that the file is read only before executing it. Otherwise, the file will not be saved in the folder.
4. Once the file is in the SDMMC folder on the 751G, remove the 751G from the cradle. On the 751G, use the stylus to:
Double tap on My Computer. Double tap on SDMMC Disk. Double tap on SAASMOD-UPLOAD-INSTALL-v1.0-05172006.CAB to install.
RELOAD SAAS-MOD CAB
If you need to reload the .CAB file, you must uninstall the existing .CAB file through the Control Panel (Add/Remove Programs), then repeat step 4 above to reload the file.
TASK 23E To Improve Bar Code Readability with the INTERMEC 751G Handheld
1. Take the following steps to ensure the 751G bar code settings are optimized for reading Code 39 labels.
2. On the 751G, complete the following:
1) Click on Start
2) Select Settings
3) Select Control Panel
4) Select Intermec Settings
5) Select Scanners, Symbologies
6) Select Internal Scanner
   Select Symbologies
   Select Code 39
   Select Options
   Select Full ASCII Conversion
   Select Enable
   Select Reading Range
   Select Extended
7) Select Imager Settings
   Check 1D Omni-directional
   Select Lighting Mode
   Select Illum LED priority
   Select Lighting goal=100
8) Select X to Exit (upper right hand corner)
9) Select Yes to save configuration changes
This completes the 751G handheld setup procedures.
TASK 23F - Run SAAS-MOD on the 751G Handheld
1. On the WindowsCE1 screen, tap START (Windows color box in the lower left corner of the screen). A drop down menu will appear.
2. Tap Programs and the next screen will be displayed.
3. Tap SAAMOD to bring up the SAAS-MOD 4.1 Login screen.
4. Click on User ID and enter SAASMOD as the username. A username can be up to 30 characters. Click OK to continue.
You are now logged in as a SAASMOD user.
The SAAS-MOD Select Location Menu screen will appear.
C20 - PRINT 2D PACKAGE/PALLET LABELS FROM THE AIT 751G

Introduction. The Print Label (Print Package/Pallet Label) process on the 751G lets you create and print 2D Package/Pallet labels from a portable printer attached directly to the 751G handheld. The process creates the labels for conventional DODIC and serialized DODIC based on the parameters (DODIC, NSN, Lot Number, and Serial Numbers) that you enter. The Print Label process on the 751G can be accessed and used in conjunction with any 751G process. It is selectable from the ASP and ATP menus. It is also selectable from the Receipt (Lot Data) Screen and the Linear Barcode/Manual Data Entry Screen that appears in all AIT processes.

During this lesson, we will:
1) Review the AIT 751G/Portable Printer setup procedures.
2) Review the Login procedures for the AIT 751G.
3) Select the Print Label process from the menu.
4) Execute the process.
5) Print labels using the portable printer.

I. General Instructions for Using the Portable Printer with the 751G Handheld
1) Ensure there is a fully charged battery in the battery compartment.
2) Ensure that you have a roll of labels and the printer ribbon cartridge properly installed.
3) Observe the two available connections that can be used to print labels using the 751G.
a) The first connection is a printer adapter that attaches to the bottom of the 751 with two thumb screws. This will allow the user to connect a cable between the 751G and the portable printer to print labels.
b) The second connection is to connect the printer to the COM 1 (9 pin) port at the rear of the 751G cradle.

II. Auto Calibrate the Portable Printer
1) Turn off the 751G handheld and the portable printer.
2) Plug the communications cable (9 pin cable end) into either the printer adapter on the 751G or into the 751G cradle. Then plug the other end into the portable printer.
3) Turn the 751G and the printer ON to auto calibrate and line up labels on the printer. Blank labels will feed through the printer to complete the auto calibration process. You are now ready to print labels.
Task 1 - Login to the 751G and Execute the Print Label Process.
Task 1 is an instructor led exercise; perform each task when directed by the instructor.
Task 1A Login to the 751G and Select the Print Label Process.
Login to SAAS-MOD.
Touch The User Id field to display the data entry screen.
On the Username Data Entry screen, enter AITUSER and touch OK to display the Login Screen.
Touch OK on the Login Screen to display the SAAS-MOD Select Location Menu.
Touch ASP to display the ASP Menu.
ASP Menu
Touch Print Label at the bottom of the ASP Main Menu to display the Linear Barcode/Manual Data Entry Screen.
Conventional DODIC labels require a Lot Number, NSN, DODIC and quantity. Serialized DODIC labels require serial numbers.
Task 1B - Print a Conventional DODIC Label with the 751G Print Label Process
Step 1. Enter Lot #, NSN, & DODIC.
Touch the Lot # field
Enter LC- 85A080-013 - touch OK.
Touch the NSN/NIIN/MPN field.
Enter 1305 011555459 - touch OK.
Touch the DODIC field.
Enter A059 - touch OK.
Step 2. Enter quantity data.
Touch the Quantity field.
Touch Box Qty and the Box Qty Standard Quantity Data Entry Screen is displayed.
Enter 1680 and touch OK to display the SAAS-MOD Quantity Calculator Screen.
Touch OK again to display the SAAS-MOD Linear Bar Code/Manual Data Entry Screen.
Step 3. Print box label.
Check Printer connection, and then touch Print Label to print the label.
Task 1C - Print a Serialized DODIC Label with the 751G Print Label Process
Step 1. Enter Lot #, NSN, & DODIC.
Touch the Lot # field
Enter JAT98B001- 888 - touch OK.
Touch the NSN/NIIN/MPN field.
Enter 1340011490918 - touch OK.
Touch the DODIC field.
Enter H108 - touch OK.
Touch Edit Serials to display the SAAS-MOD Serial Number Manual Entry Screen.
Step 2. Enter Serial Numbers.
Touch From Serial # field.
Enter 771001 and touch OK.
Touch To Serial # field.
Enter 771006 and touch OK.
Touch Add. The six serial numbers (771001, 771002, 771003, 771004, 771005 & 771006) appear in the serial number list box.
Touch OK to display the Linear Bar Code/Manual Data Entry Screen.
Step 3. Select Serial Numbers for each label.
Touch Print Label to display the SAAS-MOD Print Serialized Label Screen.
Touch these serial numbers for the first label (771001, 771002, 771003, 771004 & 771005). They will move to the bottom list box.
Check Printer connection then touch Print Label to print the first label.
Touch serial number 771006 to move it and touch print to print the second label.
After you print both labels touch Cancel to exit.

SUMMARY FOR PRINT 2D PACKAGE/PALLET LABELS FROM THE 751G.
The Print Label (Print Package/Pallet Label) process on the 751G lets you create and print 2D Package/Pallet labels on a portable printer attached directly to the COM port of the AIT 751G. The process creates the label for conventional DODIC and serialized DODIC based on the parameters DODIC, NSN, Lot Number, and Quantity or Serial Numbers that you enter. The Print Label process on the 751G can be accessed and used in conjunction with all other 751G processes. It is selectable from the ASP and ATP menus. It is also selectable from the Receipt (Lot Data) Screen and you can print a label any time there is data entered on the Linear Barcode/Manual Data Entry Screen. During the lesson we showed you how to select the process from the menu and how to print the labels. We also showed you how to selectively print serial numbers. Please keep all the labels you made during this portion of the PE as they may be required for the remainder of the exercises.
C21 - PRINT SHIPPING LABELS FROM SAAS-MOD

Introduction. The PRT SHP LBL (Print Shipping Label) process lets you print shipping labels for an outgoing shipment and lets you delete document numbers for completed shipments. The document numbers in the Available List Box are displayed in DODAAC-date-serial number sequence. During this lesson, we will show how to select a shipment document number and print a shipping label for the shipment. We also show you how to delete old document numbers from the Available List Box on the Shipment Labels Print Window.
Select the Shipping Labels Print Process. Select (click on) Start | ASP Executables | Prt Shp Lbl
Task 1 - SAAS-MOD Prt Ship Lbl Process. This is an instructor led exercise. Perform each step when directed by the instructor.
TASK 1A - Follow these steps to print Shipment Labels.
Step 1. Highlight (click on) the first document number in the Available list box and click on Select Doc Num.
Step 2. Highlight (click on) the first TCN and click on Select TCN to display it on the TCN work line.
Step 3. Enter 2 (two) in the Num Lbls to Prt field and click on Enter.
Step 4. Click on Print.
Step 5. Click on OK in the dialog box. The system prints two labels on the thermal printer attached to the workstation.
Task 1B Follow these steps to delete a Shipment Document Number from the Shipment Labels Print Window.
Step 1. Highlight (click on) the first document number in the Available list box and click on Delete Doc.
Step 2. Click on Yes in the Delete Confirm box.
Step 3. Click OK in the informational dialog box. The system deletes the document number.
Task 2 There is no Task.

SUMMARY FOR PRINT SHIPPING LABELS FROM SAAS-MOD.
The Prt Shp Lbl (Print Shipping Label) process lets you print shipping labels for outgoing shipments and lets you delete document numbers from the Print Shipping Labels process for completed shipments. The document numbers in the Available List Box are displayed in DODAAC-JULIAN DATE-SERIAL NUMBER sequence. During this lesson, we showed you how to select a document number from the available list box, select the TCN and identify label requirement, then print the shipping labels for the shipment. We also showed you how to delete old document numbers from the Available List Box on the Shipment Labels Print Window.
C22 - PRINT 2D PACKAGE/PALLET LABELS FROM SAAS-MOD
Introduction. The Prt Pkg-Plt Lbl (Print Package/Pallet Label) process lets you print 2D Package/Pallet labels on a thermal label printer attached to a SAAS-MOD work station. The process creates the label for conventional DODIC based on the parameters (Storage Point, Warehouse, DODIC, NSN and Lot Number) that you select and uses the package data (Rounds per Pallet or Rounds per Box) from the Ammunition Lot Item table for your selection. The process creates the label for serialized DODIC based on the parameters (Storage Point, Warehouse, DODIC, NSN, Lot Number, and Serial Numbers) that you select. During this lesson, we will show how to select the parameters for conventional DODIC and serialized DODIC, and how to print the labels. Please keep all the labels you make during this portion of the PE as they will be required for the remainder of the exercise.
Select the Print Package/Pallet Label Process. Click on Start | ASP Executables | Prt Pkg-Plt Lbl
Task 1 - SAAS-MOD Prt Pkg-Plt Lbl Process. This is an instructor led exercise; perform each step when directed by the instructor.
Task 1A - Follow these steps to print Package/Pallet Labels for Conventional DODIC.
Step 1. Select SP Z1
Step 2. Select or enter WHSE ID Z1016.
Step 3. Enter the DODIC C787 and press Enter.
Step 4. Select Lot Number MHM90A023-011.
Step 5. Enter the Num Labels Requested (Non Serialized) 2
Step 6. Click on Pallet
Step 7. Click on Confirm and click on OK when the dialog box appears.
Remove the two labels from the thermal printer, put condition Code B Whse Z1016 on one label and condition Code K Whse Z1016 on the other label. Keep the labels with your PE as they may be used in some of the following exercises.
Task 1B Follow these steps to print package/pallet labels for a serialized DODIC.
Step 1. Select SP Z1
Step 2. Select or enter WHSE ID Z1016.
Step 3. Enter the DODIC C995 and press Enter.
Step 4. Select Lot Number JAT95L10199 to display the Serial Number List Window.
Step 5. Print a label with one serial number.
Click on serial number 35770 and click on Confirm.
Click on OK in the dialog box.
Step 6. Select and print a group of serial numbers not displayed in sequence.
Press and hold down the Ctrl key and click on serial numbers 46001, 46002, 46008, 46009, 46010.
Click on Confirm then click on OK in the dialog box.
Step 7. Select and print a group of serial numbers displayed in sequence.
Press and hold down the Shift key and click on serial numbers 46003, 46004, 46005, 46006, 46007
Click on Confirm then click on OK in the dialog box.
Step 8. Select and print a group of serial numbers displayed in sequence.
Press and hold down the Shift key and click on serial numbers 46011, 46012, 46013, 46015, 46016
Click on Confirm then click on OK in the dialog box.
Step 9. Select and print a group of serial numbers displayed in sequence.
Press and hold down the Shift key and click on serial numbers 46017 46021, 46114, 46133, 46134.
Click on Confirm, and then click on OK in the dialog box.
Remove all the labels from the thermal printer and put condition Code A Whse Z1016 on all five labels. Keep the labels with your PE as they will be used in some of the following exercises.
Task 2 SAAS-MOD Prt Pkg-Plt Lbl Process. Perform this task on your own.
Task 2A Print Package/Pallet Labels for Conventional DODIC.
Use the information in the table above to print two package/pallet labels for a conventional DODIC. After the labels are printed, write the condition code, SP and warehouse on the labels. Keep the labels with your PE as they may be used in some of the following exercises.
Select the Print Package/Pallet Label Process. Click on Start | ASP Executables | Prt Pkg-Plt Lbl.
At the Print Packing Labels Window:
Select Storage Point Z1 and Warehouse Z1013 using the arrow beside each field.
Enter the DODIC B535 and press Enter to display the NSN and lot numbers for the DODIC.
Select Lot Number LOW-6-15 (select either record).
Enter the Number of Labels 2 and click on Pallet to print a pallet label.
Click on Confirm to complete your selection and click OK when the dialog box appears.
Remove the labels from the thermal printer and put condition Code A Whse Z1013 on both labels. Keep the labels with your PE as they will be used in some of the following exercises.
Task 2B Print Package/Pallet Labels for Serialized DODIC.
Use the information in the table above to print package/pallet labels for each group of serial numbers on the above table. After the labels are printed write the condition code, SP and warehouse on each label. Keep the labels with your PE as they will be used in some of the following exercises.
Select the Print Package/Pallet Label Process. Click on Start | ASP Executables | Prt Pkg-Plt Lbl.
At the Print Packing Labels Window:
Select Storage Point Z1 and Warehouse Z1016 using the arrow beside each field.
Enter the DODIC C995 and press Enter to display the NSN and lot numbers for this DODIC.
Select Lot Number AT95L10388 to display the serial number list.
Label 1 Use the Shift key and mouse to select and print a label for serial numbers 951002 thru 951006. Confirm your selection.
Label 2 Use the Shift key and mouse to select and print a label for serial numbers 951011 thru 951015. Confirm your selection.
Label 3 Use the Shift key and mouse to select and print a label for serial numbers 951020 thru 951024. Confirm your selection.
Label 4 Use the Ctrl key and mouse to select and print a label for serial numbers 951001, 951010, 951019, 951028, 951029. Confirm your selection.
Label 5 Use the Ctrl key and mouse to select and print a label for serial numbers 951007, 951008, 951016, 951017, 951025. Confirm your selection.
Label 6 Use the Ctrl key and mouse to select and print a label for serial numbers 951009, 951018, 951026, 951027. Confirm your selection.
Remove all the labels from the thermal printer and put condition Code A Whse Z1016 on all six labels. Keep the labels with your PE as they will be used in some of the following exercises.
SUMMARY FOR PRINT PACKAGE/PALLET LABELS FROM SAAS-MOD.
The Prt Pkg-Plt Lbl (Print Package/Pallet Label) process lets you print 2D Package/Pallet labels on the thermal printer attached to a SAAS-MOD work station. The process creates the label for conventional DODIC based on the parameters (Storage Point, Warehouse, DODIC, NSN, and Lot Number) that you select and uses the package data (Rounds per Pallet or Rounds per Box) from the Ammunition Lot Item table for your selection.
The process creates the label for serialized DODIC based on the parameters (Storage Point, Warehouse, DODIC, NSN, Lot Number, and Serial Numbers) that you select. During the lesson we showed you how to select the parameters for conventional DODIC. Then we showed you how to use the Ctrl Key (non-sequential) and Shift Key (sequential) to create 2D Package/Pallet labels for serialized DODIC.
C23 - MAINTAIN USER ACCOUNTS ON SAAS-MOD FOR AIT 751G USERS.
Introduction. When you are using AIT in your operations, the first thing you need to do is identify in the SAAS-MOD Maintain User process the storage personnel that use the AIT hand held terminals (751G) in the storage area for inventory. The 751G user does not require access to SAAS-MOD, but SAAS-MOD transfers files to the 751G based on the User Id logged on the 751G and the 751G process selected. Only users identified by SAAS-MOD on the Maintain User table can be assigned as recorder and counter in the Inventory Process for an AIT inventory. During this lesson, we will create AIT User IDs on SAAS-MOD; these User IDs will not have access to the SAAS-MOD system. The Maintain Users Process identifies SAAS-MOD users and the SAAS-MOD procedures available to them. The only process required in the current profile for an AIT User Id is called AIT Processes.
Select the Maintain User Process. Click on Start | ASP Executables | Maintain Users.
Task 1 Use the SAAS-MOD Maintain User Process to Add an AIT User and User Profile. This is an instructor led exercise; perform each step when directed by the instructor.
Task 1A Follow these steps to Add an AIT 751G User Id with a User Profile to SAAS-MOD.
Step 1. Click on User on the User Menu bar.
Step 2. Click on Maintain User ID on the User pull-down menu to display the Maintain User Window.
Step 3. Enter AITUSER1 in the User ID field.
Step 4. Click in the Name field and enter SSG SMITH.
Step 5. Click in the Organization field and enter 60th OD CO.
Step 6. Click in the Job Description field and enter Storage NCO.
Step 7. Click on Actions/New and click on OK to confirm.
Step 8. Click on User Profile to display the Maintain User Profile Window.
Step 9. Highlight (click on) AIT Processes in the Procedure Name list box.
Step 10. Click on Actions/New and the system adds the procedure to the Current Profile list box.
Step 11. Click on Actions/Exit to close the window and exit the process.
Task 2 Use the SAAS-MOD Maintain User Process to Add AIT Users and User Profiles. Perform this task on your own.
Select the Maintain User Process. Click on Start | ASP Executables | Maintain Users.
Step 1: Add the first AIT User Id on this table to SAAS-MOD on the Maintain User Id Window. Enter the User Id, the User Name, the organization, and job description from the table above. Click on Actions/New and confirm.
Step 2: Add the Procedure Name on the above table to the AIT User Id Profile. Click on User Profile on the menu bar of the Maintain User ID Window to display the Maintain User Profile Window. Click on AIT PROCESSES in the Procedure Name List Box. Click on Actions/New and confirm.
Repeat steps 1 and 2 for the remaining User Ids.
SUMMARY FOR MAINTAIN USER ACCOUNTS
All AIT User IDs must be added to SAAS-MOD in the Maintain User Process. AIT PROCESSES is the only process an AIT User ID must have. Normally AIT Users do not have access to the SAAS-MOD functional processes. The primary reasons for identifying AIT users are to facilitate file transfers between SAAS-MOD and the 751G and to identify the recorder and counter for AIT inventory history reports.
C24 - USE AIT ASSIGNMENT STATUS TO VIEW/CHANGE WORKLOADS
Introduction. The AIT Assignment Status process lets you review the workload currently assigned and sent to the AIT 751G for a specific User ID. In addition, you can use the process to cancel current workload assignments and reassign them to another User ID. Only AIT workloads that have been assigned and sent to AIT are displayed in this process. The AIT Assignment Status process, with the exception of the selection window, uses the same windows and procedures as the Workload process. The Workload process can be accessed directly from the SAAS-MOD menu or from the Ammunition Stores Slip (3151) Window that is in the Issue, Turn-in, Shipment, Receipt, and IDT processes. During this lesson, we will show you how to view and change (un-assign and reassign) workloads for a User ID in SAAS-MOD. In this process the User ID entry is case sensitive and must match the User ID exactly as it appears in the Maintain User ID Window.
Select the AIT Assignment Status process. Click on Start | ASP Executables | AIT Assignment Status.
When AIT Assignment Status is selected, an Error dialog box prompting for a User Id is displayed; click on OK to continue. The system displays the Workload Assignment Window.
Task 1 Use the SAAS-MOD AIT Assignment Status Process to View, Change or Delete AIT Workload Assignments for a User ID. This is an instructor led exercise; perform each step when directed by the instructor.
Task 1A Follow these steps to View AIT Assignment Status for a User ID. This is an instructor led exercise; perform each step when directed by the instructor.
Step 1. Enter SAAS-MOD in the User/Team ID field and press Enter. The system displays the documents assigned to AIT for SAAS-MOD in the list box.
Step 2. Highlight (click on) WASP6101440001.
Step 3. Click on Details to display the Process Workload Window.
The Process Workload Window displays the document number information and the detail lines on the documents assigned to the User Id.
Step 4. After viewing the lines, click on Close to return to the Workload Assignment Status Window.
Task 1B Follow these steps to Change the AIT Workload assigned to a User ID. This is an instructor led exercise; perform each step when directed by the instructor.
Step 1. Enter SAAS-MOD in the User/Team ID field and press Enter. The system displays the documents assigned to AIT for SAAS-MOD in the list box.
Step 2. Highlight (click on) WASP6101440001.
Step 3. Click on Details to display the Process Workload Window.
Step 4. Use the horizontal scroll bar in the box to display the Con IND and User ID field.
Step 5. Highlight (click on) the line in the Document Details & Assignments box. The system displays the Detail Exception Window.
Step 6. Click on Un-assign.
The system closes the Detail Exception Window and displays the Process Workload Window with the Con IND and User Id field for the line blank.
Step 7. Highlight (click on) the line in the Document Details & Assignments box.
Step 8. Click on Assign to display the Process Select User ID Window.
Step 9. Highlight (click on) SSG JONES AITUSER3 and click on Select. The system closes the window and displays the Process Workload Window. The AITUSER3 is now in the User ID field beside the line.
Step 10. Click on Send. The system puts an A in the Con IND field and sends the highlighted line to the AIT Out table.
Step 11. Click on Close to Exit.
Task 2 Use the AIT Assignment Status Process to reassign all the remaining Transactions Assigned to the User Id SAAS-MOD and to AITUSER3. Perform this task on your own.
Select the AIT Assignment Status Process. Click on Start | ASP Executables | AIT Assignment Status.
Highlight (click on) the first document number line displayed in the list box.
Click on Details to display it in the Process Workload Window.
Highlight (click on) the transaction line displayed and the system displays the Detail Exception Window.
Click on Un-assign to change the current assignment.
Highlight (click on) the line to activate the Assign and Send buttons.
Click on Assign to display the Process select User Id Window.
Highlight (click on) AITUSER3 and click Select.
Click on Send to transfer the workload to the 751G.
Repeat this process until the list box on the Workload Assignment Status Window for SAAS-MOD is empty.
SUMMARY FOR AIT ASSIGNMENT STATUS PROCESS
The AIT Assignment Status process lets you review the workload currently assigned and sent to a specific AIT User Id. You can use the process to reassign workloads to another 751G. During this lesson, we showed you how to view, un-assign (cancel), and reassign workloads to an AIT User Id on SAAS-MOD. Remember all SAAS-MOD User Id entries are case sensitive.
C25 - USE WORKLOAD TO VIEW/CHANGE AIT 751G WORKLOADS
Introduction. The workload process is similar to the AIT Assignment Status process. There are two major differences:
The transactions are selected by transaction type (issue, turn-in, receipt, and shipment), not by user id.
The process displays all open transactions (including those not assigned to AIT) that the SAAS-MOD system has processed on an Ammunition Stores Slip (3151) Window.
The process is just like AIT assignments; it is used to view, change (un-assign and reassign), and assign workloads to the 751G. During this lesson, we will show how to select by transaction type, change (un-assign and assign) and assign workloads to 751G on SAAS-MOD.
Select the Workload Process. Click on Start | ASP Executables | Workload.
Task 1 Use the SAAS-MOD Workload Process to View, Change or Assign Workloads to 751G. This is an instructor led exercise; perform each step when directed by the instructor.
Task 1A Follow these steps to View Current Workload by Transaction Type.
Step 1. Click on Issue in the Document Type box. The system displays document numbers with number of lines for all open issue documents.
Step 2. Highlight (click on) W4ZGAA20315001.
Step 3. Click on Detail to display the Process Workload Window.
The Process Workload Window displays the document number information and the detail lines on the document. Note that the Con IND and User ID fields are blank; that means the document did not go to AIT.
Step 4. After viewing the lines, click on Close to return to the Select Workload Window.
Task 1B Follow these steps to Change (Un-assign and Reassign) Workload to Change the Workload Assignment for a Transaction Type.
Step 1. Click on Shipment in the Document Type box. The system displays document numbers with number of lines for all open Shipment documents.
Step 2. Highlight (click on) WASP6101440001.
Step 3. Click on Details to display the Process Workload Window.
Step 4. Use the horizontal scroll bar in the box to display the Con IND and User ID field.
Step 5. Highlight (click on) the line in the Document Details & Assignments box. The system displays the Detail Exception Window.
Step 6. Click on Un-assign. The system closes the Detail Exception Window and displays the Process Workload Window with the Con IND and User Id field for the line blank.
Step 7. Highlight (click on) the line in the Document Details & Assignments box.
Step 8. Click on Assign to display the Process Select User ID Window.
Step 9. Highlight (click on) SSG FOSTER AITUSER4 and click on Select.
The system closes the window and displays the Process Workload Window. The AITUSER4 is now in the User ID field beside the line.
Step 10. Click on Send. The system puts an A in the Con IND field and sends the line to an AIT Out table.
Step 11. Click on Close to Exit.
Task 2 SAAS-MOD AIT Workload Process. Perform this task on your own.
Task 2A Assign the Remaining Shipment Transaction to the AIT User Id AITUSER4.
Highlight (click on) the document number line displayed in the list box.
Click on Details to display it in the Process Workloads Window.
Highlight (click on) a line. The system displays the Detail Exception Window.
Click on Un-assign. The system returns to the Process Workload Window.
Click on Assign to display the Process select User Id Window.
Highlight (click on) AITUSER4 and click Select.
Click on Send to transfer the workload to the 751G.
SUMMARY FOR AIT WORKLOAD PROCESS.
The workload process is similar to the AIT Assignments process but it lets you review the current workload (all transactions that have had a DA3151 produced or that have been assigned to an AIT User Id) by transaction type. You can use it to assign, un-assign, and send workload assignments to the 751G. This process can be selected from the SAAS menu to view all transactions or from the Ammunition Stores Slip (3151) Window in the issue, turn-in, receipt, or shipment processes.
C26 - AIT EXCEPTION MAINTENANCE.
Introduction. The AIT Exception Maintenance process lets you view the transactions that came from the 751G to SAAS-MOD that could not be processed. The process can be selected from the SAAS-MOD menu. However, it also appears whenever you select a transaction in the Issue, Receipt, Turn-in or Shipment process that did not process properly. Some transactions that failed to process may be correctable (the process identifies correctable transactions) and can then be processed, but most transactions appearing in this process cannot be fixed. The process provides details about the transaction and the reason the system did not process it. If a transaction can be fixed and resubmitted, it has a Y in the Correctable field on the detail window. After you correct a transaction you can complete it. During this lesson, we will show how to view the exception transactions, and how to correct, resubmit and delete AIT exception transactions.
Select the Workload Process. Click on Start | ASP Executables | AIT Exceptions Maintenance.
Task 1 Use the SAAS-MOD AIT Exception Maintenance Process to View, Delete, and Resubmit Transactions From 751G when directed by the instructor.
Task 1A Follow these steps to View a Transaction in the AIT Exception Maintenance Process.
The AIT Exceptions Window shows the DOC NO, SUFFIX, NSN, SER NO and LOT NO of transactions coming from the AIT-751G that the system cannot process. To view detailed information about a transaction:
Step 1. Highlight (click on) the first document and click on Resubmit. The system displays the AIT Detail Window.
A correctable transaction has a Y in the Correctable field. ERR CD/DESCRIPTION fields explain the problem with the transaction. The remaining fields are part of the transaction.
Step 2. Click on Close to exit.
Task 1B Follow these Steps to Delete a Transaction in the AIT Exception Maintenance Process.
Step 1. Highlight (click on) the first document and click on Delete. The system displays the Delete Confirmation Window.
Step 2. Click on Yes to confirm the deletion. The system deletes the line.
Step 3. Click on Close to exit.
Task 1C Follow these steps to Correct and Resubmit a Transaction in the AIT Exception Maintenance Process.
Step 1. Highlight (click on) document number _______________ and click on Resubmit. The system displays the AIT Detail Window.
A correctable transaction has a Y in the Correctable field.
Step 2. Correct the data causing the error. The ERR CD/Description fields explain the problem with the transaction. Based on the ERR CD, you must change at least one of the fields on the transaction.
Step 2. Click on Resubmit to process the transaction.
Task 2 There is no Task.
SUMMARY FOR AIT EXCEPTION MAINTENANCE.
The AIT Exception Maintenance process lets you view the transactions that came from the 751G to SAAS-MOD that cannot be processed. The AIT Exception Maintenance process displays the transactions that failed to process with an explanation and correctable indicator. Only a transaction with a Y in the Correctable field can be reprocessed.
C27 - USE AIT TO PROCESS AND STORE RECEIPTS.
Introduction: Receipt processing using the 751G has these four distinct stages. It begins with the Receipt process on the 751G. The receipt information from the DD form 1348-1 is scanned into the AIT 751G. Next is the Receipt process on SAAS-MOD. The data from the 751G is transferred to SAAS-MOD and processed through site selection in the Receipt process. After site selection you flow to the Store process on the 751G. The store data (storage site) from SAAS-MOD is transferred to the 751G. The ammunition is stored and the storage site, lot data and quantity are confirmed on the 751G. The final stage is the Receipt process on SAAS-MOD. The last stage is the transfer of the confirmed store data back to SAAS-MOD, where the receipt is completed and the transaction closed. During this lesson, we will go through all four stages beginning at the 751G and finishing at the SAAS-MOD workstation.
Task 1 Process Receipt Documents (Conventional and Serialized) using the 751G. Task 1 is an instructor led exercise; perform each task when directed by the instructor.
Task 1A Login to the 751G and select the Receipt Process.
Step 1. Login to SAAS-MOD.
Touch the User Id field to display the data entry screen.
On the Username Data Entry screen, enter AITUSER1 and touch OK to display the Login Screen.
Touch OK on the Login Screen to display the SAAS-MOD Select Location Menu.
Step 2. Touch ASP to display the ASP Menu.
ASP Menu
Step 3. Touch Receipt at the top of the ASP Main Menu to display the SAAS-MOD Receipt (1348 Data) Screen.
You may scan in the information from the 1348 or enter the data manually. The data required is document number, NSN, Total Quantity.
Task 1B Scan Bar Codes on the DD FORM 1348 for a Conventional DODIC Receipt.
Step 4. Scan the document number label on the DD Form 1348. You must confirm the document number was scanned.
Touch Enter Lots to display the (Lot Data) Screen.
Step 2. Scan the Lot Number labels on the DD 1348-1.
Highlight (touch) the line in the list box and touch the arrow in the serial number field to view the serial numbers scanned.
Touch Close (Next 1348).
Touch Yes on the Alert dialog box to display a blank SAAS-MOD Receipt (1348 Data) Screen that is ready to process the next receipt or to transfer the receipt data to SAAS-MOD.
TASK 1C Transfer the 751G File to SAAS-MOD work station.
Step 1. Touch Done (XFER file), and touch Yes on the Alert Screen to put the 751G in the File Transfer mode and display the File Transfer Screen.
Step 2. Put the 751G in the docking station attached to the SAAS-MOD workstation.
Make sure the SAAS-MOD workstation is running and these processes (751G Dock Server and WBT AIT xfer.exe) are displayed on the task bar at the bottom of the window. The transfer is automatic and when the transfer ends, the 751G displays the SAAS-MOD Menu.
Task 1D Follow these steps to Process Receipts coming from the 751G. When the Receipt Processed in message is displayed on the SAAS-MOD workstation desktop select the Receipt process.
Select the Receipt Process. Click on Start | ASP Executables | Receipts.
Step 1. Highlight document number WT4F1913654001 and click on Select. Click OK to display it in the Process Receipts Window.
Step 2. Complete the information required to process the Receipt.
Enter the header data.
UIC From field: WQL701
Sp CODE field: Z3
REC ACCT field: ZT3
Enter the Receipt Lot Info Select data. Highlight (click on) the line and click on Select to move it to the work line.
WHSE ID field: Z3012
Step 3. Click on 3151 to display the Ammunition Stores Slip (3151) Window.
Step 4. Click on Workload to display the Process Workload Window.
Step 5. Highlight (click on) the line in the Document Details & Assignments box and click on Assign to display the Process Select User ID Window.
Step 6. Highlight (click on) SSG SMITH AITUSER1 in the list box and click on Select to display the Process Workload Window.
Step 7. Highlight (click on) the line in the Document Details & Assignments box and click on Send. The system changes the Con IND field to A and puts the transaction in the AIT Out folder.
Step 8. Click on Close to display the Receipts Document Window.
Step 9. Highlight document number WT4F1913654021 and click on Select. Click OK to display it in the Process Receipts Window. Repeat steps 2 through 8 again.
Step 2. Data for header information in step 2.
UIC From field: WQL701
Sp CODE field: Z3
REC ACCT field: ZT3
Enter the Receipt Lot Info Select data. Highlight (click on) the line and click on Select to move it to the work line.
WHSE ID field: Z3011
Step 3. Click on 3151 to display the Ammunition Stores Slip (3151) Window.
Step 4. Click on Workload to display the Process Workload Window.
Step 5. Highlight (click on) the line in the Document Details & Assignments box and click on Assign to display the Process Select User ID Window.
Step 6. Highlight (click on) SSG SMITH AITUSER1 in the list box and click on Select to display the Process Workload Window.
Step 7. Highlight (click on) the line in the Document Details & Assignments box and click on Send. The system changes the Con IND field to A and puts the transaction in the AIT Out folder.
Step 8. Click on Close to display the Receipts Document Window.
Note that both document numbers now have a W in the Status field.
Step 10. Click on Close to exit the Receipts process.
The system automatically transfers the transactions to a 751G based on these conditions: AITUSER1 is logged on, the ASP Store process is selected, and the 751G is in the docking station attached to a SAAS-MOD work station.
Task 1E Follow these Procedures to Login to the 751G and Select the Store Process.
Note: If you are logged in select the Store Process from the ASP Main Menu.
Step 1. Login to SAAS-MOD.
Touch the User Id field to display the data entry screen.
On the Username Data Entry screen, enter AITUSER1 and touch OK to display the Login Screen.
Touch OK on the Login Screen to display the SAAS-MOD Select Location Menu.
Step 2. Touch ASP to display the ASP Menu.
ASP Menu
Step 3. Touch work list at the top of the ASP Main Menu to display the SAAS-MOD File Transfer Screen.
No messages appear as files are moved. When the transfer is complete, the 751G SAAS-MOD work list Screen will be blank.
Task 1F Use these Procedures to Store the Receipts with the 751G. You may scan in the information from a 2D Package/Pallet Label or enter the data manually. For this exercise we will enter the data manually for the first transaction and scan the data in for the second transaction.
Task 1(M) Follow these steps to store the first receipt manually.
Step 1. Highlight (click on) the line in the list box and touch Manual Entry. The system displays the Store Confirm/Enter Data Screen.
Step 2. The only entry required is Quantity. Touch Quantity to display the SAAS-MOD Quantity Calculator Screen.
Step 3. The only entry required is Pallet Qty. Touch Pallet Qty to display the Standard Quantity Entry Screen.
On the Pallet Qty Screen, touch 528 and touch OK. The SAAS-MOD Quantity Calculator Screen is displayed.
Step 4. Verify entries on the SAAS-MOD Quantity Calculator Screen.
# Boxes/Pallets = 1 Pallet Qty = 528. Touch OK to display the SAAS-MOD Store Confirm/Enter Data Screen.
Step 5. Touch Data Confirmed to display the SAAS-MOD Store Screen.
Step 6. Highlight (touch) the line and the Name, NSN and Quantity Scanned are displayed beside the Change Loc button.
Step 7. Touch Close (XFER file) and an Alert Screen is displayed. Touch Yes to display the next transaction or begin file transfer.
Task 1(A) Follow these steps to store the second receipt by scanning 2D Package/Pallet Labels.
Step 1. Highlight (touch) the line in the list box.
Step 2. Scan the 2D bar code label.
Step 3. After the beep highlight (touch) the line in the list box and the Qty Scanned field is now 10.
Step 4. Touch Close (xfer file); an Alert Screen is displayed. Touch Yes to display the next transaction or begin file transfer.
Task 1G Follow these Procedures to Transfer the 751G File to SAAS-MOD work station.
Step 1. Touch Close (xfer file), and touch Yes on the Alert Screen to put the 751G in the File Transfer mode. The ASP Main Menu is displayed.
Step 2. Put the 751G in the docking station attached to the SAAS-MOD workstation. The file then transfers automatically.
Make sure the SAAS-MOD workstation is running and these processes (751G ActiveSync, IAW Upload and WBT AIT xfer.exe) are displayed on the task bar at the bottom of the window. The transfer is automatic. When the transfer ends, the user may check the work list to see if the file was sent.
Task 1H Follow these steps to Process the Store Data for Receipts coming from the 751G. When the Store Processed in message is displayed on the SAAS-MOD workstation desktop, select the Receipt process.
Select the Receipt Process. Click on Start | ASP Executables | Receipts.
Step 1. Highlight document number WT4F1913654001 and click on Select. Click OK to display it in the Ammunition Stores Slip (3151) Window.
The transaction line in the list box shows Con Ind I for all transactions coming from the 751G.
Step 2. Click on Post Doc and Save to complete the process for this document.
Step 3. Click on Close to Exit and display the Receipt Documents Window.
Step 5. Highlight the remaining document number WT4F1913654021 in the Receipt Documents Window and click on Select. Click OK to display it in the Ammunition Stores Slip (3151) Window.
Step 6. Click on Post Doc and Save to complete the process for this document.
Step 7. Click on Close to Exit and display the Receipt Documents Window.
Task 2 There is no task.
SUMMARY FOR USE AIT TO PROCESS AND STORE RECEIPTS.
Processing receipts using the 751G is a multi-part process. Initially you process the information from the DD form 1348-1 on the 751G, then transfer the information to SAAS-MOD for site selection, then transfer the site selection back to the 751G to store the receipt, and finally send the confirmed store back to SAAS-MOD to post and save the transaction.
C28 - USE AIT TO STORE A TURN-IN.
Introduction: Processing turn-ins using the 751G uses the same Store process as a receipt. However, it is a three-stage process. It begins with the Turn-in Process on SAAS-MOD, where you enter the document number for a Turn-in or associate a Turn-in document number with a wrap-around Issue document number. You then enter the data, select the storage site for the items on the Turn-in, and send it to the 751G to be stored. The next stage is the Store process on the AIT 751G. During this phase the items on the turn-in are stored in the location specified and then transferred back to SAAS-MOD. The final stage is done in the Turn-in process on SAAS-MOD, when the turn-in is confirmed and completed. During this lesson we will review turn-in procedures on SAAS-MOD, transfer the turn-in to the AIT 751G, store the items on the turn-in, transfer it back to SAAS-MOD and review procedures for finalizing a turn-in on SAAS-MOD.
Task 1 Process a Turn-in Document with Conventional and Serialized DODIC using the 751G. Task 1 is an instructor led exercise; perform each task when directed by the instructor.
Task 1A Process the Turn-in on SAAS-MOD and Assign/Send it to the 751G.
Select the Turn-In Process. Click on Start | ASP Executables | Turn-ins.
Step 1. Enter the turn-in document number W4ZGA020315001, enter Type SER, and click on OK. Click on YES when the Document Confirmation Window is displayed. The system displays the Process Turn-in Window.
Step 2. Complete the information required to process the Turn-in.
Enter the header data.
Sp CODE field: Z3
REC ACCT field: ZT3
Trans code field: TAR
Enter this data on Issue Lot Info work line for the first item.
16.1 Uninstall Norton Antivirus version 7.51 or earlier on the SERVER or Workstation.

Note: Be sure to log in as the local Administrator of the system.

(1) Click on Start/Settings/Control Panel
(2) Click on Add/Remove Programs
(3) Highlight Norton Antivirus Corporate Edition and click on Remove.
(4) Click on Yes for confirmation to remove Norton Antivirus Corporate Edition.
(5) The removal program will gather information as shown below.
(6) When it finishes, Norton Antivirus Corporate Edition will no longer be displayed on the Add/Remove Programs window. Close the window.
16.2 Install Norton Antivirus version 10.1 on the SERVER or Workstation
(1) Insert your most current SAAS MOD Security CD into your CD-ROM drive. Navigate to the Symantec Antivirus 10.0 folder/sav10_0_2_2000/CD1 and double click on Setup.exe. You will see:
(2) Click on Install Symantec Antivirus and you will see:
(3) Click on Install Symantec Antivirus and you will see:
(4) Click Next on the Welcome window:
(5) Click on the I accept the License Agreement window then click on Next:
(6) Leave on Client Install and click on Next.
(7) Leave default for complete Install and click on Next.
(8) Click on Next to the Unmanaged window.
(9) Uncheck Run Live Update and click on Next.
(10) Click on Install:
(11) You will see progress of the installation
(12) Check the box "Don't remind me again until after next update" on the Old Virus Definition File window:
(13) Click on Finish to exit Symantec Antivirus Installation.
(14) Navigate to the Symantec Antivirus 10.0 folder/Updates and double click on SAVCE_10_0_2_2001_ALLWIN_EN.msp. You will see a Preparing to Install screen followed by Welcome to the Patch for Symantec Antivirus. Click on Update:
(15) You will see a progress screen for updating:
(16) Update will complete. Click on Finish:
(17) Install/Update will require a reboot of your system. Click Yes on the restart screen:
(18) When your computer restarts, log on as the administrator. Delete the following file if it exists: C:\Program Files\Symantec\LiveUpdate\S32luhl1.dll
(19) Rerun steps 14-18 for SAV_10.0.2.2020_ALLWIN_EN.msp in the Updates folder.
(20) Rerun steps 14-18 for SAVCE_10.0.2.2021_ALLWIN_EN.msp in the Updates folder.
(21) Next go to Start/Programs/Symantec Client Security/Symantec Antivirus and click on the LiveUpdate tab. This will update your signature files to the most current. See below.

16.3 Norton Antivirus Updates

Run the step 21 instruction above. The screen will look like the one displayed below. Click on LiveUpdate and follow the on-screen prompts.
SECTION 17.0 RESERVED FOR FUTURE USE
This process is used to extract IP address information to create Configuration Diskettes for workstations to connect to the Database. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Oracle IP Tool.
2. You will see the screen Updating IP Addresses.
3. The process will then stop Oracle Services.
4. You will be prompted to insert a blank diskette and Press OK.
5. Next you will see the message Configuration files read for workstations. Remove floppy and click OK.
6. Oracle Services will be started.
7. IP address Update for SAAS Oracle completed. Remove disk and click on OK.
18.2 Archive Transactions
This process is used to extract transaction history information from the database to free space of older transactions. It is recommended to run this process periodically. Check with your local system administrator. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Archive Transactions.
2. Select Continue on screen "About to Archive Transactions".
3. Enter the Julian date in YYYYDDD format; transactions prior to this date will be archived (ex. 2001001). Click on OK.
4. System will show you the number of records about to be archived. Press Enter to continue.
5. You will see the number of Rows exported.
6. Click on OK to message to view export log.
7. View export log mentioned above, making sure there were no errors.
18.3 Create Oracle User
This process allows you to create Oracle users. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Create Oracle User.
2. Select Continue on screen "Creating New User".
3. Enter new User name and click on OK.
4. Enter Domain Name of the new user or leave blank. If you are logging into a Domain, enter it now, e.g. NAE.
5. Click on OK to the message that the new user was created.

NOTE: A new Windows Server 2003 user group (ORA_SAAS_DBA) has been created. This group has special Oracle privileges that are needed to run some of the SAAS-MOD functions on the server. Each SAAS-MOD user who installs SCPs or ICPs, performs backups, or executes certain SAAS executables on the server must be added to this group. An administrator must perform this function on the SAAS-MOD server. Follow these steps to add users to the new group:
NOTE: The CREATE ORACLE USER utility will function differently. If the user is a domain user, the domain must be entered when the Oracle user is created. If the user is a local machine user, then two Oracle users must be created. One must be created with the machine name where the local user exists. This is for SAAS application processes. A second Oracle user must be created with just the username. This is for Oracle Browser and SAAS Reports.

1. Logon to the SAAS-MOD server as an administrator.
2. Left click on Start | Programs | Administrative Tools | Computer Management. Note: Double click on Groups under Local Users and Groups.
3. Double left click on ORA_SAAS_DBA under Groups on the bottom half of the User Manager window.
4. Left click on the Add button in the Select Users or Groups window. This will put you in the Add Users and Groups Window.
5. Left click on a user in the Names: box to highlight (select) it.
6. Left click Add button to put the user in the Add Names: box. Repeat steps 5 & 6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Select Users or Groups window. All the users you selected will now appear in the Members: box.
8. Left click the OK button to exit the Select Users or Groups window.
9. In the Computer Management window, click on the computer (in the upper left hand corner) and select Exit from the drop down menu.
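Because ORA_SAAS_DBA carries special Oracle privileges, its membership is worth reviewing after users are added. The following is an added example, not part of the SAAS-MOD software: it parses the output of the Windows command `net localgroup ORA_SAAS_DBA` and compares it with a roster of approved users. The sample output, account names and roster are constructed for illustration.

```python
"""Review ORA_SAAS_DBA membership from `net localgroup ORA_SAAS_DBA` output."""

# Constructed sample of `net localgroup ORA_SAAS_DBA` output; the account
# names and the NAE domain prefix are illustrative only.
SAMPLE_OUTPUT = """\
Alias name     ORA_SAAS_DBA
Comment

Members

-------------------------------------------------------------------------------
Administrator
NAE\\asmith
NAE\\bjones
tempuser
The command completed successfully.
"""

# Hypothetical roster of users approved to install SCPs/ICPs, perform
# backups or run SAAS executables on the server.
APPROVED = {"Administrator", "NAE\\asmith"}


def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        text = line.strip()
        if not in_list:
            # Everything before the dashed rule is header material.
            in_list = text.startswith("-----")
            continue
        if not text or text.startswith("The command completed"):
            continue
        members.append(text)
    return members


def audit(members, approved):
    """Compare case-insensitively, since Windows account names ignore case."""
    have = {m.lower(): m for m in members}
    want = {a.lower(): a for a in approved}
    return {
        # In the group but not on the roster: candidates for removal.
        "unexpected": sorted(have[k] for k in have.keys() - want.keys()),
        # On the roster but not in the group: SAAS functions will fail for them.
        "missing": sorted(want[k] for k in want.keys() - have.keys()),
    }


if __name__ == "__main__":
    result = audit(parse_members(SAMPLE_OUTPUT), APPROVED)
    for kind, names in result.items():
        print(kind, names)
```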
18.4 Drop Oracle User
This process is used to remove Oracle users, such as personnel that are no longer with your unit for whatever reason. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Drop Oracle User.
2. Select Continue on screen "Dropping a User".
3. Enter the User name to be dropped and click on OK.
4. Enter Domain Name of the new user or leave blank. If you are logging into a Domain, enter it now, e.g. NAE.
5. Click on OK to the message that the user was dropped.
18.5 Export
This process is used to make a "snapshot" of the database to the file system. It is recommended to run this process daily. Whenever the asset posture has changed from issues, turn-ins, receipts or condition code changes, you should run this process at the end of the business day. Check with your local system administrator. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Export.
2. Select Continue on screen "About to Export current Database".
3. Enter a file name relevant for identification such as Unit/Date and click on OK.
4. You will see the number of Rows exported for each table.
5. Click on OK to message to view export log.
6. View export log mentioned above, making sure there were no errors.
18.6 Import
This process is used to restore the database from the file system. It is recommended to run this process for recovery purposes only. It can also be used to "defragment" and re-index table structures. Check with your local system administrator. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Import.
2. Select Continue on screen "About to Import a new Database".
3. Select Continue on screen "Current data will be dropped".
4. Select the file from the menu you wish to Import. This shows the default location of where dump files are placed; however, you can browse to other locations. Highlight the file and click on Open.
5. Click on OK to accept selected file.
6. You will see the number of Rows imported for each table.
7. Click on OK to message to view import log.
8. View import log mentioned above, making sure there were no errors.
18.7 Lock Database
This process is used by the system administrator to lock the database for exclusive use. It locks out normal users only. You can use it for a process that requires exclusive use of the database, such as Reconciliation. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Lock Database.
2. Click on OK to message "Users can not logon now. Click on UNLOCK DB to enable users".
18.8 Logged-On DB Users
This process is used by the system administrator to see what users are logged onto the database. This will always show the SYSTEM user, which logged in for this view. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Logged-On DB Users.
2. Click on continue to message "List of Active Users in the Database".
3. Press the Enter key to message displayed at the bottom of list of users, "Hit Enter to continue".
4. Click on OK to message "Exiting".

18.9 System Backup Scheduler

This process is used to back up your SAAS data such as dumps and communications data. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/System Backup Scheduler.
2. Select the days you wish to perform backups.
3. Select the time you wish the backups to run.
4. Click on Save and Exit when finished.
18.10 Restore Transactions
This process is used to restore the transaction history data to the database from the file system. It is recommended to run this process for recovery or review purposes only. Check with your local system administrator. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Restore Transactions.
2. Select Continue on screen "About to restore archived transactions".
3. Select the file from the menu you wish to restore. This shows the default location of where dump files are placed; however, you can browse to other locations. Highlight the file and click on Open.
5. Click on OK to accept selected file.
6. You will see the number of Rows imported for the transaction history table.
7. Click on OK to message to view archtrans.log.
8. View archtrans.log mentioned above, making sure there were no errors.
18.11 Unlock Database
This process is used by the system administrator to unlock the database from exclusive use. It unlocks normal users previously locked out. This is accomplished by the following steps:

1. Go to Start/Programs/SAAS Utilities/Unlock Database.
2. Click on continue to message "Unlocking the Database".
3. Click on OK to message "Users can logon now".
18.12 Change Oracle Password
This process is used to change user passwords to access the database whether it is a simple user or the database administrator account. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Change Oracle Password.
2. Click on continue to message "Change User Password".
3. Enter User Name for the account you want to change the password for, e.g. "system".
4. Enter current password for the user entered above.
5. Enter new password and click on OK.
6. Reenter password to confirm and click on OK.
7. Click on OK to the message "User system's password changed".
18.13 Oracle RA Tool (Restricted access)
1. Select the Oracle RA Tool.exe file from the c:\saas\utilities folder and double-click.
2. You will then be presented with the following screen:
3. You may type over the 1 in the edit box for the total number of IP addresses from workstations, or other systems that have a legitimate need to connect to your Oracle database.

Note: Once you apply this tool, only those IP addresses that you have selected can connect to your database to do any work. You must include the server's IP address also, or you will not be able to connect locally.
4. In the following example, I have selected 4 different IP addresses.
You then click the enter button.
5. This next screen appears, allowing you to type in the IP addresses.

Enter the IP address of your 1st selection.

*Example IP address below:
Then click on the enter button. Repeat the process as needed, in order to complete the total number of IP addresses that you entered on the first screen.
6. Once you have completed the task, the following message appears:
The restricted access filter has been applied.
7. The next window that pops up is a notepad window displaying a log file that is located in the c:\saas\logs folder. This file displays the IP addresses that you have selected for access. You may print, or save to another location. Close the notepad window when finished.
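Since the filter locks out every address that is not entered, including the server's own, the list is worth checking before it is typed into the tool. The following is an added example, not part of the Oracle RA Tool: it checks a proposed list against the count entered on the first screen, rejects malformed or duplicate entries, and confirms the server's address is present. The addresses are constructed documentation-range values.

```python
"""Pre-check an IP address list before entering it in the Oracle RA Tool."""
import ipaddress


def check_allowlist(declared_total, entries, server_ip):
    """Return a list of problems; an empty list means the set is consistent.

    declared_total -- the number typed into the first screen of the tool
    entries        -- the addresses to be typed on the following screens
    server_ip      -- the SAAS-MOD server's own address
    """
    problems = []
    if len(entries) != declared_total:
        problems.append(
            f"count mismatch: declared {declared_total}, got {len(entries)}")

    seen = set()
    for raw in entries:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            problems.append(f"invalid IPv4 address: {raw}")
            continue
        # 0.0.0.0, multicast and reserved ranges never identify a workstation.
        if addr.is_unspecified or addr.is_multicast or addr.is_reserved:
            problems.append(f"not a host address: {addr}")
        if addr in seen:
            problems.append(f"duplicate entry: {addr}")
        seen.add(addr)

    # The page's own warning: without the server's address in the list,
    # local connections to the database are refused.
    if ipaddress.IPv4Address(server_ip) not in seen:
        problems.append(
            f"server address {server_ip} missing: "
            "local connections would be refused")
    return problems


if __name__ == "__main__":
    # Constructed example: four addresses, the first being the server.
    proposed = ["192.0.2.10", "192.0.2.21", "192.0.2.22", "192.0.2.23"]
    issues = check_allowlist(4, proposed, "192.0.2.10")
    print("OK" if not issues else "\n".join(issues))
```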
Note: This log file is appended each time that you use the tool, in order to keep track of each time that you add an IP address.

SECTION 19.0 RFID (RADIO FREQUENCY IDENTIFICATION)

19.0 Installation Procedures for RFID on ASP Workstations

The following instructions apply to installing the ASP RFID module on workstations.
a. Insert the CD SAAS Application L6F-10-00 in the CD drive.
b. Double click on My Computer and select the local drive for CDs. You can also access the CD drive using Explorer.
c. Double click on SCP 10 RFID (VS 4.4) Install.
d. Double click on RFID Install to begin installation.
e. Click on Continue to "Install RFID Module VS 4.4".
f. When prompted RFID Configuration is complete, click on OK to reboot. The RFID installation is complete. Do not remove CD.
19.1 Tag Docking Station Hardware, Configuration Setup and Registration Procedures

19.1.1 Tag Docking Station Hardware
a. Docking Station
b. 12V AC-DC power adapter
c. RS-232 serial port cable
d. RFID tag

19.1.2. Tag Docking Station Hardware Setup Procedures
a. Connect the Docking Station to workstation using the RS-232 serial port cable.
NOTE: For workstations with multiple RS-232 serial ports, select a port, and record which port was used for the configuration steps described below.
b. Connect the 12V AC-DC power adaptor to a power source and to the Docking Station.

19.1.3. Tag Docking Station Configuration Procedures
NOTE: Mandatory entry fields are marked with an asterisk. Changes cannot be saved unless data is entered in these fields.
a. Double click on My Computer and select the local drive for CDs. You can also access the CD drive using Explorer.
b. Double click on SCP 10 RFID (VS 4.4) Install.
c. Double click on TIPSWriteInstall_3_5_1_75.exe. The InstallAnywhere window is displayed.
   If the Uninstall Previous TIPS Write Release Window is displayed, click OK.
   The Uninstall TIPS Write Window is displayed, click Uninstall.
   Uninstall Complete, click Done.
   The Introduction Window is displayed, click Next.
   The Cryptography Component Export Regulators window is displayed, click Next.
   Choose Install Folder window: if c:\TIPSWrite3 is not displayed, enter it and click Install.
   Install Complete, click Done.
   Close the My Computer window.
d. Click on the TIPS Write 3 icon on the desktop to display the Tag Docking Station Verification dialog box. This dialog box appears only if the Docking Station has not been configured to a workstation.
e. Click on OK to display the Setup: Tag Docking Station window.
19.1.4. Tag Docking Station Setup Location Procedures
a. The Setup: Tag Docking Station window has one tab: Location.
b. Enter the Tag Docking Station Serial Number preceded by the letter "T" in upper case. This is a registration requirement of the docking station on the regional ITV server.
NOTE: Repeat this step each time a different docking station is connected to the workstation.
c. Enter the Device Name to identify the docking station. Use a different Device Name for each docking station in use on multiple workstations.
d. Enter the Device Description to identify the location of the docking station.
e. Enter the Latitude and Longitude (use zeros (0) except for the last position).

19.1.5. Tag Docking Station Setup Communication Settings Procedures
a. Click on Communication Settings to validate the default settings. Default values are Protocol: Auto-Detect and Com Port: 1. You can change the Com Port setting by clicking on the down arrow, if the RS-232 serial port cable is connected to another serial port. Click on Save if changes were made or click on Cancel to return to the previous window. If Save was clicked, a dialog box "The settings have been saved" is displayed; click OK.
b. Click on Save Settings to save the configuration changes.
c. Click on OK to continue setup and registration, click Close.
19.1.6. Tag Docking Station Setup Registration Procedures
a. The Setup: Station Information/Register window displays system defaults and the Docking Station's Serial Number (ID).
b. Click on the down arrow for Regional Service and select the Regional Server for your geographic area (CONUS, Germany, or Korea).
NOTE: Regional Server configurations are set during installation and do not require changes.
c. Click on the down arrow for Communication and select the mode (normally Network) to be used to transmit data files (Network, Modem, or Standalone).
d. Click on The Station Information Tab. The Setup Station Information/Registration window is displayed; enter the following:
   Site/Post
   Location
   Name
   Telephone
e. Click on Register to transmit the registration file (.TIP) created in the setup and configuration process.
f. The save changes window is displayed, click Yes.
g. The registration window is displayed, click OK, and click Close.
19.2 RFID Interrogator Hardware, Configuration, Setup, and Registration Procedures

19.2.1 Tag Docking Station Hardware
a. RFID Fixed and/or Gate Readers.
b. ITV Retriever.

19.2.2. Interrogator Hardware Setup Procedures
NOTE: The setup procedures for interrogators are not applicable for SAAS-MOD systems.

19.3 RFID Network and Modem Setup Procedures

Changes to the workstation's network TCP/IP Protocol properties must be made through the operating system.
a. To view the Network configuration, click on Setup in the tool bar and click on Network to display the Setup: Network window.
b. To view the Modem configuration, click on Setup in the tool bar and click on Modem to display the Setup: Network window.

19.3.1 Dial-up Networking / Modem Setup

TIPS-Read uses the Microsoft Windows operating system's Dial-up Networking (DUN) subsystem to make modem connections to the Internet. The modem must be configured with the operating system and a DUN Phonebook Entry named 'ITV Connection' must be created before TIPS-Read can transfer files (upload) via modem.

19.3.2 Configuring the modem with Windows Server 2003

The modem must be configured with the operating system before a Dial-up Networking (DUN) entry can be added. Chances are that the modem is already configured by Windows 2000 using the Plug & Play technology. If not, select Start | Settings | Control Panel | Phone and Modem Options to open the Phone and Modem Options window. Select the Modems tab and press the Add button to open the Install New Modem window. Use this to configure a new modem. Adding Modems is at Section 5.1.

Make sure not to set the modem to the same Com Port/IRQ that the Tag Docking Station or SaviReader will use. After it has been configured properly, you can see the Com Port that the Tag Docking Station has been assigned by selecting Setup | Tag Docking Station | Communications from the menu. Alternatively, for SaviReader, select Setup | Interrogator | Communication. The Hardware Communications Settings window will open showing a COM Port field.

Set the modem so that the modem speaker is on initially, so that you can confirm it is dialing properly. After TIPS-Read has been properly configured, set the modem speaker to off. Also, in the Phone and Modem Options window, select the Dialing Rules tab to set options for area code, outside line, long-distance calls, and to disable call waiting.
19.3.3 Creating a Dial-up Networking (DUN) Phonebook Entry

Once the modem has been configured with the operating system (above), create a DUN phonebook entry that TIPS-Read will refer to and use. Note (below) that the user name and password must be saved with the entry and that the entry must be named 'ITV Connection'. This entry name is case sensitive and it must be entered exactly as shown.

For Windows Server 2003 select Start | Settings | Network & Dialup Connections. Press the Make a New Connection option to open the Network Connection Wizard, then:
1. Click Next.
2. Select 'Dial-up to the Internet.' Press Next.
3. Select 'I want to setup my Internet connection manually, or I want to connect through a local area network (LAN).' Press Next.
4. Select 'I connect through a phone line and a modem.' Press Next.
5. Enter your ISP's (TSACS) local access phone number. Press Next.
6. Enter your user name and password. (The password must be saved with the phonebook entry.) Press Next.
7. For Connection name enter 'ITV Connection'. This entry name is case sensitive; it must be entered exactly as shown.
8. 'Do you want to set up an Internet mail account now?' Select No. Press Next.
9. 'To connect to the Internet immediately, select this box and click finish.' Leave the box checked and press Finish. (You want to test this connection once before proceeding to the other configuration sections).
10. At the 'Dial-up Connection' dialog box, make sure that 'Save password' is checked. Press Connect.

When the dialog box message window indicates that the connection has been established, test by opening the operating system Command Prompt (a.k.a. DOS Prompt) (Start | Programs | Accessories | Command Prompt) and enter the 'ipconfig' command. A successful connection will display an entry with 'PPP adapter ITV Connection' with non-zero IP address values for IP Address, Subnet Mask and Default Gateway. Disconnect the connection and close the Command Prompt window.

19.3.4 Viewing all Dial-up Networking phonebook entries from TIPS-Write

To see a list of all the Dial-up Networking phonebook entries without having to go to the operating system, select Setup | Modem from the menu to open a window as shown below. This window lists all the phonebook entries. You can verify that 'ITV Connection' is among them. You cannot edit phonebook entries from this window. You must do this from the operating system as described above.
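The ipconfig test described in 19.3.3 can be applied to saved command output. The following is an added example, not part of TIPS-Read or TIPS-Write: it looks for the exact, case-sensitive 'PPP adapter ITV Connection' entry and confirms that IP Address, Subnet Mask and Default Gateway are non-zero. The sample output is constructed in the Windows XP / Server 2003 ipconfig layout with documentation-range addresses.

```python
"""Check saved `ipconfig` output for a working 'ITV Connection' PPP entry."""

# Constructed sample output; addresses are documentation-range values.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1

PPP adapter ITV Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 198.51.100.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 198.51.100.23
"""

# The three values the procedure says must be non-zero.
REQUIRED = ("IP Address", "Subnet Mask", "Default Gateway")


def parse_adapters(text):
    """Map each adapter heading to a dict of its 'label: value' fields."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headings start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and ":" in line:
            label, _, value = line.partition(":")
            # Drop the dot leaders ipconfig pads labels with.
            current[label.replace(".", "").strip()] = value.strip()
    return adapters


def check_itv_connection(text, name="ITV Connection"):
    """Return a list of problems; empty means the connection test passed."""
    # Exact match on purpose: the phonebook entry name is case sensitive.
    section = parse_adapters(text).get(f"PPP adapter {name}")
    if section is None:
        return [f"no 'PPP adapter {name}' entry found"]
    problems = []
    for field in REQUIRED:
        value = section.get(field, "")
        if not value or value == "0.0.0.0":
            problems.append(f"{field} is missing or zero")
    return problems


if __name__ == "__main__":
    issues = check_itv_connection(SAMPLE_IPCONFIG)
    print("connection OK" if not issues else "\n".join(issues))
```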
19.3.5 Network Setup

The Setup: Network screen displays the network connection information (such as the IP address) for the TIPS-Write station and the regional server that is being accessed. The information presented is for reference only and cannot be edited from this screen. The Setup: Network screen can be accessed in the following ways:
1. Select Setup | Network from the menu.
2. Use the shortcut key (Alt - N).

Data Fields:
This Station:
   Computer Name -- The name of the computer on which TIPS-Write is installed.
   IP Address -- The IP Address of the computer on which TIPS-Write is installed.
Regional Server:
   Regional Server -- The name of the regional server to which the TIPS-Write station reports.
   IP Address -- The IP Address of the regional server.
   E-mail Address -- The contact e-mail for the regional server.
To exit the Setup: Network screen, press the Close button.

SECTION 20.0 SAAS SECURITY

20.1 Overview

The SAAS Security CD implements the guidance of the DISA Security Gold Disk (Platinum Level) setting, as well as AR 25-2 guidance. It also includes the latest changes from the DA CIO/G6 (Department of the Army Chief Information Officer, G6) regarding alternate CCL implementation. The settings on the SAAS Security CD are a part of the SAAS DoD Information Technology Security Certification and Accreditation Process (DITSCAP) and should be implemented for the Approval To Operate/Interim Approval To Operate (ATO/IATO) to be valid. Instructions for installing SAAS Security are included on the security CD.
20.2 Security Features Users Guide (SFUG)
STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-Mod) Security Features Users Guide (SFUG)
BY
SECURITY ENGINEERING
FOR
Assistant Project Manager Automated Logistics and Integrated Systems
JULY 2006
Table of Contents

1 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Document Organization
1.4 General Security Requirements
1.4.1 Non-technical Safeguards
1.4.2 Technical Safeguards
1.4.2.1 Discretionary Access Control (DAC)
1.4.2.2 Object Reuse
1.4.2.3 Audit
1.4.2.4 Identification and Authentication (I&A)
1.4.2.5 Anti-virus Software
1.5 Additional Information
2 SYSTEM SECURITY OVERVIEW
2.1 Overview of Windows XP Professional and Windows Server 2003
2.1.1 Windows XP Professional and Windows Server 2003 Enhancements
2.1.2 Security Features
2.2 Basic Security Tenets
2.3 The Information Security Manager
2.4 User Roles
2.5 User Security Responsibilities
2.5.1 Controlling Misuse
2.5.2 Security Awareness Training
2.5.3 Monitoring
2.5.3.1 Security Incident Reporting
2.5.3.2 Configuration Maintenance and Monitoring
2.5.4 Protecting I&A
2.5.5 Non-Working Hours
3 USER SECURITY GUIDANCE
3.1 Establishing and Ending a Session
3.1.1 Logging onto the Network
3.1.2 Locking the Workstation
3.1.3 Logging off the System
3.2 User Identification and Authentication
3.2.1 Password Considerations
3.2.2 Password Lifetime
3.3 User Profiles
3.4 Windows XP Professional and Windows Server 2003 Domains and Workgroups
3.4.1 Workgroups
3.5 File System Guidance
3.5.1 Discretionary Access Control
3.5.2 File Sharing
3.5.2.1 DAC for objects (files and directories)
3.5.2.2 Setting Directory or File Permissions
3.5.2.3 Changing Permissions
3.5.2.4 Adding Users and Groups
3.5.2.5 Removing Users and Groups
3.5.3 File Transfers and Secure File Transfer Protocol (FTP) (ssh2 compliant)
3.5.4 Auditing
3.5.5 Auditing Events
3.5.6 Using the Modem
3.6 Protecting Removable Objects
3.7 Security Checklist
Appendix A Acronyms and Abbreviations
Appendix B References

Table 1. DAC Permission Definitions
Table 2. Security Checklist
INTRODUCTION

Purpose

The purpose of this Security Features Users Guide (SFUG) is to provide non-administrative users with instructions on the proper use of the security features of the Standard Army Ammunition System-Modernization (SAAS-Mod) functions. This guide also provides a description of the security safeguards required to ensure protection of the SAAS computer system; defines the SAAS philosophy of protection; provides a list of common threats and vulnerabilities related to SAAS; and outlines typical system security related roles and responsibilities. This SFUG identifies and explains the user-level security mechanisms in the SAAS computing environment and provides the guidance for consistent and effective protection of SAAS information using the built-in security features of the Windows XP Professional and Windows Server 2003 network operating systems.

Scope

This document describes the security features available to the user within a controlled SAAS facility and is intended to provide desktop users with the fundamental information required to access information and operate securely in the SAAS environment. This document also includes information and recommendations on how to recognize and minimize security risks.

Document Organization

This document is divided into three chapters. Chapter 1, Introduction, describes the purpose, scope and audience for this document. Chapter 2, System Security Overview, provides an overview of SAAS system security principles, terminology, and user responsibilities. Chapter 3, User Security Guidance, describes the steps and procedures required for SAAS users to securely access and protect the SAAS system.

General Security Requirements

Protection of the SAAS computer system and the data processed by that system requires a combination of both technical and non-technical security safeguards.
Non-technical safeguards may be based upon the facility's geographical location; military service and local installation policy requirements; physical facility layout; and other mission related factors; however, the SAAS system's technical security safeguards will remain constant at each location regardless of where the system is installed because they are implemented in the software of the SAAS workstation.
Technical security safeguards will be implemented by the SAAS Windows operating systems software, database software, and application software, or by a combination of all three. Responsibility for the proper configuration and administration of the technical security safeguards normally rests with an individual responsible for system security. Many of these technical security safeguards are transparent to the system users. The following paragraphs provide a brief general description of non-technical and technical security safeguards that apply to SAAS.

Non-technical Safeguards

Non-technical security safeguards consist of procedural and administrative protective measures implemented within an operational environment to ensure that a computer system and its data are protected from unauthorized physical access, destruction, and modification. The policy and procedural requirements associated with non-technical safeguards are military service and site oriented. Non-technical safeguards consist of administrative, personnel, physical and procedural security measures. These safeguards are documented in organizational security policy instructions or manuals and complement the technical safeguards implemented on the SAAS system. These safeguards are critical to ensuring the protection of a computer system and its data. Examples of non-technical safeguards include:

- The requirement for a policy that identifies security responsibilities for SAAS
- Limitation of access (isolation) to the SAAS computer system
- Maintenance of backup data offsite
- User awareness of security policies and their environment
- Identification of unauthorized users' attempts to access the system
- Contingency Plans (including Continuity of Operations Plans)
Technical Safeguards

Technical security safeguards consist of the automated security features implemented by the SAAS computer system to protect it and its data from unauthorized access, destruction, or modification. Unlike non-technical safeguards, the automated security features (i.e., technical safeguards) will remain consistent regardless of where the system is physically located. Technical safeguard requirements are established by Department of Defense (DoD) and US Army requirements and are based upon the classification of data processed by the system, clearance level of system users, and security mode of operation (e.g., dedicated, system high, multilevel, and partitioned). The following paragraphs provide a brief description of the critical technical safeguards associated with a sensitive, but unclassified (SBU) level of trust system such as SAAS.

Discretionary Access Control (DAC)

In multi-user systems, such as SAAS, the SA ensures that authorized users of the system are able to access only data and programs for which they have been granted appropriate access permissions and privileges. In SAAS, DAC is implemented via the assignment to an individual of a unique User ID and password, group assignment for each user, and use of permissions at the directory and/or file level to limit access to specific individuals.

Object Reuse

The SAAS system is an application system in which individual users are allocated their own storage space for personal and/or private data or programs associated with their work. The SAAS object reuse safeguards ensure that all objects (e.g., data, programs) are permanently deleted from a user's assigned storage space prior to reassigning that storage space to a new user. This prevents new users from gaining access to a previous user's personal and private data. In the SAAS system the reuse of storage space safeguard operation is transparent to individual users.
Audit

SAAS audit safeguards provide for user accountability by recording the events initiated by each individual user during their computer session. Events typically recorded by the audit function include:

- Use of identification and authentication information (e.g., entry of User Identification (UID) and password)
- Program initiation
- File creation, deletion, open, or close
- The type of event that created the log entry
- Other user related actions

Audit records identify (1) each individual user initiating an event, (2) the date and time an event occurred, (3) the success or failure of each event, and (4) the location (e.g., terminal or desktop computer station) from which each event was initiated. The SAAS audit function can be configured to record actions of all system users or those actions performed by any particular individual user. Different auditing functions are configured in both the Windows operating system and in the Oracle database. The system audit function's operations are transparent to the individual system users.

Identification and Authentication (I&A)

The SAAS I&A safeguard requires that users positively identify themselves to the computer system before being allowed to work on the system. This is accomplished by assigning a unique user identification (UID) and password to each individual prior to their being granted access to the system. The UID and its associated password also serve as the mechanism for associating a specific user with the audit events recorded during their session on the computer. The UID and password must be presented to the SAAS system each and every time an individual user logs on the system. Entry of the user password will also be required to re-enter the SAAS system after an absence in which the screen saver has been activated. Incorrectly entering the UID and its associated password three times will result in the user being locked out of the system until his UID has been reset by the IASO.
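The audit record fields and the three-attempt lockout described above can be replayed over a log to find what a reviewer would need to report. This is an added example, not part of the SFUG or the SAAS software; the pipe-delimited record layout, the workstation and user names, the RESET event, and the rule that a successful logon clears the failure count are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 3          # "three times" per the guide
EVENTS = {"LOGON", "RESET"}    # RESET is a hypothetical record of an IASO reset
OUTCOMES = {"SUCCESS", "FAILURE"}

# Constructed sample records: time|workstation|user|event|outcome
SAMPLE_AUDIT = """\
2007-10-11 07:58:02|WS-01|jdoe|LOGON|SUCCESS
2007-10-11 08:01:15|WS-02|asmith|LOGON|FAILURE
2007-10-11 08:01:31|WS-02|asmith|LOGON|FAILURE
2007-10-11 08:02:40|WS-02|asmith|LOGON|SUCCESS
2007-10-11 09:14:07|WS-03|bjones|LOGON|FAILURE
2007-10-11 09:14:20|WS-03|bjones|LOGON|FAILURE
2007-10-11 09:14:33|WS-04|bjones|LOGON|FAILURE
2007-10-11 09:20:00|WS-04|bjones|LOGON|SUCCESS
2007-10-11 10:05:00|SERVER-01|bjones|RESET|SUCCESS
2007-10-11 10:06:12|WS-03|bjones|LOGON|SUCCESS
"""


def parse_record(line):
    """Split one record into the four audit fields plus the event type."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError("expected 5 fields: %r" % line)
    stamp, workstation, user, event, outcome = parts
    if event not in EVENTS or outcome not in OUTCOMES:
        raise ValueError("unknown event or outcome: %r" % line)
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
        "workstation": workstation,
        "user": user,
        "event": event,
        "outcome": outcome,
    }


def review(records):
    """Return findings as (kind, user, time, workstations) tuples."""
    failures = defaultdict(list)   # user -> workstations of consecutive failures
    locked = set()
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user = rec["user"]
        if rec["event"] == "RESET":
            if rec["outcome"] == "SUCCESS":
                locked.discard(user)
                failures[user].clear()
            continue
        if user in locked:
            # A locked account should not be able to start a session;
            # a success here points at a misconfigured safeguard.
            if rec["outcome"] == "SUCCESS":
                findings.append(("ACCESS_WHILE_LOCKED", user, rec["time"],
                                 (rec["workstation"],)))
            continue
        if rec["outcome"] == "FAILURE":
            failures[user].append(rec["workstation"])
            if len(failures[user]) >= LOCKOUT_THRESHOLD:
                locked.add(user)
                findings.append(("LOCKED", user, rec["time"],
                                 tuple(sorted(set(failures[user])))))
        else:
            failures[user].clear()
    return findings


def review_text(text):
    """Parse and review a block of audit lines, skipping blank lines."""
    return review(parse_record(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for finding in review_text(SAMPLE_AUDIT):
        print(finding)
```
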
Anti-virus Software

The SAAS anti-virus software requires that users have the capability to check incoming and outgoing files and electronic media for computer viruses. This is accomplished by providing each workstation (desktop and laptop) with a licensed copy of Symantec Anti-Virus. The anti-virus software is set to automatically check email and all incoming files as they arrive. However, it is the responsibility of the user to initiate a check for viruses on files or media they intend to transfer to another computer, either through email or via other electronic media.

Additional Information

Any user who wishes to obtain additional information about the topics discussed in this document may go to the following documents:

1) Standard Army Ammunition System (SAAS) Security Authorization Agreement (SSAA).
2) Standard Army Ammunition System (SAAS) Trusted Facility Manual (TFM).
3) AR 25-2 Information Assurance.

SYSTEM SECURITY OVERVIEW

This section provides a brief background on the SAAS primary software components (Windows XP/2003/Oracle) that are used to implement required security safeguards. It presents the many security features Windows has that users will employ to secure their information while it is stored and processed on a workstation. This chapter explains their use.

Overview of Windows XP Professional and Windows Server 2003

The Windows XP Professional Operating System is the workstation model of the Windows XP platform and incorporates the best of Windows 2000 and Windows NT 4.0. The Windows Server 2003 Operating System is the server model of the Windows platform. They are both being marketed by Microsoft as the easiest-to-use Windows yet and are designed for inexperienced users.

Windows XP Professional and Windows Server 2003 Enhancements

Windows XP Professional and Windows Server 2003 include a number of enhancements to make end users less dependent on administrators.
Improvements include an easy-to-use setup program, improved Help and Wizards, and an Active Desktop designed to conform to the way the user accesses desktop features. User Interface enhancements and features that improve the user interface include the following:

- Logon and shutdown dialog boxes - Logon and shutdown dialog boxes are easier to use, with fewer, better-organized choices.
- Task Scheduler - The enhanced Task Scheduler allows users to schedule scripts and programs to run at specific times.
- Support for Mobile Users - Microsoft Windows XP Professional and Windows Server 2003 support the latest laptop technologies based on the Advanced Configuration and Power Interface (ACPI), which allows a user to change or remove devices without turning off the computer. ACPI also uses power management to lengthen battery life with suspend or resume capabilities. Additional features in Microsoft Windows XP Professional and Windows Server 2003 that provide support for mobile users include the following:
  o Telephony Interface
  o Fax Service
  o Phone Dialer
  o NetMeeting
  o Encrypting File System
  o Built-in Internet Services
  o Outlook for E-Mail and News Reading
  o Connectability to a Windows NT Domain
  o Modem and New Hardware Support
  o Internet Explorer
- The Network Connection Wizard, which consolidates all of the processes for creating network connections. Users can now set up networking features from a single wizard.

Microsoft Windows XP Professional and Windows Server 2003 include many features that help reduce the overall cost of managing the computing environment, from installation of the operating system and applications to day-to-day desktop management and support.

Security Features

Microsoft Windows XP Professional and Windows Server 2003 are the most secure Windows desktop operating systems currently available, either when operating on a stand-alone computer or in any type of public or private network.
Security features and enhancements in Microsoft Windows XP Professional and Windows 2003 Server include the following:

- Integration with Windows 2000 Active Directory - Active Directory provides scalable, flexible account management for large domains with fine-grained access control and delegation of administration. Active Directory is not, however, used in the present SAAS system architecture.
- Kerberos 5 - Kerberos 5 is an authentication protocol (an internet security standard) that is implemented as the default protocol for network authentication and provides a foundation for authentication interoperability.
- Public Key Certificates - Authentication by using public key certificates, secure channels based on Secure Sockets Layer (SSL) 3 and CryptoAPI, delivers industry-standard protocols for data integrity and privacy across public networks.
- User Accessible File Encryption - A feature allowing each user to encrypt his files.
- Internet Protocol Security (IPSec) - A security protocol, transparent to the user, providing a method of securing all network traffic against both insiders and outsiders.
- Virtual Private Networking (VPN) - VPN allows the user to tunnel through foreign networks to prevent anyone on the foreign network from viewing his data.

Basic Security Tenets

The SAAS security implementation is based on a preventative approach and is executed by the site security staff with the cooperation of all system users. This section outlines the basic security tenets for SAAS:

- All users are responsible for becoming familiar with the security procedures required to carry out their daily tasks and duties.
- All users are responsible for reporting suspected misuse of the system.

The Information Security Manager

SAAS and US Army Security Policy require each SAAS site to have an Information Security Manager (ISM). The ISM is the person responsible for enforcing SAAS site security policies and procedures.
The Information Security Manager (ISM)/Information Assurance Security Officer (IASO), or designee, is the person with whom the end-user should interact for most SAAS security related issues. He is the person the end-user should contact if there are any SAAS related security questions or concerns. Normally, the ISM, or designee, is the person to whom the end-user reports SAAS security incidents. The ISM responsibilities may vary slightly at each location, but the responsibilities listed below are typical. The ISM is the focal point for all assigned system, directorate, or department SAAS security matters and is responsible for the following:

- Implementing the SAAS Automated Information System (AIS) security program as it applies to a site-specific AIS, including preparing and submitting accreditation support documentation.
- Maintaining an inventory of all SAAS hardware, implemented system software releases, and major functional application systems.
- Monitoring system activity, including identifying the levels and types of data handled by SAAS, verifying password assignments, and reviewing audit trails, outputs, etc., to ensure compliance with SAAS security policies and procedures.
- Conducting and documenting the site SAAS risk assessment.
- Coordinating all system security matters with SAAS security management structure and system users.
- Completing an AIS security survey for SAAS and participating in the preparation of the customized Site Security Operational Procedures (SSOP).
- Supervising, testing, and monitoring changes affecting the AIS activity and SAAS network security posture.
- Implementing appropriate safeguards as required by directives.
- Monitoring system activity for security violations and reporting all security infractions to the appropriate authority.
- Supporting user training in correct AIS security procedures.
- Assisting in implementing, developing, and testing the site SAAS contingency plan.
User Roles

The design of the SAAS system includes a concept called role-based security to prevent abuse, misuse, or unauthorized actions by any user. A SAAS user gets assigned to one or more of these roles according to his position and responsibilities in his organization. The security manager and DBA should work closely together to ensure that the least privilege principle is applied. No one user should be assigned certain combinations of roles which would allow them to manipulate SAAS in a manner that is inconsistent with his job requirements. For example, a user assigned the Company Commander role should not also have the SAAS Officer role. If a user has mistakenly been assigned to a role which does not match his position or responsibilities, it is his duty to report this discrepancy to the ISM and his chain of command.

User Security Responsibilities

The SAAS system users play a key role in ensuring the secure operation of the computer system. While the operation of most system security features is not apparent to the user (they are transparent) and does not require user intervention, failure to follow the locally-established security policy could result in unauthorized disclosure of sensitive data, unauthorized system access, and unavailability of system resources. While unintentional security incidents sometimes cannot be avoided, the impact associated with these incidents can be minimized if they are reported to the appropriate security personnel as soon as possible. A general list of user security responsibilities includes the following:

- Complying with local security policy.
- Protecting passwords at the sensitivity level of data processed by the system (for SAAS this is SBU).
- Protecting system resources from damage, destruction, or unauthorized access.
- Protecting sensitive, unclassified information (e.g., printed products, monitor display screens) from unauthorized disclosure, alteration or loss.
- Ensuring that all printed output products are marked "For Official Use Only" (FOUO), the proper marking for SBU data.
- Reporting password compromise and suspected security violations to the appropriate security personnel.
Controlling Misuse

Misuse of any Department of Defense system, including SAAS, is illegal under federal and local statutes. Users are responsible for abiding by policies and guidelines and must understand what constitutes system misuse. The site security staff can provide specific guidance on security issues that are of concern to the site.

Security Awareness Training

All new SAAS users are required to attend a security indoctrination/orientation training session. This program continues with security awareness training throughout the user's tour of duty in the trusted facility and ends with a security debriefing at the tour's end. It is imperative that each user understand what constitutes system misuse in order to prevent inadvertently violating policies and regulations, thereby increasing the risk to the system's effective and correct operation.

Monitoring

User activities on the SAAS system are regularly monitored and are capable of being archived and tracked from a historical perspective. When intentional acts of misuse or risky patterns of system related behavior occur, policy related enforcement mechanisms are expected to be enacted.

Security Incident Reporting

Each SAAS user is responsible for promptly reporting suspected security violations. In most cases, early detection of security violations will minimize the impact to SAAS. In the absence of site-specific reporting procedures, all suspected security violations should be reported immediately to the local ISM. These individuals will initiate an investigation to validate the suspected security violation and implement appropriate corrective measures. Users should not attempt to perform their own investigation or assess the potential system impact. These efforts will only delay investigation by the appropriate authorities followed by the implementation of corrective measures. A general list of suspected security incidents that should be reported includes the following:

- Suspected compromise of user passwords.
- Attempts to gain unauthorized system access.
- Attempts to circumvent SAAS system security features.
- Unauthorized disclosure of sensitive information.
- Attempts by authorized users to access sensitive data outside of their area of responsibility.
- Improper configuration of SAAS security safeguards (e.g., accessing SAAS without a password or accessing previously restricted SAAS functionality).
- Attempts to gain detailed information about SAAS security safeguards.
- Suspected unauthorized modifications to sensitive data.
- Denial of Service attacks.

If users suspect or detect misuse, in-progress attacks, or other aberrant system activity, they should immediately contact the IASO. It is important to report the incident immediately to prevent further possible compromise or damage to the system. Users must be aware that the failure of a single site to ensure security puts all sites at risk.

Configuration Maintenance and Monitoring

The SAAS system security staff monitors workstations and servers to verify that the correct security configuration is maintained. Users must not attempt to load unauthorized software or change file permissions without security staff permission. Additionally, users must not change file permissions unless it is within the scope of their job or is required for the mission, and they have received proper authorization.

Protecting I&A

Each SAAS user plays a key role in the system security of the SAAS system network. Technical safeguards alone cannot protect sensitive system resources against unauthorized access, modification, or destruction unless each user consistently applies appropriate physical, personal, administrative, and procedural security measures. In this respect, each user is responsible for the following:

- Not revealing their passwords to others.
- Locking their workstations when they must be unattended for any length of time.
- Logging off their systems at the end of the day.
Non-Working Hours

During non-working hours and when offices are left unattended, all doors and windows to offices that house SAAS equipment are to be locked.

USER SECURITY GUIDANCE

This chapter covers the security features of Windows XP Professional and Windows Server 2003 operating system that relate to SAAS users as well as steps and procedures users must take to protect their information.

Establishing and Ending a Session

This section discusses the mechanics of logging on and off the SAAS Windows XP Professional and Windows Server 2003 network and of locking the workstation during brief absences. SAAS provides the user with a Single Sign-on (SSO), which allows the user to access all authorized network resources on the basis of a single user authentication process that is performed when the user initially accesses the Army Knowledge Online (AKO).

Logging onto the Network

All users must first log on to a Windows XP Professional and Windows Server 2003 system before being allowed access to any SAAS system or network resources. As described later, this logon may be to the local workstation or to a domain. To log on, users must first hit the CTRL+ALT+DEL keys simultaneously to receive the logon dialog box (Figure 1). The user must then enter his username and password. Guidance on password generation is provided in the following sections. The selection made in the Domain pull-down list defines which domain the user is attempting to log in to (e.g., an account on the local machine or an account in a domain to which the computer belongs).
Figure 1. Logon Information
Locking the Workstation

When leaving their workstations for any length of time, users should either log off or lock the workstation in order to protect the workstation and the user's data from passers-by who can take advantage of the open session. SAAS security policy requires users to utilize the terminal lock feature to prevent unauthorized access to the system and sensitive data in their absence. Once the terminal lock feature is executed, the monitor will display a blank screen or screen saver and prevent anyone from viewing sensitive data. After the terminal lock feature is activated, future access to the terminal is granted only after entry of a valid User ID and password.
SAAS has a default system registry setting that automatically locks the system after 300 seconds. This is not reconfigurable.
Logging off the System

Logging off of a SAAS workstation allows other users with valid accounts to use the machine without disrupting the previous user's data, whereas locking the workstation locks the interactive user interface, but does not close the currently active processes of the user that has logged onto the workstation. Logging off the system at the end of the workday or before a long absence is mandatory. Follow the steps below to log off of a SAAS workstation:

1. To log off, click on the Start button.
2. Select Log Off.
3. Click on the Log Off button as shown in Figure 2.
Figure 2. Log Off Windows
User Identification and Authentication

Logging on to a system establishes the user's identity and authenticates the user, which is a necessary component of SAAS security. Once a user receives the logon dialog, he is required to identify himself to the system (by username) and enter his password, as described above. Both username and password are looked up in the SAAS Security Account Manager (SAM) database. If there is a successful match, the system will give the user a unique security token that contains his user account information and establishes a session. This security token, called an access token, is used to identify the user for the duration of his session (until he logs off the system). The access token is transparent to the user and contains a user's security identifier (SID), group IDs, and user rights.

Password Considerations

Passwords are unique to the individual and are the basis for user authentication. Each new user will be given his username along with a password by the site security staff. Users should never write their passwords down or share them with another user. Passwords for accessing the SAAS applications on SAAS clients or passwords for accessing the SAAS Enterprise software are subject to the constraints of AR 25-2 Information Assurance. Password constraints are controlled by registry settings for the SAAS system and by similar policies in effect at AKO. Passwords must be at least ten characters long and must contain at least two characters from each of the four following character groups:

- Uppercase alphabetic characters (A-Z)
- Lowercase alphabetic characters (a-z)
- Numbers (0-9)
- Special characters (!, @, #, $, %, ^, &, *, (, ), <, >, etc.)

Additionally, passwords must meet the following rules:

- Passwords must not be a word found in a dictionary, or a proper name spelled forwards or backwards.
- Passwords must not be based on a simple keyboard sequence or repetitious keystrokes.
- Passwords must not be a previously used password.
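A checker for the password rules listed above, as an added example that is not part of the SFUG or the SAAS software. The wordlist, the run lengths (four keys in a row, three repeated characters), the letters-only dictionary comparison and the PBKDF2 history store are assumptions of this example; the guide gives no thresholds for them.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10       # "at least ten characters long"
MIN_PER_GROUP = 2     # "at least two characters from each" group
GROUPS = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "special": string.punctuation,
}
# Constructed sample wordlist; a real check would load a full dictionary
# and a list of proper names.
SAMPLE_WORDS = {"ammunition", "password", "christopher", "washington"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCE_RUN = 4      # assumption: 4 adjacent keys count as a keyboard sequence
REPEAT_RUN = 3        # assumption: 3 identical characters in a row are repetitious
PBKDF2_ROUNDS = 100_000


def remember(password, salt=None):
    """Return (salt, digest) for a password-history store; no plaintext kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def _has_keyboard_run(lowered):
    """True if any SEQUENCE_RUN-long window follows a keyboard row either way."""
    for i in range(len(lowered) - SEQUENCE_RUN + 1):
        window = lowered[i:i + SEQUENCE_RUN]
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _has_repeat_run(password):
    """True if the same character occurs REPEAT_RUN times consecutively."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= REPEAT_RUN:
            return True
    return False


def check_password(password, history=()):
    """Return a list of violated rules; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    for name, alphabet in GROUPS.items():
        if sum(ch in alphabet for ch in password) < MIN_PER_GROUP:
            violations.append("group:" + name)
    # Compare only the letters, so padding a word with digits and symbols
    # does not hide it; check forwards and backwards.
    letters = "".join(ch for ch in password.lower() if ch.isalpha())
    if letters in SAMPLE_WORDS or letters[::-1] in SAMPLE_WORDS:
        violations.append("dictionary")
    if _has_keyboard_run(password.lower()):
        violations.append("keyboard")
    if _has_repeat_run(password):
        violations.append("repeat")
    for salt, digest in history:
        if hmac.compare_digest(remember(password, salt)[1], digest):
            violations.append("reused")
            break
    return violations


if __name__ == "__main__":
    for candidate in ("Tr7#kLm9@qZw", "Password12!!", "QWerty12#$zx"):
        print(candidate, check_password(candidate) or "compliant")
```
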
Password Lifetime

SAAS and AKO passwords are valid for 60 days. The system will prompt a user 14 days before his password is about to expire and ask him to select/generate a new password. The user must make sure that he follows this prompt and obtains a new password or he runs the risk of being locked out of his account. If this happens, he should see his network administrator or security manager to unlock his account and generate a new password. SAAS is configured to lock accounts after three failed logon attempts. If a user becomes locked out, he must contact his network administrator or security manager to unlock his account.

User Profiles

When a SAAS user has been authenticated and has established a session, he sees a familiar desktop with applications and settings that are the same as the last time he logged on. This collection of assigned applications and settings is called a profile. Windows XP Professional and Windows Server 2003 assign these user profiles to each valid user. Windows XP Professional and Windows 2003 Server can create three types of User Profiles as described below.

- Local - Local profiles are specific to the local workstation on which they are created.
- Roaming - Roaming profiles are stored on a network server and accessed when a user logs on.
- Mandatory - Mandatory profiles are stored on a network server and are configured by the local network administrator. These profiles allow administrators to control the desktop of all users participating in the domain.
Windows XP Professional and Windows Server 2003 Domains and Workgroups

SAAS Windows XP Professional and Windows Server 2003 systems may be configured to participate in a domain or workgroup. Active Directory is not authorized for use with the SAAS system. The user-visible differences between the domain and workgroups are presented in the following paragraphs.

Workgroups

Workgroups are a collection of related workstations that operate on a peer-to-peer level. This means that there is no centralized management of security or resources. Each workstation manages its own user account database. Logging onto these machines requires a user to have a local account. It must be noted that the members of any workgroup are still managed as part of the overall network and are subject to the restrictions of the network security policies and resource requirements.

File System Guidance

Windows XP Professional and Windows Server 2003 currently support two file systems: the New Technology File System (NTFS) and the File Allocation Table (FAT). NTFS is the file system created for Windows NT and later operating systems, whereas FAT is an older, insecure, but backward-compatible file system. FAT does not have the security features that NTFS supports. A workstation with a FAT volume runs the risk of having its files accessed by unauthorized users. It is a SAAS requirement for Windows XP Professional and Windows Server 2003 platforms to use NTFS.

This section provides good information for all users, but is relevant only for Windows XP Workstation users who are permitted to create and control shared files, directories, or other system resources on their workstations. The items discussed below apply to resources that are shared between users, whether on the same workstation or between workstations.

Discretionary Access Control

An important feature of NTFS is file-level security.
Windows XP provides the ability to specify access control permissions on each object (file, directory or folder). Each object has an Access Control List (ACL) that identifies the user or group accounts that have been granted access to that object and identifies the type of access granted to the object.

File Sharing

File sharing allows users to access resources on other machines on a network (a sample screen is shown in Figure 3, File Sharing). Depending on the network configuration, network shares can be seen within local domains as well as remote trusted domains. The SAAS systems are configured such that shared resources can only be created by the security staff. If a user has a requirement to share resources, they must see the system administrator. The user should be aware that if they make a mistake in any process, they can easily recover by canceling the process or backing up to the error point and then correcting their error.
Figure 3. File Sharing

3.5.2.1 DAC for objects (files and directories)

Table 1 lists the available permissions a SAAS user can set on files and directories, along with the effect of each permission. Users can set the permissions on any objects that they own or to which they have been granted Full Control.
Table 1. DAC Permission Definitions

Permission      Effect
No Access       Prevents any access to the directory and its files even if the user has been granted full level control.
List            Allows the viewing and browsing of a directory, without access to files unless overridden by other files or directory permissions.
Read            Allows opening files and executing applications.
Add             Allows the adding of files and subdirectories without read access.
Change          Allows the combination of Add and Read permissions, plus Delete.
Full Control    Consists of the combination of Add, Read, Delete, and Change, plus taking ownership and assigning permissions.
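The following added example (not part of the original manual) models the Table 1 permission levels to show how entries on one ACL combine for a user and how an owner can review an ACL against the access they intended to grant. It assumes the standard Windows behaviour that grants from a user's own entry and group entries are cumulative while No Access overrides them; the names Ace, effective_rights, review_acl, BROAD_TRUSTEES and all sample accounts are hypothetical.

```python
from dataclasses import dataclass

# Rights implied by each permission level, taken from Table 1 of the manual.
CHANGE = frozenset({"add", "read", "execute", "delete"})
LEVEL_RIGHTS = {
    "No Access": frozenset(),
    "List": frozenset({"list"}),
    "Read": frozenset({"read", "execute"}),
    "Add": frozenset({"add"}),
    "Change": CHANGE,
    "Full Control": CHANGE | {"take_ownership", "assign_permissions"},
}

# Assumption for this example: trustees treated as "broad" during a review.
BROAD_TRUSTEES = {"Everyone", "Authenticated Users"}


@dataclass(frozen=True)
class Ace:
    """One ACL entry: a user or group name and a Table 1 permission level."""
    trustee: str
    level: str

    def __post_init__(self):
        if self.level not in LEVEL_RIGHTS:
            raise ValueError(f"unknown permission level: {self.level!r}")


def effective_rights(acl, user, groups):
    """Return the rights `user` ends up with on an object.

    Grants from every matching entry are cumulative, but a single
    No Access entry for the user or any of their groups wins outright,
    even over Full Control.
    """
    matching = [a for a in acl if a.trustee == user or a.trustee in groups]
    if any(a.level == "No Access" for a in matching):
        return frozenset()
    rights = frozenset()
    for ace in matching:
        rights |= LEVEL_RIGHTS[ace.level]
    return rights


def review_acl(acl, intended):
    """Flag entries that grant more than the owner meant to grant.

    `intended` maps trustee -> the level the owner wanted that trustee
    to have. Returns a sorted list of (trustee, finding) tuples.
    """
    findings = []
    for ace in acl:
        granted = LEVEL_RIGHTS[ace.level]
        if ace.trustee in BROAD_TRUSTEES and granted & {
            "add", "delete", "assign_permissions"
        }:
            findings.append((ace.trustee, f"broad group holds {ace.level}"))
        if ace.trustee not in intended:
            if ace.level != "No Access":
                findings.append(
                    (ace.trustee, "entry not in the intended access list"))
            continue
        excess = granted - LEVEL_RIGHTS[intended[ace.trustee]]
        if excess:
            findings.append(
                (ace.trustee, "excess rights: " + ", ".join(sorted(excess))))
    return sorted(findings)


# Constructed sample ACL for one shared directory (not real SAAS data).
SAMPLE_ACL = [
    Ace("jsmith", "Full Control"),        # the owner
    Ace("Ammo Clerks", "Change"),
    Ace("Authenticated Users", "Change"),
    Ace("Contractors", "No Access"),
]
# What the owner actually meant to grant.
INTENDED = {
    "jsmith": "Full Control",
    "Ammo Clerks": "Read",
    "Contractors": "No Access",
}

if __name__ == "__main__":
    clerk = effective_rights(SAMPLE_ACL, "adoe", {"Ammo Clerks"})
    print("adoe:", sorted(clerk))
    blocked = effective_rights(SAMPLE_ACL, "jsmith", {"Contractors"})
    print("jsmith while in Contractors:", sorted(blocked))
    for trustee, finding in review_acl(SAMPLE_ACL, INTENDED):
        print(f"{trustee}: {finding}")
```

The review output is the practical form of the checklist item on using directory and file permissions so that users have only the type of access they need.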
Setting Directory or File Permissions

In order to assign permissions to files and/or directories, users must own or have full control over that object. To edit file or directory permissions, perform the following steps:
Open My Computer.
Select and right-click on the target directory or file.
Select Properties.
Select the Security tab and choose the appropriate permissions. (See Figure 4.)
Figure 4. Setting Permissions
Changing Permissions

Selecting the user/group and selecting new permissions from the Permissions list will change a user's or group's assigned permissions. Advanced permissions are accessible by clicking on the Advanced button.

Adding Users and Groups

To grant access to another user, use the following steps:
Click on the Add button on the Security tab (pictured in Figure 4). From here, an administrator can add users or groups from the local machine or, if connected to a domain, users, computers, or groups from the domain or other trusted domains.
Click on the Advanced button to display the window shown in Figure 5.
Figure 5. Changing Permissions
Click on the View/Edit button to make changes to existing accounts.
Removing Users and Groups

To remove another user's access, select the appropriate entry from the list on the Security tab and click on the Remove button.

File Transfers and Secure File Transfer Protocol (FTP) (ssh2 compliant)

The transfer of files between SAAS and the authorized interfaces will be accomplished by an embedded communications program utilizing secure FTP.
Auditing

Auditing is a very useful SAAS security feature. Activating the auditing feature allows the system to trace accesses to certain sensitive files and directories that are suspected targets. Once an administrator has enabled the auditing of file and/or object accesses on a system, users have the ability to specify auditing on files and directories that they own. Users should consult with their site security officer or network administrator for local audit policies and guidance.

Auditing Events

Once auditing has been enabled, you can specify files and directories to be audited by following these steps:
Open My Computer.
Right-click on the file or directory on which to set auditing.
Select Properties, Security, Advanced, and the Auditing tab (Figure 6).
Figure 6. Auditing
Select the users to be audited. For this example, we will use Authenticated Users.
Click on Add.
Select Authenticated Users from the Names list box.
Click on OK and the window in Figure 7 will be displayed.
Figure 7. Auditing Entry
Check the appropriate audit events.
Note: Users should exercise care when specifying file and directory auditing. Auditing access to frequently accessed files and directories can rapidly fill up the security log. Not only does this create large log files to sift through, it also takes up a lot of disk space. The user should also be aware that if they make a mistake, they can easily recover by canceling the process or backing up to the error point and then correcting their error.
Using the Modem

The modem is to be used to provide connectivity to the servers for synchronization when network connectivity is not available. At no time should the modem and the network connection be concurrently active. Use one or the other, as appropriate, but never use both at the same time. The procedure outlined in this section will describe the means for accomplishing this.
In order to use the modem, the user must click on the desktop icon for connecting to the modem. This causes the network card in the system to automatically disconnect and then activates the modem.
When the outgoing call is made, the user will enter the phone number and the call will go through.
After the user has completed the file transmission, another click on the desktop icon will disable the modem and re-activate the network card.
Protecting Removable Objects

It is every bit as important to SAAS users that data stored as hardcopy or as soft copy for external storage is protected as fully as it is when on the SAAS computer system. External storage is defined as the following:
Floppy disk
Consumer-market tape or optical-magnetic drives, e.g., Iomega Zip and Jazz drives from SyQuest.
Production tape drives, e.g. HP SureStore
External hard drive
Read/writeable CD/DVD-ROM drive
Printed documents
Portable USB drives
SAAS policies regarding copying and removing data from workstations or servers to external media, such as a floppy disk, will be fully described at each site. As part of the site security policy, each site will address when data can be copied, how it will be handled after it is copied, what must be done with it when the user is finished with the copy, etc.
Security Checklist

This section proposes a partial checklist (Table 2) for users to use to verify that they have secured their workstations. The IASO or the user may add to this checklist as they feel appropriate.

Table 2. Security Checklist
Checklist Item                                                    Completed: Yes   No
I have not revealed my password to anyone
I have not written down my password
I always log off my computer when I no longer need to use it
I lock my workstation if I leave it unattended while I am logged on, and I use a password-protected screen saver to lock the workstation if I forget to lock it myself
I always take care to use directory and file permissions to ensure only users who need to access my files can do so, and that they only have the type of access they need
Appendix A Acronyms and Abbreviations

This section contains an alphabetized list of the acronyms and abbreviations used throughout this document. Each acronym or abbreviation is spelled out in its entirety the first time it is used in the document. Thereafter, only the acronym or abbreviation is used.

ACL         Access Control List
ACPI        Advanced Configuration and Power Interface
AIS         Automated Information System
AKO         Army Knowledge Online
ALT         Alternate Key
APG         Advanced Password Generator
APIPA       Automatic Private IP Addressing
COE         Common Operating Environment
CTRL        Control Key
CPU         Central Processing Unit
DAA         Designated Approval Authority
DAC         Discretionary Access Control
DBA         Database Administrator
DEL         Delete Key
DHCP        Dynamic Host Configuration Protocol
DII         Defense Information Infrastructure
DoD         Department of Defense
FAT         File Allocation Table
FOUO        For Official Use Only
GB          Giga-Bytes (Billions of Bytes)
GCSS-Army   Global Combat Support System - Army
I&A         Identification and Authentication
IASO        Information Assurance Security Officer
IPSec       Internet Protocol Security
ISM         Information Security Manager
ISSM        Information Systems Security Manager
MB          Mega-Bytes (Millions of Bytes)
NTFS        New Technology File System
SAM         Security Account Manager
SBU         Sensitive-But-Unclassified
SFUG        Security Features Users Guide
SID         Security Identifier
SSOP        Site Security Operational Procedures
TFM         Trusted Facility Manual
UID         User Identification
USB         Universal Serial Bus
Computer security terms or phrases used throughout this document are the following:

I&A - Identification and Authentication. Before gaining access to system resources or data, users must be identified to the system via a valid user account consisting of a user ID and password.

DAC - Discretionary Access Control. Discretionary access control is the operating system feature that allows the system to determine who is able to read, write, or execute a system object (files, directories, printers, etc.). Authenticated users will have access only to system objects that are required for their functional role and that are granted via DAC controls.

Importing and exporting file system objects. Users may be required to import files (bring files into their computer system from another computer system); export files (move or copy a file from the user's workstation to another workstation or file server); or share files that reside on their workstation, another workstation or a file server. The user should be aware of any attendant security restrictions and precautions.

Audit event generation - Users need to understand that the actions they perform on their workstations are audited by the SAAS operating system and database system, and that audit logs are maintained and reviewed by the Information Assurance Security Officer (IASO). This background security review activity is transparent to the user.

Security Access Token - A unique security token issued to each user by Windows XP Professional and Windows Server 2003 at the time they log in. This token is used by the operating system to uniquely identify each user throughout the duration of their session.
Appendix B References
The policies, procedures and requirements applied to the SAAS were derived from the following program and security documents.
Army Regulation 25-2 Information Assurance, 12 December 2003
DoD Directive 8500.1 Information Assurance, 24 October 2002
DoD Instruction 8500.2, Information Assurance (IA) Implementation, 6 February 2003
Federal Information Security Management Act (FISMA), December 2002
OMB Circular A-130, A-123, A-127
Freedom of Information Act of 1986 (P.L. 99-570)
FIPS PUBs 31, 41, 65, 73, 112, 113
Computer Security Act of 1987, 40 U.S.C. 759
Privacy Act of 1974, 5 U.S.C. 552a (e)(10)
The Immigration and Nationality Act, 8 U.S.C. 1202, Section 222(f)
Federal Manager's Financial Integrity Act, 31 U.S.C. 1352
Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030
Executive Order No. 12958 entitled, "Classified National Security Information."
Executive Order 10421 entitled, "Providing for the Physical Security of Facilities Important to the National Defense."
"National Policy for Safeguarding and Control of Communications Security (COMSEC) Material," NCSC-1
"National Policy on Use of Crypto-Material by Activities Operating in High-Risk Environments," NCSC-5.
"National Policy on Secure Voice Communications," NCSC-8.
National Telecommunications and Information System Security Policy 3 (NTISSP 3), "National Policy for Granting Access to U.S. Classified Cryptographic Information."
National Telecommunications and Information System Security Policy 200 (NTISSP 200), "National Policy on Controlled Access Protection."
National Telecommunications and Information System Security Policy 300 (NTISSP 300), "National Policy on Control of Compromising Emanations."
National Telecommunications and Information System Security Directive 500 (NTISSD 500), "National Directive on Telecommunications and Automated Information Systems Security (TAISS) Education, Training, and Awareness."
National Telecommunications and Information System Security Directive 600 (NTISSD 600), "National Directive on Communications Security (COMSEC) Monitoring."
"National Policy on Telecommunications and Automated Information Systems: Director of Central Intelligence Directive 1/16 (DCID 1/16).
Office of Management and Budget Circular A-123 (OMB A-123).
Federal Personnel Manual
National Security Telecommunications and Information Systems Security Committee (NSTISSC) instructions and advisory memoranda.
STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-MOD) TRUSTED FACILITY MANUAL (TFM)
BY
SECURITY ENGINEERING
FOR
Assistant Project Manager Automated Logistics and Integrated Systems
JULY 2006
EXECUTIVE SUMMARY

The Standard Army Ammunition System Modernization (SAAS-Mod) Trusted Facility Manual (TFM) is written for individuals with administrative responsibility for the SAAS-mod network operations at the site and server level. The TFM provides the administrator with detailed, accurate instructions for the installation, secure configuration, and function of the Microsoft Windows Server 2003, Oracle 10g, and Windows XP Professional. The TFM also describes for the administrator how to configure, operate, and use the system protection mechanism to control access to data, administrative functions, and databases. All this is intended to facilitate and maintain the SAAS-mod system as certification and accreditation under the guidance provided by the DITSCAP. This document includes references to the Department of Defense (DoD) 8500 series requirements, NSA Guidelines, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), and the new Army Regulation (AR) 25-2.
TABLE OF CONTENTS

Executive Summary
1.0 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Recommended Use of This Manual
1.4 References
1.4.1 Resources
2.0 SYSTEM SECURITY OVERVIEW
2.1 Threats, Vulnerabilities, Attacks and Countermeasures
2.1.1 Threats
2.1.2 Vulnerabilities
2.1.3 Attacks
2.1.4 Countermeasures
2.2 Protection Mechanisms Available to Counter General Threats
2.3 Physical Security Assumptions
2.4 Confidentiality Level
2.5 Management
2.6 Documentation and Evaluation
2.6.1 Risk Assessment
2.6.2 Continuity of Operations Plan
2.6.3 Certification and Accreditation
3.0 PHYSICAL SECURITY
3.1 Physical Controls
3.1.1 Protection of the System
3.1.2 Facility Control
3.1.2.1 Computer Area Access Logs
3.1.2.2 Visitor Log
3.1.2.3 Maintenance Log
3.1.2.4 Facility Log
3.1.2.5 Audit Review Log
3.1.3 Facility Access by Authorized Individuals
3.1.4 System Access by Authorized Users
3.1.5 Access by Visitors
3.1.6 Access by Maintenance Personnel
3.1.7 Movement of System Equipment and Media
3.2 Property Control and Distribution
3.3 General Guidelines and Procedures
4.0 PERSONNEL SECURITY
4.1 Visitors
4.2 Foreign Nationals
4.3 Maintenance Personnel
4.4 Security Awareness Training
4.4.1 Security Training Awareness Program
4.4.2 Periodic Security Training
5.0 COMPUTER SECURITY
5.1 System Integrity
5.2 System Baseline
5.3 Microsoft Windows Server 2003
5.6.2 Local Audit Policy Settings
5.6.3 User Rights Assignment
5.6.4 Security Option Settings
5.6.5 Event Log Settings
5.6.5.1 Security Options Settings
5.6.5.2 Clearing Logs on System Halts
5.6.6 Registry Key Permission Settings
5.6.7 File Permission Settings
5.6.7.1 Modifying Permissions on a File or Folder
5.6.7.2 Permissions Encompassing all Folders and Subfolders
5.6.7.3 Adding files or folders to the Security Configuration
5.6.7.4 Excluding an Object When Modifying the Configuration
5.6.7.5 File and Folder Permission Setting
5.6.8 Special considerations for the Dr. Watson USER.DMP File
5.7 Windows Discretionary Access Controls
5.8 Windows Identification and Authentication
5.9 Oracle Database Management System
5.9.1 Current Relational Database Management System Version
5.9.2 RDBMS Software Monitoring
5.9.3 Oracle Discretionary Access Controls
5.9.4 Oracle Auditing
5.9.5 Oracle Identification and Authentication
5.10 SAAS-Mod Application Security
5.10.1 Application Discretionary Access Controls
5.10.2 Application Auditing
5.10.3 Application Identification and Authentication
5.11 C2 Protect Tools
5.12 Anti-Virus
5.13 Security Patches
6.0 WINDOWS XP PROFESSIONAL Software INSTALLATION AND CONFIGURATION
6.1 Pre-Configuration Requirements
6.1.1 Hardware Compatibility List
6.2 Physically Securing Workstation and Software
7.0 Manual Security Configuration
7.1 Password Management
7.3 Configuring the Default Accounts
7.3.1 Administrator Account
7.3.2 Guest Account
7.4 Assigning Users to Groups
7.5 Print Auditing
7.6 Printer Restrictions
7.7 Additional Security Options Settings
Glossary. Acronyms and Abbreviations
Tables
Table 1. Password Policy
Table 2. Account Lockout Policy
Table 3. Recommended Audit Policy
Table 4. Standard and Advanced User Rights
Table 5. Security Option Settings
Table 6. Event Log Settings
Table 7. File and Folder Permission Settings
Table 8. Dr Watson Crash Dump File Permission Settings
Table 9. Database Table Audit Configuration
Table 10. List of Audit Views
Table 15. Administrator Account Configuration
Table 16. Guest Account Configuration
Table 17. Security Options
Figure
Figure 1. Auditable Event
STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-MOD) TRUSTED FACILITY MANUAL (TFM)
1.0 INTRODUCTION

This Trusted Facility Manual (TFM) is addressed to the System Administrator (SA), Information Assurance Manager (IAM), and Information Assurance Security Officer (IASO) for the Standard Army Ammunition System Modernization (SAAS-Mod). The TFM is a comprehensive guideline for maintaining a secure operating environment for the SAAS-Mod system. The TFM presents cautions about functions and privileges that must be controlled in order to operate a secure system during both garrison and tactical operations. In addition, it provides the procedures for implementing and maintaining the audit files. A detailed audit record structure for each type of audit event is provided.

1.1 Purpose

The SAAS-Mod TFM satisfies the Class C2 controlled access protection requirements outlined in Department of Defense (DoD) 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria. That regulation has been superseded by the DoD 8500 series. The SAAS-Mod system must meet the requirements mandated by United States (U.S.) Army Regulation AR 25-2, DoD Directive 8500.1, and DoD Instruction 8500.2. This manual reflects the latest changes and guidance related to the new requirements. However, the previous guidance revisited here and in the Security Framework documents is still relevant for application and database security. This manual augments system hardware and software documentation by providing:
a. Guidance for configuring and maintaining a secure system in accordance with (IAW) DISA STIGs for securing Microsoft Windows Server 2003 and MS Windows XP Professional operating environments.
b. Guidance on how to operate the system in a secure manner.
c. Information to make effective use of existing system privileges and protection mechanisms.
d. Pertinent warnings about the possible misuse of administrative authority as they apply to the SAAS-Mod system.
1.2 Scope

This manual augments the SAAS-Mod System Administrators Handbook, the Security Features Users Guide (SFUG), vendor documentation, and other system documentation. The TFM places emphasis on establishing and maintaining a secure system supplementing the information provided in those documents.
This manual addresses Physical Security, Personnel Security, Computer Security, Operations Security, Network Security, Security Awareness Training, and Security Incident Reporting. The TFM includes security guidelines and instructions for the server, workstation, and laptop configurations. This TFM does not attempt to detail safeguards at the site-specific level. Such detail is left to the discretion of the local site commander and supporting staff.

1.3 Recommended Use of This Manual

This manual provides the SA and IASO with guidance to ensure secure operation of the SAAS-Mod system. This document consists of several sections identifying the required settings for operating a secure Windows 2003 or XP Professional environment. A warning icon, noted below, is associated with all warning or caution statements for any configuration setting that may affect the functionality of the system.

Caution: This icon alerts the reader to use caution when implementing the following steps. It is also specific to the Registry Editor. Several configuration recommendations and mandatory items in this document require the use of the Registry Editor. Using the Registry Editor incorrectly can cause serious, system-wide problems, which may require the reinstallation of Windows Server 2003 or XP Professional software in order to correct. Use the Registry Editor tool with caution.

A glossary is included with a list of acronyms used throughout this document. References and requirements documentation are listed in section 1.4 below. For any security setting links listed throughout this document that do not function properly, cut and paste the following Information Assurance Support Environment (IASE) Information Assurance (IA) Document Library link in the web browser: http://iase.disa.mil/stigs/stig/index.html. The SA or IASO may need to download the appropriate Public Key Infrastructure (PKI) certificate to access the site.
To download a PKI certificate, go to the public site, http://iase.disa.mil/index2.html. After accessing the IA Document Library website, browse the list of available resources for the specific title listed in the TFM. These URL addresses can only be accessed from a .mil or .gov domain.
1.4 References

1.4.1 Resources

The documents listed below define the requirements that must be met by the system or best practices that shall be incorporated into the system configuration:
a. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Transmittal Memorandum No. 4.
b. Deputy Secretary of Defense, Memorandum, Department of Defense (DoD) Information Assurance Vulnerability Alert (IAVA), 30 December 1999.
c. DoD Directive 8500.1, "Information Assurance (IA)," dated October 24, 2002
d. DoD 8510.1-M, Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual, 31 July 2000.
e. DoD Directive 8500.1, Information Assurance (IA), 24 October 2002.
f. DoD Directive O-8530.1, Computer Network Defense (CND), 8 January 2001.
g. DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP), December 30, 1997.
h. DoD Instruction 8500.2, Information Assurance (IA) Implementation, 6 February 2003.
i. DoD Instruction O-8530.2, Support to Computer Network Defense, 9 March 2001.
j. NSA, Protection Profile for Single-level Operating Systems in Environments Requiring Medium Robustness, version 1.22, 23 May 2001.
k. DISA, Database Security Technical Implementation Guide, version 5, release 1, 18 October 2002.
l. AR 190-13, The Army Physical Security Program, 30 September 1993.
m. AR 190-51, Security of Unclassified Army Property (Sensitive and Nonsensitive), 30 September 1993.
n. AR 25-2, Information Assurance
2.0 SYSTEM SECURITY OVERVIEW

The following subsections provide: (1) a brief description of threats, vulnerabilities, attacks and countermeasures; and (2) a discussion of the available operational protection mechanisms, physical security assumptions, and the automated protection mechanisms provided by the SAAS-Mod. Effective use of these protection mechanisms will reduce the probability of success or the effect of attacks by eliminating or reducing vulnerabilities.

2.1 Threats, Vulnerabilities, Attacks and Countermeasures

The SAAS-Mod system will be subject to constant threats. Any vulnerability of SAAS-Mod may present the opportunity for an attack on the system by a threat agent. The following paragraphs provide a brief insight into threats, threat agents, vulnerabilities and attacks.

2.1.1 Threats

A threat is anything or anyone with the potential to cause a degradation of security or mission performance from the standards prescribed for the system in its security policy. The universe of threats includes both natural and man-made threats. Man-made threats are initially divided into "Insiders" and "Outsiders." An Insider is anyone who is authorized access to some portion of the system and trusted not to use this access to harm the system (e.g., SAs and authorized users). Outsiders are not authorized access to the system. Natural threats occur according to the laws of physics (e.g., wind, flood, and earthquake) and are usually geographically dependent. A threat agent is someone or something capable of bringing an attack to bear against a system. Fire, a disgruntled employee, or spies are examples of threat agents. Fire is a natural threat. A disgruntled employee is an Insider. Hackers and foreign intelligence agents are Outsiders.
2.1.2 Vulnerabilities

A vulnerability is a flaw, weakness, or deficiency in the implementation of a security requirement that could be exploited to degrade (harm or neutralize) system security performance. For example, suppose an SA assigned all users a password of "users." It would not take long for a curious hacker or disgruntled employee to gain unauthorized access to the system. The vulnerability in this example is the mismanagement of passwords.

2.1.3 Attacks

An attack is the activity whereby resources are brought to bear by a threat agent against a system, normally targeting any vulnerability. Attacks may take the form of Trojan horses (e.g., during development or maintenance), viruses (brought in on floppy disks or received over network), worms (received over networks), or direct user access. Some attacks may be implemented or facilitated by access to poorly managed passwords, access to systems via networks, poorly managed Discretionary Access Controls (DAC), ineffective protection of trusted audit functions, passive intercept of information, and active masquerading by tapping communications wire lines or fiber optic circuits.

2.1.4 Countermeasures

The effective implementation of countermeasures serves to reduce or eliminate the susceptibility of vulnerabilities to successful attack. Countermeasures consist of physical, personnel, procedural, administrative, and automated security mechanisms or processes designed to protect system resources. Some specific examples of these mechanisms or processes are effective password management, monitoring of audit data, staffed or locked facilities, security guards, and strict software and hardware configuration management.

2.2 Protection Mechanisms Available to Counter General Threats

Effective system administration dictates that protection mechanisms are employed as needed, subject to cost-effectiveness, availability, and operational efficiency.
The following examples of protection mechanisms may be used in one form or another:
a. Effective password management.
b. Severe limitation of Administrator privileges. Administrator privileges should be given only to the SA and the designated assistants.
c. Limited assignment of "group" and "other" DAC privileges and permissions (mechanisms to isolate functional roles are also essential to prevent possible fraud) for NT 4.0 systems.
d. Effective group policy management for W2K systems.
e. Use of trusted audit functions and frequent review of audit trail data (preferably daily and not to exceed weekly).
f. Code that prevents a user from simultaneously logging in from the same terminal or from more than one terminal.
g. Effective configuration management.
h. Contingency planning.
i. Physical security measures.
j. Strong procedural security.
k. Personnel security screening.
l. User Security Training and Awareness programs (at all levels that directly and indirectly affect users of the SAAS-Mod system).
m. Effective implementation of a Defense-in-Depth (DiD) strategy.

2.3 Physical Security Assumptions

All sites shall have physical security that meets the requirements of AR 190-13 and unit Standard Operating Procedures (SOPs). System administrators shall coordinate the SAAS-Mod physical security requirements with unit and organizational security elements.

2.4 Confidentiality Level

Determining the sensitivity of the data is extremely important when the data will be distributed outside the SAAS-Mod security boundary. The SAAS-Mod data shall not be handled, processed, or distributed until the confidentiality level is determined. Unclassified-Sensitive SAAS-Mod information shall not be distributed or released to individuals and/or systems that are not authorized to process or handle Unclassified-Sensitive SAAS-Mod information, and never without proper authorization.
This includes both electronic and printed copies of SAAS-Mod reports and lists of ammunition status.

2.5 Management

The SA, under the direction of an IASO/IAM, shall control the SAAS-Mod computer systems, local area network (LAN), computer center/facility, operations, and maintenance processes. Any deviations from the standard practices described in this TFM must be coordinated through the Site Commander and IASO. Minor changes made in the operating configuration or the security level must be approved by the CCB and IASO, and then documented in a facility or system log, as well as the System Security Authorization Agreement (SSAA). Major changes to the system must be approved by the Designated Approving Authority (DAA), as this may void the accreditation of the system. If a major change in the operating configuration or security level does occur, a new accreditation effort may be required IAW AR 25-2 and DoD 8510.1-M.

2.6 Documentation and Evaluation

2.6.1 Risk Assessment

To determine proper security and protective measures to be used with the SAAS-Mod, several accompanying processes must be implemented. Perform a site risk assessment to:
a. Identify security risks based on the analysis of threats to and vulnerabilities of the system.
b. Determine the magnitude of the identified risks.
c. Incorporate measures needed to safeguard against the identified risks.
The results of the risk assessment shall be documented in the SAAS-Mod site Risk Assessment Review (RAR) Report. The site RAR Report will be used as a basis for site accreditation.

2.6.2 Continuity of Operations Plan

The SAAS-Mod Continuity of Operations Plan (COOP) shall be utilized for system/application recovery and alternate operation plans. The COOP document includes instructions/procedures required to meet the contingency planning requirements described in AR 25-2.
Security Incident Reports shall be used to document existing and potential vulnerabilities, and reviews and audits shall be compiled to correct any configuration security discrepancies. The configuration management controls documented in the SAAS-Mod Configuration Management Plan are employed to ensure the following:
a. Unauthorized changes are not made to the SAAS-Mod system.
b. The master copy of the software is safeguarded and never used for actual production operations.
c. Production copies of software are generated from the master copy, as required.
d. System and application program libraries are protected and backup copies are maintained.
e. Strict configuration management controls are enforced to reduce the risk of introducing untested or malicious software.

2.6.3 Certification and Accreditation

The SAAS-Mod system is in phase 4 of its DITSCAP process life cycle. The DITSCAP process applies to all systems requiring certification and accreditation (C&A) throughout their life cycle. It is designed to be adaptable to any type of information system and any computing environment and mission. The IASO/IAM will conduct activities to monitor system management, configuration, and changes to the operational and threat environment to ensure an acceptable level of residual risk is preserved. Security management, configuration management, and periodic compliance validation reviews will be conducted. Changes to the system environment or operations may warrant beginning a new DITSCAP cycle as identified in DoD 8510.1-M, Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual. DoD 8510.1-M provides direction to the IASO/IAM to ensure compliance is maintained IAW DoD Instruction 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The DITSCAP will be the process used for all future C&A efforts.

3.0 PHYSICAL SECURITY

SAAS-Mod system hardware (including LAN equipment), software, documentation, and all Unclassified-Sensitive data handled by the SAAS-Mod system shall be protected to prevent unauthorized (intentional or unintentional) disclosure, destruction, or modification. This section provides procedures and guidance relative to physical controls.

3.1 Physical Controls

The IASO, SA shall implement processes and policies that regulate the access, use, distribution, sensitivity, and management of SAAS-Mod assets, applications, and data. The IAM is responsible for ensuring these processes are enforced and policies disseminated to the lowest level.

3.1.1 Protection of the System

The SAAS-Mod shall be installed and located in an area that protects it from unauthorized access.
A Computer Area Access Log shall be maintained at the entrance to the area.

3.1.2 Facility Control

3.1.2.1 Computer Area Access Logs

It is recommended that a Computer Area Access Log be established and maintained by the IASO. All authorized individuals shall be required to fill in the Computer Area Access Log upon entering/departing to/from the SAAS-Mod computer areas and work areas. The Computer Area Access Log, as a minimum, shall contain the date, time of arrival and departure, first and last name of the individual, signature, represented company/agency, purpose of visit, and if applicable the escort's name and signature. The Computer Area Access Log sheets shall be reviewed preferably daily, or at least weekly, by the IASO or other designees. The Computer Area Access Log sheets shall be monitored and protected by an authorized individual and retained for a minimum of 90 days.

3.1.2.2 Visitor Log

The IASO or designee shall maintain a Visitor Log. Outside visitors shall be required to log into the Visitor Log upon access/departure to/from all SAAS-Mod computer areas and work areas. The Visitor Log, as a minimum, shall contain the date, time of arrival and departure, first and last name of the visitor, signature, represented company/agency or contractor, purpose of visit, clearance level, and the person authorizing access. The Visitor Access Log sheets shall be monitored and protected by an authorized individual and retained for a minimum of 90 days.

3.1.2.3 Maintenance Log

A Maintenance Log shall be used to record major maintenance activity and/or preventive maintenance procedures performed on the SAAS-Mod system. Maintenance logs shall be kept separate from other logs and shall be limited to maintenance information only. The Maintenance Log sheets shall be monitored and protected by an authorized individual and retained for a minimum of 90 days.

3.1.2.4 Facility Log

A Facility Log shall be maintained by the site to record all major changes in the SAAS-Mod operating configuration such as changing security levels of information and the installation of new hardware or software.

3.1.2.5 Audit Review Log

An Audit Review Log must be established to track the periodic reviews of SAAS-Mod audit trails. The log must include, as a minimum, the date of the review, the file(s) reviewed, the name of the reviewer, and an indication of the results of the review. Refer to paragraph 5.6.2, Local Audit Policy Settings; paragraph 5.9.4, Oracle Auditing; and paragraph 5.10.2, Application Auditing, for additional procedures and guidance.

3.1.3 Facility Access by Authorized Individuals

Physical access to the SAAS-Mod system and facility must be controlled during both Garrison and Tactical operations. Physical access to the SAAS-Mod LAN, computer systems, and general work areas shall be restricted to authorized personnel and positively identified. Only authorized personnel with a genuine need for access to perform management, technical, and administrative support, and/or other related daily job functions shall be granted access to these areas by the IASO or a cognizant authority. If access is granted, the individuals shall be indoctrinated into the security practices of the secure areas. The IASO or SA shall maintain a list/roster of individuals who are authorized to access a particular area/facility. The list/roster of authorized individuals shall be prominently posted in the area/facility. The list/roster shall be used to challenge individuals who are not authorized to be in the area.

3.1.4 System Access by Authorized Users

To obtain system access for a particular user, a manager/supervisor responsible for a SAAS-Mod function shall submit to the IASO an Access Request Form or standard form letter specifying the particular individual's name, badge number, organization, and phone number. Upon approval, the IASO or a designee shall direct or be directed to include the user in the appropriate role and account. Requests for system privileges shall explain the need for such privileges in detail. If approved, the account shall be installed by the IASO or his/her designee (SA) on the server and the workstation, and passwords shall be assigned to the account IAW section 5.

New users shall be indoctrinated into the security practices of the SAAS-Mod system prior to being allowed use of the system. All users of the system shall agree to adhere to all security practices documented in the TFM (for IASOs / SAs), or SFUG (for ordinary users) and the site SOP, by signing the Account Request Form. All users of the system shall understand that they will be subject to periodic monitoring of account activities and usage of system resources.

Knowledge of the Administrator password shall be limited to only those individuals assigned IASO and System Administrator responsibilities. Individuals shall be responsible for providing protection, storage, and accountability for information at all times. Users shall log off systems before leaving the area. Prior to departing the facility, all individuals shall be logged out of the Computer Access Log (if a Computer Access Log is established by the site).

3.1.5 Access by Visitors

It is recommended that visitor requests for personnel indigenous to local and tenant commands must be submitted to and coordinated with the IASO.
All requests shall contain the first and last name of the visitor, rank (as applicable), date and time of the requested visit, clearance or authorization level of the visitor, the purpose for the visit, and identification of the unit or organization to which the visitor is assigned. The visitor's supervisor (as applicable) shall sign the request. The IASO shall approve the visit request in accordance with criteria of local operations, schedules, and security considerations and at the direction of the IASO's Commanding Officer. Upon arrival of the visitor, the IASO or delegate shall ensure compliance with the local facility visit procedures, supplemented with the procedures in this manual. It is emphasized that no visitor shall be permitted access to the facilities without prior notification and coordination with the IASO or designee. All visits by non-U.S. citizens and others whose identities are not known to the commander or manager shall be coordinated with the IASO. An authorized individual shall escort visitors at all times. The IASO will modify the above instructions to comply with local site security standing operating procedures.

3.1.6 Access by Maintenance Personnel

Maintenance personnel shall be observed and their actions monitored during the maintenance operations by individuals with the technical expertise to detect obvious unauthorized modifications and accesses.

3.1.7 Movement of System Equipment and Media

During system equipment and media movements, safeguards must be in place to prevent the unauthorized modification, loss, and casual viewing of Unclassified-Sensitive information, and unauthorized acquisition or destruction of:

a. System hardware;
b. System software used in system operations; and
c. System data or information in any form or on any media.

3.2 Property Control and Distribution

Property control and distribution entails the procurement and allocation of SAAS-Mod assets and applications used by the Army or SAAS-Mod. Assets include workstations, LANs, and computer center hardware and applications, along with the operating system (OS) and program software. All property shall be controlled and subject to frequent random audits. Therefore, it is necessary to know the exact location of every piece of equipment and software. A property database shall be maintained containing the hardware type, serial number, SAAS-Mod tag number (if one exists), the software installed on the hardware, the software distribution serial number, location of hardware, and the custodian.

Movement of all SAAS-Mod property, including information or hard copy output, shall be coordinated through the IASO or designee. The current custodian shall be responsible for all SAAS-Mod equipment, applications, and data assigned to him/her and the legality of all software not pertaining to SAAS-Mod. Only authorized software shall be installed on any part of the SAAS-Mod system. Public domain shareware or other privately purchased/attained software shall not be loaded/installed on any part of the SAAS-Mod system. Loading/installing unauthorized software will nullify the generic accreditation. Personnel shall be required to account for the disposition of any SAAS-Mod assets, software, and data prior to termination of employment or transfer to another group or program.

3.3 General Guidelines and Procedures

Physical protection of SAAS-Mod assets is the responsibility of individual sites. Site-specific physical security measures can take the form of barriers (e.g., fences, armed perimeters, buildings, intrusion alarms, and approved storage containers) as well as implementing procedures. Employing cost-effective physical security measures shall protect the SAAS-Mod assets.
The following generic physical security safeguards and procedures should be established and implemented to protect the SAAS-Mod hardware, software, and data:

a. The system hardware, software, documentation, data, and LAN hardware (e.g., wiring, junction boxes, gateways, concentrators, and cables) shall be protected from unauthorized access, destruction, or modification (either intentional or unintentional).
b. The LAN hardware shall be inspected frequently to ensure that no unauthorized hardware or devices are connected to the LAN (e.g., wire tapping devices). The procedures include inspecting LAN wiring and cables that are hidden from view (e.g., behind walls and in false ceilings).
c. Buildings, which house the SAAS-Mod system and related sensitive areas (as applicable), shall be designated as restricted areas and mission essential or vulnerable areas in accordance with AR 190-13.
d. Mainframe facilities shall be included in the installation physical security plan required by AR 190-13.
e. Only personnel performing official duties shall be allowed to access the SAAS-Mod system documentation.
f. Periodic physical security inspections shall be implemented IAW AR 190-13.
g. Particular attention should be paid to the physical security of the SAAS-Mod system, which is not being operated or otherwise attended continuously.
h. SAAS-Mod computer areas and support facilities shall be secured at the end of the duty day and at any other time the facilities are unoccupied.
i. SAAS-Mod key and lock control shall be maintained IAW AR 190-51, appendix C.

4.0 PERSONNEL SECURITY

This section describes the security policies for SAAS-Mod personnel. SAAS-Mod personnel are subject to the policies and procedures that regulate the access, use, distribution, confidentiality level, and management of SAAS-Mod system assets, applications, and data.

4.1 Visitors

Visitors not having a need-to-know shall not be allowed access to the SAAS-Mod facility/installation or remote facility (workstation area) processing sensitive information unless all sensitive material is stored, laptop or workstation screens are blanked or obscured from view, and printers are disabled. An authorized individual shall escort visitors at all times. Refer to paragraph 3.1.5 for additional information pertaining to visitors.

4.2 Foreign Nationals

The process of authorizing foreign national employees to work in a sensitive environment is under the control of the Organizational or Unit personnel/security office. The IASO shall maintain liaison with personnel and security offices for the purposes of either justifying the need to employ foreign nationals, or verifying their eligibility to be employed in the SAAS-Mod facility. No foreign national shall be allowed access to the SAAS-Mod facility without verification of his/her eligibility from cognizant personnel offices.

4.3 Maintenance Personnel

Maintenance personnel accessing the SAAS-Mod facility on a regular basis shall be listed on the approved roster of authorized individuals (see paragraph 3.1.3). Including individuals on the list of authorized individuals shall be based upon IASO discretion. In the event maintenance personnel not on the approved roster require access, IASO agents with enough technical expertise to detect obvious malicious activity shall observe maintenance operations. Refer to paragraph 3.1.6 for additional information pertaining to maintenance.

4.4 Security Awareness Training

A security program is only effective if the personnel using the protected system understand and are aware of the need for security and how they must participate in the protection of the system. A Security Training Awareness program shall be implemented by the IAM/IASO at the SAAS-Mod facility and remote sites.
Each user of the SAAS-Mod system must complete training. All new users shall be required to complete the program prior to being given access to the system. A periodic review and update of security procedures shall be given to all SAAS-Mod system users. A security briefing shall be presented in the form of a handout or in a seminar. The security awareness program shall convey the significance of security and the role of each user in maintaining the security posture of the system. The importance of access controls (account, system, and physical), data integrity protection, and property control shall be conveyed to the users through the SAAS-Mod Security Awareness Training Program. Training is also given to all personnel who are responsible for the management, operation, and maintenance of the SAAS-Mod components.

4.4.1 Security Training Awareness Program

The IAM/IASO is responsible for implementing a Security Training and Awareness Program IAW AR 25-2. All SAAS-Mod users, the SA, and all personnel under the SA's supervision must participate in a Security Training and Awareness Program tailored for the SAAS-Mod system. The curriculum of the Security Awareness Program shall cover, as a minimum, the following:

a. Threats, vulnerabilities, and risks associated with the system. Under this portion, specific information regarding measures to reduce the threat from malicious software will be provided, including prohibitions on loading unauthorized software, the need for frequent backup, and the requirement to report abnormal program behavior immediately.
b. Information security objectives; that is, what is it that needs to be protected?
c. Responsibilities associated with the system security.
d. Information accessibility, handling, and storage considerations.
e. Physical and environmental considerations, which are necessary to protect the system.
f. System data and access controls.
g. Emergency and disaster plans.
h. Authorized system configuration and associated configuration management requirements.

4.4.2 Periodic Security Training

The IAM/IASO shall implement and oversee periodic security training and awareness. This may include various combinations of:

a. Self-paced or formal instruction;
b. Security education bulletins;
c. Security posters;
d. Training films and tapes; and
e. Computer-aided instruction.

5.0 COMPUTER SECURITY

This section provides procedures and guidance relative to Computer Security (COMPUSEC). Computer security includes automated measures and controls that protect a system against denial-of-service and unauthorized (accidental or intentional) disclosure, modification, or destruction of the system and data.

5.1 System Integrity

Windows Server 2003 and Windows XP Professional are operating systems in which the typical OS function and networking are integrated. Windows Server 2003 and Windows XP Professional provide many configurable security features to secure both the operating system and networking functions. System-level integrity consists of protecting both hardware and software resources. The IASO will ensure a Windows 2003 Server and Windows XP Professional workstation is configured to provide compliance with the security required by DoD Directive 8500.1 and OMB Circular A-130. The IAM will use the following guidelines in the acquisition and implementation of products to ensure that security-related issues are adequately addressed:

a. Products will be evaluated for sensitive functions that could compromise Windows Server 2003 and Windows XP Professional security, and will implement controls to protect those functions. All security controls implemented will be coordinated with, and approved by, the IAM or IASO.
b. The SA, under the direction of the IASO, is responsible for creating, checking, and maintaining a current system baseline for all servers and critical workstations. The IASO is responsible for verifying the system baseline. The IAM is responsible for setting overall policy for system baseline creation and maintenance.
c. Sites will use a baseline control tool on all servers and critical systems for which the tool is available. This does not apply to special purpose systems where it would degrade the security posture of the system.
Examples are firewalls and SABI (Secret and Below Interoperability) secure guards that have a minimal operating system tailored to the specific requirements of the device.

5.2 System Baseline

A baseline is a database that contains a snapshot of the system after it has been fully loaded with operating system files, applications, and users. Baseline control consists of comparing a current system snapshot with the original system snapshot. The purpose of maintaining and checking a system baseline is to detect unauthorized, undocumented system changes. Unauthorized changes may indicate system compromise and, if detected, could prevent serious damage. A baseline consists of files that change infrequently in terms of size, access permissions, modification times, checksums, etc. They are usually found in the system directories but could be in other locations.

One of the Defense Information Systems Agency (DISA) recommended system baseline utilities used to obtain and check system baselines is the Axent Enterprise Security Manager (ESM) application. The following are minimum requirements for the SA:

a. Perform weekly baseline reviews on each critical system.
b. Maintain three weeks of baseline product reports and be able to provide them upon request.
c. Maintain all baseline backups on write-protected media.
d. Baseline and compare operating system *.exe, *.bat, *.com, *.cmd, and *.dll files.

A quick way to perform a baseline review is to create a text file using the dir command. To create the initial baseline file, enter the following at the C: prompt:

    dir /s c:\winnt\*.* >baseline.txt

This will send the directory contents, including all files, to the file baseline.txt on the C: drive. Be sure to enter a space between *.* and the greater than sign (>). After changes have been made, run the same command, but change the filename (baseline2.txt). To compare the two files, open the new file (baseline2.txt) in MS Word, and perform a file comparison. In MS Word, this can be found on the menu under Tools-Track Changes-Compare Documents. Any file changes will be reflected.
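A hash-based version of the baseline review described above, as an added example that is not part of the manual. It goes beyond the dir listing by recording a SHA-256 checksum next to size and modification time for the file types named in item d, so a replaced file is reported even when its size and date match the baseline. The function names, the JSON baseline format, and the directory tree built in demo() are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types that item d of section 5.2 says to baseline and compare.
BASELINE_EXTS = {".exe", ".bat", ".com", ".cmd", ".dll"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each baselined file (path relative to root) to size, mtime and SHA-256."""
    root = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in BASELINE_EXTS:
                continue
            key = path.relative_to(root).as_posix()
            try:
                info = path.stat()
                snap[key] = {"size": info.st_size,
                             "mtime": int(info.st_mtime),
                             "sha256": sha256_file(path)}
            except OSError as exc:
                # A file that cannot be read is itself a finding; keep it visible.
                snap[key] = {"error": exc.strerror}
    return snap


def save_snapshot(snap, path):
    """Write the snapshot as JSON; copy it to write-protected media afterwards."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    """Read a snapshot previously written by save_snapshot."""
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Return sorted lists of added, removed, content-changed and metadata-only files."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "content_changed": [],
              "metadata_only": []}
    for key in sorted(set(old) & set(new)):
        before, after = old[key], new[key]
        if before.get("sha256") != after.get("sha256"):
            report["content_changed"].append(key)
        elif before != after:
            report["metadata_only"].append(key)
    return report


def demo():
    """Build a constructed directory tree, change it, and compare the two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "winnt"  # constructed stand-in for c:\winnt
        (root / "system32").mkdir(parents=True)
        (root / "system32" / "tool.exe").write_bytes(b"MZ original build")
        (root / "system32" / "helper.dll").write_bytes(b"MZ helper")
        (root / "logon.bat").write_bytes(b"@echo off\r\n")
        (root / "notes.txt").write_bytes(b"not a baselined file type")

        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(root), baseline_file)

        # Same-size replacement with the timestamps put back: a listing of
        # sizes and dates looks unchanged, the checksum does not.
        target = root / "system32" / "tool.exe"
        stamp = target.stat()
        target.write_bytes(b"MZ modified build")
        os.utime(target, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))

        (root / "system32" / "helper.dll").unlink()
        (root / "dropped.cmd").write_bytes(b"echo new\r\n")
        os.utime(root / "logon.bat", (0, 86400))  # date changed, content unchanged

        return compare(load_snapshot(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```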
Changes shall only be implemented after a baseline freeze, through the Configuration Control Board (CCB), IAW the Configuration Management Plan.

Intrusion detection should be provided at the system level. In many situations, full intrusion detection at the enclave level may not be possible due to virtual private network (VPN) or application layer encryption. The IAM/IASO will determine the most effective means to protect data integrity. Applications or appliances installed to protect the system shall be from the approved Blanket Purchase Agreement (BPA) list for use on Army systems.

5.3 Microsoft Windows Server 2003

The following settings are provided in the event that it becomes necessary for the SA to manually configure a SAAS-Mod system. These settings are part of the system install image distributed by the PM LIS along with comprehensive installation instructions. Therefore, a manual configuration should not be necessary. However, the SA should periodically review these settings and verify that the system configuration has not been changed. Any deviation from the NSA security settings, as required by DoD Instruction 8500.1 for the operational system, shall be documented by the local IASO/IAM. These changes shall be considered and approved by the Configuration Control Board prior to any changes taking effect.

System administrators should use the DISA Security Technical Implementation Guides for Windows 2003 Server as guidance to set up and maintain the SAAS-Mod 1B systems. Section 4 of the System Administrators Manual gives installation instructions for the server. To achieve the highest level of Windows 2003 Server security, install Service Pack 1. For a complete list of available post service packs and hotfixes, go to the Windows 2003 Server Downloads website.

Table 1 lists the recommended Password Policy settings.

Table 1. Password Policy

| Password Policy Options | Recommended Settings |
|---|---|
| Enforce password uniqueness by remembering last x passwords: Prevents users from toggling among their favorite passwords and reduces the chance that a hacker/password cracker will discover passwords. If this option is set to 0, users can revert immediately back to a password that they previously used. Allowable values range from 0 (do not keep password history) to 24. | 24 Passwords |
| Maximum Password Age: The period of time that a user is allowed to have a password before being required to change it. Allowable values include Forever (password never expires) or between 1 and 999 days. | 90 days |
| Minimum Password Age: The minimum password age setting specifies how long a user must wait after changing a password before changing it again. By default, users can change their passwords at any time. Therefore, a user could change their password, then immediately change it back to what it was before. Allowable values are 0 (allow changes immediately) or between 1 and 42 days. | 1 Day |
| Minimum Password Length: Blank passwords and shorter-length passwords are easily guessed by password cracking tools. To lessen the chances of a password being cracked, passwords should be longer in length. Allowable values for this option are 0 or between 1 and 14 characters. | 10 Characters (10 characters satisfies requirements for SBU systems per AR 25-2) |
| Password must meet complexity requirements of installed password filter: Enforces strong password requirements for all users by use of a dynamic link library called passfilt.dll. Stronger passwords provide some measure of defense against password guessing and dictionary attacks launched by outside intruders. Passwords must contain characters from 3 of 4 classes: upper case letters, lower case letters, numbers, and special characters (e.g. punctuation marks). Also, passwords cannot be the same as the user's logon name. Complexity requirements will take effect the next time a user changes his password. Already-existing passwords will not be affected. | Enabled |
| Prevents users from changing their passwords without logging on. If the user's password expires, the user will not be able to log on and an administrator will have to change the user's password. Setting this value and requiring new users to change their password at first logon will generate the error "You do not have permission to change your password." This setting can be temporarily disabled in order to allow new users to log on initially. | Enabled |

| Account Lockout Policy Options | Recommended Settings |
|---|---|
| Account lockout count: Prevents brute-force password cracking/guessing attacks on the system. This option specifies the number of bad logon attempts that can be made before an account is locked out. Allowable values range from 0 (no account lockout) to 999 attempts. | 3 Invalid logon attempts |
| Lockout account for: Sets the number of minutes an account will be locked out. Allowable values are Forever (until admin unlocks) or between 1 and 99999 minutes. Setting this value to Forever (until admin unlocks) may allow a potential denial of service attack. It is important to note that the built-in Administrator account cannot be locked out. | Forever |
| Reset account lockout count after: Sets the number of minutes until the bad logon count is reset. Allowable values range from 1 to 99999 minutes. | 99999 |

5.6.2 Local Audit Policy Settings

Table 3 lists the recommended Audit Policy settings.

Table 3. Recommended Audit Policy

| Audit Policy Options | User Manager for Domain Names | Recommended Settings |
|---|---|---|
| Audit Account Management: Tracks changes to the Security account database (when accounts are created, changed, or deleted). | User and Group Management | Success, Failure |
| Audit Logon Events: Tracks users who have logged on or off, or made a network connection. Also records the type of logon requested (interactive, network, or service). Track failures to record possible unauthorized attempts to break into the system. | Logon and Logoff | Success, Failure |
| Audit Object Access: Tracks unsuccessful attempts to access objects (directories, files, printers). Individual object auditing is not automatic and must be enabled in the object's properties. | File and Object Access | Failure |
| Audit Policy Change: Tracks changes in security policy, such as assignment of privileges or changes in the audit policy. | Security Policy Changes | Success, Failure |
| Audit Privilege Use: Tracks unsuccessful attempts to use privileges. Privileges indicate rights assigned to administrators or other power users. | Use of User Rights | Failure |
| Audit Process Tracking: Detailed tracking information for events such as program activation and exits. This option is useful to record specific events in detail if you believe your system is under attack. | Process Tracking | No Auditing |
| Audit System Events: Tracks events that affect the entire system or the Audit log. Records events such as restart or shutdown. | Restart, Shutdown and System | Success, Failure |
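One way to carry out the periodic review of the password, account lockout, and audit settings tabulated above, as an added example that is not part of the manual: it parses an exported security template (for instance, one written by secedit /export) and lists every setting that deviates from the recommended value. The mapping from table rows to template key names is this example's assumption, -1 is the template encoding of Forever, and the sample export is constructed.

```python
import re

# Recommended values from Tables 1-3, keyed by the setting names used in
# Windows security-template (.inf) files. The row-to-key mapping is this
# example's assumption, not something the manual states.
EXPECTED = {
    "System Access": {
        "PasswordHistorySize": 24,    # remember last 24 passwords
        "MaximumPasswordAge": 90,     # days
        "MinimumPasswordAge": 1,      # day
        "MinimumPasswordLength": 10,  # characters
        "PasswordComplexity": 1,      # Enabled
        "LockoutBadCount": 3,         # invalid logon attempts
        "LockoutDuration": -1,        # Forever (until admin unlocks)
        "ResetLockoutCount": 99999,   # minutes
    },
    "Event Audit": {                  # 1 = Success, 2 = Failure, 3 = both
        "AuditAccountManage": 3,
        "AuditLogonEvents": 3,
        "AuditObjectAccess": 2,
        "AuditPolicyChange": 3,
        "AuditPrivilegeUse": 2,
        "AuditProcessTracking": 0,
        "AuditSystemEvents": 3,
    },
}
AUDIT_TEXT = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def decode_export(raw):
    """Exports are normally UTF-16 with a byte-order mark; otherwise assume UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_inf(text):
    """Return {section: {key: value}} with every value kept as a stripped string."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def deviations(sections):
    """List (section, key, expected, actual) for every setting that differs."""
    found = []
    for section, wanted in EXPECTED.items():
        have = sections.get(section, {})
        for key, expected in wanted.items():
            try:
                actual = int(have.get(key))
            except (TypeError, ValueError):
                actual = None  # missing or non-numeric: report it, do not guess
            if actual != expected:
                found.append((section, key, expected, actual))
    return found


def describe(section, key, expected, actual):
    """Render one deviation as a line suitable for the facility or system log."""
    if section == "Event Audit":
        expected = AUDIT_TEXT[expected]
        actual = AUDIT_TEXT.get(actual, "not set")
    elif actual is None:
        actual = "not set"
    return f"[{section}] {key}: expected {expected}, found {actual}"


# Constructed sample export (not from a real system): password history is
# missing, minimum length is 8, and object-access auditing is switched off.
SAMPLE_EXPORT = (
    "[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
    "MinimumPasswordAge = 1\r\nMaximumPasswordAge = 90\r\n"
    "MinimumPasswordLength = 8\r\nPasswordComplexity = 1\r\n"
    "LockoutBadCount = 3\r\nResetLockoutCount = 99999\r\nLockoutDuration = -1\r\n"
    "[Event Audit]\r\n"
    "AuditSystemEvents = 3\r\nAuditLogonEvents = 3\r\nAuditObjectAccess = 0\r\n"
    "AuditPrivilegeUse = 2\r\nAuditPolicyChange = 3\r\n"
    "AuditAccountManage = 3\r\nAuditProcessTracking = 0\r\n"
).encode("utf-16")


def check_sample():
    """Run the whole pipeline over the constructed sample."""
    return [describe(*d) for d in deviations(parse_inf(decode_export(SAMPLE_EXPORT)))]


if __name__ == "__main__":
    print("\n".join(check_sample()))
```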

The common administrative tools contain the Event Viewer, which allows the Administrator to view the application log, security log, or system log. Recommended audit settings are available in section 9 of the System Administrators Manual.

To enable file system auditing:

1. Click Start, click Run, type mmc /a (note the space between mmc and /a), and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, click Group Policy, and then click Add.
4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and then click OK.
5. In Local Computer Policy, click Audit Policy.

   Local Computer Policy
     Computer Configuration
       Windows Settings
         Security Settings
           Local Policies
             Audit Policy

6. In the details pane, double-click Audit Object Access.
7. In the Audit object access Properties dialog box, click the options you want, and then click OK.

You must be logged on as an administrator or as a member of the Administrators group to set up auditing of files and folders. Group Policy is available only to administrators. If you have previously saved a console with Group Policy, you can open the saved console and go to step 5. After you enable auditing of files and folders, you must specify which files and folders to audit.

a. Select events to audit.
   a. To Audit the Directory Only: In the Apply To option: Change the pull down bar to This folder only.
   b. To Audit Directories and Its Files Only: In the Apply To option: Change the pull down bar to This folder and files.
   c. To Audit the Directory and Subdirectories Only, Not Files: In the Apply To option: Change the pull down bar to This folder and subfolders.
   d. To Audit Directories, Subdirectories, And All Files: In the Apply To option: Change the pull down bar to This folder, subfolders and files.

5.6.3 User Rights Assignment

Table 4 lists the recommended audit policy settings. In the User Rights Assignment section:

a. Right-click on the desired Attribute in the right frame.
b. Select Security.
   (1) To Add a user or group: Add | Select user or group | Add | OK | OK
   (2) To Remove a user or group: Select user or group | Remove | OK

Table 4. Standard and Advanced User Rights

Standard/Advanced User Rights, with the assignment for Windows Workstations and for Windows Member Servers. All shaded areas represent advanced user rights.

Access this computer from network: Allows a user to connect over the network to the computer.
    Windows Workstations: Administrators, Authenticated Users
    Windows Member Servers: Administrators, Authenticated Users

Act as part of the operating system: Allows a process to perform as a secure, trusted part of the operating system. Some subsystems are granted this right.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Add workstations to the domain: Allows a user to add workstations to a particular domain. This right is meaningful only on domain controllers. By default, the Administrators and Account Operators groups have the ability to add workstations to a domain and do not have to be explicitly given this right.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Back up files and directories: Allows a user to back up files and directories. This right supersedes file and directory permissions.
    Windows Workstations: Administrators, Backup Operators
    Windows Member Servers: Administrators, Backup Operators

Bypass traverse checking: Allows a user to change directories and access files and subdirectories even if the user has no permission to access parent directories.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Change the system time: Allows a user to set the time for the internal clock of the computer.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Create a pagefile: Allows a user to create new pagefiles for virtual memory swapping.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Create a token object: Allows a process to create access tokens. Only the Local Security Authority should be allowed to create this object.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Create permanent shared object: Allows a user to create special permanent objects, such as \\Device, that are used within Windows.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Debug programs: Allows a user to debug various low-level objects such as threads.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Force shutdown from a remote system: Allows a user to shut down a Windows system remotely over a network.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Generate security audits: Allows a process to generate security audit log entries.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Increase quotas: This right has no effect in current versions of Windows.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Increase scheduling priority: Allows a user to boost the execution priority of a process.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Load and unload device drivers: Allows a user to install and remove device drivers.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Lock pages in memory: Allows a user to lock pages in memory so they cannot be paged out to a backing store such as Pagefile.sys.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Log on as a batch job: This right has no effect in current versions of Windows.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Log on as a service: Allows a process to register with the system as a service. Some applications such as Microsoft Exchange require a service account, which should have this right. Review the users/groups assigned this right on the system PRIOR to applying the security templates in order to determine which assignments are necessary. The .inf template files will remove all users/groups from this right unless you modify the setting.
    Windows Workstations: As Needed
    Windows Member Servers: As Needed

Log on locally: Allows a user to log on at a system's console.
    Windows Workstations: Administrators, Authenticated Users
    Windows Member Servers: Administrators, Backup Operators

Manage auditing and security log: Allows a user to specify what types of resource access (such as file access) are to be audited and the ability to view and clear the security log. Note that this right does not allow a user to set system auditing policy using the Audit command in the Policy menu of User Manager. Members of the Administrators group always have the ability to view and clear the security log.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Modify firmware environment variables: Allows a user to modify system environment variables stored in nonvolatile RAM on systems that support this type of configuration.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Profile single process: Allows a user to perform profiling (performance sampling) on a process.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Profile system performance: Allows a user to perform profiling (performance sampling) on the system.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators

Replace a process-level token: Allows a user to modify a process's security access token. This is a powerful right used only by the system.
    Windows Workstations: (No one)
    Windows Member Servers: (No one)

Restore files and directories: Allows a user to restore backed-up files and directories. This right supersedes file and directory permissions.
    Windows Workstations: Administrators, Backup Operators
    Windows Member Servers: Administrators, Backup Operators

Shut down the system: Allows a user to shut down Windows.
    Windows Workstations: Authenticated Users, Administrators
    Windows Member Servers: Administrators

Take ownership of files or other objects: Allows a user to take ownership of files, directories, printers, and other objects on the computer. This right supersedes permissions protecting objects.
    Windows Workstations: Administrators
    Windows Member Servers: Administrators
Each entry below gives the Security Attribute, its description and registry value where listed, and the Recommended Security Setting.

Allow Server Operator to schedule tasks (Domain Controllers Only): Allows Server Operators to use Schedule Service (AT command) or schedule task to automatically run.
    HKLM\System\CurrentControlSet\Services\Schedule
    Recommended Security Setting: Not Configured

Allow system to be shutdown without having to logon: Normally, you can shut down a computer running Windows Workstation without logging on by choosing Shutdown in the Logon dialog box. This is appropriate where users can access the computer's operational switches; otherwise, they might tend to turn off the computer's power or reset it without properly shutting down. However, you can remove this feature if the CPU is locked away. This step is not required for Windows Server, because it is configured this way by default.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon = 0
    Recommended Security Setting: Disabled

Audit access to internal system object: There are a number of Windows system components that are accessible to individuals with programming knowledge that could be used to mount a denial of service attack. Objects are not audited by default when this option is enabled. When File and Object auditing is enabled you may receive Event 560 failures in the event log. This behavior can occur when the task manager is polling, or is going out through the computer and reading objects.
    HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects = 1
    Recommended Security Setting: Enabled

Audit use of all user rights including Backup and Restore: The additional privileges audited with this option enabled are bypass traverse checking, debug programs, create a token object, replace process level token, generate security audits, back up files and directories, and restore files and directories. User rights including Backup and Restore are not audited by default when this option is enabled. The SCM will show mismatch after configuration. This setting should be verified in the registry.
    HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
    Recommended Security Setting: Enabled

AutoDisconnect: Allow sessions to be disconnected when they are idle: Disconnects a user session from any servers on the domain when it exceeds the AutoDisconnect Time.
    Recommended Security Setting: Not Configured

AutoDisconnect: Amount of idle time required before disconnecting session: Set the amount of elapsed idle time allowed before disconnecting the user's session.
    Recommended Security Setting: Not Configured

Change Administrator account name to: The Administrator account is created by default when installing Windows on the server and/or workstation. Therefore, it is recommended that the Administrator account be renamed on all Windows machines.
    Recommended Security Setting: <Configure Locally>

Change Guest Account to: The Guest accounts are created by default when installing Windows on the server and/or workstation. The Guest account is disabled by default on the server, but not on the workstation. Even though it has been disabled, the account still exists. Therefore, it is recommended that the Guest accounts be renamed on servers and workstations.
    Recommended Security Setting: <Configure Locally>

Clear virtual memory pagefile when system shuts down: Virtual Memory support in Windows uses a system pagefile to swap pages from memory when they are not being actively used. On a running system, this pagefile is opened exclusively by the operating system and hence is well protected. However, to implement a secure Windows environment the system page file should be wiped clean when Windows shuts down. This action ensures sensitive information, which may be in the pagefile, is not available to a malicious user.
    HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown = 1
    Recommended Security Setting: Enabled

Digitally sign client-side communication always:
    Recommended Security Setting: Not Configured

Digitally sign client-side communication when possible:
    Recommended Security Setting: Not Configured

Digitally sign server-side communication always:
    Recommended Security Setting: Not Configured

Digitally sign server-side communication when possible:
    Recommended Security Setting: Not Configured

Disallow enumeration of account names and shares by anonymous: Restricts the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names.
    HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
    Recommended Security Setting: Enabled

Do not display last username in logon screen: By default, Windows places the user name of the last user to log on the computer in the User name text box of the Logon dialog box, making it convenient for the most frequent user to log on. To enhance security, prevent Windows from displaying the user name from the last logon. This is especially important if a generally accessible computer is being used for system administration.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName = 1
    Recommended Security Setting: Enabled

Forcibly logoff when logon hours expire: Disconnects a user account from any servers on the domain when it exceeds its logon hours.
    Recommended Security Setting: Enabled

Message text for users attempting to log on: It is recommended that systems display a warning message before logon, indicating the private nature of the system. Many organizations use this message box to display a warning message that notifies potential users that their use can be monitored and they can be held legally liable if they attempt to use the computer without proper authorization. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Text you want displayed"
    Recommended Security Setting: <see DoD Warning Banner text>

Message title for users attempting to log on: In conjunction with the Logon Text, it is recommended that systems display a warning message title before logon, indicating the private nature of the system.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Text you want displayed on title bar"
    Recommended Security Setting: <see DoD Warning Banner Title text>

Number of previous logons to cache in case Domain Controller not available: The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as when the user's machine is disconnected from the network or domain controllers are not available. Users will NOT be able to log on to the domain unless connected to the network.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount = 0
    Recommended Security Setting: 0

Prevent user from installing print drivers: Enables the system spooler to restrict adding printer drivers to administrators and print operators (on server) or power users (on workstation). Users can still connect to Network Print shares on which they have permissions. Due to an implementation flaw, the .inf file does not set this registry key correctly. The manual change on page 75 is still required.
    HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan PrintServices\Servers\AddPrintDrivers = 1
    Recommended Security Setting: Enabled

Restrict CDROM access to locally logged on user only: By default, Windows allows any program to access files on CDROM drives. In a highly secure, multi-user environment, only allow interactive users to access these devices. When operating in this mode, the CD-ROM(s) are allocated to a user as part of the interactive logon process. These devices are automatically reallocated when the user logs off.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms = 1
    Recommended Security Setting: Enabled

Restrict Floppy access to locally logged on user only: By default, Windows allows any program to access files on floppy drives. In a highly secure, multi-user environment, only allow interactive users to access these devices. When operating in this mode, the floppy disks are allocated to a user as part of the interactive logon process. These devices are automatically reallocated when the user logs off.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies = 1
    Recommended Security Setting: Enabled

Restrict management of shared resources such as COM1: Restrict the access of shared resources.
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode
    Recommended Security Setting: Enabled

Secure Channel: Digitally encrypt or sign secure channel data always:
    Recommended Security Setting: Not Configured

Secure Channel: Digitally encrypt or sign secure channel data when possible:
    Recommended Security Setting: Not Configured

Secure Channel: Digitally sign secure channel when possible:
    Recommended Security Setting: Not Configured

Secure System partition (for RISC platforms only):
    Recommended Security Setting: Not Configured

Send downlevel LanMan compatible password: This parameter specifies the type of authentication to be used. For a homogeneous Windows Network this key should be set to 5.
    HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Value = 5
    Recommended Security Setting: Not Compatible

Send unencrypted password in order to connect to 3rd Party SMB server: Some non-Microsoft SMB servers only support unencrypted (plain text) password exchanges during authentication. Check with the vendor of the SMB server product to see if there is a way to support encrypted password authentication, or if there is a newer version of the product that adds this support.
    HKLM\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword = 0
    Recommended Security Setting: Disabled

Shutdown system immediately if unable to log security audits: If events cannot be written to the security log, the system should be halted immediately. If the system halts as a result of a full log, an administrator must log onto the system and clear the log.
    HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail = 1
    Recommended Security Setting: Enabled
5.6.5 Event Log Settings

Event Log settings that can be configured with the SCM include maximum size, guest access, how long logs will be retained, and how the operating system handles logs at the maximum size. To view event log settings of an SCM template, double-click the following:
a. Security Configuration Manager
b. Configurations
c. Default configuration file directory (%SystemRoot%\Security\Templates)
d. Specific configuration file
e. Event Log

To modify Event Log settings via the Security Configuration Manager, double-click the following path: Event Log | Settings for Event Logs | specific option to view or edit. Table 6 lists recommended Event Log settings for the Application, Security, and System logs.

Table 6. Event Log Settings

Maximum Log Size for Application Log, Maximum Log Size for Security Log, Maximum Log Size for System Log: If the event logs are too small, logs will fill up often and administrators must save and clear the event logs more frequently than required. Allowable values range from 64 KB to 4194240 KB.
    Recommended Settings: 4194240 kilobytes (KB)

Restrict Guest access to Application Log, Restrict Guest access to Security Log, Restrict Guest access to System Log: Default configuration allows guests and null logons the ability to view event logs (system and application logs). While the security log is protected from guest access by default, it is viewable by users who have the Manage Audit Logs user right. This option disallows guests and null logons from viewing any of the event logs.
    Recommended Settings: Enabled

Retain Application Log for, Retain Security Log for, Retain System Log for: These options control how long the event logs will be retained before they are overwritten. Since it is not recommended that any event logs be overwritten when they become full, this option should not be configured.
    Recommended Settings: Not configured

Retention method for Application Log, Retention method for Security Log, Retention method for System Log: How the operating system handles event logs that have reached their maximum size. The event logs can be overwritten after a certain number of days, overwritten when they become full, or have to be cleared manually. To ensure that no important data is lost, especially in the event of a security breach of the system, the event logs should not be overwritten.
    Recommended Settings: Manually

Shutdown system when security audit log becomes full: If events cannot be written to the security log, the system should be halted immediately. If the system halts as a result of a full log, an administrator must restart the system and clear the log.
    Recommended Settings: Enabled
5.6.5.1 Security Options Settings

The Security Options settings recommend enabling Audit access to internal system object and Audit use of all user rights including Backup and Restore. If these options are enabled, large amounts of audit data will be generated, requiring the logs to be cleared regularly. In order to save and clear audit logs select:
a. Start | Programs | Administrative Tools (Common) | Event Viewer.
b. Select Event log from the Log menu.
c. Select Clear All Events.
d. Yes to save settings with unique file name.
e. Save.
f. Yes to clear the log.
g. Repeat the above steps for each log.
5.6.5.2 Clearing Logs on System Halts

If the system halts as a result of a full log, an administrator must restart the system and clear the log. Before the auditor clears the security log, ensure the data is saved to disk. Then use the Registry Editor to modify the following Registry key value:

Select Start | Run | Type Regedt32.exe
    Open Hive: HKEY_LOCAL_MACHINE
    Key: \System\CurrentControlSet\Control\Lsa
    Name: CrashOnAuditFail
    Type: REG_DWORD
    Value: 1

This value is set by the operating system just before it crashes due to a full audit log. While the value is 2, only the administrator can log on to the computer. This value confirms the cause of the crash. Reset the value to 1.
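The registry values listed in the Security Options table, and the CrashOnAuditFail state described in 5.6.5.2, can be verified in one read-only pass. The following PowerShell script is an added example, not part of the manual or its templates; it assumes PowerShell is installed, takes its key paths and values from the table, and its status labels (OK, MISMATCH, MISSING, REVIEW, HALTED ON FULL LOG) are this example's own.

```powershell
# Added example (not part of the manual): read-only comparison of registry
# values against the settings recommended in the Security Options table.
# Nothing is written to the registry.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$memMgmt  = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Memory Management'
$rdr      = 'HKLM:\System\CurrentControlSet\Services\Rdr\Parameters'

# Expected = $null means the table gives no value for the entry, so it is
# only reported for manual review.
$baseline = @(
    @{ Key = $winlogon; Name = 'ShutdownWithoutLogon';    Expected = 0 },
    @{ Key = $winlogon; Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Key = $winlogon; Name = 'CachedLogonsCount';       Expected = 0 },
    @{ Key = $winlogon; Name = 'AllocateCDRoms';          Expected = 1 },
    @{ Key = $winlogon; Name = 'AllocateFloppies';        Expected = 1 },
    @{ Key = $lsa;      Name = 'AuditBaseObjects';        Expected = 1 },
    @{ Key = $lsa;      Name = 'FullPrivilegeAuditing';   Expected = $null },
    @{ Key = $lsa;      Name = 'RestrictAnonymous';       Expected = 1 },
    @{ Key = $lsa;      Name = 'LMCompatibilityLevel';    Expected = 5 },
    @{ Key = $lsa;      Name = 'CrashOnAuditFail';        Expected = 1 },
    @{ Key = $memMgmt;  Name = 'ClearPageFileAtShutdown'; Expected = 1 },
    @{ Key = $rdr;      Name = 'EnablePlainTextPassword'; Expected = 0 }
)

function Test-SecurityOption {
    param([hashtable]$Item)

    $name   = $Item.Name
    $actual = $null

    # A missing key or value produces no object rather than a terminating error.
    $props = Get-ItemProperty -Path $Item.Key -Name $name -ErrorAction SilentlyContinue
    if ($props) { $actual = $props.$name }

    # Winlogon values are stored as strings, Lsa values as numbers, so the
    # comparison is done on the string form of both sides.
    if ($null -eq $actual)                      { $status = 'MISSING' }
    elseif ($null -eq $Item.Expected)           { $status = 'REVIEW' }
    elseif ("$actual" -eq "$($Item.Expected)")  { $status = 'OK' }
    else                                        { $status = 'MISMATCH' }

    # Per 5.6.5.2: the operating system sets CrashOnAuditFail to 2 just before
    # it halts on a full audit log. Save and clear the log, then reset to 1.
    if ($name -eq 'CrashOnAuditFail' -and "$actual" -eq '2') {
        $status = 'HALTED ON FULL LOG'
    }

    New-Object PSObject -Property @{
        Name     = $name
        Expected = $Item.Expected
        Actual   = (@($actual) -join ' ')   # binary values print as space-separated bytes
        Status   = $status
    }
}

$baseline |
    ForEach-Object { Test-SecurityOption -Item $_ } |
    Select-Object Name, Expected, Actual, Status |
    Format-Table -AutoSize
```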
5.6.6 Registry Key Permission Settings

The editing of the registry is not recommended. However, there will be site-specific guidance or updates relating to security that require changes to registry keys. The SA should read this guidance prior to making any changes to the registry.

5.6.7 File Permission Settings

The necessary changes can be made in one of two ways. The first method is to use an automated script; the second method is to change permissions on each file and folder manually.

5.6.7.1 Modifying Permissions on a File or Folder

To modify the security settings on a particular file or folder already specified in the inf file:
a. In the right frame, double-click on the file or folder to be changed.
b. Ensure that the Overwrite radio button is selected.
c. Click Edit Security.
d. Uncheck the Allow inheritable permissions from parent to propagate to this object checkbox.
e. If the inheritable permissions checkbox was previously checked, click on the Remove button in the Security dialog box.
f. Add/remove users and groups to reflect the recommended permissions.
g. For each user and/or group, set the permissions by clicking on the permission checkboxes.
5.6.7.2 Permissions Encompassing all Folders and Subfolders

If the folder permissions should encompass the folder itself, all files within the folder, and all subfolders:
a. Click Apply | OK. Stop here.
b. Otherwise, click the Advanced button.
c. Double-click on a user and/or group. A Permission Entry dialog box will appear.
d. In the Apply To pull-down menu, select the correct configuration (e.g. This folder only).
e. Click OK | Apply | OK | OK.
5.6.7.3 Adding files or folders to the Security Configuration

To add a file or folder to the security configuration:
a. Right-click on File System.
b. Select Add Files or Add Folder from the pull-down menu.
c. Select the file or folder to be added.
d. Click OK.
e. A Configuration Security dialog box will appear.
f. Configure the permissions according to the steps detailed in the previous Modifying Permissions on a File or Folder section.
5.6.7.4 Excluding an Object When Modifying the Configuration

There are occasions where a specific file or folder should retain its current security settings. To ensure that parent folders don't propagate their new permissions down to such files or folders, exclude the object from configuration. To exclude an object:
a. In the right frame of File System, double-click on the file or folder to be changed.
b. Click the Ignore radio button.
c. Click OK.
5.6.7.5 File and Folder Permission Settings

Folders and files not explicitly listed below are assumed to inherit the permissions of their parent folder. Folders with Ignore are explicitly excluded from configuration and retain their original permissions. The following system variables are referenced in the file permissions within the OS configuration file:
%SystemDrive% - The drive letter on which Windows is installed. This is usually C:\.
%SystemRoot% - The folder containing the Windows operating system files. This is usually %SystemDrive%\winnt.
%SystemDirectory% - %SystemRoot%\system32.
Table 7. File and Folder Permission Settings

Each entry gives the Folder or File, followed by the User Groups and their Recommended Permissions.

%SystemDirectory% (folder, subfolders, and files): Contains many operating system DLLs, drivers, and executable programs.
    Administrators: Full Control; Authenticated Users: Read, Execute; Creator Owner: Full Control; System: Full Control

%SystemDirectory%\config (folder, subfolders, and files): Contains registry hive files.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\Ntbackup.exe (file): File system backup program.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\rcp.exe (file): Program used to execute remote procedure calls.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\Rdisk.exe (file): Program used to create an Emergency Repair Disk.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\Regedt32.exe, %SystemDirectory%\Regedt32.cnt, %SystemDirectory%\Regedt32.hlp (file): Registry editing tool and associated help files.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\repl\export (folder, subfolders, and files): Folder containing scripts and files to be replicated to other replication servers.
    Administrators: Full Control; Authenticated Users: Read, Execute; Creator Owner: Full Control; Replicator: Read, Execute; System: Full Control

%SystemDirectory%\repl\import (folder, subfolders, and files): Folder containing scripts and files that have been replicated from other replication servers.
    Administrators: Full Control; Authenticated Users: Read, Execute; Creator Owner: Full Control; Replicator: Modify; System: Full Control

%SystemDirectory%\rexec.exe (file): Program used to execute remote calls.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\rsh.exe (file): Program used to execute a remote shell.
    Administrators: Full Control; System: Full Control

%SystemDirectory%\spool\Printers (folder, subfolders, and files): Printer spool.
    Administrators: Full Control; Authenticated Users: Modify; Creator Owner: Full Control; Replicator: Modify; System: Full Control

%SystemDrive% (folder, subfolders, and files): Drive on which Windows is installed. Contains important system startup and configuration files.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemDrive%\autoexec.bat, c:\autoexec.bat (file): Initialization file for DOS applications.
    Administrators: Full Control; Authenticated Users: Read, Execute; System: Full Control

%SystemDrive%\boot.ini, c:\boot.ini (file): Boot menu.
    Administrators: Full Control; System: Full Control

%SystemDrive%\config.sys, c:\config.sys (file): Initialization file for DOS applications.
    Administrators: Full Control; Authenticated Users: Read, Execute; System: Full Control

%SystemDrive%\io.sys (file): Initialization file for DOS applications.
    Administrators: Full Control; Authenticated Users: Read, Execute; System: Full Control

%SystemDrive%\msdos.sys (file): Initialization file for DOS applications.
    Administrators: Full Control; Authenticated Users: Read, Execute; System: Full Control

%SystemDrive%\ntdetect.com, c:\ntdetect.com (file): Hardware detector during Windows boot.
    Administrators: Full Control; System: Full Control

%SystemDrive%\ntldr, c:\ntldr (file): Windows operating system loader.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control

%SystemDrive%\NTReskit (folder, subfolders, and files): Only exists if Windows Resource Kit has been installed. Contains resource kit files.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemDrive%\pagefile.sys (file): System pagefile. Cannot be accessed since it is being used.
    (Ignore)

%SystemDrive%\Program Files (folder, subfolders, and files): Default folder for installed applications.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemDrive%\Users (folder, subfolders, and files): If folder exists (from a previous Windows version), leave permissions intact.
    (Ignore)

%SystemDrive%\Win32app (folder, subfolders, and files): If folder exists (from a previous Windows version), leave permissions intact.
    (Ignore)

%SystemRoot% (folder only): Folder in which the Windows operating system is installed. By default, this is called winnt.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemRoot% (subfolders and files):
    Administrators: Full Control; Authenticated Users: Read, Execute; Creator Owner: Full Control; System: Full Control

%SystemRoot%\$NtServicePackUninstall$ (folder, subfolders, and files): Contains older versions of system files necessary to back off a service pack.
    Administrators: Full Control; System: Full Control

%SystemRoot%\Cookies (folder, subfolders, and files): Folder in which cookies generated in web browsing are kept.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemRoot%\drwtsn32.log (file): Dr. Watson application error log file.
    Administrators: Full Control; Authenticated Users: Modify; Creator Owner: Full Control; System: Full Control

%SystemRoot%\Help (folder, subfolders, and files): System Help files. In order for authenticated users to use the full capabilities of help, they must be able to add index files to this folder.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemRoot%\History (folder, subfolders, and files): History folder for web browsing.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemRoot%\mapiud.ini (file): File needed for Outlook Express.
    Administrators: Full Control; Authenticated Users: Modify; Creator Owner: Full Control; System: Full Control

%SystemRoot%\nsreg.dat (file): File needed for Netscape.
    Administrators: Full Control; Authenticated Users: Modify; Creator Owner: Full Control; System: Full Control

%SystemRoot%\Profiles (folder, subfolders, and files): Contains user profile settings. Because the Profiles folder needs to retain specific user permissions, it will be configured manually in chapter 13 of the NSA recommendation guide.
    (Ignore)

%SystemRoot%\regedit.exe (file): Registry editing tool.
    Administrators: Full Control; System: Full Control

%SystemRoot%\repair (folder, subfolders, and files): Backup files of SAM database and other important registry and system files to be used during a system repair.
    Administrators: Full Control; System: Full Control

%SystemRoot%\Security (folder, subfolders, and files): SCM databases and templates.
    Administrators: Full Control; System: Full Control

%SystemRoot%\SendTo (folder, subfolders, and files): Folder needed for Outlook Express.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute

%SystemRoot%\Temporary Internet Files (folder, subfolders, and files): Folder needed for web browsing.
    Administrators: Full Control; Creator Owner: Full Control; System: Full Control; Authenticated Users: Read, Write, Execute
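The Table 7 entries that grant access only to Administrators and System can be spot-checked without changing any permissions. This PowerShell script is an added example, not the automated script the manual refers to; it assumes PowerShell is installed and an administrative session, identifies the two groups by their well-known SIDs (S-1-5-32-544 and S-1-5-18), and its finding labels are this example's own.

```powershell
# Added example (not part of the manual): read-only check of the Table 7
# entries whose recommended permissions are Administrators and System,
# Full Control, and nothing else. No ACL is modified.
$systemDirectory = Join-Path $env:SystemRoot 'system32'   # %SystemDirectory% as defined in 5.6.7.5

$restricted = @(
    "$systemDirectory\config",
    "$systemDirectory\Ntbackup.exe",
    "$systemDirectory\rcp.exe",
    "$systemDirectory\Rdisk.exe",
    "$systemDirectory\Regedt32.exe",
    "$systemDirectory\rexec.exe",
    "$systemDirectory\rsh.exe",
    "$env:SystemDrive\boot.ini",
    "$env:SystemDrive\ntdetect.com",
    "$env:SystemRoot\regedit.exe",
    "$env:SystemRoot\repair",
    "$env:SystemRoot\Security"
)

# Well-known SIDs, so the check does not depend on localized group names.
$allowed     = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'System' }
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-AclFinding {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) { return "NOT PRESENT   $Path" }

    $findings = @()
    $hasFull  = @{}

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Accounts that no longer resolve are reported under their raw name.
        try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $sid = $ace.IdentityReference.Value }

        if (-not $allowed.ContainsKey($sid)) {
            # Any Allow entry for another account exceeds the table.
            $findings += "EXTRA ACE     $Path  $($ace.IdentityReference): $($ace.FileSystemRights)"
        }
        elseif (([int]$ace.FileSystemRights -band $fullControl) -eq $fullControl) {
            $hasFull[$sid] = $true
        }
    }

    # Both listed groups must hold Full Control.
    foreach ($sid in $allowed.Keys) {
        if (-not $hasFull.ContainsKey($sid)) {
            $findings += "NO FULL CTRL  $Path  $($allowed[$sid])"
        }
    }

    if ($findings.Count -eq 0) { return "OK            $Path" }
    return $findings
}

$restricted | ForEach-Object { Get-AclFinding -Path $_ }
```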
5.6.8 Special considerations for the Dr. Watson USER.DMP File

By default, the Everyone group has Full Control of the Dr. Watson crash dump file (user.dmp). This file contains various program error details, including information on the computer and the user logged in at the time the error took place. If a user successfully gained access to this file, they could obtain confidential information such as username and password. To prevent users from getting access to potentially sensitive information, select one of the following options for protecting the crash dump file:
a. If information from the crash dump file is not required, delete the drwtsn32.exe entry from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug registry key. This will cause Dr. Watson to be replaced with a simple Application Error box.
b. If information from the crash dump file is desired, create a directory that will be used to hold the crash dump files. Set the permissions for this directory as described in Table 8.

Table 8. Dr Watson Crash Dump File Permission Settings

Group/User Name: Permissions
    Administrators: Full Control
    Authenticated Users: Modify (This folder only)
    Creator Owner: Full Control
    System: Full Control
5.7 Windows Discretionary Access Controls

Windows Explorer gives the SA the ability to view and change access permissions for files and directories. By default, members of the Administrators group can use Windows Explorer to control auditing for and take ownership of specific files and directories. Users logged on as members of other groups can use Windows Explorer to view and change permissions for files and directories they own or for which they have permission to do so. The SA should use the list of files and directories provided in the SA Manual to ensure that the files and directories are properly set on Access Control Lists. Additional guidance for ACLs is given in the DISA Security Technical Implementation Guide document. Normal SAAS-Mod users should have the ability to access any OS or database management system (DBMS) files.

Print Manager allows members of the Administrator and Power User groups to create (install) and configure new printers and to manage the forms that can be used by printers. By default, Administrators can control auditing for and take ownership of any printer. Within limits established by permissions protecting a printer, all users can use Print Manager to set the properties of the printer, set permissions on a particular printer, take ownership of a printer, and manage documents in the print queue. The DISA Security Technical Implementation Guide document lists all the rights that can be assigned by the Administrator to users.

Remote Access Server requires separate permissions. The DISA Security Technical Implementation Guide document describes configuration settings for Remote Access Service (RAS). Section 11.2 of the System Administrator's Manual also gives guidance for setting up RAS.

5.8 Windows Identification and Authentication

System administrators should NOT use the default Administrator UserID. The default Administrator password should be changed immediately to a random set of characters. The SA should create a unique UserID for each SA and assign the SA users to the Group Administrators. The password for the UserID Administrator should be written down and placed in a secure container for use only when the SA can no longer function or is incapacitated. The DISA Security Technical Implementation Guide document contains guidance for the account policies in Figure 8-2.

5.9 Oracle Database Management System
UPDATE: Use the Database Security Technical Implementation Guide, v7r2, May 2006. The IASO/Database Administrator (DBA) is responsible for documenting deviations from the DB Security Technical Implementation Guides (STIG).

5.9.1 Current Relational Database Management System Version
The integrity of the Relational Database Management System (RDBMS) software executables and data files is crucial to the optimal and correct operation of all database applications using the RDBMS. To protect the RDBMS environment, the IASO will ensure that the database RDBMS version is a vendor-supported product version. Vendor-supported product versions are those that continue to receive security updates by the vendor upon discovery of vulnerabilities. The DBA will ensure that the database RDBMS patch level is in accordance with Information Assurance Vulnerability Management (IAVM) requirements. Systems unable to support upgrades require an extension for non-compliance filed with a signed acceptance of risk by the system DAA. The RDBMS host should be an approved/certified platform to host the database.
The IASO will ensure that the database RDBMS version is a vendor-supported product version. The database RDBMS patch level will be maintained by the DBA in accordance with IAVM requirements.

5.9.2 RDBMS Software Monitoring
The RDBMS software installed on the host system will be monitored monthly for unauthorized modification. Trojan horses and other malicious code could be implanted in standard database executables that could corrupt database integrity or allow unauthorized access. Host systems should baseline their systems after application installation to collect data on application directories and files for future comparison in order to determine unauthorized modification.
The host SA will monitor the RDBMS software on a regular basis, no less frequently than monthly, to detect unauthorized modifications.

5.9.3 Oracle Discretionary Access Controls
The Database Security Technical Implementation Guide, v7r2, May 2006 document contains guidance for using profiles and managing privileges to users.

5.9.4 Oracle Auditing
The Database Security Technical Implementation Guide, v7r2, May 2006 document contains guidance for auditing. The IASO shall update this TFM accordingly if additional auditing is necessary to meet updated requirements. Table 9 lists 23 SAAS-Mod DB tables, which are audited for update, delete, and insert events after the audit.sql file is executed during installation.
The Database Security Technical Implementation Guide, v7r2, May 2006 document contains guidance for managing Oracle audits. SAAS-Mod 1B contains the Oracle Browser, which enables the DBA to customize the view of the information in the audited table. Refer to the interactive documentation for Oracle Browser loaded on the SAAS-Mod 1B computer for more information. The Oracle audit data must be reviewed at least once per week or when abnormal/malicious activity is suspected. Oracle contains an SQL script file named cataudit.sql, which the DBA can execute to support the audit review process. Table 10 lists the Oracle views, which are created when cataudit.sql is executed.
Table 10. List of Audit Views
Audit Views
1 STMT_AUDIT_OPTION_MAP
2 AUDIT_ACTIONS
3 ALL_DEF_AUDIT_OPTS
4 DBA_STMT_AUDIT_OPTS
5 USER_OBJ_AUDIT_OPTS, DBA_OBJ_AUDIT_OPTS
6 USER_AUDIT_TRAIL, DBA_AUDIT_SESSION
7 USER_AUDIT_SESSION, DBA_AUDIT_SESSION
8 USER_AUDIT_STATEMENT, DBA_AUDIT_STATEMENT
9 USER_AUDIT_OBJECT, DBA_AUDIT_OBJECT
10 DBA_AUDIT_EXISTS
11 USER_AUDIT_SESSION, DBA_AUDIT_SESSION
12 USER_TAB_AUDIT_OPTS
The Database Security Technical Implementation Guide, v7r2, May 2006 document contains guidance on how to set up audit triggers when abnormal/suspicious activity is suspected or when trying to follow the movements of a suspicious user.
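
The baseline-and-compare routine that section 5.9.2 calls for, as an added example (it is not part of the original manual or of SAAS-Mod): it hashes every file under an install directory, stores the result, and later reports added, removed and modified files. The directory and file names used in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash file contents in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    digests = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                digests[rel] = sha256_file(full)
            except OSError as err:
                # A file that cannot be read is itself worth reporting.
                digests[rel] = "UNREADABLE: " + err.__class__.__name__
    return digests


def save_baseline(digests, path):
    # Keep the baseline on write-protected or off-host media: anyone able to
    # replace an executable could otherwise replace its recorded hash too.
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(digests, handle, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Return the files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in set(baseline) & set(current)
            if baseline[path] != current[path]
        ),
    }


def demo():
    """Baseline a constructed install tree, alter it, and return the report."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "rdbms_home")  # hypothetical directory name
        os.makedirs(os.path.join(root, "bin"))
        original = {
            "bin/server.exe": b"original server image",
            "bin/listener.exe": b"original listener image",
            "settings.cfg": b"setting=1\n",
        }
        for rel, data in original.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as handle:
                handle.write(data)
        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Changes made after the baseline was taken (what the monthly check looks for).
        with open(os.path.join(root, "bin", "server.exe"), "wb") as handle:
            handle.write(b"tampered server image")  # same length, new content
        os.remove(os.path.join(root, "settings.cfg"))
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as handle:
            handle.write(b"file that was not in the baseline")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The replaced server.exe in the demo has the same size as the original, so a size comparison alone would not flag it; the content hash does.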

5.9.5 Oracle Identification and Authentication
Use the Database Security Technical Implementation Guide, v7r2, May 2006, to securely configure the Oracle identification and authentication (I&A) settings. Password complexity must be in accordance with DISA and Army guidelines.

5.10 SAAS-Mod Application Security
This section provides guidance and procedures for SAAS-Mod Application DAC, Auditing, and I&A.

5.10.1 Application Discretionary Access Controls
ALLFusion provides access in Maintain Users processes. See Section 16.0 of the SAAS-Mod 1B End Users Manual for specific details on the security access controls provided by the Maintain Users processes.

5.10.2 Application Auditing
The SAAS-Mod DB Transaction History Table contains a limited audit trail of all communication activity. Refer to the SAAS-Mod 1B System Administrators Manual for detailed information pertaining to the Transaction History Table.

5.10.3 Application Identification and Authentication
Procedures and guidance pertaining to the SAAS-Mod Application I&A are to be IAW the DISA Desktop Application Security Technical Implementation Guide, 06 February 2006. Applications unable to conform shall have deviations to these requirements documented and maintained by the IASO.

5.11 C2 Protect Tools
Brigade and above should have an IASO familiar with C2 Protect Tools and AR 25-2, when published. Coordination with the IASO is essential for maintaining the correct versions of the C2 Protect Tools.

5.12 Anti-Virus
Each computer in SAAS-Mod 1B should have the Norton Anti-Virus software program running resident in memory at all times. Floppy disks placed into a floppy drive on any SAAS-Mod 1B computer and files received from external sources should automatically be scanned for viruses. Do not open a file on a floppy disk until the entire disk is scanned for viruses. Each computer should have scheduled times at which the hard drive is automatically scanned for viruses. The anti-virus software should scan the entire hard disk each time the computer cold boots. The IASO should be notified immediately when a virus is detected. Do not continue processing until the IASO is notified and the IASO verifies the virus has been cleaned.
Procedures and guidance pertaining to the proper Norton settings shall be IAW Army Antivirus Policy messages and the DISA Application STIG. The IASO shall ensure the Antivirus .dat files are updated at least every 30 days.

5.13 Security Patches
Maintaining the security of a Windows system requires frequent reviews of security bulletins. Many security bulletins mandate the installation of a software patch or hotfix to overcome security vulnerabilities. The IASO and SA must ensure that the latest security patches to correct known vulnerabilities are installed on SAAS-Mod.
The IASO and SA shall subscribe to the DoD Computer Emergency Response Team (CERT) Information Assurance Vulnerability Alert (IAVA) list. Send an email to: majordomo@cert.mil. The body of the message should consist of the one line of text below:
subscribe iavalist
The IASO/SA will receive a message from the list server requesting confirmation. The message will contain a confirmation number. The IASO/SA will have to respond with the confirmation number to complete the subscription process.
The IASO and SA should keep abreast of the latest countermeasures (security patches) by periodically reviewing information published by organizations such as the CERT Carnegie Mellon University, Forum of Incident Response Security Teams (FIRST), DISA Automated Systems Security Incident Support Team (ASSIST), and Computer Incident Advisory Capability (CIAC).
Specific procedures and guidance pertaining to security patches are included with the release of Systems Change Package. See the Software Version Descriptor (SVD) for installation instructions.
Before a patch or hotfix is applied to the system, the Configuration Control Board must approve the change to the baseline. The Configuration Management Plan should include an emergency process to quickly incorporate security patches or configurations into the system baseline. If the security patch or configuration change is in response to an IAVM message, the fix must be applied in accordance with the IAVM Process. If the IASO/SA is unable to apply the fix within the time limit established in the IAVA, the IAM/IASO will need to request, through the DAA, an extension or exemption from the Army Computer Emergency Response Team (ACERT).

6.0 WINDOWS XP PROFESSIONAL SOFTWARE INSTALLATION AND CONFIGURATION
The security configuration discussed in this document applies to Windows XP Professional used by SAAS-Mod with any new or existing installation. In most cases, no distinction will be made. All sites should use this document in conjunction with instructions regarding the installation of Windows XP Professional standard configuration options. The recommendations presented will strengthen security measures implemented during the installation phase of the operating system software.

6.1 Pre-Configuration Requirements

6.1.1 Hardware Compatibility List
The following points should be considered when selecting hardware: Only hardware listed on the Microsoft Hardware Compatibility List should be used for Windows XP environments. Using hardware that does not conform to Windows XP standards may cause serious compatibility problems and have potential security consequences.

6.1.2 Patches and Hotfixes
Patches and hotfixes are applied to fix operational and security flaws that Microsoft has discovered. Administrators are required to apply the latest Windows service packs and hotfixes as directed by the PM LIS IASO. Often, these will be applied via interim change package (ICP) issued by the IASO. See paragraph 5.13 for further guidance.

6.2 Physically Securing Workstation and Software
The physical security requirements for system hardware are contained in AR 190-13, The Army Physical Security Program. System hardware and software installation disks that have not been physically secured can make the operating system and data stored on hard drives vulnerable. For example, a personal computer's floppy drive can easily be used to subvert the operating system's controls if certain precautions are not taken. Booting from a DOS floppy and then running a simple shareware program allows the contents of an NTFS (Windows XP Professional workstation) formatted hard drive to be read. Likewise, software can be installed and then used to recover an Administrator's password to gain unauthorized control of the operating system. On occasion, the subversion can be unintentional, such as allowing the floppy device to be part of the boot sequence and accidentally booting from a virus-infected disk that releases malicious and damaging code.
The mandatory precautions to safeguard the Windows XP Professional Workstations are:
--Physically restrict access to Windows XP Professional workstations by persons other than the user of that workstation.
--Physically secure the hard drives by locking them in place or locking the case to a fixed building support.
--Physically secure software, particularly the Windows XP Professional workstation installation disks and CDs.
--Implement passwords to protect the BIOS in order to prevent the floppy drives being activated without authorization.
--Virus scanning software must be installed and regularly used to detect and remove viruses. The Department of Defense owns a site license for Norton Antivirus for Windows XP Professional.

7.0 Manual Security Configuration
The following settings are provided in the event that it becomes necessary for the SA to manually configure a SAAS-Mod system. These settings are part of the system install image distributed by the PM LIS along with comprehensive installation instructions. Therefore, a manual configuration should not be necessary. However, the SA should periodically review these settings and verify that the system configuration has not been changed. Any deviation from the NSA security settings, as required by DoD Directive 8500.1, for the operational system shall be documented by the local IASO/IAM. These changes shall be considered and approved by the Configuration Control Board prior to any changes taking effect.

7.1 Password Management
a. Passwords must be used.
b. Passwords must be at least 10 characters long.
c. Passwords must contain characters from the following four classes:
(1) English Upper Case Letters (A, B, C, ... Z)
(2) English Lower Case Letters (a, b, c, ... z)
(3) Westernized Arabic Numerals (0, 1, 2, ... 9)
(4) Non-alphanumeric, Special characters (!, @, #^, *)

7.3 Configuring the Default Accounts

7.3.1 Administrator Account
Table 15 lists the configurations used for the local Administrator account on a Windows XP Professional workstation.
Table 15. Administrator Account Configuration
Administrator User Properties | Parameters
User Name | Rename the default Administrator account.
Full Name | Administrator
Description | Keep the same.
Password | Password must meet complexity requirements.
User Must Change Password at Next Logon | Should not be selected.
Users Cannot Change Password | Should not be selected.
Passwords Never Expire | Department policy requires that users' passwords change every 90 days. Using this feature, the system administrator can force a user's password to expire automatically. Alternatively, the administrator may elect to handle this process manually.
Account Disabled | Do not select.
Groups | The Administrator account should only belong to the local Administrator group.
Profile | Do not configure for local Administrator.

7.3.2 Guest Account
The Guest account must be password protected and disabled. Use Table 16 to configure the guest account.
Table 16. Guest Account Configuration
Guest User Properties | Parameters
User Name | Rename the default Guest account.
Full Name | Guest
Description | Keep the same.
Password | Password must meet complexity requirements.
User Must Change Password at Next Logon | Should not be selected.
Users Cannot Change Password | Should be selected.
Passwords Never Expire | Department policy requires that users' passwords change every 90 days. This applies to disabled accounts as well as active accounts.
Account Disabled | Do not select.
Groups | The Guest account should only belong to the local Guest group.
Profile | Disable this account.

7.4 Assigning Users to Groups
Recommendation: Use the following rule of thumb to manage security using groups:
a. Devise a Windows XP Professional workstation group architecture based on functional/operational needs.
b. Create the user accounts and add them to these functional/operational groups.
c. Apply Windows XP Professional workstation permissions against functional/operational groups by adding only groups to the ACL for objects (e.g., files and printers).
NOTE: The system administrator must follow the principle of least privilege when assigning users to groups. Membership in a group must be determined by the user's need to access the collective resource permissions and system rights of the group. All groups must be created by the system administrator, and possess only those privileges required by the group to perform assigned duties.

7.5 Print Auditing
Print auditing, as supported by the Print Manager program, may be useful for certain classes of users. Enable print auditing depending on post requirements and security accountability needed for some application-specific print tasks. Auditing of printer activity is enabled in the Print Manager program, and should address print event logging by group. The following steps must be performed for printer auditing to be enabled:
a. From the Control Panel, select Printers.
b. From the File menu, select Properties.
c. From within Properties, select the Security area.
d. From within Security, select Auditing.
e. Click the Add button and choose the Everyone group name.
f. Select the Failure check box for all Audit Events.

7.6 Printer Restrictions
Users must be restricted to printers within their functional areas. Additionally, only authorized system staff is to be granted Full Control over any dedicated or shared printer. By default, users are permitted to print and delete their print jobs. No further access is required of general users. In some cases, it may be useful to assign a user to the Print Operators group in Windows XP environments, and modify the ACL of a particular printer object to allow that group Manage Printers permission. This can be implemented at the discretion of the SA.

7.7 Additional Security Options Settings
Use the settings shown in Table 17 to configure the local security policy.
Table 17. Security Options
Security Option | Setting
Additional restrictions for anonymous connections | No access without explicit anonymous permissions (HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2)
Allow system to be shutdown without having to logon | Not Defined
Allowed to eject removable Windows XP Professional workstation media | Administrators
Amount of idle time required before disconnecting session | 15 minutes
Audit the access of global system objects | Enabled
Audit use of Backup and Restore privilege | Enabled
Automatically log off users when logon time expires | Enabled
Automatically log off users when logon time expires (local) | Enabled
Clear virtual memory pagefile when system shuts down | Enabled
Digitally sign client communication (always) | Disabled
Digitally sign client communication (when possible) | Enabled
Disable CTRL+ALT+DEL requirement for logon | Disabled
Do not display last username in logon screen | Enabled
LAN Manager Authentication Level | Send NTLMv2 response only\refuse LM (Registry value = 4). Some Windows XP processes, such as Cluster Services, use NTLM to authenticate. Use of the recommended setting may cause these services to fail. If the AD Services client has not been installed, set Send NTLM response only (Registry value = 2). In this instance the IASO must document the settings as a deviation to system configuration requirements and have a contingency plan to mitigate vulnerabilities associated with LM authentication. This setting should be verified in a test environment prior to making any changes on an operational server or workstation.
Message text for users attempting to log on | WARNING! This computer is the property of the United States Department of Defense and may be accessed only by authorized users. Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution. The Department may monitor any official or personal activity or communication on this system and retrieve any information stored within this system. By accessing and using this computer, you are consenting to such monitoring and information retrieval for any lawful purpose, including, but not limited to, a properly authorized law enforcement or counter-intelligence investigation, information systems security monitoring, an Inspector General Inspection, or other authorized administrative investigation. Users have no expectation of privacy with respect to any information, either official or personal, transmitted over, or stored within this system, including information stored locally on the hard drive or other media used with this computer to include removable media or hand-held peripherals devices.
Message title for users attempting to log on | DOD Warning Banner
Number of previous logons to cache | 1
Prevent system maintenance of computer account password | Disabled
Prevent user from installing print drivers | Disabled
Prompt user to change password before expiration | 14 days
Recovery Console: Allow automatic administrative logon | Disabled
Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled
Rename administrative account | Configure Locally
Rename guest account | Configure Locally
Restrict CD-ROM access to locally logged-on user only | Disabled
Restrict floppy access to locally logged-on user only | Disabled
Secure Channel: Digitally encrypt or sign secure channel data (always) | Disabled
Secure Channel: Digitally encrypt secure channel data (when possible) | Enabled
Secure Channel: Digitally sign secure channel data (when possible) | Enabled
Secure Channel: Require strong session key | Disabled
Secure system partition (for RISC platforms only) | Not defined
Send unencrypted password in order to connect to 3rd Party SMB servers | Disabled
Shutdown system immediately if unable to log security audits | Disabled
Smart card removal behavior | Lock workstation
Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled
Unsigned driver installation behavior | Warn but allow installation
Unsigned non-driver installation behavior | Warn but allow installation
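
A drift check for the periodic review that section 7.0 asks of the SA, as an added example that is not part of the original manual: it parses a policy file produced by secedit /export /cfg and reports every checked setting that differs from section 7.1 and Table 17. The sample export is constructed, and the registry value names other than RestrictAnonymous are assumptions of this example (the standard Windows values behind the named options; the manual does not print them).

```python
# Expected values come from section 7.1 and Table 17. Registry value names
# other than RestrictAnonymous are assumptions of this example: they are the
# standard Windows values behind the named options, not text from the manual.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
EXPECTED_REGISTRY = {
    LSA + r"\RestrictAnonymous": "2",
    LSA + r"\LmCompatibilityLevel": "4",
    r"MACHINE\System\CurrentControlSet\Control\Session Manager"
    r"\Memory Management\ClearPageFileAtShutdown": "1",
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    r"\DontDisplayLastUserName": "1",
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    r"\CachedLogonsCount": "1",
}

# Constructed sample of a secedit export (not taken from a real host). Real
# exports are UTF-16 files: open them with encoding="utf-16".
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 90
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"1"
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_export(text):
    """Return {section: {key: value}} with section names and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def registry_data(raw):
    """'4,2' -> '2' and '1,"1"' -> '1': drop the type prefix and any quotes."""
    _type, _sep, data = raw.partition(",")
    return data.strip().strip('"')


def audit(text):
    """Return (setting, expected, actual, status) for each non-matching setting."""
    cfg = parse_export(text)
    access = cfg.get("system access", {})
    registry = cfg.get("registry values", {})
    findings = []

    def number(key):
        try:
            return int(access[key])
        except (KeyError, ValueError):
            return None

    length = number("minimumpasswordlength")
    if length is None or length < 10:           # 7.1 b: at least 10 characters
        findings.append(("MinimumPasswordLength", ">=10", length, "drift"))
    age = number("maximumpasswordage")
    if age is None or not 1 <= age <= 90:       # Tables 15/16: change every 90 days
        findings.append(("MaximumPasswordAge", "1-90", age, "drift"))
    complexity = number("passwordcomplexity")
    if complexity != 1:  # must be on; not by itself the four-class rule of 7.1 c
        findings.append(("PasswordComplexity", "1", complexity, "drift"))

    for path, expected in EXPECTED_REGISTRY.items():
        raw = registry.get(path.lower())        # registry paths are case-insensitive
        actual = registry_data(raw) if raw is not None else None
        if actual == expected:
            continue
        status = "drift"
        if path.endswith("LmCompatibilityLevel") and actual == "2":
            # Table 17 permits 2 only as a deviation documented by the IASO.
            status = "deviation: IASO must document"
        findings.append((path.rsplit("\\", 1)[1], expected, actual, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```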

GLOSSARY
ACRONYMS AND ABBREVIATIONS

ACL Access Control List
AD Active Directory
AR Army Regulation
ASSIST Automated Systems Security Incident Support Team

BIOS Basic Input Output System
BPA Blanket Purchase Agreement

C&A certification and accreditation
CCB Configuration Control Board
CD-ROM compact disk-read only memory
CERT Computer Emergency Response Team
CIAC Computer Incident Advisory Capability
CM configuration management
CND Computer Network Defense
COMPUSEC Computer Security
COOP Continuity of Operations Plan

DAA Designated Approving Authority
DAC Discretionary Access Control
DBA Database Administrator
DBMS database management system
DiD Defense-in-Depth
DISA Defense Information Systems Agency
DITSCAP DoD Information Technology Security Certification and Accreditation Process
DLL dynamic linked library
DoD Department of Defense

I&A identification and authentication
IA Information Assurance
IAM Information Assurance Manager
IASE Information Assurance Support Environment
IASED Information Assurance and Security Engineering Directorate
IASO Information Assurance Security Officer
IAVA Information Assurance Vulnerability Alert
IAVM Information Assurance Vulnerability Management
IAW in accordance with
ICP interim change package
IEF Integrated Engineering Facility

KB kilobyte
KB Knowledge Base

LAN local area network

MMC Microsoft Management Console
MS Microsoft

NSA National Security Agency
NT New Technology
NTFS New Technology File System

OMB Office of Management and Budget
OS operating system

PKI Public Key Infrastructure
PM Program Manager

RA Risk Assessment
RAR Risk Assessment Review
RAS Remote Access Service
RDBMS Relational Database Management System
RISC Reduced Instruction Set Computer

SA system administrator
SAAS-Mod Standard Army Ammunition System Modernization
SABI Secret and Below Interoperability
SAM Security Account Manager
SBU sensitive but unclassified
SCM Security Configuration Manager
SCP Systems Change Package
SFUG Security Features Users Guide
SMB Server Message Block
SMS Systems Management Server
SOP standard operating procedures
SP Service Pack
SSAA System Security Authorization Agreement
STIG Security Technical Implementation Guide
SVD Software Version Descriptor

TASO Terminal Area Security Officer
TFM Trusted Facility Manual

URL Uniform Resource Locator
U.S. United States
USAISEC United States Army Information Systems Engineering Command
UserID user identification

VPN virtual private network

W2K2 MS Windows 2003
WXP MS Windows XP Professional
20.4 AKO Security Update and Downloads
Reference: AKO - The Army's Portal Website
Note: This amendment is divided into three different parts. The first part explains how to gain access to the SAASMOD folder on the Army's AKO Website. The second and third parts briefly detail the steps required to download files from the Army's AKO Website, and how to install the files on your respective computers.
Part 1.) How to Gain Access to the SAASMOD Folder on the Army's AKO Website:
To gain access to the SAASMOD information that has been placed on the Army's AKO website you must perform the actions as outlined below. The Uniform Resource Locator (URL) for the Army's AKO website is as follows: https://www.us.army.mil
To access this website you will need to Register with the Army's Portal website. During the registration process you will be able to obtain a Logon Id and Password to their website. Once you have registered properly, you can access the SAAS MOD folder and download applicable files to your system by following the on screen prompts.
Perform the following steps to access the information that has been placed in the SAASMOD folder for your use:
--click on Files tab (Formerly Collaborate) located near the top of the Home page on the Army's AKO website
--click on U. S. Army Organizations
--click on Logistics
--click on PM LIS
--click on ALIS
--click on SAAS MOD
--click on L6F-xx-00 Interim Changes folder where xx is the current SAAS Release number.
--click on your appropriate level of SAAS.
Please remember to record your Logon Id and Password from the Army's AKO website and retain this information in a secure place. If you have any questions or encounter any problems when attempting to install downloaded files from this website, please call the Customer Assistance Office at Fort Lee, Virginia at the following phone numbers and request guidance from our office: Commercial: (804) 734-1051 DSN: 687-1051
Part 2.) Downloading Instructions from the Army's AKO Website:
Once you have gained access to the Army's AKO website and the SAAS-MOD folder, you will see a plus sign (+) located immediately to the left of SAAS-MOD. Click on the + sign to view the main sub-folders aligned under the SAAS-MOD folder. Click on the main sub-folders to view either additional sub-folders or the files contained therein. Notice that the displayed window is divided into two parts. As you click on the sub-folders located on the left part of the screen to open them, the sub-folders and/or files will be displayed on the right side of the screen. Follow the sequence of steps listed below to download the selected file. You can only download one file at a time:
--Select the file that you want to download by placing a checkmark in the box adjacent to the file
--Click on the selected file to be downloaded
--A File Download window will pop up on your screen
--Click on the SAVE button
--A SAVE AS window will be displayed on your screen
--Select the folder location of your choice as to where you want to save the file
--In the SAVE AS window, click on SAVE; the File Download process will start automatically
--When the File Download process has completed, the Download Complete window will be displayed on your screen with this message displayed, Download Complete
--Click on Close
--Close any remaining window(s) that are open until you return to the AKO screen displaying the Collaborate Tab and the SAAS MOD folders and files.
--You may now download another file or Logout from the AKO Website
--The LOGOUT button is located at the top right side of the Collaborate Tab
--Downloading the file to your Hard drive is now complete. The next step is file installation.
Part 3.) Installation of SAASMOD Downloaded Files from the Army's AKO Website:
After completing Parts 1 and 2 above successfully, you now have the downloaded file saved to your hard drive on your computer system. To implement the essentials of the file that you have downloaded, follow the sequence of steps listed below:
--You must be logged on as the Administrator with the Administrative Password
--Using either Microsoft Explorer or File Manager, proceed to the location where you SAVED the downloaded file on your hard drive
--Remember that most of these downloaded files are executable file(s); the file extension is .exe
--Double Left Click on the downloaded file and the execution of the downloaded file will start
--Follow any on-screen prompts during the execution process
--After the execution process has completed, Re-start your system so that the changes will take effect
--Remember that in most instances, your system will Re-Start automatically upon completion of the execution process. If it does not, then perform the Re-Start manually so that the changes will be implemented on your system.
--After the Re-Start is completed proceed with normal operations.