Admin Handbook Cisco

SAAS MOD
SYSTEMS ADMINISTRATOR HANDBOOK

Table of Contents
TABLE OF CONTENTS

1.0 Introduction
1.1 Manual Overview...1-1
1.2 Roles of a System Administrator.1-1
1.3 Hardware Environment.1-2
1.3.1 MMC Hardware Environment.1-2
1.3.2 ASP Hardware Environment.............1-3
1.3.3 DAO/ATP Hardware Environment.1-4
1.3.4 MMC/ASP/DAO/ATP Software Environment..............1-4
1.4 Maintenance Contract1-5

2.0 Information Sheet
2.1 Information Sheet...2-1
2.2 Server Install Checklist..2-3
2.3 Workstation Install Checklist....2-7
2.4 ATP Install Checklist..2-10

3.0 Software Needed
3.1 Server Software..3-1
3.2 Workstation Software.3-2

4.0 Installing Windows 2003 Server
4.1 Upgrade to 2003 Server4-1
4.2 Install Service Pack 14-9
4.3 Install Server Security4-10
4.4 Install Fresh Copy of Windows 2003 Server..4-11

5.0 Adding Hardware
5.1 Adding Modems..5-1
5.2 Adding Printers...5-6
5.3 Adding AIT/RFID Hardware.5-14

6.0 Installing SAAS Server Software
6.1 Installing SAAS-MOD Server Software..............6-1
6.2 Server Cleanup..............6-2
6.3 Installation on ATP..6-2
6.4 SAAS Folder Layout..............6-3
6.5 Installing WinZip..6-4

7.0 Installing Windows XP Software
7.1 Install Procedures as part Installing L6F-09-00.....7-1
7.2 Install Service Pack7-8
7.3 Install Security.7-8
7.4 Installing Fresh Copy of Windows XP.7-10
AISM-25-L6F-AJ A-ZZZ-SA
11 October 2007
TOC-1
Table of Contents

8.0 Installing SAAS Workstation Software
8.1 Software Needed....8-1
8.2 Workstation Installation..8-1

9.0 Server Administration
9.1 User Administration...............9-1
9.1.1 Domain User Accounts9-2
9.1.2 Local User Accounts.9-7
9.1.3 Remaining User Accounts9-8
9.1.4 Deleting Users..............9-10
9.1.5 Changing Passwords9-11
9.1.6 Adding Users to Groups..............9-12
9.1.7 Removing Users from Groups.9-15
9.1.8 Assigning User Rights..9-16

10.0 Periodic Maintenance
10.1 Backups...10-1
10.1.1 Full System Backup.10-2
10.1.2 Backing up a Dump file...10-4
10.1.3 Using the SAAS-MOD System Backup Scheduler.10-5
10.1.4 Restoring the Full System Backup10-5
10.1.5 Restoring the Dump file..10-6
10.2 Checking the Event Log...10-7
10.3 Maintaining Hard Drives...10-8
10.3.1 Setting Security on Hard Drives.10-8
10.3.2 Setting up Shares.10-9
10.3.3 Allowing Users to Access a Computer..10-11
10.3.3.1 Permissions10-11
10.3.3.2 Mapping..10-13
10.3.4 Maintaining Adequate Disk Space.10-14
10.4 Creating Emergency Repair Disk...10-16
10.5 SpaceMaker...10-16
10.6 Server System Maintenance10-16

11.0 Communications
11.1 Introduction to SAAS Communications..11-1
11.2 COMSETUP.exe Operation Instructions...11-6
11.2.1 Initial Setup Instructions...11-6
11.2.2 COMSETUP Instructions for Adding other DODAACs.......11-9
11.2.3 Other COMSETUP Functions.11-14
11.3 COMRUN.exe Operation Instructions11-15
11.4 Remote Access Service Installation...11-17
11.5 GlobalSCAPE Secure FTP..11-17
11.6 User Manager Setup for Dial in RAS..11-17
11.7 Duplicate File Ship Instructions...11-20
11 October 2007
TOC-2
Table of Contents
11.8 COMRPT.exe Operation Instructions.11-21
11.9 COMMO File Description.11-21
11.10 COMMO Troubleshooting..11-26
11.11 Remote Dial-Up Processing..11-26

12.0 Importing/Exporting Databases
12.1 Importing Databases.12-1
12.2 Exporting Databases.12-2
13.0 Troubleshooting
13.1 User Problems...13-1
13.1.1 Cant Log In13-1
13.1.2 Cant partition or format while doing setup13-1
13.1.3 Formatting the 2
nd
Hard Drive.13-2
13.2 Database Problems...13-2
13.3 Data Browser Problems13-4
13.3.1 To Remove the Default Limitations on Data Browsers.......13-4
13.4 Comwatch Errors...13-5
13.5 System Running Slow...13-15
13.6 Relationship between SAAS and Oracle...13-16
13.7 Customer Assistance FTP Process Using Secure FTP..13-17

14.0 COOP
14.1 General...14-1
14.2 Sample14-1

15.0 AIT Installation
15.1 Overview.15-1
15.2 Installation of SAAS AIT Application..15-1
15.3 Setting up your AIT Equipment...15-1
15.4 Connecting AIT to your Computer..15-2
15.5 Driver Installation and Settings15-2
15.6 Burn-in of the Hand Held Devices..15-3
15.7 AITCFG Tool..15-6
15.8 Troubleshooting AIT..15-7
15.9 AIT Practical Exercise......15-8

16.0 Norton 10.1 Installation
16.1 Uninstall Norton Server and Workstation..16-1
16.2 Install Norton 10.1 on the Server or Workstation.16-5
16.3 Norton Antivirus Updates.16-14

17.0 Reserved for Future Use....................................................................17-1

11 October 2007
TOC-3
Table of Contents
18.0 SAAS Utilities
18.1 Oracle IP Tool18-1
18.2 Archive Transactions18-1
18.3 Create Oracle User...18-2
18.4 Drop Oracle User..18-3
18.5 Export..18-4
18.6 Import..18-4
18.7 Lock Database...18-5
18.8 Logged-On Users..18-5
18.9 System Backup Scheduler...18-6
18.10 Restore Transactions..18-7
18.11 Unlock Database.18-7
18.12 Change Oracle Password..18-8
18.13 Oracle RA Tool....18-8

19.0 RFID (Radio Frequency Identification)
19.0 Installation Procedures for RFID on ASP Workstations..19-1
19.1 Tag Docking Station Hardware, Configuration Setup and
Registration...19-2
19.1.1 Tag Docking Station Hardware ..19-2
19.1.2 Tag Docking Station Hardware Setup Procedures..19-2
19.1.3 Tag Docking Station Configuration Procedures...19-2
19.1.4 Tag Docking Station Setup Location Procedures....19-4
19.1.5 Tag Docking Station Setup Communications Settings
Procedures..19-5
19.1.6 Tag Docking Station Setup Registration Procedures..19-6
19.2 RFID Interrogator Hardware, Configuration, Setup and Registration
Procedure19-7
19.2.1 RFID Interrogator Hardware19-7
19.2.2 Interrogator Hardware Setup Procedures.19-7
19.3 RFID Network and Modem Setup Procedures.19-8
19.3.1 Dial-up Networking / Modem Setup...19-9
19.3.2 Configuring the Modem with Windows 2003.19-9
19.3.3 Creating a Dial-up Networking (DUN) Phonebook Entry19-10
19.3.4 Viewing all Dial-up Networking Phonebook Entries from TIPS-
Write19-11
19.3.5 Network Setup...19-12

20.0 SAAS Security
20.1 Overview.20-1
20.2 Security Features Users Guide (SFUG)20-1
20.3 Trusted Facilities Manual (TFM).20-28
20.4 AKO Security Update and Downloads ..20-91

11 October 2007
TOC-4
Introduction

SECTION 1.0 INTRODUCTION
1.1 Manual Overview
The purpose of this manual is to guide a System Administrator (SA) in managing
the Standard Army Ammunition System Modernization (SAAS-MOD) system.
This manual defines the role of the SA, the electronic environment, and relevant
applications running on the system.

1.2 Roles of a System Administrator
The site System Administrators role is to keep the SAAS Modernization system
functioning. The SA position carries a great deal of responsibility. Some of the
specific technical responsibilities of the SA are to:
a. Understand the system architecture.
b. Maintain the NT Server and Workstation.
c. Bring the system up and down.
d. Control access to the system.
e. Communicate on-line with system users.
f. Modify the system to add new users and printers.
g. Make the system reasonably secure from tampering.
h. Maintain the operating system software and troubleshoot problems.
i. Monitor system usage and performance.
j. Act as the focal point for questions/concerns that are to be addressed to
the support hotline.

1.3 Hardware Environment
The SAAS Hardware is described below in generic terms. The actual equipment
used at each site may vary but should be equivalent to the descriptions below.

1.3.1 MMC Hardware Environment
11 October 2007
1-1
Introduction

11 October 2007
1-2
Introduction
1.3.2 ASP Hardware Environment

11 October 2007
1-3
Introduction

1.3.3 DAO/ATP Hardware Environment.

1.3.4 MMC/ASP/DAO/ATP Software Environment
The MMC/ASP/DAO SAAS software operating environment will be client/server.
This environment will be supported by Windows 2003 Server operating system
(OS) on a single server computer and Windows XP OS with Service Pack #2
(operating system) on multiple workstation (user) computers. The application
executable will reside on each workstation and will execute on that workstation.
The SAAS database will reside on the server and will be managed by the Oracle
Relational Database Management System (RDBMS). Components of Oracle will
reside on both the server and each workstation for the purpose of communicating
and satisfying application requests for data during processing. The exception to
this client/server environment will be the ATP. The Windows 2003 Server OS,
Oracle RDBMS, Database and application executables will all reside and operate
on a single laptop/notebook computer. This provides a "standalone" operating
environment requiring only one computer system which can easily be transported
to meet the needs of an ammunition transfer point.
11 October 2007
1-4
Introduction
Communications between SAAS systems and outside of SAAS will be
accomplished primarily with secure and non-secure File Transfer Protocol (FTP).
When direct network connections are not available to support FTP, the Remote
Access System (RAS) will be used in conjunction with a modem to establish a
connection which will also support FTP. For the ASP system only, a unique
communication environment will be used to support the communication interface
with the Training Ammunition Management Information System (TAMIS) using
web browsers to access it.

1.4 Maintenance Contract
The Project Manager maintains the maintenance contract for the SAAS-MOD
system. The PM has outlined the procedure to obtain the maintenance support
as follows:
Call the on-site system administrator.
If the problem cannot be resolved, the SA should call the SEC-LEE Customer
Assistance Office (CAO) at 804-734-1051 (commercial) or 687-1051 (DSN).
If the problem still cannot be fixed, CAO will contact the responsible contractor.
As needed, the contractor may call Microsoft or ORACLE for further assistance.

NOTE: Users should not attempt to open any system hardware to fix it. This will
violate the terms of the maintenance contract and may cause loss of
maintenance support.
11 October 2007
1-5
Information Sheet
SECTION 2.0 INFORMATION SHEET

2.1 Information Sheet
The following information is needed to complete the installation of Windows
2003
TM
Server and Windows XP Workstation. This information should be
supplied by the site System Administrator.

1. Name: SAAS-MOD
2. Organization: U.S. Army

Note: For computer name, Active Directory Domain name and IP addresses
check with your local DOIM for compliance with installation standards and to
avoid duplication.

3. Computer Name: ____________________________ (Use your installations
naming standards)
4. Domain Name: _____________________________ (May be your Installation
Domain or Regional Active Directory name)
5. Type of Install: Server OR Workstation
6. IP Address: ___.___.___.___
7. Subnet Mask: ___.___.___.___
8. Gateway IP Address: ___.___.___.___
9. DNS Server Address: ___.___.___.___
10. WINS Server Address: ___.___.___.___
11. Printer:
Local or Remote (Circle one).
Type: _______________ Port: _____ Shared? Yes or No
Printer Name: ________________________________
12. Network Adapter:
Type (i.e. NE 2000): ______________
IRQ (if not a PCI adapter): _____ IF REQUIRED
Base I/O Address (if not a PCI adapter): _____ IF REQUIRED
13. Administrator Name:______________________
Administrator Password: ___________________
14. Product ID Number: ______________________ (may be required depending
on CD type.)
15. Communications Information Needed for Servers using RAS:
Static Address Pool of IP's: (should be contiguous) _______________ thru
_______________
Site System Info:
DODAAC: _______________________
FTP Username: ____________________
FTP Password: ____________________
Terminal Server Info (if required):
Terminal Server Phone Number: ______________
11 October 2007
2-1
Information Sheet
Terminal Server Username: __________________
Terminal Server Password: __________________ (may change every 90 days)
Destination System Info:
DODAAC: _________________________
FTP Username: _____________________
FTP Password: _____________________
11 October 2007
2-2
Information Sheet
2.2 Server Install Checklist Using Windows 2003 Server CD's

I. INFORMATION NEEDED PRIOR TO INSTALLATION:

__ 1. Name and Organization for Software Registration: ________________

Product ID Number on Software: __________________________

__ 2.Type of Network Adapter: ________________________________

Active Directory Domain Name: ___________________________

Server Name (DODACC): _______________________________
(Also known as Machine Name; must adhere to installation naming
conventions)

Server IP: __________________________________________

Subnet Mask: _______________________________________

Gateway IP: ________________________________________

DNS IP: (P): ______________________(S): ________________

DNS Domain (if applicable): ________________

WINS IP: (P): _____________________ (S): _________________

Static IP Address Pool (if loading RAS): _____________________
(Must be 3 contiguous IP Addresses)

__ 3. Check BIOS and modify in Setup, if applicable. Boot device sequence
should be CD ROM, Hard Drive 0 then Floppy.

11 October 2007
2-3
Information Sheet

II. LOAD SERVER SOFTWARE AND DEVICES:

NOTE: IF LOADING A GATEWAY 6400 SERVER THE LSI DUAL ULTRA 160
DRIVER AND WILL NEED TO BE CREATED FROM THE ORIGINAL
GATEWAY SERVER COMPANION CD; THIS DRIVER WILL BE USED DURING
INITIAL INSTALLATION SO THAT THE HARDRIVES ARE RECOGNIZED BY
THE OPERATING SYSTEM.

1. Load W2K3 and current Service Pack. Service Pack 1 included with W2K3
install software.

2. Load SAAS Server Baseline (SA 6). Be sure to select correct level (MMC,
ASP, DAO or ATP).

3. Check the AKO Website for Interim Changes since the last SAAS Software
Release. (SA 20.10)

4. Install WinZip (SA 6.5)

5. Import the file CDdriveletter\ SCP0xDB.dmp where x is the current change
package release number

6. Install the Oracl10G (L6F-0x-00) change package where x is the current SCP
package.

7. Restore backup taken prior to this installation unless this is a fresh install. (SA
10.1.5) or copy the files back from D drive if you copied them there as part of the
pre-installation procedures.

8. Set up COMMO Group, users and permissions:

a. Must create FTPUSERS global group. (SA 11.6)

b. Must create ftp***user and make member of FTPUSERS group. (SA
Manual, section 11.6) Where *** is platform of system being installed
(mmc, asp, dao).

c. Set PERMISSIONS on Files and Directories. (SA 11.6) FTPUSERS Full
Control of Dodaacom, saas_ftp, winnt\system32\drivers\etc, and c:\comwatch.log
*On folders be sure to check box that refers to replacing permissions on
sub-folders and files.
Right click on file or folder. Select Properties ->Security ->Permissions.

11 October 2007
2-4
Information Sheet
Click on Add. Click on Users. Click on Add. Change Access to
Full Control. Click on OK. Click on Yes. Click on OK.

d. Create saasmod user account and other users determined by SA. (SA 9.1.1
general info) Give right to [log on locally] to users.

9. Import your database dump file as was backed up as part of the pre-
installation instructions. (SA 12.1)

10. Set up FTP in Internet Service Manager. (SA 11.5)

11. Load SAAS documentation to D:\wwwroot and share. (SA 18) If you already
have it, delete the wwwroot directory first. This will allow the copy to run much
quicker.

12. Load Microsoft Internet Explorer 6.0 and Service Pack 1 from the SAAS
Utility CD. Follow the on-screen prompts. Refer to section 17 in the SA Manual.
NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS. Also set
HOMEPAGE to point to D:\WWWROOT. (SA 18.3.1)

13. Load Norton Antivirus Software, refer to Server install (SA 16.0Norton 10.1
Installation Updated) unless you are directed by local military authorities to use a
different anti-virus software.

14. Install SAAS Security CD. (Server or Workstation Install for W2K3 on CD).
Check the AKO website for updates since the last SAAS Software Release. (SA
20.10)

15. Add Printer (SA 5.2)

16. Set Time Zone to your local time. Double click the clock/Time Zone/Drop
down menu to your locality.

17. Set Short Date format to MMDDYYYY in Control Panel/Regional
Settings/Date/Short Date format.

18. Install RFID (IF APPLICABLE) (SA 19)

19. Setup System Backup Scheduler. (SA 10.1.3)

20. Update Repair Info and create updated Emergency Repair Diskette. (SA
10.4.1)
Start ->Run: RDISK. (SA 10.4)

21. Perform an EXPORT of the Database (SA 12.2). Recommend EXPORT
file is copied on to a 4mm DAT tape for future restoration purposes.
11 October 2007
2-5
Information Sheet

22. Change Administrative password. (SA 9.1.5)
*Try for consistency for Administrator password on Server and all
Workstations.

23. W2K3 Full System Backup. Be sure to backup C: and D: and Registry. (SA
10.1.1)

24. Run script for restoring Oracle Users: RECREATE_USERS.SQL

- OR -

NOTE: All SAAS Users need to have an Oracle User created. See SA 18.3
Create Oracle User.
If the SAAS User also needs to perform Backups, install SCP or ICP
packages, or access
Specific executables located on the Server, and then they also need to be a
member of the ORA_SAAS_DBA group.

Follow these steps to Add Users to the new group:
1. Logon to the SAAS-MOD server as an administrator.
2. Left click on Start | Programs | Administrative Tools (Common) |Computer
Management | Users and Groups | Groups.
3. Double left click on ORA_SAAS_DBA under Groups on the right half of the
window.
4. Left click on the Add button in the Local Group Properties window. This will
put you in the Add Users and Groups Window.
5. Left click on a user in the Names: box to highlight (select) it.
6. Left click Add button to put the user in the Add Names: box. Repeat steps 5 &
6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Local Group Properties window. All
the users you selected will now appear in the Members: box.
8. Left click the OK button to exit the Local Group Properties window.
9. In the User Manager window, left click on User (in the upper left hand corner)
and select Exit from the drop down menu.

11 October 2007
2-6
Information Sheet
2.3 Workstation Install Checklist

Using SAAS Supplied Software
(Microsoft Windows XP Professional with Service Pack 2 - September 2004)


___1. Name and Organization for Software Registration: _Use SAAS MOD U. S.
ARMY____________

Product ID Number on Software: ___See sticker on the back sleeve of
the CD_______________

Example: J C4Y8-J 2V9R-4J GY6-Y69W4-TYCMQ

___2. Type of Network Adapter: _____________________________

Active Directory Domain Name: ________________________

Workstation Name: __________________________________
(also known as Machine Name; must adhere to installation naming
conventions)

Workstation IP: _____________________________________

Subnet Mask: ______________________________________

Gateway IP: _______________________________________

DNS IP: (P): ____________________(S): _______________


WINS IP: (P): __________________ (S): ________________

___3. Check BIOS and modify in Setup, if applicable. Boot device sequence

11 October 2007
2-7
Information Sheet

II. LOAD WORKSTATION SOFTWARE AND DEVICES:

____ 1. Load Windows XP Workstation (Professional) using CD provided (SA 7).

____ 2. Load SAAS Workstation Baseline (SA 6). Be sure to select correct level
(MMC, ASP, and DAO).

____ 3. Load SAAS documentation to D:\wwwroot and share. (SA 17)

____ 4. Load Microsoft Internet Explorer 6.0 and Internet Explorer Service Pack
#1 from the SAAS Utility CD. Follow the on-screen prompts. Refer to section
17 in the SA Manual.
NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS.

____ 5. Load Norton Antivirus Software, and Uninstall McAfee Antivirus
software, refers to Workstation
install (SA 16.0Norton 10.1 Installation Updated) unless you are
directed by local military authorities to use different anti-virus software.

COMPLETE ITEM #7 BELOW FOR ASP Workstations ONLY!

____ 6. RFID Setup: Install RFID from the CD if your installation used RFID.

NOTE: SAAS AIT software is installed automatically with the
installation of the Application install.
Refer to SA 15 for all AIT instructions.

____ 7. Install SAAS Security CD. (Workstation Install for Windows XP on CD)

III. CHECK COMMUNICATIONS:

____ 1. Check network connectivity.

____ 2. Manually ping your server from Command Prompt.

11 October 2007
2-8
Information Sheet

IV. MISCELLANEOUS INSTRUCTIONS FOR THE SAASMOD SYSTEM:

Verify that each user created can log onto the system___________

Add Printer _______________________________________ (SA 5.2)

V. FINAL SETUP AND REVIEW:

____ 1. Update Repair Info and create updated Emergency Repair Diskette.
(SA 10.4)

NOTE: Label and place diskette in secure storage area.
11 October 2007
2-9
Information Sheet
2.4 ATP Install Checklist


___1. Name and Organization for Software Registration: ______________

Product ID Number on Software: ___________________________

___2. Type of Network Adapter: ________________________________

Active Directory Domain Name: ___________________________

Server Name (DODACC): _______________________________
(also known as Machine Name; must adhere to installation naming
conventions)

Server IP: ___________________________________________

Subnet Mask: ________________________________________

Gateway IP: _________________________________________

DNS IP: (P): ____________________(S): ________________


WINS IP: (P): __________________ (S): ___________________

Static IP Address Pool (if loading RAS): ____________________
(must be 3 contiguous IP Addresses)

___3. Check BIOS and modify in Setup, if applicable. Boot device sequence

11 October 2007
2-10
Information Sheet

II. LOAD SERVER SOFTWARE AND DEVICES:

____1. Load W2K SERVER (SA 4).

____ 2. Create saasmod user account and other network users determined by
SA.
(SA 9.1.1 general info)
____ Give right to logon locally to domain users.
*Passwords will expire after 90 days and must be alpha/numeric with
special characters and 10 characters in length. Refer to AR 25-2.

____ 3. Restore backup taken prior to installation unless this is a fresh install.

____ 4. Set up COMMO Group, users and permissions:

a. OPTIONAL GROUP CREATION:
Create a Commo group if desired. Add usernames that will be
responsible for performing Commo determined by SA.

b. Must create FTPUSERS global group. (SA 11.6)

c. Must create ftp***user and make member of FTPUSERS group. (SA
Manual, section 11.6)
*Fill in *** with platform of system loading (mmc, asp, dao).

d. Set PERMISSIONS on Files and Directories. (SA 11.6)
FTPUSERS Full Control of Dodaacom;
Domain Users or Commo Group Full Control of Dodaacom,
saas_ftp, winnt\system32\drivers\etc, and comwatch.log
*On folders be sure to check box that refers to replacing permissions
on sub-folders and files.
Right click on file or folder. Select Properties ->Security ->
Permissions.
Click on Add. Click on Domain Users. Click on Add.
Change Access to Full Control. Click on OK. Click on Yes. Click on
OK.

____ 5. Load SAAS Server Baseline (SA 6). Be sure to select correct level
(ATP).

____ 6. Import the database dump file. (SA 12.1)

____ 7. Set up FTP in Internet Service Manager. (SA 11.5)

11 October 2007
2-11
Information Sheet
____ 8. Load SAAS documentation to D:\wwwroot and share. (SA 17)

____ 9. Load Microsoft Internet Explorer 6.0 and Internet Explorer Service Pack
1 from the SAAS Utility CD. Follow the on-screen prompts. Refer to
section 17 in the SA Manual.

NOTE: ASP(s) must have Microsoft Internet Explorer for TAMIS.

____ 10. Load Norton Antivirus Software, refer to Server install (SA 16.0
Norton 10.1 Installation Updated) unless you are directed by local military
authorities to use a different anti-virus software.

____ 11. Load current Service Pack.

____ 12. Logon as saasmod, and go into Maintain User to create SAAS users.

COMPLETE ITEM # 13 BELOW FOR ASP SERVERS ONLY!

____ 13. AIT Setup:

NOTE: SAAS AIT software is installed automatically with the
installation of the Application install.
Refer to SA 15 for all AIT instructions.

____ 14. Install SAAS Security CD.

III. CHECK COMMUNICATIONS:

____ 1. Check network connectivity.

____ 2. Manually FTP from Command Prompt.

IV. CREATING ORACLE USERS FOR THE SAASMOD SYSTEM:

NOTE: All SAAS Users need to have an Oracle User created. See SA 18.3
Create Oracle User.
If the SAAS User also needs to perform Backups, install SCP or ICP
packages, or access specific executables located on the Server, then they also
need to be a member of the ORA_SAAS_DBA group.

11 October 2007
2-12
Information Sheet

Follow these steps to Add Users to the new group:
2. Left click on Start | Programs | Administrative Tools (Common) |Computer
Management |Users and Groups | Groups.
3. Double left click on ORA_SAAS_DBA under Groups on the right half of the
window.
4. Left click on the Add button in the Local Group Properties window. This will
6. Left click Add button to put the user in the Add Names: box. Repeat steps
5 & 6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Local Group Properties window. All
8. Left click the OK button to exit the Local Group Properties window.
9. In the User Manager window, left click on User (in the upper left hand
corner) and select Exit from the drop down menu.

Verify that each user created can log onto the system___________

Add Printer _____________________________________ (SA 5.2)

Set SHORT DATE FORMAT
to MMDDYYYY in CONTROL
PANEL->REGIONAL SETTINGS ______________________________

11 October 2007
2-13
Information Sheet

V. FINAL SETUP AND REVIEW:

____ 1. Have User change Administrative password before you depart location.
(SA 9.1.5)
*Administrator password on Server and all Workstations should comply
with AR 25-2, Section IV, Procedure Security, Section 4-12, and
Password Control.

____ 2. Setup System Backup Scheduler. (SA 10.1.3)

____ 3. Update Repair Info and create updated Emergency Repair Diskette.
(SA 10.4)

____ 4. Perform an EXPORT of the Database (SA 12.2). Recommend
EXPORT file is copied on to a 4mm DAT tape for future restoration
purposes.

____ 5. Perform a Full System Backup. Be sure to backup C: and D: and
Registry. (SA 10.1.1)

11 October 2007
2-14
Software Needed
SECTION 3.0 SOFTWARE NEEDED

3.1 Server Software

The following software will be required on the Server:

Microsoft Windows 2003 Server Standard Edition
Microsoft Windows 2003 Server Standard Edition Service Pack 1
SAAS Application Software CD-ROM
SAAS Security CD-ROM
SAAS RFID CD-ROM

Order of loading:
1. Do a complete load on the server first before starting with the
workstations.
2. The server load is started by loading Windows 2003 Server. (Section 4.0)
3. Windows 2003 Service Pack * (Section 4.2) * or current release after
Service Pack 1
4. Add Users (Section 9.0)
5. Add Printers/Modems (Section 5.0)
6. Load the SAAS Application Software. (ASP, MMC, DAO, ATP) (Section
6.0)
Communication Applications (Section 11.5) NOTE: on a fresh install you
will get an error for missing dll for cominter.exe until you load Oracle
7. Load Oracle (Insert CD and double click on Oracle Install.exe)
8. RFID (ASP, ATP only) (Section 15.0)
9. Norton Anti Virus (Section 16.0)
10. Load SAAS Security CD (Both Policy and IAVA) (Section 4.3)

11 October 2007
3-1
Software Needed

3.2 Workstation Software

The following software will be required on the Workstations:

Windows XP Professional with Service Pack 2
SAAS Application Software CD-ROM and Diskette created from Server Install
SAAS Security CD-ROM
SAAS RFID CD-ROM

Order of loading:
1. The workstation load is started by loading Windows XP Professional on
the workstation. (Section 7.0)
2. The second software to be loaded is Windows XP Service Pack *
(Section 7.2) * or current release after Service Pack 2
3. Load the SAAS Application Software. (Section 8.0)
4. Load Oracle (Insert CD and double click on Oracle Install.exe)
5. SAAS Security CD (Section 7.3)
6. Norton Anti Virus (Section 16.0)

11 October 2007
3-2
Installing Windows Server 2003
SECTION 4.0 INSTALLING WINDOWS SERVER 2003

4.1 Upgrade to Windows Server 2003

1. Insert CD labeled "Microsoft Windows Server 2003" into the CD drive.
2. Click on Start/Run/Browse/CD drive/setup.exe, select Open then OK as below:

11 October 2007
4-1

3. Select Install Windows Server 2003, Standard Edition:

11 October 2007
4-2

4. On the Welcome Screen select Next for the default which is Upgrade:

11 October 2007
4-3

5. On the License Agreement screen, select I Agree and click on Next:

11 October 2007
4-4

6. Enter Product ID from label on the back of the sleeve for the CD and click on
Next:

11 October 2007
4-5

7. Click Next on Get Updated Setup Files:

11 October 2007
4-6

8. On Report System Compatibility screen click Next.

11 October 2007
4-7

9. After a few minutes the system will reboot as shown below:

10. Click on OK to Terminate Batch Processes.

11. System will continue to install with progress in the areas of Preparing
installation, Installing Windows and Finalizing installation
Average time is about 50 minutes depending on your Processor speed.

11 October 2007
4-8

12. When complete the system will Reboot and Windows 2003 Server Standard
Edition will be installed.

(Install Windows 2003 Server Service Packs)

4.2 Install Service Pack 1

The current Service Pack (Service Pack 1) is included with the upgrade
installation. Any new Service Packs can be installed by contacting your local
DOIM or AKO.
11 October 2007
4-9

(Getting Windows Server 2003 IAVA Compliant)

4.3 Install Server Security

1. Insert CD labeled SECURITY CD for L6F-10-00 with SAAS Security Policy

a. Logon as administrator.

b. Insert the SAAS-MOD Security CD into your CD drive.

c. Double click on My Computer.

d. Right click on the CD ROM.

e. Left click on Explore.

f. Double click on SAAS Security Policy.exe (Note: the .exe will not
appear if you have turned off display of file extensions).

g. You will be prompted to "Install Security Policy?" Two options will
be displayed, Continue or Quit. Select "Continue." The install will now
analyze your system and verify that it is a SAAS-Mod system.
NOTE: If the system is not a SAAS-Mod system the security program
will not install. Click on OK to exit and refer to paragraph 4.1 above.

Several windows will flash before you. At the message, Policy installation
completed. You MUST RE-BOOT for changes to take effect! click on OK
and the system will re-boot causing the security modifications to take
effect.

2. Next will be to install Security Updates to make SAAS IAVA Compliant


b. Do NOT start communications. If you do, terminate communications
by clicking on the Start button and select SAAS Communications.
Then double click the TERMINATE COMMO icon. You MUST wait for
the Comrun.exe task block at the bottom of your screen to disappear
11 October 2007
4-10
BEFORE proceeding to the next step. Please be patient, this may take
a few minutes.

c. Insert the SAAS-MOD Security CD into your CD drive.

d. Double click on My Computer.

e. Right click on the CD ROM.

f. Left click on Explore.

g. Double click on SAAS IAVA Updates.exe (Note: the .exe will not

h. You will be prompted to "Install IAVA Updates?" Two options will be
displayed, Continue or Quit. Select "Continue." The install will now
will not install. Click on OK to exit and refer to paragraph 4.1 above.

Several windows will flash before you. At the message, IAVA installation
completed. You MUST RE-BOOT for changes to take effect!, click on OK
effect.

4.4 Install Fresh Copy of Windows Server 2003

NOTE: These procedures are designed for those units that for whatever reason,
such as the hard drive crashed, need to reinstall their Operating System back to
Windows Server 2003. The L6F-10-00 baseline was developed to upgrade
Windows Server 2000 to Windows Server 2003 only. Therefore, these
instructions will be to manually reinstall your Operating System.

1. Begin by printing the checklist for Server Install at Section 2.2 above. Please
read before beginning because there is information you must obtain prior to
starting the installation.

2. Insert the CD labeled Microsoft Windows Server 2003 Standard Edition
(Volume License Product Key Required) and starts your system.

NOTE: If you are loading a Gateway 6400 you will need to press F6 when
you see the message Setup is inspecting your configuration and select the option
to install additional drivers. The LSI Dual Ultra 160 driver can be obtained via
11 October 2007
4-11
your original Server Companion CD or off of the driver folder on the Application
CD.

3. At the Welcome to setup Press Enter to setup Windows Server 2003 now.

4. Scroll down to the end of the Licensing Agreement and Press F8 for I Agree.

5. At the select Partition Screen Press "D" to Delete.

6. Press Enter to Delete

7. Press "L" to confirm delete of partition.

8. Press "C" to Create Partition.

9. Leave default value of entire disk drive and Press Enter.

10. Press Enter to Install

11. Press Enter to format partition using NTFS.

After formatting the drive, setup will copy files to the hard drive and reboot.

12. After Reboot, the system will continue on its own

13. At the Regional Settings screen, click on Next.

14. Enter Name as SAAS MOD. Enter Organization as U. S. Army and click on
Next.

15. Enter Product Key which is located on a label on the back of the sleeve of the
CD.

16. Enter the Computer Name per your local naming conventions, Administrative
Password and Confirm Password and click on Next.

17. Enter Date/Time and Time Zone for your region and click on Next.

18. At the Network Settings do the following: Select Custom Settings and Press
Next.

19. Highlight Internet Protocol (TCP/IP) and click on Properties.

20. Select "Use the following IP Address"
Enter your IP address, local Subnet Mask, Default Gateway, Preferred DNS
Server, and Alternate DNS Server.
11 October 2007
4-12
Click on Advanced tab, WINS tab and enter WINS addresses if applicable.
Click on OK, OK then Next

21. On Networking Components screen, click Next.

22. For Workgroup or Computer Domain: Click Yes, Enter appropriate data and
provide credentials and click on Next.

23. If you get message "To improve appearance of visual elements Press OK",
Press OK. When box appears "If you can read this Press OK" Press OK.

24. System will finalize installation and reboot.

Note: Some users may get the screen for Windows Server Post Installation...
Critical Update Screen. Scroll to the bottom and click Finish and Yes to the
message screen. This is to configure Automatic Microsoft Windows Update
which is a local DOIM Policy and should be skipped at this point.

25. At Manage your Server. Check the box Don't display this page at logon and
close the window.

26. Click on Start, Right click My Computer, Manage

27. Click on Device Manager.

28. For any devices show the yellow ?, it means that the driver was not installed.
You must Right click on the device and select Update Driver.

29. Some drivers are located in the Application CD, driver folder. Most new
systems should have come with a driver utility CD.

30. Update drivers for all devices required.

31. Continue with instructions in Server Install Checklist.

11 October 2007
4-13
Adding Hardware
SECTION 5.0 ADDING HARDWARE

5.1 Adding Modems

1. Connect a modem to a com port and turn it on.
2. From the Desktop, click on Start, Control Panel. Click on Add Hardware. An
Add Hardware Wizard will appear. Click on Next.

11 October 2007
5-1
Adding Hardware
3. Windows 2003 will try to detect your connected modem.

4. Check Yes, I have already connected the hardware and click on Next.

11 October 2007
5-2
Adding Hardware
5. Scroll down and highlight Add a new hardware device and click on Next.

6. Select Search for and install hardware automatically. Click Next.

11 October 2007
5-3
Adding Hardware
7. Select Modems and click on Next.

8. At the install new modem window click on Next.

11 October 2007
5-4
Adding Hardware
9. Highlight the Com Port and click on Next.

10. At the notification of successful installation, click on Finish.

11 October 2007
5-5
Adding Hardware

5.2 Adding Printers

1. Unpack the printer and connect it to your Server or Workstation. Refer to the
documentation with the printer for this step. Most Printers will be connected to
the LPT1 port on your computer.

2. Power up the printer. Power on the computer if not already running.

NOTE: Be sure to be logged on as the Administrator before attempting to a
printer or any other hardware.

3. From the desktop click on Start, Printers and Faxes, then click on Add Printer.

11 October 2007
5-6
Adding Hardware

4. On the Add Printer Wizard screen click on Next.

5. Select Local printer if printer is directly connected to your computer and make
sure the box to automatically detect and install my Plug and Play printer is
checked, or select Network printer if connecting to a printer on your network, then
click on Next. For Network printer go to step 13.
11 October 2007
5-7
Adding Hardware

6. If you selected Local printer above, you will see the New Printer Detections
window like below:

11 October 2007
5-8
Adding Hardware
7. Your printer should automatically be installed. If so, check Yes to print a test page and
click on Next. If your printer is not detected, then you will have to supply to driver,
click on Have Disk and point to the correct location of your driver.

8. Click on Finish to complete adding a printer.

11 October 2007
5-9
Adding Hardware
9. Click on OK if test page printed, otherwise click on Troubleshoot and follow the
prompts.

10. To share your printer click on Start/Printers and Faxes on 2003 Server or
Start/Settings/Printers and Faxes for XP and click on Properties

11. Click on the Sharing Tab
11 October 2007
5-10
Adding Hardware

12. Click on Share this printer, enter a Share name and click on OK.

11 October 2007
5-11
Adding Hardware
For connecting (mapping) to a Network Printer do the following:
13. If you know the name of the printer enter in format "\\computer name\shared
name"

14. If you do not know the name then click on next to browse for a network
printer

11 October 2007
5-12
Adding Hardware
15. Highlight the printer and click on Next.
16. Select if you want this system to use this printer as the default printer "Yes".
Click on Next.

17. Click on finish to complete the setup of your printer.

11 October 2007
5-13
Adding Hardware
18. If all else fails in attempting to connect to a shared printer, contact your local
DOIM or CSSAMO representative.

5.3 Adding AIT/RFID Hardware

Currently we have 2 serial devices that can be attached to ASP and ATP
systems in SAAS; the Symbol PDT7200 HHT and the SAVI RFID tag
reader/writer. With the Windows 2003 operating system, we may be able to use
some or all of the devices via USB (USB 2.0) port(s).

The communications settings: To view these settings, right click on My
Computer, Manage, Device Manager, then click on the (+) next to Ports (Com
and LPT):

To see the desired port, right click on the port, select properties then click on the
Port settings Tab.

11 October 2007
5-14
Adding Hardware
RFID Tag reader/writer:

HHT:

11 October 2007
5-15
Adding Hardware
Configuration file control exists for the HHT and RFID tag reader/writer:

RFID Tag reader/writer:
Log into TAV Tools as an Administrator and go to the TAV Tools configuration
window.

Select the com port

Then select the communications settings:

11 October 2007
5-16
Adding Hardware

HHT:

Log on as an administrator, and go to C:\saas\ait and run AITCFG.exe.

Select HHT and this option appear:

11 October 2007
5-17
Installing SAAS Server Software
SECTION 6.0 INSTALLING SAAS SERVER SOFTWARE

6.1 Installing the SAAS-MOD Application on Server

Windows 2003
TM
Server installed on system (SA 4).
SAAS Application (Latest Release) software on CD

Installing SAAS from CD
1) Sign on as administrator.
2) Insert SAAS MOD Application CD into CD-ROM drive
3) Go to my Computer and click on CD-ROM drive.
4) Double click on the install.exe file. (Flag icon if using explorer)
5) Read the notice, and then click on Next.
6) On the screen to install the latest release of SAAS-MOD click Yes.
7) Select system type to install, ASP, MMC, DAO or ATP. Not required for
reinstall or upgrade.
8) Select type installation either Server or Combined, which is server and
workstation on a single computer. Not required for reinstall or upgrade.
9) Insert a blank diskette on message and click OK. Not required for reinstall
or upgrade.
10) Remove diskette when prompted and click OK. Not required for reinstall
or upgrade.
11) At message Core installation complete, adhere to message on database and
click on OK to reboot.

If this is a new install, you must now import a database. The instructions on
importing databases are in Section 12.1 Importing Databases. If you have a
current database, simply import it. If your database is a previous release, you will
need to import it then you will need to run the utility located at
C:\SAAS\UTILITIES\db_chgs_rollup.exe. This utility will make all structure
changes to your database and bring it up to date with the latest SAASMOD
release.

11 October 2007
6-1
NOTE: Users created previously should still exist. May want to check User
Manager for Domains for requested users. (For example, saasmod user should
still exist.) Once Workstation is loaded, check database connectivity. Also if old
database is desired, copy it back into \saas\dumps\backups and perform an
import.

6.2 Server Cleanup

With the latest release of the SAAS MOD baseline is now over writable. This
means that there is no requirement to remove the previous baseline prior to
reinstalling a new baseline. You also have the capability to completely uninstall
SAAS-MOD. You can do this by going to <Start, Settings, Control Panel,
Add/Remove Programs>, select SAAS-MOD and remove.

6.3 Installation for ATP

The ATP baseline is loaded on a laptop/notebook computer. Unlike other loads
which uses a different machine for a server and each workstation, the whole ATP
system (database and executable) are included on just one laptop. However,
with the fielding of SAASMOD latest release, ATP baseline install has been
added to completely load the ATP application, server and workstation both in one
load.

NOTE: THE FOLLOWING ACTIONS/PROCEDURES ARE ASSUMED TO HAVE
BEEN PERFORMED CORRECTLY;
a.) Windows Server 2003 Operating System has been loaded.
b.) Windows XP Operating System with the latest Service Pack installed.
c.) Page File Size has been reset to 150 / 200 (or more).
d.) Video Display has been reset if required.
e.) Install Printer if required.
f.) Network Card must be installed into Drive 1 even if not connected to a
network.

NOTE: THIS CONCLUDES THE LOAD OF THE ATP EXECUTABLES. IF
REQUIRED, YOU MAY PROCEED TO LOAD AIT (Section 15) and COMMO
(Section 11.0).

11 October 2007
6-2
6.4 SAAS Folder layout

This structure will be in effect with the SAASMOD latest release.

Server:

\SAAS
AIT (on ASP and ATP only) * will be shared on ASP server only
(Drivers for Intermec 4400 printer; on ASP server only)

APPS
(SAAS MOD program executables; replaces c:\iefenv21)
UPDATES (this folder is used for tracking interim updates)

AIT (Scanning technology for SAAS)

BROWSERS
(new default location for queries)

DATABASE
(Actual residence of your data)

DUMPS
(*.dmp will default to reside here - previously c: saas\dumps\backups)

ORACLE
(Oracle application system files)

REPORTS (ASP only)

UTILITIES
(Executables accessed from Start>Programs>SAAS Utilities)

DATABASE (will exist on C: and D: drives)

LOGS
(Import, Export, etc. Previously under separate folders)

11 October 2007
6-3

WORKSTATION:

\SAAS
APPS
BROWSERS
ORACLE
REPORTS
UTILITIES
LOGS

6.5 Installing WinZip

1. Navigate to C:\Dodaacom with Windows Explorer
2. Double click on WinZip32
3. Click Next on WinZip Setup screen
4. Click Yes on License Agreement screen
5. Click on Start with WinZip Classic, then Next
6. Click on Finish
7. Close WinZip window
8. Close Explorer window

11 October 2007
6-4
Installing Windows XP Software
SECTION 7.0 INSTALLING WINDOWS XP SOFTWARE

7.1 Install Procedures for Windows XP Software

1. Must be logged on to the computer as Administrator to perform the
procedures.

2. Insert CD labeled "Microsoft Windows XP Professional with (latest) Service
Pack into the CD drive.

3. Click on Start/Run/Browse/CD drive/setup.exe, select Open then OK as below:

11 October 2007
7-1

4. Select Install Windows XP.

11 October 2007
7-2

5. On the Welcome Screen select Next for the default which is Upgrade:

11 October 2007
7-3

6. On the License Agreement screen, select I accept this agreement and click on
Next:

11 October 2007
7-4

7. Enter Product ID from label on the back of the sleeve for the CD and click on
Next:

11 October 2007
7-5

8. Click Next on Get Updated Setup Files:

11 October 2007
7-6

9. After a few minutes the system will reboot as shown below:

10. Click on OK to Terminate Batch Processes.

11. System will continue to install with progress in the areas of Preparing
installation, Installing Windows and Finalizing installation.
Average time is about 60-90 minutes depending on your Processor speed.

12. When complete the system will Reboot and Windows XP Professional will be
installed.

11 October 2007
7-7
7.2 Install Service Pack

(Install Windows XP Service Pack 2)

This version of the system supplied already came complete including Windows
XP Service Pack 2 so there are no instructions to follow.

7.3 Install Security

(Getting Windows XP IAVA/Security Compliant)

1. Insert CD labeled SECURITY CD with SAAS Security Policy


b. Insert the SAAS-MOD Security CD into your CD drive.

c. Double click on My Computer.

d. Right click on the CD ROM.

e. Left click on Explore.

f. Double click on SAAS Security Policy.exe (Note: the .exe will not

g. You will be prompted to "Install Security Policy?" Two options will
be displayed, Continue or Quit. Select "Continue." The install will now
will not install.

Several windows will flash before you. At the message, Policy installation
effect.

2. Next will be to install Security Updates to make SAAS IAVA Compliant


11 October 2007
7-8
b. Do NOT start communications. If you do, terminate communications
by clicking on the Start button and select SAAS Communications.
Then double click the TERMINATE COMMO icon. You MUST wait for
the Comrun.exe task block at the bottom of your screen to disappear
BEFORE proceeding to the next step. Please be patient, this may take
a few minutes.

c. Insert the SAAS-MOD Security CD into your CD drive.

d. Double click on My Computer.

e. Right click on the CD ROM.

f. Left click on Explore.

g. Double click on SAAS IAVA Updates.exe (Note: the .exe will not

h. You will be prompted to "Install IAVA Updates?" Two options will be
displayed, Continue or Quit. Select "Continue." The install will now

will not install.

Several windows will flash before you. At the message, IAVA installation
effect.

11 October 2007
7-9

7.4 Installing a Fresh Copy of Windows XP Professional

NOTE: These procedures are designed for those units that for whatever reason,
such as the hard drive crashed, need to reinstall their Operating System back to
Windows XP. The L6F-09-00 baseline was developed to upgrade Windows
2000 Professional to Windows XP Professional only. Therefore, these
instructions will be to manually reinstall your Operating System.

1. Begin by printing the checklist for Workstation Install at Section 2.3 above.
Please read before beginning because there is information you must obtain
prior to starting the installation.

2. Insert the CD labeled Microsoft Windows XP Professional with Service Pack 2
(Volume License Product Key Required) and start your system.

3. At the Welcome to setup Press Enter to setup Windows XP now.

4. Scroll down to the end of the Licensing Agreement and Press F8 for I Agree.

5. At the select Partition Screen Press "D" to Delete.

6. Press Enter to Delete

7. Press "L" to confirm delete of partition.

8. Press "C" to Create Partition.

9. Leave default value of entire disk drive and Press Enter.

10. Press Enter to Install

11. Press Enter to format partition using NTFS.
After formatting the drive, setup will copy files to the hard drive and reboot.

12. After Reboot, the system will continue on its own

13. At the Regional Settings screen, click on Next.

14. Enter Name as SAAS MOD. Enter Organization as U. S. Army and click on
Next.

15. Enter Product Key which is located on a label on the back of the sleeve of the
CD.

11 October 2007
7-10
16. Enter the Computer Name per your local naming conventions, Administrative
Password and Confirm Password and click on Next. Be sure to record your
Administrative Password in a secure location.

17. Enter Date/Time and Time Zone for your region and click on Next.

18. At the Network Settings do the following:
If your installation for workstations requires you to use DHCP (Dynamic Host
Control Protocol) which will automatically assign IP addresses, Press Next.
Go to step 21.

19. Highlight Internet Protocol (TCP/IP) and click on Properties.

20. Select "Use the following IP Address"
Enter your IP address, local Subnet Mask, Default Gateway, Preferred DNS
Server, and Alternate DNS Server.
Click on Advanced tab, WINS tab and enter WINS addresses if applicable.
Click on OK, OK then Next

21. On Networking Components screen, click Next.

22. For Workgroup or Computer Domain:
If not on network, click Next, otherwise
Click Yes, Enter appropriate data and provide credentials and click on Next.

23. If you get message "To improve appearance of visual elements Press OK",
Press OK. When box appears "If you can read this Press OK" Press OK.

24. System will finalize installation and reboot.

25. At Welcome screen Press Next to set up your system.

26. At Help Protect your PC, Select Not Right Now and click on Next.

27. At Checking Internet connectivity, Select Skip.

28. At Ready to register with Microsoft, Select No, Not at the time and click on
Next.

29. At who will use the computer enter "saasmod" at first line and click on Next.

30. At Thank you, click on Finish.

31. Continue with instructions in Workstation Install Checklist.
11 October 2007
7-11
Installing SAAS Workstation Software
SECTION 8.0 INSTALLING SAAS WORKSTATION SOFTWARE
8.1 Software needed
1. Microsoft Windows XP Professional (Workstation) installed on system.
2. SAAS Server software on CD-ROM.
8.2 Installing SAAS on Workstation
1. Sign on as administrator on the workstation.

2. Insert the CD labeled as the current software release L6F-xx-00, x being the
latest.
3. Navigate to the CD and double click on install.exe. Flag icon if using explorer.
4. Read the notice and click on Next to continue.
5. On question to install latest release click Yes.

6. Select type of workstation to install (MMC, ASP, and DAO). Not required for
reinstall or upgrade.
7. Insert diskette created from the server install when prompted and click on OK.
Not required for reinstall or upgrade.

8. Remove diskette when prompted and click OK. Not required for reinstall or
upgrade.
9. At Core Installation complete message, click on OK to reboot.
10. Workstation install is now complete.

11 October 2007
8-1
Server Administration
SECTION 9.0 SERVER ADMINISTRATIONS

9.1 User Administration
A user account is required to log on to a Windows Server 2003 computer. This
section will cover the procedure on creating user accounts, deleting user
accounts, and joining groups in Windows Server 2003.
There are two ways to log on to a machine. One way is by using a domain user
account stored in the Windows Server 2003. The other way is by using a local
account stored in the local user account database.
In using the SAAS-MOD application, all workstations should log on as part of the
domain. Therefore all user accounts should be made at the server. The only
local account on the workstation should be the Administrator account which was
created during the Windows XP operating system installation.
The Windows Server 2003 user account gives an individual a means to log-on
into Windows Server 2003. To create a user account follow instructions in
Section 9.1.1.
With the release of a System Change Package (SCP), Oracle has been installed
to accept Windows Server 2003 login authentication and will no longer require a
separate login when a SAAS-MOD application process is executed. This will
require that an Oracle user is created with the same name as the Windows
Server 2003 user. Along with the new SCP, a new user group has been created
named ORA_SAAS_DBA. This group has special Oracle permissions that are
needed to run some of the SAAS-MOD functions on the server. Each user must
be added to this group. An administrator must perform this function on the
server. Follow these steps to add users to the new group:
1. Logon to the SAAS-MOD server as the administrator.
2. Click on Start | Programs | Administrative Tools| Computer
Management | Local Users and Groups| Groups
3. Click on ORA_SAAS_DBA under groups on the bottom half of the
window.
4. Click on the Add button in the Local Group Properties window. This will
5. Click on a user in the Names box to highlight (select) it.
6. Click on Add to put the user in the Add names box. Repeat 5 & 6 for all
users.
7. Click OK to return to the Local Group Properties window. All users
selected will now appear in the Members box.
8. Click on OK to exit the Local Group Properties window.
9. Click on User in the User Manager window and select Exit.
11 October 2007
9-1

9.1.1 Domain User Accounts

1. To create a server user account, log on as administrator and do the following
steps on the Server:
Right click My Computer, Manage
Note: Must Create SAASMOD user in order to create other SAAS-Mod
application users. SAASMOD user should be disabled after creating other SAAS-
Mod application users.

11 October 2007
9-2

2. Highlight Users, click on Action on the menu tab.

3. Select New User and the New User dialog box will open.

11 October 2007
9-3

4. Type a username in the Username box.
5. Type the users password in the Password box.
6. Type the same password in the Confirm Password box.
7. Make sure to uncheck boxes for User Must Change Password at Next
Logon, Password Never Expires and User Cannot Change Password.
8. Click Create and the new account will be added to the account database.

11 October 2007
9-4
Note: SAAS-MOD has developed new security measures concerning user
accounts and passwords. See below for these setting.

Security Settings Procedures - Servers and Workstations
Server and workstation users are to implement security settings on the local
machines. The following is a guideline to implement these settings. Security
settings are done automatically when you install the SAAS MOD Security from
the CD-ROM. To view,
1. Click Start, Programs, Administrative Tools, Local Security Policy.
2. Click on Password Policies.
3. In the resulting window (below), implement the settings according to the
screen print below.

11 October 2007
9-5
4. Under Local Policies, highlight Audit Policy
screen print below.

11 October 2007
9-6
6. Under Account Policy, highlight Account Lockout Policy.
screen print below.

9.1.2 Local User Accounts

Creating a local user account is no different from when you created a server user
account on the Server. Actually, relative to the Server the domain user account is
also a local user account. Therefore, when creating a local account, other than in
the Server, remember that it only works for the particular machine it was made
from.

11 October 2007
9-7
9.1.3 Renaming User Accounts

When renaming an account, its properties, rights, permissions are held intact.
This is because renaming a user account does not change the account's Security
Identifier (SID). The SID is a unique number that Windows uses when assigning
permissions to the user or when adding a user to various groups, which grant
and restrict permissions to members of the group.

NOTE: FOR SECURITY REASONS, ARMY NETWORK SECURITY HAS
DETERMINED THAT USERS RENAME THE ACCOUNT 'ADMINISTRATOR' TO
SOME OTHER NAME.

To rename an account, do the following steps:

1. Right click My Computer, Manage.

11 October 2007
9-8
2. Highlight a User Account you wish to rename by highlighting it.

3. Click on Action/ Rename.

4. No dialog box will appear, however the name will be highlighted. Simply type
a new name and press the Enter key.

11 October 2007
9-9

9.1.4 Deleting User Accounts

Deleting and recreating a user account is not equivalent to renaming a user
account. Deleting and recreating a user account assigns a new SID to a user, so
the user does not retain any permissions or group memberships that were based
on his or her original user account. If there is any chance that the user in
question will be granted access to the network in the future, it is advisable that
the account be disabled instead.
To delete a user account, do the following steps:
1. Right click My Computer, Manage.
2. Select the account to be deleted.
3. Press the Delete key or click on Action/Delete.
4. User Manager for Domains will display a dialog box which asks for
reconfirmation whether you want to delete the account or not. Click Yes and the
account will be deleted. Click No to abort deleting the user.

11 October 2007
9-10

9.1.5 Changing Password

1) To change your User password, begin by right clicking on My Computer, then
selecting Manage.
2) Double click on Local Users and Groups to open up Users and Groups sub
folders.
3) Click once on Users to show users on right side of the window.
4) Highlight a user, click on Action to show menu option "Set Password".

5) Click on Set Password.
11 October 2007
9-11

6) Type in new password in both the "Password" and "Confirm Password" boxes.
7) When finished click "OK".

9.1.6 Adding Users to Groups

1) To add a user to a Local or Global Group you must first right click on My
Computer and select Manage.
2) Double click on Local Users and Groups to open up Users and Groups sub
folders.
3) Click once on Groups to show groups on right side of the window.

11 October 2007
9-12

4) Highlight a group, click on Action to show menu option "Add to Group".

5) Click on Add to Group.
11 October 2007
9-13

6) Click on Add.
11 October 2007
9-14

7) Click on a user, click on Add. Repeat for all users to add. Click OK when
youre done.

9.1.7 Removing Users from Groups

11 October 2007
9-15

9.1.8 Assigning User Rights

1) To assign User Rights, first click on Start, Programs, Administrative Tools, and
Local Security Policy.

11 October 2007
9-16

2) Click on the plus next to Local Policies on the left hand side, and then click on
User Right Assignment

11 October 2007
9-17

3) Scroll down to desired User Right such as Log on Locally and Right Click on it.

4) Click on Security....
11 October 2007
9-18

5) Click on Add....
11 October 2007
9-19

6) Select user or users and click on Add, then OK to exit Select Users or Groups
window.
11 October 2007
9-20

7) Click on OK to exit Local Security Policy Setting window.
8) Close Local Security Setting window.

11 October 2007
9-21
Periodic Maintenance
SECTION 10.0 PERIODIC MAINTENANCE

10.1 Backups
Backups will save you one of these days. Therefore it is important that it is done
religiously and correctly. It is also advisable to schedule backups during low
network traffic.

It is recommended that whenever you update any part of the operating system
with new office automation software, patches to software, install service packs,
loading of SAAS SCP (System Change Package) or ICP (Interim Change
Package), you should perform a full manual system backup. If in doubt, do a
backup!

Keep at least 3 of your most recent full system backups. Remember, the
scheduled backup in SAAS only backs up SAAS data. It does not back up
system files!

Check the file C :\( your system root)\security\logs\backup.log and C :\( your
system root)\autobackup.log periodically. The first is the default file name for a
manual backup, and the second is the name used by the scheduled backup
utility. These files are appended to, so they should be checked for errors and
deleted when you are satisfied that the backup is good. Either process will
recreate the file.

Before doing a backup you must shut down the database, stop Oracle and
Netlogon services. To do this, do the following steps:
1. Log on as Administrator or Backup Operator on the Server. Make sure to
stop all background processes including commo.
2. Right click My Computer | Manage | Services and Applications |
3. Click Services.
4. Scroll down to Netlogon, right click it, and click Stop. (Note: this will stop
Netlogon service and prevent users from connecting to the server.
However, this will not cut off connection to users already logged on. It is
highly recommended to have users log off their workstation.)
5. Scroll down to OracleSAASORATNSListenrLSNR, right click it, and click
Stop.
6. Highlight OracleServiceSAAS and right click it, click Stop. A window will
pop-up then click OK. (Note: this will also stop services for
OracleStartORCL.)
11 October 2007
10-1
7. Click Close.
8. The backup procedure discussed here will start with a full system backup
at the beginning of the week and a daily backup of an exported dump file
through out the remaining week. In this way, restoring will involve the full
system backup and then the exported dump file. It is recommended that
the dump file be named according to the date it was made. (i.e.:
04151998.dmp)

(Note: To make backups or restore files, you must be a member of the
Administrators or Backup Operator group.)

10.1.1 Full System Backups
Note: Perform Full System Backup once a week.
1. Click Start | Programs | Accessories| System Tools | Backup.
2. A Backup window will appear. If you click on the Backup on the toolbar it will
show you the available drives to backup. If you click on Restore it will show you
the available tapes for restore options.
11 October 2007
10-2

3. Click on the check box for drive C and D. This will backup the whole C and D
drive. NOTE: If you check System State it will also back up the Registry.

4. Click on Start Backup on the right lower corner of the window. A Backup
Information dialogue box will appear.

11 October 2007
10-3
5. Default Backup type is Normal. (Under Advanced....)

6. Click Start Backup to start the backup process.

7. Follow the on-screen prompts.

10.1.2 Backing up a Dump file

Note: Perform Backing up a Dump file daily and also use 5 day rotating 4mm
DAT tape drive (e.g. one tape for Monday. One tape for Tuesday... and so on).

1. To create a dump file follow procedure in Section 12.2 (Exporting the
Database).
2. To backup the dump file to tape click on Start | Programs | Accessories|
System Tools | Backup.
3. Make sure the Drives window is open.
4. In the Drives window double click on the C drive icon. (Note: don't click the
check box.)
5. Another window will pop-up showing you the directory tree of the C drive.
6. Double click on the folders SAAS, Dumps, and backups. (Note: don't click on
any check box as you move thru the folders)
7. Once inside the backups folder click on the dump file you created. (i.e.
06191998)
8. Click on Backup on the toolbar. A Backup Information dialogue box will
appear.
9. In the Backup Set Information section type in the name of the dump file (i.e.
06191998) for description. Choose Normal for Backup Type.
10. Click OK.
11. Close window and remove tape.

11 October 2007
10-4

10.1.3 Using the SAAS-MOD System Backup Scheduler

Note: This process does an export of the database so there is no need to shut
down oracle services.

The scheduled backup must be set up by the System Administrator as no other
user has permission to use the Scheduler. Also if the computer is shutdown, the
backup must be setup again when the computer is turned on. The settings
previously chosen may appear in the setup screen, but the System Administrator
has to click OK again to schedule the backup.

1. Double click on the short cut desktop icon SAAS | Utilities | System Backup
Scheduler or Start | Programs | SAAS | Utilities | System Backup Scheduler.
2. A Window will appear called System Backup Schedule. Click the check boxes
for the appropriate days backup should occur.
3. Enter the time you want backup to occur during selected days, in the format
shown below the box.
4. Click Save and Exit.
5. Make sure there is a properly labeled tape in the tape drive during scheduled
backup.

10.1.4 Restoring the Full System Backup

If you are restoring and Windows 2003 is still working then start with step 1.
However, if for some reason the server just dies (e.g. the hard drive crashes and
needs to be replaced.) thus Windows 2003 is not accessible then you would
have to install Windows Server 2003 (Section 4.1) and possibly the drivers for
the Tape drive.

1. Click on Start | Programs | Accessories| System Tools | Backup.
2. Open the Tapes window.
3. Insert the tape with the latest Full System Backup. After inserting tape, Backup
will read the whole tape.
11 October 2007
10-5
4. Double Click on the C folder found on the right side of the window. This will
create a list of what are backed-up on the tape. Make sure you check both the C
and D folder then click on the Restore button.
5. The Restore Information dialog box will appear.
6. On the Restore to Drive option make sure it is to the C: drive also.
7. Check Restore File Permissions, and Restore Local Registry.
8. Click OK.
9. A Restore Status box will appear. Click OK when restore is successfully
completed.
Note: The procedure discussed above assumes that you are restoring to the
original computer. If you are restoring it to a different computer it has to be
identical with the original one. Another computer might have a different set of
hardware and not match with the data stored in the backup. (I.e. different drivers)

Note: Restoring the Full System Backup will only restore the system up to the
point when that backup was made. To make the database current, you have to
restore the latest dump file as well.

10.1.5 Restoring the Dump file

1. Insert the tape with the dump file. After inserting tape, Backup will read the
whole tape.
2. Click on Start | Programs | Accessories| System Tools | Backup.

NOTE: You may get the message New Import Media since the tape was
originally created on an NT machine. Check the box to allocate this media to
backup now and check the box to do not show this message again and click on
OK.

3. Click on the Restore tab on the menu bar. Do not click on Restore Wizard.
4. Check the dump file you wish to restore by double clicking on the tape icon.
5. On the Restore files to option make sure it is to the original location.
6. Click on Start Restore.
7. The Restore Information dialog box will appear.
11 October 2007
10-6
8. A Restore Status box will appear. Click Close when restore is successfully
completed.
9. Now that you have the latest dump file in place you need to import it back to
the database, follow the procedures described in Section 12.1.

10.2 Checking the Event Log

To view the event logs, do the following steps:
Click on Start | Programs | Administrative Tools | Event Viewer.

11 October 2007
10-7

There are three event logs that you can look into by clicking on Log from the pull
down menu. They are:

System Log
Records events related to Windows 2003
components. For example, if a service fails
to start when Windows 2003 starts, Windows
2003 records the event in the System Log.
Whenever a problem occurs, you should
check the System Log for error messages.
Security Log
Records security-related events. Security
events include logon attempts and audit
events. Only Administrators can view the
Security Log.
Application
Log
Records application events, including errors
and warnings. Application developers
decided which events should be logged.
Some Windows 2003 components, such as
Winlogon and HP J etDirect print monitor,
record events in the Application Log.

10.3 Maintaining Hard Drives

10.3.1 Setting Security on Hard Drives

By default, the hard drives are administratively shared. When you look at your
Windows explorer after booting you will notice that the drive icons has a hand
underneath them. This will allow an administrator account to access the hard
drive from the network. One way to improve security is to take out these shares
and or other shares every time you boot the system, and share it only when
needed.

11 October 2007
10-8
10.3.2 Setting up Shares

1) To share or not share a drive or folder, do the following steps:
2) Go to the Windows explorer by right clicking on Start | My Computer |
Explore.
3) Right click on the hard drive or folder and choose Sharing.

11 October 2007
10-9

4) Click on the Not Shared or Shared As radio button depending on what you
want to do.

5) If you choose Shared As the Share Name box option will be accessible. You
can use the default share name or come up with your own share name. Also, if
you put a dollar sign ($) after the name, the name will be hidden when someone
tries to map to the machine.
6) Click OK to accept your settings.

11 October 2007
10-10
10.3.3 Allowing Users to Access a Computer

Users can access files from another computer on the same network. To do this,
the user needs to map a network drive and the folder where the file resides
should be shared. Also, the file should have the correct permissions.

10.3.3.1 Permissions

To configure the permissions on a file do the following steps:
1) Go to the Windows explorer by right clicking on My Computer | Explore.
2) While in explorer, locate the desired file and right click on the mouse.
3) A short cut menu will show up. Choose Properties.

4) Click on the Security Tab.
5) A security window will show up.
11 October 2007
10-11

6) The permissions box will appear showing the current permission of the file.
The default setting is Everyone with Full control. What this means is that
everyone has access to this file and has full control. If you want to limit the
access to this file, Remove Everyone and click Add to add the specific user
accounts to access the file. You can also change the type of access to No
access, Read, Change, Full Control, or Special Access.

11 October 2007
10-12

10.3.3.2 To map a network drive, do the following steps:

1) Go to Windows explorer by right clicking on My Computer | Explore.
2) Once in explorer click on Tools | Map Network Drive.

3) Choose the Computer you want to access. The shared folders of that
particular computer will show up. Click on the particular shared folder. The path
box will AutoFill. Click OK.
4) A new drive with a network icon will show up on the left side of explorer.
5) Click on the folder tab and the previous mapped connections will show up.
11 October 2007
10-13

10.3.4 Maintaining Adequate Disk Space

1) Whenever other users have access to a server with shared files you run the
risk of it being used as a place to dump files on. It wont be long and those files
will begin to take up a lot of the servers hard disk space. From time to time it
would be wise to do some house cleaning and take those files out. However,
make sure that you inform the owner of those files first before you start deleting
anything.
2) To check for ownership right click on the file and a shortcut box will appear.
3) Click on Properties and a Properties box will appear.
4) Click on the Security Tab.
5) On the Security box...
11 October 2007
10-14

6) Here you will see the owner of the file. Click Close to exit.
7) One type of file that you might want to monitor is the Dump file created after
doing an Export. After awhile the number of Dump files created gets big and
takes up a huge amount of disk space on the C drive. Especially with units that
process large quantities of transactions or have a big database, C drive disk
space is very precious. Therefore, it is suggested that the Dump files found in
C:\SAAS\dumps\backups be transferred to the D drive. You can also run the
utility SpaceMaker under the SAAS Commo Utilities.

11 October 2007
10-15
10.4 Emergency Repair Disk

With the advancement beyond the Windows 2000 Platform, there is no more
capability to create or utilize an Emergency Repair Disk. This feature is no
longer available.

10.5 SpaceMaker

This procedure was initially written when SAAS MOD was first deployed and the
disk drives were only 2-4 GB in size. This is no longer the case however this
procedure still merits value to clean out old data no longer required.
This desktop icon (SAAS| COMMO| SpaceMaker) will move selected data from
your C: hard drive to the tape archive freeing up space. The following type of
files will be moved and a print out of all affected directories and files will be
generated.
A. Communications history files for all incoming and outgoing data
1. *.DAT; *.CHK; *.ZIP and *.END
2. WARS history files
3. DAAS_CCSS history files
B. Oracle dump files
C. FTP Log files
1. Set the number of days you wish to keep on your system. Default is 15.
2. Place a properly labeled tape in the tape drive.

10.6 Basic Schedule of Server System Maintenance

DAILY:
1) Check c:\(your system root)\autobackup.log first thing in AM to ensure
Scheduled Backup performed correctly.
2) Insert next day's tape for System Backup. Go to Start ->Programs ->
Administrative Tools ->Backup. Select Operations ->Erase Tape.
Execute Start Commo (Icon) prior to leaving for day (before time set to send files
1800 at Huachuca).
11 October 2007
10-16
NOTE: Have communication interval set for 1 min. Commo should be set to run
first - 1800; then backup - 2000.
Follow local Security Guidelines relative to departing your work area at the end of
each work day.

WEEKLY:
1) Perform export and check c:\SAAS\dumps\explogs\exp.log. (Section 12 all
users logged off).
Check Event Viewer in Start ->Programs ->Administrative Tools ->Event
Viewer.
NOTE: Default on Event Viewer log in NT is 7 days. Be sure to check all STOP
signs. (Section 10)
3) May want to reboot (actually Power Down) Server once\week to flush all
memory.

BIWEEKLY:
Execute SPACEMAKER icon on desktop (Section 10.5). Keep maybe 15 days on
the Server.
NOTE: This will append to tape. Should keep several months worth on tape.
When get <25M free space on C: drive a warning will appear.

MONTHLY:
Perform an export and immediately turn around and import the database. All
users must be logged off.
NOTE: This is done since the export process does a routine similar to a "defrag",
but is on exported database. Therefore user doesn't get the advantage of the
"defrag" unless user imports database back in. Be sure to check exp.log and
imp.log. (Section 12)
2) Perform Archive Audit Table in SAAS Utilities. (see sheet with instructions -
users logged off) Section 18.1.
11 October 2007
10-17
NOTE: Audit table grows much faster than any other table in the database. Users
should check the #of records in the table and, when that number reaches a
threshold of 100,000, archive. Based on this threshold number and number of
days to reach that number they can decide the periodicity of Archiving audit
table.

QUARTERLY:
1) Perform Archive Transactions in Saas Utilities. (see sheet with instructions -
users logged off) Section 18.2
NOTE: Rule of thumb: aim to have <5000 transactions in Transaction_History
table.

MISCELLANEOUS MAINTENANCE NOTES:
1) If there is a problem with commo there will be an error message. Comview
Icon (made up of saasftp.log and comftp.log) - only really need to check Icon if
there is a problem. Mandatory to keep this log for 90 days. The SAAS system
takes care of it for you. Comwatch.log - check only if problems. (Section 11)
2) A Full System Backup should be executed whenever deemed necessary; i.e.,
before new ICP loaded, new SW, etc... Users must be logged off. (Section 10)

11 October 2007
10-18
Communications
SECTION 11.0 COMMUNICATIONS

11.1 Introduction to SAAS communications

With all fielded baselines, communications software will be loaded automatically.
Once this is done there will be two directories built on the C drive for
communications: DODAACOM and SAAS_FTP. Sub directories will be built once
COMSETUP is run.

SAAS communications is automated to the point that there is little user interface.
The system will automatically perform the rest of the SAAS communications
functions. The communications programs are designed to use the NIPRNET, if
the NIPRNET is not available, or you are unable to connect to it, the program will
initiate the remote access service using a modem. You must configure your
communications setup (COMSETUP) records to let SAAS know the exact
communications process to use to communicate.

Microsoft has simplified remote LAN access considerably by building a Remote
Access Service (RAS) into Windows 2003. RAS integrates smoothly with
Windows 2003 and does not require you to learn a new method of using LAN
resources. The only difference between a remote user and a local user is the
initial dial-in step. Once you dial-in, everything works as though the computers
were directly attached to the LAN cable.

The SAAS communications programs are designed to use RAS if the NIPRNET
or terminal server is not available. The only intervention you have is to connect
modems to the system and add the phone number(s) in the SAAS
communications setup utility. All levels of SAAS operate the communications in
the exact same manner. No matter how the connections are made, File Transfer
Protocol (FTP) is the means used to transfer data between SAAS elements. The
driving force is all files created by the system will begin the file name with the
DODAAC which the user defines within the setup utility as to how to
communicate with that particular DODAAC.

There are numerous functions to the SAAS communications. They are named as
follows: COMSTART, COMSETUP, COMVIEW, COMRPT, WARSCOM,
DAASCOM, SPBSIN, TERMINATE COMMO, SpaceMaker, TAMIS missing
batch, and TAMISreship. These programs constitute the entire SAAS
communications capability which is described below.

With the release of SCP L6F-09-00, SAAS communications has
incorporated secure FTP. Commercial off the shelf software (COTS)
AISM-25-L6F-AJA-ZZZ-SA
11 October 2007
11-1
Communications
developed by GlobalScape will be added to the SAAS baseline. There is no
new look. The communications programs will simply transmit the data
calling the new program instead of regular, non secure FTP.
a. COMSTART: This program is initiated at startup and will run in background
mode on the server only at all times. It serves as the driver for all SAAS
communications functions, whether it be to send files via NIPRNET, dial-out,
receive calls for incoming files, write files to disk, update communications log files
and check the database for outgoing data. There is a program called
COMWATCH that is the program interface with the database. The program
COMRUN will call COMWATCH. With SCP 04 you may see a
comwatcherr.exe icon appear on the task bar and the system will be
beeping. If there were errors detected, click on the comwatcherr.exe icon
on the task bar to determine what error there is. You may need to
terminate communications. The error will be described and appropriate
action will need to be taken. You can view a list of all errors in Section
13.4.

b. COMSETUP: This program allows the user to establish the mode of
communications and define what type of communications will occur for each
communications interface. It is here that you will enter the required data to define
how you communicate with each user. You enter the data by DODAAC, IP
Address or Phone number, if you will connect via terminal server , if you will
generate diskette only for this user, number of attempts before reporting errors
and number of minutes between each attempt to connect to communicate. This
is the maintenance utility for SAAS communications.
c. COMRPT: This program allows the user to check duplicates either coming into
the system or that are system generated.
d. COMVIEW: This program allows the user to view the communications log file
by bringing it into the Microsoft Notepad facility. This program has been updated
to allow the user to view additional communications log files to include:
comftp.log; comftpget.log; comwatch.log; copylog.log; nlacftp.log; psftp.log;
savicom.log; tamiscomerr.log; tamisftphistory.log and warsftp.log. A menu
window will be displayed allowing the user to select which log they wish to view.
Highlight the log you want to view, click on display. When you are finished, close
the log by closing the window to notepad, then click on exit.
e. WARSCOM: This program allows the user to send files to WARS that were
previously skipped. To change your password, which is a regulatory function of
WARS, at the Password field on the login and transmit screen, enter old
password - forward slash new password, without spaces. This program is only
loaded on SAAS MMC Servers. Ex. roip23xe/ii97bgrw2.
11 October 2007
11-2
Communications
f. DAASCOM: This program allows the user to send files to DAAS that were
previously skipped.
g. SPBSIN: This program allows the user to read in SPBS-R diskettes that have
been received. This program is only loaded on SAAS MMC Servers. It will no
longer be needed when PBUSE is fully fielded.
h. TERMINATE COMMO: This program will check the comrun.exe program at a
point that will not corrupt files. Previously, termination of communications while
entering data for processing to Oracle or pulling data for user distribution from
Oracle has created transactional duplication. This process monitors the
communications program and waits until it is a safe point to terminate the
program. NOTE: If you lose power to your server and the communications
process was running, then you will have to delete the file c:\commrunning.
This file tells the COMSTART program that the communications process is
running already, so it won't start another copy.
i. SpaceMaker: This program allows the user to "clean" old data from the
system. It targets certain commo and dump files for removal from the hard drive
and archived to tape.
j. AEPS Output: SAAS MOD can now create "automated" transactions for DIC's
A05 and A0E which only requires operator input the first time it is run. If any log
on information changes, the update capability exists within the
COMSETUP program. (See Section 11.2.3) Once run, the AEPS log on data will
be saved to your comini.ini file and can be viewed by the COMSETUP program.
See below. Once you have obtained a UserID and password through AEPS, and
you have generated output, a message will be displayed to run COMSETUP and
enter the AEPS IP Address, your AEPS Userid and AEPS password and click on
test. For the first connection, enter "y" to cache your system information with the
host (AEPS) and enter bye to exit. When you return to the COMSETUP screen,
the test button will read SAVE. Click on SAVE and your data will be saved. No
further input will be required unless your password changes, which can be
accomplished by simply running COMSETUP.
k. TAMIS-R Communications: Enhanced Training Ammunition Management
Information System Revised (TAMIS-R) interface. This interface will require
two way secure ftp traffic between the SAAS ASP system and TAMIS-R. The
SAAS user must set up a ftp account for TAMIS-R to send electronic DA581 data
to. The SAAS user should contact his/her local DOIM to determine all
information required to establish a firewall rule at the local installation. Then the
SAAS user should contact Mr. Guoqing Tian at TAMIS-R, phone (301) 794-8200
or email GTian@aim4value.com, to obtain all the required information. Mr. Tian
will also minimally need the IP address and the ftp account information for the
SAAS system. An alternate POC at TAMIS-R is Mr. William Ford, (301) 794-
8200 or email wford@aim4value.com. The new TAMISCOM uses secure FTP
11 October 2007
11-3
Communications
and will use batch numbers for tracking data transmissions. Incoming will track
batch numbers and will be displayed if there is a batch out of sequence. User
will be able to request transmission of missing batch. For outgoing transmissions,
the user will have the capability to resend by selecting a specific batch number.
File names will be in the format of DODAAC, Batch number.TAMIS.
l. TAMIS Missing Batch. This program is designed to keep users in line with
batch numbers. Each interface with TAMIS should generate a new sequential
serial batch number. If for some reason, a missing batch number should appear
in your in folder from TAMIS, when comrun.exe calls the TAMIS process and
sees it, it will display a screen like below:

You may select any or all batches to be deleted, or with coordination
with your TAMIS representative, have the missing batch number
reshipped to your. To delete a batch, highlight select batch(s) and
click on the DELETE BATCH(s) button. Click on EXIT to exit this
screen. This process can also be run from the SAAS Communications
Menu.
m. TAMISreship. This process is for reshipping missing batch files to TAMIS.
Execute from the SAAS Communications Menu and you will see the following
screen:
11 October 2007
11-4
Communications

You can enter the batch number or click on SELECT to see the next
screen:

If this is the correct file you wish to reship to TAMIS click on Send. If
you are not sure and what to examine the transactions click on
DISPLAY DATA. If this is not the correct batch, click on Select
Different Batch. Once you are sure of the correct file, click on SEND.
When finished, click on EXIT.
n. NLAC Communications: Requisitions for configured load will be sent to the
National Level Ammunition Capability (NLAC). Status will come back through the
normal DAAS channels. SAAS communications has been modified to recognize
a configured load requisition and prompt the user for NLAC login information.
The requisitions will be sent via ftp. A process was added to the catalog
maintenance process to allow the user to add, delete, and update configured
load codes.

11 October 2007
11-5
Communications

11.2 COMSETUP.exe Operation Instructions

11.2.1 Initial setup instructions:

NOTE: This is done when system is first installed and refers to information about
YOUR system.

1) Enter your Organization Level (ASP, ATP, DAO, or MMC) at Organization
Level of Remote Site. Use ASP for sites operating as an ATHP.
2) Enter your DODAAC.
3) Enter your IP Address. NOTE: Currently, you may now enter names
rather than IP addresses. In the case of FORSCOM, TRADOC and NGB
users can enter ftp.osc.army.mil in the IP address field.
11 October 2007
11-6
Communications
4) Enter NONE or Phone Number. NONE Must be Uppercase!
5) Enter a User Name that has FTP privileges (EX: ftpaspuser - see User
Manager Setup Instructions.)
6) Enter the PASSWORD for that USER.
NOTE: Password is case-sensitive.
7) You may set retry count (default is 3) and Communication Interval (default is 1
minute). To set each field, type in a value and Click on ENTER.
NOTE: The Communication Interval field determines how often to send data. For
example, enter 1 to transmit every minute, or enter 5 to transmit every 5 minutes.
The Retry Count gives the number of times to try to connect at each interval
before an error is reported.
8) Setting Call time HOUR
NOTE: This is when to START transmissions at a specific HOUR - determined
by SA at site.
a) Enter HOUR in Call time HOUR (military time 0 through 24).
NOTE: A 0 in Call time HOUR means to send whenever there is data available.
This is dependent on the Communications Interval.
b) Click on ENTER under Communications Interval.
NOTE: This field is for how often to send (1 for 1 minute; 5 for every 5 minutes).
c) To Call every Interval ENTER 0 in Call time HOUR
(when 0 is entered COMRUN will call whenever there is data to send.
9) If using a terminal server for phone connections:
a) Enter Terminal server Phone number.
b) Enter Terminal server User Name.
c) Enter Terminal server User Password.
d) Select Terminal server YES.
10) Click on SAVE SAAS.
11) You now have the capability to change your DODAAC. You can perform this
by doing the following actions:
a) Double click on CHANGE DODAAC tab.
b) Enter DODAAC in the box next to the tab CHANGE DODAAC
11 October 2007
11-7
Communications
c) Do steps 1 thru 10 above and you system DODAAC will be changed to the
new DODAAC.
NOTE: The following table gives a summation of the required fields for the local
site regardless of the type of connection.
COMSETUP FOR LOCAL SITE
COMSETUP FIELD
REQUIRED ENTRIES FOR LOCAL
SITE
ORGANIZATION
LEVEL
SELECT LOCAL SITE'S
ORGANIZATION LEVEL -- MMC, ASP,
DAO, OR ATP
DODAAC
ENTER DODAAC OF LOCAL SERVER
- SHOULD ALSO BE THE NAME OF
THE LOCAL SERVER
IP ADDRESS
ENTER IP ADDRESS OF LOCAL
SERVER
FTP USER NAME
ENTER FTP USER NAME OF LOCAL
SERVER
FTP PASSWORD
ENTER FTP USER PASSWORD ON
LOCAL SERVER
RETRY COUNT LEAVE DEFAULT SETTING
COMMUNICATION
INTERVAL
LEAVE DEFAULT SETTING
CALL TIME HOUR
VALUE WILL BE ECHOED FROM
OTHER SCREENS
DUPLICATE
CHECK FIELD
ENTER NUMBER OF DAYS TO
CHECK FOR DUPLICATE RECORDS
IN HISTORY
THIS SYSTEM
USING A
TERMINAL
SERVER
NOT APPLICABLE ON THIS SCREEN
DESTINATION
SYSTEM IS USING
A TERMINAL
SERVER
NOT APPLICABLE ON THIS SCREEN
TERMINAL
SERVER ID
NOT USED
TERMINAL
SERVER
PASSWORD
NOT USED
PHONE NUMBER ENTER NONE (CAPS)

11 October 2007
11-8
Communications
11.2.2 COMSETUP instructions for adding OTHER DODAAC's:
NOTE: Add DODAAC's you communicate with.
1) Required information for Destination systems.
NOTE: ALL information supplied by SA at destination site.
a) DODAAC of system.
b) User LOGON name.
c) User Password.
d) IP address.
e) Phone number (if applicable).
If using a terminal server for phone connections:
f) Terminal server Phone number.
g) Terminal server User Name.
h) Terminal server User Password.
2) Double click on COMSETUP ICON.
3) Click on appropriate Organizational Level of Destination System.
4) Enter DODAAC name of Destination System.
5) Enter IP address of Destination System.
NOTE: If you want the DODAAC to ALWAYS generate a floppy disk,
enter xxx.xxx.xxx.xxx for IP address)
6) Enter Phone number of Destination System or enter NONE (If using a network
connection)
7) Enter USER NAME for Destination System.
8) Enter USER PASSWORD for Destination System.
NOTE: This is case-sensitive, ensure it is correct.
11 October 2007
11-9
Communications
9) Enter Retry count.
NOTE: This is the number of times to try connecting before error is reported;
recommend 3-5.
10) Enter Communications Interval.
NOTE: This is how often you want to transmit data:
1 minute Minimum, 11080 minutes Maximum
11) If using a terminal server for phone connections:
a) Enter Terminal server Phone number.
b) Enter Terminal server User Name.
c) Enter Terminal server User Password.
d) Select Terminal server YES.
12) Duplicate Check Period in Days.
This is set to check for duplicate records for the number of days entered. If it
were set to 7, then Commo will keep a history of records sent for the preceding 7
days. Commo will check this history file for duplicates before each transmission.
13) Click on SAVE SAAS to ENTER DATA or QUIT to ABORT.
NOTE: Once the information is entered, it can be modified at any time. When you
change the way you connect to one of your sites, you will change the information
for the DODAAC in COMSETUP. When necessary, changes can be made by
doing the following: click on the COMSETUP icon on the server, change the
information as needed, and save it. The following tables are a summation of the
fields required in COMSETUP for the four ways to communicate with other sites
in SAAS. A screen must be completed for each unit the local site connects to.
The sites may not use the same connection method.
COMSETUP FOR NETWORK CONNECTION
COMSETUP FIELD
REQUIRED ENTRIES FOR NETWORK
CONNECTION
ORGANIZATION
LEVEL
SELECT DESTINATION
DAO, OR ATP
11 October 2007
11-10
Communications
DODAAC
ENTER DODAAC OF DESTINATION
SERVER
IP ADDRESS
IP ADDRESS OF DESTINATION
SERVER
FTP USER NAME
FTP USER NAME ON DESTINATION
SERVER
FTP PASSWORD
FTP USER PASSWORD ON
DESTINATION SERVER
RETRY COUNT
ENTER NUMBER OF ATTEMPTS
BEFORE ERROR IS REPORTED
COMMUNICATION
INTERVAL
ENTER NUMBER OF MINUTES
BETWEEN TRANSMISSIONS (1 TO
11080)
CALL TIME HOUR
ENTER NUMBER FROM 01 TO 24
INDICATING WHEN TO BEGIN
TRANSMISSION -- VALUE WILL BE
ECHOED TO OTHER SCREENS
DUPLICATE
CHECK FIELD
IN HISTORY
THIS SYSTEM IS
USING A
TERMINAL
SERVER
DO NOT SELECT
DESTINATION
SYSTEM IS USING
A TERMINAL
SERVER
DO NOT SELECT
TERMINAL
SERVER ID
NOT USED
TERMINAL
SERVER
PASSWORD
NOT USED
PHONE NUMBER ENTER NONE
* LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE
SYSTEM TO CHECK EVERY MINUTE FOR DATA.
COMSETUP FOR MODEM TO MODEM CONNECTION
COMSETUP FIELD
CONNECTION
ORGANIZATION
LEVEL
SELECT DESTINATION
DAO, OR ATP
DODAAC ENTER DODAAC OF DESTINATION
11 October 2007
11-11
Communications
SERVER
IP ADDRESS
SERVER
FTP USER NAME
SERVER
FTP PASSWORD
DESTINATION SERVER
RETRY COUNT
COMMUNICATION
INTERVAL
11080)
CALL TIME HOUR
DUPLICATE
CHECK FIELD
IN HISTORY
THIS SYSTEM IS
USING A
TERMINAL
SERVER
NOT USING TERMINAL SERVER --
DO NOT SELECT
DESTINATION
SYSTEM IS USING
A TERMINAL
SERVER
IF USER REPORTING BY TERMINAL
SERVER, THIS FIELD WILL BE
SELECTED BY MMC
TERMINAL
SERVER ID
NOT USED
TERMINAL
SERVER
PASSWORD
NOT USED
PHONE NUMBER
PHONE NUMBER OF DESTINATION
SERVER
* LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE
COMSETUP FOR TERMINAL SERVER CONNECTION
COMSETUP FIELD
CONNECTION
ORGANIZATION
LEVEL
SELECT DESTINATION
DAO, OR ATP
DODAAC ENTER DODAAC OF DESTINATION
11 October 2007
11-12
Communications
SERVER
IP ADDRESS
SERVER
FTP USER NAME
SERVER
FTP PASSWORD
DESTINATION SERVER
RETRY COUNT
COMMUNICATION
INTERVAL
11080)
CALL TIME HOUR
DUPLICATE
CHECK FIELD
IN HISTORY
THIS SYSTEM IS
USING A
TERMINAL
SERVER
YES, SELECT THAT THIS SYSTEM IS
USING A TERMINAL SERVER
DESTINATION
SYSTEM IS USING
A TERMINAL
SERVER
IF USER REPORTING BY TERMINAL
SERVER, THIS FIELD WILL BE
SELECTED BY MMC
TERMINAL
SERVER ID
ENTER TERMINAL SERVER ID
TERMINAL
SERVER
PASSWORD
ENTER TERMINAL SERVER
PASSWORD
PHONE NUMBER
ENTER PHONE NUMBER OF
TERMINAL SERVER
*LOCAL DECISION ON TIME. DO NOT USE 0, UNLESS YOU WANT THE
** IF SYSTEM IS MMC, AND REPORTING USER IS USING A TERMINAL
SERVER TO SEND DATA, SELECT 'DESTINATION SYSTEM IS USING A
TERMINAL SERVER'. THIS ALLOWS DESTINATION USER TO PULL BACK
DATA FROM THE MMC.

11 October 2007
11-13
Communications

11.2.3 Other COMSETUP Functions
1) Read>A: button is to read in floppy disk data
2) To display the data for a DODAAC already entered in the system
a) Highlight the desired DODAAC in EXISTING ORGANIZATIONS.
b) Click on Display DODAAC.
c) You may modify entry information and SAVE.
3) To delete a DODAAC:
a) Highlight the desired DODAAC to delete in EXISTING ORGANIZATIONS.
b) Click on DELETE ORGANIZATION.
4) To modify AEPS connection data:
a) Highlight and change AEPS IP Address if required.
b) Highlight and change AEPS User Name if required.
c) Highlight and change AEPS Password if required.
d) Click on SAVE AEPS adjacent to the AEPS date elements. (Not the SAVE
SAAS at the bottom as this saves DODAAC entries only)
5) To modify TAMIS connection data:
a) Highlight and change TAMIS IP Address if required.
b) Highlight and change TAMIS User Name if required.
c) Highlight and change TAMIS Password if required.
d) Click on SAVE TAMIS adjacent to the TAMIS date elements. (Not the SAVE
6) To modify NLAC connection data:
a) Highlight and change NLAC IP Address if required.
11 October 2007
11-14
Communications
b) Highlight and change NLAC User Name if required.
c) Highlight and change NLAC Password if required.
d) Click on SAVE NLAC adjacent to the NLAC date elements. (Not the SAVE

11.3 COMRUN.exe Operation Instructions
COMRUN instructions for correcting DODAAC's if SETUP Screen appears
1) Required information for Destination systems.
(ALL information supplied by system admin at destination)
a) DODAAC of system
b) User LOGON name
c) User Password
d) IP address
e) Phone number (if applicable)
If using a terminal server for phone connections
f) Terminal server Phone number
g) Terminal server LOGON ID
h) Terminal server Password
1) Select Terminal server YES
2) If SETUP screen appears the system had problems connecting with the
DODAAC displayed.
a) Check connection status report for error
b) If error displayed refers to no answer, access denied, not logged on check
your entries in displayed area.
You may correct the IP address phone number, User name and password.
If the DODAAC is INCORRECT you must use COMSETUP to enter the
correct DODAAC information. If you make corrections you must SAVE.
11 October 2007
11-15
Communications
c) If the error refers to a busy line you may increase the Retry count and/or just
Continue. Continue will use the existing information and retry connecting.
If you wish to correct only one Entry you may do that and skip directly to
SAVE. ONLY USE SAVE IF YOU HAVE CHANGED one or more ENTRIES.
3) Enter IP address (if you want the DODAAC to ALWAYS generate a floppy
disk, enter xxx.xxx.xxx.xxx for IP address)
4) Enter Phone number or NONE
5) Enter USER NAME
6) Enter USER PASSWORD ( this is CASE sensitive ensure it is correct)
7) Click on SAVE ONLY IF YOU HAVE CHANGED ONE or MORE of the ABOVE
ENTRIES
8) Enter Retry count CLICK on ENTER then CONTINUE (this is the number of
times to try connecting before error is reported, recommended 5)
9) Enter Communications Interval CLICK on ENTER then CONTINUE (this is
how often you want to transmit data. (1 minute Minimum and Maximum equals
10080 minutes)
10) To display the data for a DODAAC already entered in the system:
a) Highlight the desired DODAAC in EXISTING ORGANIZATIONS
b) Click on Display DODAAC
c) You may modify entry information and SAVE.
11) To delete an DODAAC:
a) Highlight the desired DODAAC to delete in EXISTING ORGANIZATIONS
b) Click on DELETE ORGANIZATION
12) Setting Call time HOUR (to start transmissions at a specific hour)
a) Enter HOUR in Call time HOUR (military time 0 through 24)
b) Click on ENTER under Communications Interval
c) To Call every Interval ENTER 0 in Call time HOUR\
(when 0 entered COMRUN will call whenever there is data to
send, as often as the Communications Interval is set i.e.: every minute for 1
every 5 minutes for 5)

11 October 2007
11-16
Communications
11.4 Remote Access Service Installation
SAAS MOD no longer supports the use of Remote Access Service. This is a
feature designed for allowing users to connect via Modems. This is no longer
allowed by AR 25-2.

11.5 GlobalSCAPE Secure FTP
SAAS now installs this product for secure communications which replaces the
need for Microsoft Internet Information Services which controlled the FTP site.
All settings and configuration are self contained during the installation of SAAS
communications package. FTP Publishing Service is also no longer required and
has been disabled with the implementation of SAAS communications.
GlobalSCAPE is set for secure FTP transmissions, but will also accept regular
(non-secure) FTP if the sender does not have secure FTP installed.

11.6 User Manager Setup
1) Open User Manager by a right click on My Computer| Manage..

2) Click on Local Users and Groups.

3) Right click on Groups and select New Group.
11 October 2007
11-17
Communications

4) Create a Group called FTPUSERS (or their SA choice) and click on Create.
5) Click on Create, and then close.

6) Right click on the new group and click on Properties..

7) Click on Add and select your user.
11 October 2007
11-18
Communications

8. Click on Add.
9. Click on OK and exit Computer Management.

NOTE: FTPUSERS Group must have full control of C:\dodaacom directory
and files
All Domain users must have full control of the following
c:\comwatch.log file
c:\dodaacom directory and all sub directories and files
c:\saas_ftp directory and files
c:\winnt\system32\drivers\etc directory and files
11 October 2007
11-19
Communications

11.7 Duplicate File ship Instructions
A) Required information to send duplicate Data
1. FILE NAME to transmit
2. DODAAC name you want to transmit to.
3. User Logon to that DODAAC for Dial-In and FTP
4. User password
5. DODAAC's IP address
B) Instructions to implement DUPLICATE FILE SHIPMENTS ( TO SEND A FILE
ALREADY SENT BUT NOT RECEIVED BY THE RECIPIENT)
1. Stop COMRUN.EXE
2. Use Explorer or File Manager to locate the File to be sent
a. file will be located in
c:\dodaacom\(this systems DODAAC name)\OUT\(DODAAC to be
transmitted to) \Trans_history\ (file.zip & file.end)
3. Copy these files to c:\users\default
4. Use Dial-up Networking to connect to the destination DODAAC
a. Dial-up Networking is located in - START PROGRAMS
ACCESSORIES
b. Select DODAAC name
c. Click on DIAL
d. Enter User name & password (if asked for)
e. Wait for Connection
5. Start command prompt
a. located in - START PROGRAMS
6. Do Dir (enter) to check that you are in c:\users\default if you are not
in that Directory CD to it.
Type FTP (IP address) (enter)
a. Enter User name
b. Enter Password
c. Type put (filename.zip) (destination DODAAC)\IN\filename.zip)
d. If you receive Transfer complete. go to e. (if you receive an error check the
directories and file name)
e. Type/put (filename.end) (destination DODAAC)\IN\filename.end)
f. If you receive Transfer complete. go to g. (if you receive an error check the
directories and file name)
11 October 2007
11-20
Communications
g. Type bye
h. Type exit
i. Use Dial-up Networking and HANG UP
Double click on COMSTART icon.

11.8 COMRPT.exe Operation Instructions
1. To display a DODAAC duplicate record report
a) Highlight the DODAAC you wish to see.
b) Click on DISPLAY DODAAC REPORT.
This will display ALL duplicate records shipped to that DODAAC. You may
print this list or delete it.
2. To display INPUT duplicate records received.
a) Click on DISPLAY INPUT REPORT.
3. Click on QUIT to exit.

11.9 COMMO File Descriptions
ASP/MMC/DAO/ATP
Header File Descriptions
File Names
Eight characters before the period and three characters after period as an
extension. First two characters will be the first two characters from the level
indicator, Like AS for ASP, MM for MMC, DA for DAO and AT for ATP. The next
six characters form a unique number. The extension is HDR.
Header File Contents
Mandatory header file keywords and descriptions are:
SOURCE_ID: DODAAC, UIC, RIC of the sender.
DEST_ID: DODAAC, UIC, RIC of the receiver.
FILE_ID: The absolute path of the data file (No Special Characters).
Example of a Data Header File
Name : AS5202.HDR
11 October 2007
11-21
Communications
ATTRIBUTE SOURCE_ID: SAASM2ATTRIBUTE DEST_ID:
W83J HTATTRIBUTE FILE_ID: C:\dodaacom\SAASM2\OUT\AS5202.DAT
Data File Descriptions
File Names
Eight characters before the period and three characters after the period as an
extension. First two characters will be the first two characters from the level
indicator, Like AS for ASP, MM for MMC, DA for DAO and AT for ATP. The next
six characters form a unique number. The extension is DAT.

Data File Contents
All the attributes in the data field are delimited by a tilde character (~).

Sender: SAAS ASP - MMC Receiver: SAAS MMC - WARS - TAMIS
Source: Transaction
rocessing P
Action: Transaction Processing
Itm
Data Name
Le
n
Cls Data Name Len Cls Posn Remarks
1
Transaction
Format Ind
1 Text Transaction Format Ind 1 Text 1
Constant
'W' for
LMP
2 Record Type 1 Text Record Type 1 Text 2
Constant
'A' for
Asset
Transactio
n
3 Item_ID 15 Text NSN 15 Text 3-17
4 Lot_Number 18 Text LOT.NO 18 Text 18-35
5 Serial_Number 18 Number SER.NO 18 Text 36-53
6 Condition_Code 1 Text COND.CD 1 Text 54
7 RIC 3 Text RIC 3 Text 55-57
8 Purpose_Code 1 Number PURP.CD 1 Number 58
9 Transaction_Code 3 Text TRANS.CD 3 Text 59-61
10 TrnsctnQty 9 Number
TRANSACTION/LOT.QT
Y
12 Number 62-73
right-
justified,
zero fill
11 Obligated Qty
TRANSACTION/OBLIG
QTY
12 Number 74-85
right-
justified,
zero fill
11 October 2007
11-22
Communications
12 DateMFG 6 Number YR.MON.MFG.DT 6 Number 86-91YYYYMM
13 DefectCd 6 Text QUAL.DEF.CD 6 Text 92-97
14 DefectCd2 6 Text QUAL.DEF.CD 6 Text
98-
103

104-
109

110-
115

17 RestrictionCd 5 Text RESTR.CD 3 Text
116-
118

18 RestrictionCd 5 Text RESTR.CD 3 Text
119-
121

19 AmmoUseCd 5 Text AMMO.USE.CD 3 Text
122-
124

20 AmmoUseCd 5 Text AMMO.USE.CD 3 Text
125-
127

21 FUNC COND CD 1 Text 128
22 ACCEPT CD 1 Number 129
23 AMMO OWNER CD 1 Text 130
24 SHELF LIFE 1 Text 131
25 SHELF LIFE EXPIR 6 Text
132-
137
YYYYMM
26 TypStorCd 1 Text TY.STOR.SP.CD 1 Text 138
27 TypLastInsp 1 Text TLI.CD 1 Text 139
28 DtLastInsp 6 Number MO.YR.LST.INSP 6 Number
140-
145
MMYYYY
29 TypNextInsp 1 Text TNI.CD 1 Text 146
30 DtNextInsp 6 Number MO.YR.NXT.INSP 6 Number
147-
152
MMYYYY
31 DtTimeGp 13 Number DT.TM 13 Number
153-
165
YYYYDDD
HHMMSS
32 WARS CMD CD 3 Number
166-
168

33 DODAAC 6 Text DODAAC/UIC 6 Text
169-
174
XREF SP
to Mil_Org
34 DODAAC/UIC 6 Text
DODAAC/UIC
(TO/FROM)
6 Text
175-
180
XREF SP
to Mil_Org
35 DOC NBR/TCN 17 Text DOCUMENT NBR/TCN 17 Text
181-
197

36 Batch_Number 6 Number BATCH.NO 6 Number
198-
203
Batch
number,
right-
justified,
zero fill
37 Batch Record Nbr 9 Number BATCH.REC.NO 9 Number
204-
212
Record
number in
11 October 2007
11-23
Communications
batch,
right-
justified,
zero fill
38
LMP
Owner/Purpose
Cd
1 Text LMP Owner/Purpose Cd 1 Text 213
39 12
214-
225
Spaces
40
Training_Event_C
ode
3 Text TRAINING EVENT CD 3 Text
226-
228

41 4
229-
232
Spaces
42
Recording_Accou
nt_Code
3 Text Recording ACCT CD 3 Text
233-
235

43 TIN or Container 12 Text TIN_OR_CONTAINER 12 Text
236-
247

44 Crop 12 Text CROP 12 Text
248-
259

45 Config Load 12 Text CONFIG LOAD 12 Text
260-
271

46 Storage Space Cd 3 Text Storage Space Code 3 Text
272-
274

47 LMP FSA RIC 3 Text LMP FSA RIC 3 Text
275-
277

48 Typ Stg To 1 Text Typ Stg To 1 Text 278
49 Purp To 1 Text Purp To 1 Text 279
50 20
280-
300
Spaces
51 StorPtCd 2 Text Storage Point Code 2 Text
301-
302

52 CompGP 1 Text Compatibility Group 1 Text 303
53 TypePkCd 2 Text Type Pack Code 2 Text
304-
305

54 LineNo 4 Number Line_Number 4 Number
306-
309

55 ContainerInd 1 Text Container Indicator 1 Text 310
Blank or 'C'
if container
56 DODIC 4 Text DODIC 4 Text
311-
314

57 TrnsctnType 1 Text Transaction_Type 1 Text 315
58 TurnAroundInd 1 Text Turn Around Indicator 1 Text 316
59 UnitDsgntn 12 Text DODAAC_Name 12 Text
317-
328

60 WhsidentNo 5 Text Storage_Site_ID 5 Text
329-
333

11 October 2007
11-24
Communications
61 CondCdTo 1 Text Condition_Code_To 1 Text 334
62 WhsIdentNoTo 5 Text Storage_Site_Id_To 5 Text
335-
339

63 RDD 3 Text
Required Delivery Date -
Period
3 Text
340-
342

64 StorPtCdTo 2 Text Storage_Point_Code_To 2 Text
343-
344

65 ProjectCd 3 Text Project Code 3 Text
345-
347

66 PD 2 Number Priority Designator 2 Number
348-
349

67 RICTo 3 Text RIC To 3 Text
350-
352

68 ReqQuantity 9 Number Requested Quantity 9 Number
353-
361

69 AcctCdAmmoTo 3 Text
Account Code
Ammunition To
3 Text
362-
364

70 ModeOfShip 1 Text Mode Of Shipment 1 Text 365
71 ActualPullDt 7 Number Actual Pull Date 7 Number
366-
372

72 GBL 11 Text
Government Bill Of
Lading
12 Text
373-
384

73 SecDocNo 14 Text
Secondary Document
Number
14 Text
385-
398

74 3
399-
401
Spaces
75 DIC 3 Text
Document Identifier
Code
3 Text
402-
404

76
TAMISInstallation
Cd
4 Text TAMIS Installation Code 4 Text
405-
408

77 USERID 10 Text USERID 30 Text
409-
438

78 62
439-
500
Reserved
for SAAS

Example of a Data File

Name : AS5202.DAT
2005061~0001001 090143 ~15315~TAR~ASA W81K5Y~WA1305001823217
LC-04A920-054 A TAR000000003080 000000 W 000000
0000002005061090143 W81K5YW8GLAAW90HB450342001SER
020000201TTRP2005TRA NES 0001 A080BYHQ 209TH REGH460 NE 00
000003080TRA 0000000 W90HB442092004FEB michael. ~0~0~0

11 October 2007
11-25
Communications
11.10 Communications Troubleshooting
1. Communications won't start. If this is the problem you are having, there
may be a reason. When commo is started, comrun.exe creates a file at the root
of C drive called "comrunning". If for some reason commo was not ended
properly, i.e.. killed by task manager or sudden power failure, this may be the
reason. When commo starts it checks to see if the file above is there, and if so,
thinks that commo is already running and won't start to keep more than one copy
of comrun.exe from executing. Delete this file and commo will start.
2. Sending zero byte zip files. When this problem occurs it could be one of
two things. First, it may be that you are attempting to send duplicate data. If your
not sure, you can go to the folder of the DODAAC you are attempting to send to.
Navigate to the folder chk_history and delete the file chkhist.chk. If problem
persists it may be the next problem. This same problem will occur if you do not
have WinZip 9.0 SR-1 installed. It must be installed also in the Dodaacom folder.
This program was released with SCP 07and can be found on your Utility and
Database CD as part of the SCP package.
3. Terminating Commo. The communications process must be shut down
properly. Always use the Terminate Commo Icon in the SAAS Application
(COMMO) to stop commo. Killing the process using Task Manager can and
probably will create additional problems for you. How it works is that when you
click on it, it simply creates a file at the root of C drive called Terminatecom.
Comrun.exe periodically checks to see if this file exists and if so, will shut it down
and delete the Terminatecom file and Comrunning file. See one above.

11.11 Remote Dial-Up Processing
SAAS MOD no longer supports the use of Remote Access Service. This
is a feature designed for allowing users to connect via Modems. This is no
longer allowed by AR 25-2.

11 October 2007
11-26
Importing / Exporting Databases
SECTION 12.0 IMPORTING AND EXPORTING DATABASES
All users must be logged off the database before an import or export is executed.
If a user is logged on and updating data during an export, it is possible that some
tables will not be updated. At the same time, the EXP.LOG will not reflect an
error message for this occurring. An import will not be successful as well if users
are logged onto the database. Fortunately, an error message will occur and be
logged into the IMP.LOG file.
12.1 Importing the Database
Database import utility uses an operating system file generated by export utility to
restore the database.
The IMPORT icon does the following:
Recreates user SAASDB.
Drops public synonyms for SAASDB objects.
Creates tables under SAASDB.
Loads data into the tables.
Creates indexes on the tables.
Create views, synonyms, sequences and any other objects that belong to
SAASDB.
Grant privileges on SAASDB tables to other users.
Creates public synonyms for SAASDB.
To Import the Database:
1. Go to Start | Programs | SAAS Utilities | Import.
2. At " About to Import a new Database" , click on Continue.
3. At " Current data will be dropped" , click on Continue.
4. Enter password for System Account and click on OK.
5. Enter database name (asp, dao, mmc) and click on OK.
6. User will be prompted for the name of file to import. It will display all files
under C:\SAAS\DUMPS\BACKUPS. Users can also move to other
location wherever the file maybe save at. Select the file to be imported
and click on OPEN.
NOTE: Any data that existed in the database before the import will be
replaced by the data in the .DMP file selected.
7. Click on OK to confirm file to be imported. Importing will then start.
8. At " Database import is complete..." , click on OK to exit import utility.
9. Check the import log file for any errors that may have occurred. The log
file will be generated with the name of IMP.LOG under
C:\SAAS\DUMPS\IMPLOGS and is overwritten with each import. At the
end of IMP.LOG you should see "Import terminated successfully without
warnings."
11 October 2007
12-1

12.2 Exporting the Database:
Database export utility does a logical backup of the data in the database. It
backups the data in the database to an operating system file. The file thus
created can only be used by import utility to import the data back into the
database.
The EXPORT icon of the SYSTEM group backups following items:
Definitions of the tables owned by SAASDB.
Definitions of indexes on tables of SAASDB.
Definitions of views, sequences, synonyms and other objects owned by
SAASDB.
Data stored in the tables of SAASDB.
Privileges on tables of SAASDB granted to other users.
To Export the Database:
1. Go to Start | Programs | SAAS Utilities | Export.
2. At " About to Export current Database" , click on Continue.
3. Enter password for SAASDB Account and click on OK. The system will try
to logon to Oracle with the password entered. If it is wrong, it will be
prompted again.
4. Enter database name of system to be exported (asp, dao, mmc).
5. Enter filename of dmp file (EX: 980601) and click on OK. The file will be
created under C:\SAAS\DUMPS\BACKUPS with an extension of .DMP.
(Note: Do not use spaces when naming dump files.)
6. Check the export log file for any errors that may have occurred. The log
file will be generated with the name of EXP.LOG under
C:\SAAS\DUMPS\EXPLOGS and is overwritten with each report. At the
end of EXP.LOG you should see "Export terminated successfully without
warnings."
ERROR MESSAGES:
" Unable to logon, check the database." - Invalid database name was entered.
See #5 under Importing a Database or #4 under Exporting a Database.
Possibly user typed in "asp" instead of "mmc", or entered a typo such as "asd"
instead of "asp".
" Invalid System Password. Enter again." - Invalid System password entered
on Import.
See #4 under Importing a Database.
11 October 2007
12-2
" Object already exists."
This error message may be seen in IMP.LOG if a user was logged onto the
database during an import.
See #9 under Importing a Database. Start Import again without users logged
onto the database.
11 October 2007
12-3
Troubleshooting
SECTION 13.0 TROUBLESHOOTING

13.1 User Problems

The problems that are attempted to be corrected in this subsection pertain to the
Windows Server 2003 environment. For now we have identified four possible
problems that system administrators might encounter. Upon fielding the SAAS
application there maybe more problems arise. Those problems with its solutions
will be included in future documentation.
In trying to solve any problem, we will first need to identify its root cause. In this
subsection we will check on those possible causes one by one to make sure they
are correct. If any configuration error is found, we will correct them and hopefully
solve the problem.

13.1.1 Can't Log in

All users should log into the domain. The first thing they should check is to make
sure that the user name is correct, the password is correct, and the domain is
correct. The user name is not case sensitive however the password is, so make
sure it is typed exactly how it should be. Also, make sure you are using the right
domain name. We have found out that a lot of people make a mistake of logging
into the local computer account instead.
If after making absolutely sure that everything was correct and still the user can't
log in, check to make sure that there is a user account on the server. When
checking the user account, go to Local Users & Groups on the server. If the
user account is not there, follow the instructions on section 9.1.1 on how to
create a user account.

13.1.2 Can't partition or format during setup

You were trying to load Windows Server 2003 and in the middle of setup it would
not want to partition or format and couldn't continue with setup. Well, have no
fear because we have the solution for that particular problem.
The first thing you need to do is to get a hold of the latest version of MS-DOS you
can find. Insert disk #1 and re-boot the computer. Once inside MS-DOS setup,
press F3 twice to exit. On the A prompt, type fdisk. Select option 3 for delete.
Next, select option 4 to delete non-dos partition. Once that is done, re-boot the
computer and leave the disk in the drive. Again press F3 twice to exit setup.
Once on the A prompt, type format C:. This will format your C drive.
Replace the MS-DOS disk with Windows Server 2003 CD-ROM and try again to
install Windows Server 2003 by re-booting the computer.

11 October 2007
13-1
Troubleshooting
13.1.3 Formatting the 2nd Hard Drive
1. As administrator, open My Computer.
2. Click on File, then Format.
3. Click on down arrow at File System and select NTFS (default is FAT).
4. Click on Start.
5. Click on OK at Warning screen.
6. Formatting begins. Click on OK when Format completes.
7. Click on Close.

13.2 Database Problems
The following problems can occur, which are related to the database:
ERROR: ORA-12203: Connect error, cant get error text
This error occurs if neither the Oracle service nor the TNS listener has been
started on the server.
Start the Oracle related services from CONTROL PANEL / SERVICES.
ERROR: ORA-12500: Connect error, cant get error text
This error occurs if the Oracle service has not been started but TNS listener
has been started on the server.
Start the Oracle related services from CONTROL PANEL / SERVICES.
ERROR: ORA-12203: TNS: unable to connect to destination
This error occurs if the Oracle service has been started but TNS listener has
not been started on the server.
Start the Oracle related services from CONTROL PANEL/ SERVICES.
ERROR: ORA-01034: ORACLE not available
ORA-09243: smsget: error attaching to SGA
11 October 2007
13-2
Troubleshooting
OSD-04101: invalid SGA: SGA not initialized
These error occur when Oracle service and TNS listener have been started
but database is not available on the server.
It might so happen that the status is shown as started for all Oracle related
services in the SERVICES box of CONTROL PANEL but the database is not up
and running. This may happen due to invalid or missing INITORCL.ORA file or
one or all of control files, data files or log files. If the problem is with
INITORCL.ORA then only that file need to be restored from the backup. If the
problem is with any of the control files or data files or log files then all of them will
have to be restored from the same backup and it will involve redoing the work
done between the dates of the backup being restored till date.
ERROR: ORA-12154: TNS: could not resolve service name
This error occurs if TNSNAMES>ORA file on the workstation is either corrupt
or missing.
Copy the file from another working workstation.
ERROR 2140: An internal Windows Server 2003 error occurred.
This error occurs while starting TNS listener service if LISTENER.ORA file on
the server is either missing or corrupt.
Restore the file from the backup.
ORA-01652: unable to extend (name) segment by (size) in tablespace
(tablespace)
This error occurs if the available space in the tablespace mentioned is not
sufficient for the operation, which caused the error.
NAME is the object for which space is required.
SIZE is the amount of space required.
TABLESPACE is the location of the object where space is required.
The error can occur either because all allocated space for the tablespace is
utilized or space is not available on the hard disk. If the tablespace is
SAAS_ROLL or SAAS_TEMP, doing the same operation at a later time when no
other user is accessing Oracle might solve the problem. If it is any other
tablespace more space will have to be made available.
11 October 2007
13-3
Troubleshooting
13.3 Data Browser Problems

13.3.1 To Remove The Default Limitations on Data Browser:
There are 2 parameters which need to be set to proper value, MAXROWS and
MAXVMEM. To reset them, perform the following:
1) Start browser.
On Workstation: Start => Programs => Oracle for Windows Server 2003 =>
Data Browser
or Start => MMC Executables => Browser.
On Server: Start=> Programs => Oracle for Windows Server 2003 => Data
Browser
2) Login as saasuser.
3) At Create New Query window click on OK.
4) At Select Data Tables window click on Close.
5) Click on Edit => Preferences.
6) Click on Command Line on the 'Preferences for' slide bar.
7) Click on All Documents button.
8) Change the values for MAXROWS to more than the maximum
rows in any table (i.e. 100,000) and MAXVMEM (i.e. to 100M).
NOTE: These values may need to be raised on some databases to 200,000 and
200M.
9) Click on OK to close the window.
NOTE: This procedure IS MACHINED specific!
This procedure must be accomplished for each machine where Data Browser will
be executed (Workstation and Server) and these parameters are desired to be
reset. It is not user specific (either Windows or ORACLE).
11 October 2007
13-4
Troubleshooting
13.4 Comwatch Errors
Message Displayed:
COMWATCH - Unable to open COMINI.INI. Can not continue with
program execution.
Explanation:
COMINI.INI file contains the system DODAAC. If this file can not be opened,
COMWATCH can not find the system DODAAC.
Action:
Run COMSETUP to establish all DODAACs that the system communicates
including the system DODAAC. Start over again.
Message Displayed:
COMWATCH - System DODAAC not found in COMINI.INI file. Run com
setup.
COMWATCH - Can not continue with program execution.
Explanation:
COMINI.INI file contains the system DODAAC. If there is no line starting with
"MY_DODAAC" in this file, this error results.
Action:
Message Displayed:
COMWATCH - No permission to create file in \system32\drivers\etc directory.
Explanation:
Some of the parameters required for successful execution of COMWATCH are
stored in this folder. If the files containing those parameters don't exist, the
program creates them with initial values. Hence, the program needs the
11 October 2007
13-5
Troubleshooting
permission to create files in this folder. If that permission is not available, this
error occurs.
Action:
Log on as Administrator of the machine and grant the permission to the user that
runs COMWATCH.

Message Displayed:
COMWATCH - COM_SCR.TXT file not found in system root. Run Com
Setup.
Explanation:
COM_SCR.TXT file contains all the DODAACs that the system communicates
with and their level (ASP, DAO, MMC, ATP). If this file is missing, COMWATCH
will not be able to identify the destination of data.
Action:
Run COMSETUP to establish all DODAACs that the system communicates with

Message Displayed:
COMWATCH - System DODAAC not found in com_scr.txt file. Run Com
Setup.
Explanation:
COM_SCR.TXT file contains the DODAAC and the level(ASP, DAO, MMC, ATP)
of the system. If there is no entry for the system DODAAC in this file, this
error is returned.

11 October 2007
13-6
Troubleshooting
Action:

Message Displayed:
COMWATCH - COM_SCR.TXT has not been set up properly. Run Com
Set Up.
Explanation:
COM_SCR.TXT file contains the DODAAC and the level(ASP, DAO, MMC, ATP)
of the system. If the DODAAC that is to receive data is not in this file, this error is
returned.
Action:
Message Displayed:
COMWATCH - WARS_SEQ.FILE can not be opened. Check directory
permissions.
COMWATCH - WARS processing can not be done.
Explanation:
WARS_SEQ.FILE file contains the next batch number to send to WARS. If the
file does not exist, COMWATCH creates it and sets initial batch number to 1. If
COMWATCH can not create the file, this error results.
Action:
runs COMWATCH.

11 October 2007
13-7
Troubleshooting
Message Displayed:
COMWATCH - WARS_YR.FILE can not be opened. Check directory
permissions.
COMWATCH - WARS processing can not be done.
Explanation:
WARS_YR.FILE file contains the year. If the system year is same as the year in
this file COMWATCH adds 1 to batch number in the WARS_SEQ.FILE and uses
it to send the file to WARS. If they are not same, COMWATCH sets the year in
the file to system year and sets the batch number to 1 to send to WARS. If the
file does not exist, COMWATCH creates it and sets the year to system year and
batch number to 1. If COMWATCH can not create the file, this error results.
Action:
runs COMWATCH.
Message Displayed:
COMWATCH - HOLD_CUR_DAY.FILE can not be opened. Check
directory permissions.
COMWATCH - CCSS processing can not be done.
Explanation:
HOLD_CUR_DAY.FILE contains the day of the month. COMWATCH uses this
number to reset the sequence number in CCSS_SEQ.FILE to 1 when the first file
for the day is received. If COMWATCH can not open this file to write, then it
returns the above error.
Action:
runs COMWATCH.
Message Displayed:
COMWATCH - CCSS_SEQ.FILE can not be opened. Check directory
permissions.
COMWATCH - CCSS processing can not be done.
11 October 2007
13-8
Troubleshooting
Explanation:
CCSS_SEQ.FILE contains the sequence number that COMWATCH uses for file
sequence number in the file header sent to CCSS. This number must be unique
within a day. It checks in HOLD_CUR_DAY.FILE for the day, and if it is same as
system day, it adds 1 to the number in CCSS_SEQ.FILE file and uses it for file
sequence number. If it is not same, then it sets the day in
HOLD_CUR_DAY.FILE to system day, sets the number in CCSS_SEQ.FILE to 1
and uses 1 for file sequence number. If COMWATCH can not open this file to
write, then it returns the above error.
Action:
runs COMWATCH.
Message Displayed:
COMWATCH - Non Group Out data file <<file name>>can not be created.
COMWATCH - Can not process outgoing SAAS data
Explanation:
COMWATCH is not able to create an out-going file.
Action:
This may be because there is no space on the hard drive or the user that is
executing COMWATCH does not have permission to create files on C:\DODAAC
folder. Check the source of the problem and fix it.

Message Displayed:
COMWATCH - Out data file <<file name>>can not be created.
Explanation:
COMWATCH is not able to create the outgoing file either because there is no
space on the hard disk or file create permission is not given to the user running
COMWATCH.
11 October 2007
13-9
Troubleshooting
Action:
Check for the possible problems and correct.
Message Displayed:
COMWATCH - An incorrect group is present in the Database.
Explanation:
Grouped transactions, like RECON, have a group number and sequence number
within the group. Group number is set to the number of transactions within the
group. Before creating a file for this grouped transactions, COMWATCH checks
whether the group has all the transactions that make up the group. If not,
COMWATCH gives this error.
Action:
Delete the transactions from TRANSACTION_COM_OU and regenerate the
transactions.
Message Displayed:
COMWATCH - For level indicator <<system level>>Destination DODAAC is not
defined in COM_SCR.TXT.
COMWATCH - Can not process outgoing data.
Explanation:
TRANSACTION_COM_OU table has an attribute called DESTINATION.
Programs set this to three character system level followed by a space and,
optionally, DODAAC. COMWATCH checks the COM_SCR.TXT for DODAACs
that match the level in DESTINATION attribute. If no DODAAC is found in the file
for that level, the transaction can not be sent. Hence, COMWATCH gives this
error.
Action:
Run COM Setup and establish all DODAACs.

11 October 2007
13-10
Troubleshooting
Message Displayed:
COMWATCH - Unable to create <<file name>>file, Function terminating.
COMWATCH - Can not process outgoing ULLS data.
Explanation:
COMWATCH is unable to create the outgoing ULLS file because there is no
COMWATCH.
Action:

Message Displayed:
COMWATCH - The file RI.TXT does not exist.
COMWATCH - Can not process outgoing CCSS data
Explanation:
RI.TXT file has router identifier and office symbol. This information is put in the
header of the file sent to CCSS. If RI.TXT does not exist, then COMWATCH
gives this error.
Action:
Create RI.TXT file with the above information.

Message Displayed:
COMWATCH - Record has incorrect ric - <<ric>>, Record to be corrected.
COMWATCH - <<data record>>
COMWATCH - Can not process outgoing CCSS data.

11 October 2007
13-11
Troubleshooting
Explanation:
COMWATCH checks the transaction code of outgoing transaction to CCSS. If it
is A0E or A05 and RIC is not B14 or B64 then COMWATCH gives this error.
Action:
Delete the transaction form TRANSACTION_COM_OU.
Message Displayed:
COMWATCH - Unable to open wars outbound file <<file name>>. Contact
Support.
COMWATCH - Can not process outgoing WARS data
Explanation:
COMWATCH is unable to create the outgoing WARS file because there is no
COMWATCH.
Action:
Message Displayed:
COMWATCH - Unable to open ILAP outbound file <<file name>>. Contact
Support.
COMWATCH - Can not process outgoing ILAP data.
Explanation:
COMWATCH is unable to create the outgoing ILAP file because either there is
no space on the hard disk or file create permission is not given to the user
running COMWATCH.
Action:

11 October 2007
13-12
Troubleshooting

Message Displayed:
COMWATCH - Unable to open <<file name>>file, Function terminating.
COMWATCH - Can not process incoming ULLS data.
Explanation:
COMWATCH is unable to open the incoming ULLS file because file read
permission is not given to the user running COMWATCH or the file is corrupted.
Action:

Message Displayed:
COMWATCH - DAAS_IN_SEQ.FILE can not be opened. Check directory
permissions.
COMWATCH - DAAS processing can not be done.
Explanation:
DAAS_IN_SEQ.FILE contains a number that COMWATCH uses for
CONTINUATION_SEQ attribute of TRANSACTION_COM_IN table when loading
data from DAAS/SPBSR. Every time an incoming file is loaded into the table,
COMWATCH reads this file adds 1 to it and stores in the and uses it. If
COMWATCH can not open this file to write, then it returns the above error.
Action:
runs COMWATCH.

11 October 2007
13-13
Troubleshooting
Message Displayed:
COMWATCH - DAAS incoming file cannot be removed. File name :<<file
name>>
COMWATCH - <<rec count>>no of erroneous transactions found
COMWATCH - <<rec count>>no of correct records found out of <<rec
count>>nos, please check daas incoming file
COMWATCH - Erroneous DAAS incoming file. Can not process DAAS
incoming file.
Explanation:
An incoming DAAS file has NULL at the beginning of some lines.
Action:
Correct the file.

Message Displayed:
COMWATCH - Incomplete Group Present in the Data File :<<file name>>
COMWATCH - Can not process this file
Explanation:
Total number of transactions in the file does not match MAX_GROUP_SEQ.
Every line in the incoming file has a sequence number and the highest sequence
number in the group. If the transactions are not grouped, then both these
numbers are zeros (0). For grouped transactions, like RECON transactions,
highest sequence number represents the number of transactions in the group
and sequence number is the sequence of the transactions within the group.
Action:
Get source of the file to resend the file.

11 October 2007
13-14
Troubleshooting

13.5 System Running Slow
1. Whats running?
a. Check Taskbar at bottom of screen
b. Go to Task Manager via (CNTRL-ALT-DEL)
Look at applications tab and CPU performance, also can check memory usage
(good to check at bottom of Task Mgr screen)
c. Antivirus software may have become activated.
2. Make a screen print and send it to CAO.
3. How much disk space is on C: and D:?
Go to My Computer->Right click on C: drive. Go to Properties.
See Used and Free space.
Repeat above for D: drive, if needed.
4. Ways to free up space on Server:
a. Run Spacemaker.
b. Archive Transaction History Files - This may not actually free up space on
the system but may make the db run faster.
c. If it has been some time since an import was performed (not a recent SCP),
an export followed by an immediate import of the database just exported
will do a cleanup of the db.
Below is for both Server and Workstations:
d. Go to Start->Programs->Administrative Tools ->Computer Management.
Look in the Storage area and click on Disk Defragmenter.
In the right window will be Analyze and Defragment buttons.
11 October 2007
13-15
Troubleshooting
Select Analyze. System will respond if defragmentation is recommended or
not and will have buttons to Exit or Defragment. If they decided to
Defragment they should close any open files/processes.
NOTE: On the Server, a defrag followed by an export and an immediate
import of the db just exported is considered an ultimate cleanup.
e. Go to Internet Explorer. Select Tools->Internet Options.
On the General tab, have user select and confirm the following buttons:
Delete Files
Delete Cookies
and even hit Clear History button (less here probably)
If the above suggestions fail to resolve a users complaints, then come and
inform us. There are a few other things that could be checked, however more
than likely at this point it may be an issue for their local IT people or a hardware
issue.

13.6 Relationship between SAAS and Oracle
Understanding the Relationship between SAAS and Oracle Users
*As of SCP-08 Maintain Users will accept more than just 8 characters. Windows
OS limits to 20 characters. Username should match Windows OS username and
SAAS Oracle User usernames below. Is case-sensitive.
Maintain Users
This is an exe in SAAS Application Install and a user should be created matching
the Windows OS Usernames that run SAAS application. Access can be
controlled by transaction. SAAS does not authenticate, but gives privileges.
Windows OS usernames
General username to logon to system and/or network. Probably assigned to user
by DOIM. Must match username created in Create Oracle User in order to use /
in iefgdic.ini and avoiding the 2nd logon screen. Is case-sensitive.
11 October 2007
13-16
Troubleshooting
Create Oracle User
Create an oracle user to logon to the db. This is needed in order to create SAAS
application transactions and run reports. As stated above, must match Windows
OS username in order to use / in iefgdic.ini and avoid 2nd logon screen.
ORA_SAAS_DBA Group
Only those users that need to startup or shutdown the database need to be in
this local group. NOT a good idea to put all users in this group! Startup/Shutdown
Oracle DB is needed by those who run Scheduled Backup, MMC Reconciliation,
Lock/Unlock the Database (via SAAS->Utilities) or login to SQL Plus and
startup/shutdown the db.
*The Oracle Install script also uses sql scripts that require this ability. If NOT a
member of the ORA_SAAS_DBA group, sql scripts will not properly backup and
recreate the Oracle usernames and passwords (created via SAASOracle User)
during the Oracle Install (resulting in them having to be manually re-created).
13.7 Customer Assistance FTP Process Using Secure FTP
This is a process provided by Fort Lee for users to be able to send files such as
your database or to get files from Fort Lee to help with problem resolution. The
address and login information is provided below to connect to the SAAS MOD
FTP site.
If you experience problems connecting then there is probably a firewall filter at
your location that will not allow you to FTP out. If so, contact your local DOIM.
This site is in the public domain and has no restrictions for access. We
recommend that you use the GlobalScape Secure FTP as the means to do so.
Follow the instructions below when needed or instructed by SAAS MOD
Customer Assistance Personnel from the Start\Programs\GlobalScape\Cute FTP
Professional\Cute FTP 7 Professional.
Use the following to connect to the Fort Lee (SAAS) FTP Server:
UserID Password
saasftp AB!#rt89ee
saasftp2 Mpn7y9rs.*
saasftp3 *.sr9y7npM

11 October 2007
13-17
Troubleshooting

1.) Click on File\New\SFTP (SHH2 Site) and the following screen will pop up.

11 October 2007
13-18
Troubleshooting
2.) Enter the data as shown below using the data from above. The address is
static; however you may use any of the above user names and passwords. Each
has the same level of permissions.

11 October 2007
13-19
Troubleshooting

3.) On the screen under "source" (the upper left window) you may select
location of file to transfer using the drop down to the level to select a specific
file. On the "destination" (the upper right window) you may select the location to
send the file to as well. Recommend you go to the Upload folder and then your
folder. You can also create a folder if one does not exist by clicking the Create
New Folder Icon on the top Menu Bar.

11 October 2007
13-20
Troubleshooting

4.) When you are ready to send the file you can right click and select Upload
or you may simply drag and drop the file to its destination:

11 October 2007
13-21
Troubleshooting

5.) Once the file begins transmitting, you will see the progress as shown in the
status window which is the bottom portion of the screen:

11 October 2007
13-22
Troubleshooting
6.) To go back to the first folder you click on the IP address of 132.159.16.40
under other Places. To close out click on the X in the upper right-hand corner.

11 October 2007
13-23
Troubleshooting
7) When it completes you will see 100% of the file. Select another file if you have
more to send and repeat the steps above.

8) When you are finished. Right click on the tab at the bottom of the
destination window (upper right window) with the name you used for your
connection and Select close. Then close the window.
NOTE: The next time you have a need for this procedure,
GlobalScape will have saved these settings and under the Site
Manager, right click on your connection and click on Connect.
11 October 2007
13-24
COOP
SECTION 14.0 CONTINUITY OF OPERATIONS PLAN (COOP)

14.1 General
All Army Data Processing Installations (DPI) require a COOP to allow continued
operation of critical data processing functions that could be interrupted due to the
loss of hardware, software, and data. The standards, procedures, and
responsibilities for the COOP are contained in Department of the Army Technical
Bulletin No. 18-108, Army Automation, Continuity of Operations Plan (COOP).
Assistance in preparing a COOP should be obtained from the organization
automation or security office.

14.2 Sample
Sample COOP Outline. TB 18-108, Appendix A, contains a sample COOP
outline. That sample outline is reproduced below. It is intended only to be used
as a guideline.

DEPARTMENT OF THE ARMY
DATA PROCESSING INSTALLATION (DPI NUMBER)
FORT BLANK, MARYLAND 12345-7890

CONTINUITY OF OPERATION PLAN (COOP)

DATE: ____________

11 October 2007
14-1
COOP

Table of Contents

Section Paragraph
I General
Purpose 1-1
Mission 1-2
Responsibilities 1-3
Contingencies or Risk Analysis 1-4
Job or Systems Priorities 1-5
Succession of Personnel 1-6

II Protection of Records and Documentation
List of records and documentation 2-1
Procedures for safeguarding essential materials 2-2

III Emergency Response
Detail Procedure 3-1

IV Backup Operations
11 October 2007
14-2
COOP
Designation of COOP site 4-1
ADPE Configurations 4-2
Facilities, security, supplies, and communication 4-3
Personnel requirements 4-4
Planning coordination 4-5
Emergency movement procedures 4-6
AUTODIN interface 4-7

V Recovery
Recovery plans 5-1

VI Contingency Operations as Host Site
Planning coordination 6-1
ADPE Configurations 6-2
Facilities, security, supplies, communication, and
transportation
6-3
Personnel requirements 6-4
Billeting and messing requirement 6-5
MINIMIZE Processing plan 6-6

COOP Appendixes

11 October 2007
14-3
COOP
A. Letter of Agreement with COOP site

B. Key Personnel and points of contact at COOP site

C. Inventory list of COOP material at alternate files storage
area

D. Inventory of COOP material prepositioned at COOP site

E. Magnetic media and supplies required at COOP site
(items that will not be transported from home site, but are
required for operations at the COOP site)

11 October 2007
14-4
AIT Installation
SECTION 15.0 AIT INSTALLATION

15.1 Overview
The purpose of this document is to detail the activities needed to accomplish the
installation of an AIT application onto SAAS-MOD Servers and Workstations.
Installation for the Server will be from the SAAS-MOD CD, the workstation will
install from the Server.
These instructions will cover:
Installation of the SAAS AIT application
Hardware driver installation
Handheld software installation
Setting up AIT equipment

15.2 Installation of SAAS AIT Application

With the implementation of L6F-03-00 the application software for AIT will be no
longer be automatically loaded when the baseline is installed. There are
separate steps to install AIT application software. These steps are as follows:

15.3 Setting up your AIT Equipment

ASP
The ASP can connect the following equipment:
1. Symbol HHT (Hand Held Terminal with Hand Held Device HHD)
(Server)
2. SAVI Docking Station for Tag Writer (Server or Workstation)
3. Zebra Z4000 Label Printer (Server)
4. Gemplus GCR200 Smart Card Reader/Writer (Workstation)

ATP
The ATP can connect the following equipment:
1. Symbol HHT (Hand Held Terminal with Reader) (Server)
2. Zebra PT403 Mobile Label Printer (Server or HHD)
3. Gemplus GCR200 Smart Card Reader/Writer (Server)

For additional information see Section 5.6 Adding AIT/SAVI BPS Devices at
Section 5.6

11 October 2007
15-1
AIT Installation
15.4 Connecting AIT to your computer

1. Connect the Symbol HHT (Hand Held Terminal with Hand Held Device HHD to
the COM 1 port on your Server or Workstation. It needs to be configured
according the instructions set forth in Section 15.7 so that others in the domain
will have access to it.

2. Connect the SAVI Docking Station for Tag Writer to the COMM 2 port on your
Server or Workstation.

3. Connect the Zebra Z4000 Label Printer to the parallel port on your Server. It
needs to be configured according the instructions set forth in Section 15.7 so that
others in the domain will have access to it.

4. Connect the Gemplus GCR200 Smart Card Reader/Writer to the COMM 1 port
on your Workstation.

5. Connect the Zebra PT403 Mobile Label Printer to the HHD.

15.5 Driver Installation and settings

Note: You must be logged on as administrator on local machine.

Zebra Z4000 Label Printer

NOTE: During an upgrade to either Windows Server 2003 or Windows XP that
your Zebra Z400 is attached to it will continue to display Found New Hardware
for the Zebra Printer. Close the window and follow these instructions to reinstall
your Zebra Z4000 printer.

1. Click on Start / Printers and Faxes
2. Right click on the Zebra Z4000 printer and select Delete and Yes to confirm
3. At the Found New Hardware Wizard (You may have to log off and back on to
get this window) Select No, not at this time.
4. Click on Install from a specific location and click on Next.
5. Click on don't search and click on Next.
6. Uncheck the box to Show Compatible Hardware.
7. Select Generic as the Manufacturer and Text Only as the Model.
8. At the warning to update the driver Select Yes, then Next.
9. Select Finish.

11 October 2007
15-2
AIT Installation

Zebra PT403 Portable Label Printer

1. Double click on My Computer
2. Double click on CD (will bring up Zebra Accessories Window)
3. Click on Software
4. Click on Windows 2003/2000 Printer driver
5. Click on Install Windows 2003/2000 Printer driver
6. Click OK to message: Follow the Printer Wizard instructions, click the "Have
Disk" button and paste (Shift +Ins, or Ctrl +v) the path
7. Click Next at Add Printer Wizard
8. Check COM1, press Next
9. Press <Ctrl +Ins>keys, click on OK (will fill in path for you)
10. Select Zebra PT400, click on Next
11. Click Next on Printer Name Window
12. Click Next on Sharing Window
13. Click Finish
14. Close all windows

15.6 Burn-In of the Hand Held Device

Note: You must be logged on as administrator on the Domain.

The following files should be on the hard drive of your PC:
TCM7000.EXE -----\
FXVMAPI.DLL ------|----- image download program

Image files:
WINPT16M-2.hex Partition Table
LOGIAPP3.HEX SAAS-MOD Application
DATA-3.HEX SAAS-MOD AIT_IN/AIT_OUT Data partition
PLATFORM.HEX Symbol-specific partition

If you are trying to rebuild a corrupted handheld, you might also need:
SPLASH.HEX Startup Graphic.
LOADER.HEX boot loader
NK.HEX Windows CE itself.
11 October 2007
15-3
AIT Installation

Flashing the 7200 WinCE with SAAS-MOD
Run TCM7000. Select the icon on the toolbar which looks like a cable end, the
Load Terminal icon. Alternatively, choose the File menu option and select Load
Terminal.
Chose the appropriate COM port (often COM1:), and set the baud rate to
115200, the protocol to XON/XOFF and browse to the WINPT16M-2.HEX
Partition Table file mentioned above.
Cold boot the HHT by holding down both the power button and the trigger for a
count of at least 16 (the HHT will reset itself even if you are still holding down the
button and trigger). This puts the HHT into "IPL" mode. You will be presented
with a menu of baud rates. Select 115200 by tapping on the up and down arrow
keys on the left and right edges of the screen. When 115200 is selected, tap the
word "Enter" at the bottom of the screen.
The Partition image must be flashed *before* flashing the following images: Data,
Application, and Platform. Flashing it after will wipe out the data just downloaded.
Therefore, the first flash download should be a single download done first.
Choose the "Multiple Images" selection on the HHT, and place it in the cradle.
The HHT should display a screen reading: "Waiting for Data / Multiple Images /
115200". If the screen does not read this, return to the main IPL menu and repeat
the HHT procedure.
First, we download the Partition Table. After following the TCM7000 instructions
above, you should be all set to do this. Press OK. The Partition Table is very
small, and takes only a few seconds to complete.
You will see a progress bar on the workstation, and a set of numbers counting
down on the HHT. Each "block" of a partition is worth 8K. The Flash memory is
erased first, and then data is downloaded and written to the HHT.
After the Partition Table is downloaded, choose Load Terminal on the PC again.
Your settings should be preserved from the last download (appropriate COM
port, Baud Rate 115200, protocol XON/XOFF). Ensure this is true and press the
"Multiple Hex File Download" button.
Highlight the following files by holding down your Control key and left-clicking on
the file name with the mouse: "DATA-3.HEX", "LOGIAPP3.HEX",
"PLATFORM.HEX". The three file names should appear in the File name: box.
11 October 2007
15-4
AIT Installation
Press Open to initiate the transfer. Each of the three files should be downloaded.
This task will take approximately 10 minutes.
If there is a problem, an error message will appear on the HHT. If you cannot
successfully download all three files, repeat the steps listed above, substituting
57600 wherever it says 115200.
Next, press menu, enter run system, enter calibrate to calibrate the HHT device.
Note: Under WinCE you must go to Control Panel>Power
Management>System>Wakeup and set AC Connection and Cradle Insertion to
"yes". Also set the Time Zone to your locality under Regional Settings.

SAAS-Mod HHTServe

If you want multiple Cradles (each connected to a workstation) to transfer files
to/from a central location, you must make a shared volume on your server. For
example, C:

If you just want to transfer files to/from a single workstation, choose a partition
where the transfer files will reside. Where the instructions below say C:, you will
use the drive letter and a colon, e.g. D:

Copy the following files into C:\
HHTSERVE.EXE
CRADLE.DLL
DOCK.DLL
FILEINFO.DLL
RESPONDER.DLL
RSTRING.DLL
SIO32.DLL
CONFIG.CFG

Create an AIT_IN folder and an AIT_OUT folder in C:\, i.e.
C:\AIT_IN
C:\AIT_OUT

And create subfolders for each module:
C:\AIT_IN\COUNT
C:\AIT_IN\INVENTORY
C:\AIT_IN\QUICKISSUE
C:\AIT_IN\RECEIPT
C:\AIT_IN\STOCK
C:\AIT_IN\STORE
11 October 2007
15-5
AIT Installation
C:\AIT_IN\SURVEY
C:\AIT_IN\TRANSFER
C:\AIT_OUT\COUNT
C:\AIT_OUT\INVENTORY
C:\AIT_OUT\QUICKISSUE
C:\AIT_OUT\RECEIPT
C:\AIT_OUT\STOCK
C:\AIT_OUT\STORE
C:\AIT_OUT\SURVEY
C:\AIT_OUT\TRANSFER

Use Notepad to edit C:\CONFIG.CFG.

Set the PORT=1 to the proper COMM port for the workstations.

Open C:\ from each workstation, and run HHTSERV.

15.7 AITCFG Tool

This tool has been developed to help users implement additional printing
capability that comes with AIT. These are the Zebra Label printer and the Hip
Printer. All printers need to be configured for each system to define whether or
not it is a host or client for print purposes. All computer systems come with only
one parallel port to attach a printer. Therefore, one computer cannot have the
printer for reports and print labels at the same time.

NOTE: INSTALL INTERNET EXPLORER 6.0 OR HIGHER. THIS IS ON YOUR
UTILITY CD SHIPPED WITH L6F-06-00 PRIOR TO INSTRUCTIONS BELOW!

HHT INSTALL

1. Navigate to SAAS\AIT folder and double click on the AITCFG.exe file.
2. On screen Install AIT Modules, click on the HHT.
3. Click Yes to stay connected to COM1. NOTE: If using SAVI click NO.
4. Click on OK to reboot.
5. Click on OK to message "Installation Completed"
6. Reboot the system.

LABEL PRINTER (HOST)

2. Click on the Printer.
3. Answer Yes to "Are you sure you want to use this share name?" and press
enter.
11 October 2007
15-6
AIT Installation
4. Answer Yes to "Are you sure you want to use this share name?" and press
enter.
5. Leave HOST as the choice and click OK.
6. At message, insert a floppy in drive A and click on OK.
7. At message "Configuration file ready for other stations", click on OK.
8. At message "Barcode Print Server files ready please reboot to begin" Click on
OK.
9. Click on OK to Install Complete Remove the floppy and save.
10. Reboot your system for change to become effective.

LABEL PRINTER (CLIENT)

2. Click on the Printer.
3. Enter "Client" in message "Please enter a choice Host or Client", Click on OK.
4. At message, insert the configuration floppy in drive A" and click on OK.
5. At message "Configuration file installed", click on OK.
6. At message "Barcode Print Server files ready please reboot to begin" Click on
OK.
7. Click on OK to Installation Completed message and remove the floppy.
8. Reboot your system for change to become effective.
9. Repeat steps 1 thru 8 for all workstations to be able to print barcode labels.
15.8 Troubleshooting AIT
The listed errors below are not all inclusive. These are just some of the
most frequent error types encountered.

ORACLE ERRORS

Problem: SQL*Loader-522: lfiopn failed for file
(C:\SAAS\AIT_IN\ERRORS\INVENTORY\INVENTORY_PROCESS_ERRORS.P
RN)

Solution: The folder "ERRORS" was missing. Create the folder and rerun the
process.

Problem: SQL*Loader-704: Internal error: ulconnect: OCIServerAttach [0] ORA-
12541: TNS: no listerner

Solution: Oracle is not running. Reboot the system, or start Oracle Services
and rerun the process.
11 October 2007
15-7
AIT Installation
15.9 AIT Practical Exercise

PRACTICAL EXERCISE BOOKLET

05 JULY 2006
(Date)

COURSE TITLE
STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-MOD)
AUTOMATIC IDENTIFICATION TECHNOLOGY (AIT) NEW EQUIPMENT
TRAINING (NET)

FOR THE
AMMUNITION STORAGE AREA OPERATIONS

COURSE NUMBER
SCP-03

THIS PACKAGE HAS BEEN DEVELOPED FOR:
PROPONENT FOR THIS PE IS:
SAAS-MOD ASA AIT

11 October 2007
15-8
AIT Installation
TABLE OF CONTENTS PAGE
PREFACE 2
SECTION I ADMINISTRATIVE DATA 3
SECTION II INTRODUCTION 5
SECTION III PRACTICAL EXERCISE 7
A21 COURSE OVERVIEW 7
TASK 21A Log On As the System Administrator (SA)
7
TASK 21B Log On As a SAAS-MOD Operator 7
TASK 21C Review AIT and Related Processing on the
ASP Executable Menu
8
A22 - INTRODUCTION TO AIT HARDWARE 11
TASK 22A Prepare the PC, 751G, Cradle, Bar Code Printer,
And Portable Printer for SAAS-MOD Operations
11
TASK 22B Examine the Basic Features of the 751G Hand
Held Terminal (HHT)
11
TASK 22C Examine the Basic Features of the Cradle 12
TASK 22D Connect the Cradle to a SAAS-MOD Workstation 13
TASK 22E Unpack and Inspect the Intermec PM4i Printer 14
TASK 22F Prepare the PM4i Printer for SAAS-MOD
Processing
14
TASK 22G Prepare the Intermec PT403 Portable Printer for
SAAS-MOD Processing
31
11 October 2007
15-9
AIT Installation
A23 AIT SOFTWARE INSTALLATION 33
TASK 23A Install SAAS-MOD-UPLOAD-INSTALL Software 33
TASK 23B Install Microsoft ActiveSync 4.1 Software 39
TASK 23C Set Up a New Partnership 48
TASK 23D Load SAAS-MOD Software on the 751G 54
TASK 23E Improve Bar Code Readability with the 751G 58
TASK 23F Run SAAS-MOD on the 751G 59
C20 - PRINT 2D PACKAGE/PALLET LABELS FROM THE AIT 751G 62
C21 - PRINT SHIPPING LABELS FROM SAAS-MOD 69
C22 - PRINT 2D PACKAGE/PALLET LABELS FROM SAAS-MOD 71
C23 - MAINTAIN USER ACCOUNTS FOR AIT 751G USERS 77
C24 - USE AIT ASSIGNMENT STATUS TO VIEW/CHANGE WORKLOADS 80
C25 - USE WORKLOAD TO VIEW/CHANGE AIT 751G WORKLOADS 85
C26 - AIT EXCEPTION MAINTENANCE 90
C27 - USE AIT TO PROCESS AND STORE RECEIPTS 93
C28 - USE AIT TO STORE A TURN-IN 108
C29 - PERFORM A LOCATION SURVEY WITH AIT 117
C30 - INITIATE AN INVENTORY ON THE AIT 751G 125
C31 - PERFORM AN INVENTORY USING THE AIT 751G 123
C32 - USE AIT TO SELECT STOCK FOR AN ISSUE OR SHIPMENT 141
C33 - USE AIT TO SELECT STOCK AND STORE AN IDT 152

11 October 2007
15-10
AIT Installation
PREFACE
Purpose: This practical exercise booklet is designed to be used with the Standard Army
Ammunition System (SAAS-MOD) Ammunition Storage Area Operations AIT Training
Course.
SECTION I - ADMINISTRATIVE DATA
TITLE: Practical Exercise for SAAS-MOD Storage Area Operations Using
AIT Equipment
COURSE NUMBER: SCP-03
COURSE TITLE: SAAS-MOD Storage Area Operations Using AIT
CLEARANCE AND ACCESS: Unclassified
STUDENT STUDY ASSIGNMENT: None
EQUIPMENT REQUIRED FOR THE INSTRUCTION:
1 - SAAS-MOD File Server
1 SAAS-MOD Workstation per student
1 Intermec 751G Hand Held Terminal per student
1 Intermec PT403 Portable Printer per student
1 Intermec PM4i Thermal Bar Code Printer per table
(1-2 students)
MATERIALS REQUIRED:
PE Booklet
CLASSROOM, TRAINING AREA, AND/OR RANGE REQUIREMENTS:
Classroom for 20 students equipped with one SAAS-MOD ASP system (file sever
w/laser printer and workstation w/thermal printer per student.
AMMUNITION REQUIREMENTS: None
PROPONENT RESIDENT LESSON PLAN APPROVALS:
NAME GRADE POSITION DATE
11 October 2007
15-11
AIT Installation
SECTION II - INTRODUCTION
As an ammunition manager, you must know how to use automation to manage an
ammunition stock record account. You must be aware that keeping all records up to date
as changes occur assures the accuracy and integrity of the management structure you use
to support your asset records.
TERMINAL LEARNING OBJECTIVE:
Using a SAAS-MOD server, workstation, AIT equipment, End Users Manual (EUM),
and the System Administrator Manual (SAM), you must be able to operate SAAS-MOD
utilizing state-of-the-art Automated Identification Technology (AIT).
During this course, you will accomplish the following:

ACTION: Use the procedures in the EM and SAM to operate SAAS-MOD utilizing
state-of-the-art AIT technology.

CONDITION: In a classroom environment, given an EM, SAM, SAAS-MOD server or
workstation, and AIT equipment.

STANDARD: Correctly operate SAAS-MOD utilizing state-of-the-art AIT technology.

SAFETY REQUIREMENTS: None

RISK ASSESSMENT LEVEL: None

ENVIRONMENTAL ASSESSMENT: None

EVALUATION: None

INSTRUCTIONAL LEAD IN: None

GENERAL: This booklet contains the practical exercises for the SAAS-MOD Storage
Area Operations using AIT equipment.
Each time you logon to a Windows system, a User Name and Password is required.
During the training, you will be required to log into SAAS-MOD as a SAAS-MOD
operator and as the system administrator utilizing the user names and passwords as
shown. (NOTE: In SAAS-MOD, both user name and password are case sensitive).

SAAS operator System Administrator
USER NAME Saasmod Administrator
PASSWORD saasmod1 Admin

11 October 2007
15-12
AIT Installation

During training, you will logon to the 751G as shown below.

AIT 751G
OPERATOR/RECORDER/COUNTER
AITUSER1
AITUSER2
AITUSER3
AITUSER4
AITUSER5

Throughout the training, please follow these instructions:
1) All lessons begin with an instructor led exercise.
2) Listen and follow along with the instructor (i.e. dont get ahead of or fall behind
the instructor). Always complete the tasks in the sequence directed by the
instructions.
3) Complete each task before proceeding to the next task.
4) If information is not provided for a field, leave the field blank.
5) If you have any questions or need help at any time, please let the instructor know.

TRAINING SCENARIO: (This scenario will be used for all training exercises unless
told otherwise)
You are the Ammunition Manager for an ammunition storage area.
The current structure consists of a management center (60M), a storage area (Z1),
three storage points (Z1, Z2, & Z3) with ten storage sites (warehouses) at each storage
point.
Your operation is incorporating AIT technology into all phases of the storage
operation.
You as a supervisor are required to implement AIT into daily operations.
11 October 2007
15-13
AIT Installation
SECTION III PRACTICAL EXERCISE
A21- Course Overview

Each student will have the following equipment during this training course:
1) SAAS-MOD File Server-Workstation with an Intermec thermal bar code label
printer attached.
2) 751G Hand Held Terminal (HHT) also called a Portable Display Terminal
(PDT) with cradle (docking station) connected to a SAAS-MOD Workstation
3) Intermec Portable Printer w/communication cable.
During the training you will be required log onto the SAAS-MOD workstation as an
operator, the SAAS-MOD file server as the system administrator, and the 751G handheld
as an AIT user.
During the overview, we will review the logon procedures for SAAS-MOD and briefly
describe the SAAS-MOD ASP Executable processes that are used with the 751G
handheld.

Task 21A - Logon as the System Administrator (SA)
Press the CTRL + ALT + DEL keys at the same time to display the Logon Information
window. Then use the information in bold on the table beside the window to log on as the
System Administrator.

Log on as the System Administrator
User Name: administrator (case
sensitive)
Password: ******** (case sensitive)
Domain: ASP

Click OK

Remember, when you log on as administrator you do not have access to the SAAS-MOD
processes.

Click on the Start button and then click on Shutdown. When the Shutdown Window
appears click on Close all programs and log on as a different user? Click on Yes

11 October 2007
15-14
AIT Installation
Task 21B - Log on as the SAAS-MOD Operator

Press the CTRL + ALT + DEL keys at the same time to display the Logon Information
window. Then use the information in bold on the table beside the window to log on as the
SAAS-MOD operator.

Logon Information Window Log on as
the SAAS-MOD operator
User Name SAAS-MOD (case
sensitive)
Password SAAS-MOD1 (case
sensitive)
Domain ASP

Click OK

When you log on as SAAS-MOD you have access to the SAAS-MOD functional
processes.

11 October 2007
15-15
AIT Installation
Task 21C - Review AIT and Related Processes on the ASP Executable Menu.

Select the Process. Start | Click on ASP Executable to display the ASP menu.

11 October 2007
15-16
AIT Installation

The AIT Assignment Status process allows you to review the workload currently
assigned to a 751G. You can also use it to cancel and reassign workload assignments to
the 751G.

The AIT Exceptions Maintenance process shows transactions that came from the 751G
that SAAS-MOD could not process. This process can be used to delete or resubmit
transactions.

The Prt Pkg Plt Label (Print Package/Pallet Label) process lets you print 2D
package/pallet labels for on-hand assets. The system creates the label based on your
selection and the packaging information on the ammunition item table for conventional
ammunition and your selection of NSN and serial numbers for serialized ammunition.

The Prt Shp Lbl (Print Shipping Label) process allows you to print shipping labels for an
outgoing shipment.

The Workload process allows you to review the current workload, including everything
that currently assigned to the 751G, by transaction type. It can be used to cancel, assign,
and reassign workloads to the 751G.

AIT is also used with the following ASP Executables:

Inter-Depot Transfers (IDT)
Inventory
Location Survey
Receipts
Shipments
Turn-Ins

SUMMARY FOR COURSE OVERVIEW
During this overview, we reviewed the logon procedures for SAAS-MOD and briefly
described the SAAS-MOD processes on the ASP Executable menus that are used with
AIT.
11 October 2007
15-17
AIT Installation
A22 - INTRODUCTION TO AIT HARDWARE

Introduction.
The primary SAAS-MOD AIT equipment consists of a 751G Handheld Terminal (HHT) with cradle, a
portable printer and a stationary thermal bar code label printer. Ribbons, labels, and spare batteries are also
provided.
Equipment Overview.
SAAS-MOD AIT uses the 751G HHT to collect receipt, shipment, storage and inventory data from linear or
2D Pallet/Package labels at Ammunition Supply Points (ASP) and Ammunition Transfer Points (ATP). Once
the data is collected, it is transferred to a SAAS-MOD workstation for processing in SAAS-MOD.
The Intermec 751G is a specific type of hand held terminal (HHT), and in this section, the 751G and Portable
Data Terminal (PDT) are interchangeable terms. The 751G HHT comes loaded with Windows CE.Net
program.
TASK 22A PREPARE THE PC, 751G HAND HELD, CRADLE, STATIONARY AND
PORTABLE PRINTERS FOR SAAS-MOD AIT OPERATIONS.
This is an instructor led exercise. Perform each step when directed by the instructor.
TASK 22B Examine The Basic Features of the 751G Hand Held Terminal (HHT)
Remove the 751G from the cradle and locate these basic features on the 751G

11 October 2007
15-18
AIT Installation

TASK 22C Examine The Basic Features Of The Cradle
Turn off the 751G and return it to the cradle.
11 October 2007
15-19
AIT Installation

The cradle is the communication link between the 751G and the SAAS-MOD workstation. It is used to store
the 751G, transfer data to and from the 751G to the workstation and to print labels.

Task 22D Connect The Cradle to a SAAS-MOD Workstation
Connect the USB cable to a USB port on the SAAS-MOD workstation.
Plug the AC power cable with 12 volt converter into rear of the cradle and then connect it to an (120/210) AC
power source.

TASK 22E - Unpack And Inspect The INTERMEC PM4i Bar Code Printer
The items listed displayed below should be unpacked from the printer box. Inspect the contents of the box for
all of the items and any damaged items.
Report missing or damaged items to the instructor at this time.
11 October 2007
15-20
AIT Installation

Task 22F - Prepare the INTERMEC PM4i Bar Code Printer For SAAS-MOD Operations.
The thermal printer is rugged construction, prints ANSI A grade Bar Codes and prints on a variety of paper
& Synthetic 4 wide Media. It can be connected to a local port (COM1, or USB) on a SAAS-MOD
workstation and prints 2D shipping labels and 2D Pallet/Package labels. All SAAS-MOD workstations on the
LAN can use the printer to print labels.
The printer is set up for SAAS-MOD use; however, you should familiarize yourself with the features on the
printer before you install the media (labels and thermal print ribbon).

11 October 2007
15-21
AIT Installation

11 October 2007
15-22
AIT Installation

11 October 2007
15-23
AIT Installation

Locate items listed on the front panel
Indicator Lamps
Display Window
Feed/Pause button
Keyboard
Side Door
Print mechanism
Front door

11 October 2007
15-24
AIT Installation

Locate these items on the rear of the printer

11 October 2007
15-25
AIT Installation

11 October 2007
15-26
AIT Installation
Now that you know the parts of the printer, your task is to install the media (paper and thermal print ribbon).
Remember this is an instructor led exercise, so please do not get ahead of the instructor.

11 October 2007
15-27
AIT Installation

Install the Ribbon.

Push the ribbon all the way onto the Ribbon Supply Spindle (unroll from bottom).

Pull the end of the ribbon over the Ribbon Sensor, under the Print Head Assembly and up over the Ribbon Guide Plate.
11 October 2007
15-28
AIT Installation

11 October 2007
15-29
AIT Installation

Close the Print Head Assembly, keeping the ribbon snug and in line with Guide Plate.

11 October 2007
15-30
AIT Installation

11 October 2007
15-31
AIT Installation

11 October 2007
15-32
AIT Installation

11 October 2007
15-33
AIT Installation

Connect Thermal Printer to SAAS-MOD Workstation.
Connect the parallel or USB printer cable to Bi-Directional Port on the printer.
Connect the parallel or USB printer cable to the Port on the workstation.

11 October 2007
15-34
AIT Installation
Perform the Printer Operational Check.

11 October 2007
15-35
AIT Installation

11 October 2007
15-36
AIT Installation

Refer to the PM4I User Guide if problems occur to determine the cause.

11 October 2007
15-37
AIT Installation
Task 22G - Prepare the Intermec PT403 Portable Printer for SAAS-MOD Operations.
The Intermec PT403 portable printer is connected to the communications port on the 751G. It prints 2D Pallet/Package
labels.
The printer has already been configured for SAAS-MOD use.

Your task is to install the battery, media (paper and print ribbon), connect it to the 751G.

Locate these items on the printer.
Top Cover
Media Access Door
Communications Port
Battery Charging Receptacle

Battery Charging LED
Peel Bar
Locate these items on
the control panel.
Feed Button
Power Button
Power LED
Error LED

Install Battery.
Locate Battery compartment.
Slide up battery compartment door.
Install a fully charged battery with contacts
facing up.
Close compartment door.

11 October 2007
15-38
AIT Installation

Load the media (Install a Roll of Labels).
Raise the Media Access Door and Top Cover.
Lift the print head until it locks into place.
Thread the roll of labels from bottom into the
printer until it goes past the print head.
Hold open Media Hangers and put the roll of labels
on the hangers.
Release Media Hangers so that the roll of labels
locks in the right position.

Install the Ribbon Cartridge.
Raise the Media Access Door and Top Cover.
Lift the print head until it locks into place.
Hold the ribbon cartridge as shown. Align the
protrusions with channels on printer.
Slide the cartridge past the print head and it will
lock in the right position.
Close the print head, the top cover and media
access door.
Press the Power button to turn the printer on.
The printer uses three (3) labels to self calibrate
every time it is turned on.

Connect the portable printer to 751G.
Turn off the portable printer and 751G.
Plug the communications cable into the RJ45 on
the portable printer.
Turn on the portable printer and 751G.
Turn off the printer and 751G and remove the
communications cable from the Comm. Port of
the 751G.

11 October 2007
15-39
AIT Installation
A23 INSTALL AIT SOFTWARE
The following software must be loaded, in the order listed below, to operate the AIT
equipment correctly with SAAS-MOD equipment.
1) ActiveSync 4.1. This will be installed on the workstation to allow the
workstation to communicate with the 751G.
2) SAAS-MOD-UPLOAD-INSTALL.ZIP. This will be installed on all
workstations requiring the use of AIT.
3) SAASMOD.CAB file. This file is installed on the 751G and is required to
enable SAASMOD processing on the handheld.
This software is provided to you on the SAAS Application CD included in the latest SCP
package in folder \SAAS Utility\Intermec Files.

TASK 23A Install SAAS-MOD-UPLOAD-INSTALL

The first file that needs to be loaded is SAAS-MOD-UPLOAD-INSTALL.ZIP. It will
unzip and build a folder on your system with all required files needed to run the AIT
processes.

The following steps will help you to complete this process.

1. Locate the SAAS-MOD-UPLOAD-INSTALL.ZIP file in the WKS
APPLICATION folder. You should double click on it to display the WINZIP screen.

2. Select extract to display extract line.

3. Enter the folder name: c:\saas_mod_upload.

4. Click on extract and the files will be copied into the specified folder.

5. Exit the WINZIP window.

6. Go to Explore and locate the c:\saas_mod_upload folder.

7. Select the file setup.exe and double click to load the SAAS-MOD Upload.
Follow the instructions as they are displayed on the screen.

11 October 2007
15-40
AIT Installation
8. On the Welcome to the Install Shield Wizard for SAAS_MOD Upload screen, select
Next to continue.

9. On the Choose Destination Location screen, accept the default destination folder by
clicking Next.

11 October 2007
15-41
AIT Installation
10. On the Select Program Folder screen, select Next to accept the default
SAAS_MOD Upload folder.

11. The files should start copying. Select Next to continue.

11 October 2007
15-42
AIT Installation
12. On the Install Shield Wizard Complete screen, select Finish to complete the load
process.

At this point, check to ensure the following folders have been copied to the workstation
as follows:

1. Go to C:\Program Files and check to be sure there is a folder named Northrop
Grumman. This folder stores the AIT executable file SAAS_MOD Upload.exe.

2. The process also creates a log file for tracking problems with the program load. Go
to c:\saas\logs folder to view the SAAS_MOD_Upload.log file. (Use Note Pad to
view this file). If for some reason the log was not created, create it using Note Pad.

3. Go to desk top and double click on icon SAAS_MOD UPLOAD. Select the
configuration and view how the folders have been set up on the PC.

This completes the SAAS-MOD Upload install.

If you have any questions, call the CAO at DSN: 687-1051 or commercial (804) 734-
0151.

11 October 2007
15-43
AIT Installation
TASK 23B - Install Microsoft ActiveSync 4.1

Microsoft ActiveSync 4.1 is synchronization software that will enable your PC to
communicate with the 751G Handheld mobile device for downloading and transferring of
files.

The ActiveSync 4.1 installation file is located in the ActiveSync 4.1 folder.

1. Read the information below and follow the on screen instructions to complete the
install process.

11 October 2007
15-44
AIT Installation
2. Click Next to install Microsoft ActiveSync 4.1 on your computer.

3. Read the entire license agreement by scrolling down to the bottom. Click on I
accept the terms in the license agreement and click Next to continue.

11 October 2007
15-45
AIT Installation
4. Enter your name (i.e. John Doe) and your Organization name. Select Next to
continue.

5. Click Next to accept the default destination folder.

11 October 2007
15-46
AIT Installation
6. Select Install to begin the installation of Microsoft ActiveSync 4.1.

7. The files should start copying. Wait approximately 4 minutes for this to complete.
When the files have been copied, select Next to continue.

11 October 2007
15-47
AIT Installation
8. Select Finish to complete the Microsoft ActiveSync install.

9. You must restart your computer in order for the changes to take effect. Select Yes
to restart your computer now.

11 October 2007
15-48
AIT Installation

10. Once the system has been restarted, log back onto the workstation. The IAW
Upload and the Microsoft ActiveSync screens will appear as shown below.

11 October 2007
15-49
AIT Installation

Once ActiveSync has been loaded, follow the instructions below to establish a New
Partnership.

11 October 2007
15-50
AIT Installation
TASK 23C Set Up A New Partnership

1. On the Set up a Partnership screen, select Yes then select Next to continue.

11 October 2007
15-51
AIT Installation

2. On the Select Number of Partnerships screen, select Yes to synchronize with
only this computer, then select Next to continue.

11 October 2007
15-52
AIT Installation

3. On the Select Synchronization Settings screen, remove all the checks from the
boxes (click on each check mark to remove the check), then select Next to continue.

11 October 2007
15-53
AIT Installation

4. Read the information on the Setup Complete screen then click Finish to exit the
install wizard.

11 October 2007
15-54
AIT Installation

5. Once the install is complete, the Microsoft ActiveSync splash screen will appear. Be
sure that Connected and Synchronized are shown in the splash screen.

NOTE: The Microsoft ActiveSync splash screen will appear each time the 751G is
placed into a cradle that is connected to a workstation.

11 October 2007
15-55
AIT Installation

6. The IAW Upload screen will also appear each time a connection has been
established with the workstation and the 751G.

If you have any questions, contact the CAO at DSN: 687-1051 or Commercial: (804)
734-1051.

11 October 2007
15-56
AIT Installation
TASK 23D - Load SAAS-MOD Software on the 751G Handheld


SAAS-MOD .CAB FILE

Make sure that the SAASMODE-v4.0a-05-17-2006.CAB file is in the HHT
APPLICATION folder (use Explore to check for this file).

This file can be dragged and dropped to the 751G.

1. Place the 751G into the cradle that is connected to the workstation.
The Microsoft ActiveSync splash screen should appear. The moving green ball indicates
that the two systems are connected. Be sure that Connected and Synchronized are
displayed on the splash screen.

11 October 2007
15-57
AIT Installation
2. The IAW Upload screen below will also appear once the 751G is placed in the
cradle.

3. Once the systems are connected and synchronized, required SAAS-MOD files must be
copied from the workstation to the 751G.

First, locate the SAASMOD.CAB file and copy it into SDMMC Disk folder on the
751G. *Be sure to check that the file is read only before executing it. Otherwise, the
file will not be saved in the folder.

11 October 2007
15-58
AIT Installation

4. Once the file is in the SDMMC folder on the 751G, remove the 751G from the cradle.
On the 751G, use the stylus to:

Double tap on My Computer.
Double tap on SDMMC Disk.
Double tap on SAASMOD-UPLOAD-INSTALL-v1.0-05172006.CAB to
install.

11 October 2007
15-59
AIT Installation

RELOAD SAAS-MOD CAB

If you need to reload the .CAB file, you must uninstall the existing .CAB file through the
control Panel (Add/remove programs), then repeat step 4 above to reload the file.

11 October 2007
15-60
AIT Installation

TASK 23E To Improve Bar Code Readability with the INTERMEC 751G
Handheld

1. The following steps should be taken to ensure the 751G Bar Code settings for the
reading of Code 39 labels is maximized.

2. On the 751G, complete the following:

1) Click on Start
2) Select Settings
3) Select Control Panel
4) Select Intermec Settings
5) Select Scanners, Symbologies
6) Select Internal Scanner
Select Symbologies
Select Code 39
Select Options
Select Full ASCII Conversion
Select Enable
Select Reading Range
Select Extended
7) Select Imager Settings
Check 1D Omni-directional
Select Lighting Mode
Select Illum LED priority
Select Lighting goal=100
7) Select X to Exit (upper right hand corner)
8) Select Yes to save configuration changes

This completes the 751G handheld setup procedures.

11 October 2007
15-61
AIT Installation

TASK 23F - Run SAAS-MOD on the 751G Handheld

1. On the WindowsCE1 screen, tap START (Windows color box in the lower left corner
of the screen). A drop down menu will appear.

2. Tap Programs and the next screen will be displayed.

11 October 2007
15-62
AIT Installation
3. Tap SAAMOD to bring up the SAAS-MOD 4.1 Login screen.

4. Click on User ID and enter SAASMOD as the username. A username can be up
to 30 characters. Click OK to continue.

11 October 2007
15-63
AIT Installation

You are now logged in as a SAASMOD user.

The SAAS-MOD Select Location Menu screen will appear.

11 October 2007
15-64
AIT Installation
C20 - PRINT 2D PACKAGE/PALLET LABELS FROM THE AIT 751G
Introduction. The Print Label (Print Package/Pallet Label) process on the 751G lets you create and print 2D
Package/Pallet labels from a portable printer attached directly to the 751G handheld. The process creates the
labels for conventional DODIC and serialized DODIC based on the parameters (DODIC, NSN, Lot
Number, and Serial Numbers) that you enter.
The Print Label process on the 751G can be accessed and used in conjunction with any 751G process. It is
selectable from the ASP and ATP menus. It is also selectable from the Receipt (Lot Data) Screen and the
Linear Barcode/Manual Data Entry Screen that appears in all AIT processes.
During this lesson, we will:
1) Review the AIT 751G/Portable Printer setup procedures.
2) Review the Login procedures for the AIT 751G.
3) Select the Print Label process from the menu.
4) Execute the process.
5) Print labels using the portable printer.
I. General Instructions for Using the Portable Printer with the 751G Handheld
1) Ensure there is a fully charged battery in the battery compartment.
2) Ensure that you have a roll of labels and the printer ribbon cartridge properly installed.
3) Observe the two available connections that can be used to print labels using the 751G.
a) The first connection is a printer adapter that attaches to the bottom of the 751 with two thump
screws. This will allow the user to connect a cable between the 751G and the portable printer to print
labels.
b) The second connection is to connect the printer to the COM 1 (9 pin) port at the rear of the 751G
cradle.
II. Auto Calibrate the Portable Printer
1) Turn off the 751G handheld and the portable printer.
2) Plug the communications cable (9 pin cable end) into either the printer adapter on the 751G or into
the 751G cradle. Then plug the other end into the portable printer.
3) Turn the 751G and the printer ON to auto calibrate and line up labels on the printer. Blank labels
will feed through the printer to complete the auto calibration process.
You are now ready to print labels.

11 October 2007
15-65
AIT Installation
Task 1 - Login to the 751G and Execute the Print Label Process. Task 1 is an instructor led exercise;
perform each task when directed by the instructor.
Task 1A Login to the 751G and Select the Print Label Process.
Login to SAAS-
MOD.

Touch The User Id
field to display the
data entry screen.

On the Username
Data Entry screen.

Enter AITUSER
and touch OK to
display the Login
Screen.

Touch OK on the
Login Screen to
display SAAS-
MOD Select
Location Menu.

Touch ASP to
display the ASP
Menu.

11 October 2007
15-66
AIT Installation

ASP Menu

Touch Print Label
at the bottom of
the ASP Main
Menu to display
the Linear
Barcode/Manual
Data Entry Screen.

Conventional
DODIC labels
require a Lot
Number, NSN,
DODIC and
quantity.
Serialized DODIC
labels require
serial numbers.

11 October 2007
15-67
AIT Installation
Task 1B - Print a Conventional DODIC Label with the 751G Print Label Process

Step 1. Enter Lot
#, NSN, &
DODIC.

Touch the Lot #
field

Enter LC-
85A080-013 -
touch OK.

Touch the
NSN/NIIN/MPN
field.

Enter 1305
011555459 - touch
OK.

Touch the DODIC
field.

Enter the A059
touch OK.

11 October 2007
15-68
AIT Installation

Step 2. Enter
quantity data.

Touch the
Quantity field.

Touch Box Qty
and the Box Qty
Standard Quantity
Data Entry Screen
displayed.

Enter 1680 and
touch OK to
display the SAAS-
MOD Quantity
Calculator Screen.

Touch OK again
to display the
SAAS-MOD
Linear Bar
Code/Manual
Data Entry
Screen.
Step 3. Print box
label.

Check Printer
connection, and
then touch Print
Label to print the
label.

11 October 2007
15-69
AIT Installation
Task 1C - Print a Serialized DODIC Label with the 751G Print Label Process

Step 1. Enter Lot #,
NSN, & DODIC.

Touch the Lot # field

Enter JAT98B001-
888 - touch OK.

Touch the
NSN/NIIN/MPN
field.

Enter
1340011490918 -
touch OK.

Touch the DODIC
field.

Enter the H108
touch OK.

Touch Edit Serials to
display the SAAS-
MOD Serial Number
Manual Entry Screen.

11 October 2007
15-70
AIT Installation

Step 2. Enter Serial
Numbers.

Touch From Serial #
field.

Enter 771001 and
touch OK.

Touch To Serial #
field.

Enter 771006 and
touch OK.

Touch Add. The six
serial numbers
(771001, 771002,
771003, 771004,
771005 & 771006)
appear in the serial
number list box.

Touch OK to display
the Linear Bar
Code/Manual Data
Entry Screen.

11 October 2007
15-71
AIT Installation
Step 3. Select Serial
Numbers for each
label.

Touch Print Label to
display the SAAS-
MOD Print
Serialized Label
Screen.

Touch these serial
numbers for the first
label (771001,
771002, 771003,
771004 & 771005).
They will move to
the bottom list box.

Check Printer
connection then
touch Print Label to
print the first label.

Touch serial number
771006 to move it
and touch print to
print the second
label.

After you print both
labels touch Cancel
to exit.
11 October 2007
15-72
AIT Installation
SUMMARY FOR Print 2d Package/Pallet Labels From the 751G.
The Print Label (Print Package/Pallet Label) process on the 751G lets you create and print 2D
Package/Pallet labels on a portable printer attached directly to the COM port of the AIT 751G. The
process creates the label for conventional DODIC and serialized DODIC based on the parameters
DODIC, NSN, Lot Number, and Quantity or Serial Numbers that you enter.
The Print Label process on the 751G can be accessed and used in conjunction with all other 751G
processes. It is selectable from the ASP and ATP menus. It is also selectable from the Receipt (Lot
Data) Screen and you can print a label any time there is data entered on the Linear Barcode/Manual
Data Entry Screen.
During the lesson we showed you how to select the process from the menu and how to print the labels.
We also showed you how to selectively print serial numbers.
Please keep all the labels you made during this portion of the PE as they may be required for the
remainder of the exercises.

11 October 2007
15-73
AIT Installation

C21- PRINT SHIPPING LABELS FROM SAAS-MOD
Introduction. The PRT SHP LBL (Print Shipping Label) process lets you print shipping
labels for an outgoing shipment and let you delete document numbers for completed
shipments. The document numbers in the Available List Box are displayed in DODAAC-
date-serial number sequence.
During this lesson, we will show how to select a shipment document number and print a
shipping label for the shipment. We also show you how to delete old document numbers
from the Available List on Box the Shipment Labels Print Window.

Select the Shipping
Labels Print Process.
Select (click on) Start |
ASP Executables | Prt
Shp Lbl
Task 1 - SAAS-MOD Prt Ship Lbl Process. This is an instructor led exercise. Perform
each step when directed by the instructor.
TASK 1A - Follow these steps to and print Shipment Labels.

Step 1. Highlight
(click on) the first
document number in
the Available list box
and click on Select
Doc Num.
Step2. Highlight (click
on) the first TCN and
click on Select TCN to
display it on the TCN
work line.
Step 3. Enter 2 (two)
in the Num Lbls to Prt
field and click on
Enter.
Step 4. Click on Print.
Step 5. Click on OK in
the dialog box.
The system prints two
labels on the thermal
printer attached to the
workstation.
Task 1B Follow these steps to delete a Shipment Document Number from the
Shipment Labels Print Window.
11 October 2007
15-74
AIT Installation

Step 1. Highlight
document number in
the Available list
box and click on
Delete Doc.
Step2. Click on Yes
in the Delete
Confirm box
Step 3. Click OK in
the informational
dialog box.
The system deletes
the document
number.
Task 2 There is no Task.
SUMMARY FOR PRINT SHIPPING LABELS FROM SAAS-MOD.
The Prt Shp Lbl (Print Shipping Label) process lets you print shipping labels for outgoing
shipments and let you delete document numbers from the Print Shipping Labels process
for completed shipments. The document numbers in the Available List Box are displayed
in DODAAC-JULIAN DATE-SERIAL NUMBER sequence.
During this lesson, we showed you how to select a document number from the available
list box, select the TCN and identify label requirement, then print the shipping labels for
the shipment. We also showed you how to delete old document numbers from the
Available List Box on the Shipment Labels Print Window.

11 October 2007
15-75
AIT Installation

C22 - PRINT 2D PACKAGE/PALLET LABELS FROM SAAS-MOD

Introduction. The Prt Pkg-Plt Lbl (Print Package/Pallet Label) process lets you print 2D
Package/Pallet labels on a thermal label printer attached to a SAAS-MOD work station.
The process creates the label for conventional DODIC based on the parameters (Storage
Point, Warehouse, DODIC, NSN and Lot Number) that you select and uses the package
data (Rounds per Pallet or Rounds per Box) from the Ammunition Lot Item table for your
selection. The process creates the label for serialized DODIC based on the parameters
(Storage Point, Warehouse, DODIC, NSN, Lot Number, and Serial Numbers) that you
select.
During this lesson, we will show how to select the parameters for conventional DODIC
and serialized DODIC, and how to print the labels.
Please keep all the labels you make during this portion of the PE as they will be required
for the remainder of the exercise.
Select the Print Package/Pallet Label
Process. Click on Start | ASP
Executables | Prt Pkg-Plt Lbl
Task 1 - SAAS-MOD Prt Pkg-Plt Lbl Process. This is an instructor led exercise
perform each step when directed by the instructor.
Task 1A - Follow these steps to print Package/Pallet Labels for Conventional
DODIC.
11 October 2007
15-76
AIT Installation

Step 1. Select SP Z1
Step 2. Select or
enter WHSE ID
Z1016.
Step 3. Enter the
DODIC C787 and
press Enter.
Step 4. Select Lot
Number
MHM90A023-011.
Step 5. Enter the
Num Labels
Requested (Non
Serialized) 2
Step 6 Click on
Pallet
Step 7 Click on
Confirm and click
on OK when the
dialog box appears.
Remove the two labels from the thermal printer, put condition Code B Whse Z1016 on
one label and condition Code K Whse Z1016 on the other label. Keep the labels with
your PE as they may be used in some of the following exercises.
Task 1B Follow these steps to print a package/pallet labels for a serialized DODIC.
Step 1. Select SP Z1
Step 2. Select or
enter WHSE ID
Z1016.
Step 3. Enter the
DODIC C995 and
press Enter.

Step 4. Select Lot
Number
JAT95L10199 to
display the Serial
Number List
Window.
11 October 2007
15-77
AIT Installation

Step 5. Print a label
with one serial
number.

Click on serial number
35770 and click on
Confirm.

Click on OK in the
dialog box.

Step 6. Select and
print a group of serial
numbers not displayed
in sequence.

Press and hold down
the Ctrl key and click
on serial numbers
46001, 46002, 46008,
46009, 46010.

Click on Confirm then
click on OK in the
dialog box.

Step 7. Select and
numbers displayed in
sequence.

Press and hold down
the Shift key and click
on serial numbers
46003, 46004, 46005,
46006, 46007

Click on Confirm then
click on OK in the
dialog box.

11 October 2007
15-78
AIT Installation

Step 8. Select and
sequence.

Press and hold down
the Shift key and
click on serial
numbers 46011,
46012, 46013, 46015,
46016

Click on Confirm
then click on OK in
the dialog box.

Step 9. Select and
sequence.

Press and hold down
the Shift key and
click on serial
numbers 46017
46021, 46114, 46133,
46134.

Click on Confirm,
and then click on OK
in the dialog box.

Remove all the labels from the thermal printer and put condition Code A Whse Z1016 on all five labels.
Keep the labels with your PE as they will be used in some of the following exercises.
Task 2 SAAS-MOD Prt Pkg-Plt Lbl Process. Perform this task on your own.

Task 2A Print Package/Pallet Labels for Conventional DODIC.

11 October 2007
15-79
AIT Installation
Use the information in the table above to print two package/pallet labels for a conventional DODIC. After
the labels are printed write the condition code, SP and warehouse on the labels. Keep the label with your
PE as they may be used in some of the following exercises.
Select the Print Package/Pallet Label Process. Click on Start | ASP Executables | Prt Pkg-Plt Lbl
At the Print Packing Labels Window:
Select Storage Point Z1 and Warehouse Z1013 using the arrow beside each field.
Enter the DODIC B535 and press Enter to display the NSN and lot numbers for the DODIC.
Select Lot Number LOW-6-15 (select either record).
Enter the Number of Labels 2 and click on pallet to print a pallet label.
Click on Confirm to complete your selection and click OK when the dialog box appears.
Remove the labels from the thermal printer and put condition Code A Whse Z1013 on both labels. Keep
the labels with your PE as they will be used in some of the following exercises.
Task 2B Print Package/Pallet Labels for Serialized DODIC.

Use the information in the table above to print package/pallet labels for each group of serial numbers on
the above table. After the labels are printed write the condition code, SP and warehouse on each label.

Select the Print Package/Pallet Label Process. Click on Start | ASP Executables | Prt Pkg-Plt Lbl
At the Print Packing Labels Window:
Select Storage Point Z1 and Warehouse Z1016 using the arrow beside each field.
Enter the DODIC C995 and press Enter to display the NSN and lot numbers for this DODIC.
Select Lot Number AT95L10388 to display the serial number list.
Label 1 Use the Shift key and mouse to select and print a label for serial numbers 951002 thru 951006.
Confirm your selection.
11 October 2007
15-80
AIT Installation
Label 4 Use the Ctrl key and mouse to select and print a label for serial numbers 951001, 951010,
951019, 951028, 951029. Confirm your selection.
Label 5 Use the Ctrl key and mouse to select and print a label for serial numbers 951007 951008, 951016,
951017, 951025. Confirm your selection.
Label 6 Use the Ctrl key and mouse to select and print a label for serial numbers 951009, 951018,
951026, 951027. Confirm your selection.
Remove all the labels from the thermal printer and put condition Code A Whse Z1016 on all six labels.
SUMMARY FOR PRINT PACKAGE/PALLET LABELS FROM SAAS-MOD.
The Prt Pkg-Plt Lbl (Print Package/Pallet Label) process lets you print 2D Package/Pallet labels on the
thermal printer attached to a SAAS-MOD work station.
The process creates the label for conventional DODIC based on the parameters (Storage Point,
Warehouse, DODIC, NSN, and Lot Number) that you select and uses the package data (Rounds per Pallet
or Rounds per Box) from the Ammunition Lot Item table for your selection.
The process creates the label for serialized DODIC based on the parameters (Storage Point, Warehouse,
DODIC, NSN, Lot Number, and Serial Numbers) that you select.
During the lesson we showed you how to select the parameters for conventional DODIC. Then we
showed you how to use the Ctrl Key (non-sequential) and Shift Key (sequential) to create a 2D
Package/Pallet labels for serialized DODIC.
C23 - MAINTAIN USER ACCOUNTS ON SAAS-MOD FOR AIT 751G USERS.
Introduction. When you are using AIT in your operations, the first thing you need to do is identify in the
SAAS-MOD Maintain User process the storage personnel that use the AIT hand held terminals (751G) in
the storage area for inventory.
The 751G user does not require access to SAAS-MOD but SAAS-MOD transfer files to the 751G based
on the User Id logged on the 751G and the 751G process selected.
Only users identified by SAAS-MOD on the Maintain User table can be assigned as recorder and counter
in the Inventory Process for an AIT inventory.
During this lesson, we will create AIT User ID on SAAS-MOD these User ID will not have access to the
SAAS-MOD system.
The Maintain Users Process identifies SAAS-MOD users and the SAAS-MOD procedures available to
them. The only process required in the current profile for an AIT User Id is called AIT Processes.

Select the Maintain User Process.
Click on Start | ASP Executables |
Maintain Users
Task 1 Use the SAAS-MOD Maintain User Process to Add an AIT User and User Profile. This is an
instructor led exercise perform each step when directed by the instructor.
Task 1A Follow these steps to Add an AIT 751G User Id with a User Profile to SAAS-MOD.
Step 1. Click on User on the User
Menu bar.
11 October 2007
15-81
AIT Installation
Step 2. Click on Maintain User ID
on the User pull-down menu to
display the Maintain User
Window.

11 October 2007
15-82
AIT Installation

Step 3. Enter AITUSER1 in the
User D field.
Step 4. Click in the Name field
and enter SSG SMITH.
Step 5. Click in the
Organization field and enter
60
th
OD CO.
Step 6. Click in the Job
Description field and enter
Storage NCO.
Step 7. Click on Actions/New
and Click on OK to confirm.
Step 8. Click on User Profile to
display the Maintain User
Profile Window.
Step 9. Highlight (click on)
AIT Processes in the Procedure
Name list box.
Step 10. Click on Actions/New
and the system adds the
procedure to the Current Profile
list box.
Step 11. Click on Actions/Exit
to close the window and exit the
process.
Task 2 Use the SAAS-MOD Maintain User Process to Add AIT Users and User
Profiles. Perform this task on your own.
11 October 2007
15-83
AIT Installation
Select the Maintain User Process. Click on Start | ASP Executables | Maintain Users.
Step 1: Add the first AIT User Id on this table to SAAS-MOD on the Maintain User Id
Window.
Enter the User Id, the User Name, the organization, and job description from the table
above.
Click on Actions/New and confirm.
Step 2: Add the Procedure Name on the above table to the AIT User Id Profile.
Click on User Profile on the menu bar of the Maintain User ID Window to display the
Maintain User Profile Window.
Click on AIT PROCESSES in the Procedure Name List Box.
Click on Actions/New and confirm.
Repeat step 1 and 2 for the remaining User Id.
SUMMARY FOR MAINTAIN USER ACCOUNTS
All AIT User ID must be added to SAAS-MOD in the Maintain User Process. AIT
PROCESSES is the only process an AIT User ID must have. Normally AIT Users do not
have access to the SAAS-MOD functional processes.
The primary reasons for identifying AIT users are to facilitate file transfers between
SAAS-MOD and the 751G and to identify the recorder and counter for AIT inventory
history reports.

11 October 2007
15-84
AIT Installation

C24 - USE AIT ASSIGNMENT STATUS TO VIEW/CHANGE WORKLOADS
Introduction. The AIT Assignment Status process lets you review the workload currently
assigned and sent to the AIT 751G for a specific User ID. In addition, you can use the
process to cancel current workload assignments and reassign them to another User ID.
Only AIT workloads that have been assigned and sent to AIT are displayed in this
process.
The AIT Assignment Status process with the exception of the selection window uses the
same windows and procedures as the Workload process. The Workload process can be
accessed directly from the SAAS-MOD menu or from the Ammunition Stores Slip
(3151) Window that is in the Issue, Turn-in, Shipment, Receipt, and IDT processes.
During this lesson, we will show you how to view and change (un-assign and reassign)
workloads for a User ID in SAAS-MOD.
In this process the User ID entry is case sensitive and must match the User ID exactly as
it appears in the Maintain User ID Window.

Select the AIT
Assignment Status
process click on Start |
ASP Executables | AIT
Assignment Status.

When AIT Assignment Status is selected an Error
dialog box prompting for a User Id is displayed click
on OK to continue. The system displays the Workload
Assignment Window.
Task 1 Use the SAAS-MOD AIT Assignment Status Process to View, Change or
Delete AIT Workload Assignments for a User ID. This is an instructor led exercise
perform each step when directed by the instructor.
Task 1A Follow these steps to View AIT Assignment Status for a User ID. This is an
instructor led exercise perform each step when directed by the instructor.

11 October 2007
15-85
AIT Installation

Step 1. Enter SAAS-
MOD in the User/Team
ID field and press Enter.
The system displays the
documents assigned to
AIT for SAAS-MOD in
the list box.
Step 2. Highlight (click
on) WASP6101440001.
Step 3. Click on Details
to display the Process
Workload Window.

The Process
Workload
Window displays
the document
number
information and
the detail lines on
the documents
assigned to the
User Id.
Step 4. After
viewing the lines,
click on Close to
return to the
Workload
Assignment Status
Window.

Task 1B Follow these steps to Change the AIT Workload assigned to a User ID. This
is an instructor led exercise; perform each step when directed by the instructor.
11 October 2007
15-86
AIT Installation

Step 1. Enter SAAS-
MOD in the
User/Team ID field
and press Enter. The
system displays the
documents assigned
to AIT for SAAS-
MOD in the list box.
Step 2. Highlight
(click on)
WASP6101440001.
Step 3. Click on
Details to display the
Process Workload
Window.

Step 4. Use the
horizontal scroll bar
in the box to display
the Con IND and
User ID field.
Step 5. Highlight
(click on) the line in
the Document Details
& Assignments box.
The system displays
the Detail Exception
Window.

Step 6. Click on Un-
assign.

The system closes the
Detail Exception
Window and displays
the Process Workload
Window with the Con
IND and User Id field
for the line blank.
11 October 2007
15-87
AIT Installation

Step 7. Highlight
the Document Details
& Assignments box.
Step 8. Click on
Assign to display the
Process Select User
ID Window.

Step 9. Highlight
(click on) SSG
JONES
AITUSER3 and click
on Select.
The system closes the
window and displays
the Process Workload
Window. The
AITUSER3 is now in
the User ID field
beside the line.
Step 10. Click on
Send. The system
puts an A in the Con
IND field and sends
the highlighted line to
the AIT Out table.
Step 11. Click on
Close to Exit.

11 October 2007
15-88
AIT Installation
Task 2 Use the AIT Assignment Status Process to reassign all the remaining
Transactions Assigned to the User Id SAAS-MOD and to AITUSER3. Perform this
task on your own.
Select the AIT Assignment Status Process. Click on Start | ASP Executables | AIT
Assignment Status.
Highlight (click on) the first document number line displayed in the list box.
Click on Details to display it in the Process Workload Window.
Highlight (click on) the transaction line displayed and the system displays the Detail
Exception Window.
Click on Un-assign to change the current assignment.
Highlight (click on) the line to activate the Assign and Send buttons.
Click on Assign to display the Process select User Id Window.
Highlight (click on) AITUSER3 and click Select.
Click on Send to transfer the workload to the 751G.
Repeat this process until the list box on the Workload Assignment Status Window for
SAAS-MOD is empty.

SUMMARY FOR AIT ASSIGNMENT STATUS PROCESS
The AIT Assignment Status process lets you review the workload currently assigned and
sent to a specific AIT User Id. You can use the process to reassign workloads to another
751G.
During this lesson, we showed you how to view un-assign (cancel) and reassign
workloads to an AIT User Id on SAAS-MOD.
Remember all SAAS-MOD User Id entries are case sensitive.

11 October 2007
15-89
AIT Installation

C25 - USE WORKLOAD TO VIEW/CHANGE AIT 751G WORKLOADS
Introduction. The workload process is similar to the AIT Assignment Status process.
There are two major differences:
The transactions are selected by transaction type (issue, turn-in, receipt, and shipment)
not by user id.
The process displays all open transactions (including those not assigned to AIT) that
the SAAS-MOD system has processed on an Ammunition Stores Slip (3151) Window.
The process is just like AIT assignments, its used view, change (un-assign and
reassign), and assign workloads to the 751G.
During this lesson, we will show how to select by transaction type, change (un-assign
and assign) and assign workloads to 751G on SAAS-MOD.

Select the Workload
Process. Click on
Start | ASP
Executables |
Workload.
Task 1 Use the SAAS-MOD Workload Process to View, Change or Assign
Workloads to 751G. This is an instructor led exercise perform each step when directed
by the instructor.
Task 1A Follow these to View Current Workload by Transaction Type.
Step 1. Click on Issue
in the Document Type
box. The system
displays document
numbers with number
of lines for all open
issue documents.
Step 2. Highlight
(click on)
W4ZGAA20315001.
Step 3. Click on
Detail to display the
Process Workload
Window.
11 October 2007
15-90
AIT Installation
The Process Workload
Window displays the
document number
information and the
detail lines on the
document. Note that
the Con IND and User
ID fields are blank,
that means the
document did not go
to AIT.

Step 4. After viewing
the lines, click on
Close to return to the
Select Workload
Window.
Task 1B Follow these steps to Change (Un-assign and Reassign) Workload to
Change the Workload Assignment for a Transaction Type.

Step 1. Click on
Shipment in the
Document Type
box. The system
displays document
numbers with
number of lines for
all open Shipment
documents.
Step 2. Highlight
(click on)
WASP6101440001.
Step 3. Click on
Details to display
the Process
Workload Window.
11 October 2007
15-91
AIT Installation

Step 4. Use the
horizontal scroll bar
in the box to
display the Con
IND and User ID
field.
Step 5. Highlight
the Document
Details &
Assignments box.
The system displays
the Detail
Exception Window.

Step 6. Click on
Un-assign.
The system closes
the Detail
Exception Window
and displays the
Process Workload
Window with the
Con IND and User
Id field for the line
blank.
Step 7. Highlight
the Document
Details &
Assignments box.
Step 8. Click on
Assign to display
the Process Select
User ID Window.
11 October 2007
15-92
AIT Installation
Step 9. Highlight
(click on) SSG
FOSTER
AITUSER4 and
click on Select.

The system closes
the window and
displays the Process
Workload Window.
The AITUSER4 is
now in the User ID
field beside the
line.

Step 10. Click on
Send. The system
put an A in the Con
IND field and sends
the line to an AIT
Out table.
Step 11. Click on
Close to Exit.
Task 2 SAAS-MOD AIT Workload Process. Perform this task on your own.
Task 2A Assign the Remaining Shipment Transaction to the AIT User Id
AITUSER4.
Highlight (click on) the document number line displayed in the list box.
Click on Details to display it in the Process Workloads Window.
Highlight (click on) a line. The system displays the Detail Exception Window.
Click on Un-assign. The system returns to the Process Workload Window
Click on Assign to display the Process select User Id Window.
Highlight (click on) AITUSER4 and click Select.
Click on Send to transfer the workload to the 751G.

11 October 2007
15-93
AIT Installation
SUMMARY FOR AIT WORKLOAD PROCESS.
The workload process is similar to the AIT Assignments process but it lets you review
the current workload (all transactions that have had a DA3151 produced or that have
been assigned to an AIT User Id by transaction type. You can use it to assign, un-
assign, and send workload assignments to the 751G.
This process can be selected from the SAAS menu to view all transactions or from the
Ammunition Stores Slip (3151) Window in the issue, turn-in, receipt, or shipment
processes.

11 October 2007
15-94
AIT Installation

C26 - AIT EXCEPTION MAINTENANCE.
Introduction. The AIT Exception Maintenance process lets you view the transactions that
came from the 751G to SAAS-MOD that could not be processed. The process can be
selected from the SAAS-MOD menu. However, it appears whenever you select a
transaction in the Issue, Receipt, Turn-in or Shipment process that did not process in
properly.
Some transactions that failed to process may be correctable (the process identifies
correctable transactions) and processed but most transaction appearing in this process
cannot be fixed. The process provides details about the transaction and the reason the
system did not process it. If a transaction can be fixed and resubmitted it has a Y in the
Correctable field on the detail window. After you correct a transaction you can complete
it.
During this lesson, we will show how to view the exception transactions, correct,
resubmit and delete AIT exception transactions.

Select the Workload
Process. Click on
Start | ASP
Executables | AIT
Exceptions
Maintenance.
Task 1 Use the SAAS-MOD AIT Exception Maintenance Process to View, Delete,
and Resubmit Transactions From 751G when directed by the instructor.
Task 1A Follow these steps to View a Transaction in the AIT Exception
Maintenance Process.
The AIT Exceptions
Window shows the
DOC NO, SUFFIX,
NSN, SER NO and
LOT NO of
transactions coming
from the AIT-751G
that the system
cannot process.
To view detailed
information about a
transaction.
Step 1. Highlight
document and click
on Resubmit. The
system displays the
AIT Detail Window.
11 October 2007
15-95
AIT Installation

A correctable
transaction has a Y
in the Correctable
field.
ERR
CD/DESCRIPTION
fields explain the
problem with the
transaction.
The remaining fields
are part of the
transaction.
Step 2. Click on
Close to exit.
Task 1B Follow these Steps to Delete a Transaction in the AIT Exception
Maintenance Process.
Step 1. Highlight
document and click
on Delete. The
system displays the
Delete Confirmation
Window.
Step 2. Click on Yes
to confirm the
deletion. The system
deletes the line.
Step 3. Click on
Close to exit.

11 October 2007
15-96
AIT Installation

Task 1C Follow these steps to Correct and Resubmit a Transaction in the AIT
Exception Maintenance Process.
Step 1. Highlight
(click on) document
number
_______________
and click on
Resubmit. The system
displays the AIT
Detail Window.

A correctable
transaction has a Y in
the Correctable field.
Step 2. Correct the
data causing the error.
The ERR
CD/Description fields
explain the problem
with the transaction.
Based on the ERR
CD, you must change
at least one of the
fields on the
transaction.
Step 2. Click on
Resubmit to process
the transaction.
Task 2 There is no Task.
SUMMARY FOR AIT EXCEPTION MAINTENANCE.
The AIT Exception Maintenance process lets you view the transactions that came from
the 751G to SAAS-MOD that cannot be processed. The AIT Exception Maintenance
process displays the transactions that failed to process with an explanation and
correctable indicator. Only a transaction with a Y in the Correctable field can be
reprocessed.
11 October 2007
15-97
AIT Installation

C27 - USE AIT TO PROCESS AND STORE RECEIPTS.
Introduction: Receipt processing using the 751G has these four distinct stages.
It begins with the Receipt process on the 751G. The receipt information from the DD form 1348-1 is
scanned into the AIT 751G.
Next, the Receipt process on SAAS-MOD. The data from the 751G is transferred to SAAS-MOD and
processed through site selection in the Receipt process.
After site selection you flow to the Store process on the 751G. The store data (storage site) from SAAS-
MOD is transferred to the 751G. The ammunition is stored and the storage site, lot data and quantity is
confirmed on the 751G.
The final stage is the Receipt process on SAAS-MOD. The last stage is transfer of the confirmed store
data back to SAAS-MOD where the receipt is completed and the transaction closed.
During this lesson, we will go through all four stages beginning at the 751G and finishing at the SAAS-
MOD workstation.
Task 1 Process Receipt Documents (Conventional and Serialized) using the 751G. Task 1 an instructor
led exercise perform each task when directed by the instructor.
Task 1A Login to the 751G and select the Receipt Process.

Step 1. Login to
SAAS-MOD.

Touch The User Id
field to display the data
entry screen.
On the Username Data
Entry screen.

Enter AITUSER1 and
touch OK to display
the Login Screen.

11 October 2007
15-98
AIT Installation

Touch OK on the
Login Screen to
display SAAS-MOD
Select Location Menu.

Step 2. Touch ASP to
display the ASP Menu.

ASP Menu

Step 3. Touch Receipt
at the top of the ASP
Main Menu to display
the SAAS-MOD
Receipt (1348 Data)
Screen.

You may scan in the
information from the
1348 or enter the data
manually. The data
required is document
number, NSN, Total
Quantity.

11 October 2007
15-99
AIT Installation

Task 1B Scan Bar Codes on the DD FORM 1348 for a Conventional DODIC Receipt.

Step 4. Scan the document
number label on the DD
Form 1348. You must
confirm the document
number was scanned.

Touch Doc # / Suffix field.
To display Receipt (1348
Data) Screen again.

Scan the NSN label on the
DD For 1348.

Scan the Quantity label on
the DD For 1348.

Touch Enter Lots to display
the (Lot Data) Screen.

11 October 2007
15-100
AIT Installation

Step 5. Scan the Lot
Number labels on the DD
1348.

Touch Close (Next 1348).

Touch Yes on the Alert
dialog box.

To display a blank SAAS-
MOD Receipt (1348 Data)
Screen that is ready to
process the next receipt or
to transfer the receipt data
to SAAS-MOD.

NOTE: DO NOT TOUCH
DONE (XFER FILE).

Task 1B Scan Bar Codes on the DD FORM 1348 for a Serialized DODIC Receipt.

Step 1. Scan the document
number label on the DD
Form 1348. You must
confirm the document
number was scanned.

Touch Doc # / Suffix field.
To display Receipt (1348
Data) Screen again.

Scan the NSN label on the
DD For 1348.

Scan the Quantity label on
the DD For 1348.

Touch Enter Lots to display
the (Lot Data) Screen.

11 October 2007
15-101
AIT Installation
Step 2. Scan the Lot
Number labels on the DD
1348-1.

(Highlight) touch the line in
the list box and touch the
arrow in the serial number
field to view the serial
numbers scanned.

Touch Close (Next 1348).

Touch Yes on the Alert
dialog box.
To display a blank SAAS-
MOD Receipt (1348 Data)
Screen that is ready to
process the next receipt or
to transfer the receipt data
to SAAS-MOD.

11 October 2007
15-102
AIT Installation

TASK 1C Transfer the 751G File to SAAS-MOD work station.

Step 1. Touch Done (XFER
file), and touch Yes on the Alert
Screen to put the 751G in the
File Transfer mode and display
the File Transfer Screen.

Step 2. Put the 751G in the
docking station attached to the
SAAS-MOD workstation.

Make sure the SAAS-MOD workstation is running and these
processes (751G Dock Server and WBT AIT xfer.exe) are
displayed on the task bar at the bottom of the window. The transfer
is automatic and when the transfer ends, the 751G displays the
SAAS-MOD Menu.

Task 1D Follow these steps to Process Receipts coming from the 751G. When the Receipt
Processed in message is displayed on the SAAS-MOD workstation desktop select the Receipt
process.

Select the Receipt Process.
Click on Start | ASP
Executables | Receipts.
11 October 2007
15-103
AIT Installation
Step 1. Highlight document
number WT4F1913654001
and click on Select. Click
OK to display it in the
Process Receipts Window.

Step 2. Complete the
information required to
process the Receipt.
Enter the header data.
UIC From field: WQL701
Sp CODE field: Z3
REC ACCT field: ZT3
Enter the Receipt Lot Info
Select data.
Highlight (click on) the line
and click on Select to move it
to the work line.
WHSE ID field: Z3012
Step 3. Click on 3151 to
display the Ammunition
Stores Slip (3151) Window.

Step 4. Click on Workload to
display the Process Workload
Window.
11 October 2007
15-104
AIT Installation

the line in the Document
Details & Assignments box
and click on Assign to
display the Process Select
User ID Window.

SSG SMITH AITUSER1 in
the list box and click on
Select to display the Assign
Workload Window.

and click on Send .The
system Change Con IND
field to A and puts the
transaction in the AIT Out
folder.
Step 8. Click on Close to
display the Receipts
Document Window.
11 October 2007
15-105
AIT Installation

and click on Select. Click
OK to display it in the
Process Receipts Window.
Repeat steps 2 through 8
again.

Step 2. Data for header
information in step 2.
UIC From field: WQL701
Sp CODE field: Z3
REC ACCT field: ZT3
Enter the Receipt Lot Info Select
data.
Highlight (click on) the line and
click on Select to move it to the
work line.
WHSE ID field: Z3011
Step 3. Click on 3151 to display
the Ammunition Stores Slip
(3151) Window.
Step 4. Click on Workload to
display the Process Workload
Window.
Step 5. Highlight (click on) the
line in the Document Details &
Assignments box and click on
Assign to display the Process
Select User ID Window.
SSG SMITH AIT USER1 in
the list box and click on
Select to display the Assign
Workload Window.
and click on Send. The
system Change Con IIND
field to A and puts the
transaction in the AIT Out
folder.
display the Receipts
Document Window.

Note that both document
numbers now have a W in
the Status field.
exit the Receipts process.
The system automatically
transfers the transactions to
an 751G based on these
conditions
AITUSER1 is logged on, the
ASP Store process is selected
and the 751G is in the
docking station attached to a
SAAS-MOD work station.
11 October 2007
15-106
AIT Installation
Task 1E Follow these Procedures to Login to the 751G and Select the Store Process.

Note: If you are
logged in select the
Store Process from
the ASP Main Menu.

Step 1. Login to
SAAS-MOD.

Touch The User Id
field to display the
data entry screen.
On the Username
Data Entry screen.

Enter AITUSER1
and touch OK to
display the Login
Screen.

Touch OK on the
Login Screen to
display SAAS-MOD
Select Location
Menu.

Step 2. Touch ASP
to display the ASP
Menu.

11 October 2007
15-107
AIT Installation

ASP Menu

Step 3. Touch work
list at the top of the
ASP Main Menu to
display the SAAS-
MOD File Transfer
Screen.

No messages appear
as files are moved.
When the transfer is
complete, the 751G
SAAS-MOD work
list Screen will be
blank.

Task 1F Use these Procedure to Store the Receipts with the 751G.
You may scan in the information from a 2D Package/Pallet Label or enter the data manually. For this
exercise we will enter the data manually for the first transaction and scan the data in for the second
transaction.

Task 1(M) Follow these steps to store the first receipt manually.

the line in the list box and
touch Manual Entry. The
system displays the Store
Confirm/Enter Data Screen.

Step 2. The only entry
required is Quantity. Touch
Quantity to display the
SAAS-MOD Quantity
Calculator Screen.

11 October 2007
15-108
AIT Installation

Step 3. The only entry
required is Pallet Qty.
Touch Pallet Qty to display
the Standard Quantity
Entry Screen.

On the Pallet Qty Screen,
touch 528 and touch OK.
The SAAS-MOD Quantity
Calculator Screen is
displayed.

Step 4. Verify entries on
the SAAS-MOD Quantity
Calculator Screen.

# Boxes/Pallets = 1
Pallet Qty = 528.
Touch OK to display the
SAAS-MOD Store
Confirm/Enter Data Screen.

Step 5. Touch Data
Confirmed to display the
SAAS-MOD Store Screen.

Step 6. Highlight (touch)
the line and the Name,
NSN and Quantity Scanned
are displayed beside the
Change Loc button.

Step 7. Touch Close
(XFER file) and an Alert
Screen displayed. Touch
Yes to display the next
transaction or begin file
transfer.

11 October 2007
15-109
AIT Installation

Task 1(A) Follow these steps to store the second receipt by scanning 2D Package/Pallet Labels.

Step 1. Highlight (touch) the
line in the list box.

Step 2. Scan the 2D bar code
label.

Step 3. After the beep
highlight (touch) the line in
the list box and the Qty
Scanned field is now 10.

Step 4. Touch Close (xfer
file) an Alert Screen is
displayed. Touch Yes to
display the next transaction
or begin file transfer.

1G Follow these Procedures to Transfer the 751G File to SAAS-MOD work station.

Step 1. Touch Close (xfer
file), and touch Yes on the
Alert Screen to put the 751G
in the File Transfer mode.
ASP Main Menu is displayed

Step 2. Put the 751G in the
docking station attached to
the SAAS-MOD workstation.
The file is then automatically
transfers.

11 October 2007
15-110
AIT Installation

Make sure the SAAS-MOD workstation is running and these
processes (751G ActiveSync, IAW Upload and WBT AIT xfer.exe)
are displayed on the task bar at the bottom of the window. The transfer
is automatic. When the transfer ends, the user may check the work list
to see if the file was sent.

Task 1H Follow these steps to Process the Store Data for Receipts coming from the 751G.
When the Store Processed in message is displayed on the SAAS-MOD workstation desktop select
the Receipt process.
Select the Receipt Process.
Executables | Receipts.

and click on Select. Click OK
to display it in the
Ammunition Stores Slip
(3151) Window.

11 October 2007
15-111
AIT Installation
The transaction line in the list
box shows Con Ind I for all
transactions coming from the
751G751G.

Step 2. Click on Post Doc and
Save to complete the process
for this document.
Step 3. Click on Close to Exit
and display the Receipt
Documents Window.

Step 5. Highlight the remaining document number WT4F1913654021 in the Receipt Documents
Window and click on Select. Click OK to display it in the Ammunition Stores Slip (3151) Window.
Step 6. Click on Post Doc and Save to complete the process for this document.
Step 7. Click on Close to Exit and display the Receipt Documents Window.
Task 2 There is no task.
SUMMARY FOR USE AIT TO PROCESS AND STORE RECEIPTS.
Processing receipts using the 751G is a multi part process. Initially you process the information
from the DD form 1348-1 on the 751G, then transfer the information to SAAS-MOD for site
selection, then transfer the site selection back to the 751G to store the receipt and finally send the
confirmed store back to SAAS-MOD to post and save the transaction.

11 October 2007
15-112
AIT Installation

C28 - USE AIT TO STORE A TURN-IN.
Introduction: Processing turn-ins using the 751G uses the same Store process as a receipt. However,
it is a three stages process.
It begins with the Turn-in Process on SAAS-MOD where you enter the document number for a
Turn-in or associate a Turn-in document number with a wrap-a-around Issue document number. The
entered data and select the storage site for the items on the Turn-in and send it to the 751G to be
stored.
The next stage is the Store process on the AIT 751G. During this phase the items on the turn-in are
stored in the location specified and then transferred back to SAAS-MOD.
The final stage is done in the Turn-in process on SAAS-MOD when the turn-in is confirmed and
completed.
During this lesson we will review turn-in procedures on SAAS-MOD, transfer the turn-in to
the AIT 751G, store the items on the turn-in, transfer it back to SAAS-MOD and review
procedures for finalizing a turn-in on SAAS-MOD.
Task 1 Process a Turn-in Document with Conventional and Serialized DODIC using the 751G.
Task 1 an instructor led exercise perform each task when directed by the instructor.
Task 1A Process the Turn-in on SAAS-MOD and Assign/Send it to the 751G.
Select the Turn-In Process.
Executables | Turn-ins.
Step 1. Enter the turn-in
document number
W4ZGA020315001, enter Type
SER, and click on OK. Click on
YES when the Document
Confirmation Window is
displayed. The system displays
the Process Turn-in Window.

11 October 2007
15-113
AIT Installation
Step 2. Complete the
information required to process
the Turn-in.

Enter the header data.
Sp CODE field: Z3
REC ACCT field: ZT3
Trans code field: TAR
Enter this data on Issue Lot Info
work line for the first item.

11 October 2007
15-114
Norton 10.1 Installation
SECTION 16.0 NORTON 10.1 INSTALLATION

16.1 Uninstall Norton Antivirus version 7.51 or earlier on the SERVER or
Workstation.
Note : Be sure to log in as the local Administrator of the system.
(1) Click on Start/Settings/Control Panel

11 October 2007
16-1

(2) Click on Add/Remove Programs

11 October 2007
16-2

(3) Highlight Norton Antivirus Corporate Edition and click on Remove.

11 October 2007
16-3

(4) Click on Yes for confirmation to remove Norton Antivirus Corporate Edition.

(5) The removal program will gather information as shown below.

(6) When it finishes, Norton Antivirus Corporate Edition will no longer be
displayed on the Add/Remove Programs window. Close the window.

11 October 2007
16-4

16.2 Install Norton Antivirus version 10.1 on the SERVER or Workstation

(1) Insert your most current SAAS MOD Security CD into your CD-ROM drive.
Navigate to the Symantec Antivirus 10.0 folder/sav10_0_2_2000/CD1 and
double click on Setup.exe you will see:

11 October 2007
16-5
(2) Click on Install Symantec Antivirus and you will see:

(3) Click on Install Symantec Antivirus and you will see:

11 October 2007
16-6
(4) Click Next on the Welcome window:

(5) Click on the I accept the License Agreement window then click on Next:

11 October 2007
16-7
(6) Leave on Client Install and click on Next.

(7) Leave default for complete Install and click on Next.

11 October 2007
16-8
(8) Click on Next to the Unmanaged window.

(9) Uncheck Run Live Update and click on Next.

11 October 2007
16-9
(10) Click on Install:

(11) You will see progress of the installation

11 October 2007
16-10
(12) Check the Box "Don't remind me again until after next update to the Old
Virus Definition File window:

(13) Click on Finish to exit Symantec Antivirus Installation.
(14) Navigate to the Symantec Antivirus 10.0 folder/Updates and double click on
SAVCE_10_0_2_2001_ALLWIN_EN.msp you will see a Preparing to Install
screen followed by Welcome to the Patch for Symantec Antivirus. Click on
Update:

11 October 2007
16-11
(15) You will see a progress screen for updating:

(16) Update will complete. Click on Finish:

11 October 2007
16-12
(17) Install/Update will require a Reboot of your system. Click Yes to restart
screen:

(18) When your computer restarts, log on as the administrator. Delete the
following file: C:\Program Files\Symantec\LiveUpdate\S32luhl1.dll if it exists.
(19) Rerun steps 14 -18 for SAV_10.0.2.2020_ALLWIN_EN.msp in the Updates
folder.
(20) Rerun steps 14-18 for SAVCE_10.0.2.2021_ALLWIN_EN.msp in the
Updates folder.
(21) Next go to Start/Programs/Symantec Client Security/Symantec Antivirus and
click on LiveUpdate tab. This will update your signature files to the most current.
See below.

11 October 2007
16-13

16.3 Norton Antivirus Updates
Run the step 21 instruction above. The screen will look like the one displayed
below. Click on LiveUpdate and follow the on-screen prompts.

11 October 2007
16-14
Reserved for Future Use
SECTION 17.0 RESERVED FOR FUTURE USE

11 October 2007
17-1
SAAS Utilities
SECTION 18.0 SAAS UTILITIES

18.1 Oracle IP Tool

This process is used to extract IP address information to create Configuration
Diskettes for workstations to connect to the Database. This is accomplished by
the following steps:

1. Go to Start/Programs/SAAS Utilities/Oracle IP Tool.
2. You will see the screen Updating IP Addresses.
3. The process will then stop Oracle Services.
4. You will be prompted to insert a blank diskette and Press OK.
5. Next you will see the message Configuration files read for workstations.
Remove floppy and click OK.
6. Oracle Services will be started.
7. IP address Update for SAAS Oracle completed. Remove disk and click
on OK.

18.2 Archive Transactions

This process is used to extract transaction history information from the database
to free space of older transactions. It is recommended to run this process
periodically. Check with your local system administrator. This is accomplished
by the following steps:

1. Go to Start/Programs/SAAS Utilities/Archive Transactions
2. Select Continue on screen "About to Archive Transactions"
3. Enter J ulian date in YYYYDDD format for the date of transactions to
archive prior to this date ex. 2001001. Click on OK.
4. System will show you the number of records about to be archived, Press
Enter to continue.
11 October 2007
18-1
SAAS Utilities
5. You will see the number of Rows exported.
6. Click on OK to message to view export log.
7. View export log mentioned above, making sure there were no
errors.

User

18.3 Create Oracle User

This process allows you to create Oracle users. This is accomplished by the
following steps:

1. Go to Start/Programs/SAAS Utilities/Create Oracle User
2. Select Continue on screen "Creating New User"
3. Enter new User name and click on OK.
4. Enter Domain Name of the new user or leave blank. If you are logging
into a Domain, Enter it now, i.e.. NAE.
5. Click on OK to the message that the new user was created.

NOTE: A new Windows Server 2003 user group (ORA_SAAS_DBA) has
been created. This group has special Oracle privileges that are needed to run
some of the SAAS-MOD functions on the server. Each SAAS-MOD user that
installs SCP's, ICP's performs backups or executes certain SAAS executables on
the server, must be added to this group. An administrator must perform this
function on the SAAS-MOD server. Follow these steps to add users to the new
group:

NOTE: The CREATE ORACLE USER utility will function differently. If the
user is a domain user, the domain must be entered when the Oracle user is
created. If the user is a local machine user, then two Oracle users must be
created. One must be created with the machine name where the local user
exists. This is for SAAS application processes. A second Oracle user must be
created with just the username. This is for Oracle Browser and SAAS Reports.
2. Left click on Start | Programs |Administrative Tools Computer Management.
Note: Double click on Groups under Local Users and Groups.
11 October 2007
18-2
SAAS Utilities
3. Double left click on ORA_SAAS_DBA under Groups on the bottom half of the
User Manager window.
4. Left click on the Add button in the Select Users or Groups window. This will
6. Left click Add button to put the user in the Add Names: box. Repeat steps 5 &
6 until all SAAS-MOD users appear in the Add Names: box.
7. Left click the OK button to return to the Select Users or Groups window. All
8. Left click the OK button to exit the Select Users or Groups window.
9. In the Computer Management window, click on the computer (in the upper left
hand corner) and select Exit from the drop down menu.

User

18.4 Drop Oracle User

This process is used to remove Oracle users, such as personnel that are no
longer with your unit for whatever reason. This is accomplished by the following
steps:
1. Go to Start/Programs/SAAS Utilities/Drop Oracle User
2. Select Continue on screen "Dropping a User"
3. Enter the User name to be dropped and click on OK.
4. Enter Domain Name of the new user or leave blank. If you are logging
into a Domain, Enter it now, i.e.. NAE.
5. Click on OK to the message that the user was dropped.

11 October 2007
18-3
SAAS Utilities

18.5 Export

This process is used to make a "snapshot" of the database to the file system. It
is recommended to run this process daily. Whenever the asset posture has
changed from issues, turn-ins, receipts or condition code changes you should run
this process at the end of the business day. Check with your local system
administrator. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Export
2. Select Continue on screen "About to Export current Database"
3. Enter a file name relevant for identification such as Unit/Date and click on
OK.
4. You will see the number of Rows exported for each table.
5. Click on OK to message to view export log.
6. View export log mentioned above, making sure there were no errors.

18.6 Import

This process is used to restore the database from the file system. It is
recommended to run this process for recovery purposes only. It can also be
used to "defragment" and re-index table structures. Check with your local
system administrator. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Import
2. Select Continue on screen "About to Import a new Database"
3. Select Continue on screen "Current data will be dropped".
11 October 2007
18-4
SAAS Utilities
4. Select the file from the menu you wish to Import. This shows the default
location of where dump files are placed, however, you can browse to other
locations. Highlight the file and click on Open.
5. Click on OK to accept selected file.
6. You will see the number of Rows imported for each table.
7. Click on OK to message to view import log.
8. View import log mentioned above, making sure there were no errors.

18.7 Lock Database

This process is used to by the system administrator to lock the database for
exclusive use. It locks out normal users only. You can use this process that
requires exclusive use of the database such as Reconciliation. This is
accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/Lock Database.
2. Click on OK to message "Users can not logon now. Click on UNLOCK DB
to enable users".

18.8 Logged-On DB Users

This process is used to by the system administrator to see what users are logged
onto the database. This will always show the SYSTEM user which logged in for
this view. This is accomplished by the following steps:

11 October 2007
18-5
SAAS Utilities
1. Go to Start/Programs/SAAS Utilities/Logged-On DB Users
2. Click on continue to message "List of Active Users in the Database".
3. Press the Enter key to message displayed at the bottom of list of user "Hit
Enter to continue".
4. Click on OK to message "Exiting".

18.9 System Backup Scheduler
This process is used to back up your SAAS data such as dumps and
communications data. This is accomplished by the following steps:
1. Go to Start/Programs/SAAS Utilities/System Backup Scheduler.
2. Select the days you wish to perform backups.
3. Select the time you wish the backups to run.
4. Click on Save and Exit when finished.

11 October 2007
18-6
SAAS Utilities

18.10 Restore Transactions

This process is used to restore the transaction history data to the database from
the file system. It is recommended to run this process for recovery or review
purposes only. Check with your local system administrator. This is

1. Go to Start/Programs/SAAS Utilities/Restore Transactions.
2. Select Continue on screen "About to restore archived transactions".
3. Select the file from the menu you wish to restore. This shows the default
location of where dump files are placed, however, you can browse to
other locations. Highlight the file and click on Open.
5. Click on OK to accept selected file.
6. You will see the number of Rows imported for the transaction history
table.
7. Click on OK to message to view archtrans.log.
8. View archtrans.log mentioned above, making sure there were no errors.

18.11 Unlock Database

This process is used by the system administrator to unlock the database from
exclusive use. It unlocks normal users previously locked out. This is
1. Go to Start/Programs/SAAS Utilities/Unlock Database.
2. Click on continue to message "Unlocking the Database".
3. Click on OK to message "Users can logon now".

11 October 2007
18-7
SAAS Utilities

18.12 Change Oracle Password

This process is used to change user passwords to access the database whether
it is a simple user or the database administrator account. This is accomplished
by the following steps:

1. Go to Start/Programs/SAAS Utilities/Change Oracle Password.
2. Click on continue to message "Change User Password"
3. Enter User Name for account you want to change password for, i.e...
"system"
4. Enter current password for the user entered above.
5. Enter new password and click on OK.
6. Reenter password to confirm and click on OK.
7. Click on OK to message User system's password changed message.

18.13 Oracle RA Tool (Restricted access)

1. Select the Oracle RA Tool.exe file from the c:\saas\utilities folder and
double-click.
2. You will then be presented with the following screen:

11 October 2007
18-8
SAAS Utilities
3. You may type over the 1 in the edit box for the total number of IP
addresses from workstations, or other systems that have a legitimate need
to connect to your Oracle database.

Note: once you apply this tool, only those IP addresses that you have
selected can connect to your database to do any work. You must include
the servers IP address also, or you will not be able to connect locally.

4. In the following example, I have selected 4 different IP addresses.

You then click the enter button.

5. This next screen appears, allow you to type in the IP addresses.

Enter the IP address of your 1
st
selection.

11 October 2007
18-9
SAAS Utilities
*Example IP address below:

Then click on the enter button. Repeat the process as needed, in order to
complete the total number of IP addresses that you entered on the first screen.

6. Once you have completed the task, the following message appears:

11 October 2007
18-10
SAAS Utilities

The restricted access filter has been applied.

7. The next window that pops up is a notepad window displaying a log file
that is located in the c:\saas\logs folder. This file displays the IP
addresses that you have selected for access. You may print, or save to
another location. Close the notepad window when finished.

Note: This log file appends each time that you use the tool, in order to keep
track of each time that you add an IP address.
11 October 2007
18-11
RFID (Radio Frequency Identification)
SECTION 19.0 RFID (RADIO FREQUENCY IDENTIFICATION)

19.0 Installation Procedures for RFID on ASP Workstations
The following instructions apply to installing the ASP RFID module on workstations.
a. Insert the CD SAAS Application L6F-10-00 in the CD drive.
b. Double click on My Computer and select the local drive for CDs. You can also access
the CD drive using Explorer.
c. Double click on SCP 10 RFID (VS 4.4) Install.
d. Double click on RFID Install to begin installation.

e. Click on Continue to "Install RFID Module VS 4.4"/\.
f. When prompted RFID Configuration is complete, click on OK to reboot. The RFID
installation is complete. Do not remove CD.

11 October 2007
19-1


19.1 Tag Docking Station Hardware, Configuration Setup and Registration
Procedures
19.1.1 Tag Docking Station Hardware
a. Docking Station
b. 12V AC-DC power adapter
c. RS-232 serial port cable
d. RFID tag

19.1.2. Tag Docking Station Hardware Setup Procedures
a. Connect the Docking Station to workstation using the RS-232 serial port cable.
NOTE: For workstations with multiple RS-232 serial ports, select a port, and record
which port was used for the configuration steps described below.
b. Connect the 12V AC-DC power adaptor to a power source and to the Docking
Station.
19.1.3. Tag Docking Station Configuration Procedures
NOTE: Mandatory entry fields are marked with an asterisk. Changes cannot be saved
unless data is entered in these fields.
a. Double click on My Computer and select the local drive for CDs. You can also access
the CD drive using Explorer.
b. Double click on SCP 10 RFID (VS 4.4) Install.
c. Double click on TIPSWriteInstall_3_5_1_75.exe
The InstallAnywhere window is displayed.
If the Uninstall Previous TIPS Write Release Window is displayed, click OK.
The Uninstall TIPS Write Window is displayed, click Uninstall.
11 October 2007
19-2

Uninstall Complete, click Done.
The Introduction Window is displayed, click Next.
The Cryptography Component Export Regulators window is displayed click Next.
Choose Install Folder window if c:\TIPSWrite3 is not displayed enter it and click
Install.
Install Compete, click Done.
Close the My Computer window.
d. Click on the TIPS Write 3 icon on the desk top to display the Tag Docking Station
Verification dialog box. This dialog box appears only if the Docking Station has not
been configured to a workstation.

e. Click on OK to display the Setup: Tag Docking Station window.

11 October 2007
19-3


19.1.4. Tag Docking Station Setup Location Procedures
a. The Setup: Tag Docking Station window has one tab: Location.

b. Enter the Tag Docking Station Serial Number preceded by the letter "T" in upper
case. This is a registration requirement of the docking station on the regional ITV
server. NOTE: Repeat this step each time a different docking station is connected to
the workstation.
c. Enter the Device Name to identify the docking station. Use a different Device Name
for each docking station in use on multiple workstations.
d. Enter the Device Description to identify the location of the docking station.
11 October 2007
19-4

e. Enter the Latitude and Longitude (use zeros (0) except for the last position.

19.1.5. Tag Docking Station Setup Communication Settings Procedures
a. Click on Communication Settings to validate the default settings. Default values are
Protocol: Auto-Detect and Com Port: 1. You can change the Com Port setting by
clicking and the down arrow, if the RS-232 serial port cable is connected to another
serial port. Click on Save if changes were made or click on Cancel to return to the
previous window. If save was clicked a dialog box The settings have been saved is
displayed, click OK.

b. Click on Save Settings to save the configuration changes.

c. Click on OK to continue setup and registration, click Close.

11 October 2007
19-5


19.1.6. Tag Docking Station Setup Registration Procedures
a. The Setup: Station Information/Register window displays system defaults and the
Docking Stations Serial Number (ID).

b. Click on the down arrow for Regional Service and select the Regional Server for your
geographic area (CONUS, Germany, or Korea). NOTE: Regional Server
configurations are set during installation and do not require changes.
c. Click on the down arrow for Communication and select the mode (normally Network)
to be used to transmit data files (Network, Modem, or Standalone).

11 October 2007
19-6


d. Click on The Station Information Tab. The Setup Station Information/Registration
window is displayed enter the following:
Site/Post Location
Name
Telephone
e. Click on Register to transmit the registration file (.TIP) created in the setup and
configuration process.
f. The save changes window is displayed, click Yes.
g. The registration window is displayed, click OK, and click Close.

19.2 RFID Interrogator Hardware, Configuration, Setup, and Registration
Procedures
19.2.1 Tag Docking Station Hardware
a. RFID Fixed and/or Gate Readers.
b. ITV Retriever.

19.2.2. Interrogator Hardware Setup Procedures
NOTE: The setup procedures for interrogators are not applicable for SAAS-MOD
systems.

11 October 2007
19-7


19.3 RFID Network and Modem Setup Procedures
Changes to the workstations network TCP/IP Protocol properties must be made through
the operating system
a. To view the Network configuration, click on Setup in the tool bar and click on Network
to display the Setup: Network window.

b. To view the Modem configuration, click on Setup in the tool bar and click on Modem
to display the Setup: Network window.
11 October 2007
19-8


19.3.1 Dial-up Networking / Modem Setup
TIPS-Read uses the Microsoft Windows operating system's Dial-up Networking
(DUN) subsystem to make modem connections to the Internet. The modem
must be configured with the operating system and a DUN Phonebook Entry
name 'ITV Connection' must be created before TIPS-Read can transfer files
(upload) via modem.

19.3.2 Configuring the modem with Windows Server 2003
The modem must be configured with the operating system before a Dial-up
Networking (DUN) can be added.
Chances are that the modem is already configured by Windows 2000 using the
Plug & Play technology. If not, select Start | Settings | Control Panel | Phone and
Modem Options to open the Phone and Modem Options window. Select the
Modems tab and press the Add button to open the Install New Modem window.
Use this to configure a new modem. Adding Modems is at Section 5.1
Make sure to not set the modem using the same Com Port/IRQ that the Tag
Docking Station or SaviReader will use. After it has been configured properly,
you can see the Com Port that the Tag Docking Station has been assigned by
selecting Setup | Tag Docking Station | Communications from the menu.
11 October 2007
19-9

Alternatively, for SaviReader, select Setup | Interrogator | Communication. The
Hardware Communications Settings window will open showing a COM Port field.
Set the modem so that the modem speaker is on initially to test so that you can
confirm it dialing properly. After TIPS-Read has been properly configured, set so
that modem speaker is off. Also, in the Phone and Modem Options window,
select the Dialing Rules tab to set options for area code, outside line, long-
distance calls, and to disable call waiting.

19.3.3 Creating a Dial-up Networking (DUN) Phonebook Entry
Once the modem has been configured with the operating system (above) create
a DUN phonebook entry that TIPS-Read will refer to and use. Note (below) that
the user name and password must be saved with the entry and that the entry
must be named 'ITV Connection'. This entry name is case sensitive and it must
be entered exactly as shown.
For Windows Server 2003 select Start | Settings | Network & Dialup
Connections. Press the Make a New Connection option to open the Network
Connection Wizard, then:
1. Click Next.
2. Select 'Dial-up to the Internet.' Press Next.
3. Select 'I want to setup my Internet connection manually, or I want
to connect through a local area network (LAN).' Press Next.
4. Select 'I connect through a phone line and a modem.' Press
Next.
5. Enter your ISP's (TSACS) local access phone number. Press
Next.
6. Enter your user name and password. (The password must be
saved with the phonebook entry.) Press Next.
7. For Connection name enter 'ITV Connection'. This entry name is
case sensitive; it must be entered exactly as shown.
8. 'Do you want to set up an Internet mail account now?' Select No.
Press Next.
11 October 2007
19-10

9. 'To connect to the Internet immediately, select this box and click
finish.' Leave the box checked and press Finish. (You want to test
this connection once before proceeding to the other configuration
sections).
10 At the 'Dial-up Connection' dialog box, make sure that 'Save
password' is checked. Press Connect.
When the dialog box message window indicates that the connection has been
established, test by opening the operating system Command Prompt (a.k.a. DOS
Prompt) (Start | Programs | Accessories | Command Prompt) and enter the
'ipconfig' command. A successful connection will display an entry with 'PPP
adapter ITV Connection' with non-zero IP address values for IP Address, Subnet
Mask and Default Gateway.
Disconnect the connection and close the Command Prompt window.
19.3.4 Viewing all Dial-up Networking phonebook entries from TIPS-Write
To see a list of all the Dial-up Networking phonebook entries without having to go
to the operating system, select Setup | Modem from the menu to open a window
as shown below. This window lists all the phonebook entries. You can verify
that 'ITV Connection' is among them. You cannot edit phonebook entries from
this window. You must do this from the operating system as described above.

11 October 2007
19-11


19.3.5 Network Setup
The Setup: Network screen displays the network connection information (such as
the IP address) for the TIPS-Write station and the regional server that is being
accessed. The information presented is for reference only and can not be edited
from this screen.
The Setup: Network screen can be accessed in the following ways:
1. Select Setup | Network from the menu.
2. Use the shortcut key (Alt - N)

11 October 2007
19-12


Data Fields:
This Station:
Computer Name -- The name of the computer on which TIPS-Write is
installed.
IP Address -- The IP Address of the computer on which TIPS-Write is
installed.
Regional Server:
Regional Server -- The name of the regional server to which the TIPS-
Write station reports.
IP Address -- The IP Address of the regional server.
E-mail Address -- The contact e-mail for the regional server.
To exit the Setup: Network screen, press the Close button.

11 October 2007
19-13

SAAS Security
SECTION 20.0 SAAS SECURITY
20.1 Overview
The SAAS Security CD implements the guidance of the DISA Security Gold Disk
(Platinum Level) setting, as well as AR 25-2 guidance. It also includes the latest
changes from the DA CIO/G6 (Department of the Army Chief Information Officer, G6)
regarding alternate CCL implementation. The settings on the SAAS Security CD are a
part of the SAAS DoD Information Technology Security Certification and Accreditation
Process (DITSCAP) and should be implemented for the Approval To Operate/Interim
Approval To Operate (ATO/IATO) to be valid. Instructions for installing SAAS Security
are included on the security CD.

20.2 Security Features Users Guide (SFUG)

STANDARD ARMY AMMUNITION SYSTEM MODERNIZATION (SAAS-Mod)
Security Features Users Guide (SFUG)

BY

SECURITY ENGINEERING

FOR

Assistant Project Manager Automated Logistics and Integrated Systems

JULY 2006

11 October 2007
20-1
SAAS Security

Table of Contents
1 INTRODUCTION
1.1 Purpose
1.2 Scope.....................................................................................................................................
1.3 Document Organization
1.4 General Security Requirements ............................................................................................
1.4.1.................................................................................................. Non-technical Safeguards
1.4.2.........................................................................................................Technical Safeguards
1.4.2.1 Discretionary Access Control (DAC) .......................................................................
1.4.2.2 Object Reuse .............................................................................................................
1.4.2.3 Audit
1.4.2.4 Identification and Authentication (I&A) ..................................................................
1.4.2.5 Anti-virus Software...................................................................................................
1.5 Additional Information .........................................................................................................
2 SYSTEM SECURITY OVERVIEW
2.1 Overview of Windows XP Professional and Windows Server 2003....................................
2.1.1............................. Windows XP Professional and Windows Server 2003 Enhancements
2.1.2............................................................................................................... Security Features
2.2 Basic Security Tenets............................................................................................................
2.3 The Information Security Manager.......................................................................................
2.4 User Roles.............................................................................................................................
2.5 User Security Responsibilities ..............................................................................................
2.5.1............................................................................................................ Controlling Misuse
2.5.2.............................................................................................Security Awareness Training
2.5.3......................................................................................................................... Monitoring
2.5.3.1 Security Incident Reporting......................................................................................
2.5.3.2 Configuration Maintenance and Monitoring ............................................................
2.5.4...................................................................................................................Protecting I&A
2.5.5.......................................................................................................... Non-Working Hours
3 USER SECURITY GUIDANCE
3.1 Establishing and Ending a Session .......................................................................................
3.1.1.................................................................................................Logging onto the Network
3.1.2................................................................................................... Locking the Workstation
3.1.3..................................................................................................... Logging off the System
3.2 User Identification and Authentication.................................................................................
3.2.1................................................................................................... Password Considerations
3.2.2............................................................................................................. Password Lifetime
3.3 User Profiles..........................................................................................................................
3.4 Windows XP Professional and Windows Server 2003 Domains and Workgroups..............
3.4.1....................................................................................................................... Workgroups
11 October 2007
20-2
SAAS Security
3.5 File System Guidance ...........................................................................................................
3.5.1............................................................................................ Discretionary Access Control
3.5.2........................................................................................................................File Sharing
3.5.2.1 DAC for objects (files and directories).....................................................................
3.5.2.2 Setting Directory or File Permissions.......................................................................
3.5.2.3 Changing Permissions...............................................................................................
3.5.2.4 Adding Users and Groups.........................................................................................
3.5.2.5 Removing Users and Groups ....................................................................................
3.5.3........................File Transfers and Secure File Transfer Protocol (FTP) (ssh2 compliant)
3.5.4............................................................................................................................. Auditing
3.5.5................................................................................................................. Auditing Events
3.5.6.............................................................................................................. Using the Modem
3.6 Protecting Removable Objects..............................................................................................
3.7 Security Checklist .................................................................................................................
Appendix A Acronyms and Abbreviations
Appendix B References

List of Figures

Figure 1. Logon Information.............................................................................................................
Figure 2. Log Off Windows..............................................................................................................
Figure 3. File Sharing .......................................................................................................................
Figure 4. Setting Permissions ..........................................................................................................
Figure 5. Changing Permissions .......................................................................................................

List of Tables

able 1. DAC Permission Definitions
Table 2. Security Checklist ...............................................................................................................

INTRODUCTION
Purpose
The purpose of this Security Features Users Guide (SFUG) is to provide non-administrative
users with instructions on the proper use of the security features of the Standard Army
Ammunition System-Modernization (SAAS-Mod) functions. This guide also provides a
description of the security safeguards required to ensure protection of the SAAS computer
system; defines the SAAS philosophy of protection; provides a list of common threats and
vulnerabilities related to SAAS; and outlines typical system security related roles and
responsibilities. This SFUG identifies and explains the user-level security mechanisms in the
SAAS computing environment and provides the guidance for consistent and effective protection
11 October 2007
20-3
SAAS Security
of SAAS information using the built-in security features of the Windows XP Professional and
Windows Server 2003 network operating systems.
Scope
This document describes the security features available to the user within a controlled SAAS
facility and is intended to provide desktop users with the fundamental information required to
access information and operate securely in the SAAS environment. This document also includes
information and recommendations on how to recognize and minimize security risks.
Document Organization
This document is divided into three chapters. Chapter 1, Introduction, describes the purpose,
scope and audience for this document. Chapter 2, System Security Overview, provides an
overview of SAAS system security principles, terminology, and user responsibilities. Chapter 3,
User Security Guidance, describes the steps and procedures required for SAAS users to securely
access and protect the SAAS system.
General Security Requirements
Protection of the SAAS computer system and the data processed by that system requires a
combination of both technical and non-technical security safeguards. Non-technical safeguards
may be based upon the facilitys geographical location; military service and local installation
policy requirements; physical facility layout; and other mission related factors; however, the
SAAS systems technical security safeguards will remain constant at each location regardless of
where the system is installed because they are implemented in the software of the SAAS
workstation.

Technical security safeguards will be implemented by the SAAS Windows operating systems
software, database software, and application software, or by a combination of all three.
Responsibility for the proper configuration and administration of the technical security
safeguards normally rests with an individual responsible for system security. Many of these
technical security safeguards are transparent to the system users. The following paragraphs
provide a brief general description of non-technical and technical security safeguards that apply
to SAAS.
Non-technical Safeguards
Non-technical security safeguards consist of procedural and administrative protective
measures implemented within an operational environment to ensure that a computer system and
its data are protected from unauthorized physical access, destruction, and modification. The
policy and procedural requirements associated with non-technical safeguards are military service
11 October 2007
20-4
SAAS Security
and site oriented. Non-technical safeguards consist of administrative, personnel, physical and
procedural security measures. These safeguards are documented in organizational security policy
instructions or manuals and complement the technical safeguards implemented on the SAAS
system. These safeguards are critical to ensuring the protection of a computer system and its
data. Examples of non-technical safeguards include:
The requirement for a policy that identifies security responsibilities for SAAS
Limitation of access (isolation) to the SAAS computer system
Maintenance of backup data offsite
User awareness of security policies and their environment
Identification of unauthorized users attempts to access the system
Contingency Plans (including Continuity of Operations Plans)

Technical Safeguards
Technical security safeguards consist of the automated security features implemented by the
SAAS computer system to protect it and its data from unauthorized access, destruction, or
modification. Unlike non-technical safeguards, the automated security features (i.e. technical
safeguards) will remain consistent regardless of where the system is physically located.
Technical safeguard requirements are established by Department of Defense (DoD) and US
Army requirements and are based upon the classification of data processed by the system,
clearance level of system users, and security mode of operation (e.g., dedicated, system high,
multilevel, and partitioned). The following paragraphs provide a brief description of the critical
technical safeguards associated with a sensitive, but unclassified (SBU) level of trust system
such as SAAS.
Discretionary Access Control (DAC)
In multi-user systems, such as SAAS, the SA ensures that authorized users of the system are able
to access only data and programs for which they have been granted appropriate access
permissions and privileges. In SAAS, DAC is implemented via the assignment to an individual
of a unique User ID and password, group assignment for each user, and use of permissions at the
directory and/or file level to limit access to specific individuals.
Object Reuse
The SAAS system is an application system in which individual users are allocated their own
storage space for personal and/or private data or programs associated with their work. The
SAAS object reuse safeguards ensure that all objects (e.g., data, programs) are permanently
deleted from a users assigned storage space prior to reassigning that storage space to a new user.
11 October 2007
20-5
SAAS Security
This prevents new users from gaining access to a previous users personal and private data. In
the SAAS system the reuse of storage space safeguard operation is transparent to individual
users.
Audit
SAAS audit safeguards provide for user accountability by recording the events initiated by each
individual user during their computer session. Events typically recorded by the audit function
include:
Use of identification and authentication (e.g., entry of User Identification (UID) and
password) information
Program initiation
File creation, deletion, open, or close
The type of event that created the log entry
Other user related actions.
Audit records identify (1) each individual user initiating an event, (2) the date and time an event
occurred, (3) the success or failure of each event, and (4) the location (e.g., terminal or desktop
computer station) from which each event was initiated. The SAAS audit function can be
configured to record actions of all system users or those actions performed by any particular
individual user. Different auditing functions are configured in both the Windows operating
system and in the Oracle database. The system audit functions operations are transparent to the
individual system users.
Identification and Authentication (I&A)
The SAAS I&A safeguard requires that users positively identify themselves to the computer
system before being allowed to work on the system. This is accomplished by assigning an
unique user identification (UID) and password to each individual, prior to their being granted
access to the system. The UID and its associated password also serves as the mechanism for
associating a specific user with the audit events recorded during their session on the computer.
The UID and password must be presented to the SAAS system each, and every time, an
individual user logs on the system. Entry of the user password will also be required to re-enter
the SAAS system after an absence in which the screen saver has been activated. Incorrectly
entering the UID and its associated password three times will result in the user being locked out
of the system until his UID has been reset by the IASO.
Anti-virus Software
The SAAS anti-virus software requires that users have the capability to check incoming and
outgoing files and electronic media for computer viruses. This is accomplished by providing
11 October 2007
20-6
SAAS Security
each workstation (desktop and laptop) with a licensed copy of Symantec Anti-Virus. The anti-
virus software is set to automatically check email and all incoming files as they arrive. However,
it is the responsibility of the user to initiate a check for viruses on files or media they intend to
transfer to another computer, either through email or via other electronic media.
Additional Information
Any user who wishes to obtain additional information about the topics discussed in this
document may go to the following documents:
1) Standard Army Ammunition System (SAAS) Security Authorization Agreement (SSAA).
2) Standard Army Ammunition System (SAAS) Trusted Facility Manual (TFM).
3) AR 25-2 Information Assurance.
SYSTEM SECURITY OVERVIEW
This section provides a brief background on SAAS primary software components (Windows
XP/2003/Oracle) that are used to implement required security safeguards. It presents the many
security features Windows has that users will employ to secure their information while it is
stored and processed on a workstation. This chapter explains their use.
Overview of Windows XP Professional and Windows Server 2003
The Windows XP Professional Operating System is the workstation model of the Windows XP
platform and incorporates the best of Windows 2000 and Windows NT 4.0. Windows Server
2003 Operating System is the server model of the Windows platform. They are both being
marketed by Microsoft as the easier-to-use Windows yet and are designed for inexperienced
users.
Windows XP Professional and Windows Server 2003 Enhancements
Windows XP Professional and Windows Server 2003 include a number of enhancements to
make end users less dependent on administrators. Improvements include an easy-to-use setup
program, improved Help and Wizards, and an Active Desktop designed to conform to the way
the user accesses desktop features. User Interface enhancements and features that improve the
user interface include the following:
Logon and shutdown dialog boxes - Logon and shutdown dialog boxes are easier to
use, with fewer, better-organized choices.
Task Scheduler - The enhanced Task Scheduler allows users to schedule scripts and
programs to run at specific times.
Support for Mobile Users - Microsoft Windows XP Professional and Windows Server
2003 support the latest laptop technologies based on the Advanced Configuration and
11 October 2007
20-7
SAAS Security
Power Interface (ACPI), which allows a user to change or remove devices without
turning off the computer. ACPI also uses power management to lengthen battery life
with suspend or resume capabilities. Additional features in Microsoft Windows XP
Professional and Windows Server 2003 that provide support for mobile users include the
following:
o Telephony Interface
o Fax Service
o Phone Dialer
o NetMeeting
o Encrypting File System
o Built-in Internet Services
o Outlook For E-Mail And News reading
o Connect ability To A Windows NT Domain
o Modem and New Hardware Support
o Internet Explorer
The Network Connection Wizard which consolidates all of the processes for creating
network connections. Users can now setup networking features from a single wizard.
Microsoft Windows XP Professional and Windows Server 2003 includes many features that help
reduce the overall cost of managing the computing environment, from installation of the
operating system and applications to day to-day desktop management and support.
Security Features
Microsoft Windows XP Professional and Windows Server 2003 are the most secure Windows
desktop operating system currently available, either when operating on a stand-alone computer
or in any type of public or private network. Security features and enhancements in Microsoft
Windows XP Professional and Windows 2003 Server include the following:
Integration with Windows 2000 Active Directory Active Directory provides scalable,
flexible account management for large domains with fine-grained access control and
delegation of administration. Active Directory is not, however, used in the present SAAS
system architecture.
Kerberos 5 Kerberos 5 is an authentication protocol (an internet security standard) that
is implemented as the default protocol for network authentication and provides a
foundation for authentication interoperability.
Public Key Certificates Authentication by using public key certificates, secure
channels based on Secure Sockets Layer (SSL) 3 and CryptoAPI, delivers industry-
standard protocols for data integrity and privacy across public networks.
11 October 2007
20-8
SAAS Security
User Accessible File Encryption A feature allowing each user to encrypt his files.
Internet Protocol Security (IPSec) - A security protocol, transparent to the user,
providing a method of securing all network traffic against both insiders and outsiders.
Virtual Private Networking (VPN) VPN allows the user to tunnel through foreign
networks to prevent anyone on the foreign network from viewing his data.
Basic Security Tenets
The SAAS security implementation is based on a preventative approach and is executed by the
site security staff with the cooperation of all system users. This section outlines the basic security
tenets for SAAS:
All users are responsible for becoming familiar with the security procedures required to
carry out their daily tasks and duties.
All users are responsible for reporting suspected misuse of the system.
The Information Security Manager
SAAS and US Army Security Policy require each SAAS site to have an Information Security
Manager (ISM). The ISM is the person responsible for enforcing SAAS site security policies
and procedures. The Information Security Manager (ISM)/Information Assurance Security
Officer (IASO), or designee, is the person with whom the end-user should interact for most
SAAS security related issues. He is the person the end-user should contact if there are any
SAAS related security questions or concerns. Normally, the ISM, or designee, is the person to
whom the end-user reports SAAS security incidents.
The ISM responsibilities may vary slightly at each location, but the below listed responsibilities
are typical. The ISM is the focal point for all assigned system, directorate, or department SAAS
security matters and is responsible for the following:
Implementing the SAAS Automated Information System (AIS) security program as it
applies to a site-specific AIS, including preparing and submitting accreditation support
documentation.
Maintaining an inventory of all SAAS hardware, implemented system software releases,
and major functional application systems.
Monitoring system activity, including identifying the levels and types of data handled by
SAAS, verifying password assignments, and reviewing audit trails, outputs, etc., to
ensure compliance with SAAS security policies and procedures.
Conducting and documenting the site SAAS risk assessment.
Coordinating all system security matters with SAAS security management structure and
system users.
11 October 2007
20-9
SAAS Security
Completing an AIS security survey for SAAS and participating in the preparation of the
customized Site Security Operational Procedures (SSOP).
Supervising, testing, and monitoring changes affecting the AIS activity and SAAS
network security posture.
Implementing appropriate safeguards as required by directives.
Monitoring system activity for security violations and reporting all security infractions to
the appropriate authority.
Supporting user training in correct AIS security procedures.
Assisting in the implementing, developing, and testing the site SAAS contingency plan.

User Roles
The design of the SAAS system includes a concept called role-based security to prevent abuse,
misuse, or unauthorized actions by any user. A SAAS user gets assigned to one or more of these
roles according to his position and responsibilities in his organization. The security manager and
DBA should work closely together to ensure that the least privilege principle is applied. No
one user should be assigned certain combinations of roles which would allow them to manipulate
SAAS in a manner that is inconsistent with his job requirements. For example, a user assigned
the Company Commander role should not also have the SAAS Officer role. If a user has
mistakenly been assigned to a role which does not match his position or responsibilities, it is his
duty to report this discrepancy to the ISM and his chain of command.
User Security Responsibilities
The SAAS system users play a key role in ensuring the secure operation of the computer system.
While the operation of most system security features is not apparent to the user (they are
transparent) and does not require user intervention, failure to follow the locally-established
security policy could result in unauthorized disclosure of sensitive data, unauthorized system
access, and unavailability of system resources. While unintentional security incidents sometimes
cannot be avoided, the impact associated with these incidents can be minimized if they are
reported to the appropriate security personnel as soon as possible. A general list of user security
responsibilities includes the following:
Complying with local security policy.
Protecting passwords at the sensitivity level of data processed by the system (for SAAS
this is SBU).
Protecting system resources from damage, destruction, or unauthorized access.
Protecting sensitive, unclassified information (e.g., printed products, monitor display
screens) from unauthorized disclosure, alteration or loss.
11 October 2007
20-10
SAAS Security
Ensuring that all printed output products are marked For Official Use Only (FOUO), the
proper marking for SBU data.
Reporting password compromise and suspected security violations to the appropriate
security personnel.

Controlling Misuse
Misuse of any Department of Defense system, including SAAS, is illegal under federal and local
statutes. Users are responsible for abiding by policies and guidelines and must understand what
constitutes system misuse. The site security staff can provide specific guidance on security
issues that are of concern to the site.
Security Awareness Training
All new SAAS users are required to attend a security indoctrination/orientation training session.
This program continues with security awareness training throughout the users tour of duty in the
trusted facility and ends with a security debriefing at the tours end. It is imperative that each
user understand what constitutes system misuse in order to prevent inadvertently violating
policies and regulations, thereby increasing the risk to the systems effective and correct
operation.
Monitoring
User activities on the SAAS system are regularly monitored and are capable of being archived
and tracked from a historical perspective. When intentional acts of misuse or risky patterns of
system related behavior occur, policy related enforcement mechanisms are expected to be
enacted.
Security Incident Reporting
Each SAAS user is responsible for promptly reporting suspected security violations. In most
cases, early detection of security violations will minimize the impact to SAAS. In the absence of
site-specific reporting procedures, all suspected security violations should be reported
immediately to the local ISM. These individuals will initiate an investigation to validate the
suspected security violation and implement appropriate corrective measures. Users should not
attempt to perform their own investigation or assess the potential system impact. These efforts
will only delay investigation by the appropriate authorities followed by the implementation of
corrective measures. A general list of suspected security incidents that should be reported
includes the following:
Suspected compromise of user passwords.
11 October 2007
20-11
SAAS Security
Attempts to gain unauthorized system access.
Attempts to circumvent SAAS system security features.
Unauthorized disclosure of sensitive information.
Attempts by authorized users to access sensitive data outside of their area of
responsibility.
Improper configuration of SAAS security safeguards (e.g., accessing SAAS without a
password or accessing previously restricted SAAS functionality).
Attempts to gain detailed information about SAAS security safeguards.
Suspected unauthorized modifications to sensitive data.
Denial of Service attacks.
If users suspect or detect misuse, in-progress attacks, or other aberrant system activity, they
should immediately contact the IASO. It is important to report the incident immediately to
prevent further possible compromise or damage to the system. Users must be aware that the
failure of a single site to ensure security puts all sites at risk.
Configuration Maintenance and Monitoring
The SAAS system security staff monitors workstations and servers to verify that the correct
security configuration is maintained. Users must not attempt to load unauthorized software or
change file permissions without security staff permission. Additionally, users must not change
file permissions unless it is within the scope of their job or is required for the mission, and they
have received proper authorization.
Protecting I&A
Each SAAS user plays a key role in the system security of the SAAS system network. Technical
safeguards alone cannot protect sensitive system resources against unauthorized access,
modification, or destruction unless each user consistently applies appropriate physical, personal,
administrative, and procedural security measures. In this respect, each user is responsible for the
following:
Not revealing their passwords to others.
Locking their workstations when they must be unattended for any length of time.
Logging off their systems at the end of the day.
11 October 2007
20-12
SAAS Security

Non-Working Hours
During non-working hours and when offices are left unattended, all doors and windows to
offices that house SAAS equipment are to be locked.
USER SECURITY GUIDANCE
This chapter covers the security features of Windows XP Professional and Windows Server 2003
operating system that relate to SAAS users as well as steps and procedures users must take to
protect their information.
Establishing and Ending a Session
This section discusses the mechanics of logging on and off the SAAS Windows XP Professional
and Windows Server 2003 network and of locking the workstation during brief absences. SAAS
provides the user with a Single Sign-on (SSO), which allows the user to access all authorized
network resources, on the basis of a single user authentication process that is performed when the
user initially accesses The Army Knowledge Online (AKO).
Logging onto the Network
All users must first log on to a Windows XP Professional and Windows Server 2003 system
before being allowed access to any SAAS system or network resources. As described later, this
logon may be to the local workstation or to a domain. To log on, users must first hit the
CTRL+ALT+DEL keys simultaneously to receive the logon dialog box (Figure 1Error!
Reference source not found.). The user must then enter his username and password. Guidance
on password generation is provided in the following sections. The selection made in the
Domain pull-down list defines which domain the user is attempting to log in to (e.g., an
account on the local machine or an account in a domain to which the computer belongs).

11 October 2007
20-13
SAAS Security
Figure 1. Logon Information

Locking the Workstation
When leaving their workstations for any length of time, users should either log off or lock the
workstation in order to protect the workstation and the users data from passers-by who can take
advantage of the open session. SAAS security policy requires users to utilize the terminal lock
feature to prevent unauthorized access to the system and sensitive data in their absence. Once the
terminal lock feature is executed, the monitor will display a blank screen or screen saver and
prevent anyone from viewing sensitive data. After the terminal lock feature is activated, future
access to the terminal is granted only after entry of a valid User ID and password.

SAAS has a default system registry setting that automatically locks the system after 300 seconds.
This is not reconfigurable.

Logging off the System
Logging off of a SAAS workstation allows other users with valid accounts to use the machine
without disrupting the previous users data, whereas locking the workstation locks the interactive
user interface, but does not close the currently active processes of the user that has logged onto
the workstation. Logging off the system at the end of the workday or before a long absence is
mandatory. Follow the steps below to log off of a SAAS workstation:
To logoff, click on the Start button.
Select Log Off.
Click on the Log Off button as shown in Figure 2Error! Reference source not
found..

Figure 2. Log Off Windows

User Identification and Authentication
Logging on to a system establishes the users identity and authenticates the user, which is a
necessary component of SAAS security. Once a user receives the logon dialog, he is required to
11 October 2007
20-14
SAAS Security
identify himself to the system (by username) and enter his password, as described above. Both
username and password are looked up in the SAAS Security Account Manager (SAM) database.
If there is a successful match, the system will give the user a unique security token that contains
his user account information and establishes a session. This security token, called an access
token, is used to identify the user for the duration of his session (until he logs off the system).
The access token is transparent to the user and contains a users security identifier (SID), group
IDs, and user rights.
Password Considerations
Passwords are unique to the individual and are the basis for user authentication. Each new user
will be given his username along with a password by the site security staff. Users should never
write their passwords down or share them with another user.
Passwords for accessing the SAAS applications on SAAS clients or passwords for accessing the
SAAS Enterprise software are subject to the constraints of AR 25-2 Information Assurance.
Password constraints are controlled by registry settings for the SAAS system and by similar
policies in effect at AKO.
Passwords must include at least ten characters long and must contain at least two characters from
each of the four following character groups:
Uppercase alphabetic characters (AZ)
Lowercase alphabetic characters (az)
Numbers (09)
Special characters (!, @, #, $, %, ^, &, *, (, ), <, >, etc.)
Additionally, passwords must meet the following rules:
Passwords must not be a word found in a dictionary, or a proper name spelled
forwards or backwards.
Passwords must not be based on a simple keyboard sequence or repetitious
keystrokes.
Passwords must not be a previously used password.

Password Lifetime
SAAS and AKO passwords are valid for 60 days. The system will prompt a user 14 days before
his password is about to expire and ask him to select/generate a new password. The user must
make sure that he follows this prompt and obtains a new password or he runs the risk of being
locked out of his account. If this happens, he should see his network administrator or security
manager to unlock his account and generate a new password.
SAAS is configured to lock accounts after three failed logon attempts. If a user becomes locked
out, he must contact his network administrator or security manager to unlock his account.
11 October 2007
20-15
SAAS Security
User Profiles
When a SAAS user has been authenticated and has established a session, he sees a familiar
desktop with applications and settings that are the same as the last time he logged on. This
collection of assigned applications and settings is called a profile. Windows XP Professional and
Windows Server 2003 assign these user profiles to each valid user. Windows XP Professional
and Windows 2003 Server can create three types of User Profiles as described below.
Local - Local profiles are specific to the local workstation on which they are created.
Roaming - Roaming profiles are stored on a network server and accessed when a user
logs on.
Mandatory - Mandatory profiles are stored on a network server and are configured
by the local network administrator. These profiles allow administrators to control the
desktop of all users participating in the domain.

Windows XP Professional and Windows Server 2003 Domains and Workgroups
SAAS Windows XP Professional and Windows Server 2003 systems may be configured to
participate in a domain or workgroup. Active Directory is not authorized for use with the SAAS
system. The user-visible differences between the domain and workgroups are presented in the
following paragraphs.
Workgroups
Workgroups are a collection of related workstations that operate on a peer-to-peer level. This
means that there is no centralized management of security or resources. Each workstation
manages its own user account database. Logging onto these machines requires a user to have a
local account. It must be noted that the members of any workgroup are still managed as part of
the overall network and are subject to the restrictions of the network security policies and
resource requirements.
File System Guidance
Windows XP Professional and Windows Server 2003 currently support two file systems: the
New Technology File System (NTFS) and the File Allocation Table (FAT). NTFS is the file
system created for Windows NT and later operating systems, whereas FAT is an older, insecure,
but backward-compatible file system. FAT does not have the security features that NTFS
supports. A workstation with a FAT volume runs the risk of having its files accessed by
unauthorized users. It is a SAAS requirement for Windows XP Professional and Windows
Server 2003 platforms to use NTFS.
11 October 2007
20-16
SAAS Security
This section provides good information for all users, but is relevant only for Windows XP
Workstation users who are permitted to create and control shared files, directories, or other
system resources on their workstations. The items discussed below apply to resources that are
shared between users, whether on the same workstation or between workstations.
Discretionary Access Control
An important feature of NTFS is file-level security. Windows XP provides the ability to specify
access control permissions on each object (file, directory or folder). Each object has an Access
Control List (ACL) that identifies the user or group accounts that have been granted access to
that object and identifies the type of access granted to the object.
File Sharing
File sharing allows users to access resources on other machines on a network (a sample screen is
shown in (Figure 3. File Sharing). Depending on the network configuration, network shares can
be seen within local domains as well as remote trusted domains. The SAAS systems are
configured such that the ability to share resources can only be created by the security staff. If a
user has a requirement to share resources, they must see the System administrator. The user
should be aware that if they make a mistake in any process, they can easily recover by canceling
the process or backing up to the error point and then correcting their error.

Figure 3. File Sharing
11 October 2007
20-17
SAAS Security
3.5.2.1 DAC for objects (files and directories)
Error! Reference source not found. lists the available permissions a SAAS user can set on files
and directories, along with the effects of that permission. Users can set the permissions on any
objects that they own or to which they have been granted Full Control.

Table 1. DAC Permission Definitions
Permission Effect
No Access Prevents any access to the directory and its file event if the user has been
granted full level control.
List Allows the viewing and browsing of a directory, without access to files
unless overridden by other files or directory permissions.
Read Allows opening files and executing applications.
Add Allows the adding of files and subdirectories without read access.
Change Allows the combination of Add and Read permissions, plus Delete.
Full Control Consists of the combination of Add, Read, Delete, and Change, plus
taking ownership and assigning permissions.

Setting Directory or File Permissions
In order to assign permissions to files and/or directories, users must own or have full control over
that object. To edit file or directory permissions, perform the following steps:
Open My Computer.
Select and right-click on the target directory or file.
Select Properties.
Select the Security tab and choose the appropriate permissions. (See )

11 October 2007
20-18
SAAS Security

Figure 4. Setting Permissions

Changing Permissions
Selecting the user/group and selecting new permissions from the Permissions list will change a
users or groups assigned permissions. Advanced permissions are accessible by clicking on the
advanced button.
Adding Users and Groups
To grant access to another user, use the following steps:
Click on the Add button on the Security tab (pictured in Figure 4.). From here, an
administrator can add users or groups from the local machine or, if connected to a
domain, users, computers, or groups from the domain or other trusted domains.
Click on the advanced button to display the window shown in Figure 5.
11 October 2007
20-19
SAAS Security

Figure 5. Changing Permissions

Click on the View/Edit button to make changes to existing accounts.

Removing Users and Groups
To remove another users access, select the appropriate entry from the list on the Security Tab
and click on the Remove button.
File Transfers and Secure File Transfer Protocol (FTP) (ssh2 compliant)
The transfer of files between SAAS and the authorized interfaces will be accomplished by an
embedded communications programs utilizing secure FTP.

11 October 2007
20-20
SAAS Security
Auditing
Auditing is a very useful SAAS security feature. Activating the auditing feature allows the
system to trace accesses to certain sensitive files and directories that are suspected targets.
Once an administrator has enabled the auditing of file and/or object accesses on a system, users
have the ability to specify auditing on files and directories that they own. Users should consult
with their site security officer or network administrator for local audit policies and guidance.
Auditing Events
Once auditing has been enabled, you can specify files and directories to be audited by following
these steps:

Open My Computer
Right-click on the file or directory on which to set auditing
Select Properties, Security, Advanced, and the Auditing tab (Error!
Reference source not found.)

Figure 6. Auditing

Select the users to be audited. For this example, we will use Authenticated Users.
Click on Add.
Select Authenticated Users from the Names list box.
Click on OK and the window in Figure 7 will be displayed.
11 October 2007
20-21
SAAS Security

Figure 7. Auditing Entry

Check the appropriate audit events.

Note: Users should exercise care when specifying file and directory auditing. Auditing
access to frequently accessed files and directories can rapidly fill up the security log. Not
only does this create large log files to sift through, it also takes up a lot of disk space.
The user should also be aware that if he makes a mistake, he can easily recover by
canceling the process or backing up to the error point and then correcting their error.

Using the Modem
The modem is to be used to provide connectivity to the servers for synchronization when
network connectivity is not available. At no time should the modem and the network connection
be concurrently active. Use one or the other, as appropriate, but never use both at the same time.
The procedure outlined in this section will describe the means for accomplishing this.

11 October 2007
20-22
SAAS Security
In order to use the modem, the user must click on the desktop icon for connecting to the
modem. This causes the network card in the system to automatically disconnect and then
activates the modem.

When the outgoing call is made, the user will enter the phone number and the call will go
through.

After the user has completed the file transmission, another click on the desktop icon will
disable the modem and re-activate the network card.

Protecting Removable Objects
It is every bit as important to SAAS users that data stored as hardcopy or as soft copy for
external storage is protected as fully as it is when on the SAAS computer system. External
storage is defined as the following:
Floppy disk
Consumer-market tape or optical-magnetic drives, e.g., Iomega Zip and Jazz drives from
SyQuest.
Production tape drives, e.g. HP SureStore
External hard drive
Read/writeable CD/DVD-ROM drive
Printed documents
Portable USB drives

SAAS policies regarding copying and removing data from workstations or servers to external
media, such as a floppy disk, will be fully described at each site. As part of the site security
policy, each site will address when data can be copied, how it will be handled after it is copied,
what must be done with it when the user is finished with the copy, etc.

Security Checklist
This section proposes a partial checklist (Error! Reference source not found.) for users to use
to verify that they have secured their workstations. The IASO or the user may add to this
checklist as they feel appropriate.
Table 2. Security Checklist
11 October 2007
20-23
SAAS Security

Item
Completed
Checklist
Yes No
I have not revealed my password to anyone
I have not written down my password
I always log off my computer when I no longer need to use it
I lock my workstation if I leave it unattended while I am logged on, and
I use a password-protected screen saver to lock the workstation if I
forget to lock it myself
I always take care to use directory and file permissions to ensure only
users who need to access my files can do so, and that they only have the
type of access they need

Appendix A
Acronyms and Abbreviations
This section contains an alphabetized list of the acronyms and abbreviations used throughout this
document. Each acronym or abbreviation is spelled out in its entirety the first time it is used in
the document. Thereafter, only the acronym or abbreviation is used.
ACL Access Control List
ACPI Advanced Configuration and Power Interface
AIS Automated Information System
AKO Army Knowledge Online
ALT Alternate Key
APG Advanced Password Generator
APIPA Automatic Private IP Addressing
COE Common Operating Environment
CTRL Control Key
CPU Central Processing Unit
DAA Designated Approval Authority
DAC Discretionary Access Control
DBA Database Administrator
DEL Delete Key
DHCP Dynamic Host Configuration Protocol
DII Defense Information Infrastructure
DoD Department of Defense
FAT File Allocation Table
11 October 2007
20-24
SAAS Security
FOUO For Official Use Only
GB Giga-Bytes (Billions of Bytes)
GCSSArmy Global Combat Support System Army
I&A Identification and Authentication
IASO Information Assurance Security Office
IPSec Internet Protocol Security
ISM Information Security Manager
ISSM Information Systems Security Manager
MB Mega-Bytes (Millions of Bytes)
NTFS New Technology File System
SAM Security Account Manager
SBU Sensitive-But-Unclassified
SFUG Security Features Users Guide
SID Security Identifier
SSOP Site Security Operational Procedures
TFM Trusted Facility Manual
UID User Identification
USB Universal Serial Bus

Computer security terms or phrases used throughout this document are the following:
I&A - Identification and Authentication. Before gaining access to system resources or
data, users must be identified to the system via a valid user account consisting of a user
ID and password.
DAC - Discretionary Access Control. Discretionary access control is the operating
system feature that allows the system to determine who is able to read, write, or execute a
system object (files, directories, printers, etc.). Authenticated users will have access only
to system objects that are required for their functional role and that are granted via DAC
controls.
Importing and exporting file system objects. Users may be required to import files
(bring files into their computer system from another computer system); export files
(move or copy a file from the users workstation to another workstation or file server); or
share files that reside on their workstation, another workstation or a file server. The user
should be aware of any attendant security restrictions and precautions.
Audit event generation - Users need to understand that the actions they perform on their
workstations are audited by the SAAS operating system and database system, and that
audit logs are maintained and reviewed by the Information Assurance Security Officer
(IASO). This background security review activity is transparent to the user.
11 October 2007
20-25
SAAS Security
Security Access Token A unique security token issued to each user by Windows XP
Professional and Windows Server 2003 at the time they login. This token is used by the
operating system to uniquely identify each user throughout the duration of their session.

Appendix B
References

The policies, procedures and requirements applied to the SAAS were derived from the following
program and security documents.

Army Regulation 25-2 Information Assurance, 12 December 2003

DoD Directive 8500.1 Information Assurance, 24 October 2002

DoD Instruction 8500.2, Information Assurance (IA) Implementation, 6 February 2003

Federal Information Security Management Act (FISMA), December 2002

OMB Circular A-130, A-123, A-127

Freedom of Information Act of 1986 (P.L. 99-570)

FIPS PUBs 31, 41, 65, 73, 112, 113

Computer Security Act of 1987, 40 U.S.C. 759

Privacy Act of 1974, 5 U.S.C. 552a (e)(10)

The Immigration and Nationality Act, 8 U.S.C. 1202, Section 222(f)

Federal Manager's Financial Integrity Act, 31 U.S.C. 1352

Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030

Executive Order No. 12958 entitled, "Classified National Security Information."

Executive Order 10421 entitled, "Providing for the Physical Security of Facilities
Important to the National Defense."

11 October 2007
20-26
SAAS Security
"National Policy for Safeguarding and Control of Communications Security (COMSEC)
Material," NCSC-1

"National Policy on Use of Crypto-Material by Activities Operating in High-Risk
Environments," NCSC-5.

"National Policy on Secure Voice Communications," NCSC-8.

National Telecommunications and Information System Security Policy 3 (NTISSP 3),
"National Policy for Granting Access to U.S. Classified Cryptographic Information."

National Telecommunications and Information System Security Policy 200 (NTISSP
200), "National Policy on Controlled Access Protection."

National Telecommunications and Information System Security Policy 300 (NTISSP
300), "National Policy on Control of Compromising Emanations."

National Telecommunications and Information System Security Directive 500
(NTISSD 500), "National Directive on Telecommunications and Automated Information
Systems Security (TAISS) Education, Training, and Awareness."

National Telecommunications and Information System Security Directive 600
(NTISSD 600), "National Directive on Communications Security (COMSEC) Monitoring.

"National Policy on Telecommunications and Automated Information Systems:
Director of Central Intelligence Directive 1/16 (DCID 1/16).

Office of Management and Budget Circular A-123 (OMB A-123).

Federal Personnel Manual

National Security Telecommunications and Information Systems Security
Committee (NSTISSC) instructions and advisory memoranda.

11 October 2007
20-27
SAAS Security
TRUSTED FACILITY MANUAL (TFM)

BY

SECURITY ENGINEERING

FOR

Assistant Project Manager Automated Logistics and Integrated Systems

JULY 2006

EXECUTIVE SUMMARY
The Standard Army Ammunition System Modernization (SAAS-Mod) Trusted Facility Manual
(TFM) is written for individuals with administrative responsibility for the SAAS-mod network
operations at the site and server level. The TFM provides the administrator with detailed,
accurate instructions for the installation, secure configuration, and function of the Microsoft
Windows Server 2003, Oracle 10g, and Windows XP Professional. The TFM also describes for
the administrator how to configure, operate, and use the system protection mechanism to control
access to data, administrative functions, and databases. All this is intended to facilitate and
11 October 2007
20-28
SAAS Security
maintain the SAAS-mod system as certification and accreditation under the guidance provided
by the DITSCAP.
This document includes references to the Department of Defense (DoD) 8500 series
requirements, NSA Guidelines, Defense Information Systems Agency (DISA) Security
Technical Implementation Guides (STIGs), and the new Army Regulation (AR) 25-2).

TABLE OF CONTENTS
Page
Executive Summary
1.0 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Recommended Use of This Manual
1.4 References
1.4.1 Resources
2.0 SYSTEM SECURITY OVERVIEW
2.1 Threats, Vulnerabilities, Attacks and Countermeasures
2.1.1 Threats
2.1.2 Vulnerabilities
2.1.3 Attacks
2.1.4 Countermeasures
2.2 Protection Mechanisms Available to Counter General Threats
2.3 Physical Security Assumptions
2.4 Confidentiality Level
2.5 Management
2.6 Documentation and Evaluation
2.6.1 Risk Assessment
2.6.2 Continuity of Operations Plan
2.6.3 Certification and Accreditation
3.0 PHYSICAL SECURITY
3.1 Physical Controls
3.1.1 Protection of the System
3.1.2 Facility Control
3.1.2.1 Computer Area Access Logs
3.1.2.2 Visitor Log
3.1.2.3 Maintenance Log
3.1.2.4 Facility Log
3.1.2.5 Audit Review Log
3.1.3 Facility Access by Authorized Individuals
3.1.4 System Access by Authorized Users
3.1.5 Access by Visitors
3.1.6 Access by Maintenance Personnel
11 October 2007
20-29
SAAS Security
3.1.7 Movement of System Equipment and Media
3.2 Property Control and Distribution
3.3 General Guidelines and Procedures
4.0 PERSONNEL SECURITY
4.1 Visitors
4.2 Foreign Nationals
4.3 Maintenance Personnel
4.4 Security Awareness Training
4.4.1 Security Training Awareness Program
4.4.2 Periodic Security Training
5.0 COMPUTER SECURITY
5.1 System Integrity
5.2 System Baseline
5.3 Microsoft Windows Server 2003
5.6.2 Local Audit Policy Settings
5.6.3 User Rights Assignment
5.6.4 Security Option Settings
5.6.5 Event Log Settings
5.6.5.1 Security Options Settings.
5.6.5.2 Clearing Logs on System Halts
5.6.6 Registry Key Permission Settings
5.6.7 File Permission Settings
5.6.7.1 Modifying Permissions on a File or Folder.
5.6.7.2 Permissions Encompassing all Folders and Subfolders
5.6.7.3 Adding files or folders to the Security Configuration
5.6.7.4 Excluding an Object When Modifying the Configuration..
5.6.7.5 File and Folder Permission Setting.
5.6.8 Special considerations for the Dr. Watson USER.DMP File
5.7 Windows Discretionary Access Controls
5.8 Windows Identification and Authentication
5.9 Oracle Database Management System
5.9.1 Current Relational Database Management System Version
5.9.2 RDBMS Software Monitoring
5.9.3 Oracle Discretionary Access Controls
5.9.4 Oracle Auditing
5.9.5 Oracle Identification and Authentication
5.10 SAAS-Mod Application Security
5.10.1 Application Discretionary Access Controls
5.10.2 Application Auditing
5.10.3 Application Identification and Authentication
5.11 C2 Protect Tools
5.12 Anti-Virus
5.13 Security Patches
6.0 WINDOWS XP PROFESSIONAL Software INSTALLATION AND CONFIGURATION
11 October 2007
20-30
SAAS Security
6.1 Pre-Configuration Requirements
6.1.1 Hardware Compatibility List
6.2 Physically Securing Workstation and Software
7.0 Manual Security Configuration
7.1 Password Management
7.3 Configuring the Default Accounts
7.3.1 Administrator Account
7.3.2 Guest Account
7.4 Assigning Users to Groups
7.5 Print Auditing
7.6 Printer Restrictions
7.7 Additional Security Options Settings

Glossary. Acronyms and Abbreviations

Tables

Table 1. Password Policy
Table 2. Account Lockout Policy
Table 3. Recommended Audit Policy
Table 4. Standard and Advanced User Rights
Table 5. Security Option Settings
Table 6. Event Log Settings
Table 7. File and Folder Permission Settings
Table 8. Dr Watson Crash Dump File Permission Settings
Table 9. Database Table Audit Configuration
Table 10. List of Audit Views
Table 15. Administrator Account Configuration
Table 16. Guest Account Configuration
Table 17. Security Options

Figure

Figure 1. Auditable Event

11 October 2007
20-31
SAAS Security
TRUSTED FACILITY MANUAL (TFM)

1.0 INTRODUCTION
This Trusted Facility Manual (TFM) is addressed to the System Administrator (SA), Information
Assurance Manager (IAM), and Information Assurance Security Officer (IASO) for the Standard
Army Ammunition System Modernization (SAAS-Mod). The TFM is a comprehensive
guideline for maintaining a secure operating environment for the SAAS-Mod system. The TFM
presents cautions about functions and privileges that must be controlled in order to operate a
secure system during both garrison and tactical operations. In addition, it provides the
procedures for implementing and maintaining the audit files. A detailed audit record structure
for each type of audit event is provided.
1.1 Purpose
The SAAS-Mod TFM satisfies the Class C2 controlled access protection requirements outlined
in Department of Defense (DoD) 5200.28-STD, Department of Defense Trusted Computer
System Evaluation Criteria. That regulation has been superseded by the DoD 8500 series. The
SAAS-Mod system must meet the requirements mandated by United States (U.S.) Army
Regulation AR 25-2, DoD Directive 8500.1, and DoD Instruction 8500.2. This manual reflects
the latest changes and guidance related to the new requirements. However, the previous
guidance revisited here and in the Security Framework documents are still relevant for
application and database security. This manual augments system hardware and software
documentation by providing:
a. Guidance for configuring and maintaining a secure system in accordance with (IAW)
DISA STIGs for securing Microsoft Windows Server 2003 and MS Windows XP Professional
operating environments.
b. Guidance on how to operate the system in a secure manner.
c. Information to make effective use of existing system privileges and protection
mechanisms.
d. Pertinent warnings about the possible misuse of administrative authority as they apply to
the SAAS-Mod system.
1.2 Scope
This manual augments the SAAS-Mod System Administrators Handbook, the Security Features
Users Guide (SFUG), vendor documentation, and other system documentation. The TFM places
emphasis on establishing and maintaining a secure system supplementing the information
provided in those documents.
11 October 2007
20-32
SAAS Security

This manual addresses Physical Security, Personnel Security, Computer Security, Operations
Security, Network Security, Security Awareness Training, and Security Incident Reporting. The
TFM includes security guidelines and instructions for the server, workstation, and laptop
configurations. This TFM does not attempt to detail safeguards at the site-specific level. Such
detail is left to the discretion of the local site commander and supporting staff.
1.3 Recommended Use of This Manual
This manual provides the SA and IASO with guidance to ensure secure operation of the SAAS-
Mod system. This document consists of several sections identifying the required settings for
operating a secure Windows 2003 or XP Professional environment. A warning icon, noted
below, is associated with all warning or caution statements for any configuration setting that may
affect the functionality of the system.
Caution: This icon alerts the reader to use caution when implementing the following
steps. It is also specific to the Registry Editor. Several configuration recommendations and
mandatory items in this document require the use of the Registry Editor. Using the Registry
Editor incorrectly can cause serious, system-wide problems, which may require the
reinstallation of Windows Server 2003 or XP Professional software in order to correct. Use
the Registry Editor tool with caution.
A glossary is included with a list of acronyms used throughout this document. References
and requirements documentation are listed in section 1.4 below. For any security setting
links listed throughout this document that do not function properly, cut and paste the
following Information Assurance Support Environment (IASE) Information Assurance (IA)
Document Library link, in the web browser: http://iase.disa.mil/stigs/stig/index.html. The SA or
IASO may need to download the appropriate Public Key Infrastructure (PKI) certificate to access
the site. To download a PKI certificate, go to the public site, http://iase.disa.mil/index2.html.
After accessing the IA Document Library website, browse the list of available resources for
the specific title listed in the TFM. These URL addresses can only be accessed from a .mil
or .gov domain.

1.4 References
1.4.1 Resources
The below list are documents that define the requirements that must be met by the system or best
practices that shall be incorporated into the system configuration:
11 October 2007
20-33
SAAS Security
a. Office of Management and Budget (OMB) Circular A-130, Management of Federal
Information Resources, Transmittal Memorandum No. 4.
b. Deputy Secretary of Defense, Memorandum, Department of Defense (DoD) Information
Assurance Vulnerability Alert (IAVA), 30 December 1999.
c. DoD Directive 8500.1, "Information Assurance (IA)," dated October 24, 2002
d. DoD 8510.1-M, Department of Defense Information Technology Security Certification
and Accreditation Process (DITSCAP) Application Manual, 31 July 2000.
e. DoD Directive 8500.1, Information Assurance (IA), 24 October 2002.
f. DoD Directive O-8530.1, Computer Network Defense (CND), 8 January 2001.
g. DoD Instruction 5200.40, DoD Information Technology Security Certification and
Accreditation Process (DITSCAP), December 30, 1997.
h. DoD Instruction 8500.2, Information Assurance (IA) Implementation, 6 February 2003.
i. DoD Instruction O-8530.2, Support to Computer Network Defense, 9 March 2001.
.
j. NSA, Protection Profile for Single-level Operating Systems in Environments Requiring
Medium Robustness, version 1.22, 23 May 2001.

k. DISA, Database Security Technical Implementation Guide, version 5, release 1, 18
October 2002.
l. AR 190-13, The Army Physical Security Program, 30 September 1993.
m. AR 190-51, Security of Unclassified Army Property (Sensitive and Nonsensitive), 30
September 1993.
n. AR 25-2, Information Assurance

2.0 SYSTEM SECURITY OVERVIEW
The following subsections provide: (1) a brief description of threats, vulnerabilities, attacks and
countermeasures; and (2) a discussion of the available operational protection mechanisms,
physical security assumptions, and the automated protection mechanisms provided by the SAAS-
Mod. Effective use of these protection mechanisms will reduce the probability of success or the
effect of attacks by eliminating or reducing vulnerabilities.
11 October 2007
20-34
SAAS Security
2.1 Threats, Vulnerabilities, Attacks and Countermeasures
The SAAS-Mod system will be subject to constant threats. Any vulnerability of SAAS-Mod
may present the opportunity for an attack on the system by a threat agent. The following
paragraphs provide a brief insight into threats, threat agents, vulnerabilities and attacks.
2.1.1 Threats
A threat is anything or anyone with the potential to cause a degradation of security or mission
performance from the standards prescribed for the system in its security policy. The universe of
threats includes both natural and man-made threats. Man-made threats are initially divided into
"Insiders" and "Outsiders. An Insider is anyone who is authorized access to some portion of the
system and trusted not to use this access to harm the system (e.g., SAs and authorized users).
Outsiders are not authorized access to the system. Natural threats occur according to the laws of
physics (e.g., wind, flood, and earthquake) and are usually geographically dependent. A threat
agent is someone or something capable of bringing an attack to bear against a system. Fire, a
disgruntled employee, or spies are examples of threat agents. Fire is a natural threat. A
disgruntled employee is an Insider. Hackers and foreign intelligence agents are Outsiders.
2.1.2 Vulnerabilities
A vulnerability is a flaw, weakness, or deficiency in the implementation of a security
requirement that could be exploited to degrade (harm or neutralize) system security performance.
For example, suppose an SA assigned all users a password of "users. It would not take long for
a curious hacker or disgruntled employee to gain unauthorized access to the system. The
vulnerability in this example is the mismanagement of passwords.
2.1.3 Attacks
An attack is the activity whereby resources are brought to bear by a threat agent against a system,
normally targeting any vulnerability. Attacks may take the form of Trojan horses (e.g., during
development or maintenance), viruses (brought in on floppy disks or received over network),
worms (received over networks), or direct user access. Some attacks may be implemented or
facilitated by access to poorly managed passwords, access to systems via networks, poorly
managed Discretionary Access Controls (DAC), ineffective protection of trusted audit functions,
passive intercept of information, and active masquerading by tapping communications wire lines
or fiber optic circuits.
2.1.4 Countermeasures
The effective implementation of countermeasures serves to reduce or eliminate the
susceptibility of vulnerabilities to successful attack. Countermeasures consist of physical,
personnel, procedural, administrative, and automated security mechanisms or processes
designed to protect system resources. Some specific examples of these mechanisms or
11 October 2007
20-35
SAAS Security
processes are effective password management, monitoring of audit data, staffed or locked
facilities, security guards, and strict software and hardware configuration management.
2.2 Protection Mechanisms Available to Counter General Threats
Effective system administration dictates that protection mechanisms are employed as needed,
subject to cost-effectiveness, availability, and operational efficiency. The following examples of
protection mechanisms may be used in one form or another:
a. Effective password management.
b. Severe limitation of Administrator privileges. Administrator privileges should be given
only to the SA and the designated assistants.
c. Limited assignment of "group" and "other" DAC privileges and permissions
(mechanisms to isolate functional roles are also essential to prevent possible fraud) for NT 4.0
systems.
d. Effective group policy management for W2K systems.
e. Use of trusted audit functions and frequent review of audit trail data (preferably daily and
not to exceed weekly).
f. Code that prevents a user from simultaneously logging in from the same terminal or from
more than one terminal.
g. Effective configuration management.
h. Contingency planning.
i. Physical security measures.
j. Strong procedural security.
k. Personnel security screening.
l. User Security Training and Awareness programs (at all levels that directly and indirectly
affect users of the SAAS-Mod system).
m. Effective implementation of a Defense-in-Depth (DiD) strategy.
2.3 Physical Security Assumptions
All sites shall have physical security that meets the requirements of AR 190-13 and unit
Standard Operating Procedures (SOPs). System administrators shall coordinate the SAAS-
Mod physical security requirements with unit and organizational security elements.
2.4 Confidentiality Level
Determining the sensitivity of the data is extremely important when the data will be distributed
outside the SAAS-Mod security boundary. The SAAS-Mod data shall not be handled,
processed, or distributed until the confidentiality level is determined. Unclassified-Sensitive
11 October 2007
20-36
SAAS Security
SAAS-Mod information shall not be distributed or released to individuals and/or systems that are
not authorized to process or handle Unclassified-Sensitive SAAS-Mod information, and never
without proper authorization. This includes both electronic and printed copies of SAAS-Mod
reports and lists of ammunition status.
2.5 Management
The SA, under the direction of an IASO/IAM, shall control the SAAS-Mod computer systems,
local area network (LAN), computer center/facility, operations, and maintenance processes. Any
deviations from the standard practices described in this TFM must be coordinated through the
Site Commander and IASO. Minor changes made in the operating configuration or the security
level must be approved by the CCB and IASO, and then documented in a facility or system log,
as well as the System Security Authorization Agreement (SSAA). Major changes to the system
must be approved by the Designated Approving Authority (DAA), as this may void the
accreditation of the system. If a major change in the operating configuration or security level
does occur, a new accreditation effort may be required IAW AR 25-2 and DoD 8510.1-M.
2.6 Documentation and Evaluation
2.6.1 Risk Assessment
To determine proper security and protective measures to be used with the SAAS-Mod, several
accompanying processes must be implemented. Perform a site risk assessment to:
a. Identify security risks based on the analysis of threats to and vulnerabilities of the
system.
b. Determine the magnitude of the identified risks.
c. Incorporate measures needed to safeguard against the identified risks. The results of the
risk assessment shall be documented in the SAAS-Mod site Risk Assessment Review (RAR)
Report. The site RAR Report will be used as a basis for site accreditation.
2.6.2 Continuity of Operations Plan
The SAAS-Mod Continuity of Operations Plan (COOP) shall be utilized for system/application
recovery and alternate operation plans. The COOP document includes instructions/procedures
required to meet the contingency planning requirements described in AR 25-2. Security Incident
Reports shall be used to document existing and potential vulnerabilities, and reviews and audits
shall be compiled to correct any configuration security discrepancies.
The configuration management controls documented in the SAAS-Mod Configuration
Management Plan are employed to ensure the following:

a. Unauthorized changes are not made to the SAAS-Mod system.
11 October 2007
20-37
SAAS Security
b. The master copy of the software is safeguarded and never used for actual production
operations.
c. Production copies of software are generated from the master copy, as required.
d. System and application program libraries are protected and backup copies are
maintained.
e. Strict configuration management controls are enforced to reduce the risk of
introducing untested or malicious software.

2.6.3 Certification and Accreditation
The SAAS-Mod system is in phase 4 of its DITSCAP process life cycle. The DITSCAP process
applies to all systems requiring certification and accreditation (C&A) throughout their life cycle.
It is designed to be adaptable to any type of information system and any computing environment
and mission. The IASO/IAM will conduct activities to monitor system management,
configuration, and changes to the operational and threat environment to ensure an acceptable
level of residual risk is preserved. Security management, configuration management, and
periodic compliance validation reviews will be conducted. Changes to the system environment
or operations may warrant beginning a new DITSCAP cycle as identified in DoD 8510.1-M,
Department of Defense Information Technology Security Certification and Accreditation Process
(DITSCAP) Application Manual. DoD 8510.1-M provides direction to the IASO/IAM to ensure
compliance is maintained IAW DoD Instruction 5200.40, DoD Information Technology Security
Certification and Accreditation Process (DITSCAP). The DITSCAP will be the process used for
all future C&A efforts.
3.0 PHYSICAL SECURITY
SAAS-Mod system hardware (including LAN equipment), software, documentation, and all
Unclassified-Sensitive data handled by the SAAS-Mod system shall be protected to prevent
unauthorized (intentional or unintentional) disclosure, destruction, or modification. This section
provides procedures and guidance relative to physical controls.
3.1 Physical Controls
The IASO, SA shall implement processes and policies that regulate the access, use, distribution,
sensitivity, and management of SAAS-Mod assets, applications, and data. The IAM is
responsible for ensuring these processes are enforced and policies disseminated to the lowest
level.
11 October 2007
20-38
SAAS Security
3.1.1 Protection of the System
The SAAS-Mod shall be installed and located in an area that protects it from unauthorized
access. A Computer Area Access Log shall be maintained at the entrance to the area.

3.1.2 Facility Control
3.1.2.1 Computer Area Access Logs
It is recommended that a Computer Area Access Log be established and maintained by the
IASO. All authorized individuals shall be required to fill in the Computer Area Access Log
upon entering/departing to/from the SAAS-Mod computer areas and work areas. The Computer
Area Access Log, as a minimum, shall contain the date, time of arrival and departure, first and
last name of the individual, signature, represented company/agency, purpose of visit, and if
applicable the escort's name and signature. The Computer Area Access Log sheets shall be
reviewed preferably daily, or at least weekly, by the IASO or other designees. The Computer
Area Access Log sheets shall be monitored and protected by an authorized individual and
retained for a minimum of 90 days.
3.1.2.2 Visitor Log
The IASO or designee shall maintain a Visitor Log. Outside visitors shall be required to log into
the Visitor Log upon access/departure to/from all SAAS-Mod computer areas and work areas.
The Visitor Log, as a minimum, shall contain the date, time of arrival and departure, first and last
name of the visitor, signature, represented company/agency or contractor, purpose of visit,
clearance level, and the person authorizing access. The Visitor Access Log sheets shall be
monitored and protected by an authorized individual and retained for a minimum of 90 days.
3.1.2.3 Maintenance Log
A Maintenance Log shall be used to record major maintenance activity and/or preventive
maintenance procedures performed on the SAAS-Mod system. Maintenance logs shall be kept
separate from other logs and shall be limited to maintenance information only. The Maintenance
Log sheets shall be monitored and protected by an authorized individual and retained for a
minimum of 90 days.
11 October 2007
20-39
SAAS Security
3.1.2.4 Facility Log
A Facility Log shall be maintained by the site to record all major changes in the SAAS-Mod
operating configuration such as changing security levels of information and the installation of
new hardware or software.
3.1.2.5 Audit Review Log
An Audit Review Log must be established to track the periodic reviews of SAAS-Mod audit
trails. The log must include, as a minimum, the date of the review, the file(s) reviewed, the name
of the reviewer, and an indication of the results of the review. Refer to paragraph 5.6.2, Local
Audit Policy Settings; paragraph 5.9.4, Oracle Auditing; and paragraph 5.10.2, Application
Auditing, for additional procedures and guidance.
3.1.3 Facility Access by Authorized Individuals
Physical access to the SAAS-Mod system and facility must be controlled during both Garrison
and Tactical operations. Physical access to the SAAS-Mod LAN, computer systems, and
general work areas shall be restricted to authorized personnel and positively identified. Only
authorized personnel with a genuine need for access to perform management, technical, and
administrative support, and/or other related daily job functions shall be granted access to these
areas by the IASO or a cognizant authority. If access is granted, the individuals shall be
indoctrinated into the security practices of the secure areas.
The IASO or SA shall maintain a list/roster of individuals who are authorized to access a
particular area/facility. The list/roster of authorized individuals shall be prominently posted in
the area/facility. The list/roster shall be used to challenge individuals who are not authorized to
be in the area.
3.1.4 System Access by Authorized Users
To obtain system access for a particular user, a manager/supervisor responsible for a SAAS-Mod
function shall submit to the IASO an Access Request Form or standard form letter specifying the
particular individuals name, badge number, organization, and phone number. Upon approval,
the IASO or a designee shall direct or be directed to include the user in the appropriate role and
account. Requests for system privileges shall explain the need for such privileges in detail.
If approved, the account shall be installed by the IASO or his/her designee (SA) on the server
and the workstation, and passwords shall be assigned to the account IAW section 5. New users
shall be indoctrinated into the security practices of the SAAS-Mod system prior to being
allowed use of the system. All users of the system shall agree to adhere to all security
practices documented in the TFM (for IASOs / SAs), or SFUG (for ordinary users) and the site
SOP, by signing the Account Request Form. All users of the system shall understand that they
will be subject to periodic monitoring of account activities and usage of system resources.
11 October 2007
20-40
SAAS Security
Knowledge of the Administrator password shall be limited to only those individuals assigned
IASO and System Administrator responsibilities.
Individuals shall be responsible for providing protection, storage, and accountability for
information at all times.
Users shall log-off systems before leaving the area. Prior to departing the facility, all individuals
shall be logged out of the Computer Access Log (if a Computer Access Log is established by the
site).
3.1.5 Access by Visitors
It is recommended that visitor requests for personnel indigenous to local and tenant commands
must be submitted to and coordinated with the IASO. All requests shall contain the first and last
name of the visitor, rank (as applicable), date and time of the requested visit, clearance or
authorization level of the visitor, the purpose for the visit, and identification of the unit or
organization to which the visitor is assigned. The visitors supervisor (as applicable) shall sign
the request. The IASO shall approve the visit request in accordance with criteria of local
operations, schedules, and security considerations and at the IASOs Commanding Officers
direction. Upon arrival of the visitor, the IASO or delegate shall ensure compliance with the
local facility visit procedures and supplemented with the procedures in this manual.
It is emphasized that no visitor shall be permitted access to the facilities without prior
notification and coordination with the IASO or designee. All visits by non-U.S. citizens and
others whose identities are not known to the commander or manager shall be coordinated with
the IASO. An authorized individual shall escort visitors at all times.
The IASO will modify the above instructions to comply with local site security standing
operating procedures.
3.1.6 Access by Maintenance Personnel
Maintenance personnel shall be observed and their actions monitored during the maintenance
operations by individuals with the technical expertise to detect obvious unauthorized
modifications and accesses.
3.1.7 Movement of System Equipment and Media
During system equipment and media movements, safeguards must be in place to prevent the
unauthorized modification, loss, and casual viewing of Unclassified-Sensitive information, and
unauthorized acquisition or destruction of:
a. System hardware;
11 October 2007
20-41
SAAS Security
b. System software used in system operations; and
c. System data or information in any form or on any media.
3.2 Property Control and Distribution
Property control and distribution entails the procurement and allocation of SAAS-Mod assets
and applications used by the Army or SAAS-Mod. Assets include workstations, LANs, and
computer center hardware and applications, along with the operating system (OS) and program
software. All property shall be controlled and subject to frequent random audits. Therefore, it
is necessary to know the exact location of every piece of equipment and software. A property
database shall be maintained containing the hardware type, serial number, SAAS-Mod tag
number (if one exists), the software installed on the hardware, the software distribution serial
number, location of hardware, and the custodian. Movement of all SAAS-Mod property,
including information or hard copy output, shall be coordinated through the IASO or designee.
The current custodian shall be responsible for all SAAS-Mod equipment, applications, and data
assigned to him/her and the legality of all software not pertaining to SAAS-Mod. Only
authorized software shall be installed on any part of the SAAS-Mod system. Public domain
shareware or other privately purchased/attained software shall not be loaded/installed on any
part of the SAAS-Mod system.
Loading/installing unauthorized software will nullify the generic accreditation. Personnel shall
be required to account for the disposition of any SAAS-Mod assets, software, and data prior to
termination of employment or transfer to another group or program.
3.3 General Guidelines and Procedures
Physical protection of SAAS-Mod assets is the responsibility of individual sites. Site-specific
physical security measures can take the form of barriers (e.g., fences, armed perimeters, buildings,
intrusion alarms, and approved storage containers) as well as implementing procedures.
Employing cost-effective physical security measures shall protect the SAAS-Mod assets. The
following generic physical security safeguards and procedures should be established and
implemented to protect the SAAS-Mod hardware, software, and data:
a. The system hardware, software, documentation, data, and LAN hardware (e.g., wiring,
junction boxes, gateways, concentrators, and cables) shall be protected from unauthorized
access, destruction, or modification (either intentional or unintentional).
b. The LAN hardware shall be inspected frequently to ensure that no unauthorized hardware
or devices are connected to the LAN (e.g., wire tapping devices). The procedures include
inspecting LAN wiring and cables that are hidden from view (e.g., behind walls and in false
ceilings).
c. Buildings, which house the SAAS-Mod system and related sensitive areas (as
applicable), shall be designated as restricted areas and mission essential or vulnerable areas in
accordance with AR 190-13.
11 October 2007
20-42
SAAS Security
d. Mainframe facilities shall be included in the installation physical security plan required
by AR 190-13.
e. Only personnel performing official duties shall be allowed to access the SAAS-Mod
system documentation.
f. Periodic physical security inspections shall be implemented IAW AR 190-13.
g. Particular attention should be paid to the physical security of the SAAS-Mod system,
which is not being operated or otherwise attended continuously.
h. SAAS-Mod computer areas and support facilities shall be secured at the end of the duty
day and at any other time the facilities are unoccupied.
i. SAAS-Mod key and lock control shall be maintained IAW AR 190-51, appendix C.
4.0 PERSONNEL SECURITY
This section describes the security policies for SAAS-Mod personnel. SAAS-Mod personnel are
subject to the policies and procedures that regulate the access, use, distribution, confidentiality
level, and management of SAAS-Mod system assets, applications, and data.
4.1 Visitors
Visitors not having a need-to-know shall not be allowed access to the SAAS-Mod
facility/installation or remote facility (workstation area) processing sensitive information unless
all sensitive material is stored, laptop or workstation screens are blanked or obscured from view,
and printers are disabled. An authorized individual shall escort visitors at all times. Refer to
paragraph 3.1.5 for additional information pertaining to visitors.
4.2 Foreign Nationals
The process of authorizing foreign national employees to work in a sensitive environment is
under the control of the Organizational or Unit personnel/security office. The IASO shall
maintain liaison with personnel and security offices for the purposes of either justifying the need
to employ foreign nationals, or verifying their eligibility to be employed in the SAAS-Mod
facility. No foreign national shall be allowed access to the SAAS-Mod facility without
verification of his/her eligibility from cognizant personnel offices.
4.3 Maintenance Personnel
Maintenance personnel accessing the SAAS-Mod facility on a regular basis shall be listed on
the approved roster of authorized individuals (see paragraph 3.1.3). Including individuals on
the list of authorized individuals shall be based upon IASO discretion. In the event
maintenance personnel not on the approved roster require access, IASO agents with enough
technical expertise to detect obvious malicious activity shall observe maintenance operations.
Refer to paragraph 3.1.6 for additional information pertaining to maintenance.
11 October 2007
20-43
SAAS Security
4.4 Security Awareness Training
A security program is only effective if the personnel using the protected system understand and
are aware of the need for security and how they must participate in the protection of the
system. A Security Training Awareness program shall be implemented by the IAM/IASO at
the SAAS-Mod facility and remote sites. Each user of the SAAS-Mod system must complete
training. All new users shall be required to complete the program prior to being given access
to the system. A periodic review and update of security procedures shall be given to all
SAAS-Mod system users. A security briefing shall be presented in the form of a handout or in
a seminar. The security awareness program shall convey the significance of security and the
role of each user in maintaining the security posture of the system. The importance of access
controls (account, system, and physical), data integrity protection, and property control shall be
conveyed to the users through the SAAS-Mod Security Awareness Training Program. Training
is also given to all personnel who are responsible for the management, operation, and
maintenance of the SAAS-Mod components.
4.4.1 Security Training Awareness Program
The IAM/IASO is responsible for implementing a Security Training and Awareness Program
IAW AR 25-2. All SAAS-Mod users, the SA, and all personnel under the SAs supervision must
participate in Security Training and Awareness Program tailored for the SAAS-Mod system.
The curriculum of the Security Awareness Program shall cover, as a minimum, the following:
a. Threats, vulnerabilities, and risks associated with the system. Under this portion, specific
information regarding measures to reduce the threat from malicious software will be provided,
including prohibitions on loading unauthorized software, the need for frequent backup, and the
requirement to report abnormal program behavior immediately.
b. Information security objectives; that is, what is it that needs to be protected?
c. Responsibilities associated with the system security.
d. Information accessibility, handling, and storage considerations.
e. Physical and environmental considerations, which are necessary to protect the system.
f. System data and access controls.
g. Emergency and disaster plans.
h. Authorized system configuration and associated configuration management requirements.
11 October 2007
20-44
SAAS Security

4.4.2 Periodic Security Training
The IAM/IASO shall implement and oversee periodic security training and awareness. This may
include various combinations of:
a. Self-paced or formal instruction;
b. Security education bulletins;
c. Security posters;
d. Training films and tapes; and
e. Computer-aided instruction.

5.0 COMPUTER SECURITY
This section provides procedures and guidance relative to Computer Security (COMPUSEC).
Computer security includes automated measures and controls that protect a system against denial-
of-service and unauthorized (accidental or intentional) disclosure, modification, or destruction of
the system and data.
5.1 System Integrity
Windows Server 2003 and Windows XP Professional are operating systems in which the typical
OS function and networking are integrated. Windows Server 2003 and Windows XP
Professional provide many configurable security features to secure both the operating system and
networking functions. System-level integrity consists of protecting both hardware and software
resources. The IASO will ensure a Windows 2003 Server and Windows XP Professional
workstation is configured to provide compliance with the security required by DoD Directive
8500.1 and OMB Circular A-130. The IAM will use the following guidelines in the acquisition
and implementation of products to ensure that security-related issues are adequately addressed:
a. Products will be evaluated for sensitive functions that could compromise Windows
Server 200 and Windows XP Professional security, and will implement controls to protect those
functions. All security controls implemented will be coordinated with, and approved by, the
IAM or IASO.
b. The SA, under the direction of the IASO, is responsible for creating, checking, and
maintaining a current system baseline for all servers and critical workstations. The IASO is
responsible for verifying the system baseline. The IAM is responsible for setting overall policy
for system baseline creation and maintenance.
11 October 2007
20-45
SAAS Security
c. Sites will use a baseline control tool on all servers and critical systems for which the
tool is available. This does not apply to special purpose systems where it would degrade the
security posture of the system. Examples are firewalls and SABI (Secret and Below
Interoperability) secure guards that have a minimal operating system tailored to the specific
requirements of the device.

5.2 System Baseline
A baseline is a database that contains a snapshot of the system after it has been fully loaded
with operating system files, applications, and users. Baseline control consists of comparing a
current system snapshot with the original system snapshot. The purpose of maintaining and
checking a system baseline is to detect unauthorized, undocumented system changes.
Unauthorized changes may indicate system compromise and, if detected, could prevent serious
damage. A baseline consists of files that change infrequently in terms of size, access
permissions, modification times, checksums, etc. They are usually found in the system
directories but could be in other locations. One of the Defense Information Systems Agency
(DISA) recommended system baseline utilities used to obtain and check system baselines is the
Axent Enterprise Security Manager (ESM) application. The following are minimum
requirements for the SA:
a. Perform weekly baseline reviews on each critical system.
b. Maintain three weeks of baseline product reports and be able to provide them upon
request.
c. Maintain all baseline backups on write-protected media.
d. Baseline and compare operating system *.exe, *.bat, *.com, *.cmd, and *.dll files.
A quick way to perform a baseline review is to create a text file using the dir command. To
create the initial baseline file, at the command prompt, enter dir /s c:\winnt\*.* >baseline.txt at
the C: prompt. This will send the directory contents, including all files, to the file baseline.txt on
the C: drive. Be sure to enter a space between *.* and the greater than sign (>). After changes
have been made, run the same command, but change the filename (baseline2.txt).
To compare the two files, open the new file (baseline2.txt) in MS Word, and perform a file
comparison. In MS Word, this can be found on the menu under Tools-Track Changes-Compare
Documents. Any file changes will be reflected. Changes shall only be implemented after a
baseline freeze, through the Configuration Control Board (CCB), IAW the Configuration
Management Plan.
Intrusion detection should be provided at the system level. In many situations, full intrusion
detection at the enclave level may not be possible due to virtual private network (VPN) or
application layer encryption. The IAM/IASO will determine the most effective means to protect
11 October 2007
20-46
SAAS Security
data integrity. Applications or appliances installed to protect the system shall be from the
approved Blanket Purchase Agreement (BPA) list for use on Army systems.
5.3 Microsoft Windows Server 2003
The following settings are provided in the event that it becomes necessary for the SA to
manually configure a SAAS-Mod system. These settings are part of the system install image
distributed by the PM LIS along with comprehensive installation instructions. Therefore, a
manual configuration should not be necessary. However, the SA should periodically review
these settings and verify that the system configuration has not been changed. Any deviation
from the NSA security settings, as required by DoD Instruction 8500.1 for the operational
system, shall be documented by the local IASO/IAM. These changes shall be considered and
approved by the Configuration Control Board prior to any changes taking affect.
System administrators should use the DISA Security Technical Implementation Guides for
Windows 2003 Server as guidance to set up and maintain the SAAS-Mod 1B systems. Section
4 of the System Administrators Manual gives installation instructions for the server
To achieve the highest level of Windows 2003 Server security, install Service Pack 1. For
a complete list of available post service packs and hotfixes, go to the Windows 2003 Server
Downloads website.
Table 1 lists the recommended Password Policy settings.
Table 1. Password Policy

Password Policy Options Recommended Settings
Enforce password uniqueness by remembering last x
passwords:
Prevents users from toggling among their favorite
passwords and reduces the chance that a hacker/password
cracker will discover passwords. If this option is set to 0,
users can revert immediately
back to a password that they previously used. Allowable
values range from 0 (do not keep password history) to 24.
24 Passwords
Maximum Password Age:
The period of time that a user is allowed to have a
password before being required to change it. Allowable
values include Forever (password never expires) or
between 1 and 999 days.
90 days
11 October 2007
20-47
SAAS Security
Password Policy Options Recommended Settings
Minimum Password Age:
The minimum password age setting specifies how long a
user must wait after changing a password before
changing it again. By default, users can change their
passwords at any time. Therefore, a user could change
their password, then immediately change it back to what
it was before. Allowable values are 0 (allow changes
immediately) or between 1 and 42 days.
1 Day
Minimum Password Length:
Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the
chances of a password being cracked, passwords should
be longer in length. Allowable values for this option are 0
or between 1 and 14 characters.
10 Characters (10 characters
satisfies requirements for
SBU systems per AR 25-2
Password must meet complexity requirements of
installed password filter:
Enforces strong password requirements for all users by use
of a dynamic link library called passfilt.dll. Stronger
passwords provide some measure of defense against
password guessing and dictionary attacks launched by
outside intruders. Passwords must contain characters from
3 of 4 classes: upper case letters, lower case letters,
numbers, and special characters (e.g. punctuation marks).
Also, passwords cannot be the same as the users logon
name.
Complexity requirements will take effect the next time a
user changes his password. Already-existing passwords
will not be affected.
Enabled
Password Policy Options Recommended Settings:
Prevents users from changing their passwords without
logging on. If the users password expires, the user will
not be able to log on and an administrator will have to
change the users password.
Setting this value and requiring new users to change
their password at first logon will generate the error You
do not have permission to change your password. This
setting can be temporarily disabled in order to allow new
users to log on initially.
Enabled

Table 2 lists the recommended Account Lockout Policy settings.
11 October 2007
20-48
SAAS Security
Table 2. Account Lockout Policy

Account Lockout Policy Options Recommended Settings
Account lockout count:
Prevents brute-force password cracking/guessing attacks
on the system. This option specifies the number of bad
logon attempts that can be made before an account is
locked out. Allowable values range from 0 (no account
lockout) to 999 attempts.
3 Invalid logon attempts

Lockout account for:
Sets the number of minutes an account will be locked
out. Allowable values are Forever (until admin unlocks)
or between 1 and 99999 minutes.
Setting this value to Forever (until admin unlocks)
may allow a potential denial of service attack. It is
important to note that the built-in Administrator account
cannot be locked out.
Forever

Reset account lockout count after:
Sets the number of minutes until the bad logon count is
reset.
99999
Allowable values range from 1 to 99999 minutes.

5.6.2 Local Audit Policy Settings
Table 3 lists the recommended Audit Policy settings.
Table 3. Recommended Audit Policy

Audit Policy Options User Manager for
Domain Names
Recommended
Settings
Audit Account Management: User and Group
Tracks changes to the Security account
database (when accounts are created,
changed, or deleted).
Management
Success, Failure
11 October 2007
20-49
SAAS Security
Audit Policy Options User Manager for
Domain Names
Recommended
Settings
Audit Logon Events: Logon and Logoff Success, Failure
Tracks users who have logged on or off,
or made a network connection. Also
records the type of logon requested
(interactive, network, or service). Track
failures to record possible unauthorized
attempts to break into the system.
Audit Object Access: File and Object
Access
Failure
Tracks unsuccessful attempts to access
objects (directories, files, printers).
Individual object auditing is not
automatic and must be enabled in the
objects properties.

Audit Policy Change: Success, Failure Security Policy
Tracks changes in security policy, such
as assignment of privileges or changes in
the audit policy.
Changes

Audit Privilege Use:
Tracks unsuccessful attempts to use
privileges. Privileges indicate rights
assigned to administrators or other power
users.
Use of User Rights Failure
Audit Process Tracking:
Detailed tracking information for events
such as program activation and exits.
This option is useful to record specific
events in detail if you believe your
system is under attack.
Process Tracking No Auditing
Audit System Events:
Tracks events that affect the entire
system or the Audit log. Records events
such as restart or shutdown.
Restart, Shutdown
and
System

Success, Failure

11 October 2007
20-50
SAAS Security
The common administrative tools contain the Event Viewer, which allows the Administrator to
view the application log, security log, or system log. Recommended audit settings available in
section 9 of the System Administrators Manual.
To enable file system auditing:
1. Click Start, click Run, type mmc /a (note the space between mmc and /a), and then
click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, click Group Policy, and then click Add.
4. In Select Group Policy Object, click Local Computer, click Finish, click Close, and
then click OK.
5. In Local Computer Policy, click Audit Policy.
Local Computer Policy
o Computer Configuration
o Windows Settings
o Security Settings
o Local Policies
o Audit Policy
6. In the details pane, double-click Audit Object Access.
7. In the Audit object access Properties dialog box, click the options you want, and then
click OK.
You must be logged on as an administrator or as a member of the Administrators group to
set up auditing of files and folders. Group Policy is available only to administrators.
If you have previously saved a console with Group Policy, you can open the saved
console and go to step 5.
After you enable auditing of files and folders, you must specify which files and folders to
audit.

a. Select events to audit.
a. To Audit the Directory Only: In the Apply To option: Change the pull down bar to This
folder only.
b. To Audit Directories and Its Files Only: In the Apply To option: Change the pull down
bar to This folder and files.
c. To Audit the Directory and Subdirectories Only, Not Files: In the Apply To option:
Change the pull down bar to This folder and subfolders.
d. To Audit Directories, Subdirectories, And All Files: In the Apply To option: Change the
pull down bar to This folder, subfolders and files.
11 October 2007
20-51
SAAS Security

5.6.3 User Rights Assignment
Table 4 lists the recommended audit policy settings. In the User Rights Assignment section.
a. Right-click on the desired Attribute in the right frame
b. Select Security
(1) To Add a user or group: Add | Select user or group | Add | OK | OK
(2) To Remove a user or group: Select user or group | Remove | OK

Table 4. Standard and Advanced User Rights

Standard/Advanced User Rights

All shaded areas represent advanced
user rights.
Windows
Workstations

Windows
Member Servers
Access this computer from network:
Allows a user to connect over the
network to the computer.
Administrators
Authenticated
Users
Administrators
Authenticated Users
Act as part of the operating system:
Allows a process to perform as a
secure, trusted part of the operating
system. Some subsystems are granted
this right.
(No One)

(No one)
Add workstations to the domain:
Allows a user to add workstations to a
particular domain. This right is
meaningful only on domain controllers.
By default, the Administrators and
Account Operators groups have the
ability to add workstations to a domain
and do not have to be explicitly given
this right.
(No one)

(No one)

Back up files and directories:
Allows a user to back up files and
directories.
This right supersedes file and directory
permissions.
Administrators,
Backup Operators
Administrators
Backup Operators
Bypass traverse checking:
Allows a user to change directories and
(No one) (No One)

11 October 2007
20-52
SAAS Security

user rights.
Windows
Workstations

Windows
Member Servers
access
files and subdirectories even if the user
has no permission to access parent
directories.
Change the system time:
Allows a user to set the time for the
internal clock of the computer.

Administrators Administrators
Create a pagefile:
Allows a user to create new pagefiles
for virtual memory swapping.
Create a token object:
Allows a process to create access
tokens. Only the Local Security
Authority should be allowed create this
object.
(No one)

(No one)
Create permanent shared object:
Allows a user to create special
permanent objects, such as \\Device,
that are used within Windows.
(No one)

(No one)
Debug programs:
Allows a user to debug various low-
level objects such as threads.
(No one) (No one)
Force shutdown from a remote
system:
Allows a user to shutdown a Windows
system remotely over a network.
Generate security audits:
Allows a process to generate security
audit log entries.
(No one) (No one)
Increase quotas:
This right has no effect in current
versions of
Windows.
(No one) (No one)
11 October 2007
20-53
SAAS Security

Windows
Workstations

Windows
Member Servers
user rights.
Increase scheduling priority:
Allows a user to boost the execution
priority of a process.
Load and unload device drivers:
Allows a user to install and remove
device drivers.
Lock pages in memory:
Allows a user to lock pages in memory
so they cannot be paged out to a
backing store such as Pagefile.sys.
(No one) (No one)
Log on as a batch job:
This right has no effect in current
versions of
Windows.
(No one) (No one)
Log on as a service:
Allows a process to register with the
system as service.
Some applications such as
Microsoft Exchange require a service
account, which should have this
right. Review the users/groups
assigned this right on the system
PRIOR to applying the security
templates in order to determine
which assignments are necessary.
The .inf template files will
remove all users/groups from this
right unless you modify the setting.
As Needed As Needed
Log on locally: Administrators, Administrators,
11 October 2007
20-54
SAAS Security

Windows
Workstations

Windows
Member Servers
user rights.
Allows a user to log on at a systems
console.
Authenticated
Users
Backup Operators
Manage auditing and security log:
Allows a user to specify what types of
resource access (such as file access) are
to be audited and the ability to view
and clear the security log. Note that this
right does not allow a user to set system
auditing policy using the Audit
command in the Policy menu of User
Manager. Members of the
Administrators group always have the
ability to view and clear the security
log.
Modify firmware environment
variables: Allows a user to modify
system environment variables stored in
nonvolatile RAM on systems that
support this type of configuration.
Profile single process:
Allows a user to perform profiling
(performance sampling) on a process.
Profile system performance:
Allows a user to perform profiling
(performance sampling) on the system.
Replace a process-level token:
Allows a user to modify a processs
security access token. This is a
powerful right used only by the system.
(No one) (No one)
Restore files and directories: Allows
a user to restore backed-up files and
directories. This right supersedes file
and directory permissions.
Administrators,
Backup Operators
Administrators,
Backup Operators
11 October 2007
20-55
SAAS Security

Windows
Workstations

Windows
Member Servers
user rights.
Shut down the system:
Allows a user to shut down Windows.
Authenticated
Users
Administrators
Administrators
Take ownership of files or other
objects: Allows a user to take
ownership of files, directories, printers,
and other objects on the computer. This
right supersedes permissions protecting
objects.

5.6.4 Security Option Settings
Table 5. Security Option Settings

Security Attribute

Recommended
Security Setting
Allow Server Operator to schedule tasks (Domain Controllers Only): Not Configured
Allows Server Operators to use Schedule Service (AT command) or
schedule task to automatically run.
HKLM\System\CurrentControlSet\Services\Schedule

Allow system to be shutdown without having to logon: Disabled
Normally, you can shut down a computer running Windows Workstation
without logging on by choosing Shutdown in the Logon dialog box. This
is appropriate where users can access the computers operational switches;
otherwise, they might tend to turn off the computers power or reset it
without properly shutting down. However, you can remove this feature if
the CPU is locked away. This step is not required for Windows Server,
because it is configured this way by default.
HKLM\Software\Microsoft\WindowsNT\
CurrentVersion\Winlogon\ShutdownWithoutLogon = 0

11 October 2007
20-56
SAAS Security
Security Attribute

Recommended
Security Setting
Audit access to internal system object:
There are a number of Windows system components that are accessible to
individuals with programming knowledge that could be used to mount a
denial of service attack.
HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects =
1
Objects are not audited by default when this option is enabled.
When File and Object auditing is enabled you may receive Event 560
failures in the event log. This behavior can occur when the task manager
is polling, or is going out through the computer and reading objects.
Enabled

Audit use of all user rights including Backup and Restore:
The additional privileges audited with this option enabled are bypass
traverse checking, debug programs, create a token object, replace process
level token, generate security audits, back up files and directories, and
restore files and directories.
HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditin
g
User rights including Backup and Restore are not audited by default
when this option is enabled.
The SCM will show mismatch after configuration. This setting
should be verified in the registry.
Enabled
AutoDisconnect: Allow sessions to be disconnected when they are
idle:
Disconnects a user session from any servers on the domain when it
exceeds the AutoDisconnect Time.
Not Configured
AutoDisconnect: Amount of idle time required before disconnecting
session:
Set the amount of elapses idle time allowed before disconnecting the users
session.
Not Configured
11 October 2007
20-57
SAAS Security
Security Attribute

Recommended
Security Setting
Change Administrator account name to:
The Administrator account is created by default when installing Windows
on the server and/or workstation. Therefore, it is recommended that the
Administrator account be renamed on all Windows machines.
<Configure Locally>

Change Guest Account to:
The Guest accounts are created by default when installing Windows on
the server and/or workstation. The Guest account is disabled by default on
the server, but not on the workstation. Even though it has been disabled,
the account still exists. Therefore, it is recommended that the Guest
accounts be renamed on servers and workstations.
<Configure Locally>

Clear virtual memory pagefile when system Shuts down:
Virtual Memory support in Windows uses a system pagefile to swap
pages from memory when they are not being actively used. On a running
system, this pagefile is opened exclusively by the operating system and
hence is well protected. However, to implement a secure Windows
environment the system page file should be wiped clean when Windows
shuts down. This action ensures sensitive information, which may be in
the pagefile, is not available to a malicious user.
HKLM\CurrentControlSet\Control\Session Manager\Memory
Management\ClearPageFileAtShutdown = 1
Enabled
Digitally sign client-side communication always: Not Configured
Digitally sign client-side communication when possible: Not Configured
Digitally sign server-side communication always: Not Configured
Digitally sign server-side communication when possible: Not Configured
Disallow enumeration of account names and shares by anonymous:
Restricts the ability for anonymous logon users (also known as NULL
session connections) to list account names and enumerate share names.
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
= 1
Enabled
11 October 2007
20-58
SAAS Security
Security Attribute

Recommended
Security Setting
Do not display last username in logon screen:
By default, Windows places the user name of the last user to log on the
computer in the User name text box of the Logon dialog box making it
convenient for the most frequent user to log on. To enhance security,
prevent Windows from displaying the user name from the last logon. This
is especially important if a generally accessible computer is being used for
system administration.
Enabled
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\
DontDisplayLastUserName = 1
Forcibly logoff when logon hours expire:
Disconnects a user account from any servers on the domain when it
exceeds its logon hours.
Enabled
Message text for users attempting to log on:
It is recommended that systems display a warning message before logon,
indicating the private nature of the system. Many organizations use this
message box to display a warning message that notifies potential users
that their use can be monitored and they can be held legally liable if they
attempt to use the computer without proper authorization. The absence of
such a notice could be construed as an invitation, without restriction, to
enter and browse the system.
LegalNoticeText = "Text you want displayed"
<see DoD Warning Banner text>
Message title for users attempting to log on:
In conjunction with the Logon Text it recommended that systems display
a warning message title before logon, indicating the private nature of the
system.
LegalNoticeCaption = "Text you want displayed on title bar"
<see DoD Warning Banner Title text>
11 October 2007
20-59
SAAS Security
Security Attribute

Recommended
Security Setting
Number of previous logons to cache in case Domain Controller not
available:
0
The default Windows configuration caches the last logon credentials for
users who log on interactively to a system. This feature is provided for
system availability reasons such as the users machine is disconnected
from the network or domain controllers are not available.
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\CachedLogonsCount = 0
Users will NOT be able to log on to the domain unless connected to
the network.
Prevent user from installing print drivers: Enabled
Enables the system spooler to restrict adding printer drivers to
administrators and print operators (on server) or power users (on
workstation).
HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan
PrintServices\Servers\AddPrintDrivers = 1
Users can still connect to Network Print shares on which they have
permissions.
Due to an implementation flaw, the .inf file does not set this registry
key correctly. The manual change on page 75 is still required.
Restrict CDROM access to locally logged on user only:
By default, Windows allows any program to access files on CDROM
drives. In a highly secure, multi-user environment, only allow interactive
users to access these devices. When operating in this mode, the CD-
ROM(s) are allocated to a user as part of the interactive logon process.
These devices are automatically reallocated when the user logs off.
NT\CurrentVersion\Winlogon\AllocateCDRoms = 1
Enabled
11 October 2007
20-60
SAAS Security
Security Attribute

Recommended
Security Setting
Restrict Floppy access to locally logged on user only:
By default, Windows allows any program to access files on floppy drives.
In a highly secure, multi-user environment, only allow interactive users to
access these devices. When operating in this mode, the floppy disks are
allocated to a user as part of the interactive logon process. These devices
are automatically reallocated when the user logs off.
NT\CurrentVersion\Winlogon\AllocateFloppies = 1
Enabled
Restrict management of shared resources such as COM1:
Restrict the access of shared resources.
HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\ProtectionMode
Enabled
Secure Channel: Digitally encrypt or sign secure channel data
always:
Not Configured
Secure Channel: Digitally encrypt or sign secure channel data when
possible:
Not Configured
Secure Channel: Digitally sign secure channel when possible: Not Configured
Secure System partition (for RISC platforms only): Not Configured
Send downlevel LanMan compatible password:
This parameter specifies the type of authentication to be used. For a
homogeneous Windows Network this key should be set to 5.
HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLev
el Value = 5
Not Compatible
Send unencrypted password in order to connect to 3rd Party SMB
server:
Some non-Microsoft SMB servers only support unencrypted (plain text)
password exchanges during authentication. Check with the vendor of the
SMB server product to see if there is a way to support encrypted password
authentication, or if there is a newer version of the product that adds this
support.
HKLM\System\CurrentControlSet\Services\Rdr\Parameters\
EnablePlainTextPassword = 0
Disabled
11 October 2007
20-61
SAAS Security
Security Attribute

Recommended
Security Setting
Shutdown system immediately if unable to log security audits: Enabled
If events cannot be written to the security log, the system should be halted
immediately. If the system halts as a result of a full log, an administrator
must log onto the system and clear the log.
HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail =
1

5.6.5 Event Log Settings
Event Log settings that can be configured with the SCM include maximum size, guest access,
how long logs will be retained, and how the operating system handles logs at the maximum size.
To view event log settings of an SCM template double-click the following:
a. Security Configuration Manager
b. Configurations
c. Default configuration file directory (%SystemRoot%\Security\Templates)
d. Specific configuration file
e. Event Log
To modify Event Log settings via the Security Configuration Manager, double-click the
following path: Event Log | Settings for Event Logs | specific option to view or edit.
Table 6 lists recommended Event Log settings for the Application, Security, and System logs.
Table 6. Event Log Settings

Event Log Settings Recommended
Settings
11 October 2007
20-62
SAAS Security
Settings
Maximum Log Size for Application Log: 4194240 kilobytes
(KB)
Maximum Log Size for Security Log:

Maximum Log Size for System Log:
If the event logs are too small, logs will fill up often and
administrators must save and clear the event logs more frequently
than required. Allowable values range from 64 KB to 4194240 KB.
Restrict Guest access to Application Log: Enabled
Restrict Guest access to Security Log: .
Restrict Guest access to System Log:
Default configuration allows guests and null logons the ability to
view event logs (system and application logs). While the security log
is protected from guest access by default, it is viewable by users who
have the Manage Audit Logs user right. This option disallows guests
and null logons from viewing any of the event logs.

Retain Application Log for:
Retain Security Log for:
Retain System Log for:
These options control how long the event logs will be retained
before they are overwritten. Since it is not recommended that any
event logs be overwritten when they become full, this option should
not be configured.
Not configured
11 October 2007
20-63
SAAS Security
Settings
Retention method for Application Log: Manually
Retention method for Security Log:
Retention method for System Log:
How the operating system handles event logs that have reached their
maximum size. The event logs can be overwritten after a certain
number of days, overwritten when they become full, or have to be
cleared manually. To ensure that no important data is lost, especially
in the event of a security breach of the system, the event logs should
not be overwritten.
Shutdown system when security audit log becomes full: Enabled
If events cannot be written to the security log, the system should be
halted immediately. If the system halts as a result of a full log, an
administrator must restart the system and clear the log.

5.6.5.1 Security Options Settings
The Security Options settings recommend enabling Audit access to internal system object and
Audit use of all user rights including Backup and Restore. If these options are enabled large
amounts of audit data will be generated requiring the logs to be cleared regularly. In order to
save and clear audit logs select:
a. Start | Programs | Administrative Tools (Common) | Event Viewer.
b. Select Event log from the Log menu.
c. Select Clear All Events.
d. Yes to save settings with unique file name.
e. Save.
f. Yes to clear the log.
g. Repeat the above steps for each log.
11 October 2007
20-64
SAAS Security

5.6.5.2 Clearing Logs on System Halts
If the system halts as a result of a full log, an administrator must restart the system and clear the
log. Before the auditor clears the security log, ensure the data is saved to disk. Then Use the
Registry Editor to modify the following Registry key value:
Select Start | Run | Type Regedt32.exeOpen
Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Control\Lsa
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1
This value is set by the operating system just before it crashes due to a full audit log. While the
value is 2, only the administrator can log on to the computer. This value confirms the cause of
the crash. Reset the value =1.

5.6.6 Registry Key Permission Settings
The editing of the registry is not recommended. However, there will be site-specific guidance or
updates relating to security that require changes to registry keys The SA should read this
guidance prior to making any changes to the registry.
5.6.7 File Permission Settings
The necessary changes can be made in one of two ways. The first method is to use an automated
script., the second method is to change permissions on each file and folder manually.
5.6.7.1 Modifying Permissions on a File or Folder
To modify the security settings on a particular file or folder already specified in the inf file:
a. In the right frame, double-click on the file or folder to be changed.
b. Ensure that the Overwrite radio button is selected.
c. Click Edit Security.
d. Uncheck the Allow inheritable permissions from parent to propagate to this object
checkbox.
11 October 2007
20-65
SAAS Security
e. If the inheritable permissions checkbox was previously checked, click on the Remove
button in the Security dialog box.
f. Add/remove users and groups to reflect the recommended permissions.
g. For each user and/or group, set the permissions by clicking on the permission
checkboxes.

5.6.7.2 Permissions Encompassing all Folders and Subfolders
If the folder permissions should encompass the folder itself, all files within the folder, and all
subfolders:
a. Click the Apply | OK. Stop here.
b. Otherwise, click the Advanced button.
c. Double-click on a user and/or group. A Permission Entry dialog box will appear.
d. In the Apply To pull-down menu, select the correct configuration (e.g. This folder only).
e. Click OK |Apply | OK | OK.

5.6.7.3 Adding files or folders to the Security Configuration
To add a file or folder to the security configuration:
a. Right-click on File System.
b. Select Add Files or Add Folder from the pull-down menu.
c. Select the file or folder to be added.
d. Click OK.
e. A Configuration Security dialog box will appear.
f. Configure the permissions according to the steps detailed in the previous Modifying
Permissions on a File or Folder section.

5.6.7.4 Excluding an Object When Modifying the Configuration
There are occasions where a specific file or folder should retain its current security settings. To
ensure that parent folders dont propagate their new permissions down to such files or folders,
exclude the object from configuration. To exclude an object:
11 October 2007
20-66
SAAS Security
a. In the right frame of File System, double-click on the file or folder to be changed.
b. Click the Ignore radio button.
c. Click OK.

5.6.7.5 File and Folder Permission Settings
Folders and files not explicitly listed below are assumed to inherit the permissions of their parent
folder. Folders with Ignore are explicitly excluded from configuration and retain their original
permissions. The following system variables are referenced in the file permissions within the OS
configuration file:
%SystemDrive% - The drive letter on which Windows is installed. This is usually C:\.
%SystemRoot% - The folder containing the Windows operating system files. This is
usually %SystemDrive%\winnt.
%SystemDirectory% - %SystemRoot%\system32.

Table 7. File and Folder Permission Settings

Folder or File User Groups Recommended
Permissions
%SystemDirectory%
folder, subfolders, and files
Contains many operating system DLLs, drivers,
and executable programs.
Administrators
Authenticated
Users
Creator Owner
System
Full Control
Read, Execute
Full Control
Full Control
%SystemDirectory%\config
Contains registry hive files.
Administrators
System
Full Control
Full Control
11 October 2007
20-67
SAAS Security
Permissions
%SystemDirectory%\Ntbackup.exe
file
File system backup program.
Administrators
System
Full Control
Full Control
%SystemDirectory%\rcp.exe
file
Program used to execute remote procedure
calls.
Administrators
System
Full Control
Full Control
%SystemDirectory%\Rdisk.exe
file
Program used to create an Emergency Repair
Disk.
Administrators
System
Full Control
Full Control
%SystemDirectory%\Regedt32.exe
%SystemDirectory%\Regedt32.cnt
%SystemDirectory%\Regedt32.hlp
file
Registry editing tool and associated help files.
Administrators
System
Full Control
Full Control
%SystemDirectory%\repl\export
Folder containing scripts and files to be
replicated to other replication servers.

Administrators
Authenticated
Users
Creator Owner
Replicator
System
Full Control
Read, Execute
Full Control
Read, Execute
Full Control
%SystemDirectory%\repl\import
Folder containing scripts and files that have
Administrators
Authenticated
Users
Full Control
Read, Execute
11 October 2007
20-68
SAAS Security
Permissions
been replicated from other replication servers.

Creator Owner
Replicator
System
Full Control
Modify
Full Control
%SystemDirectory%\rexec.exe
file
Program used to execute remote calls.
Administrators
System
Full Control
Full Control
%SystemDirectory%\rsh.exe
file
Program used to execute a remote shell.
Administrators
System
Full Control
Full Control
%SystemDirectory%\spool\Printers
Printer spool.

Administrators
Authenticated
Users
Creator Owner
Replicator
System
Full Control
Modify
Full Control
Modify
Full Control
%SystemDrive%
Drive on which Windows is installed. Contains
important system startup and configuration
files.
Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
%SystemDrive%\autoexec.bat
c:\autoexec.bat
file
Initialization file for DOS applications.
Administrators
Authenticated
Users
System
Full Control
Read, Execute
Full Control
11 October 2007
20-69
SAAS Security
Permissions
%SystemDrive%\boot.ini
c:\boot.ini
file
Boot menu.
Administrators
System
Full Control
Full Control
%SystemDrive%\config.sys
c:\config.sys
file
Administrators
Authenticated
Users
System
Full Control
Read, Execute
Full Control
%SystemDrive%\io.sys
file
Administrators
Authenticated
Users
System
Full Control
Read, Execute
Full Control
%SystemDrive%\msdos.sys
file
Administrators
Authenticated
Users
System
Full Control
Read, Execute
Full Control
%SystemDrive%\ntdetect.com
c:\ntdetect.com
file
Hardware detector during Windows boot.
Administrators
System

Full Control
Full Control
%SystemDrive%\ntldr
c:\ntldr
file
Windows operating system loader.
Administrators
Creator Owner
System

Full Control
Full Control
Full Control
11 October 2007
20-70
SAAS Security
Permissions
%SystemDrive%\NTReskit
Only exists if Windows Resource Kit has been
installed. Contains resource kit files.
Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
%SystemDrive%\pagefile.sys
file
System pagefile. Cannot be accessed since it is
being used.
(Ignore)
%SystemDrive%\Program Files
Default folder for installed applications.

Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
%SystemDrive%\Users
If folder exists (from a previous windows
version), leave permissions intact.
(Ignore)
%SystemDrive%\Win32app
If folder exists (from a previous windows
version), leave permissions intact.
(Ignore)
%SystemRoot%
folder only
Folder in which the Windows operating system
is installed. By default, this is called winnt.
Administrators
Creator Owner
System
Authenticated
Full Control
Full Control
Full Control
Read, Write,
11 October 2007
20-71
SAAS Security
Permissions
Users Execute
%SystemRoot%
subfolders and files

Administrators
Authenticated
Users
Creator Owner
System
Full Control
Read, Execute
Full Control
Full Control
%SystemRoot%\$NtServicePackUninstall$
Contains older versions of system files
necessary to back off a service pack.
Administrators
System
Full Control
Full Control
%SystemRoot%\Cookies
Folder in which cookies generated in web
browsing are kept.
Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
%SystemRoot%\drwtsn32.log
file
Dr. Watson application error log file.

Administrators
Authenticated
Users
Creator Owner
System
Full Control
Modify
Full Control
Full Control
%SystemRoot%\Help
System Help files. In order for authenticated
users to use the full capabilities of help, they
must be able to add index files to this folder.
Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
11 October 2007
20-72
SAAS Security
Permissions
%SystemRoot%\History
History folder for web browsing.
Administrators
Creator Owner
System
Authenticated
Users
Full Control
Full Control
Full Control
Read, Write,
Execute
%SystemRoot%\mapiud.ini
file
File needed for Outlook Express.

Administrators
Authenticated
Users
Creator Owner
System
Full Control
Modify
Full Control
Full Control
%SystemRoot%\nsreg.dat
file
File needed for Netscape.

Administrators
Authenticated
Users
Creator Owner
System
Full Control
Modify
Full Control
Full Control
%SystemRoot%\Profiles
Contains user profile settings. Because the
Profiles folder needs to retain specific user
permissions, it will be configured manually in
chapter 13 of the NSA recommendation guide.
(Ignore)
%SystemRoot%\regedit.exe Administrators Full Control
file Full Control System
Registry editing tool.
%SystemRoot%\repair
Administrators
System
Full Control
Full Control
11 October 2007
20-73
SAAS Security
Permissions
Backup files of SAM database and other
important registry and system files to be used
during a system repair.

%SystemRoot%\Security Administrators Full Control
folder, subfolders, and files System Full Control
SCM databases and templates.
SystemRoot%\SendTo Administrators Full Control
folder, subfolders, and files Creator Owner Full Control
Folder needed for Outlook Express. System Full Control
Authenticated
Users
Read, Write,
Execute
%SystemRoot%\Temporary Internet Files Administrators Full Control
folder, subfolders, and files Creator Owner Full Control
Folder needed for web browsing System Full Control
Authenticated
Users
Read, Write,
Execute

5.6.8 Special considerations for the Dr. Watson USER.DMP File
By default, the Everyone group has Full Control of the Dr. Watson crash dump file (user.dmp).
This file contains various program error details, including information on the computer and the
user logged in at the time the error took place. If a user successfully gained access to this file, they
could obtain confidential information such as username and password.
To prevent users from getting access to potentially sensitive information, select from one of the
following options for protecting the crash dump file:
a. If information from the crash dump file is not required, delete the drwtsn32.exe entry
from the HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug registry key.
This will cause Dr. Watson to be replaced with a simple Application Error box.
11 October 2007
20-74
SAAS Security
b. If information from the crash dump file is desired, create a directory that will be used to
hold the crash dump files. Set the permissions for this directory as described in Table 8.

Table 8. Dr Watson Crash Dump File Permission Settings

Group/User Name Permissions
Administrators
Authenticated Users
Creator Owner
System
Full Control
Modify (This folder only)
Full Control
Full Control

5.7 Windows Discretionary Access Controls
Windows Explorer gives the SA the ability to view and change access permissions for files and
directories. By default, members of the Administrators group can use Windows Explorer to
control auditing for and take ownership of specific files and directories. Users logged on as
members of other groups can use Windows Explorer to view and change permissions for files
and directories they own or for which they have permission to do so. The SA should use the list
of files and directories provided in the SA Manual to insure that the files and directories are
properly set on Access Control Lists. Additional guidance for ACLs is given in the DISA
Security Technical Implementation Guide document. Normal SAAS-Mod users should have
the ability to access any OS or database management system
(DBMS) files. Print Manager allows members of the Administrator and Power User groups to
create (install) and configure new printers and to manage the forms that can be used by printers.
By default, Administrators can control auditing for and take ownership of any printer. Within
limits established by permissions protecting a printer, all users can use Print Manager to set the
properties of the printer, set permissions on a particular printer, take ownership of a printer, and
manage documents in the print queue.
The DISA Security Technical Implementation Guide document lists all the rights that can be
assigned by the Administrator to users.
Remote Access Server requires separate permissions. The DISA Security Technical
Implementation Guide document describes configuration settings for Remote Access Service
(RAS) section 11.2 of the System Administrators Manual also gives guidance for setting up RAS.
11 October 2007
20-75
SAAS Security
5.8 Windows Identification and Authentication
System administrators should NOT use the default Administrator UserID. The default Administrator
password should be changed immediately to a random set of characters. The SA should create a
unique UserID for each SA and assign the SA users to the Group Administrators. The password for
the UserID Administrator should be written down and placed in a secure container for use only
when the SA can no longer function or is incapacitated.
The DISA Security Technical Implementation Guide document contains guidance for the
account policies in Figure 8-2.

5.9 Oracle Database Management System
UPDATE: Use the Database Security Technical Implementation Guide, v7r2, May 2006. The
IASO/ Database Administrator (DBA) is responsible for documenting deviations from the DB
Security Technical Implementation Guides (STIG).
5.9.1 Current Relational Database Management System Version
The integrity of the Relational Database Management System (RDBMS) software executables
and data files is crucial to the optimal and correct operation of all database applications using the
RDBMS. To protect the RDBMS environment, the IASO will ensure that the database RDBMS
version is a vendor-supported product version. Vendor supported product versions are those that
continue to receive security updates by the vendor upon discovery of vulnerabilities. The DBA
will ensure that the database RDBMS patch level is in accordance with Information Assurance
Vulnerability Management (IAVM) requirements. Systems unable to support upgrades require an
extension for non-compliance filed with a signed acceptance of risk by the system DAA.
The RDBMS host should be an approved/certified platform to host the database.
The IASO will ensure that the database RDBMS version is a vendor supported product
version.
The database RDBMS patch level will be maintained by the DBA in accordance with
IAVM requirements.

5.9.2 RDBMS Software Monitoring
The RDBMS software installed on the host system will be monitored monthly for unauthorized
modification. Trojan horses and other malicious code could be implanted in standard database
executables that could corrupt database integrity or allow unauthorized access. Host systems
11 October 2007
20-76
SAAS Security
should baseline their systems after application installation to collect data on application
directories and files for future comparison in order to determine unauthorized modification.
The host SA will monitor the RDBMS software on a regular basis no less frequently than
monthly to detect unauthorized modifications.
5.9.3 Oracle Discretionary Access Controls
The Database Security Technical Implementation Guide, v7r2, May 2006 document contains
guidance for using profiles, and managing privileges to users.
5.9.4 Oracle Auditing
guidance for auditing. The IASO shall update this TFM accordingly if additional auditing is
necessary to meet updated requirements. Table 9 lists 23 SAAS-Mod DB tables, which are
audited for update, delete, and insert events after the audit.sql file is executed during installation.

Table 9. Database Table Audit Configuration

Table Names
1 Stg_area
2 Storage_point
3 Warehouse
4 Ammunition_lot_ite
5 Serial_matl-itm
6 Dodaac0
7 Dodaac_address
8 Management_center
9 Mil_org
10 Mil_storage
11 Military_structure
12 Mil_org_management
13 Site_hazard
14 Distance_category
15 Mgmt_acct
16 SAAS-Modmod_procedures
11 October 2007
20-77
SAAS Security
Table Names
17 User0
18 User_procedure
19 Atp_dodic_balance
20 Atp_lot_balance
21 Std_weapon_system
22 Weapon_dodic_profi
23 Atp_dodic_rsr_requ

guidance for managing Oracle audits. SAAS-Mod 1B contains the Oracle Browser, which
enables the DBA to customize the view of the information in the audited table. Refer to the
interactive documentation for Oracle Browser loaded on the SAAS-Mod 1B computer for more
information.
The Oracle audit data must be reviewed at least once per week or when abnormal/malicious
activity is suspected. Oracle contains an SQL script file named
cataudit.sql, which the DBA can execute to support the audit review process. Table 10 lists the
Oracle views, which are created when cataudit.sql is executed.

Table 10. List of Audit Views

Audit Views
1 STMT_AUDIT_OPTION_MAP
2 AUDIT_ACTIONS
3 ALL_DEF_AUDIT_OPTS
4 DBA_STMT_AUDIT_OPTS
5 USER_OBJ_AUDIT_OPTS
DBA_OGJ_AUDIT_OPTS
6 USER_AUDIT_TRAIL
DBA_AUDIT_SESSION
7 USER_AUDIT_SESSION
DBA_AUDIT_SESSION
8 USER_AUDIT_STATEMENT
DBA_AUDIT_STATEMENT
9 USER_AUDIT_OBJECT
DBA_AUDIT_OBJECT
11 October 2007
20-78
SAAS Security
Audit Views
10 DBA_AUDIT_EXISTS
11 USER_AUDIT_SESSION
DBA_AUDIT_SESSION
12 USER_TAB_AUDIT_OPTS
guidance on how to set up audit triggers when abnormal/suspicious activity is suspected or when
trying to follow the movements of a suspicious user.

5.9.5 Oracle Identification and Authentication
Use the Database Security Technical Implementation Guide, v7r2, May 2006, to securely
configure the Oracle identification and authentication (I&A) settings. Password complexity must
be in accordance with DISA and Army guidelines.

5.10 SAAS-Mod Application Security
This section provides guidance and procedures for SAAS-Mod Application DAC, Auditing, and
I&A.

5.10.1 Application Discretionary Access Controls
ALLFusion provides access in Maintain Users processes. See Section 16.0 of the SAAS-Mod
1B End Users Manual for specific details on the security access controls provided by the
Maintain Users processes.
5.10.2 Application Auditing
The SAAS-Mod DB Transaction History Table contains a limited audit trail of all
communication activity. Refer to the SAAS-Mod 1B System Administrators Manual for
detailed information pertaining to the Transaction History Table.
11 October 2007
20-79
SAAS Security
5.10.3 Application Identification and Authentication
Procedures and guidance pertaining to the SAAS-Mod Application I&A are to be IAW the DISA
Desktop Application Security Technical Implementation Guide, 06 February 2006. Applications
unable to conform shall have deviations to these requirements documented and maintained by
the IASO.
5.11 C2 Protect Tools
Brigade and above should have an IASO familiar with C2 Protect Tools and AR 25-2, when
published. Coordination with the IASO is essential for maintaining the correct versions of the
C2 Protect Tools.

5.12 Anti-Virus
Each computer in SAAS-Mod 1B should have the Norton Anti-Virus software program running
resident in memory at all times. Floppy disks placed into a floppy drive on any SAAS-Mod 1B
computer and files received from external sources should automatically be scanned for viruses.
Do not open a file on a floppy disk until the entire disk is scanned for viruses. Each
computer should have automatic times to scan the hard drive for viruses. The anti-virus software
should scan the entire hard disk each time the computer cold boots. The IASO should be notified
immediately when a virus is detected. Do not continue processing until the IASO is notified
and the IASO verifies the virus has been cleaned. Procedures and guidance pertaining to the
proper Norton settings shall be IAW Army Antivirus Policy messages and the DISA Application
STIG. The IASO shall ensure the Antivirus .dat files are updated at least every 30 days.
5.13 Security Patches
Maintaining the security of a Windows system requires frequent reviews of security bulletins.
Many security bulletins mandate the installation of a software patch or hotfix, to overcome
security vulnerabilities.
The IASO and SA must ensure that the latest security patches to correct known vulnerabilities
are installed on SAAS-Mod. The IASO and SA shall subscribe to the DoD- Computer
Emergency Response Team (CERT) Information Assurance Vulnerability Alert (IAVA) list.
Send an email to: majordomo@cert.mil. The body of the message should consist of the one line
text below:
subscribe iavalist
The IASO/SA will receive a message from the list server requesting confirmation. The message
will contain a confirmation number. The IASO/SA will have to respond with the confirmation
number to complete the subscription process.
11 October 2007
20-80
SAAS Security
The IASO and SA should keep abreast of the latest countermeasures (security patches) by
periodically reviewing information published by organizations such as the CERT Carnegie
Mellon University, Forum of Incident Response Security Teams (FIRST), DISA Automated
Systems Security Incident Support Team (ASSIST), and Computer Incident Advisory Capability
(CIAC). Specific procedures and guidance pertaining to security patches are included with the
release of Systems Change Package. See the Software Version Descriptor (SVD) for installation
instructions.
Before a patch or hotfix is applied to the system, the Configuration Control Board must approve
the change to the baseline. The Configuration Management Plan should include an emergency
process to quickly incorporate security patches or configurations into the system baseline.
If the security patch or configuration change is in response to an IAVM message, the fix must be
applied in accordance with the IAVM Process. If the IASO/SA is unable to apply the fix within
the time limit established in the IAVA, the IAM/IASO will need to request, through the DAA, an
extension or exemption from the Army Computer Emergency Response Team (ACERT).
6.0 WINDOWS XP PROFESSIONAL Software INSTALLATION AND
CONFIGURATION
The security configuration discussed in this document applies to Windows XP Professional used
by SAAS-Mod with any new or existing installation. In most cases, no distinction will be made.
All sites should use this document in conjunction with instructions regarding the installation of
Windows XP Professional standard configuration options. The recommendations presented will
strengthen security measures implemented during the installation phase of the operating system
software.

6.1 Pre-Configuration Requirements
6.1.1 Hardware Compatibility List
The follow points should be considered when selecting hardware:
Only hardware listed on the Microsoft Hardware Compatibility List should be used
for Windows XP environments. Using hardware that does not conform to Windows
XP standards may cause serious compatibility problems and have potential security
consequences.
6.1.2 Patches and Hotfixes
Patches and hotfixes are applied to fix operational and security flaws that Microsoft has
discovered. Administrators are required to apply the latest Windows service packs and hotfixes
as directed by the PM LIS IASO. Often, these will be applied via interim change package (ICP)
issued by the IASO. See paragraph 5.13 for further guidance.
11 October 2007
20-81
SAAS Security
6.2 Physically Securing Workstation and Software
The physical security requirements for system hardware are contained in AR 190-13, The Army
Physical Security Program. System hardware and software installation disks that have not been
physically secured can make the operating system and data stored on hard drives vulnerable. For
example, a personal computers floppy drive can easily be used to subvert the operating systems
controls if certain precautions are not taken. Booting from a DOS floppy and then running a
simple shareware program allows the contents of a NTFS (Windows XP Professional
workstation) formatted hard drive to be read. Likewise, software can be installed and then used
to recover an Administrators password to gain unauthorized control of the operating system. On
occasion, the subversion can be unintentional, such as allowing the floppy device to be part of
the boot sequence and accidentally booting from a virus infected disk that releases malicious and
damaging code.
The mandatory precautions to safeguard the Windows XP Professional Workstations are:
Physically restrict and limit access to Windows XP Professional workstations to persons
other than the user of that workstation.
Physically secure the hard drives by locking them in place or locking the case to a fixed
building support.
Physically secure software, particularly the Windows XP Professional workstation
installation disks and CDs.
Implement passwords to protect the BIOS in order to prevent the floppy drives being
activated without authorization
Virus scanning software must be installed and regularly used to detect and remove viruses. The
Department of Defense owns a site license for Norton Antivirus for Windows XP Professional.

7.0 Manual Security Configuration
The following settings are provided in the event that it becomes necessary for the SA to
manually configure a SAAS-Mod system. These settings are part of the system install image
distributed by the PM LIS along with comprehensive installation instructions. Therefore, a
manual configuration should not be necessary. However, the SA should periodically review these
settings and verify that the system configuration has not been changed. Any deviation from the
NSA security settings, as required by DoD Directive 8500.1, for the operational system shall be
documented by the local IASO/IAM. These changes shall be considered and approved by the
Configuration Control Board prior to any changes taking affect.
7.1 Password Management
a. Passwords must be used.
11 October 2007
20-82
SAAS Security
b. Passwords must be at least 10 characters long.
c. Passwords must contain characters from the following four classes:
(1) English Upper Case Letters (A, B, C, Z)
(2) English Lower Case Letters (a, b, c, z)
(3) Westernized Arabic Numerals (0, 1, 2, 9)
(4) Non-alphanumeric, Special characters (!, @, #^, *)
7.3 Configuring the Default Accounts
7.3.1 Administrator Account
Table 15 lists the configurations used for the local Administrator account on a Windows XP
Professional workstation.
Table 15. Administrator Account Configuration
Administrator Account Configuration
Administrator User Properties Parameters
User Name Rename the default Administrator account.
Full Name Administrator
Description Keep the same.
Password Password must meet complexity requirements.
User Must Change Password at Next Logon Should not be selected.
Users Cannot Change Password Should not be selected.
Passwords Never Expire
Department policy requires that users
passwords change every 90 days. Using this
feature, the system administrator can force a
users password to expire automatically.
Alternatively, the administrator may elect to
handle this process manually.
Account Disabled Do not select.
Groups The Administrator account should only belong
to the local Administrator group.
Profile Do not configure for local Administrator.

7.3.2 Guest Account
The Guest account must be password protected and disabled. Use Table 16 to configure the
guest account.
11 October 2007
20-83
SAAS Security
Table 16. Guest Account Configuration
Guest Account Configuration
Guest User Properties Parameters
User Name Rename the default Guest account.
Full Name Guest
Description Keep the same.
Password Password must meet complexity requirements.
User Must Change Password at Next
Logon
Should not be selected.
Users Cannot Change Password Should be selected.
Passwords Never Expire
Department policy requires that users passwords
change every 90 days. This applies to disabled
accounts as well as active accounts
Account Disabled Do not select.
Groups The Guest account should only belong to the local
Guest group.
Profile Disable this account.

7.4 Assigning Users to Groups
Recommendation: Use the following rule of thumb to manage security-using groups:
a. Devise a Windows XP Professional workstation group architecture based on
functional/operational needs.
b. Create the user accounts and add them to these functional/operation groups.
c. Apply Windows XP Professional workstation permissions against
functional/operational groups by adding only groups to the ACL for objects (e.g., files and
printers).
NOTE: The system administrator must follow the principle of least privilege when
assigning users to groups. Membership in a group must be determined by the users
need to access the collective resource permissions and system rights of the group. All
groups must be created by the system administrator, and possess only those privileges
required by the group to perform assigned duties.
7.5 Print Auditing
Print auditing, as supported by the Print Manager program, may be useful for certain classes of
users.
11 October 2007
20-84
SAAS Security
Enable print auditing depending on post requirements and security accountability needed for
some application specific print tasks. Auditing of printer activity is enabled in the Printer
Manager program, and should address print event logging by group. The following steps must be
performed for printer auditing to be enabled:
a. From the Control Panel, select Printers.
b. From the File menu, select Properties.
c. From within Properties, select the Security area.
d. From within Security, select Auditing.
e. Click the Add button and choose the Everyone group name.
f. Select the Failure check box for all Audit Events.

7.6 Printer Restrictions
Users must be restricted to printers within their functional areas. Additionally, only authorized
system staff is to be granted Full Control over any dedicated or shared printer. By default, users
are permitted to print and delete their print jobs. No further access is required of general users.
In some cases, it may be useful to assign a user to the Print Operators group in Windows XP
environments, and modify the ACL of a particular printer object to allow that group Manage
Printers permission. This can be implemented at the discretion of the SA.
7.7 Additional Security Options Settings
Use the settings shown in Table 17 to configure the local security policy.
Table 17. Security Options
Security Options
Security Option Setting
Additional restrictions for anonymous connections:
HKLM\System\CurrentControlSet\Control\Lsa\
No access without explicit anonymous
permissions
RestrictAnonymous = 2
Allow system to be shutdown without having to
logon
Not Defined
Allowed to eject removable Windows XP
Professional workstation media
Administrators
Amount of idle time required before disconnecting
session
15 minutes
Audit the access of global system objects Enabled
Audit use of Backup and Restore privilege Enabled
11 October 2007
20-85
SAAS Security
Security Options
Automatically log off users when logon time
expires
Enabled
Automatically log off users when logon time
expires (local)
Enabled
Clear virtual memory pagefile when system shuts
down
Enabled
Digitally sign client communication (always) Disabled
Digitally sign client communication (when
possible)
Enabled
Disable CTRL+ALT+DEL requirement for logon Disabled
Do not display last username in logon screen Enabled
Send NTLMv2 response only\refuse
LM Registry value = 4.
AN Manager Authentication Level:
Some Windows XP processes, such as Cluster
Services, use NTLM to authenticate. Use of the
recommended setting may cause these services to
fail.

IF the AD Services client have not
been installed set Send NTLM
response only
Registry value=2.
In this instance the IASO must
document the settings as a deviation to
system configuration requirements and
have a contingency plan to mitigate
vulnerabilities associated with LM
authentication.
This setting should be verified
in a test environment prior to
making any changes on an
operational server or workstation.
11 October 2007
20-86
SAAS Security
Security Options
WARNING! This computer is the
property of the United States
Department of Defense and may be
accessed only by authorized users.
Unauthorized use of this system is
strictly prohibited and may be
subject to criminal prosecution. The
Department may monitor any
official or personal activity or
communication on this system and
retrieve any information stored
within this system. By accessing and
using this computer, you are
consenting to such monitoring and
information retrieval for any lawful
purpose, including, but not limited
to, a properly authorized law
enforcement or counter-intelligence
investigation, information systems
security monitoring, an Inspector
General Inspection, or other
authorized administrative
investigation. Users have no
expectation of privacy with respect
to any information, either official or
personal, transmitted over, or
stored within this system, including
information stored locally on the
hard drive or other media used with
this computer to include removable
media or hand-held peripherals
devices.
Message text for users attempting to log on
Message title for users attempting to log on DOD Warning Banner
Number of previous logons to cache 1
Prevent system maintenance of computer account
password
Disabled
Prevent user from installing print drivers Disabled
Prompt user to change password before expiration 14 days
Recovery Console: Allow automatic administrative
logon
Disabled
11 October 2007
20-87
SAAS Security
Security Options
Recovery Console: Allow floppy copy and access
to all drives and all folders
Disabled
Rename administrative account Configure Locally
Rename guest account Configure Locally
Restrict CD-ROM access to locally logged-on user
only
Disabled
Restrict floppy access to locally logged-on user
only
Disabled
Secure Channel: Digitally encrypt or sign secure
channel data (always)
Disabled
Secure Channel: Digitally encrypt secure channel
data (when possible)
Enabled
Secure Channel: Digitally sign secure channel data
(when possible)
Enabled
Secure Channel: Require strong session key Disabled
Secure system partition (for RISC platforms only) Not defined
Send unencrypted password in order to connect to
3
rd
Party SMB servers
Disabled
Shutdown system immediately if unable to log
security audits
Disabled
Smart card removal behavior Lock workstation
Strengthen default permissions of global system
objects (e.g. Symbolic Links)
Enabled
Unsigned driver installation behavior Warn but allow installation
Unsigned non-driver installation behavior Warn but allow installation

11 October 2007
20-88
SAAS Security

This page intentionally left blank.
GLOSSARY
ACRONYMS AND ABBREVIATIONS

ACL Access Control List
AD Active Directory
AR Army Regulation
ASSIST Automated Systems Security Incident Support Team

BIOS Basic Input Output System
BPA Blanket Purchase Agreement

C&A certification and accreditation
CCB Configuration Control Board
CD-ROM compact disk-read only memory
CERT Computer Emergency Response Team
CIAC Computer Incident Advisory Capability
CM configuration management
CND Computer Network Defense
COMPUSEC Computer Security
COOP Continuity of Operations Plan

DAA Designated Approving Authority
DAC Discretionary Access Control
DBA Database Administrator
DBMS database management system
DiD Defense-in-Depth
DISA Defense Information Systems Agency
DITSCAP DoD Information Technology Security Certification and Accreditation Process
DLL dynamic linked library
DoD Department of Defense

11 October 2007
20-89
SAAS Security
ESM Enterprise Security Manager

FIRST Forum of Incident Response Security Teams

GUI graphical user interface

I&A identification and authentication
IA Information Assurance
IAM Information Assurance Manager
IASE Information Assurance Support Environment
IASED Information Assurance and Security Engineering Directorate
IASO Information Assurance Security Officer
IAVA Information Assurance Vulnerability Alert
IAVM Information Assurance Vulnerability Management
IAW in accordance with
ICP interim change package
IEF Integrated Engineering Facility

KB kilobyte
KB Knowledge Base

LAN local area network

MMC Microsoft Management Console
MS Microsoft

NSA National Security Agency
NT New Technology
NTFS New Technology File System

OMB Office of Management and Budget
OS operating system

PKI Public Key Infrastructure
PM Program Manager

RA Risk Assessment
RAR Risk Assessment Review
RAS Remote Access Service
RDBMS Relational Database Management System
RISC Reduced Instruction Set Computer

SA system administrator
SAAS-Mod Standard Army Ammunition System Modernization
11 October 2007
20-90
SAAS Security
SABI Secret and Below Interoperability
SAM Security Account Manager
SBU sensitive but unclassified
SCM Security Configuration Manager
SCP Systems Change Package
SFUG Security Features Users Guide
SMB Server Message Block
SMS Systems Management Server
SOP standard operating procedures
SP Service Pack
SSAA System Security Authorization Agreement
STIG Security Technical Implementation Guide
SVD Software Version Descriptor

TASO Terminal Area Security Officer
TFM Trusted Facility Manual

URL Uniform Resource Locator
U.S. United States
USAISEC United States Army Information Systems Engineering Command
UserID user identification

VPN virtual private network

W2K2 MS Windows 2003
WXP MS Windows XP Professional

20.4 AKO Security Update and Downloads

Reference: AKO----The Armys Portal Website

Note: This amendment is divided into three different parts. The first part explains how
to gain access to the SAASMOD folder on the Armys AKO Website. The second and
third parts briefly detail the steps required to download files from the Armys AKO
Website, and how to install the files on your respective computers.

11 October 2007
20-91
SAAS Security

Part 1.) How to Gain Access to the SAASMOD Folder on the Armys AKO Website:

To gain access to the SAASMOD information that has been placed on the Armys AKO
website you must perform the actions as outlined below. The Uniform Resource
Locator (URL) for the Armys AKO website is as follows: https://www.us.army.mil

To access this website you will need to Register with the Army's Portal website. During
the registration process you will be able to obtain a Logon Id and Password to their
website. Once you have registered properly, you can access the SAAS MOD folder and
download applicable files to your system by following the on screen prompts.

Perform the following steps to access the information that has been placed in the
SAASMOD folder for your use:
--click on Files tab (Formerly Collaborate) located near the top of the Home page on
the Army's AKO website
--click on U. S. Army Organizations
--click on Logistics
--click on PM LIS
--click on ALIS
--click on SAAS MOD
--click on L6F-xx-00 Interim Changes folder where xx is the current SAAS
Release number.
--click on your appropriate level of SAAS.

Please remember to record your Logon Id and Password from the Armys AKO website
and retain this information in a secure place. If you have any questions or encounter
any problems when attempting to install downloaded files from this website, please call
the Customer Assistance Office at Fort Lee, Virginia at the following phone numbers
and request guidance from our office:
Commercial: (804) 734-1051
DSN: 687-1051

Part 2.) Downloading Instructions from the Armys AKO Website:

Once you have gained access to the Armys AKO website and the SAAS-MOD folder,
you will see a plus sign (+) located immediately to the left of SAAS-MOD. Click on the +
sign to view the main sub-folders aligned under the SAAS-MOD folder. Click on the
main sub-folders to view either additional sub-folders or the files contained therein.
11 October 2007
20-92
SAAS Security
Notice that the displayed window is divided into two parts. As you click on the sub-
folders located on the left part of the screen to open them, the sub-folders and or files
will be displayed on the right side of the screen. Follow the sequence of steps listed
below to download the selected file. You can only download one file at a time:

--Select the file that you want to download by placing a checkmark in the box adjacent
to the file
--Click on the selected file to be downloaded
--A File Download window will pop up on your screen
--Click on the SAVE button
--A SAVE AS window will be displayed on your screen
--Select the folder location of your choice as to where you want to save the file
--In the SAVE AS window, click on SAVEthe File Download process will start
automatically
--When the File Download process has completed, the Download Complete window will
be displayed on your screen with this message displayed, Download Complete
--Click on Close
--Close any remaining window(s) that are open until you return to the AKO screen
displaying the Collaborate Tab and the SAAS MOD folders and files.
--You may now download another file or Logout from the AKO Website
11 October 2007
20-93
SAAS Security
--The LOGOUT button is located at the top right side of the Collaborate Tab
--Downloading the file to your Hard drive is now complete. The next step is file
installation.

Part 3.) Installation of SAASMOD Downloaded Files from the Armys AKO
Website:

After completing Parts 1 and 2 above successfully, you now have the downloaded file
saved to your hard drive on your computer system. To implement the essentials of the
file that you have downloaded follow the sequence of steps listed below:
--You must be logged on as the Administrator with the Administrative Password
--Using either Microsoft Explorer or File Manager, proceed to the location of where you
SAVED the downloaded file on your hard drive
--Remember that most of these downloaded files are executable file(s)the file
extension is .exe
--Double Left Click on the downloaded file and the execution of the downloaded file will
start
--Follow any on-screen prompts during the execution process
--After the execution process has completed, Re-start your system so that the changes
will take effect
--Remember that in most instances, your system will Re-Start automatically upon
completion of the execution process. If it does not, then perform the Re-Start manually
so that the changes will be implemented on your system.
--After the Re-Start is completed proceed with normal operations.

11 October 2007
20-94

Admin Handbook Cisco

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Admin Handbook Cisco

Uploaded by

Copyright:

Available Formats

SAAS MOD

SYSTEMS ADMINISTRATOR HANDBOOK

You might also like