SOP for Deploying MiniMon with Remote Access

From PTAGISWiki

Standard Operating Procedure
Subject: SOP for Deploying MiniMon with Remote Access
Author: John Tenney
Approved by: Don Warf

Objective

The objective of this procedure is to define steps necessary to configure MiniMon for automatic restart as well as remote access.

Scope

This procedure applies to PIT Tag interrogation sites using MiniMon in which maximum unattended uptime is desired.

Responsibilities

This procedure can be used by any person/agency deploying MiniMon.

Procedure

INTRODUCTION


Background

PTAGIS MiniMon is an unattended, long-running application for collecting instrumented PIT tag detection data (monitoring) from an interrogation site. MiniMon operates within a Windows user account. Computers at these sites experience intermittent power interruptions, so PTAGIS recommends setting up these sites to automatically restart MiniMon when the system boots. This document provides step-by-step instructions for IT administrators on installing and configuring MiniMon for automatic restart as well as remote access.

Next Generation

PTAGIS is developing the next generation of interrogation software, called M4, to replace MiniMon. PTAGIS recognizes the disadvantages of requiring a long-running application to reside within a Windows user station. M4 will perform monitoring operations in a background process (Windows Service), removing the dependency on a Windows user station. This will provide better flexibility and safety for operating M4 on an unattended Windows platform. Automatic restart can be configured during installation, mitigating the need for this SOP.

SYSTEM REQUIREMENTS

To deploy MiniMon following the procedures described within this document, the following system requirements are necessary:

1. MiniMon will operate on a wide variety of Windows platforms. However, for this procedure, the following platforms are required:

a. Windows XP SP2 or better
b. Windows Server 2003 or better
c. *Windows Vista has not been tested under this operating procedure.

2. This procedure will require Administrator privileges to create a separate user account to install and operate MiniMon. This target user account has the following requirements:

a. MiniMon must be installed while logged into the target user account. MiniMon will create local registry settings associated with the target user account. These settings are stored under this registry key:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\MiniMon
b. During installation, the target user account must have temporary Administrator privileges to update system OLE files.
c. The target user account MiniMon will operate within must have Power User or Administrator privileges. MiniMon requires privileges to open and close local files as well as to make network connections to upload data to PTAGIS via passive FTP.
d. The target user account must be configured to have access to Remote Desktop Protocol as a member of the Remote User security group.

3. This procedure uses the Microsoft utility TWEAKUI, which must be downloaded and installed on the target computer. This utility can be removed after the procedure is completed.

4. High-speed (DSL or better) network connection to support remote access.

SECURITY PROCEDURES

PTAGIS recognizes that installing MiniMon in a trusted user account with automatic logon and remote access is not an ideal deployment scenario with regard to security. The next generation interrogation software (M4) is designed to decouple unattended monitoring from the user interface, mitigating the need for this procedure.

Until M4 is ready for deployment, this procedure intends to provide the most secure method for deploying MiniMon for scenarios that require unattended execution, automatic restart, and remote access. The following security procedures should be followed:

Physically Secure the Computer

Due to automated login requirements, the MiniMon computer can be accessed by anyone by performing a simple reset of the computer. Therefore, it is required that this system be physically secured – door locks, alarms, etc. – in order to prevent unauthorized access. This is not an unreasonable measure: stolen computers account for a large percentage of unauthorized access and data theft.

Require Strong Passwords

A strong password that is hard to break has the following characteristics:

  • Contains at least six characters
  • Contains characters from each of the following three groups:
    • Uppercase and lowercase letters (A, a, B, b, C, c, and so on)
    • Numerals
    • Symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on)
  • Contains at least one symbol character in the second through sixth positions
  • Is significantly different from prior passwords
  • Does not contain your name or user name
  • Is not a common word or name

Strong password requirements can be enforced on a system by enabling the “Password must meet complexity requirements” policy within Local Security Settings (see Control Panel | Administrative Tools | Local Security Policy | Password Policy).
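
To confirm the policy is actually in force on a deployed machine, the following added example (not part of the original SOP) exports the local security policy with secedit and checks the settings that correspond to the guidance above. The temporary file name is an assumption; run it from an Administrator prompt with PowerShell 2.0 or later.

```powershell
# Added example: compare the local password policy with the SOP's guidance.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# The export is an INF file; password settings are "Name = Value" lines
# in the [System Access] section.
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg

$findings = @()
if ($policy['PasswordComplexity'] -ne '1') {
    $findings += '"Password must meet complexity requirements" is not enabled'
}
if ([int]$policy['MinimumPasswordLength'] -lt 6) {
    $findings += "Minimum password length is $($policy['MinimumPasswordLength']); the SOP calls for at least six characters"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Password policy meets the SOP guidance.' }
```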

Use of Antivirus, Firewall and System Updates

To minimize the risk of viruses, worms and other security threats, it is recommended antivirus software be installed and kept updated.

A firewall is a protective boundary that monitors and restricts information that travels between a computer and a network or the Internet. At a minimum, Windows XP SP2 provides a firewall feature that should be enabled. See Windows Security Center located within the Control Panel for more information.

Windows provides an Automatic Update feature that will install the latest security patches issued by Microsoft. This feature has two basic parts: downloading the patch and installing the patch. Downloading updates should not affect operation of the system as long as the Internet connection is DSL or better. However, installing updates frequently requires a system reboot that can affect data collection. It is not recommended that automatic updates be enabled; however, it is recommended that the system be frequently updated by site personnel.

Dedicated System

MiniMon was developed to run on a dedicated system and does not collect sensitive information that could be exploited. This dedicated system should not be used for other purposes, such as email or data storage that could store sensitive information and make this machine a target for theft.

The dedicated system should not contain any unsecured VPN or other networking tunnels that could compromise the security of an enterprise at the other end.

Screen Saver with Password Protection

Even though resetting the system will automatically log into the MiniMon user account, a user approaching the system has no way of knowing this. Therefore, it is recommended to set the Screen Saver utility to turn on after 5 or 10 minutes and enable the On Resume, password protect setting. These settings can be accessed from Control Panel | Display Properties by clicking the Screen Saver tab.

DEPLOYMENT PROCEDURES

The following step-by-step procedure guides a user through installing MiniMon in a target user account, enabling automated login and remote desktop access.

Create a Target User Account

A user account will be used to install and operate MiniMon. The account will also be configured for automated login and remote desktop access. MiniMon features require this account to have at least Power User privileges for normal operations. This procedure creates an example account named ptagis; however, any account can be used to deploy MiniMon, including the local administrator account.

Use the Local Users and Groups administrative tool (Control Panel | User Accounts | Advanced tab | Advanced button) to create the new account with a strong password and add the account to the Administrators group.


Figure 1 New User Window


Install MiniMon Application

To install the MiniMon application, first login to the target user account (an example account was created in the previous step). Download the latest version of the application from the PTAGIS web site to the target system (or install it from media). Run the installation program and use the default settings provided by the installer. Verify the installation by running the application after it completes.

The MiniMon installer requires Administrator privileges.

Create Shortcut to Automatically Start MiniMon

In order for MiniMon to automatically run after the startup of the target user account, create a special application shortcut following these directions:

1. Open Windows Explorer or My Computer

2. Navigate to the default MiniMon installation directory:

C:\Program Files\PTAGIS\MiniMon

3. Right-click MiniMon.exe and select Create Shortcut from the context menu.

4. Right-click the newly created shortcut and select Properties from the context menu

5. On the Shortcut tab of the shortcut properties window, place the cursor at the end of the executable path listed in the Target text box and type: AutoInterrogate. The text entry should look like this:

"C:\Program Files\PTAGIS\MiniMon\MiniMon.exe" AutoInterrogate

Close the Shortcut properties.

6. Execute the shortcut and verify that MiniMon starts up and is in Monitoring mode. For more information on this step, refer to the installation section of the MiniMon help documentation.

7. Cut-and-Paste or Drag-and-Drop the shortcut to the Startup folder in the target user account. For example, the Startup folder for a new ptagis account would be:

C:\Documents and Settings\ptagis\Start Menu\Programs\Startup

8. Reboot the PC and login to the MiniMon account to verify MiniMon starts up automatically in monitoring mode.

Enable Remote Desktop Protocol

To be able to access this machine remotely, you must first enable Remote Desktop Protocol for the MiniMon user account by following these directions:

1. While logged into the MiniMon user account with Administrator privileges, open the Control Panel, select the System applet and choose the Remote tab page on the System Properties window.

2. Check the Allow users to connect remotely to this computer option. You may need to adjust the Windows Firewall settings as described by clicking on the hyperlink on this page.


Figure 2 Remote System Properties


3. If you are setting this feature from another user account, click Select Remote Users and add the MiniMon account so that it can access the Remote Desktop feature.

4. Press OK to close the System Properties.

Set AutoLogin

To allow the MiniMon account to automatically login after a system reboot, perform the following steps:

1. Download and install the following TWEAKUI Power Toy utility from Microsoft Downloads: Microsoft PowerToys for Windows XP. Make sure you install the appropriate version (do not select the Itanium 64-bit version by mistake).

2. Run the TWEAKUI utility, expand the Logon node and select Autologon.


Figure 3 Tweak UI AutoLogon Settings


3. Check the Log on automatically at system startup box and type the appropriate User Name and Domain that corresponds to the MiniMon account.

4. Click the Set Password button and type the password for the account.

5. Press OK to close the utility.

6. Verify the Autologon by rebooting the PC – the MiniMon account should automatically logon and MiniMon should start in monitoring mode.

7. To logon to this machine with another account, hold the Shift key during system startup and the Autologon will abort.

OPTIONAL PROCEDURES

The following procedures are optional:

Set MiniMon account to Power User Privileges

If the MiniMon account is not required to have Administrative privileges (i.e. not the local administrator account) it would be prudent to restrict the privileges of this account to a Power User. You can do this using the User Management console described in step 4.1.

MiniMon must run with either Administrative or Power User privileges.

Automatically Restart after System Failure

By default, if a system failure occurs, the machine will not attempt to reboot. To change this setting, click the Settings button located in the Startup and Recovery section of the System Properties (see step 4.4 for access instructions). In the Startup and Recovery window within the System Failure section, check the Automatically restart option and press OK to close and save the changes.


Figure 4 Startup and Recovery System Properties
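
The deployment and optional procedures above can be verified after the final reboot with a short audit. This is an added example, not part of the original SOP or of MiniMon; it assumes PowerShell 2.0 or later run as Administrator, the SOP's example account ptagis and Windows XP profile paths, and the helper name Add-Check is illustrative.

```powershell
# Added example: post-deployment audit of the settings this SOP configures.
$account = 'ptagis'      # the SOP's example account; change to match the site
$results = @()
function Add-Check($name, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{ Check = $name; OK = $ok; Detail = $detail }
}

# 1. Startup shortcut must launch MiniMon.exe with the AutoInterrogate argument.
$startup = "C:\Documents and Settings\$account\Start Menu\Programs\Startup"
$shell   = New-Object -ComObject WScript.Shell
$links   = @(Get-ChildItem $startup -Filter *.lnk -ErrorAction SilentlyContinue |
             ForEach-Object { $shell.CreateShortcut($_.FullName) } |
             Where-Object { $_.TargetPath -like '*\MiniMon.exe' })
$autoArg = @($links | Where-Object { $_.Arguments -match '\bAutoInterrogate\b' })
Add-Check 'Startup shortcut uses AutoInterrogate' ($autoArg.Count -gt 0) "$($links.Count) MiniMon shortcut(s) found"

# 2. Remote Desktop: fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'Remote Desktop enabled' ($ts.fDenyTSConnections -eq 0) "fDenyTSConnections=$($ts.fDenyTSConnections)"

# 3. Autologon is driven by these Winlogon values.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Check 'Autologon enabled' ($wl.AutoAdminLogon -eq '1') "DefaultUserName=$($wl.DefaultUserName)"
# A DefaultPassword value under Winlogon is readable plaintext; it should be absent.
# The value itself is deliberately never printed.
Add-Check 'No plaintext autologon password' (-not $wl.DefaultPassword) 'Winlogon\DefaultPassword'

# 4. Optional hardening: account runs as Power User rather than Administrator.
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
Add-Check 'Account not in Administrators' (-not ($admins -contains $account)) 'optional step'

# 5. Recovery: AutoReboot = 1 restarts the machine after a system failure.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Add-Check 'Restart after system failure' ($cc.AutoReboot -eq 1) "AutoReboot=$($cc.AutoReboot)"

$results | Select-Object Check, OK, Detail | Format-Table -AutoSize
```

A False result on the plaintext-password check means the account password can be read from the registry by anyone with access to that key, which matters here because the same account is reachable over Remote Desktop.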


References

None.
