Enabling ParentWeb Security Tracking

Starting with the update to SPM available after September 15th, 2009, ParentWeb now has three new security-related features:

  1. Tracking, in student notes, the last successful or failed login
    Only the last login or attempted login is tracked, along with success, date & time and IP address of the attempt
  2. Locking a ParentWeb account out without changing/altering passwords, via Notes
    This locks all access to that student, regardless of whether the login is via the student ID or contact info
  3. Enabling an auto-lockdown for an account where too many failed login attempts are detected.
    (for example, automatically lock an account after 5 failed login attempts)

The Auto-lockdown can be enabled/disabled independently of the Notes-based tracking/manual lockdown, though you must set up the Notes-based tracking before Auto-lockdown will be active and available.

1.1. Enabling Note based login tracking and manual-lockdown ability

Doing this only requires you to create a new note code in the note group "WEB-INFO". Once the note code is set up, it will automatically be added to a student's notes the next time a login to their account succeeds or is attempted. Creating this will NOT, by itself, enable automatic lockdown based on repeated failed logins; that requires the additional setup in the next section.

NOTE: You must have administrator privileges in SPM in order to set this up

  1. Enter the Note Group Maintenance. Usually this is done from the main SPM menu by going into the Maintenance Menu, then the District Maintenance Menu, then selecting the Note Group Maintenance from the menu. Once in, you should see the Note Group Maintenance screen.
  2. Using the up/down arrow keys, navigate to the note group called WEB-INFO. Then, using the right/left arrow keys, move the menu to Update and press Enter.
  3. Once the setup for the Note Group WEB-INFO is displayed, immediately press F1 to move to the note codes. Do not make any changes to the WEB-INFO note group definition.
  4. The next screen lists the note codes that are part of the WEB-INFO note group. Using the left/right arrow keys, select Create from the menu and press Enter
  5. Fill in the fields of the new note code as follows:
    1. In the Code field, type in SECURITY
    2. In the next field (description), type in Account Security Control
    3. In the next field, Multiple notes per student, type in No
    4. Leave the Use Dates field as No
    5. Leave the Use End Date field as No
    6. For the Use Flags field, type in Yes
    7. For the description field right after the Use Flags field, type in Acct Locked
    8. Leave the Use Tables field as No
    9. Press F1 to save it

  6. Exit out of the Note code and Note Group maintenance
  7. Setup for tracking last login attempt and manual locking abilities is now complete!

1.2. Setting up the ability to automatically lockdown accounts

Setting up this ability does not automatically mean it will be enforced. The values you install control whether this will be enforced or not. Further, even if you set this up, until you set up the note code (in the previous section), it will have no impact/effect regardless of settings.

NOTE: You must have administrator privileges in WebSage and be familiar with the WebSage Service editor to set this up

  1. Enter the WebSage Service editor in your web browser. Generally, its address is a variation of the URL you would use to log in to ParentWeb. For example, if your URL for logging into ParentWeb looked like this:
    https://www.myDistrict.edu/cgi-bin/ParentWeb/pw-login.p
    then the WebSage Service editor URL would look like this:
    https://www.myDistrict.edu/cgi-bin/ParentWeb/ws-svcedit.p
  2. Type in the security password to authorize yourself
  3. From the Main Editor page, select the PARNTWEB service on the Known Services list and then press the Edit Service button
  4. Near the bottom of the page, locate the Change Service Attributes button and press it
  5. Scroll to the bottom of the current list of known Service Attributes and locate the New Attribute button and press it
  6. In the form for creating a new attribute, set the values as follows:
    1. For the Attribute Name, type in LOGIN_FAIL_MAX
    2. For the Description, type in Max # of failed logins before lock
    3. For the Value, type in the # of failed logins before you want an account locked. A suggested value is 5. Setting this to 0 disables the auto-lockdown action.
  7. Press the Save Attribute button
  8. Setup is complete!
    NOTE: There is no specific logout for the Service Editor; just close your browser or go to another web site.

1.3. Manually Disabling a ParentWeb login

To prevent a student's account from being logged into, do the following:

  1. Via the SPM Student Maintenance, look up the student you wish to lock down and select Update from the menu
  2. Change the area to the Web Info area of the Student (this is a Notes based area)
  3. Select the SECURITY note code and select Update from the menu and press Enter
    If the student does not have a SECURITY note code yet:
    1. Select Create from the menu
    2. For the note code, type in SECURITY
    3. Continue on with the next step below
  4. Move down to the Acct Locked field and change the value to Yes.
  5. Press F1 to save
  6. The ParentWeb account is now locked. No one can log into that account.

NOTE: The SECURITY note code is normally automatically created the first time anyone attempts to log in to ParentWeb (after the SECURITY note was set up per the steps above). If a student does not yet have the note code, it just means that as of yet, no one has tried to log in since you set the SECURITY note up.

1.4. Disabling or Changing the Auto-Lockdown action

You can disable the Auto-Lockdown or change the number of attempts before auto-lockdown via the web service editor. Using the general outline of the steps you used to create the Auto-Lockdown entry via the WebSage service editor, here are the steps needed:

  1. Enter the ParentWeb WebSage editor using the WebSage Editor URL in your web browser
  2. Enter the WebSage Service Editor password
  3. From the Main Editor page, select the PARNTWEB service on the Known Services list and then press the Edit Service button
  4. Near the bottom of the page, locate the Change Service Attributes button and press it
  5. Scroll down the list of attributes until you find the one named LOGIN_FAIL_MAX
  6. To DISABLE Automatic Lockdown, change the Value to 0
    NOTE: Any number less than one (1) or a Value that is an invalid number (has letters or other characters) effectively disables auto-lockdown
  7. To Change the number of unsuccessful login attempts before auto-lockdown, type in the number (from 1 to 99) in the Value column
  8. Scroll down to the bottom of the page, locate the Save Changes button and press it to save
  9. Change to Auto-Lockdown is complete!
    NOTE: There is no specific logout for the Service Editor — just close your browser or go to another web site.

1.5. Re-enabling a student ParentWeb account after it's been locked down

If a student's ParentWeb account has been locked, either due to automatic lockdown because of excessive failed logins or because it was manually locked, the account will stay locked until someone manually intervenes and clears the lock as follows:

  1. Via the SPM Student Maintenance, look up the student whose account you wish to unlock and select Update from the menu
  2. Change the area to the Web Info area of the Student (this is a Notes based area)
  3. Select the SECURITY note code and select Update from the menu and press Enter
    If the student does not have a SECURITY note code yet, the account cannot have been locked yet.
  4. Move down to the Acct Locked field and change the value to No
  5. Press F1 to save
  6. The ParentWeb account is now unlocked and can be logged into again.

NOTE: The SECURITY note code is normally automatically created the first time anyone attempts to log in to ParentWeb (after the SECURITY note was set up per the steps above). If a student does not yet have the note code, it just means that as of yet, no one has tried to log in since you set the SECURITY note up (which also means the account cannot be locked as the note code that controls locking doesn't exist).

1.6. Viewing a student's last login information

Once the SECURITY note code is set up, a SECURITY note will automatically be created for a student upon the first attempt (successful or not) to log into that account. Further, all logins, successful or not, will track the date and time of the login and the IP address the login came from. For unsuccessful logins, you can also see the number of unsuccessful logins. You can view this status for a student as follows:

  1. Via the SPM Student Maintenance, look up the student whose login information you wish to view and select Update from the menu
  2. Change the area to the Web Info area of the Student (this is a Notes based area)
  3. Select the SECURITY note code and select Display from the menu and press Enter
    If the student does not have a SECURITY note code yet, no one has attempted to log in to the account yet
  4. View the login info in the Comments section. If the comments start with a number, then it is the number of unsuccessful login attempts. The remaining info (date, time and IP address) is clearly labeled.
  5. Press F1 to end the display

1.7. Additional notes about security

  • Once a ParentWeb account is locked, it will not allow any login, even with the correct password, until manually re-enabled.
  • A person trying to log in to a locked student account receives no special message that the account is locked. The login will fail, the exact same way it would fail if they had entered the wrong password. This is intentional and necessary to thwart attempts at hacking the account, as providing any additional feedback to a hacker (person or a hacking program) will help them to learn more about the system and account.
  • Even after the account is locked, the failed login attempt counter, visible in the student's SECURITY note code, will continue to be incremented and the last login attempt date/time/IP address are updated.
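
The lockout rules from sections 1.4 and 1.7, modelled as an added Python example; this is not ParentWeb or WebSage code. SecurityNote, attempt_login, the reply strings and the counter reset on a successful login are assumptions made for illustration, and the IP address is a constructed sample.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

GENERIC_FAILURE = "Login failed"  # one reply for bad password and locked account

def parse_fail_max(raw):
    """LOGIN_FAIL_MAX as described on the page: a value below 1, or one
    that is not a valid number, disables auto-lockdown (returned as 0)."""
    try:
        value = int(raw.strip())
    except ValueError:
        return 0
    return value if value >= 1 else 0

@dataclass
class SecurityNote:          # hypothetical stand-in for the SECURITY note
    locked: bool = False     # the "Acct Locked" flag
    fails: int = 0           # failed-attempt counter shown in the comments
    last: tuple = ()         # only the most recent attempt is kept

def attempt_login(note, password_ok, ip, fail_max_raw, now=None):
    """Apply one login attempt to the note and return the reply shown."""
    now = now or datetime.now(timezone.utc)
    fail_max = parse_fail_max(fail_max_raw)
    success = password_ok and not note.locked   # a lock beats a correct password
    if success:
        note.fails = 0       # assumption: the page does not say when it resets
    else:
        note.fails += 1      # keeps counting while the account is locked
        if fail_max and note.fails >= fail_max:
            note.locked = True
    note.last = (success, now, ip)   # overwrite: no history is retained
    return "OK" if success else GENERIC_FAILURE

def demo():
    """Three bad passwords with LOGIN_FAIL_MAX=3, then the correct one."""
    note = SecurityNote()
    ip = "192.0.2.10"        # constructed sample address
    replies = [attempt_login(note, False, ip, "3") for _ in range(3)]
    replies.append(attempt_login(note, True, ip, "3"))
    return note, replies

if __name__ == "__main__":
    note, replies = demo()
    print(replies, note.locked, note.fails)
```

Because the locked and wrong-password replies are identical, the only place to tell the two cases apart is the student's SECURITY note.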


Page last modified on Wednesday 23 of September, 2009 11:06:31 EDT