Central Authentication and Directory Service
   

1. Introduction
2. Definitions
3. Policy Statement
4. Responsibility
5. CADS Application Procedures and Guidelines
6. Authentication and Authorization
7. CADS-registered IT Systems
8. How to check if an IT system is CADS-registered?
9. What to do if you find an IT system that asks for a CWEM account but is not listed on the ITSC CADS web page?
10. Enquiries
11. Central Authentication and Directory Service Application Form


     
1. Introduction

The use of the ITSC CWEM computer account as the means of user authentication and/or authorization in information systems has been increasing. It gives departmental IT system owners a convenient way to deliver systems that require centralized user authentication.

Through the Central Authentication and Directory Service, ITSC provides a mechanism for interfacing IT systems with the central user database for user authentication. The target IT systems are those provided for campus-wide or departmental/faculty-level use. For security reasons, those who need the service must observe the policy and guidelines and follow a set of procedures for applying for and using the service. This document sets out the policy, guidelines and procedures for the use of the Central Authentication and Directory Service provided by ITSC.

The latest version of this document can be found at http://www.cuhk.edu.hk/itsc/security/cads

     
2. Definitions

Terms and their descriptions:

Central Authentication and Directory Service (CADS)

The service defined in this document. It includes the provision of user authentication and directory service through

  • CWEM computer account (computing ID and CWEM password) or
  • Staff/Student ID and CWEM password
  • CWEM computing ID only (in Local Authentication Mode)

Local Authentication Mode

The authentication mode that uses the CWEM computing ID as the login name but not the CWEM password. Such a system has its own password, maintained by the IT System Owner (i.e. the department or unit); user passwords are kept locally on the department's server.

IT Systems

Include both in-house developed IT applications and systems in the University.

Lightweight Directory Access Protocol (LDAP)

The CUHK Directory Service provides a campus-wide centralized database containing information about students, staff, faculty and other units of the University. This service is built on LDAP (Lightweight Directory Access Protocol). The ITSC LDAP server is the authoritative source of University data including staff/student IDs, computing IDs, e-mail addresses and other derived attributes, and it underpins the Central Authentication and Directory Service. If an application for CADS is approved, ITSC provides the IT System Owner with a mechanism to interface with the LDAP server for user authentication via the CWEM computer account.

CWEM Computer Account (CWEM Computing ID and Password)

The CWEM Computer Account consists of the CWEM Computing ID and its associated CWEM Password. The computing ID is the unique login identifier of each person in the CUHK computing community and is the identifier used in the Central Authentication and Directory Service.

     
3. Policy Statement

The central authentication infrastructure built by ITSC provides a unified, secure and integrated method for verifying the electronic identity of all persons in the university community. It is an essential IT security enabler for campus-wide services, systems and applications.

Possession of a CUHK Staff or Student ID does not in itself grant a student or staff member access to any information or service. Eligibility for access depends on the person's role or status (staff/retiree, student/alumni) with the University. Unit heads, or their service owners, are responsible for establishing the access policies for their services, and must decide those policies before applying for the Central Authentication and Directory Service supported by the ITSC central authentication infrastructure.

Use of the CWEM computer account or CWEM password for authentication without prior application to ITSC is strictly prohibited. ITSC will approve an application for CADS only if the IT System Owner can comply with the guidelines specified in Section 5. ITSC will withdraw a system's use of CADS at any time if it finds any violation of the terms of this policy document.
 
 
     
4. Responsibility

4.1 Responsibility of an Individual

  1. Any person who is issued a CWEM computing account must read and agree to the responsibilities set forth in Computer Network - Policies & Guidelines on Access and Usage, documented at http://www.cuhk.edu.hk/itsc/publications/userdoc/rgen002.html, in particular:
     - to enable ITSC staff to maintain accurate information about him or her by supplying current information, including department affiliation, degree programme (undergraduate or graduate) and University position (faculty, staff, graduate staff or student);
     - not to provide false or misleading information;
     - to be responsible for any and all activities initiated through his or her account;
     - to be responsible for selecting a secure password for the account and for keeping that password secret at all times. Passwords should not be written down, stored online or given to others. Passwords should never be given to someone claiming to be an ITSC staff member; authorized ITSC staff do not need to know an individual user's password.
  2. Many online applications now require one's CWEM password for authentication. To protect one's own interests, one should observe the guidelines for setting a strong password at http://www.cuhk.edu.hk/itsc/security/gpis/guidestrongpw.html
  3. If a user discovers a vulnerability in accessing any authorized information system, he or she should inform ITSC. ITSC will work with the information system owner concerned to implement remedial measures. If the information system owner refuses to implement them, ITSC has the right to stop computer account access from that information system.
  4. Should one suspect that his or her password has been compromised, he or she should change it immediately online at https://accounts.itsc.cuhk.edu.hk/resetpasswd/index2.html and report the incident as documented at http://www.cuhk.edu.hk/itsc/security/isreport/index.html
     
  4.2 Responsibility of the ITSC  
 
  1. As the owner of the CWEM computer accounts, the ITSC will act with prudence, diligence and due care to protect the data.
  2. Unauthorized access, collection, disclosure, modification or processing of the computer account information will be forbidden or blocked by ITSC without prior notice.
     
  4.3 Responsibility of the IT System Owner  
 

To use the Central Authentication and Directory Service (CADS), the IT System Owner is responsible for:

  1. Making sure that basic security measures have been implemented in the information systems that are going to connect to CADS.
  2. These basic security measures include, but are not limited to: encrypting all data transmitted between the information system and the CADS system, limiting the number of password attempts, and forbidding any form of password storage, even temporary. Further suggestions on security measures can be found at http://www.cuhk.edu.hk/itsc/security.
  3. Allowing ITSC to list their information systems on the CADS-registered IT Systems page (this page is restricted to authorized CUHK staff and students, who log in with a valid Computing ID as user name and CWEM password as password).
  4. Informing the authorized users of their system that the use of their computer account information for authentication has been authorized by ITSC.
  5. Complying with the Personal Data (Privacy) Ordinance when handling user data. A Personal Information Collection (PIC) Statement must be published in a prominent area of the information system, notifying users of the purpose(s) for which their computer account information is collected and used.
  6. Maintaining a channel through which their users can enquire about their policies on the use of personal data. A link to the ITSC Electronic HelpDesk (https://helpdesk.itsc.cuhk.edu.hk/group/abuse), for users to report any improper use of CWEM computer account information, must be placed on the information system.
  7. Using the user authentication mechanism provided by ITSC on the designated IT System only.
  8. Informing ITSC of any change to the system's IP address.

For systems using Local Authentication Mode, the system owner must state clearly on the login page that users should choose a password different from their CWEM password. In the long run, ITSC strongly recommends that system owners:

  1. Stop using the CWEM computing ID as the login ID, to prevent confusion between the local password and the CWEM password; or
  2. Switch to CADS using both the CWEM computing ID and the CWEM password.
 
 
     
5. CADS Application Procedures and Guidelines

  1. An application to use CADS shall be submitted by the IT System Owner. The IT System Owner shall complete the CADS application form and submit it to ITSC
     - at the planning stage of the information system's development; and
     - at least one month before the production date of the system.
  2. A CADS application must be endorsed by the Department / Unit Head and is subject to annual renewal.
  3. On applying for the service, the IT System Owner takes responsibility for the system's security and for the duties specified in Section 4.3.
  4. CADS will only serve systems that are connected to the campus network.
  5. The IT system must have strong physical security protection, with access limited to authorized personnel. ITSC may conduct on-site checks of compliance with physical security.
  6. Administration of the IT system must be performed by qualified or dedicated IT staff.
  7. The IT system will be reviewed by ITSC and must pass the ITSC Vulnerability Assessment Test.
  8. The System Owner must provide ITSC with proper system documentation.
  9. After CADS is approved by ITSC, the System Owner is encouraged to include the following on the system's web page:
     - the CADS logo;
     - the CADS reference number (listed on the CADS-registered IT Systems page, which is restricted to authorized CUHK staff and students with a valid Computing ID and CWEM password);
     - the message "This is a CADS-registered IT System. It passed the application procedures published at http://www.cuhk.edu.hk/itsc/security/cads and was approved by ITSC."
 
 
     
6. Authentication and Authorization


Authentication is performed by CADS, which verifies only whether the person holds a valid identity in the University. It remains the IT System Owner's responsibility to manage the authorization of users within the application, according to each user's role or status (staff/retiree, student/alumni) with the University.
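The following is an added example, not ITSC code, showing how an IT System Owner's login component can enforce the Section 4.3 controls (encrypted transport to CADS, a cap on password attempts, no password storage) while keeping the Section 6 split: the directory bind answers only "is this a valid University identity?", and the owner's own rule on role/status decides authorization. Everything beyond the policy text is an assumption: the LDAP simple-bind style of authentication, the DN layout, the `affiliation` attribute name, the `ldap.itsc.example` host, and the lockout numbers. The directory is an in-memory fake with constructed accounts so the module runs offline; a real deployment would swap `fake_bind`/`fake_lookup` for calls into its LDAP client library.

```python
"""Illustrative CADS-style login wrapper (example code, not ITSC's interface).
Assumptions not taken from the policy: LDAP simple bind, the DN layout below,
an 'affiliation' attribute, and the 5-attempt / 15-minute lockout values."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """The integration itself breaks a CADS guideline (e.g. cleartext LDAP)."""


# Constructed fake directory, NOT real accounts: computing ID -> (password, affiliation).
FAKE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "s1155000001": ("correct-horse", "student"),
    "staff0001": ("battery-staple", "staff"),
    "alum0001": ("graduated-2001", "alumni"),
}


def computing_id_to_dn(computing_id: str) -> str:
    """Hypothetical DN shape; the real CADS directory layout is not on the page."""
    return f"uid={computing_id},ou=people,dc=cuhk,dc=edu,dc=hk"


def _uid_from_dn(user_dn: str) -> str:
    return user_dn.split(",", 1)[0][len("uid="):]


def fake_bind(user_dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: true only for the correct password."""
    entry = FAKE_DIRECTORY.get(_uid_from_dn(user_dn))
    return entry is not None and secrets.compare_digest(entry[0], password)


def fake_lookup(user_dn: str) -> Dict[str, str]:
    """Stand-in for an LDAP search returning the user's directory attributes."""
    entry = FAKE_DIRECTORY.get(_uid_from_dn(user_dn))
    return {"affiliation": entry[1]} if entry else {}


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str                           # ok | locked | bad-credentials | not-authorized
    affiliation: Optional[str] = None
    session_token: Optional[str] = None   # opaque token; the password itself is never kept


class CadsAuthenticator:
    def __init__(self, server_url: str,
                 bind_fn: Callable[[str, str], bool],
                 lookup_fn: Callable[[str], Dict[str, str]],
                 allowed_affiliations=("staff", "student"),
                 max_failures: int = 5, lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        # Guideline: encrypt all data between the IT system and CADS. Refuse plain ldap://.
        if urlparse(server_url).scheme != "ldaps":
            raise PolicyViolation(f"CADS traffic must use ldaps://, got {server_url!r}")
        self.server_url = server_url
        self._bind, self._lookup, self._clock = bind_fn, lookup_fn, clock
        self._allowed = frozenset(allowed_affiliations)
        self._max_failures, self._lockout_seconds = max_failures, lockout_seconds
        # Guideline: control the number of password trials. Only counters live here.
        self._failures: Dict[str, Tuple[int, float]] = {}

    def is_locked(self, computing_id: str) -> bool:
        _, locked_until = self._failures.get(computing_id, (0, 0.0))
        return self._clock() < locked_until

    def authenticate(self, computing_id: str, password: str) -> AuthResult:
        if self.is_locked(computing_id):
            return AuthResult(False, "locked")
        user_dn = computing_id_to_dn(computing_id)
        # Section 6: the directory bind only says whether this is a valid identity.
        if not self._bind(user_dn, password):
            count = self._failures.get(computing_id, (0, 0.0))[0] + 1
            until = self._clock() + self._lockout_seconds if count >= self._max_failures else 0.0
            self._failures[computing_id] = (count, until)
            return AuthResult(False, "bad-credentials")
        self._failures.pop(computing_id, None)
        # Section 6: authorization is the System Owner's rule on role/status.
        affiliation = self._lookup(user_dn).get("affiliation")
        if affiliation not in self._allowed:
            return AuthResult(False, "not-authorized", affiliation)
        # Guideline: no password storage, even temporary; hand out a random session token instead.
        return AuthResult(True, "ok", affiliation, secrets.token_urlsafe(32))


def demo() -> Dict[str, object]:
    """Runs the constructed scenario (fixed clock) and returns the observable outcomes."""
    auth = CadsAuthenticator("ldaps://ldap.itsc.example", fake_bind, fake_lookup,
                             clock=lambda: 1000.0)
    out: Dict[str, object] = {"student": auth.authenticate("s1155000001", "correct-horse"),
                              "alumni": auth.authenticate("alum0001", "graduated-2001")}
    for _ in range(5):
        out["last_failure"] = auth.authenticate("staff0001", "guess")
    out["staff_after_lockout"] = auth.authenticate("staff0001", "battery-staple")
    try:
        CadsAuthenticator("ldap://ldap.itsc.example", fake_bind, fake_lookup)
        out["cleartext_rejected"] = False
    except PolicyViolation:
        out["cleartext_rejected"] = True
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that the lockout is keyed on the computing ID, so a correct password is refused while the lock is in force; a production system would also need to persist the counters across processes and log the lockout for the incident-reporting route in Section 4.1.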

 
 
     
7. CADS-registered IT Systems  
  Visit https://www.cuhk.edu.hk/itsc/restricted/login/cads-registered-systems.html for details. This page is restricted to authorized CUHK staff and students with a valid Computing ID (user name) and CWEM password (password) to login.
 
 
     
8. How to check if an IT system is CADS-registered?

  1. Check whether the IT system is listed on the web page at https://www.cuhk.edu.hk/itsc/restricted/login/cads-registered-systems.html. This page is restricted to authorized CUHK staff and students with a valid Computing ID (user name) and CWEM password (password).
  2. Contact the IT System Owner for the legitimate URL of the system.
  3. Never use a search engine to locate the site.
 
 
     
9. What to do if you find an IT system that asks for a CWEM account but is not listed on the ITSC CADS-registered IT Systems web page?

  1. Do not use the IT system.
  2. Report to ITSC (Call 26098845 during office hours or write to ITSC Electronic HelpDesk at https://helpdesk.itsc.cuhk.edu.hk/group/abuse)
 
 
     
10. Enquiries

  Please write to the ITSC Electronic HelpDesk at https://helpdesk.itsc.cuhk.edu.hk/group/abuse.
 
 
     
11. Central Authentication and Directory Service Application Form


Please visit http://www.cuhk.edu.hk/itsc/onlineapp/form/a20.doc
