Rockwell Software's Security Server Network Edition
7/27/2019 Rockwell Software's Security Server Network Edition
Getting Results with Rockwell Software's Security Server (Network Edition)
August 2000
Contacting Rockwell Software
Technical Support Telephone: 1-440-646-7800
Technical Support Fax: 1-440-646-7801
World Wide Web: www.software.rockwell.com
Copyright Notice
© 1999, 2000 Rockwell Software Inc., a Rockwell Automation company. All rights reserved.
Printed in the United States of America.
Portions copyrighted by Allen-Bradley Company, LLC, a Rockwell Automation company.
This manual and any accompanying Rockwell Software products are copyrighted by Rockwell Software Inc. Any reproduction and/or distribution without prior written consent from Rockwell Software Inc. is strictly prohibited. Please refer to the license agreement for details.
Trademark Notices
The Rockwell Software logo, RSAlarm, RSAnimator, RSAssistant, RSBatch, RSBreakerBox, RSButton, RSChart, RSCompare, RSControlRoom, RSData, RSDataPlayer, RSEventMaster, RSGauge, RSJunctionBox, RSLogix Emulate 5, RSLogix Emulate 500, RSGuardian, RSHarmony, RSKeys, RSLadder, RSLadder 5, RSLadder 500, RSLibrary Builder, RSLinx, RSLogix 5, RSLogix 500, RSLogix Frameworks, RSLogix SL5, RSMailman, RSNetworx for ControlNet, RSNetworx for DeviceNet, RSPortal, RSPower, RSPowerCFG, RSPowerRUN, RSPowerTools, RSRules, RSServer32, RSServer, RSServer OPC Toolkit, RSSidewinderX, RSSlider, RSSnapshot, RSSql, RSToolbox, RSToolPak I, RSToolPak II, RSTools, RSTrainer, RSTrend, RSTune, RSVessel, RSView32, RSView, RSVisualLogix, RSWheel, RSWire, RSWorkbench, RSWorkshop, SoftLogix 5, A.I. Series, Advanced Interface (A.I.) Series, AdvanceDDE, AutomationPak, ControlGuardian, ControlPak, ControlView, INTERCHANGE, Library Manager, Logic Wizard, Packed DDE, ProcessPak, View Wizard, WINtelligent, WINtelligent LINX, WINtelligent LOGIC 5, WINtelligent VIEW, WINtelligent RECIPE, WINtelligent VISION, and WINtelligent VISION2 are trademarks of Rockwell Software Inc., a Rockwell Automation company.
Data Highway Plus, DH+, DHII, DTL, MicroLogix, Network DTL, PLC, PLC-2, PLC-3, PLC-5,
PowerText, Pyramid Integrator, PanelBuilder, PanelView, PLC-5/250, PLC-5/20E, PLC-5/40E,
PLC-5/80E, SLC, SLC 5/01, SLC 5/02, SLC 5/03, SLC 5/04, SLC 5/05, and SLC 500 are
trademarks of the Allen-Bradley Company, LLC, a Rockwell Automation company.
Microsoft, MS-DOS, Windows, and Visual Basic are registered trademarks, and Windows NT,
Windows 98, Microsoft Access, and Visual SourceSafe are trademarks of the Microsoft
Corporation.
ControlNet is a trademark of ControlNet International.
DeviceNet is a trademark of the Open DeviceNet Vendors Association.
Ethernet is a registered trademark of Digital Equipment Corporation, Intel, and Xerox Corporation.
Pentium is a registered trademark of the Intel Corporation.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
IBM is a registered trademark of International Business Machines Corporation. AIX, PowerPC,
Power Series, RISC System/6000 are trademarks of International Business Machines Corporation.
UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company Limited.
AutoCAD is a registered trademark of Autodesk, Inc.
Warranty
This Rockwell Software product is warranted in accord with the product license. The product's performance will be affected by system configuration, the application being performed, operator control and other related factors.
The product's implementation may vary among users.
This manual is as up-to-date as possible at the time of printing; however, the accompanying software may have changed since that time. Rockwell Software reserves the right to change any information contained in this manual or the software at any time without prior notice.
The instructions in this manual do not claim to cover all the details or variations in the equipment, procedure, or process described, nor to provide directions for meeting every possible contingency during installation, operation, or maintenance.
Preface
Purpose of this book
This getting results book provides you with information on how to install and use Rockwell Software's Security Server. It also explains how to access and navigate the online help.
Intended audience
We assume that you are a network engineer, and that you are familiar with:
- Microsoft Windows NT
- Domain administration for Windows networks
How does it fit in with other Rockwell Software product documentation?
The getting results book can be considered the entry point into our documentation set. The documentation set contains pertinent, easily accessible product information and ships with the software product. The documentation set is designed to free you from tedious paper shuffling and reduce information overload. The getting results book and online help make up the RSI documentation set.
Online help
The online help includes all overview, procedural, screen, and reference information for the product. The help contains four basic components: overview topics, quick start topics, step-by-step procedures, and screen element descriptions (for example, text boxes, drop-down lists, and option buttons). All of the help is context sensitive with the application and provides the user with immediate access to application tasks and screen element descriptions.
Document conventions
The conventions used throughout this document for the user interface comply with those recommended by Microsoft Corporation. If you are not familiar with the Microsoft Windows user interface, we recommend that you read the documentation supplied with the operating system you are using before attempting to use this software.
Feedback
Please use the feedback form, which you will find packaged with your software, to report errors and/or let us know what information you would like to see added in future editions of this document.
Table of Contents

Preface
  Purpose of this book
  Intended audience
  How does it fit in with other Rockwell Software product documentation?
  Document conventions
  Feedback

Chapter 1: Introducing Rockwell Software's Security Server
  What Rockwell Software's Security Server is
  What is a resource?
  What is an access control list?
  What is an action?
  The Network Edition of the Security Server
  The Standalone Edition of the Security Server

Chapter 2: Installing the Security Server and clients
  Introduction
  System requirements
  Before installing the server
  Installing the Security Server
  Setting the start up parameters for the Security Server service
  Setting up DCOM for the users of the Security Server
  Installing clients for the Security Server

Chapter 3: Managing your Security Server configuration
  The Security Server Configuration Explorer
  The Security Server model
  Adding user groups to the system (page 25)
  Importing actions for Rockwell Software applications (page 26)
  Adding a single user to a group (page 26)
  Adding workstation groups to the system (page 27)
  Creating a resource (page 28)
  Grouping resources (page 29)
  Grouping actions (page 29)
  Assigning access to individuals and groups (page 30)
  Finding users, workstations, actions, or groups (page 32)
  Viewing and changing the server properties (page 32)
  Refreshing access control lists (page 36)
  Using admin accounts to control access to the Security Server's Configuration Explorer (page 36)
  Roaming security (page 37)

Chapter 4: Backing up and synchronizing Security Servers (page 39)
  Using directory replication (page 39)
  Exporting your Security Server database (page 39)
  Importing your Security Server database (page 40)
  Restoring a previously saved configuration (page 40)

Chapter 5: Upgrading from Standalone Edition to Network Edition (page 43)

Appendix A: Setting up A.I. Series software to use Security Server (page 45)
  Creating the global resource for PLC-5 A.I. Series (page 45)
  Creating the global resource for PLC-3 A.I. Series (page 46)
  Creating a resource based on processor name for PLC-5 processors (page 47)
  Creating a resource based on processor name for PLC-3 processors (page 48)

Appendix B: Setting which account domain controller to use (page 49)
  Background (page 49)
  Changing the account domain controller

Appendix C: Consolidating processor resources for RSLogix 5 and RSLogix 500
  Rules for resource consolidation
  Consolidating processor resources
  Unconsolidation

Glossary

Index
Chapter 1: Introducing Rockwell Software's Security Server
What Rockwell Software's Security Server is
It's easy to protect a system from unwanted intrusion or unauthorized use. Lock it up and don't let anyone use it at all. Don't connect it to a network, don't leave it where someone could get to it, and most likely, you won't have anything to worry about. The problem with that scenario, of course, is that we don't use computers that way. We can't lock them up and we can't keep them off our networks. We have to allow people to use them, and that is where security problems arise.
We want to protect our systems from unauthorized use, but we also want authorized users to use the systems efficiently. We also want to make security efficient for ourselves, making changes to the system as simple as possible.
Rockwell Software's Security Server is a centralized system for restricting access to resources. Centralizing the system makes it easier for you to establish and maintain secure systems.
There are two forms of the Security Server:
- A Network Edition (the edition this book discusses), which gives you centralized control over security functions for Rockwell Software products over your entire network.
- A Standalone Edition, which gives you local control over security functions on the machine where you install the Security Server.
These two forms operate in much the same way, except that the Network Edition has some features the Standalone Edition does not have.
What is a resource?
A resource is an application, processor, or computer that the Security Server can restrict access to. Resources contain actions: functions that can be controlled. Resources also contain rules for access to actions, called access control lists (ACLs). These rules define who can access the resource's actions, and the circumstances under which a user can access those actions.
Global and application resources
Resources are either global, controlling access to actions in an application, or application resources, controlling access to a particular aspect of an application's functions.
For example, in PLC-5 A.I. Series software, there is a global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used.
However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on which processors are being used.
A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.
What is an access control list?
Access control lists are lists of rules regarding access to actions. Simply put, access control lists (ACLs) define who can do what to a resource and from where they can do it.
Each rule in an ACL requires a user or user group, a workstation or workstation group, and a software function (action). ACL rules are called access control entries (ACEs).
Who can do what from where
Access control lists answer the question "who can do what from where." Forming and maintaining ACLs is the central activity in the Security Server. Therefore, understanding how ACLs work is critical to using the Security Server effectively and efficiently.
Access control entries
An ACL contains entries, each of which contains four parts:
- User, which defines who can or can't access the resource and action
- Workstation, which is the physical location of the user (Network Edition only)
- Action, which is an operation performed on a resource
- Deny/Grant, which defines whether the user can or cannot use the function
Of course, many facilities will have hundreds of potential users, workstations and actions available. The Security Server permits you to group users, workstations, and actions to make the process of creating ACLs more efficient. (Workstations are part of ACLs only in the Network Edition of the Security Server.)
For example, if you have a group of electricians, all of whom can perform certain actions from certain workstations, you can create a group called Electricians and place all of your electricians in that group. You can then create a group of workstations called Electrician Workstations and place all of the workstations the electricians use into that group. You can then create a group of actions called Electrician Actions and place all of the actions electricians can perform in that group. You could then create an ACE that says:
Electricians at Electrician Workstations are granted Electrician Actions
[Figure: an access control list whose ACL members (access control entries) each contain a User, a Workstation, an Action and a Deny/Grant setting.]
You can create groups based on however your facility is organized: by job function, by area, by whatever means you like. However you do it, you'll want to plan how you are going to organize people, workstations, and actions before you begin using the Security Server.
What is an action?
An action is a software function. The Security Server controls access to actions through access control lists (ACLs).
For example, online programming is a software function that is an action for PLC-5 A.I. Series software. With the Security Server, you can control who can program online and from which workstations a given person can program online.
Applications provide a list of their actions to the Security Server. See your application's documentation for information about how it sends its list of actions to the Security Server.
[Figure: these electricians (Bob, Hans, Sue, Ray, Hilda, Maria), these workstations (Machine 1 through Machine 6) and these PLC-5 A.I. Series actions (Data Table Value Modification, Description Editing, Downloading Program to PLC-5, Forcing Functions, Offline Monitoring, Offline Programming, Online Monitoring, Online Processor Mode Changes, Online Programming, Updating Program from PLC-5) can be grouped into the "Electricians", "Electrician Workstations" and "Electrician Actions" groups and used to form this simple ACL: "Electricians" at "Electrician Workstations" are granted "Electrician Actions".]
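To make the "who can do what from where" rule concrete, here is an added Python model of ACL evaluation (example code, not Rockwell's software): the group names, users, machines and action names are the ones from the electricians example above; the ACE type and the check_access and allowed_actions helpers are assumed names; and the rule that a Deny entry overrides a Grant is an assumption the manual does not state.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample groups, following the electricians example in the text.
GROUPS: Dict[str, FrozenSet[str]] = {
    "Electricians": frozenset({"Bob", "Hans", "Sue", "Ray", "Hilda", "Maria"}),
    "Electrician Workstations": frozenset(f"Machine {i}" for i in range(1, 7)),
    "Electrician Actions": frozenset({
        "Data Table Value Modification", "Description Editing",
        "Downloading Program to PLC-5", "Forcing Functions",
        "Offline Monitoring", "Offline Programming", "Online Monitoring",
        "Online Processor Mode Changes", "Online Programming",
        "Updating Program from PLC-5",
    }),
}


@dataclass(frozen=True)
class ACE:
    """One access control entry: who (user or user group), from where
    (workstation or workstation group), what (action or action group),
    and whether the entry is a Grant (True) or a Deny (False)."""
    user: str
    workstation: str
    action: str
    grant: bool


def members(name: str, groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Expand a group name to its members; a name that is not a group
    stands for the single user, workstation or action of that name."""
    return groups.get(name, frozenset({name}))


def ace_matches(ace: ACE, user: str, workstation: str, action: str,
                groups: Dict[str, FrozenSet[str]]) -> bool:
    """True if this entry covers the requested user/workstation/action triple."""
    return (user in members(ace.user, groups)
            and workstation in members(ace.workstation, groups)
            and action in members(ace.action, groups))


def check_access(acl: List[ACE], user: str, workstation: str, action: str,
                 groups: Dict[str, FrozenSet[str]] = GROUPS) -> bool:
    """Answer 'can this user do this action from this workstation?'.
    Assumption (the manual does not spell out conflict handling): a request
    with no matching entry is denied, and any matching Deny overrides a Grant."""
    verdicts = [ace.grant for ace in acl
                if ace_matches(ace, user, workstation, action, groups)]
    return bool(verdicts) and all(verdicts)


def allowed_actions(acl: List[ACE], user: str, workstation: str,
                    groups: Dict[str, FrozenSet[str]] = GROUPS) -> Set[str]:
    """Audit helper: every action the ACL lets this user perform from here."""
    known_actions: Set[str] = set()
    for ace in acl:
        known_actions |= members(ace.action, groups)
    return {a for a in known_actions
            if check_access(acl, user, workstation, a, groups)}


# The ACE from the text, plus one constructed Deny entry to show precedence.
ACL: List[ACE] = [
    ACE("Electricians", "Electrician Workstations", "Electrician Actions", grant=True),
    ACE("Bob", "Electrician Workstations", "Forcing Functions", grant=False),
]

if __name__ == "__main__":
    for who, where, what in [("Bob", "Machine 3", "Online Programming"),
                             ("Bob", "Office PC", "Online Programming"),
                             ("Bob", "Machine 2", "Forcing Functions")]:
        verdict = "Grant" if check_access(ACL, who, where, what) else "Deny"
        print(f"{who} at {where}: {what} -> {verdict}")
```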
The Network Edition of the Security Server
In the Network Edition of the Security Server, the software maintains the resources, user groups, and workstation groups and provides access to them from applications. Applications access the Security Server when they are about to perform a secured function (the exact timing of these accesses varies from application to application). The Security Server responds to the application, either granting or denying the user-requested action based on the ACEs.
The Network Edition of the Security Server provides network level security. Users of this edition are domain users. User groups may be defined either in the Security Server or as domain user groups.
The Standalone Edition of the Security Server
The Standalone Edition of the Security Server operates in much the same way as the Network Edition, except there is no separate computer running the Security Server.
The Standalone Edition provides workstation level security. For Windows NT or Windows 2000, users may be local users or private users. Private users exist only within the Security Server database. For Windows 95, Windows 98, or Windows Me platforms, users can be only private users.
Tip: The Security Server does not work if the Rockwell Software applications on a given computer are not aware that a Security Server system exists. Generally, you must configure applications to use the Security Server, and the configurations can be overridden by reinstalling the software (the details of overriding the Security Server depend on the individual application). To ensure your system is secure, make sure you secure the installation disks for your Rockwell Software applications.
Chapter 2: Installing the Security Server and clients
Introduction
This chapter explains how to install and start the Security Server software. The chapter includes information on the following:
- system requirements
- installation methods
- installation procedures
- updating an existing installation
- starting procedures
After installing the software, we recommend that you read the release note located in the online help. The release note may contain more up-to-date information than was available when this document was published. To view the release note, click Start > Rockwell Software > Security Server Network Edition > Release Notes.
System requirements
The Network Edition of the Security Server installs in two phases:
- A server installation, which takes place on the computer on which you want to run the server.
- A client installation, which takes place on the client workstations. The server installation places the software for installing the client in a directory you can share with the workstations that will install the client for the Security Server. This saves you from having to carry disks to the client workstations and provides a centralized point for updating the client.
The Security Server requires:
- A computer running one of the following operating systems:
  - Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with Service Pack 4 or higher). Additional computers are required if you want backup security servers. See "Should you run the Security Server on a Workstation or Server?" on page 9 for information about whether to run the Security Server on Windows NT Workstation or Windows NT Server.
  - Microsoft Windows 2000 Workstation or Windows 2000 Server. Additional computers are required if you want backup security servers. See "Should you run the Security Server on a Workstation or Server?" on page 9 for information about whether to run the Security Server on Windows 2000 Workstation or Windows 2000 Server.
- Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in mixed domain environments (without Active Directory).
The client for the Security Server requires:
- A computer running one of the following operating systems:
  - Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with Service Pack 4) or higher
  - Microsoft Windows 2000 Workstation or Windows 2000 Server
  - Microsoft Windows Me
  - Microsoft Windows 98
  - Microsoft Windows 95 with the DCOM patch (see Microsoft's Web site for this patch: www.microsoft.com)
- Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in Windows 2000 forests/domains configured as mixed mode.
Should you run the Security Server on a Workstation or Server?
A significant difference between the Workstation and Server versions of Windows 2000 and Windows NT is that the Workstation versions can support only ten simultaneous network connections. This does not mean that you can have only ten Rockwell Software client applications connected to one Security Server running on a Workstation system. Communication to the Security Server takes place only when it's needed, so it's likely that you could use a Workstation to run the Security Server for much larger facilities. However, if more than ten Rockwell Software client applications try to perform a secured action at the same time, the client workstations will not be able to connect to the Security Server.
If you already have a Server system, it's probably a good idea to run the Security Server on that system.
Before installing the server
Before running the server setup, you must verify the settings for the currently logged on user account. Failure to do so will result in improper installation of the software.
You must have administrator rights on your Windows NT or Windows 2000 machine to install the Security Server. If you are not an administrator of your machine, an administrator can add your account to the Administrators group or install the Security Server for you.
The Security Server runs as a service
The Security Server runs as a service. However, it can't run correctly in the System account (the System account can't access network services, and the Security Server relies on network services). It must run under a user account, which means that the software must log on as a user. You may want to give the Security Server a user account of its own rather than having it run in the account of a human user. (The account you use will be validated with your account domain.)
Tip: Installing the Security Server requires an account in which the server will run.
When you install the Security Server, you must log on with an account that has Administrator rights. The installation program will establish the following rights for the user account under which the Security Server will run:
- Act as part of the operating system
- Generate security audits
- Log on as a service
- Manage auditing and security log
Where you should install the Security Server
If you intend users in more than one domain to access the same Security Server, you must run the server under an account in a domain that is trusted by the other domains containing users of the Security Server.
The following illustration shows where you can install the Security Server in four basic networking scenarios. Note this applies only to Windows NT 4.0 domains; Windows 2000 native domains (with Active Directory) are not currently supported.
[Figure: four scenarios. Two domains, one-way trust relationship (Domain A is the account domain, Domain B): install the server on Domain A. Two domains, two-way trust relationship (Domain A is the account domain, Domain B): install the server on either domain. Three domains, one-way trust relationships (Domain A is the account domain, Domain B, Domain C) where there is no trust relationship between Domain C and Domain A: there is no configuration that would allow one RSSecurity Server to serve users on all three domains. Three domains, one-way trust relationships (Domain B, Domain A as the account domain, Domain C): install the server on Domain A.]
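The placement rule above, as an added Python example (not from the manual): candidate_server_domains is an assumed helper that, given the domains holding users and their one-way trust relationships, lists the domains whose account could host one Security Server for all of them. The four constructed topologies follow the scenarios in the illustration; trusts are treated as non-transitive, as they are in Windows NT 4.0.

```python
from typing import Dict, Iterable, List, Set, Tuple

# A trust is a (trusting, trusted) pair: the trusting domain accepts accounts
# from the trusted domain. A two-way trust is simply both pairs.
Trust = Tuple[str, str]


def candidate_server_domains(user_domains: Iterable[str],
                             trusts: Iterable[Trust]) -> List[str]:
    """Return the domains in which the Security Server's service account could
    live so that users in every listed domain can reach the same server.
    Rule from the text: the account domain must be trusted by every other
    domain that has users. NT 4.0 trusts are not transitive, so only direct
    trusts count; an empty result means no single server can serve them all."""
    domains: Set[str] = set(user_domains)
    trusted_by: Dict[str, Set[str]] = {d: set() for d in domains}
    for trusting, trusted in trusts:
        trusted_by.setdefault(trusted, set()).add(trusting)
    return sorted(d for d in domains
                  if all(other == d or other in trusted_by[d] for other in domains))


# Constructed topologies matching the four scenarios in the illustration.
SCENARIOS: Dict[str, Tuple[List[str], List[Trust]]] = {
    "two domains, one-way trust": (
        ["Domain A", "Domain B"],
        [("Domain B", "Domain A")]),
    "two domains, two-way trust": (
        ["Domain A", "Domain B"],
        [("Domain B", "Domain A"), ("Domain A", "Domain B")]),
    "three domains, C does not trust A": (
        ["Domain A", "Domain B", "Domain C"],
        [("Domain B", "Domain A"), ("Domain C", "Domain B")]),
    "three domains, B and C both trust A": (
        ["Domain A", "Domain B", "Domain C"],
        [("Domain B", "Domain A"), ("Domain C", "Domain A")]),
}


def placement_report() -> Dict[str, List[str]]:
    """Map each scenario name to the domains that can host the server."""
    return {name: candidate_server_domains(doms, trusts)
            for name, (doms, trusts) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, where in placement_report().items():
        hosts = ", ".join(where) if where else "no configuration serves all domains"
        print(f"{name}: {hosts}")
```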
Installing the Security Server
Tip: Before installing the Security Server, you must log on to the domain in which you intend to run the Security Server. Make sure the user name under which the Security Server will run has an account on the domain. Otherwise the software will install, but it won't configure properly.
1. On the machine on which you want to install the Security Server, insert the Security Server CD-ROM into the CD-ROM drive.
   If autorun is enabled: The Setup program starts automatically and the Welcome dialog box appears. Proceed to step 2.
   If autorun is disabled: Perform the following steps:
   a. Click Start, then click Run. The Run dialog box appears.
   b. In the Open field, type x:\setup, where x is the letter of the drive containing the Security Server CD-ROM.
   c. Click OK. The Welcome dialog box appears.
2. Follow the instructions that appear on the screen.
   a. On the Welcome dialog box - Read the Security Server introductory information, and then click Next.
   b. On the Software License Agreement dialog box - Read the entire Software License Agreement. Click Yes to accept and continue installation, or click No to decline and exit the installation.
   c. On the Registration Information dialog box - Type your name, the name of your company, the support ID number of your software, and then click Next.
   Tip: You can find the support ID number on the product box label.
   d. On the Select Folder dialog box - Select a directory location for the Security Server application files.
   A dialog box appears, indicating that a Security Server subdirectory will be created in the specified destination directory. Click Yes to confirm, or No to exit.
   e. On the Select Components dialog box - Select installation options. In the Product (left) pane, select the Security Server product(s) that you want to install. In the Product Options (right) pane, select the component(s) of each product that you want to install. If you want to create a centralized location for the workstation client software, make sure Client Install is checked. Click Next.
   f. On the Specify Start Menu Item dialog box - Accept the default program folder, or type the name of the program folder in which you want the Security Server application icons to appear. Click Next.
   A dialog box appears, indicating the specified location of the Security Server icons in the Start menu. Click Yes to confirm, or No to exit.
   g. On the Security Server Network Edition dialog box - Confirm your previous selections, and then click Next. The Setup dialog box appears while files are being copied to the hard disk drive.
   h. On the Rockwell Software's Security Service Installer dialog box - Set the parameters for running the Security Server. These parameters are described on page 13.
   i. On the Rockwell Software's Security Service Installer dialog box - Read and follow the instructions. You can also refer to the instructions starting on page 14 for information regarding setting up DCOM for the server.
   j. On the Setup Complete dialog box - Select the activation and readme viewing options and click Finish.
   To begin activation, insert the Master disk into the 3.5-inch disk drive.
   k. On the EVMOVE dialog box - Follow the instructions that appear on the screen to activate the Security Server software.
   l. On the Restart Windows dialog box - Specify the restart option for your operating system and click Finish. The installation is complete.
3. When you are finished installing the software, remove the Security Server CD-ROM from the CD-ROM drive and the Security Server Master disk from the disk drive. Store them in a safe place.
Tip: If you have a number of computers that will be clients for the Security Server, you can automate the process of selecting servers for the clients. See page 20 for more information.
Installing the Security Server and clients
Setting the start up parameters for the Security Server service
After the setup program copies its files to your server's hard drive, it will display the Rockwell Software's Security Service Installer window. The following table describes the installation parameters.
The Security Server runs as a service, whether it starts automatically at machine startup, manually when a client requests it to start, or through the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.)
If the server starts manually through DCOM (when a client requests it to start), it will stop when the last client disconnects from it.
This parameter: Does this:
Domain: The domain of the user account in which the Security Server will run.
Account: The user account under which the Security Server will run. By default, this field shows the account you are currently using. If this is not the account you want to run the Security Server, enter the correct account name.
Password: The password for the account under which the Security Server will run. The field is blank by default. You must enter the password for the account.
Startup Mode: The Security Server runs as a service. You can have the service start when Windows starts, or you can choose to start the service manually.
    Manual: The Security Server starts when an application requests it. This is the default setting.
    Automatic: The Security Server starts when the machine boots.
    Most likely, you'll want the service to start manually. That way, the server does not run until an application requests it, taking the minimum amount of resources. However, for large networks, you probably will want the service to start automatically.
If the service fails to install properly
When you click OK, the Security Server validates the user name with the domain controller. If you did not log on to the correct domain, or if the user name you have entered is not a valid user and enabled in the domain you entered, configuration of the Security Server service will fail.
If you have entered a valid domain and user, but not a valid password for that user, the Security Server service will fail to start due to a logon failure.
To solve these problems, verify that the user for the Security Server exists in the domain, then log on to that domain. Run the Security Server Service Installer, and correct the problem. (Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer.)
For the account validation to work properly, you must disable the Guest account. See your Windows NT or Windows 2000 documentation for information about disabling accounts.
Changing the service installation parameters
You can change the service installation parameters by running the Security Server Service Installer. Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer.
The server will be identified for the Security Server clients by the name of the machine running the Security Server. Note the name of the machine running the server.
If the service is started automatically at machine startup or manually through the Services applet, the service can only be stopped by the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.)
Setting up DCOM for the users of the Security Server
Applications communicate to the Security Server using Microsoft's Distributed Component Object Model system, otherwise known as DCOM. You must set up DCOM so users of the Security Server can launch and access the Security Server.
There are two layers to DCOM configuration. There is a default layer, which applies to all DCOM-enabled applications. There is also an application-specific layer, which applies only to the application being accessed (in this case, the Security Server database). Users must have rights to both layers; if they are denied access to the default layer, they cannot access the application-specific layer.
Create a group of users for the Security Server
Probably the most efficient way of handling the configuration is to create a group of users. You must be an administrator of the computer on which you are creating the group.
See your Windows NT or Windows 2000 documentation for information about creating user groups.
Give the group access to the service
Give the new user group the Access this computer from network right. The group members will need this right, since they will be using the network to access the server.
Tip: DCOM connections are cached by the server. If a user attempts a connection and the connection fails because the user does not have rights to make the connection, the server will continue to deny that user access until the server is rebooted. The same thing applies to made connections; once a user can make a connection, that user will be able to make that connection until the computer running the Security Server is rebooted. Therefore, when you make changes to the DCOM configuration, it is a good idea to reboot the computer running Security Server.
Set up the DCOM configuration so the group has access
DCOM configuration is done through the DCOMCNFG.EXE application.
Start DCOMCNFG
To start DCOMCNFG, click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.
Set the default properties
In the Distributed COM Configuration Properties window, click the Default Properties tab. Set the default DCOM properties as shown.
Tip: The DCOMCNFG application may look somewhat different on your system. The setting location and names should be the same.
[Figure: Default Properties tab of DCOMCNFG. Set the Default Authentication Level to Connect, make sure the indicated checkbox is checked, and set the Default Impersonation Level to Identify.]
Setting the default DCOM permissions
In the Distributed COM Configuration Properties window, click the Default Security tab.
Set the default launch permissions
In the Default Launch Permissions section, click the Edit Default button.
Add the Security Server users group to the list of who can launch a DCOM application. Make sure Type of Access is set to Allow Launch.
If the SYSTEM account is not added with Allow Launch access, DCOM cannot start (the System Control Manager, which runs DCOM, runs in the SYSTEM account). Make sure the SYSTEM account is in the default launch permissions list with Allow Launch access. It is also a very good idea to have the INTERACTIVE user in this list as well. Otherwise, someone using the Security Server on the server machine may not be able to start it.
Set the application-specific DCOM properties
In the Distributed COM Configuration Properties window, click the Applications tab. Click the Sentinel.Database application, then click Properties. This displays the Sentinel.Database properties window.
In the Sentinel.Database properties window, click the Security tab.
[Figure: Security tab of the Sentinel.Database properties window. The access permissions section sets who can access the Security Server; the launch permissions section sets who can launch the Security Server.]
For the access permissions section, click Use custom access permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Access.
For the launch permissions section, click Use custom launch permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Launch.
Reboot the server computer
To make sure your changes to the DCOM configuration are in place, reboot the computer. Otherwise, old cached connections could prevent proper configuration.
Installing clients for the Security Server
To install the client for computers running A.I. Series software (or to place the Configuration Explorer on a client machine):
1. From the computer running the Security Server, give read access for the ClientSetup directory (by default, C:\Program Files\Rockwell Software\Security Server\ClientSetup) to the client workstations.
2. From the client workstations, install the client software from the ClientSetup directory on the server. (The client is already installed on the computer running the Security Server.)
Tip: When you install a Rockwell Software application that uses the Security Server, client software is installed along with the application (except for A.I. Series software).
When you install a client for the Security Server on a client machine, you can also install the Security Server Configuration Explorer, which allows you to administer security rights from client workstations. This can be very convenient for administration of your security system.
If you install the Configuration Explorer on a client machine, make sure you create administrator accounts for the Security Server (see page 36). Otherwise, any user on the client machine will be able to change the security configuration.
Configuring the clients to use servers
From a computer that has a client for the Security Server installed, click Start > Rockwell Software > Security Server Client > Security Server Definition. This application defines the servers to which you are attaching the client.
To define a server:
1. Click Browse to display a Network Neighborhood view of computers on your workstation's domain.
2. In the list of machines that appears, click the name of the machine that is running the Security Server, then click OK.
3. To add backup Security Servers into the list, click New, select a server, then click OK.
[Figure: Security Server Definition window. Click Browse to locate a server; when you select a workstation name, it appears in the name field. Click New to define a new server, and click Add to add the selected server to the list. When you have defined a server, it appears in the server list; click the arrows to change the server priority.]
Important: If you are configuring a backup Security Server, make sure its server list matches the primary Security Server's list.
4. You can adjust the priority of machines (the order in which the client will look at servers) by clicking on a server, then clicking the arrow buttons next to the server list. Servers toward the top of the list have higher priority.
5. Click the OK button. You have now configured the client to use Security Servers.
If the client is unable to connect to the primary Security Server, it will try to connect to backup servers in the order set in step 4.
Enable remote DCOM (for Windows 98 clients)
If you are running the Security Server client on a computer running Windows 98, you must enable remote DCOM before you can connect the client to the Security Server computer. To enable remote DCOM:
1. Start the DCOMCNFG application. This application allows you to configure DCOM settings. To run DCOMCNFG:
a. Click Start > Run.
b. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.
2. Click the Default Security tab.
3. Check the Enable Remote Connection checkbox.
Automating client setup
You can automate the client setup process by changing the SERVER.INI file found in the ClientSetup directory on the Security Server. Changing the SERVER.INI file simplifies and speeds the process of configuring clients by placing the server names into the client configuration by default.
This is an example of a SERVER.INI file:
; This file will contain the machine name where the Security Server
; has been installed as the "Primary" server. You can define backup
; servers by adding multiple entries to this file.
;
[ServerNames]
Primary = SECURITY_SERVER
;Backup#n =
; where n = 1, 2, 3, ...
(Comment lines start with a semicolon.)
Note that the primary server is defined for you. When the Security Server is installed, the primary server is defined as being the computer on which the server was installed. In the example shown above, the computer called SECURITY_SERVER is the primary Security Server.
You can define backup servers as shown in the following example:
[ServerNames]
Primary = SECURITY_SERVER
Backup#1 = MAIL_SERVER
Backup#2 = ACCOUNT_SERVER
Backup#3 = BACKUP_SERVER
Once the SERVER.INI file is changed, you will find those four servers defined without having to run the Security Server Definition application, saving some time in selecting and arranging those servers.
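The SERVER.INI handling described above, as an added example that is not part of the manual or the product: it parses the [ServerNames] section, derives the order in which a client tries servers (Primary, then Backup#n in ascending n), simulates failover to the first reachable server, and checks that a backup server's list matches the primary's. The INI text, the function names, and the treatment of "reachable" as a plain set are my own assumptions.

```python
"""Added example, not code from the Rockwell manual or product: parse a
SERVER.INI file in the format shown above and derive the client's server
try-order.  Assumptions (mine): ';' lines are comments, the [ServerNames]
section holds Primary and Backup#n keys, and backups are tried in ascending n.
"""
import configparser
import re

# Constructed sample in the manual's format; backups deliberately out of order
# and one commented-out entry, to show that ordering comes from n, not position.
SAMPLE_SERVER_INI = """\
; This file will contain the machine name where the Security Server
; has been installed as the "Primary" server.
[ServerNames]
Primary = SECURITY_SERVER
Backup#2 = ACCOUNT_SERVER
Backup#1 = MAIL_SERVER
;Backup#3 =
"""

_BACKUP_KEY = re.compile(r"^backup#(\d+)$")   # keys arrive lowercased (see below)


def parse_server_names(ini_text):
    """Return {'primary': name, 'backup#1': name, ...} from [ServerNames].

    ConfigParser lowercases keys by default and treats ';' lines as comments;
    interpolation is disabled so a '%' in a machine name cannot break parsing.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("ServerNames"):
        raise ValueError("SERVER.INI has no [ServerNames] section")
    return {key: value.strip() for key, value in parser.items("ServerNames")
            if value.strip()}


def server_try_order(entries):
    """Primary first, then backups sorted by their number (gaps in n tolerated).

    Raises ValueError when no primary is defined: the installer always writes
    one, so its absence means the file was edited incorrectly.
    """
    if "primary" not in entries:
        raise ValueError("SERVER.INI defines no Primary server")
    backups = []
    for key, name in entries.items():
        match = _BACKUP_KEY.match(key)
        if match:
            backups.append((int(match.group(1)), name))
    return [entries["primary"]] + [name for _, name in sorted(backups)]


def choose_server(order, reachable):
    """Simulate failover: the first server in priority order that answers.

    `reachable` stands in for a successful DCOM connection (a constructed set
    of machine names here); returns None when every server is unavailable.
    """
    for name in order:
        if name in reachable:
            return name
    return None


def lists_match(primary_ini, backup_ini):
    """A backup server's list must match the primary's (the Important note)."""
    return (server_try_order(parse_server_names(primary_ini))
            == server_try_order(parse_server_names(backup_ini)))


if __name__ == "__main__":
    order = server_try_order(parse_server_names(SAMPLE_SERVER_INI))
    print(order)   # primary first, then backups by number
    print(choose_server(order, reachable={"MAIL_SERVER", "ACCOUNT_SERVER"}))
```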
The Security Server Configuration Explorer
The Security Server Configuration Explorer is the tool you use to configure Rockwell Software application security. It is used to create resources, to define resource ACLs, and to group users, workstations and resources. It is also used to configure the properties of the Security Server, to perform access checks, and to provide troubleshooting help. It also allows you to import and export databases for synchronizing the databases for Security Servers.
You can use the Security Server Configuration Explorer from a machine on which you have the Security Server. If you have installed the Configuration Explorer on machines running the client, you can also run it from there. However, you must run Configuration Explorer from the domain in which the Security Server is running. Otherwise, you may not be able to access all of the users or machines you need to configure the Security Server system.
Starting Configuration Explorer
To run Configuration Explorer, click Start > Rockwell Software > Security Server Network Edition > Security Config Explorer.
The Security Server model
Rockwell Software's Security Server is based on resources. Rules are set up for each resource. Each rule specifies a user or user group, a workstation or workstation group, an action or action group, and whether the access is granted or denied.
Chapter 3: Managing your Security Server configuration
Important: Configuration Explorer can make changes only to the primary Security Server. To make changes to both your primary and backup Security Servers, you must make the changes to the primary Security Server, then copy the database from the primary server to the backup server. See page 39 for more information.
For example, you may want certain users to be able to monitor a specific PLC-5 processor from any workstation. You may want these same users to be able to modify that processor's program while online with that processor, but only from workstations in line-of-sight of that processor. You can create rules (ACLs) to do this with the Security Server.
About resources
In the Security Server, there are two types of resources: global or application. Global resources control access to actions (functions) in a software product. Application resources control access to specific applications of a software product.
For example, in PLC-5 A.I. Series software, there is a global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used.
However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used.
A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.
Precisely what an application resource is varies depending on the software you use with the Security Server. For example, for PLC-5 A.I. Series software, an application resource is a processor. When rules of access are applied to functions associated with one of these application resources, software functions are controlled with respect to that processor. For RSLinx software, an application resource is the computer running RSLinx.
Resource names and IDs
Resources have a name, an ID, and a description. The description helps users of the resource understand what the resource is for. The name and ID are used by the client application to identify the resource.
Tip: You can change whether the server grants or denies actions by default through the Security Server's Configuration Explorer Properties function (see page 32).
How actions are added to the Security Server database
Before you can create access control lists for using actions, you must add the actions to the Security Server database. Different applications have different methods of adding actions; consult the documentation for the application for the correct method.
See Importing actions for Rockwell Software applications on page 26 for information on how to import the actions for several Rockwell Software applications.
Adding user groups to the system
For large systems with many users and workstations, it's best to group users into logical groups, such as Managers or Electricians. You can then assign actions to entire groups rather than to individuals.
If you want to assign actions to groups of users, you need to assign users to a group.
To add a group of users to the system:
1. Right-click the Users/Groups folder, then click New Group. The software displays the User Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), or slash (/).
3. Click the Group Members tab.
4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find users.
5. Once you find the user you want to add, click the user name, and then click OK.
6. Repeat steps 4 and 5 for all of the users you want to add to the group.
Tip: As a convenience, once you add a user or workstation to a group in Configuration Explorer, that user or workstation becomes available in the _Security Server domain in Configuration Explorer. You can use the Security Server domain as a shortcut to the users or workstations you have previously added.
Importing actions for Rockwell Software applications
Action lists for several Rockwell Software applications are available as Security Server database backup files. You can import these files to add actions for these applications.
To import one of these files, open Configuration Explorer, click File > Import, then select the file you want to import. (Alternately, you can right-click the Actions/Groups folder, then click Import Actions.) The files are located (by default) in the \Rockwell Software\Security Server\System folder.
Consult the documentation for your specific application for more information about configuring it to use the Security Server.
Adding a single user to a group
If you are adding one or two users and you know the logon names of those users, it is probably faster to add them individually. To add a single user:
1. Open the group to which you want to add the new user.
2. Click the Group Members tab.
3. Click the Add User button. The Enter user name dialog appears.
4. Type the logon name of the user in the User Name field. If the user is in the same domain that you are currently logged onto, type just the user's logon name (you can type the domain name too, but it is not necessary). If the user is in another domain, you need to type the domain and user name.
Action import files (see Importing actions for Rockwell Software applications):
For this application: Import this file:
RSLogix 5: RSLogix5Security.bak
RSLogix 500: RSLogix500Security.bak
PLC-3 A.I. Series software: AI3Security.bak
PLC-5 A.I. Series software: AI5Security.bak
RSBatch: RSBatchSecurity.bak
RSLinx: RslinxSecurity.bak
RSLogix Frameworks Diagram Developer Offline and Online: FrameworksSecurity3.bak
5. To validate that the user is a member of the domain (or that you have the correct user), click Display. The Description and Full Name fields will show the user's information from the account domain controller (if the information exists).
6. To finish, click Add User. This also validates that the user exists on the account domain controller, and adds the user to the group.
Adding workstation groups to the system
You can also group workstations and assign actions to those groups. For instance, you may want people in your office to be able to program offline but not online. If you grouped workstations into Office and Plant groups, and assigned rights based on location, you could then restrict online programming from your office.
If you want to assign actions to groups of workstations, you need to assign workstations to a group.
To add a group of workstations to the system:
1. Right-click the Workstations/Groups folder, then click New Group. The software displays the Workstation Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).
3. Click the Group Members tab.
4. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find workstations.
5. Once you find the workstation you want to add, click the workstation name, and then click OK.
6. Repeat steps 4 and 5 for all of the workstations you want to add to the group.
Tip: One use of workstation groups is to create line-of-sight access rules, allowing access to a process only from those workstations where the process can be seen.
Creating a resource
To create a resource:
1. Right-click the Resources/Groups folder, then click New. The software displays the Resource - New window.
2. If you are creating a resource for an application (a global resource), click the Global Resources (Application Name) drop-down list, and select the application for which you want to create a global resource. The fields fill in with the appropriate information.
If your application is not shown in the Global Resources (Application Name) drop-down list, consult the documentation for your application for information about the name and resource ID it requires.
3. If you are creating an application resource, click the Application Resources drop-down list, then click the application for which you want to create a resource. Click the Browse button, then browse for the resource you want to create.
Currently, there are two types of resource available by browsing. Depending on the application for which you are creating a resource, you can browse for a workstation (through a network browse window) or for a processor (through RSLinx Super Who). The type of browse window you will see depends on the application you select in the Application Resources list.
Tip: Do not change the name or resource ID of the global resource for an application. Applications use this information when communicating with the Security Server; if it is changed, user access will be denied.
Tip: If you are creating application resources for RSLogix 5 or RSLogix 500 (which consist of processors and the communication drivers used to communicate with them), you may want to consolidate those resources so they are not dependent on the computers from which they are being accessed. See Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53 for more information.
Grouping resources
You can group resources to efficiently create ACLs for them. For example, if you have a series of PLC-5 processors in one location, and those processors all have resources, you can group those resources to make assigning rights easier.
To create a resource group:
1. Right-click the Resources/Groups folder, then click New Group. The software displays the Resource Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).
3. Click the Group Members tab. You'll see a list of the available resources in the security system. Select the resources you want in the group, then click the right arrow (>>) button. The selected resources move into the Member Items list.
4. Click the OK button. The resource group is now ready to have users assigned to it.
Grouping actions
If your system is particularly complex, you may want to group actions as well. Grouping actions permits you to assign combinations of actions to individuals or groups. For example, you may want your maintenance employees to be able to monitor machines but not modify data values or program them. You could group all of the monitoring actions and assign them to your maintenance employees. (On top of that, you could group your maintenance employees, group the maintenance actions, and then assign the action group to the maintenance employee group.)
To create an action group:
1. Right-click the Actions/Groups folder, then click New Group. The software displays the Action Group - New window.
2. Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\).
3. Click the Group Members tab. You'll see a list of the available actions in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.
4. Click the OK button. The action group is now ready to have users assigned to it.
Assigning access to individuals and groups
You can assign access to actions to individuals and groups through the resource. For example, if you want to assign the actions for an application, go to that application's resource.
To assign actions to individuals or groups:
1. Click the resource containing the actions you want to assign.
2. Click the Access Control List tab. The access control list, or ACL, is the list of who has rights to actions for that resource.
3. In the Users/Groups field, type the name of the user or group of users you want to have rights to an action. If you want to browse for the name, click the button next to the Users/Groups field.
4. If you want to limit the action to a particular workstation or group of workstations, type the name of the workstation or workstation group in the Workstations/Groups field. If you want to browse for the name, click the button next to the Workstations/Groups field.
5. Select the actions you want to assign, then click the right arrow (>>) button. The selected actions move to the Selected Actions list.
6. If you intend to grant access to these actions, click the Grant button. If you intend to deny access to these actions, click the Deny button.
7. Click OK. The access control list fills with the actions you assigned.
Editing an access control list entry
To change an access control list entry, click the entry, then click Edit. A window appears, allowing you to change the entry.
Tip: Use user and workstation groups in resource ACLs. You'll probably find it easier to debug your ACLs if you do it that way.
How access control list entries are applied
An access control list entry (ACE) that comes first in an access control list has precedence over the rules below it. For example, if the first ACE in an access control list grants a group of users every action for a resource, you can't deny those users an action later in the list. However, if you want to deny a group of users a particular action but grant all others, you can place the denial first in the access control list, then place an ACE granting access to all actions under the denial. The denial takes precedence because it came first, but that group of users still has access to the other actions from that resource.
The same thing applies to groups of users. If a user is denied access to an action early in an access control list, but the user is part of a group that is granted access to that same action later in the same list, the user is denied access to that action.
[Figure: ACE precedence, first ordering.] Let's say we have a user named Bob at a workstation called Workstation1. Bob is trying to perform an action for which there are two access control entries (ACEs):
ACE 1: Grant for Bob/Workstation1
ACE 2: Deny for */Workstation1
Result: Because Bob was granted the action in the first ACE, the second ACE is ignored.
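The first-match rule described above, as an added example that is not the product's code: a small model of the Security Server's ACL evaluation that reproduces the Bob/Workstation1 case in both ACE orders, the "deny one action first, grant the rest" pattern, and the individual-denial-beats-group-grant case. The data model (ACE fields, group tables, "*" wildcards, the default-deny flag) is my own assumption of how the rules in this section could be represented.

```python
"""Added example, not code from the Rockwell manual or product: a model of the
first-match ACL evaluation this section describes, with my own (assumed) data
model.  An ACE names a user or user group ("*" = everyone), a workstation or
workstation group ("*" = any), a set of actions or action groups ("*" = all),
and whether it grants or denies.  The first ACE matching the user, workstation
and action decides; if none matches, the server's default applies (the product
denies by default after installation)."""
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"


@dataclass(frozen=True)
class ACE:
    principal: str      # user name, user-group name, or "*"
    workstation: str    # workstation name, workstation-group name, or "*"
    actions: frozenset  # action names and/or action-group names, or {"*"}
    effect: str         # GRANT or DENY


@dataclass
class SecurityDatabase:
    """Group tables are name -> set of member names (constructed sample data)."""
    user_groups: dict = field(default_factory=dict)
    workstation_groups: dict = field(default_factory=dict)
    action_groups: dict = field(default_factory=dict)
    default_grant: bool = False   # Default Security Access: deny after install

    @staticmethod
    def _matches(name, pattern, groups):
        # "*" matches anyone; otherwise the pattern is a plain name or a group name
        return pattern == "*" or pattern == name or name in groups.get(pattern, ())

    def _action_matches(self, action, patterns):
        return ("*" in patterns or action in patterns
                or any(action in self.action_groups.get(g, ()) for g in patterns))

    def check(self, acl, user, workstation, action):
        """Return (granted, reason) for one access check against an ordered ACL."""
        for index, ace in enumerate(acl, start=1):
            if (self._matches(user, ace.principal, self.user_groups)
                    and self._matches(workstation, ace.workstation,
                                      self.workstation_groups)
                    and self._action_matches(action, ace.actions)):
                return ace.effect == GRANT, f"ACE {index}: {ace.effect}"
        return self.default_grant, "default"   # no ACE matched


def bob_example():
    """The manual's Bob/Workstation1 example in both ACE orders."""
    db = SecurityDatabase()
    grant_bob = ACE("Bob", "Workstation1", frozenset({"Download"}), GRANT)
    deny_all = ACE("*", "Workstation1", frozenset({"Download"}), DENY)
    grant_first, _ = db.check([grant_bob, deny_all], "Bob", "Workstation1", "Download")
    deny_first, _ = db.check([deny_all, grant_bob], "Bob", "Workstation1", "Download")
    return grant_first, deny_first   # (True, False): the first matching ACE wins


def deny_first_grant_rest_example():
    """Deny one action first, then grant everything else; an individual denial
    early in the list also beats a later grant to the user's group."""
    db = SecurityDatabase(
        user_groups={"Electricians": {"Bob", "Alice"}},
        workstation_groups={"Office": {"OFFICE-PC1"}},
        action_groups={"Monitoring": {"GoOnline", "ViewData"}},
    )
    acl = [
        ACE("Bob", "*", frozenset({"Monitoring"}), DENY),             # Bob alone
        ACE("Electricians", "Office", frozenset({"Download"}), DENY),
        ACE("Electricians", "*", frozenset({"*"}), GRANT),
    ]
    return {
        "bob_view_from_office": db.check(acl, "Bob", "OFFICE-PC1", "ViewData")[0],
        "bob_download_from_office": db.check(acl, "Bob", "OFFICE-PC1", "Download")[0],
        "bob_download_from_plant": db.check(acl, "Bob", "PLANT-PC7", "Download")[0],
        "alice_view_from_office": db.check(acl, "Alice", "OFFICE-PC1", "ViewData")[0],
        "unlisted_user": db.check(acl, "Mallory", "OFFICE-PC1", "ViewData")[0],
    }


if __name__ == "__main__":
    print(bob_example())
    print(deny_first_grant_rest_example())
```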
Moving access control list entries
Because access control list entries that come first take precedence over entries that come later, you can move rules higher or lower in the access control list to try to avoid rule conflicts (or set up conflicts to your advantage).
To move an entry, click the entry, then click the up or down arrow buttons to move the rule into the position you want.
Finding users, workstations, actions, or groups
You can search for users, workstations, actions, or groups in the project tree. To do this, click Edit > Find, and enter a string to find in the Search for field. Do not use wildcards (like ? or *) in your search strings. You can enter a partial string (like down for download).
You can search down in the tree, up in the tree, or in both directions.
Viewing and changing the server properties
Through the Security Server's Configuration Explorer, you can view and modify the current configuration of the Security Server. To view the server's configuration, click File > Properties. The Property Page window appears.
[Figure: ACE precedence, second ordering.] Let's say Bob is still at Workstation1, but we change the ACE order:
ACE 1: Deny for */Workstation1
ACE 2: Grant for Bob/Workstation1
Result: Because everyone (*) at Workstation1 was denied the action in the first ACE, the second ACE has no effect. Even though the second ACE would allow Bob to perform the action, it is ignored because the first ACE has priority.
General tab
The General tab shows general system information. This information may be useful for troubleshooting or if you require technical support with the Security Server.
This information: Means:
Server Machine Name: The name of the computer running the server.
Database Version: The version of the Security Server database (where the security information is stored).
Workstation Groups: The number of workstation groups in your current database.
Workstations: The number of workstations in your current database.
Resource Groups: The number of resource groups in your current database.
Resources: The number of resources in your current database.
Action Groups: The number of action groups in your current database.
Actions: The number of actions in your current database.
User Groups: The number of user groups in your current database.
Users: The number of users in your current database.
Setup tab
The Setup tab allows you to control some of the behavior of the Security Server.
Default Security Access
You can set the Security Server to grant or deny access to actions by default. (When you first install the Security Server, it denies access by default. If you have more actions you want to grant than deny, you may want to set up the Security Server to grant access by default, then create denials in the access control lists for your resources.)
Database Backup Files
By default, the Security Server keeps three backup files of your security database. If the Security Server database becomes corrupt, you may be able to recover your database from one of these backup files. (See page 39 for more information.) You can select from zero to nine backup files.
Security Audit Events
Windows NT has an Application Log that allows you to see when certain actions take place. If you want to log client and Configuration Explorer events in the Application Log, check the appropriate boxes. (Security Server events, such as startup and shutdown of the server, are always logged.)
You can access and view the Application Log through the Event Viewer application that comes with Windows NT or Windows 2000. See your Windows NT or Windows 2000 documentation for information regarding using Event Viewer.
Log Audit Events to Sentinelx.log
Check this box if you want to log Security Server events to a file rather than to the Windows NT/Windows 2000 Application Log. If you choose to log events to a file, the Security Server writes event log information to a comma-delimited ASCII file that can be imported into other applications (such as Microsoft Excel) for review.
Maximum Log Files
If you choose to log events to a file, the Maximum Log Files listbox becomes available. Use this box to set how many days of logging you want to retain. The Security Server will create a new Sentinelx.log file for each day on which an entry occurs (new files are created at midnight). The log files are stored in the System\log folder under the folder where the Security Server is installed.
Tip Resources must always be defined in the Security Server database whether default access is set to grant or deny. If a resource is not defined, access to it will be denied.
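As an added illustration (not Rockwell's code), the following Python models the three rules stated in this chapter: the first matching ACE in an access control list decides and later entries are ignored (the Bob/Workstation1 examples and the group case), the Default Security Access setting applies only when no ACE matches, and a resource that is not defined in the database is always denied regardless of that default. The ACE fields, the * wildcard, the group tables, the resource name and the user and workstation names are assumptions made for the example; the move_entry helper mirrors the up/down arrow buttons described under Moving access control list entries.

```python
# Added example (not Rockwell's code): a first-match evaluator for the access
# control list rules described above.  The ACE structure, the "*" wildcard and
# the group tables are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry: a grant or denial for a user/workstation pair."""
    grant: bool        # True = grant the action, False = deny it
    user: str          # user name, user-group name, or "*" for everyone
    workstation: str   # workstation name, workstation-group name, or "*"
    action: str        # action name, or "*" for all actions on the resource


# Constructed sample group memberships (group name -> member names).
USER_GROUPS = {"Operators": {"Bob", "Alice"}}
WORKSTATION_GROUPS = {"ControlRoom": {"Workstation1", "Workstation2"}}


def _matches(pattern: str, name: str, groups: dict) -> bool:
    """A pattern matches a name if it is the wildcard, the name itself,
    or a group that contains the name."""
    return pattern == "*" or pattern == name or name in groups.get(pattern, ())


def check_access(db, resource, user, workstation, action, default_grant=False):
    """Evaluate the ACL for `resource` in list order and return (allowed, reason).

    db maps resource name -> ordered list of ACEs.  The first ACE whose user,
    workstation and action all match decides; every later ACE is ignored.
    default_grant mirrors the Default Security Access setting and applies only
    when no ACE matches.  A resource missing from db is always denied.
    """
    if resource not in db:
        return False, "resource not defined in the database: access denied"
    for index, ace in enumerate(db[resource], start=1):
        if (_matches(ace.user, user, USER_GROUPS)
                and _matches(ace.workstation, workstation, WORKSTATION_GROUPS)
                and ace.action in ("*", action)):
            verb = "granted" if ace.grant else "denied"
            return ace.grant, f"{verb} by ACE {index} ({ace.user}/{ace.workstation})"
    return default_grant, "no matching ACE: default " + ("grant" if default_grant else "deny")


def move_entry(acl, index, up=True):
    """Return a copy of acl with the ACE at `index` moved one position up or
    down, like the arrow buttons in Configuration Explorer."""
    entries = list(acl)
    target = index - 1 if up else index + 1
    if 0 <= target < len(entries):
        entries[index], entries[target] = entries[target], entries[index]
    return entries


# The two orderings from the Bob/Workstation1 example (constructed data).
GRANT_FIRST = {"ProjectFile": [ACE(True, "Bob", "Workstation1", "download"),
                               ACE(False, "*", "Workstation1", "download")]}
DENY_FIRST = {"ProjectFile": [ACE(False, "*", "Workstation1", "download"),
                              ACE(True, "Bob", "Workstation1", "download")]}

# A group conflict: Bob is denied individually before his group is granted.
GROUP_CONFLICT = {"ProjectFile": [ACE(False, "Bob", "*", "download"),
                                  ACE(True, "Operators", "*", "download")]}


if __name__ == "__main__":
    for name, db in (("grant first", GRANT_FIRST), ("deny first", DENY_FIRST),
                     ("group conflict", GROUP_CONFLICT)):
        print(name, check_access(db, "ProjectFile", "Bob", "Workstation1", "download"))
    print("undefined resource", check_access(GRANT_FIRST, "Other", "Bob",
                                             "Workstation1", "download", default_grant=True))
```

Running the script shows Bob granted under GRANT_FIRST, denied under DENY_FIRST and GROUP_CONFLICT, and denied on the undefined resource even though default_grant is True; swapping the two entries with move_entry turns one ordering into the other, which is exactly the conflict the arrow buttons let an administrator resolve.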
Server Information tab
The Server Information tab shows information about your networking setup.
Default Account Domain and Default Account Domain Controller
The Default Account Domain and Default Account Domain Controller settings work in tandem. The Security Server will access the default account domain controller for user and group information if the domain of the user or group matches that of the default account domain. In large and geographically diverse networks, this may greatly speed network access.
See Appendix B on page 49 for more information.
Network information refresh rate (minutes)
The refresh rate is the rate at which the Security Server checks its database. For example, when a user is removed from a group, the refresh removes any user groups to which the user belonged and no other user belonged. Another example is when a new user is added to a new domain network group. The Security Server will add this new user group to its database when it performs the check. At each refresh, the Security Server rewrites its database.
Client Connections to Server
These fields indicate the maximum number of client workstations that can connect to the Security Server at one time, the peak number of client workstations that have connected to the Security Server at one time, and the number currently connected.
The peak number of client workstations indicates the number of licences required for your system. If it is at the maximum number, it is possible that you may need more licences.
If you need to increase the number of client workstations that can connect to the Security Server, please contact your Rockwell Software sales representative.
Configuration Explorer tab
The Configuration Explorer tab shows information about your networking setup.
Default Account Domain and Default Account Domain Controller
The Default Account Domain and Default Account Domain Controller settings work in tandem. The Configuration Explorer gathers and presents network information for you to create user groups or resource ACLs. These two settings allow you to select a domain controller for a particular domain. The domain controller is then used for all Configuration Explorer browsing of the domain. Note these settings may be different for each instance of Configuration Explorer on your network.
See Appendix B on page 49 for more information.
Display Full Names
When Display Full Names is checked, Configuration Explorer displays full names and descriptions (when available from the server) for members of Security Server groups. When domain groups are displayed, the full names and descriptions of users in those groups are also displayed.
Displaying full names and descriptions can take time. Turning this function off (by clearing the Display Full Names checkbox) will speed up these network operations.
Refreshing access control lists
Your access control lists (ACLs) can contain users who no longer have accounts or whose accounts are disabled. You may wish to remove these users from your ACLs. To do this, click File > Refresh ACLs.
When you choose to refresh ACLs, the Security Server performs that task during the next refresh cycle, and makes a log entry including the domain account and action taken. You can change the time to the next refresh cycle by changing the server preferences. See Network information refresh rate (minutes) on page 35 for more information.
Using admin accounts to control access to the Security Server's Configuration Explorer
If you install the Configuration Explorer on a user's computer, you must define an administrator for the Configuration Explorer. Otherwise, anyone with access to the Configuration Explorer can change the configuration of your entire Security Server system.
To define an administrator:
1. Click View > Admin Accounts. This displays the Administration Accounts window.
2. Click Add. This displays a browse window, allowing you to select a user to be an administrator for Configuration Explorer.
3. Locate a user to be an administrator, click that user's logon name, and then click OK. If you want to search for a user, type the beginning of the user's logon name in the Search for field, then click Find.
Tip As a convenience, the _Security Server domain contains all users that are currently in the Security Server's database. To save time, you can choose administrators from this domain.
Roaming security
With the Network Edition of Security Server, it is possible to disconnect from your network and maintain access to secured functions. For example, a maintenance engineer may need to take a laptop with secured software off of his or her network to perform operations in a plant. This is accomplished through a process called roaming.
Roaming operates by caching security information for a set number of days. A Security Server administrator decides whether roaming should be enabled, and for how many days. If Roaming is enabled, any user can cache security information to run while disconnected from the network.
While roaming, access is checked for each resource using the logged-in user and workstation. The system creates a roaming database that remains in effect until a timeout occurs (the number of days roaming is permitted expires) or the Configuration Explorer terminates the roaming session.
If a timeout occurs, the user will no longer be able to access secured Rockwell Software applications.
Enabling or disabling roaming
Roaming is enabled through Configuration Explorer. Only Security Server administrators are able to enable or disable roaming (if you have not defined administrators for your Security Server, see Using admin accounts to control access to the Security Server's Configuration Explorer on page 36 for information about doing this).
To enable roaming, click View > Set Roaming Security Timeout.
By default, roaming is enabled. To disable roaming, check the Disable Roaming Security Caching checkbox.
If you wish to enable roaming, set the number of days roaming should be enabled with the Roaming Security Timeout (days) listbox. You can set between 0 and 90 days. If you want to make roaming valid only during the current day, set the timeout to 0 days (the day ends at midnight).
Using roaming
To use roaming:
1. Start Configuration Explorer.
2. Click View > Configure Roaming Security Information.
Important If you do not define administration accounts, any user can enable or disable roaming.
3. Since there is no network server available to validate users, you must provide a name and password to use with Security Server while roaming. Under the Alias User Information section of the Configure Roaming Security Information dialog, enter your user name in the User Name field. Do not use your network user name for this field.
4. Enter a password to use with Security Server while roaming in the Password and Confirm Password fields.
Roaming remains enabled until either the Configuration Explorer reattaches to the Security Server, or the timeout period elapses. If the roaming timeout period elapses, connect Configuration Explorer to the Security Server to restore operation.
Important Do not forget your user name and password! If you do, you will not be able to use roaming, and you will not be able to use software that is secured with Security Server.
Chapter 4
Backing up and synchronizing Security Servers
Rockwell Software's Security Servers do not communicate with each other. If you want to keep the same security information on primary and secondary Security Servers, you may handle this process in any of three ways:
• export your Security Server database from your primary Security Server and import the database on your backup Security Servers
• directly copy the database files from the primary Security Server to backup servers
• use Windows NT/2000 directory replication to copy the database files from the primary Security Server computer to backup computers (this is the preferred method since it happens automatically)
Using directory replication
Windows NT and Windows 2000 have a built-in replication service that allows you to copy files from one computer to another automatically. In Windows NT this is called the LAN Manager Replication service; in Windows 2000 this is called the File Replication service. You can configure this service to copy files from the folder containing the Security Server database from the primary Security Server to backup servers.
Note that the Windows 2000 File Replication Service is not available on Windows 2000 Professional. Therefore, if you are using a computer running Windows 2000 Professional as a Security Server, you will not be able to use this method for replicating your database.
For more information about using directory replication, see the documentation for Windows NT or Windows 2000.
Exporting your Security Server database
To export your Security Server database, run the Configuration Explorer, then click File > Export Database.
This function allows you to save a backup file. The backup file contains all of the information necessary to reconstruct your Security Server database either on your primary Security Server or on a backup Security Server.
Importing your Security Server database
When you import a Security Server database into a Security Server, the imported database will be added to the current configuration of that Security Server.
To import a Security Server database, run the Security Server Configuration Explorer, then click File > Import Database. The software allows you to select a backup database file to import.
If the database import detects conflicts, you can choose to overwrite the current database with the imported information or not. You can do this on a case-by-case basis or for the entire imported database. For example, if a user already exists in the database and the imported database contains the same user, you can choose whether to overwrite the current database with the information about that user from the imported database.
If there are errors detected during the import
If the database import detects errors, the import notifies you that there are errors and writes descriptions of the errors to a log file. The file is named SentinelImport.log, and it is found in the Security Server system directory (by default, that directory is C:\Program Files\Rockwell Software\Security Server\System). You can open the log file in Windows Notepad and examine it. (A typical error is that a user described in the backup database no longer exists or is no longer enabled in the domain; the import removes such users and notifies you in the log file.)
The error log file describes errors by line numbers. These line numbers refer to the end of a resource or user list, not to the line containing the error. The string (invalid user name, for example) causing the error is listed with the error description. You should search for the string causing the error and not the line number if you wish to correct the backup database.
Restoring a previously saved configuration
Each time you change your Security Server configuration and save those changes, the software writes a backup of your last saved security database as well as your most recent changes. (The database is also saved and backed up during each refresh cycle.) If you make a mistake and need to revert to a previously saved version of your Security Server database, you can do so.
To restore a previous version of your Security Server database, locate the directory containing the Security Server system. By default, the Security Server system is located in C:\Program Files\Rockwell Software\Security Server\System\db. In that directory, you'll find the files that make up a Security Server database. The following table describes these files:
This file: Does this:
Sentinel.sdb: The primary security database. Contains all of the database information necessary for the Security Server to provide security functions.
Sentinel.sb1 ... Sentinel.sbN: The backup security database files. Contain previous versions of the security database. With each save of the security database, the Security Server copies the previously saved version to a backup file. For information about setting the number of security database backups maintained by the Security Server, see page 34.
Delete the Sentinel.sdb file and replace it with one of the backup files. If you just made the change you need to correct, the backup file you need is Sentinel.sb1 (the number on the backup file is incremented with subsequent saves).
Important Before overwriting a database file, make sure the Security Server is not running.
Tip If you are restoring a database that was backed up during a resource consolidation or unconsolidation, the backed-up database is located (by default) in C:\Rockwell Software\Security Server\System\SentinelResourcen.bak (where n is a sequence number indicating how many times the consolidation or unconsolidation has been done). For information about resource consolidation, see Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53.
Chapter 5
Upgrading from Standalone Edition to Network Edition
The databases for Security Server Standalone Edition and Network Edition vary in the following ways:
• Standalone Edition provides security for a single workstation, while Network Edition provides network-wide security.
• Standalone Edition does not contain references to workstations.
• Standalone Edition users can be either users local to a Windows NT machine, or they can be private users, known only to the Security Server. Network Edition uses only domain users, validated by a domain controller.
Because of these differences, access control lists and users created in Standalone Edition are not compatible with Network Edition. This information will be lost during an upgrade to Network Edition.
It is possible to retain the resource/group and action/group definitions from Standalone Edition when upgrading to Network Edition.
To upgrade a Standalone Edition database to a Network Edition database:
1. Export the Standalone Edition database.
2. Install Security Server Network Edition.
3. Import the exported Standalone Edition database file into Network Edition. During the import, there will be warnings concerning importing the Standalone Edition database.
4. Review the SentinelImport.log file for import errors. See Restoring a previously saved configuration on page 40 for more information.
Setting up A.I. Series software to use Security Server
A.I. Series software can use the Security Server to secure resources. To set up A.I. Series software to do this, you need to tell the software to send its actions to the Security Server.
There are two types of resource for A.I. Series software. There is a global resource called AI5GLOBALRIGHTS or AI3GLOBALRIGHTS, which controls access to functions in the software. You can also create resources for each processor being programmed (in case you want to vary the actions granted based on the processor