SIMATIC HMI WinCC V6.0 SP4 Process Visualization System WinCC Security Concept
Recommended and mandatory practice
1 Planning the Security Cells and Access Points
2 Managing the Network
3 Managing Computers and Users
4 User and Access Management in WinCC and Integration Into Windows Management
5 Planning Time Synchronization
6 Implementing Patch Management
7 Secure Network Access to Security Cells
8 Concluding remarks
9 References
10 Meaning of the Symbols Used
Glossary
Edition 07/2006
A5E00917540-01
Safety instructions
This manual contains instructions that must be followed both for your personal safety and in order to avoid damage to equipment. Instructions regarding your personal safety are identified by a warning triangle; instructions regarding general equipment damage appear without a warning triangle. Warnings and associated instructions appear as follows depending on the level of danger (the most dangerous warning appears first).
Danger
Indicates that death or serious injury will occur if the corresponding precautions are not taken.
Warning
Indicates that death or serious injury can occur if the corresponding precautions are not taken.
Caution
With a warning triangle, indicates that minor injury can occur if the corresponding precautions are not taken.
Caution
Without a warning triangle, indicates that equipment damage can occur if the corresponding precautions are not taken.
Notice
Indicates that undesirable events or circumstances can occur if the corresponding instruction is not heeded. In the event of a number of levels of danger prevailing simultaneously, the warning corresponding to the highest level of danger is always used. If a warning with a warning triangle warns of potential injury, a warning regarding equipment damage can be included in the same notice.
Qualified personnel
Reference must be made to this document when setting up the associated device/system. Only qualified personnel may commission and operate a device/system. In the context of the safety instructions in this document, qualified personnel are persons who are authorized to commission, ground and mark devices, systems and circuits in accordance with safety engineering standards.
Intended use
Please note:
Warning
The device may only be used for the applications envisaged in the catalog and technical description, and only in association with third-party devices and components recommended and/or approved by Siemens. In order to operate correctly and safely, the product must be transported, stored, set up and installed correctly, and operated and maintained with care.
Trademarks
All product names followed by the ® symbol are registered trademarks of Siemens AG. Other product names in this document may be trademarks whose use by third parties might violate the rights of their owners.
Exclusion of liability
We have checked the content of this document for consistency with the hardware and software it describes. However, as deviations cannot be totally excluded, we are unable to warrant complete consistency. The information in this document is reviewed at regular intervals and any necessary correction included in subsequent editions.
Preface
Purpose of this documentation
The "WinCC Security Concept" documentation contains recommended and mandatory procedures for planning and building secure, networked WinCC automation solutions with connected Web clients, SIMATIC IT applications and office networks based on customer specifications. This documentation serves as both a reference and a guide for network administrators working in the following areas:
- Configuration of WinCC
- Commissioning and servicing of WinCC
- Management of company networks
It is intended to facilitate cooperation between network administrators managing company networks and automation networks.
Required knowledge
This documentation is intended for persons involved in the configuration, commissioning and servicing of automation systems using SIMATIC WinCC. It assumes basic knowledge of the common IT technology used in offices.
Notice
This documentation cannot replace training of personnel in the fields of network engineering, management of Microsoft Windows desktop and server stations and operation of these stations in Windows domains, and in fact assumes some previous knowledge of these skills on the part of the reader.
The following security concept documents should be used as references in this context:
- BSI IT Baseline Security Manual, Chapter 4 "Infrastructures"
- FDA 21 CFR 11, "Electronic Records; Electronic Signatures"
- NAMUR Worksheet NA 67 "Information Security for Process Control Systems (PLS)"
- NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"
- ISA TR99.00.01-2004 "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004
This security concept can be used to validate a networked plant as a "closed system" according to FDA 21 CFR 11 Section A Para. 11.3 Number (4): Quote: "A closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system." End of quote.
System types
The WinCC Security Concept is illustrated in this document on the basis of the following types of system:
- Single-user system as a visualization system without Web clients
Note
This SIMATIC WinCC Security Concept has been system-tested and should be implemented in your installation. You must be aware that not all security concepts from the IT world can be implemented 1-to-1 in process automation. IT focuses mainly on global accessibility and maximum security. The most important factor for process automation is functionality.
Notice
Deviations from the recommended WinCC Security Concept can result in security vulnerabilities. Always keep your system up to date so that security vulnerabilities do not occur. This documentation contains the WinCC Security Concept V6.0 SP4. Your Siemens Automation & Drives representative will let you know if the manual has been updated.
Guide
Topics are listed in the order in which an administrator should perform the configuration of the required components. Background information and context is provided for each task to help the administrator understand the associated security concept and purpose. This documentation consists of the following topics:

Planning the Security Cells and Access Points: Principle: Division into security cells; Security Cells and Room Protection; Specifying Network Access Points

Managing the Network: Name Resolution; Assigning IP Addresses and Division into Subnets

Managing Computers and Users: Principle: Division of responsibility; Operating Plants in Windows Workgroups; Managing Plants Using a Windows Domain (Active Directory); Shared domains - dedicated organizational unit; Shared forest - subordinate domains

User and Access Management in WinCC and Integration Into Windows Management: Relationship between Windows user rights and the project-specific management of user rights and operator permissions; Integration into Windows management

Planning Time Synchronization: Time Synchronization in a Windows Workgroup Without a Central Plant Clock; Time Synchronization in a Windows Workgroup with a Central Plant Clock; Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server); Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock

Implementing Patch Management: Implementing Patch Management; Installing and Configuring the Software Update Service (SUS); Configuring the AU Clients (AU = Automatic Update)

Secure Network Access to Security Cells: Principle: Closed system in accordance with FDA; Using Firewalls for Access Points; Using Virus Scanners for Access Points; Principle: Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA; Additional Measures: Using and Configuring Authentication and Encryption with IP Security, Using and Configuring Authentication and Encryption with Secure Sockets Layer, Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access; Log/Audit
Additional support
If, once you have read the manual, you have any questions about the products described in it, please contact your local Siemens representative. You will find a list of representatives at:
http://www.siemens.com/automation/partner
You will find a guide to the technical documentation we offer for individual SIMATIC products and systems at:
http://www.automation.siemens.com/simatic/portal/html_76/techdoku.htm
You will find the online catalog and online ordering system at:
http://mall.automation.siemens.com/
Training centers
We offer courses to help get you started with the WinCC visualization system. Please contact your regional training center or the central training center in Nuremberg. Phone: +49 (911) 895-3200. Internet: http://www.sitrain.com
Technical support
Technical support for all A&D products can be accessed as follows:
By completing our online support request form: http://www.siemens.de/automation/support-request
Phone: +49 180 5050 222
Fax: +49 180 5050 223
For additional information about our technical support services, please visit us on the Internet at http://www.siemens.de/automation/service .
Table of Contents
Preface  i
Table of Contents  vii
1  Planning the Security Cells and Access Points  1-1
1.1  Security Cells and Room Protection  1-1
1.2  Specifying Network Access Points  1-6
2  Managing the Network  2-1
2.1  Name Resolution  2-1
2.2  Assigning IP Addresses and Division into Subnets  2-6
3  Managing Computers and Users  3-1
3.1  Operating Plants in Windows Workgroups  3-1
3.2  Managing Plants Using a Windows Domain (Active Directory)  3-4
3.2.1  General Information About Domains  3-4
3.2.2  Embedding Plants in Existing Domains (Active Directory)  3-9
4  User and Access Management in WinCC and Integration Into Windows Management  4-1
4.1  Rights Management in Windows  4-1
4.2  User management in WinCC  4-8
5  Planning Time Synchronization  5-1
5.1  Time Synchronization in a Windows Workgroup Without a Central Plant Clock  5-3
5.2  Time Synchronization in a Windows Workgroup with a Central Plant Clock  5-9
5.3  Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server)  5-15
5.4  Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock  5-23
6  Implementing Patch Management  6-1
6.1  Implementing Patch Management  6-3
6.1.1  How to Detect a Security Vulnerability With MBSA  6-4
6.1.2  Assessing Security Vulnerabilities  6-8
6.1.3  Obtaining Software Updates and Security Patches  6-9
6.1.4  Testing Security Patches  6-9
6.1.5  Deploying Security Patches  6-9
6.1.6  Maintaining the Patch Environment  6-9
6.2  Installing and Configuring the Software Update Service (SUS)  6-10
6.2.1  Basics of SUS  6-10
6.2.2  Installing SUS  6-14
6.2.3  Configuring the SUS Server  6-15
6.3  Configuring the AU Clients  6-21
7  Secure Network Access to Security Cells  7-1
7.1  Mapping Data Traffic  7-1
7.2  Using Firewalls for Access Points  7-7
7.2.1  General Information About Firewalls  7-7
7.2.2  Using the Microsoft ISA Server as a Firewall  7-7
7.2.3  Using Local Firewalls on WinCC PCs  7-11
7.3  Using Virus Scanners for Access Points  7-12
7.3.1  Using Local Virus Scanners on WinCC PCs (Distributed Access Points)  7-12
7.3.2  Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant  7-14
7.4  Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA  7-15
7.4.1  Using and Configuring Authentication and Encryption with IP Security  7-17
7.4.2  Using and Configuring Authentication and Encryption with Secure Sockets Layer  7-23
7.4.3  Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access  7-26
7.5  Requesting and Installing Certificates  7-53
7.5.1  How to Install a Stand-Alone Root Certification Authority  7-53
7.5.2  Downloading a Certification Authority Certificate  7-56
7.5.3  Requesting a Local Computer Certificate for IPSec  7-57
7.5.4  Setting Up SSL on a Web Server  7-59
7.5.4.1  Creating a Certificate Request  7-59
7.5.4.2  Submitting a Certificate Request  7-61
7.5.4.3  Issuing a Certificate  7-61
7.5.4.4  Installing the Certificate on the Web Server  7-62
7.5.4.5  Configuring Resources to Request SSL Access  7-62
8  Concluding remarks  8-1
8.1  Residual Risks  8-1
8.2  Additional Measures  8-1
9  References  9-1
10  Meaning of the Symbols Used  10-1
Glossary
1 Planning the Security Cells and Access Points
1.1 Security Cells and Room Protection
This is why individual plants and parts of them need to be segmented and provided with room protection.
Separating the two buses avoids loading the plant bus with the communication for the visualization on the WinCC clients. The availability of the plant bus is thereby increased. Figure 1-1 shows the division of the control layer into "terminal bus" and "plant bus" segments using the "production shop" security cell as an example. The PC stations on the control layer are assigned to the terminal bus. The AS stations on the control layer are assigned to the plant bus.
Large system
In the example configurations illustrated in Figure 1-2 and Figure 1-3, referred to hereinafter as the company "plant.com", there are 3 main buildings with a variety of functions and devices. Each building corresponds to a security cell in this example because:
- There are persons with similar responsibilities and permissions in each of the segments.
- Each security cell can fulfill its task in isolation from the others for a certain period of time.
One exception in this example is the building controlling access to the entire company site. This building contains a single device that displays special alarms but does not allow any operator inputs.
1.2 Specifying Network Access Points
The dimensioning of the router must correspond to the actual requirement of the network traffic and any planned expansions of the plant. A router represents a bottleneck for network traffic due to its status as a "stand-alone device". You may need to use modern "GigaBit" technology for the routers. You may need to configure the routers redundantly.
Note
We recommend the temporary use of routers as isolation and connection components for individual security cells, especially when commissioning a plant. This makes it much easier, for example, to test the function of all devices and their communication mechanisms. You will subsequently need to replace these routers with firewalls or install and configure firewall software on any computers being used as routers (see Section 7.2 "Using Firewalls for Access Points").
Large system
The access points are illustrated in Figure 1-4 (Network access points, router):
- Access point to control layer via router control system
- Access points to MES layer via MES router or router control system
All devices on the ERP layer are located in a physical subnet on the top layer. This is connected with the next MES layer via the MES router. The MES layer in turn is connected to the control layer via the router control system. In this example, the WinCC servers swap out production data from the control layer to the SIMATIC IT Historian Server or long-term archive server at regular intervals. Although the control layer can work for a certain amount of time without a connection to the MES layer, it must be regularly connected to the archive servers on the MES layer, because its archive capacity is limited. Production data are collected, archived and evaluated on the MES layer and made available to the ERP layer via a Web solution (WinCCWebServer01). An important aspect is that these production data cannot be destroyed and can no longer be changed.
Note
You do not have to run a SIMATIC IT Historian Server or WinCC long-term archive server on the MES layer. If given conditions do not allow such a layer to be formed, you must do without these additional security zones. However, this is not recommended.
2 Managing the Network
2.1 Name Resolution
Symbolic names
All network nodes must be assigned symbolic names in order to keep the network structure and administration flexible and make it possible to react to changes. These names correspond to the IP addresses of the network nodes. Task-oriented symbolic names, such as WinCCServer01 or PresseSrv01, have proved popular. Most applications use these names to locate their communication partners on the network.
Note
As soon as a Windows 2000 or Windows 2003 domain is used to manage the Windows computers (see Section 3.2.1 "General Information About Domains"), a writable DNS server is an absolute necessity for resolving names in this domain.
Name resolution for each individual segment must also function without connection to the other segments. Fast and reliable name resolution is a requirement for high-level performance in each individual segment.
DNS suffix Specification of the DNS suffix is important for the PC to be correctly entered on the DNS server. This also applies to the DNS server itself.
DNS server address
The DNS server is set on the plant PC by selecting the menu command "Start > Settings > Control Panel" > "Network Connections" > "Local Area Connection" > "General" tab > "Properties" button. In the "Internet Protocol (TCP/IP) Properties" dialog box, select "Obtain DNS server address automatically" or "Use the following DNS server addresses:".
Multi-user system, large system
We also recommend using at least one additional PC as a DNS and WINS server in a workgroup. The DHCP server can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.
2.2 Assigning IP Addresses and Division into Subnets
Recommended IP addresses
In the 192.168.x.x range, for example, there are:
- 256 class C networks (subnet 192.168.0.x to subnet 192.168.255.x)
- each with 254 subscribers (IP address 192.168.x.1 to IP address 192.168.x.254)
The office environment addresses are often already used by the company IT department. Include the IT department in the planning of the plant network at an early stage if a connection to the office network is planned or foreseen as a future development.
The following should be noted when using DHCP in a WinCC system: There must be a DHCP server in each segment. It can be located on a computer together with the DNS and WINS servers. We recommend the following settings for the DHCP server on the terminal bus in our example:

Reservations: Make reservations for all plant PCs on the terminal bus. This ensures that the plant PCs are always assigned the same IP address, even when they have been switched off for a long period. Tip: Select a random dummy name such as dummy01 as a reservation name. Subsequently, you can use the FQDN name entered under the reservations to easily tell whether the computer with the corresponding MAC address is logged on properly. Once you have made reservations for all plant PCs, you only need to select a very small address pool, for example, 192.168.25.10 to 192.168.25.60.
003 Router: 192.168.25.1
006 DNS Server: 192.168.25.101*
015 DNS Domain Name: production.plant.com
044 WINS/NBNS Server: 192.168.25.101*
046 WINS/NBT Node Type: 0x8

* Only applies when a DNS or WINS server is also installed on the domain controller, for example. Otherwise, the IP addresses will need to be adapted. Other options may be useful based on local requirements, for example:
042 NTP Servers: 192.168.25.101
033 Static Route Options: 192.168.125.0 via 192.168.25.1

Note that DHCP servers cannot be configured redundantly. This does not mean, however, that the WinCC PC will cease to function following the failure of a DHCP server. Problems only arise if the lease time expires or the PCs are rebooted. Select a lease time long enough to meet your requirements. If DHCP server redundancy is required, you can cluster the server like any other Windows server. Another possibility is to configure an alternative IP address in the case of Windows XP or Windows Server 2003. To avoid duplicate addressing in the event of a DHCP server failure, these alternative IP addresses must be maintained in parallel with the DHCP entries.
Note
Be sure to reserve the following addresses:
- IP address x.x.x.0 as network address
- IP address x.x.x.1 as router
- IP address x.x.x.255 as broadcast address
The plant configuration and the IP address assignments for our example plant might appear as follows:
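The following check is an added example, not part of the WinCC manual: it encodes the DHCP scope rules of this section (one DHCP/DNS/WINS server per segment, the three reserved addresses, a small pool, a reservation per plant PC, static routes pointing out of the segment) and validates a scope plan. The sample scope is the manual's terminal bus example; the reservation names follow the dummy01 tip and the MAC addresses are constructed.

```python
"""Validate a plant DHCP scope plan against the rules of this section (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Reservation:
    name: str          # dummy reservation name as the manual suggests, e.g. dummy01
    mac: str
    ip: IPv4Address


@dataclass
class DhcpScope:
    subnet: IPv4Network
    pool_start: IPv4Address
    pool_end: IPv4Address
    router: IPv4Address                                  # option 003
    dns_servers: list                                    # option 006
    dns_domain: str                                      # option 015
    wins_servers: list                                   # option 044
    ntp_servers: list = field(default_factory=list)      # option 042
    static_routes: list = field(default_factory=list)    # option 033: (destination, gateway)
    reservations: list = field(default_factory=list)


def check_scope(scope: DhcpScope) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    net = scope.subnet
    reserved = {
        net.network_address: "network address",
        net.network_address + 1: "router address",
        net.broadcast_address: "broadcast address",
    }
    problems = []

    def in_segment(addr, what):
        if addr not in net:
            problems.append(f"{what} {addr} is outside segment {net}")

    # The router must be the x.x.x.1 address the manual reserves for it.
    if scope.router != net.network_address + 1:
        problems.append(f"router option {scope.router} is not {net.network_address + 1}")

    # Address pool: inside the segment, correctly ordered, free of reserved addresses.
    in_segment(scope.pool_start, "pool start")
    in_segment(scope.pool_end, "pool end")
    if scope.pool_start > scope.pool_end:
        problems.append("pool start is after pool end")
    for addr, role in reserved.items():
        if scope.pool_start <= addr <= scope.pool_end:
            problems.append(f"pool contains the {role} {addr}")

    # Name resolution and time sources must keep working when the cell is cut off.
    if not scope.dns_servers:
        problems.append("no DNS server configured for the segment")
    if not scope.dns_domain:
        problems.append("no DNS domain name (option 015); PCs will not register in DNS")
    for what, servers in (("DNS server", scope.dns_servers),
                          ("WINS server", scope.wins_servers),
                          ("NTP server", scope.ntp_servers)):
        for server in servers:
            in_segment(server, what)

    # Static routes lead to other segments through a gateway in this one.
    for destination, gateway in scope.static_routes:
        if destination == net:
            problems.append(f"static route destination {destination} is this segment")
        in_segment(gateway, f"gateway for {destination}")

    # One fixed address per plant PC: inside the segment, not reserved, unique IP and MAC.
    seen_ips, seen_macs = set(), set()
    for r in scope.reservations:
        in_segment(r.ip, f"reservation {r.name}")
        if r.ip in reserved:
            problems.append(f"reservation {r.name} uses the {reserved[r.ip]} {r.ip}")
        if r.ip in seen_ips:
            problems.append(f"duplicate reserved address {r.ip}")
        if r.mac.lower() in seen_macs:
            problems.append(f"duplicate MAC address {r.mac}")
        seen_ips.add(r.ip)
        seen_macs.add(r.mac.lower())
    return problems


# Constructed sample: the manual's terminal bus scope (192.168.25.x) with the listed
# options 003/006/015/044/042/033; the two reservations and their MACs are made up.
TERMINAL_BUS = DhcpScope(
    subnet=IPv4Network("192.168.25.0/24"),
    pool_start=IPv4Address("192.168.25.10"),
    pool_end=IPv4Address("192.168.25.60"),
    router=IPv4Address("192.168.25.1"),
    dns_servers=[IPv4Address("192.168.25.101")],
    dns_domain="production.plant.com",
    wins_servers=[IPv4Address("192.168.25.101")],
    ntp_servers=[IPv4Address("192.168.25.101")],
    static_routes=[(IPv4Network("192.168.125.0/24"), IPv4Address("192.168.25.1"))],
    reservations=[
        Reservation("dummy01", "00-11-22-33-44-01", IPv4Address("192.168.25.102")),
        Reservation("dummy02", "00-11-22-33-44-02", IPv4Address("192.168.25.103")),
    ],
)

if __name__ == "__main__":
    for line in check_scope(TERMINAL_BUS) or ["scope plan is consistent"]:
        print(line)
```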
Figure 2-4 contains devices and configurations that will be explained in detail in later sections. Although a simpler diagram might be preferable here, this figure better illustrates the subnet division and IP address assignments.
Multi-user system, large system
We recommend that you use an additional PC as the DHCP server. The DNS and WINS servers can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.
3 Managing Computers and Users
3.1 Operating Plants in Windows Workgroups
Practical experience has shown that configuring just one computer incorrectly can pose a huge risk to an entire plant. Locating the error in such cases is often tedious and complicated.
All computers in the Production (A) workgroup must be set up with the same security policy (B), the correct network adapter configuration (C), and a consistent group and user configuration (D); moreover, they must always be updated at the same time. It is easy to see that as the number of users and computers increases, so does the time and effort required for management.
Large system
Although use in a workgroup is possible, it is not recommended, because the criteria in the following Section 3.2 "Managing Plants Using a Windows Domain (Active Directory)" apply. In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.
3.2 Managing Plants Using a Windows Domain (Active Directory)
3.2.1 General Information About Domains
Note
When a separate Windows domain is set up for the plant, it must be possible for this domain to be managed by operating personnel. This responsibility cannot be transferred to persons outside the production plant, because such persons are not in a position to judge whether or not a given configuration change will have a negative effect on the production process. This may require additional training of the operating personnel.
Note
Only authorized persons may be permitted to configure a plant PC. Administrative user accounts may only be used for responsibilities within WinCC.
Requirement: The domains must always be available with high performance.
Reason: At least one of the two domain controllers must be located directly on the plant network. This ensures that a domain logon and Group Policy update can always be performed, even if the connection to the other networks fails.

Requirement: The individual objects must be managed grouped in organizational units. The use of additional subdomains should be avoided. Responsibility for the domains and the WinCC PCs must be separate.
Reason: This reduces the risk of an individual object being configured incorrectly. It also does away with the need for at least two additional domain controllers for each subdomain and reduces the time and effort involved in administration. In the "Plant.com" example, the "Production" organizational unit containing all user and computer objects relevant for production has been created for this purpose. Responsibility for this is transferred to an administrative account, which only manages the domain properties of this organizational unit and not those of the entire domain (for example, the Chief Operator (B), a foreman of "Plant.com").

Requirement: The management and initial configuration of the domain by the domain administrator must be performed by qualified operating personnel or a designated employee of the "Plant.com" IT department.
Reason: Inherent errors, which may only become apparent much later and require a complete reconfiguration of the domain, can be avoided.

Requirement: The accounts of the domain administrators may only be used for actual administrative duties. These accounts do not normally need to be used subsequently in day-to-day activities.
Reason: This prevents a misconfiguration or a local virus from affecting the entire domain.

Figure 3-2 shows how management can be simplified on the basis of centrally configured security policies, network configuration and user management. The management of the plant PCs (for example, network configuration, name resolution and IP address assignment) is centralized by the "Production.Plant.com" (A) domain. Responsibility for this infrastructure server (C) is given to the "Domain-Admin".
1. An organizational unit, "OU-Production", is created to manage the plant in the example. This is where all general properties are defined and where the "WinCC-Servers", "WinCC-Clients" and "Web-Servers" groups, as well as the "Server-Desktop-User-Dom", "Client-Desktop-User-Dom" and "WebServer-Desktop-User-Dom" (E) domain user accounts, which will subsequently be used as accounts for the runtime operation of the plant, are managed.
2. The real administrative account "Chief-Operator" in the "Operator-Group" manages the subordinate organizational unit "Production-PC". This operator is responsible for the properties that should only be assigned to WinCC PCs (for example, software to be installed, settings for time synchronization, memberships of local groups (D), rights, settings for managing software updates, etc.).
Note
The permissions that should be given to global groups and domain user accounts on the WinCC PCs are described in detail in Section 4 "User and Access Management in WinCC and Integration Into Windows Management" and are simply indicated in Figure 3-2 as orange-colored lines.
3.2.2 Embedding Plants in Existing Domains (Active Directory)
Notice
Only precise delineation of the spheres of responsibility through delegation of responsibilities and rights to operating personnel can ensure that no undesirable configuration changes are made to plant PCs by the IT department.
4 User and Access Management in WinCC and Integration Into Windows Management
4.1 Rights Management in Windows
The corresponding share permissions and security settings are managed automatically by the WinCC software. The user simply needs to make the local users and global groups members of these SIMATIC user groups.
Note
In addition, all Windows users who are to work on WinCC PCs with SIMATIC components need to be added to the Power Users local group.
SIMATIC WinCC
WinCC uses the SIMATIC HMI, SIMATIC HMI CS and SIMATIC HMI VIEWER user groups for project sharing and project file access. The first time a project is opened, project sharing is automatically set up and configured with the required sharing permissions and security settings. Project share permissions and file access are managed automatically by the WinCC software. Figures 4-1 and 4-2 illustrate the necessary group memberships in detail.
Rules
Use the Microsoft-recommended ALP strategy (Add User Account to Local Group and assign Permission) and AGLP strategy (Add Domain User Account to Global group, add global group to Local Group and assign Permission). The plant operator logs onto the WinCC operator station and is assigned the operator authorizations configured in the "User Administrator" editor and for graphical function objects. As well as being local power users, the project engineer and operator of a project must also be members of the "SIMATIC HMI" group. In order to be able to access the project remotely, the "ClientDesktopUser" account for each WinCC client must be a member of the "SIMATIC HMI" group on the server.
User/User group: WinCC-Server (Windows workgroup)
Description: Local Windows user on a WinCC server where process mode (Runtime) runs in a workgroup. A member of the following groups on each WinCC server: Power Users (the built-in Windows group), SIMATIC HMI and SIMATIC HMI VIEWER. Not a member of a local group on a WinCC client or Web server.

User/User group: Client-Desktop-User (WinCC client, Windows workgroup)
Description: Local Windows user on a WinCC client where process mode (Runtime) runs in a workgroup. A member of the following groups on the WinCC client: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Must also be configured on the WinCC server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the WinCC server.

User/User group: Web Server (Windows workgroup)
Description: Local Windows user on a Web server where process mode (Runtime) runs in a workgroup. A member of the following groups on each Web server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Must also be configured on the WinCC server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the WinCC server. A WinCC client is always installed on a Web server in WinCC systems.

User/User group: Configurator/Project engineer (Windows workgroup)
Description: Local Windows user on a WinCC configuration system where configuration is performed in a workgroup. A member of the Power Users, SIMATIC HMI and SIMATIC HMI CS groups on the WinCC configuration system. Project configuration changes on a WinCC server or WinCC client should always be made by this user. The WinCC project engineer should therefore also be configured on each WinCC server and WinCC client and be a member of the following groups there: Power Users, SIMATIC HMI and SIMATIC HMI CS.

User/User group: WinCC-Server (Windows domain)
Description: A global domain group that contains all domain users where process mode (Runtime) runs on a WinCC server in a domain. A member of the following local groups on each WinCC server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Not a member of a local group on a WinCC client or Web server.

User/User group: WinCC-Client (Windows domain)
Description: A global domain group that contains all domain users where process mode (Runtime) runs on a WinCC client in a domain. A member of the following local groups on each WinCC server: SIMATIC HMI and SIMATIC HMI VIEWER. A member of the following local groups on each WinCC client: Power Users and SIMATIC HMI.

User/User group: Web Server (Windows domain)
Description: A global domain group that contains all domain users where process mode (Runtime) runs on a Web server in a domain. A member of the following local group on each WinCC server: SIMATIC HMI VIEWER. A member of the following local groups on each Web server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER.
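The following PowerShell script is an added example and not part of the Siemens manual. It audits a plant PC against the membership matrix above by reading local group membership through the ADSI WinNT provider, which works on workgroup and domain members alike, and it additionally flags an account that sits in the local Administrators group, since the manual asks for power users, not administrators. The computer names, the account names and the role assignments in the usage section are assumptions to be replaced with your own; note that the built-in Windows group is named "Power Users".

```powershell
# Added example: audit local group memberships on WinCC nodes against the
# role matrix in the table above. Account names, computer names and the
# role-to-group mapping are assumptions for illustration.

# Required local memberships on the node itself (workgroup case), from the table.
$RequiredLocal = @{
    'WinCC-Server'        = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER')
    'Client-Desktop-User' = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER')
    'Web Server'          = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER')
    'Configurator'        = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI CS')
}
# Memberships the same account must additionally hold on the WinCC server.
$RequiredOnServer = @{
    'Client-Desktop-User' = @('SIMATIC HMI', 'SIMATIC HMI VIEWER')
    'Web Server'          = @('SIMATIC HMI', 'SIMATIC HMI VIEWER')
    'Configurator'        = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI CS')
}

function Get-LocalGroupMemberNames {
    # Returns the member names of a local group via the WinNT ADSI provider.
    param([string]$Computer = $env:COMPUTERNAME, [string]$Group)
    try {
        $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
        $adsiGroup.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        Write-Warning "Cannot read group '$Group' on $($Computer): $_"
        @()
    }
}

function Test-Memberships {
    # Returns one finding per required group the account is missing from.
    param([string]$Computer, [string]$Account, [string[]]$Groups, [string]$Role)
    foreach ($group in $Groups) {
        $members = @(Get-LocalGroupMemberNames -Computer $Computer -Group $group)
        if ($members -notcontains $Account) {
            "$Account is not a member of '$group' on $Computer (required for role $Role)"
        }
    }
}

function Test-WinCCRoleMembership {
    # Checks the node-local groups, the groups required on the WinCC server
    # (if a server name is given) and least privilege (no local Administrators).
    param([string]$Computer, [string]$Role, [string]$Account, [string]$Server)
    $findings = @()
    $findings += Test-Memberships -Computer $Computer -Account $Account -Groups $RequiredLocal[$Role] -Role $Role
    if ($Server -and $RequiredOnServer.ContainsKey($Role)) {
        $findings += Test-Memberships -Computer $Server -Account $Account -Groups $RequiredOnServer[$Role] -Role $Role
    }
    $admins = @(Get-LocalGroupMemberNames -Computer $Computer -Group 'Administrators')
    if ($admins -contains $Account) {
        $findings += "$Account is a local Administrator on $Computer; the role only requires Power Users"
    }
    $findings
}

# Usage with assumed names: the operator account on a WinCC server and the
# client desktop account that must also exist on that server.
$checks = @(
    @{ Computer = 'WinCCServer01'; Role = 'WinCC-Server';        Account = 'WinCCOperator';     Server = '' },
    @{ Computer = 'WinCCClient01'; Role = 'Client-Desktop-User'; Account = 'ClientDesktopUser'; Server = 'WinCCServer01' }
)
foreach ($c in $checks) {
    $result = @(Test-WinCCRoleMembership -Computer $c.Computer -Role $c.Role -Account $c.Account -Server $c.Server)
    if ($result.Count -gt 0) { $result | ForEach-Object { Write-Output "FAIL: $_" } }
    else { Write-Output "OK: $($c.Account) on $($c.Computer) matches role $($c.Role)" }
}
```

Run the script with an account that can enumerate local groups on the target computers (the same administrative access the MBSA section later requires). The WinNT provider queries the machines directly, so the check works on workgroup nodes without a domain.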
4.2
User Administrator
The actual user management for operating the plant is performed in the "User Administrator" editor. The editor has two components for assigning and managing permissions, Configuration and Runtime. Users and permissions are managed in the "User Administrator Configuration System": this is where new users are entered, passwords are assigned, permissions are managed in a table and the link to SIMATIC Logon is administered. The main task of the "User Administrator Runtime System" is to monitor system logons and access rights.
A central plant clock is recommended for plants running WinCC as it allows both methods to be used:
SICLOCK TM GPS Package 24V, order number 2XV9450-1AR24
SICLOCK TM GPS Package 230V, order number 2XV9450-1AR25
Both packages contain the SICLOCK TM central plant clock and the SICLOCK GPSDEC radio clock. Other time synchronization products can also be used depending on application requirements.
Additional information: For more information about time synchronization concepts for industrial plants, see:
German: http://siemens-edm.de/siclock.0.html
English: http://siemens-edm.de/siclock.0.html?id=109&L=2
Recommended configurations
We basically recommend 4 different configurations:
Windows workgroup without a central plant clock
Windows workgroup with a central plant clock
Windows Active Directory without a central plant clock (with NTP time server)
Windows Active Directory with a central plant clock
Operation in a Windows workgroup is intended for small plants that do not need to be operated synchronized to the company network or other networks. If a plant is operated in a Windows domain (Windows Active Directory), however, no competing time synchronization mechanisms may act on the plant PCs. Whereas for most applications an incorrect time only causes problems in interpreting causal relationships, here an imprecise time can lead to logon denials for domain clients attempting to log on to their domain controller. The reason is a security feature of the domain controller in Windows 2000 and higher that is intended to prevent the replay of captured authentication messages. The standard authentication protocol, Kerberos V5, includes the workstation's current time in the authenticators it generates. If the configured time tolerance between client and domain controller (default 5 minutes, set by the Kerberos policy "Maximum tolerance for computer clock synchronization") is exceeded, the domain controller treats the request as a possible replay, rejects it with a clock skew error, and the client's attempt to log on to its domain fails.
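The following PowerShell script is an added example, not part of the Siemens manual, that measures the clock offset of a plant PC against its domain controller with the built-in w32tm tool (Windows XP/Server 2003 and later) and compares it with the Kerberos tolerance described above. The domain controller name is an assumption; w32tm /stripchart only reads the remote time and does not adjust the local clock, so it does not interfere with WinCC time synchronization.

```powershell
# Added example: compare this PC's clock with a domain controller and rate the
# difference against the Kerberos tolerance. The DC name is an assumption.

function Get-ClockOffsetSeconds {
    # Samples the offset to $TimeSource with "w32tm /stripchart" and returns
    # the average offset in seconds.
    param([string]$TimeSource, [int]$Samples = 3)
    $raw = & w32tm.exe /stripchart /computer:$TimeSource /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $raw) {
        # Data lines look like "13:05:42, +00.0123456s"; error lines carry no offset.
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time samples from $($TimeSource): $($raw -join ' | ')" }
    ($offsets | Measure-Object -Average).Average
}

function Test-KerberosSkew {
    # Kerberos rejects authenticators whose timestamp lies outside the configured
    # tolerance (default 5 minutes). Drift beyond $WarnFraction of the tolerance
    # is reported early so that a failing time source is noticed before logons fail.
    param([double]$OffsetSeconds, [int]$ToleranceMinutes = 5, [double]$WarnFraction = 0.1)
    $limit = $ToleranceMinutes * 60
    $abs = [math]::Abs($OffsetSeconds)
    if ($abs -ge $limit) { 'FAIL' }
    elseif ($abs -ge $limit * $WarnFraction) { 'WARN' }
    else { 'OK' }
}

$dc = 'DC01'   # assumed name of the domain controller holding the PDC emulator role
$offset = Get-ClockOffsetSeconds -TimeSource $dc
$state = Test-KerberosSkew -OffsetSeconds $offset
Write-Output ("{0}: offset to {1} is {2:0.000} s" -f $state, $dc, $offset)
```

The WARN threshold (30 s by default) is deliberately far below the 5-minute limit: a plant PC whose clock drifts that far already has a broken time source, and the remaining margin is what you have before Kerberos logons start failing.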
5.1
If the above box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".
"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".
Figure 5-4 Changing the operating mode of the CP 1613 to Configured mode
The WinCC servers function as what are known as cooperative masters. Only when the CP 1613 on the plant bus receives no broadcast time signal (from an AS acting as master clock) does WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the master clock, which has probably failed. This is described in more detail in the following section.
Time synchronization is set via "Time Synchronization" in WinCC Explorer.
The WinCC clients WinCCClient01 and WinCCClient02 are configured as time "Slaves" of the connected WinCC server using WinCC time synchronization in their own projects. They are synchronized with the clock of the respective WinCC server via the "terminal bus" during runtime of their projects.
5.2
If the above box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".
Set the interface modules for the plant bus by selecting the menu command "Start > SIMATIC > SIMATIC NET > Configuration Console".
"Time-of-day adjustment" can then be activated. However, you must then reset the mode to "Configured mode".
Figure 5-10 Changing the operating mode of the CP 1613 to Configured mode
The WinCC servers function as what are known as cooperative masters. Only when the CP 1613 on the plant bus receives no broadcast time signal (from the central plant clock) does WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.
Time synchronization is set via "Time Synchronization" in WinCC Explorer.
The WinCC clients WinCCClient01 and WinCCClient02 are configured as time "Slaves" of the connected WinCC server using WinCC time synchronization in their own projects and are synchronized with the clock of the respective WinCC server via the "terminal bus" during runtime of their projects.
5.3
Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server)
Example configuration - Windows domain without a central plant clock but with NTP time server
Figure 5-13 Windows domain without a central plant clock but with NTP time server
If the box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".
"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".
Figure 5-16 Changing the operating mode of the CP 1613 to Configured mode
The WinCC servers function as what are known as "cooperative masters". The first WinCC server activated on the plant bus that does not receive a broadcast time signal automatically switches to "Master" clock mode. All other WinCC servers activated subsequently then detect a broadcast time signal on the plant bus and automatically switch to "Slave" clock mode. This is described in more detail in the following section.
Note
Time synchronization of the AS is only performed when at least one WinCC server is activated.
All other plant PCs are automatically time clients of the PDC emulator through their membership of the domain. Since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, WinCCServer01 and WinCCServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock.
Time synchronization is set via "Time Synchronization" in WinCC Explorer.
Figure 5-17 WinCC time synchronization with domain controller in the server project
The WinCC clients WinCCClient01 and WinCCClient02 are configured as "Slave" clocks of the domain controllers or of the connected WinCC servers using WinCC time synchronization in their own projects and are synchronized with the clock of the respective domain controller or WinCC server via the "terminal bus" during runtime of their projects.
Figure 5-18 WinCC time synchronization with domain controller in the client project
Figure 5-19 WinCC time synchronization with connected WinCC server in the client project
WinCC PCs, such as WinCCClient02 or CS, for which WinCC time synchronization is not available, are synchronized via the DCF77 reception service, which must be installed separately. It can use one of the two domain controllers or WinCC servers as the master clock.
Figure 5-20 Setting the DCF77 reception service on the client without WinCC time synchronization
5.4
Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock
If the box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".
"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".
Figure 5-24 Changing the operating mode of the CP 1613 to Configured mode
The WinCC servers function as what are known as cooperative masters. Only when the CP 1613 on the plant bus receives no broadcast time signal (from the central plant clock) does WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.
This domain controller is then configured as the authoritative time source. The procedure is described by Microsoft in Knowledge Base article 816042, "How to configure an authoritative time server in Windows Server 2003" (http://support.microsoft.com/kb/816042/EN-US/); see the topic "Configuring the Windows Time service to use an internal hardware clock".
All other plant PCs are automatically time clients of the PDC emulator through their membership of the domain. Since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, WinCCServer01 and WinCCServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock.
Time synchronization is set via "Time Synchronization" in WinCC Explorer.
Figure 5-26 WinCC time synchronization with domain controller in the server project
The WinCC clients WinCCClient01 and WinCCClient02 are configured as "Slave" clocks of the domain controllers or of the connected WinCC servers using WinCC time synchronization in their own projects and are synchronized with the clock of the respective domain controller or WinCC server via the "terminal bus" during runtime of their projects.
Figure 5-27 WinCC time synchronization with domain controller in the client project
Figure 5-28 WinCC time synchronization with connected WinCC server in the client project
WinCC PCs, such as WinCCClient02 or CS, for which WinCC time synchronization is not available, are synchronized via the DCF77 reception service, which must be installed separately. It can use one of the two domain controllers or WinCC servers as the master clock.
Figure 5-29 DCF77 reception service on the client without WinCC time synchronization
(Figure of the patch management cycle; only the phase labels "Identify" and "Deploy" survive.)
Patch management with Windows Server Update Services (WSUS) 2.0: http://www.microsoft.com/technet/technetmag/issues/2005/11/HandsOn/default.aspx
6.1
Current FAQs
When deploying security patches in plants running WinCC, read the latest FAQs available on the Internet at http://support.automation.siemens.com/. The following FAQs are important:
FAQ 22016868: http://support.automation.siemens.com/WW/view/en/22016868
FAQ 18752994: http://support.automation.siemens.com/WW/view/en/18752994
6.1.1
Using MBSA
The Microsoft Baseline Security Analyzer (MBSA) can be used for the following tasks:
Scanning one or more computers for vulnerabilities
Determining the availability of security updates
MBSA can be operated either through its graphical user interface or from the command line.
Note
The logon account used to run MBSA must be a member of the local Administrators group on every computer to be scanned. Use the command net use \\computername\c$ to check whether the required access rights and permissions are available; "computername" is the network name of the computer to be scanned for missing patches. Resolve any problems with administrative access before scanning remote computers with MBSA.
How to manually detect missing updates using the graphical user interface in MBSA
1. Start MBSA by double-clicking the desktop icon or selecting MBSA in the "Programs" menu.
2. Click "Scan a Computer". With the default setting, MBSA scans the local computer. To scan multiple computers, click "Scan Multiple Computers" and then select several computers or an IP address range.
3. Select all check boxes (see Figure 6-2).
4. Click "Start Scan". Your server is now analyzed. Once the scan is complete, MBSA displays a security report and saves it in the directory %userprofile%\SecurityScans. In the following example, all boxes have been checked for scanning IP address 192.168.25.25 (WinCCClient01, see Figure 2-4). The subordinate SUS server (SEC-CA) is also checked.
5. Once the scan is complete, click the link next to the negative items for details of the results (see Figure 6-3); a list of the security updates that have not yet been installed will appear. The Microsoft Security Bulletin reference number is displayed. You can obtain additional information about a bulletin by clicking the reference.
How to detect missing updates using the command line interface in MBSA
Open a command line window in the MBSA installation directory and enter the following command:
mbsacli /i 192.168.25.25 /sus "http://192.168.125.53/"
This produces the same report as the graphical user interface. Here too, the report is saved in the directory %userprofile%\SecurityScans.
The top half of the MBSA screenshot shown in Figure 6-3 is self-explanatory. A red "X" indicates that a serious problem has been found. To display a list of missing patches, click the corresponding Result details link.
For both types, links are available to the relevant hotfix and security bulletin sites that provide information about the patch as well as download instructions.
If there is an update that cannot be confirmed, check the information in the bulletin and follow the instructions for installing the patch or changing the configuration.
Additional information
Additional information about patches that cannot be checked with MBSA is available in Microsoft Knowledge Base Article 306460, "HFNetChk Returns Note Messages for Installed Patches".
6.1.2
Security Bulletins
You can assess the risk of an attack by reading the following information in the security bulletins:
Technical information about what an attacker needs in order to exploit the security vulnerability described in the bulletin. Physical access may be required for an attack, for example, or the user may have to open a harmful e-mail attachment.
Mitigating factors, which you need to assess in light of your security policy to determine how far you are affected by the vulnerability. A patch may not be absolutely necessary because of your security policy; if you are not using the Indexing Service on your server, for example, there is no need to install a patch against a security threat in that service.
Threat assessment for setting priorities. Assessing the severity of a threat involves several factors, including the role of the computer whose security may be endangered and the extent to which this computer is affected by the vulnerability.
Note
If you are using an affected product, you must almost always install the patches for security vulnerabilities that are characterized as critical or important. Patches rated as critical should be installed as soon as possible.
6.1.3
Additional information
You can find detailed additional information in 6.2 Installing and Configuring the Software Update Service (SUS).
6.1.4
6.1.5
6.1.6
6.2
6.2.1
Basics of SUS
Limitations of SUS
Limitations of SUS:
SUS does not support Windows NT or Windows 9x computers.
SUS does not support Microsoft Office or Microsoft BackOffice products. SUS updates the OS, Microsoft IIS and Microsoft Internet Explorer (IE) only.
Although it supports many languages, SUS does not yet support every language supported by Windows XP and Windows 2000.
SUS has no uninstall option to automatically remove an update it has deployed. It is therefore important to test updates before installing them with SUS. Updates can still be removed manually.
The SUS server is essentially an IIS Web site. You administer and monitor SUS through Web pages, and the AU clients download updates through Web pages as well. Microsoft stores the updates on its Windows Update servers; the SUS Windows Update Synchronization Service performs the periodic synchronization between the SUS server and the Microsoft Windows Update servers. The AU clients communicate with the SUS server over HTTP, and the SUS server itself also uses HTTP. During synchronization the SUS server retrieves the database of updates available for download, known as the catalog. Catalog synchronizations can be run on demand or on a schedule. The catalog does not contain the updates themselves; it contains a description of each update and the information the AU clients need to decide whether an update applies to their Windows XP or Windows 2000 installation. You can configure the SUS server to download the updates for each language you choose to support, or leave the updates on the Windows Update servers, in which case the AU clients download and install them from there. In either configuration SUS verifies each update against Microsoft's public certificate before it is downloaded and installed, which prevents an impostor from using SUS to push malicious code to your computers. Although many programs treat them as a single step, downloading and installation are two separate processes in SUS. Suppose the updates are left on the Windows Update servers and the AU clients are to download and install them. The AU clients periodically check your SUS server for newly approved updates. When an AU client finds an update it needs, it starts the download by connecting to the appropriate Windows Update server. You can configure the AU client to download the update automatically, or to notify the user that an update is ready for download.
In the latter case, the AU client waits for the user to start the download. Once the AU client has downloaded the update to a temporary folder, the installation process begins. The AU client checks the options you have set to determine when to install the update: it can install updates automatically according to a schedule you define, or notify the user that updates are available and wait for the user to start the installation. After installing the updates, the AU client restarts the computer if required. If a user is logged on, the AU client gives that user 5 minutes to save work, close all programs and log off, and then restarts the computer. Because the AU client uses the Qchain tool, only one restart is needed even when several updates are installed.
The AU clients must be configured via a Group Policy. After the patches have been installed on the AU clients, the clients must not be rebooted automatically. Scan the data traffic during download and deployment of the patches using an application firewall with a virus scanner (for example, Microsoft Internet Security and Acceleration Server with the Trend Micro virus scanning module).
The following figure shows the placement of the higher-level SUS server (A) in the ERP and the placement of the lower-level SUS server (B) in the MES. The lower-level SUS-CA server downloads its patches from the higher-level SUS-ERP server through the MES firewall via HTTP. All plant PCs receive their patches from the lower-level SUS server. For this to work, HTTP download from the lower-level SUS server must be permitted at all access points. To also allow a dial-up support computer (D) to install any missing updates before it accesses the plant, it must be given access to the lower-level SUS server while it is still in the quarantine network. The MES network serves as the quarantine network.
6.2.2
Installing SUS
To use SUS, you need a server on which to run SUS. AD domain controllers and machines running Microsoft Small Business Server (SBS) cannot be SUS servers. The SUS server as well as the domain controllers and workstations that SUS will manage all need:
Windows 2000 SP2 or higher
IE 5.5 or higher
The SUS server also needs IIS 5.0 or higher.
You can install SUS on an IIS server that already hosts other Web sites, because SUS uses only three IIS components:
the Common Files folder
the Microsoft Management Console (MMC) Internet Information Services snap-in
the World Wide Web Server (not on a WinCC PC, however)
SUS is usually installed in the default Web site. If you do not have a default Web site or a different Web site is bound to port 80, see Appendix A in the Microsoft white paper "Deploying Microsoft Software Update Services". To access this paper, click the Software Update Services Deployment White Paper link on the Software Update Services Web page: http://www.microsoft.com/Windows2000/downloads/recommended/susserver/default.asp. The SUS Web site also has a link for downloading SUS.
Once you have downloaded SUS, open the file sussetup.msi to start the Setup Wizard. The welcome page and the end user license agreement (EULA), which you must accept, appear; when prompted, select the Typical installation option and click Next. Make a note of the SUS server's URL; you will need it to configure the AU clients. Click Install.
During installation, SUS runs the IIS Lockdown Tool to secure IIS on the SUS server. This lockdown prevents an intruder who has broken into your SUS server from reaching the AU clients. The IIS Lockdown Tool disables options that present security risks and may therefore break existing Web applications. If your SUS server hosts other Web applications that depend on components such as WebDAV (WWW Distributed Authoring and Versioning), Microsoft FrontPage Server Extensions or FTP, you may run into problems. SUS can coexist with these applications, but you may need to re-enable certain options after installing SUS. For a full description of the changes SUS makes to IIS, see Appendix A in the "Deploying Microsoft Software Update Services" white paper.
At the end of the installation, the Wizard displays the Finish page together with the URL of the SUS administration Web page. Make a note of this URL; you will need it to administer the SUS server.
6.2.3
The Set Options link. Click here to open the Options page, which contains 5 sections: Under "Select a proxy server configuration", you need to specify whether to use a proxy server configuration. If your network has to access the Internet via a proxy server, you can configure the SUS server to authenticate and use the proxy server to access the Windows Update servers. For this example, however, select the "Do not use a proxy server to access the Internet" option.
Under "Specify the name your clients use to locate this update server" you can, if necessary, enter the name of your SUS server. By default, the "Server name" edit box will contain your SUS server's NetBIOS name. If you have disabled NetBIOS name resolution on your network, however, you can change it to the DNS name or IP address. You will also need to enter the SUS server name again in the AU client configuration. Unfortunately, it is not clear why you have to change the settings on both the server and the client.
Under "Select which server to synchronize content from", specify the data source with which you want the SUS server to synchronize. There are two options: "Synchronize directly from the Microsoft Windows Update servers", which is the default setting, and "Synchronize from a local Software Update Services server", which lets you synchronize your SUS server with another SUS server, for example, to accommodate scalability needs. If you are synchronizing with another SUS server, enter that server's NetBIOS or DNS name. If you select the "Synchronize list of approved items updated from this location (replace mode)" option, your SUS server will not only synchronize its own catalog of updates but will also use the other server's list of approved updates.
Under "Select how you want to handle new versions of previously approved updates", you can specify how you want SUS to handle new versions of updates. Sometimes a bug in an update comes to light and Microsoft has to re-approve the update. What happens if you have already approved this update? Do you want SUS to direct AU clients to automatically install the new version? If so, select the Automatically approve new versions of previously approved updates option. However, if you would rather have SUS treat the new version of the update as a new update and wait for you to approve it before deployment, select "Do not automatically approve new versions of previously approved updates. I will manually approve these later."
Under "Select where you want to store updates", specify the location in which you want to store updates. Remember that SUS always downloads the catalog. However, you can control whether the updates are downloaded to the SUS server or left on the Windows Update server. For this example, select "Save the updates to a local folder". Then select the languages for which you want to save updates.
Once you have completed these five steps and selected the options you require, click "Apply" to save your selections. You are now ready to configure the SUS synchronization schedule and approve the updates you want to deploy.
The "Synchronize server" link. Click the "Synchronize server" link to open the "Synchronize server" page. This page displays two options: "Synchronize now", which you can click to perform an immediate synchronization manually, and "Schedule Synchronization", which you can click to create a schedule for automatic synchronization. Click "Schedule Synchronization". As you can see in Figure 6-13, you can start synchronization on request only (i.e., without a schedule being configured), configure synchronization to take place daily at a specific time, or configure synchronization to take place once a week on a specific day at a specific time. If you decide to create a schedule, change the preset time (03:00); the Windows Update servers may be overloaded at this time, as all SUS servers with the default configuration submit their synchronization requests then. You can also configure how many times SUS should retry synchronization if an attempt fails. The default setting is three attempts, with SUS waiting 30 minutes between attempts.
In our example, SUS has been configured to synchronize daily at 01:00. Notice how the "Synchronize server" page now specifies the date and time of the next scheduled synchronization. Click "Synchronize". SUS displays the system with which it is synchronizing along with the progress of that synchronization.
The Approve updates link. Click this link to display a list of all updates in the catalog and configure the status of these updates. This list appears in Figure 6-14. You can sort the list by update date, title, platform (Windows XP or Windows 2000), or status. In terms of its status, an update can be "Approved" (approved for distribution to the appropriate AU clients), "Not Approved", "New" (a recently downloaded update that has not been approved), "Updated" (a new version of a previously approved update) or "Unavailable" (update is not available for download).
The list of updates in Figure 6-14 shows that all IE security updates associated with KB867282 have been approved. These include the IE for Windows XP, IE for Windows Server 2003, IE 6 SP1 and IE 5.01. Although all these updates have been approved, each AU client installs only the update appropriate for its IE version. To approve one or more updates, check the box next to each update, then click "Approve". Confirm your selection by clicking "Yes" in the prompt that appears. SUS will then display a dialog box listing the updates you have selected and prompting you to accept the EULA for these updates. Depending on your screen resolution and browser settings, the "Accept" and "Don't Accept" buttons might not appear. This happens if the dialog box is too small to display all the updates. Unfortunately, you cannot resize this dialog box. However, you can place the mouse pointer in the list box and press the Tab key to make both buttons visible. Click "Accept" to approve the updates for deployment on the AU clients.
6.3
Because WinCC Version 6 systems need one of these operating systems, the AU client is always installed. Basically, the configuration only involves changing a few registry values. Since it is impractical to change these registry values manually, you should use a Group Policy that can be edited using the Microsoft Management Console (MMC) shown in Figure 6-15.
1. Double-click the "Configure Automatic Updates" policy. Select "Enabled" in the properties window (see Figure 6-16). In the "Configure automatic updates" drop-down list box, select the option that matches your requirements:
2 - Notify for download and notify for install
3 - Auto download and notify for install
4 - Auto download and schedule the install
2. Once you have completed the configuration of the policy, click OK.
3. Double-click the "No auto-restart for scheduled Automatic Updates installations" policy. Select "Enabled" in the properties window shown in Figure 6-17.
4. Once you have completed the configuration of the policy, click OK.
5. Double-click the "Specify intranet Microsoft update service location" policy. Select "Enabled" in the properties window shown in Figure 6-18. In the "Set the intranet update service for detecting updates" edit box, specify the URL you wrote down earlier (i.e., the URL of the SUS server that the client should check periodically for new updates). In the "Set the intranet statistics server" edit box, specify the URL of the IIS server to which the client should report its activities (usually the same URL as the previous one). Click OK and close the Group Policy Editor. Apply your settings.
6. Once you have completed the configuration of the policy, click OK.
7. Force the application of the Group Policy. Computers reapply Group Policies every 90 minutes, with a random offset of up to 30 minutes. So, you might have to wait as long as 2 hours for computers in your domain to start checking the SUS server for approved updates. To force the immediate application of the Group Policy, log onto the computer, open a command shell window, and run the following command:
   On computers with Windows 2000: secedit /refreshpolicy machine_policy
   On computers with Windows XP or Windows Server 2003: gpupdate
The computer should now start downloading all updates you have approved.
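The three policy settings configured above are stored by Windows as values under the WindowsUpdate policy registry key, which is also what an administrator inspects when a client does not start pulling updates. The following Python script is an added example and not part of this manual: it parses a Registry Editor (.reg) export of that key, constructed inline for the example, and reports every value that deviates from the configuration recommended above (intranet SUS server, AUOptions 2 to 4, no automatic restart). The value names WUServer, WUStatusServer, UseWUServer, AUOptions and NoAutoRebootWithLoggedOnUsers are the documented Automatic Updates policy registry values and are not quoted from this page; the SUS URL http://sus-ca follows the example plant's server name.

```python
"""Offline check of the Automatic Updates policy values written by the three
Group Policy settings above.  Added example: the key and value names are the
documented Windows Update policy registry values, not text from the manual."""
import re
from typing import Dict, List, Union

RegValue = Union[int, str]

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Constructed sample: the relevant part of a "reg export" taken from a client
# configured as described above (not an export from a real plant).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-ca"
"WUStatusServer"="http://sus-ca"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse .reg text into {key path: {value name: value}}.

    dword values become int, quoted strings lose their quotes, any other
    value type is kept as the raw text after the '=' sign."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match is None or current is None:
            continue
        name, value = match.group(1), match.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
        else:
            keys[current][name] = value
    return keys


def audit_au_policy(keys: Dict[str, Dict[str, RegValue]], sus_url: str) -> List[str]:
    """Return the deviations from the recommended configuration.

    An empty list means the client matches the policy configured above."""
    wu = keys.get(WU_KEY, {})
    au = keys.get(AU_KEY, {})
    findings: List[str] = []
    if au.get("AUOptions") not in (2, 3, 4):
        findings.append("AUOptions must be 2, 3 or 4 (Configure Automatic Updates = Enabled)")
    if au.get("NoAutoRebootWithLoggedOnUsers") != 1:
        findings.append("NoAutoRebootWithLoggedOnUsers must be 1 (no auto-restart for scheduled installations)")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer must be 1 (detect updates on the intranet SUS server, not on Windows Update)")
    expected = sus_url.rstrip("/").lower()
    for name in ("WUServer", "WUStatusServer"):
        value = wu.get(name)
        if not isinstance(value, str) or value.rstrip("/").lower() != expected:
            findings.append(f"{name} must be {sus_url} (intranet update / statistics server)")
    return findings


if __name__ == "__main__":
    result = audit_au_policy(parse_reg_export(SAMPLE_REG_EXPORT), "http://sus-ca")
    print("compliant" if not result else "\n".join(result))
```

Run against an export produced with "reg export" of the WindowsUpdate key on the client, this shows at a glance whether the Group Policy has actually been applied, which is quicker than waiting out the refresh interval described in step 7.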
Multi-user system
We recommend you proceed exactly as described above for multi-user systems.
Large system
In large systems, it is absolutely essential to follow the instructions given above precisely in order to avoid security risks.
7.1
Secure Network Access to Security Cells
No communication takes place between the ERP layer (C) and control layer (A).
Data traffic between the control and MES layers: Protected and securely authenticated communication between the WinCC server (A) and the remote WinCC client (B) is permitted, but it must always be verified. This may result in slight delays and reduced performance.
Figure 7-3 Data traffic between the control layer and MES layer
Data traffic to the ERP layer via SUS-CA: Access to the SUS-CA server via HTTP is permitted for every plant computer.
Data traffic to the ERP layer with access by Web clients: A Web client (C) on the ERP layer is permitted to access a Web server (B) on the MES layer via the MES firewall.
7.2
7.2.1
7.2.2
Receiving and decrypting IPSec data traffic as a proxy, thereby offering the capability to analyze it for anomalies (see 7.4.1)
Advantage
In addition to allowing you to block the required and particularly vulnerable ports of the file and Windows network services at access points, Microsoft ISA Server allows you to use certificate-based IPSec connections to make these specific ports available again to special computers and users.
Requirements
There are no other unprotected access points to the respective security cell. The special computers and users who are permitted access must be configured with at least as much care and protection as the security cell itself. They are defined as "trusted".
FROM: "Internal SECERP", "Internal SECMES"
TO: "Internal SECERP", "Internal SECMES"
PROTOCOL: HTTP, HTTPS
ALLOW: All Users

FROM: "Internal SECControl", "Internal SECMES"
TO: "Internal SECControl", "Internal SECMES"
PROTOCOL: HTTP, HTTPS
ALLOW: All Users

FROM: "Internal SECControl", "Internal SECMES"
TO: "Internal SECControl", "Internal SECMES"
PROTOCOL: IKE Client, IKE Server, IPSec-ESP, IPSec-ESP Server, IPSec-NAT-T Client, IPSec-NAT-T Server, L2TP Client, L2TP Server, PPTP, PPTP Server
ALLOW: All Users
7.2.3
Note
WinCC V6.0 SP4 and earlier do not support the activation of a local firewall on a WinCC PC.
Multi-user system, large system
Since the WinCC PCs are located within a security cell, only a few minimal settings are needed for the local firewall. The required settings, however, cannot be published at this date. They will be made available in the next version of this document following long-term testing. This is why only the firewall properties at the access points are used at this time.
7.3
7.3.1
Approved virus scanners for WinCC V6.0 SP2 and higher (acc. to WinCC V6.0 SP4 release notes)
The following virus scanners have been tested for compatibility with WinCC V6.0 SP2 and higher:
   Symantec AntiVirus Corporate Edition V8.1 and higher
   Trend Micro ServerProtect V5.56 and higher
   Trend Micro OfficeScan NT V5.02 and higher
Note
At the current time, all virus scanners must be disabled when operating a WinCC long-term archive server, due to possible interference from the scan.
Single-user system
Since the network adapter forms the access point in a single-user system, you need to install and configure a local virus scanner.
Multi-user system, large system
With a multi-user system or large system, it is practical to install a server-client architecture for virus scanners. Figure 7-9 shows the basic principle using Trend Micro OfficeScan V7 as an example. The SUS-CA server operates as the OfficeScan server in our example plant. This PC, therefore, now performs three functions:
   Server for the Software Update Service
   Stand-alone certification authority (see Requesting and Installing Certificates)
   OfficeScan server
7.3.2 Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant
Virus scanning modules such as the "Trend Micro InterScan Web Security Suite", which can be integrated as a module in the Microsoft ISA Server, use anti-virus, anti-phishing, anti-spyware, and optional URL technologies to check all passing Web data traffic. With the Microsoft ISA Server and an integrated virus scanning module, IPSec connections can be received as a proxy for protected plant PCs, unpacked and their Web content checked for viruses. They are only forwarded to the destination computer if their content has been deemed to be safe.
7.4 Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA
Integration into the closed system means that WinCC PCs that are physically located outside the closed system or a security cell but nevertheless have access to the plant, are included in the closed system or security cell using network technology.
Multi-user system, large system
Figure 7-10 shows an example of the integration of the trusted computers WinCCClient02 and WinCCWebServer01 (B) into the control layer security cell via an IPSec tunnel to WinCCServer01 (A).
7.4.1 IP Security
IP Security (abbreviated as IPSec) is a secure communication method that can authenticate, sign and encrypt the data traffic between two or more network nodes based on filtering rules and for the most part transparently. The additional computation required by this reduces performance, however. If the data are encrypted, the data traffic can no longer be inspected. The following options are available for secure authentication of the communicating plant PCs:
   Active Directory standard (Kerberos V5 protocol)
   Using a certificate from a certification authority
   Using a character string for protecting the key exchange
Name of rule | Filter list | Filter action | Tunnel settings | Connection type | Authentication method
Default response rule: Deactivated
The names of the filter lists are chosen to reflect their function. The same applies to the filter action "3DES required": its name indicates the encryption method used.
IP filter lists for plant PCs on the control layer:
Filter list | Source address | Source mask | Source port | Destination address | Destination mask | Destination port | Mirrored | Protocol type
Traffic to Control | Own IP address | 255.255.255.255 | Any | 192.168.25.0 | 255.255.255.0 | Any | Yes | Any
Traffic to MES | Own IP address | 255.255.255.255 | Any | 192.168.125.0 | 255.255.255.0 | Any | Yes | Any
Traffic to ERP | Own IP address | 255.255.255.255 | Any | 192.168.225.0 | 255.255.255.0 | Any | Yes | Any
HTTP | Own IP address | 255.255.255.255 | Any | 192.168.125.53 | 255.255.255.255 | 443 | Yes | TCP
(name not shown) | Own IP address | 255.255.255.255 | Any | 192.168.125.53 | 255.255.255.255 | 80 | Yes | TCP
IP security rules for plant PCs on the MES layer for the "SIMATIC Networks" security policy:
Filter action | Tunnel settings
Default response rule: Deactivated
IP filter lists for plant PCs on the MES layer:
Filter list | Source address | Source mask | Source port | Destination address | Destination mask | Destination port | Mirrored | Protocol type
Traffic to Control | Own IP address | 255.255.255.255 | Any | 192.168.25.0 | 255.255.255.0 | Any | Yes | Any
Traffic to MES | Own IP address | 255.255.255.255 | Any | 192.168.125.0 | 255.255.255.0 | Any | Yes | Any
Traffic to ERP | Own IP address | 255.255.255.255 | Any | 192.168.225.0 | 255.255.255.0 | 443 | Yes | TCP
HTTP | Own IP address | 255.255.255.255 | Any | 192.168.125.53 | 255.255.255.255 | 443 | Yes | TCP
(name not shown) | Own IP address | 255.255.255.255 | Any | 192.168.125.53 | 255.255.255.255 | 80 | Yes | TCP
IP filter actions for plant PCs on the control and MES layers:
Filter action | Action | IP traffic security | Communication with computers that do not support IPSec
No | Not applicable | Not applicable
Procedure
To create a new IP Security Policy, follow the instructions in this section. We recommend you use the available wizards. If you retain the default settings, the following wizards run in turn:
   IP Security Policy Wizard
   Security Rule Wizard
   IP Filter Wizard
   Filter Action Wizard
1. Create a Microsoft Management Console (MMC) that contains the "IP Security Monitor" and "IP Security Policies on the Local Computer" snap-ins.
Click IP Security Policies in the console tree and then on Name in the right pane. Select the menu command Action > Create IP Security Policy. Follow the instructions of the IP Security Policy Wizard until the "Properties" dialog box for the new policy is displayed. Assign the name "SIMATIC Networks" for your security policy. Deactivate the standard response rule.
2. In the properties dialog box for the new security policy, open the "Rules" tab and click "Add". Follow the Security Rule Wizard instructions and make the following settings:
   Tunnel settings: The rule specifies no tunnel.
   Network type: All network connections
   In the IP Filter Lists dialog box of the Security Rule Wizard, click "Add" to start a new IP filter list. Select the name "Traffic to MES".
3. In the "IP Filter List" dialog box, click "Add" to start the IP Filter Wizard. Make the following settings:
   Mirrored: Enabled
   Source address: Own IP address
   Destination address: Special IP subnet
   IP address: 192.168.125.0
   Subnet mask: 255.255.255.0
   IP protocol type: Any
4. Click "OK" to close the "IP Filter List" dialog box.
5. Click "Next" in the Security Rule Wizard.
6. In the "Filter Action" dialog box of the Security Rule Wizard, click "Add" to start the Filter Action Wizard.
7. Follow the Wizard instructions and make the following settings:
   Name of filter action: 3DES required
   Filter action: Negotiate security
   Communication with computers that do not support IPSec: No
   IP traffic security:
8. Select the filter action you have just created in the Security Rule Wizard.
9. Follow the Wizard instructions and select "A certificate from the following certification authority" as the authentication method. Select the certification authority: Plant CA.
10. Close all dialog boxes and activate the security policy.
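To make the effect of the filter lists in the tables above and in the procedure just described concrete, the following Python model is an added example and is neither part of the manual nor Windows code: it encodes the control-layer and MES-layer filter lists and, for a packet seen by a plant PC, returns the filter list Windows IPSec would apply (and therefore whether the "3DES required" action is negotiated) or None when no filter covers the traffic, so that the packet leaves the PC unprotected by IPSec. Two assumptions are marked in the code: the fifth row of each table, whose filter list name is not shown, is treated as a second filter in the "HTTP" list, and Windows' "most specific filter wins" behaviour is modelled as longest destination prefix first, then a filter naming a port and protocol before one that says "Any".

```python
"""Model of the 'SIMATIC Networks' IPSec filter lists for plant PCs.
Added example, not the manual's or Windows' own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IpFilter:
    """One filter of a Windows IPSec filter list; the source is always 'Own IP address'."""
    filter_list: str
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int] = None     # None == "Any"
    protocol: Optional[str] = None     # None == "Any", otherwise "TCP" or "UDP"
    mirrored: bool = True              # "Mirrored: Yes" also matches the reverse direction


def make_filter(filter_list: str, dst: str, mask: str,
                port: Optional[int] = None, protocol: Optional[str] = None) -> IpFilter:
    """Build a filter from the table columns (destination address, mask, port, protocol type)."""
    return IpFilter(filter_list, ipaddress.IPv4Network((dst, mask)), port, protocol)


# Filter lists for a plant PC on the control layer (table above).
# Assumption: the unnamed fifth row (port 80) is a second filter in the "HTTP" list.
CONTROL_LAYER: List[IpFilter] = [
    make_filter("Traffic to Control", "192.168.25.0", "255.255.255.0"),
    make_filter("Traffic to MES", "192.168.125.0", "255.255.255.0"),
    make_filter("Traffic to ERP", "192.168.225.0", "255.255.255.0"),
    make_filter("HTTP", "192.168.125.53", "255.255.255.255", 443, "TCP"),
    make_filter("HTTP", "192.168.125.53", "255.255.255.255", 80, "TCP"),
]

# Filter lists for a plant PC on the MES layer: traffic to the ERP layer is
# covered only on TCP 443; everything else is as on the control layer.
MES_LAYER: List[IpFilter] = [
    make_filter("Traffic to Control", "192.168.25.0", "255.255.255.0"),
    make_filter("Traffic to MES", "192.168.125.0", "255.255.255.0"),
    make_filter("Traffic to ERP", "192.168.225.0", "255.255.255.0", 443, "TCP"),
    make_filter("HTTP", "192.168.125.53", "255.255.255.255", 443, "TCP"),
    make_filter("HTTP", "192.168.125.53", "255.255.255.255", 80, "TCP"),
]


def _matches(flt: IpFilter, own: ipaddress.IPv4Address, src_ip: ipaddress.IPv4Address,
             dst_ip: ipaddress.IPv4Address, dst_port: int, proto: str) -> bool:
    """One direction of a filter: from the local host to the destination network."""
    if src_ip != own or dst_ip not in flt.dst_net:
        return False
    if flt.dst_port is not None and dst_port != flt.dst_port:
        return False
    if flt.protocol is not None and proto != flt.protocol:
        return False
    return True


def select_filter(filters: List[IpFilter], own_ip: str, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int, proto: str) -> Optional[str]:
    """Return the name of the filter list Windows IPSec applies to this packet, or None."""
    own, src, dst = (ipaddress.IPv4Address(a) for a in (own_ip, src_ip, dst_ip))
    hits = []
    for flt in filters:
        outbound = _matches(flt, own, src, dst, dst_port, proto)
        # Mirrored filter: the same rule with source and destination swapped.
        inbound = flt.mirrored and _matches(flt, own, dst, src, src_port, proto)
        if outbound or inbound:
            hits.append(flt)
    if not hits:
        return None
    # Assumption: most specific filter wins (longest prefix, then explicit port/protocol).
    best = max(hits, key=lambda x: (x.dst_net.prefixlen,
                                    x.dst_port is not None, x.protocol is not None))
    return best.filter_list


def ipsec_action(filters: List[IpFilter], own_ip: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, proto: str) -> str:
    """Every filter list in the policy above is bound to the '3DES required' action."""
    name = select_filter(filters, own_ip, src_ip, src_port, dst_ip, dst_port, proto)
    if name is None:
        return "no filter: traffic is not protected by IPSec"
    return f'{name}: "3DES required" (negotiate security)'


if __name__ == "__main__":
    pc = "192.168.25.10"   # constructed address of a control-layer PC
    print(ipsec_action(CONTROL_LAYER, pc, pc, 1050, "192.168.125.53", 443, "TCP"))
    print(ipsec_action(CONTROL_LAYER, pc, pc, 1051, "10.0.0.5", 80, "TCP"))
```

Because all five filter lists in the policy are bound to the same "3DES required" action, the only outcome that matters operationally is hit versus no hit: a destination outside the three plant subnets is not covered by any filter and is therefore sent without IPSec, which is exactly the case the firewall rules at the access points have to catch.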
7.4.2 Using and Configuring Authentication and Encryption with Secure Sockets Layer
3. Log onto WinCCWebServer01 as the user configured in the "User Administrator" editor.
4. If the WinCC WebNavigator has not yet been installed on WebClient02, this can be done now via HTTPS. The same applies to the WinCC/WebNavigator user plug-ins.
5. The plant displays can now be shown on WebClient02.
7.4.3 Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
VPN
Microsoft definition: http://www.microsoft.com/technet/isa/2004/plan/vpnroamingquarantine.mspx
Application of VPN
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. To emulate a point-to-point link, data are encapsulated, or packed, with a header that provides routing information. This information allows the data to traverse the shared or public network to reach its destination. To emulate a private link, the data are encrypted for confidentiality. Data intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data are encapsulated and encrypted is a VPN connection.
Operating principle
Note
We have decided to use a stand-alone ISA Server 2004 for VPN dial-up in the following example. Of course, one of the two firewalls (Figure 7-16) might also perform this job if it is an ISA Server 2004. The combination of SUS and Quarantine Control PC is also only an example. The two functions could also be separated and run on different computers.
1. First, a dial-up file must be created, for example by "Production-Admin" (Section 3). This file establishes a VPN connection, checks the support computer (A), installs the security updates and certificates, and then allows the support computer access to the plant. (For more detailed information, see "Configuration overview" below.)
2. The support employee must then connect to the network through an access point (C) assigned to him or her by the plant personnel.
3. Although the support computer (A) is now connected to the ISA Server 2004 (B), as an unknown computer it has absolutely no permissions on the network and cannot access the plant. Only after the administrator has provided the support computer with the dial-up file can the actual support dial-up begin. The administrator can supply the dial-up file to the support employee on a floppy or CD, or make it available in a shared folder on the ISA server.
4. Once the support employee has run the dial-up file, (s)he simply needs to enter his or her user name and password, which (s)he will have received from Production-Admin, for authentication purposes. This information must be specified by the administrator when configuring the ISA server VPN dial-up (see VPN Configuration). An encrypted VPN connection (D) to the ISA server is now established (see Figure 7-17).
5. ISA Server 2004 detects the new VPN connection and, based on its firewall rules (see Quarantine Configuration), recognizes from the IP address and user name that it is a support dial-up. ISA Server 2004 assigns the support computer an IP address on the quarantine network (E) (see Figure 7-18).
6. Once the support computer is on the quarantine network, it begins its check. Depending on the requirements of the plant, it might check whether:
   A virus scanner is activated
   The support computer is free of viruses
   A firewall is active
   All the latest updates and patches have been installed
Any missing components and patches may be installed or activated from the SUS/Quarantine Control server (F). If the plant is working with IPSec, a certificate may be requested and installed from the certification authority. The computer has no access to the plant during this entire procedure.
7. Only once all checks have been completed successfully does the dial-up file inform ISA Server 2004, which then allows the support computer full access to the plant (G).
Note
Only the connection to the support hub is a real, physical connection. All other connections (Figure 7-17 Support dial-up VPN tunnel to Figure 7-19 Support dial-up plant access) are emulated as "virtual" connections by ISA Server 2004. This means that the support computer is given permissions by the policies and rules as if it were a subscriber to these networks.
Configuration overview
The configuration of the support dial-up is divided into three main parts:
   VPN configuration
   Quarantine configuration
   Creation of a Connection Manager profile. This is the dial-up file that establishes the connection from the VPN client (support computer) to the dial-up computer (ISA Server 2004) and checks the VPN client.
The basic steps involved in this configuration are explained in the following section based on the example above. The general settings for ISA Server 2004 are not described here.
VPN configuration
Proceed as described in Figure 7-20 to configure VPN remote dial-up. The numbering of the sections below corresponds to the individual steps. Click the respective links to perform the configuration tasks.
1. Verify that VPN client access is enabled (Step 1):
For the ISA Server to accept VPN client connections, the "Enable VPN client access" box must be checked. Specify the maximum number of simultaneous connections in the "Maximum number of VPN clients allowed" edit box. Enter a value of 10 here to allow ten clients simultaneous access.
2. Specify Windows users (Step 2): ISA Server 2004 expects information about the users or group of users that are allowed to establish VPN connections with the ISA server. It does not matter whether this is a local group or a group from the domain. Enter a local group called "VPN Support Dial-up" in the Windows User Management. Add all users who are permitted to access the plant through the support dial-up to this group. It is best to create dedicated support users for this purpose.
Now add this group on the "Groups" tab of the VPN Clients Properties dialog box.
3. Verify the VPN properties (Step 3.1): In the "Protocols" tab, select the tunneling protocol for which ISA Server 2004 is to accept connections. Select the default tunneling protocol "Enable PPTP". Although it offers somewhat less security than a connection via IPSec, it does not require its own certificate for the connection. PPTP is fully sufficient for the support dial-up.
4. Verify remote access configuration (Step 3.2): VPN access can take place from several networks. However, as support employees only have access to the plant through specific dial-up points, only one network, i.e., the support network including all dial-up points for support employees, is required. If VPN connections from other networks are added later, for example, support dial-up via the Internet, they also have to be specified here.
Specify how the VPN clients receive their IP address in the "Address Assignment" tab. This can be through a static address pool or through a DHCP server. The "Use the following network to obtain DHCP, DNS and WINS services" option specifies which DNS server and WINS server is assigned to the VPN client.
Select "Static address pool" and click "Add". Enter the address range 192.168.68.90 to 192.168.68.100. The number of addresses in the range must exceed the number of simultaneous connections assigned by at least one. For DHCP, DNS, and WINS services, use the MES network where the access computer for the VPN clients is located.
These settings could also be configured manually by clicking the "Advanced" button (see small image), but it is not necessary here.
To establish the connection, an authentication method to be used to authenticate the support employee must be specified. It makes sense here to accept the MS-CHAPv2 authentication method, since this is the most secure of the available methods for authenticating with user name and password.
Steps 4 and 5 in Figure 7-20, configuring the firewall rules for the VPN clients and configuring the network rules, are dealt with at the end of the quarantine configuration together with the required settings.
The two notification components, RQS.exe and RQC.exe, are required from the Windows 2003 Resource Kit and the update. They are used by the VPN client to inform the dial-up computer that the former has successfully completed its check. RQS.exe is a listener component that runs on the dial-up computer. It waits for notification from the VPN client. RQC.exe is its counterpart, and sends the notification to the dial-up computer. The syntax is as follows:
   rqc connection name Tunnel name Domain User name Authentication string
After installing the resource kit and update, install the RQSUtils. Follow the dialog boxes and specify an installation path.
Now open Configuration/Networks in the ISA Management Console and select the "Networks" tab. Select Quarantined VPN clients, right-click the object and select Properties from the context menu. In the "Quarantine" tab, check the Enable quarantine control box and select "Quarantine according to ISA Server policies".
Now use the Connection Manager Administration Kit on ISA Server 2004 to create a Connection Manager profile and the dial-up file that is used by a VPN client to establish a connection to the dial-up computer and that allows the VPN client to be checked.
Check the "Phone book from this profile" box and enter the IP address of ISA Server 2004.
Uncheck the "Automatically download phone book updates" box.
Enter a name for the profile to be displayed later in "My Network Places/Connections" on the VPN client. Enter a name for the dial-up file to be generated.
The most important component - the quarantine script - appears. As discussed above, it is the core of VPN quarantine dial-up. The Production Administrator can use it to perform all actions (s)he deems necessary to check the support computer.
Select "Post-connect" from the "Action type" drop-down list box. This script will be executed once the VPN client is on the quarantine network. Once the script has successfully performed all actions, it uses RQC.exe to send a string (see ConfigureRQSForISA.vbs) to the dial-up computer, enabling it to take the VPN client out of quarantine and add it to the plant network.
Example script: The following is an example script published by Microsoft that has been changed slightly. This script does not have its own check function; it only serves as a basic framework. It can be modified as needed to execute any desired actions. The script syntax is as follows:
script.bat %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
%DialRasEntry% becomes %1
%TunnelRasEntry% becomes %2
%Domain% becomes %3
%UserName% becomes %4

@echo off
echo RAS Connection = %1
echo Tunnel Connection = %2
echo Domain = %3
echo User Name = %4
set MYSTATUS=
REM
REM Network Policy Check
REM
REM Checks if ICF is enabled
REM Sets ICFCHECK to 1 (pass).
REM Sets ICFCHECK to 2 (fail).
REM Checks for installed virus scanner
REM Sets VIRCHECK to 1 (pass).
REM Sets VIRCHECK to 2 (fail).
REM The checks themselves are not part of this framework: insert them here
REM and set ICFCHECK and VIRCHECK from their results.
REM Rqc.exe is run based on the results
REM
if "%ICFCHECK%" == "2" goto :TESTFAIL
if "%VIRCHECK%" == "2" goto :TESTFAIL
rqc.exe %1 %2 7250 %3 %4 Version1
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM 7250 is the TCP port where Rqs.exe sets a listener
REM %3 = %Domain%
REM %4 = %UserName%
REM Version1 is the authentication string
REM
goto :EOF
:TESTFAIL
REM A check failed: Rqc.exe is not called, so the client stays on the quarantine network.
echo Quarantine check failed - access to the plant is not granted.
You can include other files in the profile in the final dialog box. Since the script needs RQC.exe to notify the dial-up computer that the check has been completed successfully, this file MUST be added (you can find it in the Windows 2003 Resource Kit directory). All other files required by your script must also be added.
Once you have finished, you will find a folder with the name of your profile in the Program Files\cmak\Profiles directory. All of the utilized files are stored there. The client only needs the EXE file and the additional file attachments. Now, when the EXE file is executed on the support computer, a connection to the dial-up computer will be established and the client added to the quarantine network, checked and given access to the plant.
Large system
Large systems are considered under the same terms as multi-user systems. The function of the dial-up computer can be fulfilled by a firewall between the networks (ERP layer, MES layer, control layer), provided the firewall is an ISA Server 2004, or by a stand-alone ISA Server 2004.
7.5
7.5.1
General information
Certification authority type: Stand-alone root certification authority
General name of the certification authority: Plant CA.
Procedure
The installation procedure is also described in the Microsoft "Help and Support Center" for Windows Server 2003 under "How to Install a Stand-Alone Root Certification Authority".
1. Log onto the system as an Administrator, or if you have the Active Directory service, log onto the system as a Domain Administrator.
2. Select the menu command Start > Settings > Control Panel.
3. Double-click "Add or Remove Programs" and then "Add/Remove Windows Components".
4. In the Windows Components Wizard, check the "Update Root Certificates" box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after the installation of Certificate Services. Click "Yes" and then "Next".
5. Click "Stand-alone: root CA".
6. Enter the general name of the certification authority. This information cannot be changed once the certification authority has been installed.
7. In "Validity period", specify the validity duration for the root certification authority. See the note below for items to consider when setting this value. Click "Next".
8. Specify the storage locations for the certificate database, the certificate database log and the shared folder. Click "Next".
9. If Internet Information Services (IIS) is running, you will be prompted to stop it before proceeding with the installation. Click "OK".
10. If prompted, enter the path to the Certificate Services installation files.
11. Check the certification authority in the following MMC:
12. In the IIS (Internet Information Services), ensure that the "Enable session state" box is checked in the properties for the application configuration of the Web site on which the certificate server service is to run (see http://support.microsoft.com/default.aspx?scid=kb;en-us;840690):
   Click "Start > Programs > Administration Tools > Internet Information Services Manager".
   Right-click the Web site on which the certificate server service is running, and then select "Properties".
   Click the "Home Directory" tab, and then under "Application Settings", click "Configuration".
   Click the "App Options" tab in the "Application Configuration" dialog box, and then check the "Enable session state" box.
   Restart Microsoft Internet Information Services (IIS).
7.5.2
Procedure
1. Open Internet Explorer.
2. Enter "http://sus-ca/certsrv" as the "Address", where the server name ("sus-ca" here) is the name of the Web server under Windows Server 2003 on which the corresponding certification authority is located.
3. Click "Download CA certificate, certificate chain or CRL" and then "Next".
4. If you want to trust all the certificates issued by this certification authority, click "Install this CA certificate chain".
5. Once you have finished using the Certificate Services Web pages, close Internet Explorer.
Check the installation of the certification authority certificate using the "Certificates (Local Computer)" and "Certificates (Current User)" snap-ins in the Microsoft Management Console (MMC). The certification authority certificate should be listed for the current user as well as the local computer under Trusted Root Certification Authorities. If this is not the case, cut the certification authority certificate from the Trusted Root Certification Authorities for the current user and paste it to the same location for the local computer.
7.5.3
   Select the "Mark keys as exportable" check box
   Select the "Use local machine store" check box
8. Leave all the other options set to the default value unless you need to make a specific change.
9. Click "Submit".
10. If the certification authority is configured to issue certificates automatically, the "Certificate Issued" screen should appear. Click "Install this Certificate". The "Certificate Installed" screen should appear with the message "Your new certificate has been successfully installed".
11. If the certification authority is not configured to issue certificates automatically, a "Certificate Pending" screen appears, requesting that you wait for an administrator to issue the certificate that was requested. To retrieve a certificate that an administrator has issued, return to the Web address and click "Check on a pending certificate". Click the requested certificate, and then click "Next". If the certificate is still pending, the "Certificate Pending" screen appears. If the certificate has been issued, the "Install this Certificate" screen appears.
If the certificate you have installed does not appear here, it has either been installed as a "User certificate request", or you did not select "Use local machine store" within the advanced request.
7.5.4
Summary
Secure Sockets Layer (SSL) is a collection of encryption methods that provide authentication, trust verification and data integrity. SSL is the method most often used between Web browsers and Web servers to establish a secure communication channel. SSL can also be used for secure communication processes between client applications and Web services. A Web server must be configured with an SSL certificate in order to support SSL communication processes. The following sections describe how to request an SSL certificate and how to configure Microsoft Internet Information Services (IIS) to provide support for secure communication processes with Web browsers and other types of client application that use SSL.
7.5.4.1
Procedure
1. Start the "IIS-MMC" (Microsoft Management Console) snap-in.
2. Expand the node with the name of your Web server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Under "Secure communications", click the "Server Certificate" button to start the Web Server Certificate Wizard. Note: If the "Server Certificate" button is not available, you have probably selected a virtual directory, a directory or a file. Repeat Step 2 and select a Web site.
6. Click "Next" to close the "Welcome" dialog box.
7. Click "Create a new certificate" and then click "Next".
8. The dialog box displayed now contains the following two options:
   "Prepare the request now, but send it later": This option is always available.
   "Send the request immediately to an online certification authority": This option is only available when the Web server has access to one or more Microsoft certificate servers in a Windows 2000 domain that are configured to issue Web server certificates. At a later point in the request procedure you will have the opportunity to select from a list the certification authority to which you wish to send your request.
Click "Prepare the request now, but send it later" and then "Next".
9. Enter a meaningful name for the certificate in the "Name" field, for example "WebNavigator". Now enter 1024 as the bit length of the key in the "Bit length" field and click "Next". The Wizard uses the name of your current Web site as the default name. This name is not used in the certificate itself; it is only displayed to help administrators identify the certificate.
10. Type your organization name (e.g., Plant) in the "Organization" field and the organizational unit (e.g., Laboratory) in the "Organizational unit" field, and click "Next". Note: This information is entered into the certificate request; check it carefully to ensure it is correct. The certification authority checks this information and enters it into the certificate. Visitors to your Web site might wish to display this information to decide whether to accept the certificate.
11. Enter a common name for the site in the "Common Name (CN)" field and then click "Next". Important: The common name is one of the critical pieces of information entered in the certificate. It is the DNS name of the Web site (i.e., the name that the user enters to visit your site). If the certificate name does not match the site name, a certificate problem is reported when users visit the site. If the site is located on the Web and its name is "http://www.plant.com", enter this as the common name. If the site is an intranet site and users select it by computer name, enter the NetBIOS or DNS name of the computer, in this example "WinCCWebServer01.laboratory.plant.com".
12. Enter a common name for the site in the "Common Name (CN)" field and then click "Next".
13. Enter the relevant information in the "Country/Region", "State/Province" and "City" fields and click "Next". Enter a file name for the certificate request. The file contains information such as:
-----BEGIN NEW CERTIFICATE REQUEST----MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy... -----END NEW CERTIFICATE REQUEST-----
This is a Base64-coded representation of your certificate request. The request contains the information entered in the Wizard as well as your public key. It also contains information that is signed by the private key. The request file is sent to the certification authority. The certification authority then uses the public key information from the certificate request to verify the information signed with the private key. The certification authority also checks the information sent with the request. Once you have sent the request to the certification authority, the certification authority sends back a file containing the certificate. Start the Web Server Certificate Wizard again. 14. Click "Next". The Wizard now shows a summary of the information contained in the certificate request. 15. Click "Next" and then "Finish" to complete the request process. The certificate request can now be sent to the certification authority for analysis and processing. Once you have received a response, you can continue and, using the IIS Certificate Wizard again, install the certificate contained in the response on the Web server.
7-60
7.5.4.2
Procedure
1. Open the certificate request file you created in the previous procedure in Notepad and copy its entire content to the clipboard.
2. Open Internet Explorer and navigate to "http://SUS-CA/CertSrv", where SUS-CA is the name of the computer on which Microsoft Certificate Services is running.
3. Click "Request a Certificate".
4. On the "Request a Certificate" page, click "Advanced Request".
5. On the "Advanced Request" page, select "Submit a certificate request using a base64-encoded CMC or PKCS #10 file, or a renewal request using a base64-encoded PKCS #7 file".
6. On the "Submit Certificate or Renewal Request" page, click the text field for the Base64-coded certificate request (PKCS #10 or #7) and press CTRL+V to paste the certificate request you copied to the clipboard.
7. Click "Submit".
8. Close Internet Explorer.
7.5.4.3 Issuing a Certificate
Procedure
1. Start the "Certification Authority" utility by selecting "Administrative Tools" under Programs.
2. Expand your certification authority and select the "Pending Requests" folder.
3. Select the certificate request you just submitted.
4. Select the menu command Action > All Tasks and click "Issue".
5. Check that the certificate appears in the "Issued Certificates" folder and double-click it to display it.
6. On the "Details" tab, click "Copy to File" and save the certificate as a Base64-coded X.509 certificate.
7. Close the properties window of the certificate.
8. Close the "Certification Authority" utility.
7.5.4.4
Procedure
1. Start Internet Information Services if it is not already running.
2. Expand the node with the name of your server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Click "Server Certificate" to start the Web Server Certificate Wizard.
6. Click "Process the pending request and install the certificate" and then "Next".
7. Type the location and name of the file containing the response from the certification authority and then click "Next".
8. Make sure that 443 is entered as the SSL port and click "Next".
9. Verify that the information in the certificate overview is correct, then click "Next" and "Finish". The certificate is now installed on the Web server.
7.5.4.5
Procedure
1. Start Internet Information Services if it is not already running.
2. Expand the name of your server, right-click the "WebNavigator" Web site and select "Properties".
3. Click the "Directory Security" tab.
4. Click "Edit" under "Secure Communications".
5. Click "Require secure channel (SSL)". Web clients that wish to access the Web site must now use HTTPS. Select "Require 128-bit encryption" as well, so that weak cipher suites are not accepted.
6. Click "OK" and then click "OK" again to close the "Properties" dialog box.
7. Close Internet Information Services.
Check the result from a client: a request to "http://WinCCWebServer01.laboratory.plant.com" must now be refused with HTTP error 403.4 (SSL required), while "https://WinCCWebServer01.laboratory.plant.com" must succeed without a certificate warning.
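As an added, self-contained example (not part of this manual and not WinCC or Microsoft code), the following Go program carries the same request, issue and verify flow through in code: it builds the PKCS #10 request the Web Server Certificate Wizard writes in 7.5.4.1, performs the checks the CA operator should make before clicking "Issue" in 7.5.4.3 (self-signature, common name, key length), issues the certificate, and performs the name and chain check that an HTTPS client makes once 7.5.4.5 forces SSL. The host name "WinCCWebServer01.laboratory.plant.com", the organization values and the CA name "SUS-CA" are taken from the worked example above; the 2048-bit minimum and the self-signed root standing in for Microsoft Certificate Services are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed values for this example: the host name from the wizard steps above, and a
// 2048-bit minimum in place of the 1024 bits the original text specifies.
const SiteHost = "WinCCWebServer01.laboratory.plant.com"
const MinBits = 2048

// derOf strips the PEM armour; the label ("NEW CERTIFICATE REQUEST", "CERTIFICATE") is not checked.
func derOf(p []byte) []byte {
	if b, _ := pem.Decode(p); b != nil {
		return b.Bytes
	}
	return nil
}

// NewRequest builds the PKCS #10 request the Web Server Certificate Wizard writes,
// PEM-encoded as the wizard does, and returns it together with its private key.
func NewRequest(host string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host, Organization: []string{"Plant"}, OrganizationalUnit: []string{"Laboratory"}},
		DNSNames: []string{host}, // current clients match the SAN, not only the CN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "NEW CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckRequest is what the CA operator should do before clicking "Issue": confirm the
// self-signature (proof of key possession), the CN against the host users type, and the key size.
func CheckRequest(pemCSR []byte, expectHost string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(derOf(pemCSR))
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the key it carries: %w", err)
	}
	if !strings.EqualFold(csr.Subject.CommonName, expectHost) { // DNS names are case-insensitive
		return nil, fmt.Errorf("CN %q does not match site name %q", csr.Subject.CommonName, expectHost)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < MinBits {
		return nil, fmt.Errorf("RSA key shorter than %d bits", MinBits)
	}
	return csr, nil
}

// NewCA creates a self-signed root standing in for the Microsoft Certificate Services CA.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, MinBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SUS-CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue signs a checked request with the CA key and returns the Base64 X.509
// certificate that "Copy to File" exports for installation on the Web server.
func Issue(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// VerifyServerCert is the client-side check made over HTTPS: the certificate must
// chain to the trusted CA and its name must match the host the user typed.
func VerifyServerCert(pemCert []byte, ca *x509.Certificate, host string) error {
	cert, err := x509.ParseCertificate(derOf(pemCert))
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Exercise the functions from a small main or a Go test: NewRequest, then CheckRequest, then NewCA and Issue, then VerifyServerCert. CheckRequest rejects a request whose CN is "www.plant.com" when the site is WinCCWebServer01.laboratory.plant.com, and rejects the 1024-bit key the 2006 text suggests; VerifyServerCert rejects a certificate presented under the wrong host name or signed by a CA the client does not trust, which is exactly what the browser warnings described in step 11 of 7.5.4.1 signal.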
7-62
8 Concluding remarks
8.1 Residual Risks
Comprehensive protection for your plant can be assured only if you implement, without exception, all of the principles described in the previous sections. This addresses all of the security vulnerabilities and threats known at the time of writing. However, there is always a risk of unforeseen events and threats:
- Hardware can fail or malfunction.
- Software can malfunction.
- New and as yet unknown viruses can infiltrate the plant.
8.2
Additional Measures
Residual risks cannot be entirely avoided. To guard against problems arising from these residual risks, or to locate and overcome such problems quickly, we recommend that you monitor all hardware and software extensively. "Production Admin" should employ the following methods and tools as part of this monitoring effort:
- Monitoring of all plant PCs and hardware using special programs such as WinCC Scope or APDiag (see: WinCC Information System)
- Planning logical monitoring policies and evaluating the logs created as a result
9 References

/1/ BSI IT Baseline Security Manual
/2/ FDA 21 CFR 11; http://www.gmppublications.com
/3/ NAMUR Worksheet NA 67 "Information Protection for Process Control Systems (PCS)"; http://www.namur.de
/4/ NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"; http://www.namur.de
/5/ ISA TR99.00.01-2004 "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004
/6/ Online Help WinCC V6.0 SP4 Release Notes
/7/ Online Help WinCC Web Navigator V6.1 SP1 Release Notes
/9/ Windows Server 2003 Security Guide: http://www.microsoft.com/...
/10/ Windows XP Security Guide: http://www.microsoft.com/...
/11/ Threats and Countermeasures Guide (companion guide): Security settings available in Windows Server 2003 and Windows XP: http://www.microsoft.com/...
/12/ Microsoft Initiative "Strategic Technology Protection Program" (STPP): http://www.microsoft.com/smserver/evaluation/overview/secure.mspx
/13/ Microsoft Windows Server 2003 Server Resource Kit
/14/ Microsoft Windows XP Resource Kit
/15/ Microsoft Windows 2000 Security Resource Kit
/16/ Trend Micro OfficeScan 7 Installation and Deployment Guide
/17/ Trend Micro OfficeScan 7 Administrator's Guide
10 Meaning of the Symbols Used

The symbols used in the figures of this manual have the following meanings:
- MES plant segment (e.g., quality control)
- Physical access control (e.g., guards, security services)
- Ethernet bus system in a plant: red - bus in the ERP system; yellow - bus in the MES system; green - terminal bus; blue - plant bus
- Service, office PC or external PC that may be able to access the visualization system or associated data via a special application (application described in the graphic)
- WinCC single-user system
- WinCC server
- SIMATIC IT client
- SIMATIC IT server
- A WinCC database is installed on the PC (for user data or archive data)
- A WinCC archive database is installed on the PC (for user data or archive data)
- A database for updates and backups is installed on the PC
- A SIMATIC IT database is installed on the PC (for user data or archive data)
- Storage group for ERP systems
- Group
- This user or group is a member of a global group in the domain, or is a domain user (different groups)
- Active Directory is running on the domain controller
- Folder
- Organizational units
- Local policy
- Router
- Firewall
Glossary
3DES
Source: Microsoft Help and Support Center Windows Server 2003
An implementation of DES (Data Encryption Standard) that applies three DES operations to each data block. Because a 56-bit key is used in each operation, the total key length is 168 bits. Although 3DES is slower because of the additional cryptographic calculations, it is much more secure than DES. Note that the effective strength of three-key 3DES is about 112 bits (meet-in-the-middle attack) and that 3DES has since been deprecated in favor of AES; prefer AES wherever the platform supports it.
Access Control
Source: Microsoft Help and Support Center Windows Server 2003 Access Control is a security mechanism that determines which actions can be carried out by a user, group, service, or computer for a computer or a specific object such as a file, a printer, a registry subkey or a directory services object.
Account
Access permission for a specific person on a network. A user name and password are usually part of an account.
Active Directory
Source: Microsoft Help and Support Center Windows Server 2003 A Windows-based directory service. Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. See also: Domain
Address
Source: Microsoft Help and Support Center Windows Server 2003 A unique identifier used by a network node to identify itself to other nodes on the network. It is also referred to as the "network address" or "MAC address".
Administrator
Source: Microsoft Help and Support Center Windows Server 2003 In the Windows Server 2003 product family, an administrator is a person who is responsible for installing and managing local computers, stand-alone servers, member servers or domain controllers. An administrator sets up user and group accounts, assigns passwords and permissions and helps users who have network problems. Administrators can be members of the Administrators group on local computers or servers. A person who is a member of the Administrators group on a local computer or server has full access rights to the computer or server and can assign users access rights as needed. Administrators can also be members of the Domain Admins group on domain controllers. In this case they have full control over user and computer accounts in the domain. See also: Domain, User account, Domain controller, Access control
AS
See definition for Automation system (AS).
Authentication
Source: Microsoft Help and Support Center Windows Server 2003 Authentication is the process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information by verifying a digital signature or verifying the identity of a user or computer.
Authentication protocol
Source: Microsoft Help and Support Center Windows Server 2003 The protocol that an entity on a network uses to prove its identity to a remote entity. The identity is typically proven by a secret key such as a password or with a key that is even more secure such as a Smart card. Some authentication protocols implement procedures for the shared use of keys between client and server in order to ensure message integrity or data protection.
Authorization
Authorization is the process of granting a user on a computer system or network permission to perform certain actions. See also: Authentication
Building
Source: BSI Baseline Security Manual Chapter 4.1 Buildings surround the installed information technology and thereby ensure its outer protection. The infrastructure facilities of a building are also a necessary requirement for IT operation. Therefore, the building structure, such as walls, ceilings, floors, roof, windows, and doors must be taken into consideration, along with all building-wide utilities such as electricity, water, gas, heating, letter chutes, etc.
Central clock
The following central clocks are suitable for synchronizing a plant with an exact time of day:
- GPS (Global Positioning System): global satellite system for computing exact positions on the earth; the satellites also transmit a time signal.
- DCF77: radio signal from a time code transmitter in Mainflingen near Frankfurt (Federal Republic of Germany); the signal can be received with sufficient strength in many parts of Europe.
- Publicly available and recognized time servers on the Internet (e.g., time.nist.gov).
- Plant-specific, locally restricted clock.
Certificate
Source: Microsoft Help and Support Center Windows Server 2003 A digital document that is commonly used for authentication and secure exchange of information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. See also: Certification Authority (CA)
Certificate Service
Source: Microsoft Help and Support Center Windows Server 2003 A software service that issues certificates for a particular certification authority. It provides customizable services for issuing and managing certificates for the organization. Certificates can be used to provide authentication support. This includes secure e-mail, web-based authentication and Smart Card authentication. See also: Authentication, Service, Internet Authentication Service (IAS), Certificate, Certification Authority (CA)
Class A IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 1.0.0.1 and 126.255.255.254. The first octet indicates the network, and the last three octets indicate the host on the network. The network 127.0.0.0 is reserved for loopback addresses. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).
Class B IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 128.0.0.1 and 191.255.255.254. The first two octets indicate the network, and the last two octets indicate the host on the network. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).
Class C IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 192.0.0.1 and 223.255.255.254. The first three octets indicate the network, and the last octet indicates the host on the network. Network Load Balancing provides optional session support for Class C IP addresses (in addition to support for single IP addresses) to accommodate client-side use of multiple proxy servers. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).
Client
Source: Microsoft Help and Support Center Windows Server 2003 Any computer or program connecting to, or requesting the services of, another computer or program. A client can also refer to the software that a computer or program can use to establish the connection. On a local area network (LAN) or the Internet, a client is a computer that accesses shared network resources provided by another computer (called a server).
Closed system
Source: FDA 21 CFR 11 A closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
Control layer
The name of the bottom layer of the automation pyramid. (Top: ERP - Middle: MES - Bottom: Control layer) Typical systems used in this area of the automation hierarchy, which is close to the process, are operator control and monitoring systems such as SIMATIC WinCC (SCADA = Supervisory Control and Data Acquisition), PLCs such as SIMATIC S7-300 and S7-400 (PLC = Programmable Logic Controller), drives, sensors, etc.
Control system
All of the automation systems and SCADA systems available on the control layer.
Data integrity
Source: Microsoft Help and Support Center Windows Server 2003 A property of secure communication by means of which a computer can verify that data has not been altered or corrupted during transmission from the source. Data protected by IPSec (Internet Protocol Security), for example, are assigned a cryptographic checksum that uses a secret key known only to the communicating IPSec peers. An intermediate node can change the data, but without knowing the secret key it cannot correctly recalculate the cryptographic checksum.
Delegation
Source: Microsoft Help and Support Center Windows Server 2003 The assignment of responsibility for management and administration tasks to a user, computer, group, or organization. For Active Directory, the assignment of responsibility in such a way that users can perform certain administration tasks or manage certain directory objects without administrative logon credentials. Responsibility is assigned by means of membership of a security group, the Delegation of Control Wizard, or Group Policy settings. For DNS, the assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server authoritative for the delegated zone. See also: Active Directory, DNS (Domain Name System), DNS server, Group Policy, Security group, Zone
DES
Source: Microsoft Help and Support Center Windows Server 2003 See definition for: Data Encryption Standard, DES
Desktop
Source: Microsoft Help and Support Center Windows Server 2003 The desktop is the on-screen work area in which windows, icons, menus, and dialog boxes appear.
Device
Source: Microsoft Help and Support Center Windows Server 2003 Any piece of equipment that can be attached to a network or computer, for example, a computer, printer, joystick, adapter or modem card, or any other peripheral equipment. Devices normally require a device driver to function with Windows. For Windows licensing, electronic devices such as computers, workstations, terminals, and handheld computers that can access or use the services of the Windows operating system, including file and printer sharing, remote access and authentication.
DHCP
Source: Microsoft Help and Support Center Windows Server 2003 See definition for: Dynamic Host Configuration Protocol (DHCP)
DHCP server
Source: Microsoft Help and Support Center Windows Server 2003 A computer running the Microsoft DHCP service. This provides active DHCP clients with dynamic configuration of IP addresses and related information. See also: Dynamic Host Configuration Protocol (DHCP), IP address, DHCP service
DHCP service
Source: Microsoft Help and Support Center Windows Server 2003 A DHCP service is a service that enables a computer to function as a DHCP server and to configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for network clients.
DMZ
See definition for: Demilitarized zone (DMZ)
DNS client
Source: Microsoft Help and Support Center Windows Server 2003 A client computer that asks the DNS server to resolve domain names. DNS clients keep a temporary cache of known DNS domain names. See also: Client, DNS (Domain Name System), DNS server
DNS server
Source: Microsoft Help and Support Center Windows Server 2003 A server that administers information for part of the DNS database and responds to and resolves DNS queries. See also: DNS (Domain Name System), DNS client, Server
Domain
Source: Microsoft Help and Support Center Windows Server 2003 In Active Directory, a domain is a collection of computer, user and group objects defined by an administrator. These objects share a common domain database, security policies and trust relationships with other domains. In DNS, any structure or partial structure within the DNS namespace. Although the names of DNS domains and Active Directory domains are often the same, DNS domains should not be confused with Active Directory domains. See also: Active Directory; DNS (Domain Name System)
Domain controller
Source: Microsoft Help and Support Center Windows Server 2003 A computer in a Windows domain environment, which runs Active Directory and manages user access to a network. Its responsibilities include logon management, authentication and access to directories and shared resources.
Domain name
Source: Microsoft Help and Support Center Windows Server 2003 The name given by an administrator to a group of networked computers that access a shared directory. Domain names are part of the DNS namespace tree and consist of a sequence of names separated by a period.
Encryption
The process of encoding data or messages so that their content cannot be read without the corresponding key.
ERP
Enterprise Resource Planning. Typical areas covered by ERP systems are:
- Finances and accounting
- Controlling
- Human resources
- Research and development
- Sales and marketing
- Master data management
Since different branches of industry pose highly varying requirements for ERP systems, most major suppliers offer solutions that include specially designed packages for specific branches.
FDA
Food & Drug Administration (FDA) (USA) The Food & Drug Administration (FDA) sets guidelines for the validation of processes and products. The most important, internationally applicable requirements for automation engineering (in regard to validation) are included in the GMP regulations 21 CFR Part 11.
Firewall
Source: Microsoft Help and Support Center Windows Server 2003 A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between computers on the network and external machines by routing communication via a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a "security-edge gateway". See also: Proxy server
FQDN
See definition for: Fully Qualified Domain Name (FQDN)
Group Policy
Source: Microsoft Help and Support Center Windows Server 2003 The Active Directory infrastructure that enables directory-based change and configuration management of user and computer settings, including security and user data. Group Policy can be used to define configurations for groups of users and computers. You can use Group Policy to make settings for registry-based policies, security, the installation of software, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings you make are stored in a Group Policy Object (GPO). You can link a GPO to selected Active Directory containers (sites, domains and organizational units) in order to apply the Group Policy settings in the GPO to the users and computers in these containers. Use the Group Policy Object Editor to create individual GPOs. You can use the Group Policy Management Console to manage Group Policy objects throughout the company.
Host
Source: Microsoft Help and Support Center Windows Server 2003 A device in a TCP/IP network that has an IP (Internet Protocol) address. This includes servers, workstations, printers with a network interface, and routers. Sometimes it refers to a specific network computer that performs a service used by network or remote clients. For Network Load Balancing, a cluster consists of multiple hosts connected over a local area network (LAN). See also: Service, Transmission Control Protocol/Internet Protocol (TCP/IP), Server, Client, Local Area Network (LAN)
Host ID
Source: Microsoft Help and Support Center Windows Server 2003 The part of the IP address uniquely identifying a computer in a specific network ID. See also: IP address
Host name
Source: Microsoft Help and Support Center Windows Server 2003 The DNS name of a device on a network. This name is used to locate computers on the network. Before a computer can be located, its host name must be included in the hosts file or be known to a DNS server. On most computers running Windows, the host name and computer name are identical. See also: DNS (Domain Name System), DNS server
HTTP
See definition for: Hypertext Transfer Protocol (HTTP)
HTTPS
Hypertext Transfer Protocol Secure: HTTP carried over an SSL/TLS connection (default port 443), as required for the WebNavigator Web site in section 7.5.4.5. See definition for: Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
IAS
See definition for: Internet Authentication Service (IAS)
Identity
Source: Microsoft Help and Support Center Windows Server 2003 A person or entity who or which must be verified by means of authentication based on criteria such as a password or certificate. See also: Authentication, Certificate
IIS
See definition for: Internet Information Services (IIS)
IP
See definition for: Internet Protocol (IP)
IP address
Source: Microsoft Help and Support Center Windows Server 2003 In the context of IPv4 (Internet Protocol, Version 4), a 32-bit address to identify a node on an IPv4 network. Each node in the IP network must be assigned a unique IPv4 address. This consists of the network ID and a unique host ID. The address is normally represented by the decimal values of the individual octets separated by periods (for example, 192.168.7.27). The IP address can be configured manually or dynamically with DHCP (Dynamic Host Configuration Protocol). In the context of IPv6 (Internet Protocol, Version 6), an ID that is assigned to an interface or a set of interfaces at IPv6 level and can be used as the source or destination for IPv6 packets.
L2TP
See definition for: Layer Two Tunneling Protocol (L2TP)
LAN
See definition for: Local Area Network (LAN)
Logon rights
Source: Microsoft Help and Support Center Windows Server 2003 Logon rights are user rights that are assigned to users enabling them to log onto the system as users. An example of a logon right is the right to log onto a system remotely. See also: User rights
NetBIOS name
Source: Microsoft Help and Support Center Windows Server 2003 A 16-byte name for a process that uses NetBIOS (Network Basic Input/Output System). The NetBIOS Name is recognized by WINS, which maps the name to an IP address. See also: IP Address, Network Basic Input/Output System (NetBIOS), Windows Internet Name Service (WINS)
Organizational unit
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object (GPO) can be linked, or over which administrative authority can be delegated. See also: Active Directory
Package
Source: Microsoft Help and Support Center Windows Server 2003 An icon that represents embedded or linked information. This information can consist of a complete file, e.g., a Paint bitmap, or part of a file, e.g., a spreadsheet cell. When a package is selected, the application used to create the object either plays the object back (if it is a sound file, for example) or opens and displays the object. If the original information changes, linked information is then updated. However, embedded information has to be updated manually.
Permission
Source: Microsoft Help and Support Center Windows Server 2003 A rule associated with an object to regulate which users can gain access to that object and by what means. Permissions are granted or denied by the object's owner. See also: Privilege
Plant bus
The plant bus connects WinCC PCs, such as WinCC servers, to the automation systems (AS). Communication between the automation systems also takes place via the plant bus. See also: Terminal bus
Plant PC
All PCs in the plant, in other words, all WinCC PCs and all PCs for managing the infrastructure, such as DNS, WINS and DHCP servers, domain controllers, etc., for which the operating personnel are responsible. See also: WinCC PC
Plant personnel
All persons that have access to the plant, in other words, all plant operating personnel and any other persons such as cleaning personnel.
PPP
See definition for: Point-to-Point Protocol (PPP)
PPTP
See definition for: Point-to-Point Tunneling Protocol (PPTP)
Privilege
Source: Microsoft Help and Support Center Windows Server 2003 A user's right to perform a specific task, usually one that affects an entire computer system rather than an individual object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for the computer. See also: User rights, Permission
Protocol
Source: Microsoft Help and Support Center Windows Server 2003 A set of rules and conventions for sending information via a network. In respect of messages exchanged between network devices, these rules govern content, format, timing, sequence, and error control.
Proxy server
Source: Microsoft Help and Support Center Windows Server 2003 A firewall component that manages Internet traffic to and from a local area network (LAN) and can support other features such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as frequently visited Web pages, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
Quarantine control
See Network Access Quarantine Control
RADIUS
See definition for: Remote Authentication Dial-In User Service (RADIUS)
RAS Service
Source: Microsoft Help and Support Center Windows Server 2003 A Windows NT 4.0 service that provides network access from a remote location to remote workers, field personnel and system administrators monitoring and managing servers at various branch locations of a company.
Remote Access
Source: Microsoft Help and Support Center Windows Server 2003 Part of the integrated routing and Remote Access Service (RAS), which provides network access from a remote location to remote workers, field personnel and system administrators managing servers at various branch locations of a company. Users can dial into the network from a remote location and use certain services such as file and printer sharing, e-mail, schedule planning and SQL databases.
Router
Source: Microsoft Help and Support Center Windows Server 2003 This hardware device helps LANs (Local Area Networks) and WANs (Wide Area Networks) achieve interoperability and connectivity and can link LANs that have different network topologies, such as Ethernet and Token Ring. Routers compare the information contained in packet headers with a LAN segment and then select the best possible transmission route for the packet in an attempt to optimize network performance. See also: Local Area Network (LAN), Routing, Wide Area Network (WAN)
Routing
Source: Microsoft Help and Support Center Windows Server 2003 The process of forwarding a packet via a network from a source host to a destination host. See also: Host, Packet
RPC
See definition for: Remote Procedure Call (RPC)
Security
Source: Microsoft Help and Support Center Windows Server 2003 On a network, security refers to the protection of a computer system and the data stored on it against damage and loss. Security is implemented in such a way that only authorized users can access shared files. See also: Authorization
Security group
Source: Microsoft Help and Support Center Windows Server 2003 A group that can be included in discretionary access control lists (DACLs) used to define permissions for resources and objects. A security group can also be used as an e-mail group. An e-mail sent to the group is automatically sent to all members of that group.
Server
Generally, a computer that makes shared resources available to network users. See also: Client
Service
Source: Microsoft Help and Support Center Windows Server 2003 A program, routine or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided via a network, they can be published in Active Directory, facilitating service-centric administration and usage. Services include security account management, file replication service and routing and RAS services.
SMS
See definition for: Systems Management Server (SMS)
SSL
See definition for: Secure Sockets Layer (SSL)
Stratum
A stratum is a level in the hierarchy of a time-synchronized network; all devices on one level take their time from the level above. The reference clock itself (atomic clock, GPS receiver, radio time signal receiver, etc.) is stratum 0. A stratum 1 server is directly connected to a stratum 0 reference clock. Computers that synchronize with a stratum 1 server via a time protocol (e.g., NTP or SNTP) are on stratum 2, and so on.
Subnet
Source: Microsoft Help and Support Center Windows Server 2003 A subdivision of an IP (Internet Protocol) network. Each subnet has its own unique network ID. See also: Internet Protocol (IP)
SUS
See definition for: Software Update Service (SUS)
TCP/IP
See definition for: Transmission Control Protocol/Internet Protocol (TCP/IP)
Terminal bus
The terminal bus connects the WinCC PCs on the control layer. See also: Plant bus
Trojan horse
Source: Microsoft Help and Support Center Windows Server 2003 A program disguised as another common program in order to gain information. An example of a Trojan horse is a program purporting to be a system message prompting for the user's name and password, which it later uses to penetrate the system. See also: Virus
Tunnel
Source: Microsoft Help and Support Center Windows Server 2003 A logical connection over which data are encapsulated. This usually involves both encapsulation and encryption. The tunnel forms a private, secure connection between the remote user or host and a private network. See also: Host, Encryption
Tunneling protocol
Source: Microsoft Help and Support Center Windows Server 2003 A tunneling protocol is a communication standard used to manage tunnels and encapsulate private data. Tunneled data must also be encrypted to be a VPN (Virtual Private Network) connection. Two frequently used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). See also: Layer Two Tunneling Protocol (L2TP), Point-To-Point Tunneling Protocol (PPTP), Virtual Private Network (VPN)
User account
Source: Microsoft Help and Support Center Windows Server 2003 In Active Directory, an object that consists of all the information that defines a domain user. This includes the user name, the password and the groups of which the user account is a member. User accounts can be stored in Active Directory or on the local computer. Use Local Users and Groups to manage local user accounts on computers running Windows XP Professional and member servers running Windows Server 2003. Use Active Directory Users and Computers to manage domain user accounts on domain controllers running Windows Server 2003.
User rights
Source: Microsoft Help and Support Center Windows Server 2003 Tasks a user is permitted to perform on a computer system or domain. There are two types of user rights: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log onto a computer locally. Both types are assigned by administrators to individual users or groups as part of the security settings for the computer. See also: Logon rights, Domain, Privilege
Virus
Source: Microsoft Help and Support Center Windows Server 2003 A program that attempts to install itself from one computer to another and then do damage there (by deleting or corrupting files) or aggravate users (by displaying unwanted messages on the screen or changing the normal display). See also: Trojan horse
WinCC PC
All PCs used in a WinCC plant, such as WinCC servers and clients, WinCC configurators, central archive servers, etc. See also: Plant PC
See also: Microsoft Baseline Security Analyzer (MBSA), Software Update Services (SUS), Systems Management Server (SMS)
WINS
See definition for: Windows Internet Name Service (WINS)
Workgroup
Source: Microsoft Help and Support Center Windows Server 2003 A simple grouping of computers created for the sole purpose of helping users to find objects such as printers or shared folders in this group. Workgroups in Windows provide neither centralized user accounts nor centralized authentication, as are available in domains. See also: Authentication, Domain
Worm
A computer virus that is solely designed to replicate itself and lead to substantial impairment of normal data processing.
Zone
Source: Microsoft Help and Support Center Windows Server 2003 In the Macintosh environment, a logical grouping that facilitates browsing the network for resources, such as servers and printers. In a DNS database, a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. A zone stores the domain names and data with a corresponding name, except for domain names that are stored in delegated subdomains.