
Tightening security

In document FactoryTalk Security (Page 49-54)

When you install the FactoryTalk Services Platform on a computer for the first time – rather than upgrading from a previous version – the FactoryTalk Network Directory and the FactoryTalk Local Directory are configured to allow access to all users by default.

However, by default, user accounts have slightly different levels of access in the Network Directory and Local Directory.

Because the Network Directory and Local Directory are separate, you must secure them separately.

On a new system

If you installed the FactoryTalk Services Platform software for the first time and all computers participating in the system are using only FactoryTalk Services Platform, version 2.10 (CPR 9) or later:

In the FactoryTalk Network Directory, all users who successfully log on to Windows on any local computer connected to the FactoryTalk Network Directory have full access to the distributed FactoryTalk system on the network

In the FactoryTalk Local Directory, any user who successfully logs on to Windows on the local computer has full access to the FactoryTalk system on the local computer.

Tighten security on a new system:

These instructions are for use on a system where FactoryTalk Services Platform has been installed for the first time.

1. Decide which FactoryTalk Directory you want to configure for tightened security. If you need to tighten security in both the Network Directory and Local Directory, choose one, complete the steps below, and then repeat these steps for the other directory.

2. Log on to Windows using an account that is a member of the Windows Administrators group on the local computer (Computer1 for this example).

3. Start FactoryTalk Administration Console, and then log on to the FactoryTalk Network Directory where you want to tighten security.

From the Windows Start menu, click Start > All Programs > Rockwell Software > FactoryTalk Administration Console.

4. To ensure that you always have administrative access to the FactoryTalk Directory, create one or more FactoryTalk user accounts or Windows-linked user accounts. You will add these accounts to the Administrators group in the next step:

In the Explorer window, expand System > Users and Groups > Users. Right-click Users, point to New, and then click User or Windows-Linked User.

If you are creating a user account, in the New User dialog box, type a user name and password for the account. For help with the other options in the dialog box, click the Help button in the dialog box.

If you are creating a Windows-linked user account, in the New Windows-Linked User dialog box, click Add. In the Select Users dialog box, type the names of one or more Windows-linked accounts you want to link to and then click OK, or click Advanced and then click Find Now to search for the accounts. When you are finished in the New Windows-Linked User dialog box, click Create.

5. Add the user accounts you created in the previous step to the Administrators group:

In the Explorer window, expand System > Users and Groups > User Groups.

Right-click the Administrators group, and then click Properties on the pop-up menu.

In the Administrators Properties dialog box, click Add. In the Select User or Group dialog box, click Show users only, select the user accounts you want to have administrative access, and then click OK. Click OK to close the Administrators Properties dialog box for the account.

6. Log off FactoryTalk:

On the File menu, click Log Off.

7. Log on to the FactoryTalk Network Directory you are configuring – use the administrator user name and password that you created in step 4.

For this example, add yourself as a Windows-linked user.

8. Restrict access to each FactoryTalk Directory. In the FactoryTalk Network Directory and the FactoryTalk Local Directory, remove the Windows-linked groups called Windows Administrators and Authenticated Users.

In the Explorer window, expand System > Users and Groups > User Groups.

Right-click Windows Administrators and then click Delete on the pop-up menu.

Removing the Windows Administrators group from the Administrators group prevents all users who are members of the Windows Administrators group on any local computer connected to the FactoryTalk Network Directory from having administrative access to the directory.

In the Explorer window, expand System > Users and Groups > User Groups.

Right-click Authenticated Users and then click Delete on the pop-up menu.

Deleting the Authenticated Users group prevents all user accounts that have successfully logged on to Windows on any local computer connected to the FactoryTalk Network Directory from having access to the directory.

9. Restrict access to All Users:

Be sure you have created an administrator user and added that user to the Administrators group for both the Network and Local Directories — not the Windows Administrators group.

At the top of the Explorer window, right-click Network or Local, and then click Security on the pop-up menu.

On the Permissions tab, select All Users.

In the Permissions list, beside All Actions, clear the Allow and Deny check boxes.

Expand the Common group of actions, and then select the Allow check boxes for Read and List Children.

10. Remove All Users from product policies:

The last step for reducing rights to the All Users group is to remove the rights granted to All Users in the Product Policies.

From the Explorer window, expand the FactoryTalk Directory as shown and locate the Product Policies folder.

Right-click Product Policies, and then click Configure Features Security on the context menu.

On the Feature Security for Product Policies dialog box, select All Users, and then click the Remove button.

The All Users group is removed from the FactoryTalk Directory and all permissions that were set for that group are deleted.

11. Next, secure your system policy settings, which define general rules for implementing security across all FactoryTalk products in your system. For details about securing policies, see Chapter 7, “Setting up system-wide policies and product policies”.

Once you have set this basic level of security, create user groups and user accounts for those users that need greater access to the system, and then configure security for those accounts.

On an upgraded system

If you upgraded an existing FactoryTalk system from FactoryTalk Automation Platform version 2.00, your security system will continue to work as it did before, so you might not need to tighten security any further.

However, during the upgrade, if a valid (not disabled or expired) FactoryTalk administrator account could not be found in the FactoryTalk Network Directory or FactoryTalk Local Directory, you cannot log on to the directory and you must run the FactoryTalk Directory Configuration Wizard manually after installation. Running the wizard manually the first time gives full access to all users on any local computer that is connected to the FactoryTalk Network Directory. To tighten security in your system, you must revoke this access manually. For more information on tightening security on an upgraded system, see “Tightening security” on page 35.
