You are on page 1of 74

Getting Results with Rockwell Softwares Security Server (Network Edition)

August 2000

Contacting Technical Support Telephone1-440-646-7800 Rockwell Software Technical Support Fax1-440-646-7801 World Wide Webwww.software.rockwell.com Copyright Notice 1999, 2000 Rockwell Software Inc., a Rockwell Automation company. All rights reserved Printed in the United States of America Portions copyrighted by Allen-Bradley Company, LLC, a Rockwell Automation company. This manual and any accompanying Rockwell Software products are copyrighted by Rockwell Software Inc. Any reproduction and/or distribution without prior written consent from Rockwell Software Inc. is strictly prohibited. Please refer to the license agreement for details. Trademark Notices The Rockwell Software logo, RSAlarm, RSAnimator, RSAssistant, RSBatch, RSBreakerBox, RSButton, RSChart, RSCompare, RSControlRoom, RSData, RSDataPlayer, RSEventMaster, RSGauge, RSJunctionBox, RSLogix Emulate 5, RSLogix Emulate 500, RSGuardian, RSHarmony, RSKeys, RSLadder, RSLadder 5, RSLadder 500, RSLibrary Builder, RSLinx, RSLogix 5, RSLogix 500, RSLogix Frameworks, RSLogix SL5, RSMailman, RSNetworx for ControlNet, RSNetworx for DeviceNet, RSPortal, RSPower, RSPowerCFG, RSPowerRUN, RSPowerTools, RSRules, RSServer32, RSServer, RSServer OPC Toolkit, RSSidewinderX, RSSlider, RSSnapshot, RSSql, RSToolbox, RSToolPak I, RSToolPak II, RSTools, RSTrainer, RSTrend, RSTune, RSVessel, RSView32, RSView, RSVisualLogix, RSWheel, RSWire, RSWorkbench, RSWorkshop, SoftLogix 5, A.I. Series, Advanced Interface (A.I.) Series, AdvanceDDE, AutomationPak, ControlGuardian, ControlPak, ControlView, INTERCHANGE, Library Manager, Logic Wizard, Packed DDE, ProcessPak, View Wizard, WINtelligent, WINtelligent LINX, WINtelligent LOGIC 5, WINtelligent VIEW, WINtelligent RECIPE, WINtelligent VISION, and WINtelligent VISION2 are trademarks of Rockwell Software Inc., a Rockwell Automation company. Data Highway Plus, DH+, DHII, DTL, MicroLogix, Network DTL, PLC, PLC-2, PLC-3, PLC-5, PowerText, Pyramid Integrator, PanelBuilder, PanelView, PLC-5/250, PLC-5/20E, PLC-5/40E, PLC-5/80E, SLC, SLC 5/01, SLC 5/02, SLC 5/03, SLC 5/04, SLC 5/05, and SLC 500 are trademarks of the Allen-Bradley Company, LLC, a Rockwell Automation company. Microsoft, MS-DOS, Windows, and Visual Basic are registered trademarks, and Windows NT, Windows 98, Microsoft Access, and Visual SourceSafe are trademarks of the Microsoft Corporation. ControlNet is a trademark of ControlNet International. DeviceNet is a trademark of the Open DeviceNet Vendors Association. Ethernet is a registered trademark of Digital Equipment Corporation, Intel, and Xerox Corporation. Pentium is a registered trademark of the Intel Corporation. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. IBM is a registered trademark of International Business Machines Corporation. AIX, PowerPC, Power Series, RISC System/6000 are trademarks of International Business Machines Corporation. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited. AutoCAD is a registered trademark of Autodesk, Inc. Warranty This Rockwell Software product is warranted in accord with the product license. The product's performance will be affected by system configuration, the application being performed, operator control and other related factors. The product's implementation may vary among users. This manual is as up-to-date as possible at the time of printing; however, the accompanying software may have changed since that time. Rockwell Software reserves the right to change any information contained in this manual or the software at anytime without prior notice. The instructions in this manual do not claim to cover all the details or variations in the equipment, procedure, or process described, nor to provide directions for meeting every possible contingency during installation, operation, or maintenance.

Preface
Purpose of this book
This getting results book provides you with information on how to install and use Rockwell Software's Security Server. It also explains how to access and navigate the online help.

Intended audience
We assume that you are a network engineer, and that you are familiar with: Windows NT Microsoft

Domain administration for Windows networks

How does it fit in with other Rockwell Software product documentation?


The getting results book can be considered the entry point into our documentation set. The documentation set contains pertinent, easily accessible product information and ships with the software product. The documentation set is designed to free you from tedious paper shuffling and reduce information overload. The getting results book and online help make up the RSI documentation set.

Online help
The online help includes all overview, procedural, screen, and reference information for the product. The help contains four basic components: overview topics, quick start topics, step-by-step procedures, and screen element descriptions (for example, text boxes, drop-down lists, and option buttons). All of the help is context sensitive with the application and provides the user with immediate access to application tasks and screen element descriptions.

Preface i

Document conventions
The conventions used throughout this document for the user interface comply with those recommended by Microsoft Corporation. If you are not familiar with the Microsoft Windows user interface, we recommend that you read the documentation supplied with the operating system you are using before attempting to use this software.

Feedback
Please use the feedback form, which you will find packaged with your software, to report errors and/or let us know what information you would like to see added in future editions of this document.

ii Getting Results with Rockwell Softwares Security Server (Network Edition)

Contents
Preface ....................................................................................... i
Purpose of this book .................................................................................................................. i Intended audience ....................................................................................................................... i How does it fit in with other Rockwell Software product documentation? ...................... i Document conventions.............................................................................................................ii Feedback......................................................................................................................................ii Chapter 1

Introducing Rockwell Softwares Security Server................... 1


What Rockwell Software's Security Server is .........................................................................1 What is a resource? ....................................................................................................................1 What is an access control list? ..................................................................................................2 What is an action? ......................................................................................................................4 The Network Edition of the Security Server .........................................................................5 The Standalone Edition of the Security Server .....................................................................5 Chapter 2

Installing the Security Server and clients ............................... 7


Introduction ................................................................................................................................7 System requirements..................................................................................................................7 Before installing the server .......................................................................................................9 Installing the Security Server ..................................................................................................11 Setting the start up parameters for the Security Server service.........................................13 Setting up DCOM for the users of the Security Server .....................................................14 Installing clients for the Security Server ...............................................................................18 Chapter 3

Managing your Security Server configuration ....................... 23


The Security Server Configuration Explorer .......................................................................23 The Security Server model......................................................................................................23
Table of Contents iii

Adding user groups to the system ...................................................................................... 25 Importing actions for Rockwell Software applications...................................................... 26 Adding a single user to a group ............................................................................................. 26 Adding workstation groups to the system ........................................................................... 27 Creating a resource .................................................................................................................. 28 Grouping resources ................................................................................................................. 29 Grouping actions ..................................................................................................................... 29 Assigning access to individuals and groups ......................................................................... 30 Finding users, workstations, actions, or groups.................................................................. 32 Viewing and changing the server properties ....................................................................... 32 Refreshing access control lists ............................................................................................... 36 Using admin accounts to control access to the Security Server's Configuration Explorer ............................................................................ 36 Roaming security ..................................................................................................................... 37 Chapter 4

Backing up and synchronizing Security Servers....................39


Using directory replication ..................................................................................................... 39 Exporting your Security Server database ............................................................................. 39 Importing your Security Server database ............................................................................. 40 Restoring a previously saved configuration......................................................................... 40 Chapter 5

Upgrading from Standalone Edition to Network Edition........43


Appendix A

Setting up A.I. Series software to use Security Server .........45


Creating the global resource for PLC-5 A.I. Series ............................................................ 45 Creating the global resource for PLC-3 A.I. Series ........................................................... 46 Creating a resource based on processor name for PLC-5 processors............................. 47 Creating a resource based on processor name for PLC-3 processors............................. 48 Appendix B

Setting which account domain controller to use...................49


Background............................................................................................................................... 49
iv Getting Results with Rockwell Softwares Security Server (Network Edition)

Changing the account domain controller .............................................................................51 Appendix C

Consolidating processor resources for RSLogix 5 and RSLogix 500 ..................................................................... 53


Rules for resource consolidation ...........................................................................................54 Consolidating processor resources ........................................................................................55 Unconsolidation .......................................................................................................................57

Glossary .................................................................................. 59 Index ....................................................................................... 63

Table of Contents v

vi Getting Results with Rockwell Softwares Security Server (Network Edition)

1
Chapter

Introducing Rockwell Softwares Security Server


It's easy to protect a system from unwanted intrusion or unauthorized use. Lock it up and don't let anyone use it at all. Don't connect it to a network, don't leave it where someone could get to it, and most likely, you won't have anything to worry about. The problem with that scenario, of course, is that we don't use computers that way. We can't lock them up and we can't keep them off our networks. We have to allow people to use them, and that is where security problems arise. We want to protect our systems from unauthorized use, but we also want authorized users to use the systems efficiently. We also want to make security efficient for ourselves, making changes to the system as simple as possible. Rockwell Software's Security Server is a centralized system for restricting access to resources. Centralizing the system makes it easier for you to establish and maintain secure systems. There are two forms of the Security Server: A Network Edition (the edition this book discusses), which gives you centralized control over security functions for Rockwell Software products over your entire network.

What Rockwell Software's Security Server is

A Standalone Edition, which gives you local control over security functions on the machine where you install the Security Server.

These two forms operate in much the same way, except that the Network Edition has some features the standalone edition does not have.

What is a resource?
A resource is an application, processor, or computer that Security Server can restrict access to. Resources contain actions, functions that can be controlled.

Introducing Rockwell Softwares Security Server 1

Resources contain rules for access to actions, called access control lists (ACLs). These rules define who can access the resources actions, and the circumstances under which a user can access those actions.

Global and application resources


Resources are either global, controlling access to actions in an application, or they are application resources, controlling access to a particular aspect of an applications functions. For example, in PLC-5 A.I. Series software, there is an global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used. However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used. A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer.

What is an access control list?


Access control lists are lists of rules regarding access to actions. Simply put, access control lists (ACLs) define who can do what to a resource and from where they can do it. Each rule in an ACL requires a user or user group, a workstation or workstation group, and a software function (action). ACL rules are called access control entries (ACEs).

Who can do what from where


Access control lists answer the question who can do what from where. Forming and maintaining ACLs is the central activity in the Security Server. Therefore, understanding how ACLs work is critical to using the Security Server effectively and efficiently.

Access control entries


An ACL contains entries, each of which contains four parts: User , which defines who can or can't access the resource and action

Workstation, which is the physical location of the user (Network Edition only)

2 Getting Results with Rockwell Softwares Security Server (Network Edition)

Action, which is an operation performed on an resource Deny/Grant, which defines whether the user can or cannot use the function

Access Control List

Member Member Member Member Member Member Member

ACL Member User Workstation Member Deny/Grant Action

Of course, many facilities will have hundreds of potential users, workstations, and actions available. The Security Server permits you to group users, workstations, and actions to make the process of creating ACLs more efficient. (Workstations are part of ACLs only in the Network Edition of the Security Server.) For example, if you have a group of electricians, all of whom can perform certain actions from certain workstations, you can create a group called Electricians and place all of your electricians in that group. You can then create a group of workstations called Electrician Workstations and place all of the workstations the electricians use into that group. You can then create a group of actions called Electrician Actions and place all of the actions electricians can perform in that group. You could then create an ACE that says: Electricians at Electrician Workstations are granted Electrician Actions.

Introducing Rockwell Softwares Security Server 3

These electricians
Bob Hans Sue Ray Hilda Maria

at these workstations
Machine 1 Machine 2 Machine 3 Machine 4 Machine 5 Machine 6

and these actions


Data Table Value Modification Description Editing Downloading Program to PLC-5 Forcing Functions Offline Monitoring Offline Programming Online Monitoring Online Processor Mode Changes Online Programming Updating Program from PLC-5

can be grouped

"Electricians" group

"Electrician Workstations" group

"Electrician Actions" group

and used to form this simple ACL

"Electricians"

at "Electrician Workstations"

are granted "Electrician Actions"

You can create groups based on however your facility is organized: by job function, by area, by whatever means you like. However you do it, you'll want to plan how you are going to organize people, workstations, and actions before you begin using the Security Server.

What is an action?
An action is a software function. The Security Server controls access to actions through Access Control Lists (ACLs). For example, online programming is a software function that is an action for PLC-5 A.I. Series software. With the Security Server, you can control who can program online and from which workstations a given person can program online. Applications provide a list of their actions to the Security Server. See your application's documentation for information about how it sends its list of actions to the Security Server.
4 Getting Results with Rockwell Softwares Security Server (Network Edition)

The Network Edition of the Security Server


In the Network Edition of the Security Server, the software maintains the resources, user groups, and workstation groups and provides access to them from applications. Applications access the Security Server when they are about to perform a secured function (the exact timing of these accesses varies from application to application). The Security Server responds to the application, either granting or denying the user-requested action based on the ACEs. The Network Edition of the Security Server provides network level security. Users of this edition are domain users. User groups may be either defined in Security Server or in domain user groups.

The Standalone Edition of the Security Server


The Standalone Edition of the Security Server operates in much the same way as the Network Edition, except there is no separate computer running the Security Server. Standalone Edition provides workstation level security. For Windows NT or Windows 2000, users may be local users or private users. Private users exist only within the Security Server database. For Windows 95, Windows 98, or Windows Me platforms, users can be only private users.
Tip The Security Server does not work if the Rockwell Software applications on a given computer are not aware that a Security Server system exists. Generally, you must configure applications to use the Security Server, and you can override the configurations by reinstalling the software (the details of overriding the Security Server depend on the individual application). To ensure your system is secure, make sure you secure the installation disks for your Rockwell Software applications.

Introducing Rockwell Softwares Security Server 5

6 Getting Results with Rockwell Softwares Security Server (Network Edition)

Chapter

Installing the Security Server and clients


This chapter explains how to install and start the Security Server software. This chapter includes information on the following: system requirements installation methods installation procedures updating an existing installation starting procedures

Introduction

After installing the software, we recommend that you read the release note located in the online help. The release note may contain more up-to-date information than was available when this document was published. To view the release note, click Start > Rockwell Software > Security Server Network Edition > Release Notes.

System requirements
The Network Edition of the Security Server installs in two phases: A server installation, which takes place on the computer on which you want to run the server.

A client installation, which takes place on the client workstations. The server installation places the software for installing the client in a directory you can share with the workstations that will install the client for the Security Server. This saves you from having to carry disks to the client workstations, and provides a centralized point for updating the client.

The Security Server requires: A computer running one of the following operating systems:

Installing the Security Server and clients 7

Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4 or higher.) Additional computers are required if you want backup security servers. See page 9 for information about whether to run the Security Server on Windows NT Workstation or Windows NT Server. Microsoft Windows 2000 Workstation or Windows 2000 Server. Additional computers are required if you want backup security servers. See Should you run the Security Server on a Workstation or Server? on page 9 for information about whether to run the Security Server on Windows 2000 Workstation or Windows 2000 Server.

Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in mixed domain environments (without Active Directory).

The client for the Security Server requires: A computer running one of the following operating systems:

Microsoft Windows NT Workstation or Windows NT Server, version 4.0 (with service pack 4) or higher Microsoft Windows 2000 Workstation or Windows 2000 Server Microsoft Windows Me Microsoft Windows 98 Microsoft Windows 95 with the DCOM patch (see Microsofts Web site for this patch: www.microsoft.com)

Connection to a network supporting Microsoft Networking with a Windows NT 4.0 Server acting as a primary domain controller. Note that the Security Server will not work in Windows 2000 native (Active Directory) environments. It will work in Windows 2000 forest/domains configured as mixed mode.

8 Getting Results with Rockwell Softwares Security Server (Network Edition)

Should you run the Security Server on a Workstation or Server?


A significant difference between the Workstation and Server versions of Windows 2000 and Windows NT is that the Workstation versions can support only ten simultaneous network connections. This does not mean that you can have only ten Rockwell Software client applications connected to one Security Server running on a Workstation system. Communication to the Security Server takes place only when it's needed, so it's likely that you could use a Workstation to run the Security Server for much larger facilities. However, if more than ten Rockwell Software client applications try to perform a secured action at the same time, the client workstations will not be able to connect to the Security Server. If you already have a Server system, it's probably a good idea to run the Security Server on that system.

Before installing the server


Before running the server setup, you must verify the settings for the currently logged on user account. Failure to do so will result in improper installation of the software. You must have administrator rights on your Windows NT or Windows 2000 machine to install the Security Server. If you are not an administrator of your machine, an administrator can add your account to the Administrators group or install the Security Server for you.
Tip Installing the Security Server requires an account in which the server will run.

The Security Server runs as a service


The Security Server runs as a service. However, it can't run correctly in the System account (the System account can't access network services, and the Security Server relies on network services). It must run under a user account, which means that the software must log on as a user. You may want to give the Security Server a user account of its own rather than having it run in the account of a human user. (The account you use will be validated with your account domain.) When you install the Security Server, you must log on with an account that has Administrator rights. The installation program will establish the following rights for the user account under which the Security Server will run:
Installing the Security Server and clients 9

Act as part of the operating system Generate security audits Log on as a service Manage auditing and security log

Where you should install the Security Server


If you intend users in more than one domain to access the same Security Server, you must run the server under an account in a domain that is trusted by the other domains containing users of the Security Server. The following illustration shows where you can install the Security Server in four basic networking scenarios. Note this applies only to Windows NT 4.0 domains; Windows 2000 native domains (with Active Directory) are not currently supported.
Two domains, two-way trust relationship
Domain A (account domain) Install server on either domain Domain B

Two domains, one-way trust relationship


Domain A (account domain) Install server on Domain A Domain B

Three domains, one-way trust relationships


Domain A (account domain) Domain B There is no trust relationship between Domain C and Domain A. There is no configuration that would allow one RSSecurity Server to serve users on all three domains. Domain C

Three domains, one-way trust relationships


Domain B Domain A (account domain) Install server on Domain A Domain C

10 Getting Results with Rockwell Softwares Security Server (Network Edition)

Installing the Security Server


Tip Before installing the Security Server, you must log on to the domain in which you intend to run the Security Server. Make sure the user name under which the Security Server will run has an account on the domain. Otherwise the software will install, but it won't configure properly.

1.

On the machine on which you want to install the Security Server, insert the Security Server CD-ROM into the CD-ROM drive.
If autorun is: Then:

enabled

The Setup program starts automatically and the Welcome dialog box appears. Proceed to step 2.

disabled

Perform the following steps:


a. b. c.

Click Start, then click Run. The Run dialog box appears. In the Open field, type x:\setup, where x is the letter of the drive containing the Security Server CD-ROM. Click OK. The Welcome dialog box appears.

2.

Follow the instructions that appear on the screen.


a. b. On the Welcome dialog box - Read the Security Server introductory information, and then click Next. On the Software License Agreement dialog box -

Read the entire Software License Agreement. Click Yes to accept and continue installation, or click No to decline and exit the installation.

c.

On the Registration Information dialog box -

Type your name, the name of your company, the support ID number of your software, and then click Next.
You can find the support ID number on the product box label.

Tip

d.

On the Select Folder dialog box -

Select a directory location for the

Security Server application files.

Installing the Security Server and clients 11

A dialog box appears, indicating that a Security Server subdirectory will be created in the specified destination directory. Click Yes to confirm, or No to exit.
e. On the Select Components dialog box -

Select installation options. In the Product (left) pane, select the Security Server product(s) that you want to install. In the Product Options (right) pane, select the component(s) of each product that you want to install. If you want to create a centralized location for the workstation client software, make sure Client Install is checked. Click Next.
If you have a number of computers that will be clients for the Security Server, you can automate the process of selecting servers for the clients. See page 20 for more information.

Tip

f.

On the Specify Start Menu Item dialog box -

Accept the default program folder, or type the name of the program folder in which you want the Security Server application icons to appear. Click Next. A dialog box appears, indicating the specified location of the Security Server icons in the Start menu. Click Yes to confirm, or No to exit.

g.

On the Security Server Network Edition dialog box - Confirm your previous selections, and then click Next. The Setup dialog box appears while files are being copied to the hard disk drive. On the Rockwell Softwares Security Service Installer dialog box -

h.

set the parameters for running the Security Server. These parameters are described on page 13.
i. On the Rockwell Softwares Security Service Installer dialog box -

read and follow the instructions. You can also refer to the instructions starting on page 14 for information regarding setting up DCOM for the server.
j. On the Setup Complete dialog box -

Select the activation and readme

viewing options and click Finish. To begin activation, insert the Master disk into the 3.5-inch disk drive.
k. l. 3.

Follow the instructions that appear on the screen to activate the Security Server software.
On the EVMOVE dialog box On the Restart Windows dialog box -

Specify the restart option for your operating system and click Finish. The installation is complete.

When you are finished installing the software, remove the Security Server CD-ROM from the CD-ROM drive and the Security Server Master disk from the disk drive. Store them in a safe place.

12 Getting Results with Rockwell Softwares Security Server (Network Edition)

Setting the start up parameters for the Security Server service


After the setup program copies its files to your server's hard drive, it will display the Rockwell Software's Security Service Installer window. The following table describes the installation parameters.
This parameter: Does this:

Domain

The domain of the user account in which the Security Server will run. The user account under which the Security Server will run. By default, this field shows the account you are currently using. If this is not the account you want to run the Security Server, enter the correct account name. The password for the account under which the Security Server will run. The field is blank by default. You must enter the password for the account. The Security Server runs as a service. You can have the service start when Windows starts or you can choose to start the service manually. Manual: The Security Server starts when an application requests it. This is the default setting. Automatic: The Security Server starts when the machine boots. Most likely, you'll want the service to start manually. That way, the server does not run until an application requests it, taking the minimum amount of resources. However, for large networks, you probably will want the service to start automatically.

Account

Password

Startup Mode

The Security Server runs as a service whether it starts automatically at machine startup, or manually when a client requests it to start, or through the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.) If the server starts manually through DCOM (when a client requests it to start), it will stop when the last client disconnects from it.

Installing the Security Server and clients 13

If the service fails to install properly


When you click OK, the Security Server validates the user name with the domain controller. If you did not log on to the correct domain, or if the user name you have entered is not a valid user and enabled in the domain you entered, configuration of the Security Server service will fail. If you have entered a valid domain and user, but not a valid password for that user, the Security Server service will fail to start due to a logon failure. To solve these problems, verify that the user for the Security Server exists in the domain, then log on to that domain. Run the Security Server Service Installer, and correct the problem. (Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer.) For the account validation to work properly, you must disable the Guest account. See your Windows NT or Windows 2000 documentation for information about disabling accounts.

Changing the service installation parameters


You can change the service installation parameters by running the Security Server Service Installer. Click Start > Rockwell Software > Security Server Network Edition > Security Service Installer. The server will be identified for the Security Server clients by the name of the machine running the Security Server. Note the name of the machine running the server. If the service is started automatically at machine startup or manually through the Services applet, the service can only be stopped by the Services applet. (See your Windows NT or Windows 2000 documentation for information about running the Services applet.)

Setting up DCOM for the users of the Security Server


Applications communicate to the Security Server using Microsoft's Distributed Component Object Model system, otherwise known as DCOM. You must set up DCOM so users of the Security Server can launch and access the Security Server.

14 Getting Results with Rockwell Softwares Security Server (Network Edition)

There are two layers to DCOM configuration. There is a default layer, which applies to all DCOM-enabled applications. There is also an application-specific layer, which applies only to the application being accessed (in this case, the Security Server database). Users must have rights to both layers; if they are denied access to the default layer, they cannot access the application-specific layer.
Tip DCOM connections are cached by the server. If a user attempts a connection and the connection fails because the user does not have rights to make the connection, the server will continue to deny that user access until the server is rebooted. The same thing applies to made connections; once a user can make a connection, that user will be able to make that connection until the computer running the Security Server is rebooted. Therefore, when you make changes to the DCOM configuration, it is a good idea to reboot the computer running Security Server.

Create a group of users for the Security Server


Probably the most efficient way of handling the configuration is to create a group of users. You must be an administrator of the computer on which you are creating the group. See your Windows NT or Windows 2000 documentation for information about creating user groups.

Give the group access to the service


Give the new user group the Access this computer from network right. The group members will need this right, since they will be using the network to access the server.

Installing the Security Server and clients 15

Set up the DCOM configuration so the group has access


Tip The DCOMCNFG application may look somewhat different on your system. The setting location and names should be the same.

DCOM configuration is done through the DCOMCNFG.EXE application.


Start DCOMCNFG

To start DCOMCNFG, click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.
Set the default properties

In the Distributed COM Configuration Properties window, click the Default Properties tab. Set the default DCOM properties as shown.
Make sure this box is checked!

Set the Default Authentication Level to Connect

Set the Default Impersonation Level to Identify

16 Getting Results with Rockwell Softwares Security Server (Network Edition)

Setting the default DCOM permissions

In the Distributed COM Configuration Properties window, click the Default Security tab.
Set the default launch permissions

In the Default Launch Permissions section, click the Edit Default button. Add the Security Server users group to the list of who can launch a DCOM application. Make sure Type of Access is set to Allow Launch. If the SYSTEM account is not added with Allow Launch access, DCOM cannot start (the System Control Manager, which runs DCOM, runs in the SYSTEM account). Make sure the SYSTEM account is in the default launch permissions list with Allow Launch access. It is also a very good idea to have the INTERACTIVE user in this list as well. Otherwise, someone using the Security Server on the server machine may not be able to start it.
Set the application-specific DCOM properties

In the Distributed COM Configuration Properties window, click the Applications tab. Click the Sentinel.Database application, then click Properties. This displays the Sentinel.Database properties window. In the Sentinel.Database properties window, click the Security tab.

Sets who can access the Security Server

Sets who can launch the Security Server

Installing the Security Server and clients 17

For the access permissions section, click Use custom access permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Access. For the launch permissions section, click Use custom launch permissions. Click Edit and add the Security Server user group. Make sure Type of Access is set to Allow Launch.

Reboot the server computer


To make sure your changes to the DCOM configuration are in place, reboot the computer. Otherwise, old cached connections could prevent proper configuration.

Installing clients for the Security Server


Tip When you install a Rockwell Software application that uses the Security Server, client software is installed along with the application (except for A.I Series software). When you install a client for the Security Server on a client machine, you can also install the Security Server Configuration Explorer, which allows you to administer security rights from client workstations. This can be very convenient for administration of your security system. If you install the Configuration Explorer on a client machine, make sure you create administrator accounts for the Security Server (see page 36). Otherwise, any user on the client machine will be able to change the security configuration.

To install the client for computers running A.I. Series software (or to place the Configuration Explorer on a client machine): 1. From the computer running the Security Server, give read access for the ClientSetup directory (by default, C:\Program Files\Rockwell Software\Security Server\ClientSetup) to the client workstations.
2.

From the client workstations, install the client software from the ClientSetup directory on the server. (The client is already installed on the computer running the Security Server.)

18 Getting Results with Rockwell Softwares Security Server (Network Edition)

Configuring the clients to use servers


From a computer that has a client for the Security Server installed, click Start > Rockwell Software > Security Server Client > Security Server Definition. This application defines the servers to which you are attaching the client.
When you select a workstation name, it appears here. Click New to define a new server.

When you have defined a server, it appears in this list.

Click these arrows to change the server priority.

Click Add to add the selected server to the list

Click Browse to locate a server.

Important

If you are configuring a backup Security Server, make sure its server list matches the primary Security Servers list.

To define a server: 1. Click Browse to display a Network Neighborhood view of computers on your workstations domain.
2. 3.

In the list of machines that appears, click the name of the machine that is running the Security Server, then click OK. To add backup Security Servers into the list, click New, select a server, then click OK.

Installing the Security Server and clients 19

4.

You can adjust the priority of machines (the order in which the client will look at servers) by clicking on a server then clicking the arrow buttons next to the server list. Servers toward the top of the list have higher priority. Click the OK button. You have now configured the client to use Security Servers. If the client is unable to connect to the primary Security Server, it will try to connect to backup servers in the order set in step 4.

5.

Enable remote DCOM (for Windows 98 clients)


If you are running the Security Server client on a computer running Windows 98, you must enable remote DCOM before you can connect the client to the Security Server computer. To enable remote DCOM: 1. Start the DCOMCNFG application. This application allows you to configure DCOM settings. To run DCOMCNFG:
a. b. 2. 3.

Click Start > Run. Type DCOMCNFG, then click OK. This opens the Distributed COM Configuration Properties window.

Click the Default Security tab. Check the Enable Remote Connection checkbox.

Automating client setup


You can automate the client setup process by changing the SERVER.INI file found in the ClientSetup directory on the Security Server. Changing the SERVER.INI file simplifies and speeds the process of configuring clients by placing the server names into the client configuration by default. This is an example of a SERVER.INI file:
; This file will contain the machine name where the Security Server ; has been installed as the "Primary" server. You can define backup ; servers by adding multiple entries to this file. ; [ServerNames] Primary = SECURITY_SERVER ;Backup#n = <machine name> ; where n = 1, 2, 3, ...

(Comment lines start with a semicolon.)

20 Getting Results with Rockwell Softwares Security Server (Network Edition)

Note that the primary server is defined for you. When the Security Server is installed, the primary server is defined as being the computer on which the server was installed. In the example shown above, the computer called SECURITY_SERVER is the primary Security Server. You can define backup servers as shown in the following example:
[ServerNames] Primary = SECURITY_SERVER Backup#1 = MAIL_SERVER Backup#2 = ACCOUNT_SERVER Backup#3 = BACKUP_SERVER

Once the SERVER.INI file is changed, you will find those four servers defined without having to run the Security Server Definition application, saving some time in selecting and arranging those servers.

Installing the Security Server and clients 21

22 Getting Results with Rockwell Softwares Security Server (Network Edition)

Chapter

Managing your Security Server configuration


The Security Server Configuration Explorer is the tool you use to configure Rockwell Software application security. It is used to create resources, to define resource ACLs, to group users, workstations and resources. It is also used to configure the properties of the Security Server, to perform access checks, and to provide troubleshooting help. It also allows you to import and export databases for synchronizing the databases for Security Servers. You can use the Security Server Configuration Explorer from a machine on which you have the Security Server. If you have installed the Configuration Explorer on machines running the client, you can also run it from there. However, you must run Configuration Explorer from the domain in which the Security Server is running. Otherwise, you may not be able to access all of the users or machines you need to configure the Security Server system.

The Security Server Configuration Explorer

Starting Configuration Explorer


To run Configuration Explorer, click Start > Rockwell Software > Security Server Network Edition > Security Config Explorer.
Important Configuration Explorer can make changes only to the primary Security Server. To make changes to both your primary and backup Security Servers, you must make the changes to the primary Security Server, then copy the database from the primary server to the backup server. See page 39 for more information.

The Security Server model


Rockwell Software's Security Server is based on resources. Rules are set up for each resource. Each rule specifies a user or user group, a workstation or workstation group, an action or action group, and whether the access is granted or denied.

Managing your Security Server configuration 23

For example, you may want certain users to be able to monitor a specific PLC5 processor from any workstation. You may want these same users to be able to modify that processor's program while online with that processor, but only from workstations in line-of-sight of that processor. You can create rules (ACLs) to do this with the Security Server.

About resources
In the Security Server, there are two types of resources: global or application. Global resources control access to actions (functions) in a software product. Application resources control access to specific applications of a software product. For example, in PLC-5 A.I. Series software, there is an global resource called AI5GLOBALRIGHTS. With this global resource, you can control actions in the software globally, without respect to the processors being used. However, PLC-5 A.I. Series software also allows you to define application resources for your processors. By using these application resources, you can control the actions in PLC-5 A.I. Series software based on what processors are being used. A computer can also be a resource. RSLinx, for example, uses the computer running RSLinx as a resource. To use the Security Server with RSLinx, you create a resource with the name of the computer running RSLinx, then grant or deny RSLinx actions to users for that computer. Precicely what an application resource is varies depending on the software you use with the Security Server. For example, for PLC-5 A.I. Series software, an application resource is a processor. When rules of access are applied to functions associated with one of these application resources, software functions are controlled with respect to that processor. For RSLinx software, an application resource is the computer running RSLinx.
Resource names and IDs

Resources have a name, an ID, and a description. The description helps let users of the resource understand what the resource is for. The name and ID are used by the client application to identify the resource.
Tip You can change whether the server grants or denies actions by default through the Security Server's Configuration Explorer Properties function (see page 32).

24 Getting Results with Rockwell Softwares Security Server (Network Edition)

How actions are added to the Security Server database


Before you can create access control lists for using actions, you must add the actions to the Security Server database. Different applications have different methods of adding actions; consult the documentation for the application for the correct method. See Importing actions for Rockwell Software applications on page 26 for information on how to import the actions for several Rockwell Software applications.

Adding user groups to the system


For large systems with many users and workstations, it's best to group users into logical groups, such as Managers or Electricians. You can then assign actions to entire groups rather than to individuals. If you want to assign actions to groups of users, you need to assign users to a group. To add a group of users to the system: 1. Right-click the Users/Groups folder, then click New Group. The software displays the User Group - New window.
2.

Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), or slash (/) Click the Group Members tab. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find users. Once you find the user you want to add, click the user name, and then click OK. Repeat steps 4 and 5 for all of the users you want to add to the group.
Tip As a convenience, once you add a user or workstation to a group in Configuration Explorer, that user or workstation becomes available in the _Security Server domain in Configuration Explorer. You can use the Security Server domain as a shortcut to the users or workstations you have previously added.

3. 4. 5. 6.

Managing your Security Server configuration 25

Importing actions for Rockwell Software applications


Action lists for several Rockwell Software applications are available as Security Server database backup files. You can import these files to add actions for these applications. To import one of these files, open Configuration Explorer, click File > Import, then select the file you want to import. (Alternately, you can rightclick the Actions/Groups folder, then click Import Actions.) The files are located (by default) in the \Rockwell Software\Security Server\System folder.
For this application: Import this file:

RSLogix 5 RSLogix 500 PLC-3 A.I. Series software PLC-5 A.I. Series software RSBatch RSLinx RSLogix Frameworks Diagram Developer Offline and Online

RSLogix5Security.bak RSLogix500Security.bak AI3Security.bak AI5Security.bak RSBatchSecurity.bak RslinxSecurity.bak FrameworksSecurity3.bak

Consult the documentation for your specific application for more information about configuring it to use the Security Server.

Adding a single user to a group


If you are adding one or two users and you know the logon names of those users, it is probably faster to add them individually. To add a single user: 1. Open the group to which you want to add the new user.
2. 3. 4.

Click the Group Members tab. Click the Add User button. The Enter user name dialog appears. Type the logon name of the user in the User Name field. If the user is in the same domain that you are currently logged onto, type just the users log on name (you can type the domain name too, but it is not necessary). If the user is in another domain, you need to type the domain and user name.

26 Getting Results with Rockwell Softwares Security Server (Network Edition)

5.

To validate that the user is a member of the domain (or that you have the correct user), click Display. The Description and Full Name fields will show the users information from the account domain controller (if the information exists). To finish, click Add User. This also validates that the user exists on the account domain controller, and adds the user to the group.

6.

Adding workstation groups to the system


You can also group workstations and assign actions to those groups. For instance, you may want people in your office to be able to program offline but not online. If you grouped workstations into Office and Plant groups, and assigned rights based on location, you could then restrict online programming from your office.
Tip One use of workstation groups is to create line of sight access rules, allowing access to process only from those workstations where the process can be seen.

If you want to assign actions to groups of workstations, you need to assign workstations to a group. To add a group of workstations to the system: 1. Right-click the Workstations/Groups folder, then click New Group. The software displays the Workstation Group - New window.
2.

Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\) Click the Group Members tab. Click the Add button. The software displays a browser window, which allows you to browse through your Windows network to find workstations. Once you find the workstation you want to add, click the workstation name, and then click OK. Repeat steps 4 and 5 for all of the workstations you want to add to the group.

3. 4.

5. 6.

Managing your Security Server configuration 27

Creating a resource
To create a resource: 1. Right-click the Resources/Groups folder, then click New. The software displays the Resource - New window.
2.

If you are creating a resource for an application (a global resource), click the Global Resources (Application Name) drop-down list, and select the application for which you want to create a global resource. The fields fill in with the appropriate information.
Tip Do not change the name or resource ID of the global resource for an application. Applications use this information when communicating with the Security Server; if it is changed, user access will be denied.

If your application is not shown in the Global Resources (Application Name) drop-down list, consult the documentation for your application for information about the name and resource ID it requires.
3.

If you are creating an application resource, click the Application Resources drop-down list, then click the application for which you want to create a resource. Click the Browse button, then browse for the resource you want to create. Currently, there are two types of resource available by browsing. Depending on the application for which you are creating a resource, you can browse for a workstation (through a network browse window) or for a processor (through RSLinx Super Who). The type of browse window you will see depends on the application you select in the Application Resources list.
Tip If you are creating application resources for RSLogix 5 or RSLogix 500 (which consist of processors and the communication drivers used to communicate with them), you may want to consolidate those resources so they are not dependent on the computers from which they are being accessed. See Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53 for more information.

28 Getting Results with Rockwell Softwares Security Server (Network Edition)

Grouping resources
You can group resources to efficiently create ACLs for them. For example, if you have a series of PLC-5 processors in one location, and those processor all have resources, you can group those resources to make assigning rights easier. To create a resource group: 1. Right-click the Resources/Groups folder, then click New Group. The software displays the Resource Group - New window.
2.

Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\) Click the Group Members tab. You'll see a list of the available resources in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list. Click the OK button. The resource group is now ready to have users assigned to it.

3.

4.

Grouping actions
If your system is particularly complex, you may want to group actions as well. Grouping actions permits you to assign combinations of actions to individuals or groups. For example, you may want your maintenance employees to be able to monitor machines but not modify data values or program them. You could group all of the monitoring actions and assign them to your maintenance employees. (On top of that, you could group your maintenance employees, group the maintenance actions, and then assign the action group to the maintenance employee group). To create an action group: 1. Right-click the Actions/Groups folder, then click New Group. The software displays the Action Group - New window.
2.

Type a name for this group in the Name field. You can add a description for the group in the Description field. The name can contain any characters except: comma (,), pipe (|), slash (/), or backslash (\) Click the Group Members tab. You'll see a list of the available actions in the security system. Select the actions you want in the group, then click the right arrow (>>) button. The selected actions move into the Member Items list.
Managing your Security Server configuration 29

3.

4.

Click the OK button. The action group is now ready to have users assigned to it.

Assigning access to individuals and groups


Tip Use user and workstation groups in resource ACLs. You'll probably find it easier to debug your ACLs if you do it that way.

You can assign access to actions to individuals and groups through the resource. For example, if you want to assign the actions for an application, go to that application's resource. To assign actions to individuals or groups: 1. Click the resource containing actions you want to assign.
2. 3.

Click the Access Control List tab. The access control list, or ACL, is the list of who has rights to actions for that resource. In the Users/Groups field, type the name of the user or group of users you want to have rights to an action. If you want to browse for the name, click the button next to the Users/Groups field. If you want to limit the action to a particular workstation or group of workstations, type the name of the workstation or workstation group in the Workstations/Groups field. If you want to browse for the name, click the button next to the Workstations/Groups field. Select the actions you want to assign, then click the right arrow (>>) button. The selected actions move to the Selected Actions list. If you intend to grant access to these actions, click the Grant button. If you intend to deny access to these actions, click the Deny button. Click OK. The access control list fills with the actions you assigned.

4.

5. 6. 7.

Editing an access control list entry


To change an access control list entry, click the entry then click Edit. A window appears, allowing you to change the entry.

30 Getting Results with Rockwell Softwares Security Server (Network Edition)

How access control list entries are applied


An access control list entry (ACE) that comes first in an access control list has precedence over the rules below it. For example, if the first ACE in an access control list grants a group of users every action for a resource, you can't deny those users an action later in the list. However, if you want to deny a group of users a particular action but grant all others, you can place the denial first in the access control list, then place an ACE granting access to all actions under the denial. The denial takes precedence because it came first, but that group of users still has access to the other actions from that resource. The same thing applies to groups of users. If a user is denied access to an action early in an access control list, but the user is part of a group that is granted access to that same action later in the same list, the user is denied access to that action.
Let's say we have a user named Bob at a workstation called Workstation 1. Bob is trying to perform an action for which there are two access control entries (ACEs). ACE Grant for Bob/ Workstation1

ACE

Deny for */ Workstation1

Because Bob was granted the action in the first ACE, the second ACE is ignored.

Result

Grant for Bob/ Workstation1

Managing your Security Server configuration 31

Let's say Bob is still at Workstation1, but we change the ACE order. Deny for */ Workstation1

ACE

ACE

Grant for Bob/ Workstation1

Because everyone (*) at Workstation1 was denied the action in the first ACE, the second ACE has no effect. Even though the second ACE would allow Bob to perform the action, it is ignored because the first ACE has priority.

Result

Deny for */ Workstation1

Moving access control list entries


Because access control list entries that come first take precedence over entries that come later, you can move rules higher or lower in the access control list to try to avoid rule conflicts (or set up conflicts to your advantage). To move an entry, click the entry, then click the up or down arrow buttons to move the rule into the position you want.

Finding users, workstations, actions, or groups


You can search for users, workstations, actions, or groups in the project tree. To do this, click Edit > Find, and enter a string to find in the Search for field. Do not use wildcards (like ? or *) in your search strings. You can enter a partial string (like down for download). You can search down in the tree, up in the tree, or in both directions.

Viewing and changing the server properties


Through the Security Server's Configuration Explorer, you can view and modify the current configuration of the Security Server. To view the server's configuration, click File > Properties. The Property Page window appears.

32 Getting Results with Rockwell Softwares Security Server (Network Edition)

General tab
The General tab shows general system information. This information may be useful for troubleshooting or if you require technical support with the Security Server.

Setup tab
This information: Means:

Server Machine Name Database Version

The name of the computer running the server. The version of the Security Server database (where the security information is stored) The number of workstation groups in your current database The number of workstations in your current database The number of resource groups in your current database The number of resources in your current database The number of action groups in your current database The number of actions in your current database The number of user groups in your current database The number of users in your current database

Workstation Groups

Workstations

Resource Groups

Resources Action Groups

Actions User Groups

Users

The Setup tab allows you to control some of the behavior of the Security Server.

Managing your Security Server configuration 33

Default Security Access

You can set the Security Server to grant or deny access to actions by default. (When you first install the Security Server, it denies access by default. If you have more actions you want to grant than deny, you may want to set up the Security Server to grant access by default then create denials in the access control lists for your resources).
Tip Resources must always be defined in the Security Server database whether default access is set to grant or deny. If a resource is not defined, access to it will be denied.

Database Backup Files

By default, the Security Server keeps three backup files of your security database. If the Security Server database becomes corrupt, you may be able to recover your database from one of these backup files. (See page 39 for more information.) You can select from zero to nine backup files.
Security Audit Events

Windows NT has an Application Log that allows you to see when certain actions take place. If you want to log client and Configuration Explorer events in the Application Log, check the appropriate boxes. (Security Server events, such as startup and shutdown of the server, are always logged.) You can access and view the Application Log through the Event Viewer application that comes with Windows NT or Windows 2000. See your Windows NT or Windows 2000 documentation for information regarding using Event Viewer.
Log Audit Events to Sentinelx.log

Check this box if you want to log Security Server events to a file rather than to the Windows NT/Windows 2000 Application Log. If you choose to log events to a file, the Security Server writes event log information to a comma-delimited ASCII file that can be imported into other applications (such as Microsoft Excel) for review.
Maximum Log Files

If you choose to log events to a file, the Maximum Log Files listbox becomes available. Use this box to set how many days of logging you want to retain. The Security Server will create a new Sentinelx.log file for each day on which an entry occurs (new files are created at midnight). The log files are stored in the System\log folder under the folder where the Security Server is installed.

34 Getting Results with Rockwell Softwares Security Server (Network Edition)

Server Information tab


The Server Information tab shows information about your networking setup.
Default Account Domain and Default Account Domain Controller

The Default Account Domain and Default Account Domain Controller settings work in tandem. The Security Server will access the default account domain controller for user and group information if the domain of the user or group matches that of the default account domain. In large and geographically diverse networks, this may greatly speed network access. See Appendix B on page 49 for more information.
Network information refresh rate (minutes)

The refresh rate is the rate at which the Security Server checks its database. For example, when a user is removed from a group, the refresh removes any user groups to which the user belonged and no other user belonged. Another example is when a new user is added to a new domain network group. The Security Server will add this new user group to its database when it performs the check. At each refresh, the Security Server rewrites its database.
Client Connections to Server

These fields indicate the maximum number of client workstations that can connect to the Security Server at one time, the peak number of client workstations that have connected to the Security Server at one time, and the number currently connected. The peak number of client workstations indicates the number of licences required for your system. If it is at the maximum number, it is possible that you may need more licences. If you need to increase the number of client workstations that can connect to the Security Server, please contact your Rockwell Software sales representative.

Configuration Explorer tab


The Configuration Explorer tab shows information about your networking setup.
Default Account Domain and Default Account Domain Controller

The Default Account Domain and Default Account Domain Controller settings work in tandem. The Configuration Explorer gathers and presents network information for you to create user groups or resource ACLs. These two settings allow you to select a domain controller for a particular domain. The domain controller is then used for all Configuration Explorer browsing of the domain. Note these settings may be different for each instance of Configuration Explorer on your network.
Managing your Security Server configuration 35

See Appendix B on page 49 for more information.


Display Full Names

When Display Full Names is checked, Configuration Explorer displays full names and descriptions (when available from the server) for members of Security Server groups. When domain groups are displayed, the full names and descriptions of users in those groups are also displayed. Displaying full names and descriptions can take time. Turning this function off (by clearing the Display Full Names checkbox) will speed up these network operations.

Refreshing access control lists


Your access control lists (ACLs) can contain users who no longer have accounts or whose accounts are disabled. You may wish to remove these users from your ACLs. To do this, click File > Refresh ACLs. When you choose to refresh ACLs, the Security Server performs that task during the next refresh cycle, and makes a log entry including the domain account and action taken. You can change the time to the next refresh cycle by changing the server preferences. See Network information refresh rate (minutes) on page 35 for more information.

Using admin accounts to control access to the Security Server's Configuration Explorer
If you install the Configuration Explorer on a user's computer, you must define an administrator for the Configuration Explorer. Otherwise, anyone with access to the Configuration Explorer can change the configuration of your entire Security Server system. To define an administrator: 1. Click View > Admin Accounts. This displays the Administration Accounts window.
2. 3.

Click Add. This displays a browse window, allowing you to select a user to be an administrator for Configuration Explorer. Locate a user to be an administrator, click that user's logon name, and then click OK. If you want to search for a user, type the beginning of the user's logon name in the Search for field, then click Find.
Tip As a convenience, the _Security Server domain contains all users that are currently in the Security Server's database. To save time, you can choose administrators from this domain.

36 Getting Results with Rockwell Softwares Security Server (Network Edition)

Roaming security
With the Network Edition of Security Server, it is possible to disconnect from your network and maintain access to secured functions. For example, a maintenance engineer may need to take a laptop with secured software off of his or her network to perform operations in a plant. This is accomplished through a process called roaming. Roaming operates by caching security information for a set number of days. A Security Server administrator decides whether roaming should be enabled, and for how many days. If Roaming is enabled, any user can cache security information to run while disconnected from the network. While roaming, access is checked for each resource using the logged-in user and workstation. The system creates a roaming database that remains in effect until a timeout occurs (the number of days roaming is permitted expires) or the Configuration Explorer terminates the roaming session. If a timeout occurs, the user will no longer be able to access secured Rockwell Software applications.

Enabling or disabling roaming


Roaming is enabled through Configuration Explorer. Only Security Server administrators are able to enable or disable roaming (if you have not defined administrators for your Security Server, see Using admin accounts to control access to the Security Server's Configuration Explorer on page 36 for information about doing this.
Important If you do not define administration accounts, any user can enable or disable roaming.

To enable roaming, click View > Set Roaming Security Timeout. By default, roaming is enabled. To disable roaming, check the Disable Roaming Security Caching checkbox. If you wish to enable roaming, set the number of days roaming should be enabled with the Roaming Security Timeout (days) listbox. You can set between 0 and 90 days. If you want to make roaming valid only during the current day, set the timeout to 0 days (the day ends at midnight).

Using roaming
To use roaming: 1. Start Configuration Explorer.
2.

Click View > Configure Roaming Security Information.


Managing your Security Server configuration 37

3.

Since there is no network server available to validate users, you must provide a name and password to use with Security Server while roaming. Under the Alias User Information section of the Configure Roaming Security Information dialog, enter your user name in the User Name field. Do not use your network user name for this field. Enter a password to use with Security Server while roaming in the Password and Confirm Password fields.
Important Do not forget your user name and password! If you do, you will not be able to use roaming, and you will not be able to use software that is secured with Security Server.

4.

Roaming remains enabled until either the Configuration Explorer reattaches to the Security Server, or the timeout period elapses. If the roaming timeout period elapses, connect Configuration Explorer to the Security Server to restore operation.

38 Getting Results with Rockwell Softwares Security Server (Network Edition)

4
Chapter

Backing up and synchronizing Security Servers


Rockwell Software's Security Servers do not communicate with each other. If you want to keep the same security information on primary and secondary Security Servers, you may handle this process in any of three ways: export your Security Server database from your primary Security Server and import the database on your backup Security Servers directly copy the database files from the primary Security Server to backup servers. use Windows NT/2000 directory replication to copy the database files from the primary Security Server computer to backup computers (this is the preferred method since it happens automatically)

Using directory replication


Windows NT and Windows 2000 have a built-in replication service that allows you to copy files from one computer to another automatically. In Windows NT this is called the LAN Manager Replication service; in Windows 2000 this is called the File Replication service. You can configure this service to copy files from the folder containing the Security Server database from the primary Security Server to backup servers. Note that the Windows 2000 File Replication Service is not available on Windows 2000 Professional. Therefore, if you are using a computer running Windows 2000 Professional as a Security Server, you will not be able to use this method for replicating your database. For more information about using directory replication, see the documentation for Windows NT or Windows 2000.

Exporting your Security Server database


To export your Security Server database, run the Configuration Explorer, then click File > Export Database.
Backing up and synchronizing Security Servers 39

This function allows you to save a backup file. The backup file contains all of the information necessary to reconstruct your Security Server database either on your primary Security Server or on a backup Security Server.

Importing your Security Server database


When you import a Security Server database into a Security Server, the imported database will be added to the current configuration of that Security Server. To import a Security Server database, run the Security Server Configuration Explorer, then click File > Import Database. The software allows you to select a backup database file to import. If the database import detects conflicts, you can choose to overwrite the current database with the imported information or not. You can do this on a case-by-case basis or for the entire imported database. For example, if a user already exists in the database and the imported database contains the same user, you can choose whether to overwrite the current database with the information about that user from the imported database.

If there are errors detected during the import


If the database import detects errors, the import notifies you that there are errors and writes descriptions of the errors to a log file. The file is named SentinelImport.log, and it is found in the Security Server system directory (by default, that directory is C:\Program Files\Rockwell Software\Security Server\System). You can open the log file in Windows Notepad and examine it. (A typical error is that a user described in the backup database no longer exists or is no longer enabled in the domain the import removes such users and notifies you in the log file.) The error log file describes errors by line numbers. These line numbers refer to the end of a resource or user list, not to the line containing the error. The string (invalid user name, for example) causing the error is listed with the error description. You should search for the string causing the error and not the line number if you wish to correct the backup database.

Restoring a previously saved configuration


Each time you change your Security Server configuration and save those changes, the software writes a backup of your last saved security database as well as your most recent changes. (The database is also saved and backed up during each refresh cycle.) If you make a mistake and need to revert to a previously saved version of your Security Server database, you can do so.
40 Getting Results with Rockwell Softwares Security Server (Network Edition)

To restore a previous version of your Security Server database, locate the directory containing the Security Server system. By default, the Security Server system is located in C:\Program Files\Rockwell Software\Security Server \System\db. In that directory, you'll find the files that make up a Security Server database. The following table describes these files:
This file: Does this:

Sentinel.sdb

The primary security database. Contains all of the database information necessary for the Security Server to provide security functions. The backup security database files. Contains previous versions of the security database. With each save of the security database, the Security Server copies the previously saved version to a backup file. For information about setting the number of security database backups maintained by the Security Server, see page 34.

Sentinel.sb1 .sbN

Important

Before overwriting a database file, make sure the Security Server is not running.

Delete the Sentinel.sdb file and replace it with one of the backup files. If you just made the change you need to correct, the backup file you need is Sentinel.sb1 (the number on the backup file is incremented with subsequent saves).
Tip If you are restoring a database that was backed up during a resource consolidation or unconsolidation, the backed-up database is located (by default) in C:\Rockwell Software\Security Server\System\SentinelResourcen.bak (where n is a sequence number indicating how many times the consolidation or unconsolidation has been done). For information about resource consolidation, see Consolidating processor resources for RSLogix 5 and RSLogix 500 on page 53.

Backing up and synchronizing Security Servers 41

42 Getting Results with Rockwell Softwares Security Server (Network Edition)

5
Chapter

Upgrading from Standalone Edition to Network Edition


The databases for Security Server Standalone Edition and Network Edition vary in the following ways: Standalone Edition provides security for a single workstation, while Network Edition provides network-wide security. Standalone Edition does not contain references to workstations. Standalone Edition users can be either users local to a Windows NT machine, or they can be private users, known only to the Security Server. Network Edition uses only domain users, validated by a domain controller.

Because of these differences, access control lists and users created in Standalone Edition are not compatible with Network Edition. This information will be lost during an upgrade to Network Edition. It is possible to retain the resource/group and action/group definitions from Standalone Edition when upgrading to Network Edition. To upgrade a Standalone Edition database to a Network Edition database: 1. Export the Standalone Edition database.
2. 3.

Install Security Server Network Edition. Import the exported Standalone Edition database file into Network Edition. During the import, there will be warnings concerning importing the Standalone Edition database. Review the SentinelImport.log file for import errors. See Restoring a previously saved configuration on page 40 for more information.

4.

Upgrading from Standalone Edition to Network Edition 43

44 Getting Results with Rockwell Softwares Security Server (Network Edition)

Appendix

Setting up A.I. Series software to use Security Server


A.I. Series software can use the Security Server to secure resources. To set up A.I. Series software to do this, you need to tell the software to send its actions to the Security Server.
Tip You must run A.I. Series software under Windows NT or Windows 2000 to use it with Security Server.

There are two types of resource for A.I. Series software. There is a global resource called AI5GLOBALRIGHTS or AI3GLOBALRIGHTS, which controls access to functions in the software. You can also create resources for each processor being programmed (in case you want to vary the actions granted based on the processor being programmed).

Creating the global resource for PLC-5 A.I. Series


1.

In the Security Server's Configuration Explorer, create the global resource for PLC-5 A.I. Series software. See page 28 for information about creating the resource. If you are using the Network Edition of the Security Server, make sure the client for the Security Server is configured on the machine where you are using PLC-5 A.I. Series software. See page 18 for information about configuring the Security Server client. From the PLC-5 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters. Enter the system master password (the password for access to the PLC-5 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears. Press [F3] RSSecurity Server Tests.
Setting up A.I. Series software to use Security Server 45

2.

3.

4.

5. 6.

Press [F2], then type AI5GLOBALRIGHTS. Press [F4] to send the actions for PLC-5 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.) You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-5 A.I. Series, and you can create ACLs based on those actions. In PLC-5 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].

7.

8.

Creating the global resource for PLC-3 A.I. Series


1.

In the Security Server's Configuration Explorer, create the global resource for PLC-3 A.I. Series software. See page 28 for information about creating a resource. If you are using the Network Edition of the Security Server, make sure the Security Server client is configured on the machine where you are using PLC-3 A.I. Series software. See page 18 for information about configuring the client for the Security Server. From the PLC-3 A.I. Series top menu, press [F8] Configure Program Parameters > [F5] Modify System Security Parameters. Enter the system master password (the password for access to the PLC-3 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears. Press [F3] RSSecurity Server Tests. Press [F2], then type AI3GLOBALRIGHTS. Press [F4] to send the actions for PLC-3 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.) You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI3. You can open that group to see the actions for PLC-3 A.I. Series, and you can create ACLs based on those actions. In PLC-3 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].

2.

3.

4. 5. 6.

7.

8.

46 Getting Results with Rockwell Softwares Security Server (Network Edition)

Creating a resource based on processor name for PLC-5 processors


You must use RSLinx version 2.0 or higher to perform the following procedure. 1. In the Security Server's Configuration Explorer, create a new resource (right-click the Resources/Groups folder, then click New).
2.

Click the Application Resources drop-down list, then click AI5. This sets up the correct type of application resource for PLC-5 A.I. Series software. Click the Browse button. This launches RSLinxs Super Who function, allowing you to choose a processor for the resource. Use the Super Who window to locate the processor for which you want to create a resource, then double-click it. In the Configuration Explorer, the resource Name field fills with a default name (the processor name followed by _AI5), the Description fields fills with Resource for AI5, and the Resource ID field fills with the communications link identifier for the processor. From the PLC-5 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters. Enter the system master password (the password for access to the PLC-5 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears. Press [F3] RSSecurity Server Tests. Press [F2], then type the name of the resource (the processor name followed by _AI5). Press [F4] to send the actions for PLC-5 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.) You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-5 A.I. Series, and you can create ACLs based on those actions (see page 30). In PLC-5 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].

3.

4.

5.

6. 7. 8.

9.

10.

Setting up A.I. Series software to use Security Server 47

Creating a resource based on processor name for PLC-3 processors


You must use RSLinx version 2.0 or higher to perform the following procedure. 1. In the Security Server's Configuration Explorer, create a new resource (right-click the Resources/Groups folder, then click New).
2.

Click the Application Resources drop-down list, then click AI3. This sets up the correct type of application resource for PLC-3 A.I. Series software. Click the Browse button. This launches RSLinxs Super Who function, allowing you to choose a processor for the resource. Use the Super Who window to locate the processor for which you want to create a resource, then double-click it. In the Configuration Explorer, a description is added and the Resource ID field fills with the communications link identifier for the processor. You must enter a name for the resource in the Name field. From the PLC-3 A.I. Series top menu, press [F9] Configure Program Parameters > [F5] Modify System Security Parameters. Enter the system master password (the password for access to the PLC-3 A.I. Series security setup). If you have not entered this password before, make sure you remember it! After you enter the master password, the Security System Setup menu appears. Press [F3] RSSecurity Server Tests. Press [F2], then type the name of the resource. Press [F4] to send the actions for PLC-3 A.I. Series to the Security Server. (Alternatively, you can import the actions from a backup database that comes with the Security Server software. See Importing actions for Rockwell Software applications on page 26 for more information.) You can now refresh the display in the Configuration Explorer by clicking View > Refresh. In the Actions/Groups list you'll find a group called AI5. You can open that group to see the actions for PLC-3 A.I. Series, and you can create ACLs based on those actions (see page 30). In PLC-3 A.I. Series, you can check whether a user has the rights to actions by pressing [F1], typing the user's name, then typing [F3].

3.

4.

5.

6. 7. 8.

9.

10.

48 Getting Results with Rockwell Softwares Security Server (Network Edition)

Appendix

Setting which account domain controller to use


In Configuration Explorer, you can set which account domain controller the Security Server and Configuration Explorer use to get information about users and workstations for a specified account domain. By default, the Security Server and Configuration Explorer read this information from the respective domains primary domain controller (PDC). However, in a large and geographically disparate domain, the PDC may be remote to the Security Server and Configuration Explorers location. In many cases, a backup domain controller (BDC) may be local to the domain containing the Security Server and Configuration Explorer. In those cases, using the backup (local) domain controller can speed up Security Server and Configuration Explorer network operations. The account domain and default account domain controller settings work in tandem. Note there are separate pairs for the Security Server and the Configuration Explorer to provide you more flexibility. If the Security Servers default account domain controller fails to respond to Security Server requests, the server will use the primary domain controller. If this happens, the Security Server will create an entry in the Windows NT Event Log.

Background

An example of a geographically disparate domain


Consider this example of a three domain network. The domains are: LONDON, which is a resource domain with its primary domain controller (LONDON_PDC) in London.

PARIS, which is a resource domain with its primary domain controller (PARIS_PDC) in Paris. EUROPA, which is a resource domain with its primary domain controller in London.

Setting which account domain controller to use 49

EUROPA domain (account domain) LONDON domain (resource domain)

LONDON_PDC SECURE_LON PARIS_BDC EUROPA_PDC (located in London)

PARIS domain (resource domain)

PARIS_PDC CONFIG_EXPL LONDON_BDC EUROPA_BDC (located in Paris)

In this example, a user of Configuration Explorer in the PARIS domain (at a workstation called CONFIG_EXPL) wants the most efficient way to browse users. To make this happen, this person would set Configuration Explorer to use the backup domain controller for EUROPA (EUROPA_BDC, located in Paris). However, this same user would want to set Configuration Explorer to use EUROPA_PDC for those actions that require data to go through the Security Server. Since the Security Server is physically located in London, the connection between it and EUROPA_PDC is faster than its connection to EUROPA_BDC.
Tip In general, you should use the primary or backup domain controller that is physically located nearest to the computer you are using.

50 Getting Results with Rockwell Softwares Security Server (Network Edition)

Changing the account domain controller


To change the default account domain and account domain controller: 1. Open Configuration Explorer, then click File > Properties.
2. 3.

Click the Server Information tab. Select the default domain you want to use for the Security Server from the Default Account Domain list. The Default Account Domain Controller list fills in with the account domain controllers available from the default account domain. Choose the default account domain controller you want to use for the Security Server from the Default Account Domain Controller list. Click the Configuration Explorer tab. Select the default domain you want to use for Configuration Explorer from the Default Account Domain list. The Default Account Domain Controller list fills in with the account domain controllers available from the default account domain. Choose the default account domain controller you want to use for Configuration Explorer from the Default Account Domain Controller list.

4. 5. 6.

7.

Setting which account domain controller to use 51

52 Getting Results with Rockwell Softwares Security Server (Network Edition)

C
Appendix

Consolidating processor resources for RSLogix 5 and RSLogix 500


For processors in RSLogix 5 and RSLogix 500, the resource ID for a processor resource has three components: The name of the computer using the processor resource The name of the RSLinx driver used to communicate with the processor The address of the processor on the network being used to communicate

the computer name (the exclamation point is where the computer name ends)

the RSLinx driver being used to communicate with the processor (the slash separates the driver name from the address) the address of the processor

MACHINE!AB_ETH1\130.151.175.25

This means that for every computer using a given processor, you would have to have a separate resource. This can be quite inefficient, especially in large installations. You can consolidate these machine-based resources into a single resource for each processor, making security easier to manage. For example, if two different machines had access to the same processor over the same network, the IDs for these unconsolidated resources would look something like this:
WORKSTATION1!\TCP-1\63 WORKSTATION2!\TCP-1\63

Consolidating processor resources for RSLogix 5 and RSLogix 500 53

Each of these two resources would have their own, possibly different ACLs. Consolidating these two different resources into a single resource results in a resource called
TCP-1\63

This means that a singular ACL now applies where there were previously two ACLs.

Rules for resource consolidation


The simplest case for describing the rules for resource consolidation is a tworesource case. If you consolidate two resources to one: The first resource changes its resource ID to the new, consolidated ID.

The first resource keeps all of its ACEs and their order in its ACL. If an ACE from the second resource is different than all of the ACEs from the first resource, that ACE is added to the end of the consolidated resources ACL. If any ACE being added to the consolidated resource conflicts with an ACE in the consolidated resource, the software displays a warning and logs the warning in a file. By default, that file is at C:\Program Files\Rockwell Software\Security Server\System\SentinelConsolidate.log. Such conflicts should be flagged during the consolidation process, however, you should check your ACLs for potential conflicts after consolidation.
Tip After consolidation, it is a good idea to check the order of ACEs in the newly formed ACLs.

54 Getting Results with Rockwell Softwares Security Server (Network Edition)

Consolidating processor resources


Important Make sure the RSLinx driver mappings and configurations are identical for all machines using the resources you are going to consolidate. For example, make sure the resources all use the same name for the communications driver (for example, TCP-1) they use to communicate with processors. Otherwise, consolidation will not be effective (the result of the consolidation will be the same resources without their machine names, and none of them will be consolidated).

To consolidate processor resources: 1. Open Configuration Explorer (Start > Programs > Rockwell Software > Security Server Network Edition > Security Config Explorer).
2.

Click File > Consolidate Resources. The Consolidate Resources dialog appears. (You may see a dialog that tells you that the Resource Consolidation flag has been changed. This means that the consolidation procedure has been performed at some point. Check to see if the resources need consolidation. If they do, click OK on that dialog.)
Tip If you see Unconsolidate Resources on the file menu instead of Consolidate Resources, the resources are already consolidated. If you selected Unconsolidate Resources in error, click Cancel on the Consolidate Resources dialog to stop the procedure.

Consolidating processor resources for RSLogix 5 and RSLogix 500 55

3.

On the Consolidate Resources dialog, click the Consolidate Resources checkbox, then click OK.

Click the Consolidate Resources checkbox

Then click OK to continue with the consolidation


4.

A dialog appears informing you that the database will be backed up. This is done so you can revert to the preconsolidated version of the database if you wish. Click OK. The database backs up, and the RSLogix 5 and RSLogix 500 processor resources are consolidated.
Tip The backed-up database is stored (by default) in C:\Program Files\Rockwell Software\Security Server\System directory. The backup file has a name like SentinelResourcen.bak, where n indicates which consolidate or unconsolidate operation created the backup. For example, if you are restoring the database backed up during the twelfth consolidate/unconsolidate, the file would be called SentinelResource12.bak. There are a maximum of twenty such files; the most recent always has the highest number. If there are twenty backup files, the SentinelResources20.bak file is overwritten during consolidate/ unconsolidate operations.

5.

56 Getting Results with Rockwell Softwares Security Server (Network Edition)

Unconsolidation
Unconsolidating these resources means re-adding the machine name back into the ACLs. This is not the same as an undo. (There is no undo for the consolidation, but the pre-consolidation database is stored and is available for restoration. See Restoring a previously saved configuration on page 40 for information about restoring the database that is saved during the consolidation.) It is possible to unconsolidate after consolidating, but the result is not always the same as restoring the database to its pre-consolidation state. Here are a couple of examples:
Example 1: A set of resources

This preconsolidated set of resources:


Machine1!AB_ETH-1\130.151.175.25 Machine2!AB_ETH-1\130.151.175.25 Machine3!AB_ETH-1\130.151.175.25

Consolidates to:
AB_ETH-1\130.151.175.25

The ACLs for the Machine2 and Machine3 resources are added to the ACL for the Machine1 resource to form the ACL for the consolidated resource. If this resource is unconsolidated, it becomes:
Machine1!AB_ETH-1\130.151.175.25

The ACLs remain combined.


Example 2: A single resource

If there is only one resource, unconsolidating it results in the preconsolidated resource: This preconsolidated resource:
Machine1!AB_ETH-1\130.151.175.20

Consolidates to:
AB_ETH-1\130.151.175.20

The ACL for the consolidated resource is the same as for the preconsolidated resource. If this resource is unconsolidated, it becomes:
Machine1!AB_ETH-1\130.151.175.20

The ACL for the unconsolidated resource is the same as it was when it was consolidated (which is also the same as it was when it was preConsolidating processor resources for RSLogix 5 and RSLogix 500 57

consolidated).

Unconsolidating resources
To unconsolidate processor resources: 1. Open Configuration Explorer (Start > Programs > Rockwell Software > Security Server Network Edition > Security Config Explorer).
2.

Click File > Unconsolidate Resources. The software informs you that the Resource Consolidation flag has been changed, and asks if you want to continue. If you want to unconsolidate the resources, click OK.
Tip If you see Consolidate Resources on the file menu instead of Unconsolidate Resources, the resources are not consolidated. If you selected Consolidate Resources in error, click Cancel on the Consolidate Resources dialog to stop the procedure.

3. 4.

On the Consolidate Resources dialog, uncheck the Consolidate Resources checkbox, then click OK. A dialog appears informing you that the database will be backed up. This is done so you can revert to the consolidated version of the database if you wish. Click OK. The database backs up, and the RSLogix 5 and RSLogix 500 processor resources are unconsolidated.

5.

58 Getting Results with Rockwell Softwares Security Server (Network Edition)

Glossary
This term: Means:

Access control list (ACL)

A list of rules for determining access to a resource. Each rule contains a user, workstation, action, and grant/deny properties. It defines who can perform a given set of functions, the objects on which those functions can be performed, and from where those functions can be performed. A rule assigned to a resource that determines who can perform an action from a given workstation to a resource. ACLs are built from ACEs. A domain that contains user accounts. The Security Server accesses user account information from the PDC (Primary Domain Controller) unless otherwise configured. A domain controller for an account domain. An account domain controller authenticates user accounts on logon. A function of an RSI client application that the application wishes to restrict. For example, RSLogix 500 actions include forcing functions, online monitoring, online programming, etc. A built-in feature of Windows NT and Windows 2000. The Application Log contains information about the activity of applications, and can give you information regarding changes made to your security setup. See your Windows NT or Windows 2000 documentation for information regarding viewing the Application Log. A server that receives a copy of the domains security database from the primary domain controller and shares the user login authentication load. The BDC can be configured to perform user authentication as well as be promoted to PDC if the PDC fails. A service provided by NT Servers and NT Workstations. The browser stores network information (such as domain users and workstations) and provides the information to NT workstations.

Access control list entry (ACE) Account domain

Account domain controller Action

Application Log

Backup domain controller (BDC)

Browse services

Glossary 59

Client

A client for the Security Server is any Rockwell Software application that is aware of the Security Server and uses it as a common security database. It adds actions to and performs access checks with the Security Server. PLC-5 A.I. Series software is an example of a client. (The Security Server Configuration Explorer is not a client.) Client connections refer to the connection between two machines. For example, if Machine 1 is running the Security Server and Machine 2 is running PLC-5 A.I. Series software and Frameworks software, and Machine 3 is running the Security Server Configuration Explorer, then only one license is required for the connection between Machine 1 and 2. PLC-5 A.I. Series software and RSLogix Frameworks software are clients. The Security Server Configuration Explorer is not a client. The license applies to the connection between the machine running the server and the machine running the client software. You can check the client connections to the server by viewing the Property Page - Network Information tab (File > Properties) in the Configuration Explorer. This displays the number of active client connections, the maximum number of clients that can be connected (based on the number of licences), and the peak number of clients that have connected at one time. Computer system architecture in which clients request a service and a server provides that service. Each machine can then be optimized for the task. A common example would be a client using a database server. In this case the entry and display of users' data are separated (often on separate machines) from the storage and retrieval of the data. The client may have a large color display with a graphical user interface. The server may have dual power supplies (in case one fails), fast duplicated hard disks (in case one fails and to increase the number of disk requests that can be serviced per second), and a built-in tape drive for fast backup. Process that reduces the number of RSLogix 5 and RSLogix 500 processor resources by removing workstation-specific information from the resources and combining access control list entries from the existing resources into a new, non-workstation specific resource. RSLinx driver configurations must be identical for all resources being consolidated. For the Security Server, the collection of information regarding users, workstations, groups, resources, actions, access control lists, and client and server properties. Distributed Component Object Model, a Microsoft standard protocol for applications to communicate over networks.

Client connections

Client-server

Consolidate resources

Database

DCOM

60 Getting Results with Rockwell Softwares Security Server (Network Edition)

Domain

In Windows NT security, a domain is a collection of computers that are grouped for viewing and administrative purposes, and that share a common security database. This setting in Configuration Explorer shows the full name and description for users or workstations when they are being displayed in groups. A resource that does not apply to a particular processor. Global resources act on the actions associated with a particular software package. For example, if you set an ACL to deny a user the download action for PLC-5 A.I. Series software, that user cannot download. If you want to control actions based on individual processors, you could create resources for those processors and control actions through those resources. A collection of users, workstations, resources, or actions. The number of licenses determines the number of client connections available. (See also the definition of Client and Client Connections.) Line-of-sight refers to the rule in many industrial operations that an operator cannot change values or programs on a process that the operator cannot directly view. A repository of event information useful in documenting a process. Security Server can be configured to log entries into the Windows NT/2000 Application Log or to a file. A version of Security Server which provides security for Rockwell Software applications on a network-wide basis. A trust relationship where a domain (trusting domain) trusts another domain (trusted domain) to access its resources, but the trusted domain does not trust the trusting domain. A server that maintains the domain's security database and authenticates user logons. It also provides a copy of the domain's security database to backup domain controllers (BDCs), which share the user login authentication load. The length of time between the Security Servers validations of users and user groups with the account domain controller. A database of information concerning the configuration of Windows and applications running under Windows.

Full names

Global resource

Group Licenses (for the Security Server) Line-of-sight

Log

Network Edition

One-way trust

Primary domain controller (PDC)

Refresh cycle

Registry

Glossary 61

Resource

For the Security Server, a resource is what an application wishes to protect. What a resource is varies depending on the application you use with the Security Server. For example, for PLC-5 A.I. Series software, a resource is a processor. For RSLinx, a resource is the name of the workstation running RSLinx. A domain which contains resources such as workstations and printers. The ability to cache security server information to allow secured operation of Rockwell Software applications on a computer that is disconnected from a Security Server. The Security Server is an application that provides central control and administration of the Security Server database, by acting as a DCOM server and running as an NT service. A program that performs a specific system function and often provides an interface for other programs to call. The Security Server is such a program, providing security services for Rockwell Software applications running on a network. A version of Security Server which provides security for Rockwell Software applications on a single workstation. The link between two domains that enables a user with an account in one domain to have access to resources on another domain. In the context of the Security Server, a computer running Windows 95, Windows 98, or Windows NT Workstation or Windows NT Server on the same network with the computer running the Security Server.

Resource domain Roaming

Server

Service

Standalone Edition Trust relationship Workstation

62 Getting Results with Rockwell Softwares Security Server (Network Edition)

Index
Symbols .SB1, .SB2 ... files 41 .SDB file 41 A A.I. Series software setting up with the Security Server 45 Access control entries 5 defined 2, 59 editing 30 how they are applied 31 moving 32 order of 31 parts of 2 Access control lists 2 creating 30 defined 2, 59 refreshing 36 Account for the Security Server 13 required for the Security Server 9 System account 9 user account 9 Account domain 35 default 35 defined 59 Account domain controller 35 default 35 example of setting 50 setting which to use 49 ACE. See Access control entries ACL. See Access control lists Action groups creating 29 displaying number of 33 Actions adding A.I. 3 software 46 A.I. 5 software 45 applications provide lists of 4 come from applications 25 default permissions for 24, 34 defined 4, 59 displaying number of 33 grouping 29 importing for Rockwell Software products 26 Administrator accounts 36 Administrators group to install the Security Server 9 AI3GLOBALRIGHTS 45 AI5GLOBALRIGHTS 2, 24, 45 Application Log auditing Security Server events in 34 defined 59 Auditing Security Server events 34 Automatic mode for staring the Security Server 13 B Backup database 39 number of database backups 34 Backup domain controller defined 59 BDC. See Backup domain controller Browse services defined 59 C Client defined 60 Client connections to server 35 Configuration Explorer administrator accounts for 36 changing server properties with 32 controlling access to 36 defined 23 in which domain to run 23 installing with the Security Server client 18 properties 24 securing 36 Consolidating processor resources 53
Index 63

D Database backing up 39 backup files for 34 defined 60 exporting 39 importing 40 refresh rate 35 restoring from automatic backup 40 synchronizing 39 version of 33 DCOM caching 15 default launch permissions 17 defined 60 setting up for the Security Server 14, 16 DCOMCNFG application 16, 20 Default account domain 35 Default account domain controller 35 Default launch permissions 17 Default security access 34 Display full names 36 Domain defined 61 for the Security Server 13 in Security Server client configuration 19 E Event Viewer 34 Events auditing 34 logging 34 Export database 39 G Global resource A.I. 3 Series 46 A.I. 5 Series 45 Group defined 61 Grouping actions 29 example of 3 resources 29 users 25 workstations 27 H help i

I Import actions for Rockwell Software products 26 Import database 40 Installation before installing Security Server 9 location for Security Server 10 requirements for 7 Security Server 7 Security Server client 18, 20 L Launch permissions 17 Line-of-sight 24 defined 61 Logging Security Server events 34 Logon failure when trying to install the Security Server 14 M Manual mode for starting the Security Server 13 N Names of users displaying 36 Network Edition 1 described 5 installation requirements for 7 workstations part of ACLs in 3 Network information refresh rate 35 O One-way trust defined 61 online help i P Password for the Security Server 13 PDC. See Primary domain controller PLC-3 A.I. Series software setting up to use with the Security Server 46 PLC-5 A.I. Series software resource in 2, 24 setting up to use with the Security Server 45 Primary domain controller defined 61 Processor resources consolidating 53

64 Getting Results with Rockwell Softwares Security Server (Network Edition)

R Refresh ACLs 36 Refresh rate 35 Registry defined 61 Resource application 2 consolidating 53 creating 28 creating for PLC-3 A.I. Series software 48 creating for PLC-5 A.I. Series software 47 defined 1, 24, 62 displaying number of 33 global 2, 24 grouping 29 ID 24 in PLC-5 A.I. Series software 2, 24 name 24 Security Server based on 23 user-defined 24 Resource domain defined 62 Resource groups creating 29 displaying number of 33 Restoring a database 40 Roaming defined 37, 62 enabling or disabling 37 RSI documentation set getting results book i online help i S Security Server access control entries and 5 account for 13 account required in which to run 9 before installing 9 changing parameters for 14 changing properties of 32 domain in which to run 13 installation 11 installation requirements 7 installing the software 7 logon failure when trying to install 14 must not run in System account 9

must run in user account 9 parameters for installing 13 password for 13 rights for account for 10 run on NT Workstation or NT Server 9 runs as Windows NT service 9 startup mode for 13 trust relationships for 10 where you should install 10 Security Server client automating installation of 20 configuring 19 installation requirements 8 installing 18 installing Configuration Explorer with 18 Security Server Definition 19 Security Server model 23 Security Server Service Installer 14 Server defined 62 Server machine name 33 SERVER.INI 20 Service defined 62 Security Server runs as 9 Standalone Edition described 5 workstations not part of ACLs in 3 Startup mode for the Security Server 13 System account must not run the Security Server in 9 T Trust relationships defined 62 for the Security Server 10 U User account must run the Security Server in 9 User groups creating for DCOM configuration 15 displaying number of 33 User Manager 15 User rights for the account in which the Security Server runs 10
Index 65

Users displaying full names of 36 displaying number of 33 grouping 25 W Workstation defined 62 displaying number of 33 displaying number of groups 33 grouping 27

66 Getting Results with Rockwell Softwares Security Server (Network Edition)