Logix v20 Security Enhancements
5/20/2012

Contents
About This Lab
FactoryTalk Users
Tools

At this point we are going to log in as the FTAdmin user.

Why Log On to FactoryTalk when Launching RSLogix 5000

The reason you are asked to log on to FactoryTalk when you launch RSLogix 5000 is two-fold. First, beginning in RSLogix 5000 v20 the design editor is made FactoryTalk Security aware during the install. This does not mean that your controllers are secured by default; it just means that the design software is aware of FactoryTalk Security. Secondly, in this lab we disabled a feature called Single Sign-On (SSO) in our FactoryTalk Directory. This means that each time we launch a FactoryTalk-enabled application we will be asked to provide our user credentials. For more information on SSO see the Help Index from the FactoryTalk Administration Console.

Logon Credentials
User: ftadmin
Password: rockwell

4. From the main menu, go to Communications > Who Active.
5. The Who Active window comes up.
6. Browse through AB_ETHIP-1 > 172.16.1xx.4 > Backplane > 01, 1756-L63 LOGIX5563 and click on Set Project Path as shown above.
7. Now click on Download.
8. Click Download again at the following dialog.

Quick Tip: Take notice of the area boxed in blue. It indicates that the controller is currently not secured. We will review later what it looks like when the controller is secured.

9. Once the application has successfully downloaded, set the controller to Run from the controller menu.
10. Once you are successfully online with the controller, click Save.
11. You may also be asked to upload tag values; select Yes.
12. From the Controller menu click the button and navigate to the Date/Time tab.
13. Click the button that says Set Date, Time, and Zone from Workstation (circled in red above).
14. Click OK.
15. Save and CLOSE RSLogix 5000. If you are prompted to upload tag values, click Yes.

Section 1: FactoryTalk Directory Security Overview

This section of the lab provides a detailed overview of the FactoryTalk Directory structure and functionality. You will step through most of the features and functions of the FactoryTalk Administration Console and implement the security model we will use for the remainder of this hands-on lab. Finally, you will be introduced to FactoryTalk Security: how it works and how to configure it. Both are components of the FactoryTalk Services Platform.

Let's take a few minutes to examine the FactoryTalk Directory structure and familiarize ourselves with its different components.

1. Launch FactoryTalk Administration Console:
   A. Double click on the following icon on the desktop, OR click on the Start button and then select Programs > Rockwell Software > FactoryTalk Administration Console.
2. Select the Network option when prompted and click OK (select Network in the FactoryTalk Directory window and click OK).
3. You will be asked to log on to FactoryTalk with a dialog that looks like the image below.
4. The image below illustrates the structure of the FactoryTalk Network Directory following the FactoryTalk Services Platform installation. The Instant Fizz application used by this lab has also been added to the directory.

Quick Tip: Notice in the image above where it says Network (THIS COMPUTER), circled in blue. This indicates the name of the computer that hosts the FactoryTalk Network Directory we are managing. For the purposes of our lab, our FactoryTalk Directory server is our lab station. In most implementations this would be a server computer that hosts your application.

Logon Credentials
User: ftadmin
Password: rockwell

5. Expand the System directory structure as shown below by clicking on the + signs next to the individual folders. We will review these items in more detail throughout the lab.

Note that the available policy information for "FactoryTalk-aware" products is in the FactoryTalk Directory. These policies can be modified on a product-by-product basis for specific users, groups, and computers included within the FactoryTalk Directory. Several examples of these settings will be explored in subsequent sections of this lab.

Callouts in the image:
- Names of computers participating in the FactoryTalk Directory.
- FactoryTalk Users defined within the FactoryTalk Directory. These can be either native FactoryTalk Users or linked to Windows user accounts.
- FactoryTalk User Groups defined within the FactoryTalk Directory. These can be either native FactoryTalk User Groups or linked to Windows user groups.

How Does FactoryTalk Security Work?

FactoryTalk Security essentially answers the question: who, what, and where? When installing many Rockwell Automation products, such as RSLogix 5000 or FactoryTalk View Site Edition, a software component called the FactoryTalk Services Platform is installed as a prerequisite software package. That FactoryTalk Services Platform (FTSP) is the gatekeeper of FactoryTalk Security technology. By default, when a user installs FTSP the security model is wide open, allowing all administrative users on the PC to access the entire FactoryTalk system. Because enabling security has many considerations, we ask the user to perform some steps within the FactoryTalk Administration Console before the system is considered secure. These steps answer the questions of who, what, and where.

Who: The FactoryTalk user or group that you want to grant or restrict access to.
What: The resource or action (this may be a controller, a computer, or a software package) that you want to grant or restrict access to.
Where: The computer or computer group that you want to grant or restrict access to.

Warning: Be sure to back up your FactoryTalk Directory configuration prior to making any changes to an existing configuration. Beginning with version 2.50 of the FactoryTalk Services Platform, the unique identifier, or GUID, that we will learn about later in this lab can only be recovered from a previously created backup. A loss of this GUID could compromise access to the control system resources.

Creating Initial Backup of FactoryTalk Directory Configuration

The first step to configuring or modifying a FactoryTalk Security configuration is to back up the FactoryTalk Network Directory prior to making any changes. The following steps will walk you through this process.

1. With the FactoryTalk Administration Console window open, right-click on Network (THIS COMPUTER) and select Backup (circled in red below).
2. Click OK to create the backup from the Backup dialog after making note of the items below:
- The Archive name has a cryptic set of digits added to the name by default. This field is editable.
- Location where the backup file will be saved.
- Leave blank the option to create a password encrypting this backup archive.

Warning: If you encrypt a backup and forget the password, there is no way to decrypt the backup archive. Be sure to remember your password.

3. Click OK to acknowledge that our backup completed successfully. You have successfully created a backup of your Network FactoryTalk Directory, including the security configuration.

Enable you would have to create a similar account in your own applications.

Removing the "Windows Administrators" Group

1. Locate the Windows Administrators group under Users and Groups. Then right click on Windows Administrators and select Delete.

We are removing the Windows Administrators group from our directory to harden our security model and prevent unauthorized users from accessing our FactoryTalk Directory just because they might be a Windows administrator.

2. When prompted, respond Yes to confirm deletion.

Modify "All Users" Permissions

Some additional modifications must be made to the FactoryTalk Directory to enable security. The default installation of FactoryTalk Services Platform in CPR9 grants all FactoryTalk users full rights to all actions and resources. This means that any user added to the FactoryTalk Directory will have the same rights as the FactoryTalk Administrator. To change this default behavior, the rights granted to All Users must be removed.

Remove Permissions for All Users

1. Right click on Network at the top of the FactoryTalk Directory Explorer window and select Security.

So far the security rights we have set have limited which users can log in to the FactoryTalk Directory, but have not set what rights users have once they have logged in. Now we will configure security rights to control the rights individual users have on secured resources and in individual FactoryTalk Security-aware products.

2. On the Permissions tab, highlight the All Users group to see that the group is granted full rights in the FactoryTalk Directory.
3. Select the All Users group and click the Remove button to remove the default full security access for all users on the FactoryTalk system.

Why Remove vs. Deny: When you deny an action to a user or group, that denial takes precedence over an allow to the action made elsewhere. For instance, if Adam is a member of both the Maintenance
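The deny-overrides rule described above is the reason the lab removes the All Users grant instead of denying it. The following is an added example, not part of this lab manual or of any Rockwell software: a small Python model of permission resolution in which an explicit Deny on any principal the user matches overrides every Allow. The users, groups, action name and ACL entries are constructed sample data, and the model assumes that every authenticated user is implicitly a member of All Users, which is what the lab text says about the default installation.

```python
"""Added example (not Rockwell code): model of Allow/Deny resolution to show
why removing the All Users grant behaves differently from denying it.
All users, groups, actions and ACL entries are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str  # a user name or a group name
    action: str     # the securable action being controlled
    effect: str     # "allow" or "deny"


# Constructed group membership. Every authenticated user is treated as an
# implicit member of "All Users", so an entry on that group reaches everyone.
GROUPS = {
    "Administrators": {"ftadmin"},
    "Engineers": {"kylee.engineer"},
    "Maintenance": {"adam"},
    "Contractors": {"adam"},
}


def groups_of(user: str) -> set[str]:
    """All groups the user belongs to, including the implicit All Users."""
    return {"All Users"} | {g for g, members in GROUPS.items() if user in members}


def is_allowed(acl: list[AclEntry], user: str, action: str) -> bool:
    """Deny on any matching principal overrides every Allow. With no matching
    entry at all the result is 'not allowed' (no implicit grant)."""
    principals = {user} | groups_of(user)
    matching = [e for e in acl if e.action == action and e.principal in principals]
    if any(e.effect == "deny" for e in matching):
        return False
    return any(e.effect == "allow" for e in matching)


ACTION = "Controller: Download"  # constructed action name

# Out-of-the-box state the lab describes: All Users is allowed everything.
DEFAULT_ACL = [AclEntry("All Users", ACTION, "allow")]

# The wrong fix: deny All Users. Because deny wins, the explicit allows for
# Administrators and Engineers never take effect and nobody can act.
DENY_ALL_USERS_ACL = [
    AclEntry("All Users", ACTION, "deny"),
    AclEntry("Administrators", ACTION, "allow"),
    AclEntry("Engineers", ACTION, "allow"),
]

# The lab's approach: remove the All Users entry, then grant explicitly.
REMOVE_ALL_USERS_ACL = [
    AclEntry("Administrators", ACTION, "allow"),
    AclEntry("Engineers", ACTION, "allow"),
]

# Deny precedence across overlapping groups: adam is allowed through
# Maintenance but denied through Contractors, so the deny wins.
OVERLAP_ACL = [
    AclEntry("Maintenance", ACTION, "allow"),
    AclEntry("Contractors", ACTION, "deny"),
]

USERS = ("ftadmin", "kylee.engineer", "gordon.denied", "adam")


def decisions(acl: list[AclEntry], users=USERS) -> dict[str, bool]:
    """Map each user to the access decision for ACTION under one ACL."""
    return {u: is_allowed(acl, u, ACTION) for u in users}


if __name__ == "__main__":
    scenarios = [
        ("default", DEFAULT_ACL),
        ("deny All Users", DENY_ALL_USERS_ACL),
        ("remove All Users", REMOVE_ALL_USERS_ACL),
        ("overlapping groups", OVERLAP_ACL),
    ]
    for name, acl in scenarios:
        print(f"{name:20s} {decisions(acl)}")
```

Running the block prints one decision table per scenario: under the default ACL everyone is allowed, under the "deny All Users" ACL everyone including ftadmin is denied, and only the "remove All Users" ACL yields the intended outcome of allowing the administrator and engineer while leaving the rest without access.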
At this point we are going to log in as the kylee.engineer user.

4. Click on the Controller Properties button shown below, circled in red.

Logon Credentials
User: kylee.engineer
Password: rockwell

5. From the Controller Properties dialog, select the Security tab. You will notice that the Security Authority field (circled in red above), where we configure the project to communicate with FactoryTalk Security, is not editable. This field is a feature security item controlled in the FactoryTalk Administration Console; we will have to grant our user permission to set this field.

Why is the Security Authority field non-editable by default: Since resource security does restrict access to automation resources, the ability to apply it to RSLogix 5000 projects is prevented at the FactoryTalk Directory level by default. Users and groups must be explicitly granted this feature security to enable the functionality in RSLogix 5000.

6. Leaving RSLogix 5000 open, switch over to the FactoryTalk Administration Console.
7. Double click on Feature Security from the System > Policies > RSLogix 5000 container. You will see the dialog shown below.
8. From the Feature Security property dialog, open the Configure Security window by clicking on the button in the Controller: Secure field (shown in the image above in blue).
9. From the configuration window, (1) click the Add button, (2) select the Engineers group from the Select User and Computer dialog, and (3) click OK to close the Select User and Computer dialog.
10. Ensure that the Engineers group has been allowed access to this security feature and click OK to close the Configure Securable Action dialog.
11. Once you have added the Engineers group to this feature security, click OK in the Feature Security Property window to apply these changes.
12. Minimize the FactoryTalk Administration Console and switch back over to RSLogix 5000.
13. From the RSLogix 5000 main menu, go to Tools > Security > Refresh Privileges. If you have the Controller Properties window open, you will see that the Security Authority field becomes editable.
14. From the drop-down menu select FactoryTalk Security (NIS05-SECURITY) and click OK to apply this change to the project after taking notice of the callouts below.
15. After clicking OK, applying the security configuration for this project, you will receive a dialog alerting you that applying security will result in a loss of some privileges. Acknowledge this warning by clicking Yes.
16. From the Controller menu select Download to download the application.

Notice where it says NIS05-SECURITY: this is the name of our directory and security server. Starting in RSLogix 5000 v20, resource-based security is bound to a specific FactoryTalk Directory and Security server. Checking the "Use only the selected Security Authority for Authentication and Authorization" box requires that the unique identification key (GUID) of the selected FactoryTalk Security server match the value encrypted in this project. We will learn more about this value in the next section.

17. From the Download dialog, take notice that the processor we are downloading to is currently not security enabled (circled in blue below), and click Download.
18. Once the download completes, you will be asked to change the controller back to Remote Run; click Yes to initialize the project.
19. Click the Save button to apply our changes to the project.
20. Close RSLogix 5000.
21. Once RSLogix 5000 closes, open the application once again, this time logging on as our denied user, Gordon.
22. Log on as gordon.denied using the password rockwell.
23. You should see the message window displayed below that informs the user they are not authorized to open this project according to our security policy.
24. Click OK to close the dialog.
25. Close RSLogix 5000.

Logon Credentials
User: gordon.denied
Password: rockwell

Bind Physical Controller Resource to FactoryTalk Security Server

Now that we have configured both the security server and secured our RSLogix 5000 project file, we need to bind the newly secured controller resource to our FactoryTalk Security server to protect it from unauthorized connections.

1. In the FactoryTalk Administration Console, right click on the "1, 1756-L63 LOGIX5575, InstantFizz_Controller" resource under Networks and Devices > Workstation, NIS05-SECURITY > AB_ETHIP1, Ethernet > 172.16.1xx.4 > Backplane and select Properties.
2. From the Logical name: field, select the newly created InstantFizz_Controller item from the drop-down list and click OK. This logical name was created by RSLogix 5000 when we bound the project to FactoryTalk Security.

Design Tip: Logical Names can be assigned as above or to a specific area resource, such as an HMI Area controller.

We have now secured our