
SIMATIC Process Control System PCS 7
PCS 7 Security Concept: Recommendations and Notes
Edition 12/2005

Contents: Preface; 1 Planning the Security Cells and Access Points; 2 Managing the Network; 3 Managing Computers and Users; 4 User and Access Management in PCS 7 and Integration in the Windows Management; 5 Planning Time Synchronization; 6 Implementing Patch Management; 7 Secure Network Access to the Security Cells; 8 Final Considerations; 9 References; 10 Meaning of the Symbols; Glossary

Safety Information
This manual contains information that must be observed to ensure your personal safety and to prevent property damage. Notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring to property damage only have no safety alert symbol. The warnings appear in decreasing order of risk:
- Danger: death or severe personal injury will result if proper precautions are not taken.
- Warning: death or severe personal injury may result if proper precautions are not taken.
- Caution (with warning triangle): minor personal injury may result if proper precautions are not taken.
- Caution (without warning triangle): property damage may occur if proper precautions are not taken.
- Notice: an unwanted result or situation can occur if the relevant information is not taken into account.
If several hazards of different degrees are present, the warning notice representing the highest degree of danger is used. A warning notice with a warning triangle that warns of personal injury can also contain a warning about property damage.

Qualified Personnel
Startup and operation of the device/equipment/system in question must only be performed using this documentation. The device/system must only be commissioned and operated by qualified personnel. Qualified personnel as referred to in the safety instructions in this documentation are persons authorized to start up, ground, and label devices, systems, and circuits in accordance with the relevant safety standards.

Correct Usage
Warning: The equipment may only be used for the applications described in the catalog or in the technical description; it may only be used in conjunction with third-party devices and components recommended or approved by Siemens. This product can only function correctly and safely if it is transported, stored, set up, and installed correctly, and operated and maintained as recommended.

Registered Trademarks
All designations with the trademark symbol are registered trademarks of Siemens AG. Other designations in this documentation may be trademarks whose use by third parties for their own purposes can violate the rights of the owner.

Liability Disclaimer
We have conscientiously checked the contents of this manual to ensure that they coincide with the hardware and software described. Since deviations cannot be precluded entirely, we cannot guarantee full agreement. The information given in this publication is reviewed at regular intervals and any corrections that might be necessary are made in the subsequent editions.
Siemens AG, Automation and Drives, Postfach, Nürnberg, Deutschland. Copyright Siemens AG 2005. Subject to change without notice.

Preface

Purpose of this Documentation
The documentation PCS 7 Security Concept contains recommendations and information for planning and building secure, integrated PCS 7 automation solutions with connected Web clients, SIMATIC IT applications and office networks based on customer specifications. It serves as both a reference and a guide for network administrators working in the following areas:
- Configuration of PCS 7
- Commissioning and servicing PCS 7
- Management of company networks
It is intended to facilitate cooperation between the network administrators who manage company networks and those who manage automation networks.

Required Knowledge
This documentation is intended for persons involved in configuration, commissioning and servicing of automation systems using SIMATIC PCS 7. It assumes basic knowledge of the common IT technology used in offices.

Notice: This documentation cannot replace training of personnel in the fields of network engineering, management of Microsoft Windows desktop and server stations and operation of these stations in Windows domains; in part it assumes these skills as prerequisites.

Validity of the Documentation
The PCS 7 Security Concept documentation applies to process control plants built on the basis of PCS 7 V6.1 SP1.

IT Security in Your Plant
The aim of this security concept is the validation of an integrated process control plant as a "closed system" according to FDA 21 CFR 11 section A 11.3 number (4): "Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system." To this end, the plant is divided into separate security cells. Each cell can represent such a "closed system", and the network of security cells can also be validated as a "closed system". Several security measures are necessary to realize this. Optimal protection of the plant can only be achieved by implementing all of these security measures in their entirety.

Security Cells
Security cells in this document are zones, sections, subsections or plant units that can only be accessed by authorized personnel. Access in this sense includes:
- Operator permissions for individual production sections
- Physical access to the production areas and process control facilities
- Access permissions for the file system of a process control station, or for entire computer and control networks and their power supplies
The following security documents should be used as references in this context:
- BSI IT Baseline Security Manual, Chapter 4 "Infrastructures"
- FDA 21 CFR 11, "Electronic Records; Electronic Signatures"
- NAMUR Worksheet NA 67 "Information Security for Process Control Systems (PLS)"
- NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"
- ISA TR "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004

System Types
The PCS 7 Security Concept is illustrated in this document based on the following types of systems.

Single-station system as a process control system without Web clients
Figure 1 Schematic diagram of a single-station system

Multiple-station system as a process control system with Web clients
Figure 2 Schematic diagram of a multiple-station system (diagram not reproduced; only the OSM TP62 switch labels survived the transcription)

Large system as a process control system with MES and ERP layers
Figure 3 Schematic diagram of a large system (diagram not reproduced; only the OSM TP62 switch labels survived the transcription)

Note: This SIMATIC PCS 7 Security Concept has been system tested and should be implemented in your plant. Be aware that not all security concepts from the IT world can be transferred 1-to-1 to process automation. Office IT focuses mainly on global accessibility combined with maximum security; the most important factor for process automation is the functionality and availability of the plant.

Notice: Deviations from the recommended PCS 7 security concept can result in security vulnerabilities. Always keep your plant up to date so that known security vulnerabilities are not left open. This documentation describes the PCS 7 Security Concept for V6.1 SP1. Your Automation & Drives representative can inform you about the latest version of this manual.

Guide
The topics are listed in the order in which an administrator should perform the configuration of the required components. Background information and context is provided for each task to help the administrator understand the security concept and the purpose of the respective tasks. This documentation consists of the following topics:

Planning the Security Cells and Access Points
- Principle: Division into security cells
- Security Cells and Room Security
- Specifying the Network Access Points

Managing the Network
- Assigning IP Addresses and Division into Subnets
- Name Resolution

Managing Computers and Users
- Principle: Division of responsibility
- Operating Plants in Windows Workgroups
- Managing Plants Using a Windows Domain (Active Directory): shared domains with a dedicated organizational unit; shared forest with subordinate domains

User and Access Management in PCS 7 and Integration in the Windows Management
- Principle: Assigned logon
- Relationship between Windows user rights and the project-specific management of user rights and operator rights
- Integration into Windows management

Planning Time Synchronization
- Principle: Exact time of day
- Time Synchronization in a Windows Workgroup without a Central Plant Clock
- Time Synchronization in a Windows Workgroup with a Central Plant Clock
- Time Synchronization in a Windows Active Directory Domain without a Central Plant Clock (with NTP Time Server)
- Time Synchronization in a Windows Active Directory Domain with a Central Plant Clock

Implementing Patch Management
- Principle: Management of software updates and security patches
- Implementing Patch Management
- Installing and Configuring the Software Update Service (SUS)
- Configuring AU Clients (AU = Automatic Update)

Secure Network Access to the Security Cells
- Principle: Closed system in accordance with FDA
- Using Firewalls for the Access Points
- Using Virus Scanners for the Access Points
- Principle: Integration of Remote PCS 7 PCs in the Closed System according to FDA
- Using and Configuring Authentication and Encryption with IP Security
- Using and Configuring Authentication and Encryption with Secure Sockets Layer
- Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
- Additional Measures
- Log/Audit

Further Support
Please contact your local Siemens representative if you have any questions about the products described in this manual. Your Siemens representative, a guide to the documentation of the various SIMATIC products and systems, the online catalog and the online ordering system can be found on the Internet.

Training Center
We offer various courses for newcomers to the PCS 7 process control system. Please contact your regional training center, or the central training center in Nuremberg.

Technical Support
You can access Technical Support for all A&D products with the Support Request form on the Web, via telephone or via fax. Further information about our technical support is available on the Internet.

Service & Support on the Internet
In addition to our documentation, we offer a comprehensive online knowledge base. There you will find:
- Newsletters providing the latest information on your products
- Relevant documentation, via our Service & Support search engine
- A forum where users and experts from all over the world exchange ideas
- Your local Automation & Drives representative
- Information about local service, repairs, and spare parts and much more under "Services"


Contents
1 Planning the Security Cells and Access Points
  - Security Cells and Room Security
  - Specifying the Network Access Points
2 Managing the Network
  - Assigning IP Addresses and Division into Subnets
  - Name Resolution
3 Managing Computers and Users
  - Operating Plants in Windows Workgroups
  - Managing Plants Using a Windows Domain (Active Directory)
    - General Information on Domains
    - Embedding Plants in Existing Domains (Active Directory)
4 User and Access Management in PCS 7 and Integration in the Windows Management
  - Rights Management in Windows
  - User Management in PCS 7
5 Planning Time Synchronization
  - Time Synchronization in a Windows Workgroup without a Central Plant Clock
  - Time Synchronization in a Windows Workgroup with a Central Plant Clock
  - Time Synchronization in a Windows Active Directory Domain without a Central Plant Clock (with NTP Time Server)
  - Time Synchronization in a Windows Active Directory Domain with a Central Plant Clock
6 Implementing Patch Management
  - Implementing Patch Management
    - Detecting Security Vulnerabilities with MBSA
    - Assessing Security Vulnerabilities
    - Obtaining Software Updates and Security Patches
    - Testing Security Patches
    - Deploying Security Patches
    - Maintaining the Patch Environment
  - Installing and Configuring the Software Update Service (SUS)
    - Basics of SUS
    - Installing SUS
    - Configuring the SUS Server
    - Configuring AU Clients
7 Secure Network Access to the Security Cells
  - Mapping the Data Traffic
  - Using Firewalls for the Access Points
    - General Information on Firewalls
    - Using the Microsoft ISA Server as a Firewall
    - Using Local Firewalls on PCS 7 PCs
  - Using Virus Scanners for the Access Points
    - Using Local Virus Scanners on PCS 7 PCs (Distributed Access Points)
    - Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant
  - Integration of Remote PCS 7 PCs in the Closed System according to the FDA
    - Using and Configuring Authentication and Encryption with IP Security
    - Using and Configuring Authentication and Encryption with Secure Sockets Layer
    - Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
  - Requesting and Installing Certificates
    - Installing a Stand-alone Root Certification Authority
    - Downloading a Certification Authority Certificate
    - Requesting a Local Computer Certificate for IPSec
  - Configuring SSL on a Web Server
    - Creating a Certificate Request
    - Submitting a Certificate Request
    - Issuing a Certificate
    - Installing the Certificate on the Web Server
    - Configuring the Resources for Requesting SSL Access
8 Final Considerations
  - Residual Risks
  - Additional Measures
9 References
10 Meaning of the Symbols
Glossary

1 Planning the Security Cells and Access Points

1.1 Security Cells and Room Security

Principle: Division into security cells
The first and most important step in building a modern and secure process automation plant is careful planning of the security cells in this plant. To this end, the plant is divided into separate segments.

Segments and security cells
Segments represent specific zones, sections, subsections or units. They become security cells when they fulfill the conditions described in the section "IT Security in Your Plant". Several segments can form one security cell. This is where the first basic difference from the usual IT environment becomes apparent: whereas conventional IT environments focus on global networking and access, the emphasis in industrial environments is on ensuring that only authorized persons can access the system over the network. The room security of the plant is even more important. Even the best firewall or encryption is useless if a saboteur can simply remove the server's hard disk and walk away with it. This is why individual plants and plant units need to be segmented and provided with room security.

Rules for forming segments and security cells
- Each segment must form a self-sufficient "functioning plant" that can be operated for a certain amount of time without connection to other plants or units; in other words, a segment must be capable of operating autonomously for a period of time and remain so.
- All components immediately belonging to such a segment and involved in its function must be connected directly to one another (i.e., not through leased lines).
- Units that cause high network and computer load when connected from the outside via a complex security mechanism should always be integrated directly in the segment.
- Any access to a security cell (physical access by operators, file access, etc.) should take place only after the user's identity has been verified and logged, and only under supervision of authorized persons.
- Only trusted persons with appropriate training should be given access to a security cell.

What does this ensure?
This ensures that only persons intending no deliberate threat to the plant are given direct physical access to a security cell within the plant.

Ramifications for security measures
Within a plant security cell, only standard access authorizations are required to protect against maloperation by plant personnel. This also means that within a security cell no measures need to be taken to encrypt data traffic or to run a firewall on each individual device; the network can be operated without encryption, which also simplifies support. The trust placed in the cell therefore rests entirely on its physical and personnel controls: if these recommendations for dividing the plant into segments and security cells are not heeded, all other protection measures described here will have no effect.

Application to plant types

Single-station system
In a single-station system, the single station represents a security cell and can also form a closed system. This requires it to be located in a room with appropriate room protection. In the case of multiple single-station systems, each single station represents a security cell and several stations together can form a closed system.

Multiple-station system
A multiple-station system represents a security cell and can form a closed system at the same time. The recommended separation of the terminal bus and the system bus must also be taken into account on the process control level (DCS):
- The terminal bus connects the PCS 7 PCs to the DCS level.
- The system bus connects the OS servers to the programmable logic controllers (PLCs). Communication between the PLCs is performed on the system bus.
- The separation is implemented to avoid loading the system bus with the communication for the visualization on the OS clients. The availability of the system bus is thereby increased.
- Figure 1-1 shows the division of the DCS into terminal bus and system bus segments using the production shop security cell as an example. The PC stations of the DCS are assigned to the terminal bus. The AS stations of the DCS are assigned to the system bus.
Figure 1-1 Production shop security cell

Large system
In the example configurations shown in Figure 1-2 and Figure 1-3, referred to as the company "plant.com" in the following, there are three main buildings with various functions and different devices. Each building corresponds to a security cell in this example because:
- There are persons with similar responsibilities and permissions in each of the segments.
- Each security cell can fulfill its task isolated from the others for a certain period of time.
Figure 1-2 Building security cells: layers

The only exception in this example is the building for the access control of the entire company site. This building contains a single device that displays special alarms but does not allow any operator inputs.
Figure 1-3 Building security cells: devices

FDA requirements for room protection
The important factor for room protection in the context of FDA certification, especially 21 CFR Part 11, is the definition of a "closed system" and its security requirements. The most important requirements are:
- Restriction of access to authorized persons
- Restriction of access to permitted devices
- Protection of documents and data against change and deletion

Methods for increasing network performance
Methods for increasing network performance are mainly implemented only within a segment. Switched and possibly redundant networks should only be built within a segment, for example.

Note: In practice, different requirements have emerged for the two networks due to their different characteristics, for example, the fault tolerance (redundancy) and the substantially faster response times of the system bus, especially between individual PLCs. To prevent the terminal bus and system bus from interfering with each other, we strongly recommend that they be built and operated as physically separate networks.

1.2 Specifying the Network Access Points

Central access points
Many network applications are susceptible to attacks such as denial of service or buffer overflows. You protect against these attacks by regularly installing the latest security updates for these applications and the operating system. Contradicting this is the need to operate the plant as long as possible without downtime, since security updates often require restarting the system. This can be reconciled by providing the security cells of a plant with reliable central access points that can protect all network components (including those not yet updated) for a specific period of time. The central access point only buys time: the security updates must still be installed on every component after testing, so that the individual components remain secure even when the central access point fails or is bypassed.

Network access point: what does this ensure?
Network access points are intended to:
- Prevent unauthorized data traffic to sensitive process control systems
- Enable authorized data traffic and therefore problem-free, normal operation of the process control system

Defined access points using routers
The individual segments and subnets must be interconnected through defined access points. Routers are most suitable for this, because data communication can be regulated precisely using the routing and filter rules directly on these devices, thus providing a simple protection mechanism without impeding the network traffic. Suitable routers are selected based on the:
- Required network bandwidth
- Required availability
The dimensioning of the router must correspond to the actual requirement of the network traffic and any planned expansions of the plant. The router represents a bottleneck for network traffic due to its status as a stand-alone device. Therefore, modern Gigabit technology may need to be used for the router, and the router may need to be configured redundantly.

Note: We recommend the temporary use of routers as the isolation and connection component for the individual security cells, especially during the commissioning phase of a plant. This allows you to functionally test all the devices and their communication much more easily. You must later replace these routers either with firewalls or by installing and configuring firewall software on computers used as routers (see chapter 7.2 "Using Firewalls for the Access Points").

Application to plant types

Single-station system
Assuming that a single-station system represents a security cell and is therefore in a protected room, the network adapters represent the access points. If this is not the case, all interfaces of the single-station system, such as the drives, keyboard, mouse, USB connections, etc., form the access points.

Multiple-station system
The DCS router forms the access point to a multiple-station system (see Figure 1-4, "Network access points: Router").

Large system
The access points are illustrated in Figure 1-4, "Network access points: Router":
- Access point to the DCS via the DCS router
- Access points to the MES via the DCS router and the MES router
All devices of the ERP layer are located in a physical subnet on the top layer. This is connected with the next MES layer via the MES router. The MES layer in turn is connected to the process control layer via the DCS router. In this example, the OS servers swap out production data from the process control layer (DCS) to the SIMATIC IT Historian Server or Central Archive Server (CAS) at regular intervals. Although the process control layer can work for a certain amount of time without a connection to the MES layer, it must be regularly connected to the archive servers on the MES layer, because its archive capacity is limited. The production data are collected, archived, and evaluated on the MES layer and made available to the ERP layer via a Web solution (OSWebServer01). An important aspect is that these production data cannot be destroyed and can no longer be changed.

Figure 1-4 Network access points: Router (diagram not reproduced; only the OSM TP62 switch labels survived the transcription)

Note: The operation of a SIMATIC IT Historian or Central Archive Server on the MES layer is not absolutely necessary. If the given conditions do not allow such a layer to be formed, you must do without these additional security zones. This is not recommended, however.


2 Managing the Network

2.1 Assigning IP Addresses and Division into Subnets

Selecting IP addresses and division into subnets
As stated in chapter 1.1 "Security Cells and Room Security", the selected division into segments should also be reflected in the IP address range of the networks by forming individual subnets.

Rules for IP addresses
Selecting the IP address range is the first step in increasing the network security:
- Preferably, select IP addresses from the internationally reserved private address ranges (RFC 1918).
- Addresses in the x.x range are recommended to provide a simple and clear structure for small and medium-sized plants.

What does this ensure?
Since addresses from the private ranges are not routed on the public Internet, this provides a first line of defense against direct attacks on your plant PCs from the Internet. It is only a first line: private addressing does not stop traffic from the office network or from any system that has already reached a routed segment, which is why the access points of chapter 1.2 remain necessary.

Recommended IP addresses
In the x.x range, for example, there are 256 class C networks (subnet x to subnet x), each with 254 subscribers (IP address x.1 to IP address x.254).
Figure 2-1 Levels with IP subnets

The office environment addresses are often already in use by the company IT department. The IT department must be included in the early planning of the plant network if a connection to the office network is planned now or for a later time.

Use of DHCP (Dynamic Host Configuration Protocol)
DHCP offers the possibility of a secure, reliable and simple TCP/IP network configuration. DHCP prevents address conflicts and helps to standardize the use of IP addresses by providing centrally managed address assignments.

Note: Never install services for network management such as DNS, WINS, DHCP, domain controllers, etc., on a PCS 7 PC.

The following should be noted when using DHCP in a PCS 7 system: a DHCP server must be present in each segment. It can be located on one computer together with the DNS and WINS servers. We recommend the following settings for the DHCP server on the terminal bus in our example:

Reservations
Make reservations for all plant PCs on the terminal bus. This ensures that the plant PCs always receive the same IP address, even when they have been switched off for a long period. Tip: Select a dummy name such as dummy01 as the reservation name. Based on the FQDN later shown under the reservation, you can then easily recognize whether the computer with the corresponding MAC address is properly logged on.

Address pool
Once you have made reservations for all plant PCs, you only need a very small address pool.

Range or server options
- 003 Router: address of the segment router
- 006 DNS Servers: *
- 015 DNS Domain Name: production.plant.com
- 044 WINS/NBNS Servers: *
- 046 WINS/NBT Node Type: 0x8 (hybrid)
* The addresses given in the original apply only when the DNS or WINS server is installed on the domain controller, for example. Otherwise the IP addresses must be adapted.

Other options may be useful based on local requirements, for example:
- 042 NTP Servers
- 033 Static Route Options

Note that DHCP servers cannot be configured redundantly. This does not mean, however, that a PCS 7 PC will no longer function following the failure of a DHCP server. Problems only arise once the lease time expires or the PCs are rebooted.
- Select a lease time long enough to meet your requirements.
- If DHCP server redundancy is required, you have the option of clustering the DHCP servers like all other Windows servers.
- Another possibility is the configuration of an alternative IP address on Windows XP or Windows Server. To avoid duplicate addressing in the event a DHCP server fails, these alternative IP addresses must be maintained in parallel with the DHCP reservations.

Allocation and reservation of IP addresses
Note: Ensure that you reserve the following in every subnet:
- IP address x.x.x.0 as the network address
- IP address x.x.x.1 as the router
- IP address x.x.x.255 as the broadcast address
The allocation might appear as follows:
Figure 2-2 Levels with IP address allocation

The plant configuration and the IP address assignments for our example plant might appear as follows:
Figure 2-3 General overview with IP addresses (diagram not reproduced; only the OSM TP62 switch labels survived the transcription)
Figure 2-3 contains devices and configurations that will be explained in detail in later sections. Although a simpler diagram might be preferable here, this figure better illustrates the subnet division and IP address assignments.
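The rules above (one private subnet per segment, a DHCP server inside each segment, .0/.1/.255 reserved, a reservation for every plant PC and only a small free pool) are easy to violate quietly when a plan is edited by hand. The following Python script is an added example, not part of the Siemens manual, that checks a constructed plan against exactly those rules. The subnets, MAC addresses and server addresses in PLAN are assumptions chosen for illustration; the third segment is deliberately wrong so the checks have something to report.

```python
"""Added example (not from the Siemens manual): check a subnet and DHCP
reservation plan against the rules given in this chapter. The plant
inventory below is constructed; every address, name and MAC is an assumption."""
import ipaddress
from collections import Counter

# RFC 1918 ranges. Python's is_private also counts documentation and
# test networks (e.g. 203.0.113.0/24) as private, so the check is explicit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_POOL = 32   # a plant with reservations for every PC needs only a small free pool

# Constructed sample plan: one subnet per segment, router at .1, one DHCP server
# per segment, a reservation for every plant PC and a small address pool.
PLAN = {
    "DCS terminal bus": {
        "subnet": "192.168.2.0/24",
        "dhcp_server": "192.168.2.10",
        "pool": ("192.168.2.200", "192.168.2.209"),
        "reservations": {                          # MAC -> reserved address
            "00-0C-29-00-00-01": "192.168.2.11",   # OSServer01
            "00-0C-29-00-00-02": "192.168.2.12",   # OSServer02
            "00-0C-29-00-00-03": "192.168.2.21",   # OSClient01
        },
    },
    "MES": {
        "subnet": "10.1.0.0/16",
        "dhcp_server": "10.1.0.10",
        "pool": ("10.1.0.200", "10.1.0.209"),
        "reservations": {"00-0C-29-00-00-10": "10.1.0.20"},
    },
    "Bad segment": {                               # violates several rules on purpose
        "subnet": "203.0.113.0/24",                # public test network, not RFC 1918
        "dhcp_server": "192.168.9.10",             # DHCP server outside its own segment
        "pool": ("203.0.113.1", "203.0.113.254"),  # whole subnet, overlaps reservations
        "reservations": {
            "00-0C-29-00-00-20": "203.0.113.1",    # the router address
            "00-0C-29-00-00-21": "203.0.113.255",  # the broadcast address
            "00-0C-29-00-00-22": "203.0.113.50",
            "00-0C-29-00-00-23": "203.0.113.50",   # same address reserved twice
        },
    },
}


def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def check_segment(name, seg):
    """Return the rule violations found in one segment; an empty list means OK."""
    findings = []
    net = ipaddress.ip_network(seg["subnet"], strict=True)
    router = net.network_address + 1            # manual: x.x.x.1 is reserved for the router
    if not is_rfc1918(net):
        findings.append(f"{name}: {net} is not an RFC 1918 private range")
    if ipaddress.ip_address(seg["dhcp_server"]) not in net:
        findings.append(f"{name}: DHCP server {seg['dhcp_server']} is outside {net}")
    reserved = {net.network_address: "network", router: "router",
                net.broadcast_address: "broadcast"}
    ips = [ipaddress.ip_address(a) for a in seg["reservations"].values()]
    for ip in ips:
        if ip not in net:
            findings.append(f"{name}: reservation {ip} is outside {net}")
        elif ip in reserved:
            findings.append(f"{name}: reservation {ip} collides with the {reserved[ip]} address")
    for ip, count in Counter(ips).items():
        if count > 1:
            findings.append(f"{name}: {ip} is reserved {count} times")
    lo, hi = (ipaddress.ip_address(a) for a in seg["pool"])
    if lo not in net or hi not in net:
        findings.append(f"{name}: DHCP pool {lo}-{hi} is not inside {net}")
    overlap = sorted(set(ip for ip in ips if lo <= ip <= hi))
    if overlap:
        findings.append(f"{name}: DHCP pool overlaps reservations {[str(ip) for ip in overlap]}")
    pool_size = int(hi) - int(lo) + 1
    if pool_size > MAX_POOL:
        findings.append(f"{name}: DHCP pool of {pool_size} addresses is larger than needed")
    return findings


def check_plan(plan):
    """Check every segment plus the rule that segments get disjoint subnets."""
    findings = []
    nets = [ipaddress.ip_network(s["subnet"]) for s in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    for name, seg in plan.items():
        findings.extend(check_segment(name, seg))
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```

Run as a script it lists every violation in "Bad segment" and nothing for the two correct segments. The explicit RFC 1918 list matters: the standard library's is_private flag is true for the documentation networks as well, so relying on it would let a public test range through.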

Application to plant types

Single-station system
The IP address configuration can be set statically on every PC; this does not mean, however, that the single-station system cannot be located in a network with DHCP servers. Make sure that you do not duplicate addresses.

Multiple-station system, large system
We recommend you use an additional PC as the DHCP server. The DNS and WINS servers can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.

2.2 Name Resolution

Symbolic names
All network subscribers must be assigned symbolic names in order to keep the network structure and administration flexible and make it possible to react to changes. These names correspond to the IP addresses of the network subscribers. Task-oriented symbolic names such as OSServer01, PressSrv01, etc., have proven popular. Most applications use these names to find their communication partners in the network.

Rules for name resolution
- When DNS and WINS servers are used, at least one DNS server and one WINS server must be available in each segment. They can both be physically located on one PC.
- The symbolic names for plant PCs can contain up to 15 characters and must consist of letters and digits only.
- Name resolution must be quick, reliable and always available to each and every network subscriber.

Note: As soon as a Windows 2000 or Windows 2003 domain is used to manage the Windows computers (see chapter "Managing Plants Using a Windows Domain (Active Directory)"), a writable DNS server that accepts dynamic updates is an absolute necessity for resolving names in this domain.

Name resolution for each individual segment must also function without a connection to the other segments. Fast and reliable name resolution is a requirement for high-level performance in each individual segment.

32 Managing the Network Name resolution with DNS servers You can assign the name by selecting Start > Settings > Control Panel > System, and clicking the Change on the Computer Name tab. Figure 2-4 Name resolution DNS suffix DNS suffix: Specification of the DNS suffix is important for the PC to be correctly entered on the DNS server. This also applies to the DNS server itself. 2-8 A5E

DNS server address: The DNS server address on the plant PC is set by selecting Start > Settings > Control Panel > Network Connections > LAN Connection and clicking Properties on the General tab. In the "Internet Protocol (TCP/IP) Properties" dialog, select either of the following:
- "Obtain DNS server address automatically"
- "Use the following DNS server addresses:"

Name resolution with WINS servers
You assign the name by selecting Start > Settings > Control Panel > System and clicking Change on the Computer Name tab. The "NETBIOS computer name" is formed from the "Computer name" specified here and can be displayed by clicking More. Both names should be the same to avoid name resolution errors.

WINS server address: The WINS server address on the plant PC is set by selecting Start > Settings > Control Panel > Network Connections > LAN Connection and clicking Properties on the General tab. In the "Internet Protocol (TCP/IP) Properties" dialog, click Advanced and select the WINS tab.

Application to plant types

Single-station system
Name resolution is not a necessity for PCS 7 networking, but the single-station system must be able to identify itself. This does not mean, however, that the single-station system cannot be located in a network with DNS and WINS servers.

Multiple-station system, Large system
We also recommend using at least one additional PC as a DNS and WINS server in a workgroup. The DHCP server can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.
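The following PowerShell script is an added example and is not part of this manual or of the PCS 7 software. It checks one plant PC against the name-resolution rules of this chapter: the computer name limit of 15 letters and digits, the agreement of computer name and NetBIOS name, a configured DNS suffix, a DNS and a WINS server address on every active adapter, and the resolvability of the other subscribers in the segment. It assumes Windows PowerShell 5.1 on Windows 8 / Windows Server 2012 or later (for Resolve-DnsName); the peer names OSServer01 and OSClient01 are constructed sample values, and the WINS check can be switched off for a single-station system, where WINS is not required.

```powershell
# Added example (not from the Siemens manual): checks a plant PC against the
# name-resolution rules of chapter 2.2. Peer names are constructed sample values.
function Test-PlantNameResolution {
    param(
        # Symbolic names of the other subscribers in the segment that must resolve
        [string[]]$Peers = @('OSServer01', 'OSClient01'),
        # A single-station system does not need WINS; multi-station systems do
        [bool]$WinsRequired = $true
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $tcpip    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $hostName = $tcpip.Hostname          # DNS host name entered as "Computer name"
    $netbios  = $env:COMPUTERNAME        # NetBIOS name derived from it (max. 15 characters)

    # Rule: up to 15 characters, letters and digits only
    if ($hostName.Length -gt 15 -or $hostName -notmatch '^[A-Za-z0-9]+$') {
        $findings.Add("Computer name '$hostName' violates the 15-character alphanumeric rule")
    }
    # Rule: computer name and NetBIOS name should be identical (-ne compares case-insensitively)
    if ($hostName -ne $netbios) {
        $findings.Add("NetBIOS name '$netbios' differs from computer name '$hostName'")
    }
    # Rule: a primary DNS suffix is needed so that the PC is entered correctly on the DNS server
    if ([string]::IsNullOrEmpty($tcpip.Domain)) {
        $findings.Add('No primary DNS suffix is configured')
    }
    # Rule: a DNS server (and, where required, a WINS server) address on every IP-enabled adapter
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if (-not $nic.DNSServerSearchOrder) {
            $findings.Add("Adapter '$($nic.Description)': no DNS server address")
        }
        if ($WinsRequired -and -not $nic.WINSPrimaryServer) {
            $findings.Add("Adapter '$($nic.Description)': no WINS server address")
        }
    }
    # Rule: every subscriber in the segment must be resolvable from this PC
    foreach ($peer in $Peers) {
        try   { $null = Resolve-DnsName -Name $peer -ErrorAction Stop }
        catch { $findings.Add("'$peer' does not resolve: $($_.Exception.Message)") }
    }
    if ($findings.Count -eq 0) { 'OK: all name-resolution rules are satisfied' } else { $findings }
}

Test-PlantNameResolution
```

Run the script on each plant PC after the settings described above have been made; every line of output other than the OK line names one rule that the PC does not yet satisfy. Because the check only reads registry values, WMI and DNS, it can be repeated at any time without affecting the running plant.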


3 Managing Computers and Users

Principle: Division of responsibility
Windows users are assigned certain rights required to perform specific tasks for managing computers and users.

Objective: Carefully dividing the spheres of responsibility between the IT department and the plant operation personnel ensures, on the one hand, that an IT department administrator is prevented from unintentionally rebooting a PCS 7 PC and, on the other hand, that an administrator of the plant operation personnel is prevented from unintentionally making changes to the domain settings.

3.1 Operating Plants in Windows Workgroups

Distributed management of computers and users
Operating the plant without centralized Windows management is generally useful and efficient when:
- The plant has no more than approximately 10 computers.
- The plant does not undergo changes on a routine basis (for example, adding new users, changing computers, introducing new security policies, changing passwords, etc.).
- The operation of a Windows domain infrastructure cannot be guaranteed by appropriately trained personnel.
- The uniformity of network settings, computer configurations, security policies, users and passwords can be guaranteed by meticulous, centralized plant documentation.

Notes about distributed management
Special attention should be given to the following:
- The passwords of a user must always be changed on all affected computers.
- User accounts that are no longer needed must be removed everywhere.
- All computers in the plant must be configured with the same security policy (for example, use of the LanManager V2 protocol, signing of SMB communication, password complexity and password age).
- A central record of assigned computer names and IP addresses must be created and kept up-to-date.
- When local LMHOSTS and HOSTS files are used to support name resolution, all files must always be updated at the same time.

Field experience has shown that the operation of an entire plant can be seriously jeopardized by the incorrect configuration of a single computer. Moreover, locating the error in such cases is often tedious and complicated.

Example configuration: distributed management
Figure 3-1 illustrates the configuration of each individual computer in a plant operating in the Production (A) workgroup:

Figure 3-1 User management in a workgroup

All computers in the Production (A) workgroup must be set up with the same security policy (B), the correct network adapter configuration (C) and a consistent group and user configuration (D), and must always be updated at the same time. It is easy to see that the amount of administration work increases as the number of users and computers increases.

Application to plant types

Single-station system
The use of a workgroup is suitable when one or more single-station systems are involved, because the amount of administration work required for a domain is not justified. Nevertheless, it can be useful to operate an additional PC with DNS, WINS and DHCP functionality.

Multiple-station system
For a multiple-station system, the use of a workgroup is only practical when the criteria mentioned above can be fulfilled. Otherwise, we recommend the use of a domain as described in chapter "Managing Plants Using a Windows Domain (Active Directory)". In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.

Large system
Although the use of a workgroup is possible, it is not recommended in this case, because the criteria described in the following chapter "Managing Plants Using a Windows Domain (Active Directory)" are applicable. In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.
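The following PowerShell script is an added example and is not part of this manual or of the PCS 7 software. It supports the workgroup scenario of this section, where the security policy has to be identical on every computer and can only be kept consistent through central documentation: the first function reads the settings named above (LanManager authentication level, SMB signing, password complexity and password age) from the local PC, and the second compares the baselines collected from several PCs and lists every setting that is not identical everywhere. It assumes Windows PowerShell 5.1 run as a local administrator (secedit needs it); the share name \\DocServer\PlantDoc used in the usage lines is an assumption.

```powershell
# Added example (not from the Siemens manual): collect and compare the workgroup security
# settings of chapter 3.1 across plant PCs. Share path in the usage lines is an assumption.

# Reads the settings that must be identical on every PC of the workgroup
function Get-PlantSecurityBaseline {
    $lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $server = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $client = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # Password policy: export the local security policy with secedit and read [System Access]
    $inf = Join-Path $env:TEMP 'plant-secpol.inf'
    $null = secedit /export /cfg $inf /areas SECURITYPOLICY /quiet
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(PasswordComplexity|MaximumPasswordAge|MinimumPasswordLength)\s*=\s*(\S+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        LmCompatibilityLevel  = $lsa.LmCompatibilityLevel         # 5 = send NTLMv2 only, refuse LM and NTLM
        SmbServerSigning      = $server.RequireSecuritySignature  # 1 = SMB signing required
        SmbClientSigning      = $client.RequireSecuritySignature
        PasswordComplexity    = $policy['PasswordComplexity']     # 1 = complexity enforced
        MaximumPasswordAge    = $policy['MaximumPasswordAge']     # days
        MinimumPasswordLength = $policy['MinimumPasswordLength']
    }
}

# Compares baselines from several PCs and reports every setting that differs somewhere
function Compare-PlantSecurityBaseline {
    param([Parameter(Mandatory)][object[]]$Baselines)
    $settings = 'LmCompatibilityLevel', 'SmbServerSigning', 'SmbClientSigning',
                'PasswordComplexity', 'MaximumPasswordAge', 'MinimumPasswordLength'
    foreach ($s in $settings) {
        $groups = $Baselines | Group-Object -Property $s
        if ($groups.Count -gt 1) {
            foreach ($g in $groups) {
                [pscustomobject]@{ Setting = $s; Value = $g.Name; Computers = ($g.Group.Computer -join ', ') }
            }
        }
    }
}

# On each plant PC: export its baseline to the central plant documentation
#   Get-PlantSecurityBaseline | Export-Clixml "\\DocServer\PlantDoc\$env:COMPUTERNAME.xml"
# On the documentation PC: load all exports and list the deviations
#   Compare-PlantSecurityBaseline (Get-ChildItem '\\DocServer\PlantDoc\*.xml' | ForEach-Object { Import-Clixml $_ })
```

An empty result from Compare-PlantSecurityBaseline means the listed settings are identical on all exported PCs; each output row names one setting, one value and the computers that carry it, which points directly at the single misconfigured computer that, as described above, is otherwise tedious to find. A missing registry value (for example LmCompatibilityLevel left at its default) appears as an empty value and is reported as a deviation as well.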

3.2 Managing Plants Using a Windows Domain (Active Directory)

General Information on Domains

Centralized management of computers and users
Configuration of centralized Windows management is generally useful and efficient when:
- The plant contains 10 or more computers.
- The plant undergoes changes on a routine basis (for example, adding new users, changing computers, introducing new security policies, changing passwords, etc.).
- System events and system properties must be stored in a central location.
- Centralized configuration of the individual computers is required.

Additional criteria for centralized management
Centralized management (Active Directory) should be configured for the computers and users in a plant if:
- The company has its own security policy that requires an Active Directory domain.
- Legal standards, guidelines or regulations must be fulfilled (for example, when the use of Kerberos as the authentication procedure or centralized logging of logon events is required).
- Centralized, fault-tolerant user management and logon is required.
- Centralized, fault-tolerant IP address assignment (DHCP) and centralized management of name resolution and registration for computers (DNS/WINS) is required.
- There is a requirement for a certificate server based on Active Directory for services such as secure Web services with encrypted communication via Secure Socket Layer (SSL), signatures for applications and documents, authentication, certificate-based IP security communication and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP).
- The total number of computers, accounts and persons to be managed is very large.

Management by operating personnel

Note
When a separate Windows domain is set up for the plant, this domain must be managed by the plant operating personnel. This responsibility cannot be transferred to persons outside the production plant, because such persons are not in a position to judge whether or not a given configuration change will have a negative effect on the production process. This may require additional training of the operating personnel.

Note
It is important that no unauthorized persons have the capability to change the configuration of a plant PC. The administrative user accounts may only be used for responsibilities within PCS 7.

Active Directory in PCS 7 plants
With Active Directory, the production plant can be configured almost totally independently of the requirements of the IT department. The production plant is protected against unintentional intervention from the IT department. Data communication across domains can be configured using one-sided or transitive trust settings between the domains. Data communication across domains can also be established at a later time by merging the individual domains into a forest, provided the domains share a common namespace but were created separately.

Configuration of centralized Windows management with "plant.com" as an example
The configuration of such domains using "plant.com" as an example might appear as follows. Each rule is followed by its implementation in the example plant:

1. Rule: The domains must be configured as failsafe.
   Implementation: This means that at least two domain controllers must be set up with intelligent load distribution for their tasks (involving logon tasks and so-called operation master roles).

2. Rule: The domains must always be available with high performance.
   Implementation: For this, at least one of the two domain controllers must be located directly in the network. This ensures that a domain logon and Group Policy update can always be performed, even when the connection to the other networks fails.

3. Rule: The individual objects must be managed grouped in organizational units.
   Implementation: This reduces the risk of misconfiguration of an individual object.

4. Rule: The use of additional subdomains should be avoided.
   Implementation: This saves having to use two (or more) additional domain controllers for each subdomain and reduces the administration work.

5. Rule: The responsibility for the domains and the PCS 7 PCs must be separate.
   Implementation: The "Production" organizational unit containing all user and computer objects relevant for production is created in the "Plant.com" example for this. Responsibility for it is transferred to an administrative account that only manages the domain properties of this organizational unit and not those of the entire domain (for example, the Chief Operator (B), a foreman of "Plant.com").

6. Rule: The management and initial configuration of the domain by the domain administrator must be performed by qualified operating personnel or a designated employee of the "Plant.com" IT department.
   Implementation: As a result, inherent errors can be avoided that may only become apparent at a later time and would then require a complete reconfiguration of the domain.

7. Rule: The accounts of the domain administrators may only be used for actual administrative duties.
   Implementation: This prevents unintentional misconfiguration or a local virus from affecting the entire domain. These accounts normally do not need to be used later for day-to-day activities.

Figure 3-2 shows the potential for simplification of management provided by centralized configuration of security policies, network configuration and user management.

1. The administration of the plant PCs (for example, network configuration, name resolution and IP address assignment) is centralized by the "Production.Plant.com" (A) domain. The responsibility for this infrastructure server (C) is given to the "Domain-Admin".
2. An organizational unit, "OU-Production", is created to manage the plant in the example. This is where all general properties are defined and administration is performed for the global groups "OS-Servers", "OS-Clients" and "Web-Servers" as well as the domain user accounts "Server-Desktop-User-Dom", "Client-Desktop-User-Dom" and "WebServer-Desktop-User-Dom" (E), which are later used as the accounts for the runtime operation of the plant.
3. The administration of the subordinate organizational unit "Production-PC" is performed by a real administrative account, "Chief-Operator", in the "Operator-Group". This operator is responsible for the properties that should only be assigned on the PCS 7 PCs (for example, software to be installed, settings for time synchronization, memberships in the local groups (D), rights, settings for managing software updates, etc.).

Note
The permissions that should be given to global groups and domain user accounts on the PCS 7 PCs are described in detail in chapter 4 "User and Access Management in PCS 7 and Integration in the Windows Management" and are only indicated in Figure 3-2 as orange-colored lines.

Figure 3-2 User management with Active Directory
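The following PowerShell script is an added example and is not part of this manual or of the PCS 7 software. It builds the structure of Figure 3-2 with the ActiveDirectory module: the organizational unit "OU-Production" with its subordinate "Production-PC", the global groups "OS-Servers", "OS-Clients", "Web-Servers" and "Operator-Group", the domain accounts for runtime operation, the administrative account "Chief-Operator", and the delegation that lets "Operator-Group" administer only "Production-PC" and not the domain. It assumes that it is run once by the domain administrator on a PC with the RSAT ActiveDirectory module, that the distinguished name of the "Production.Plant.com" domain is DC=Production,DC=Plant,DC=com, and that initial passwords are entered interactively; the domain DN and the use of dsacls for the delegation are assumptions of this example.

```powershell
# Added example (not from the Siemens manual): creates the OU, group and account structure
# of Figure 3-2 and delegates Production-PC to Operator-Group. Domain DN is an assumption.
Import-Module ActiveDirectory

$domainDn = 'DC=Production,DC=Plant,DC=com'          # assumption: DN of Production.Plant.com
$ouProd   = "OU=OU-Production,$domainDn"
$ouPc     = "OU=Production-PC,$ouProd"

# 1. Organizational units: OU-Production for groups and accounts, Production-PC for the PCS 7 PCs
New-ADOrganizationalUnit -Name 'OU-Production' -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Production-PC' -Path $ouProd   -ProtectedFromAccidentalDeletion $true

# 2. Global groups; on each PCS 7 PC they are later made members of the local SIMATIC groups (AGLP)
foreach ($g in 'OS-Servers', 'OS-Clients', 'Web-Servers', 'Operator-Group') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ouProd
}

# 3. Domain accounts for runtime operation, each placed in the global group of its role
$accounts = @{
    'Server-Desktop-User-Dom'    = 'OS-Servers'
    'Client-Desktop-User-Dom'    = 'OS-Clients'
    'WebServer-Desktop-User-Dom' = 'Web-Servers'
}
foreach ($name in $accounts.Keys) {
    $password = Read-Host -AsSecureString "Initial password for $name"   # entered interactively, never stored in the script
    New-ADUser -Name $name -SamAccountName $name -Path $ouProd `
               -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $accounts[$name] -Members $name
}

# 4. Administrative account of the plant: a normal domain user in Operator-Group, not a Domain Admin
$password = Read-Host -AsSecureString 'Initial password for Chief-Operator'
New-ADUser -Name 'Chief-Operator' -SamAccountName 'Chief-Operator' -Path $ouProd `
           -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Operator-Group' -Members 'Chief-Operator'

# 5. Delegation: Operator-Group gets full control of Production-PC and the objects below it
#    (/I:T = this object and all sub-objects). The scope is limited by the OU path, so the
#    group can manage the PCS 7 PCs but cannot change OU-Production or the domain itself.
$netbiosDomain = (Get-ADDomain).NetBIOSName
dsacls $ouPc /I:T /G "$netbiosDomain\Operator-Group:GA"
```

The computer objects of the PCS 7 PCs are then joined to the domain into "Production-PC", so that everything the Chief-Operator is responsible for (software, time synchronization, local group memberships, update settings) lives under the one OU that the Operator-Group can administer. Granting GA on the OU is the simplest delegation; where the plant's policy requires it, the right can be narrowed to the specific object types and attributes that the Chief-Operator actually has to manage.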

Embedding Plants in Existing Domains (Active Directory)

Shared domain, dedicated organizational unit
If a company already has an Active Directory domain, you can form a dedicated organizational unit for managing the plant. The main advantage here is that the plant operating personnel do not have to manage a domain. An additional company domain controller is installed with support from the company's IT department. The plant personnel receive no administrative permissions to modify the domain, however.

This scenario demands the most communication between the plant personnel and the company's IT department. The latter must delegate part of their responsibility to the plant personnel and transfer the management of the production organizational unit to them. The plant personnel must ensure that they carry out this responsibility with the utmost care. Provided this scenario is planned by experts and implemented with full cooperation between the IT department and plant personnel, it represents the optimum solution in terms of efficiency, flexibility and reliability.

Note
It is important that no unauthorized persons from the IT department are capable of changing the configuration of the plant PCs. It is equally important that the operation of the office network is not endangered by plant personnel.

Example configuration: dedicated organizational unit
Figure 3-3 shows the management of "OU-Production" as a subordinate, independent organizational unit in the Active Directory domain "Plant.com". The organizational unit (A) is managed by the production administrator (B). This person can be provided by the IT department and is trusted with all matters concerning the production department. The plant operator and "Chief-Operator" (C) manage the domain user accounts (D) and the global groups of the PCS 7 PCs.

Figure 3-3 User management using Active Directory with dedicated OU

Shared forest, subordinate domains
If a company already has an Active Directory forest, you can form a subordinate domain for managing the plant. This makes it substantially easier to subsequently administer services and accesses across domains throughout the company. However, this makes it necessary to create and manage a dedicated (sub)domain for the plant as described in the scenario "Managing Plants Using a Windows Domain (Active Directory)". The only difference is the use of a shared domain root.

Figure 3-4 Subdomains

Notice
Only precise delineation of the spheres of responsibility through delegation of responsibilities and rights to the operating personnel can ensure that no undesirable configuration changes are made to the plant PCs by the IT department.

Example configuration: subdomains
Figure 3-5 shows an independent domain/subdomain (A) for managing the production plant. The administration of the domain and responsibility for the domain controllers are transferred in full to the operating personnel.

Figure 3-5 User management with independent domain


4 User and Access Management in PCS 7 and Integration in the Windows Management

Principle: Assigned logon
Assigning a logon for each task on PCS 7 PCs achieves the following:
1. When logging on to Windows, each user is given exactly those rights that are required to fulfill the user's respective function; for example, the user must be a member of the local groups "Power Users" and "SIMATIC HMI" to work on the PCS 7 project.
2. When logging on during runtime, the operator is given exactly those rights required to operate the plant as defined in the UserAdministrator.

This makes apparent the complete separation of computer access permission (Windows users, for example) and plant operating permission (plant operator). This is supported by the SIMATIC permissions model, although it requires the user to perform administration in various configuration dialogs.

4.1 Rights Management in Windows

Microsoft Windows permissions model
The ALP strategy (Add user account to Local group and assign Permission) recommended by Microsoft is used within a workgroup; this means you add local users with the same function to a local group and then assign the group the required permissions.

The AGLP strategy (Add domain user account to Global group, add global group to Local group and assign Permission) is used in a domain; this means you add domain users with the same function to a global group, add this global group to a local group and then assign the local group the required permissions.

Application with the SIMATIC permissions model
You are supported in these tasks in PCS 7 by the SIMATIC permissions model. The following SIMATIC user groups are usually created as local groups during installation:
- SIMATIC HMI
- SIMATIC HMI CS
- SIMATIC HMI VIEWER

The corresponding share permissions and security settings are automatically handled by the PCS 7 software. The user only needs to make the local users and global groups members of these SIMATIC user groups.

Note
In addition, all Windows users who are to work on PCS 7 PCs with SIMATIC components need to be added to the "Power Users" local group.

SIMATIC WinCC
WinCC uses the SIMATIC HMI, SIMATIC HMI CS and SIMATIC HMI VIEWER user groups for project sharing and project file access. The first time a project is opened, project sharing is automatically set up and configured with the required sharing permissions and security settings. Management of project sharing and project file access is automatically handled by the PCS 7 software. A detailed illustration of the required group memberships is shown in Figure 4-1 to Figure
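The following PowerShell script is an added example and is not part of this manual or of the PCS 7 software. It applies the ALP / AGLP rule of this section on one PCS 7 PC: the principals handed in (global groups such as "OS-Servers" in a domain, local user names in a workgroup) are made members of the SIMATIC local groups created by the PCS 7 setup and of "Power Users", and a second function lists every member of the SIMATIC groups that is not in the expected set, so that unexpected accounts with project access are caught. It assumes Windows PowerShell 5.1 on Windows 10 / Windows Server 2016 or later (Microsoft.PowerShell.LocalAccounts module), that PCS 7 has already created the SIMATIC groups, and that it is run as a local administrator; the domain name PLANT, the user name PCS7Engineer and the group-to-role mapping in the usage lines are assumptions.

```powershell
# Added example (not from the Siemens manual): ALP / AGLP membership of the SIMATIC local
# groups on one PCS 7 PC. PLANT, PCS7Engineer and the role mapping are assumptions.

# Get-LocalGroupMember reports every member as "DOMAIN\name" or "COMPUTER\name";
# bring a bare local user name into the same form so that comparisons work
function ConvertTo-PrincipalName([string]$Name) {
    if ($Name -like '*\*') { $Name } else { "$env:COMPUTERNAME\$Name" }
}

# Adds the given principals to Power Users and to the SIMATIC groups of the role
function Set-SimaticGroupMembership {
    param(
        [Parameter(Mandatory)][string[]]$Members,           # global groups (AGLP) or local users (ALP)
        [string[]]$SimaticGroups = @('SIMATIC HMI'),         # groups the role needs, e.g. plus 'SIMATIC HMI CS'
        [switch]$ReportOnly                                  # show what would change without changing it
    )
    # Every user working with SIMATIC components also needs Power Users (see the note above)
    foreach ($group in @('Power Users') + $SimaticGroups) {
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            Write-Warning "Local group '$group' does not exist on $env:COMPUTERNAME (PCS 7 not installed?)"
            continue
        }
        $current = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name })
        foreach ($m in $Members) {
            $principal = ConvertTo-PrincipalName $m
            if ($current -contains $principal) {
                "$principal is already a member of '$group'"
            } elseif ($ReportOnly) {
                "Would add $principal to '$group'"
            } else {
                Add-LocalGroupMember -Group $group -Member $m
                "Added $principal to '$group'"
            }
        }
    }
}

# Lists members of the SIMATIC groups that are not in the expected set (ALP/AGLP check)
function Get-UnexpectedSimaticMembers {
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string[]]$SimaticGroups = @('SIMATIC HMI', 'SIMATIC HMI CS', 'SIMATIC HMI VIEWER')
    )
    $expectedNames = $Expected | ForEach-Object { ConvertTo-PrincipalName $_ }
    foreach ($group in $SimaticGroups) {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $expectedNames -notcontains $_.Name } |
            Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass, PrincipalSource
    }
}

# Domain (AGLP): this PC is an OS server, so the OS-Servers global group gets project access
#   Set-SimaticGroupMembership -Members 'PLANT\OS-Servers' -SimaticGroups 'SIMATIC HMI', 'SIMATIC HMI CS'
# Workgroup (ALP): a local engineering user on this PC
#   Set-SimaticGroupMembership -Members 'PCS7Engineer' -SimaticGroups 'SIMATIC HMI'
# Check: anything with project access that is not one of the planned principals
#   Get-UnexpectedSimaticMembers -Expected 'PLANT\OS-Servers', 'PLANT\OS-Clients'
```

The share permissions and security settings on the project itself are not touched by the script; as described above, PCS 7 sets them on the SIMATIC groups, so membership in those groups is the only thing that has to be administered per PC. Running Get-UnexpectedSimaticMembers from the central plant documentation against every PCS 7 PC gives the same consistency check for group membership that the workgroup section requires for the security policy.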


More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

UNICORN 7.0. Administration and Technical Manual

UNICORN 7.0. Administration and Technical Manual UNICORN 7.0 Administration and Technical Manual Page intentionally left blank Table of Contents Table of Contents 1 Introduction... 1.1 Administrator functions overview... 1.2 Network terms and concepts...

More information

Automation License Manager

Automation License Manager s Contents Product Overview 1 Installation 2 Working with the Automation License Manager 3 Glossary Manual Index 12/2008 A5E02389428-01 Legal information Warning notice system This manual contains notices

More information

IX Support Tool Setting Manual

IX Support Tool Setting Manual IX System IP network-compatible intercom IX Support Tool Setting Manual Software version 2.0.0.0 or later Before configuring and using the system, read Setting Manual and Operation Manual (PDF) carefully.

More information

Networking Guide Redwood Manager 3.0 August 2013

Networking Guide Redwood Manager 3.0 August 2013 Networking Guide Redwood Manager 3.0 August 2013 Table of Contents 1 Introduction... 3 1.1 IP Addresses... 3 1.1.1 Static vs. DHCP... 3 1.2 Required Ports... 4 2 Adding the Redwood Engine to the Network...

More information

Pro-Watch Software Suite Installation Guide. 2013 Honeywell Release 4.1

Pro-Watch Software Suite Installation Guide. 2013 Honeywell Release 4.1 Pro-Watch Software Suite Release 4.1 Installation Guide Document 7-901073V2 Pro-Watch Software Suite Installation Guide 2013 Honeywell Release 4.1 Copyright 2013 Honeywell. All rights reserved. Pro-Watch

More information

Realize your full potential with the new version of SIMATIC PCS 7

Realize your full potential with the new version of SIMATIC PCS 7 Version 8.1 Realize your full potential with the new version of SIMATIC PCS 7 Performance you trust siemens.com/simatic-pcs7 Answers for industry. More than 70 new features, new possibilities: SIMATIC

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Implementing Domain Name Service (DNS)

Implementing Domain Name Service (DNS) Implementing Domain Name Service (DNS) H C A 1 P T E R ITINERARY Objective 1.01 Objective 1.02 Objective 1.03 Install and Configure DNS for Active Directory Integrate Active Directory DNS Zones with Existing

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

WinCC Options. Redundancy. Manual C79000-G8263-C142-01

WinCC Options. Redundancy. Manual C79000-G8263-C142-01 WinCC Options Redundancy Manual Edition November 1998 WinCC, SIMATIC, SINEC, STEP are Siemens registered trademarks. All other product and system names in this manual are (registered) trademarks of their

More information

Microsoft Exchange ActiveSync Administrator s Guide

Microsoft Exchange ActiveSync Administrator s Guide Microsoft Exchange ActiveSync Administrator s Guide Copyright 2005 palmone, Inc. All rights reserved. palmone, HotSync, Treo, VersaMail, and Palm OS are among the trademarks or registered trademarks owned

More information

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required) MCSE 2003 Microsoft Certified Systems Engineer (MCSE) candidates on the Microsoft Windows Server 2003 track are required to satisfy the following requirements: Core Exams (6 Exams Required) Four networking

More information

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2 Introduction 1 Web application basics 2 SIMATIC Information Server V8.0 Update 1 System Manual Office add-ins basics 3 Time specifications 4 Report templates 5 Working with the Web application 6 Working

More information

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12 Course Page - Page 1 of 12 Windows 7 Enterprise Desktop Support Technician M-50331 Length: 5 days Price: $2,795.00 Course Description This five-day instructor-led course provides students with the knowledge

More information

Outpost Network Security

Outpost Network Security Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Service & Support. How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client.

Service & Support. How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client. Cover How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client FAQ August 2012 Service & Support Answers for industry. Question This entry is from the Siemens Industry

More information

Managing Remote Access

Managing Remote Access VMWARE TECHNICAL NOTE VMware ACE Managing Remote Access This technical note explains how to use VMware ACE to manage remote access through VPN to a corporate network. This document contains the following

More information

Kaseya 2. User Guide. Version R8. English

Kaseya 2. User Guide. Version R8. English Kaseya 2 Discovery User Guide Version R8 English September 19, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A Ascent Capture Internet Server 5 Getting Started with Ascent Capture Internet Server 5 10300260-000 Revision A Copyright Copyright 2001 Kofax Image Products. All Rights Reserved. Printed in USA. The information

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

COURSE 20410C: INSTALLING AND CONFIGURING WINDOWS SERVER 2012

COURSE 20410C: INSTALLING AND CONFIGURING WINDOWS SERVER 2012 ABOUT THIS COURSE Get hands-on instruction and practice installing and configuring Windows Server 2012, including Windows Server 2012 R2, in this 5-day Microsoft Official Course. This course is part one

More information

LogMeIn Hamachi. Getting Started Guide

LogMeIn Hamachi. Getting Started Guide LogMeIn Hamachi Getting Started Guide Contents What Is LogMeIn Hamachi?...3 Who Should Use LogMeIn Hamachi?...3 The LogMeIn Hamachi Client...4 About the Relationship Between the Client and Your LogMeIn

More information

Cisco Expressway Basic Configuration

Cisco Expressway Basic Configuration Cisco Expressway Basic Configuration Deployment Guide Cisco Expressway X8.1 D15060.03 August 2014 Contents Introduction 4 Example network deployment 5 Network elements 6 Internal network elements 6 DMZ

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network Introduction p. xix Assessment Test p. xxxviii Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network Components

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Fundamentals of a Windows Server Infrastructure MOC 10967

Fundamentals of a Windows Server Infrastructure MOC 10967 Fundamentals of a Windows Server Infrastructure MOC 10967 Course Outline Module 1: Installing and Configuring Windows Server 2012 This module explains how the Windows Server 2012 editions, installation

More information

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report Xerox Multifunction Devices Customer Tips March 15, 2007 This document applies to these Xerox products: X WC 4150 X WCP 32/40 X WCP 35/45/55 X WCP 65/75/90 X WCP 165/175 X WCP 232/238 X WCP 245/255 X WCP

More information

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry.

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry. Security all around Industrial security for your plant at all levels siemens.com/industrialsecurity Answers for industry. A systematic approach to minimize threats With the increased use of Ethernet connections

More information

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations TECHNICAL WHITE PAPER Symantec pcanywhere Security Recommendations Technical White Paper Symantec pcanywhere Security Recommendations Introduction... 3 pcanywhere Configuration Recommendations... 4 General

More information

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10 Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS

More information

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents s Preface, Contents SIMATIC Process Control System PCS 7 Manual What's New in SIMATIC BATCH? Product introduction and installation 2 Technological basics in accordance with ISA S88.01 3 1 Introduction

More information

QuickStart Guide vcenter Server Heartbeat 5.5 Update 2

QuickStart Guide vcenter Server Heartbeat 5.5 Update 2 vcenter Server Heartbeat 5.5 Update 2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab Página 1 de 54 Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab This guide provides detailed information about how you can use five computers to create a test lab with which to configure

More information

Planning and Implementing Windows Server 2008

Planning and Implementing Windows Server 2008 Planning and Implementing Windows Server 2008 Course Number: 6433A Course Length: 5 Days Course Overview This five day course is intended for IT Professionals who are interested in the knowledge and skills

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Implementing and Administering Security in a Microsoft Windows Server 2003 Network Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course 2823: Five days; Instructor-led Introduction This five-day instructor-led course addresses the MCSA and MCSE skills

More information

Kaseya 2. User Guide. Version 1.1

Kaseya 2. User Guide. Version 1.1 Kaseya 2 Directory Services User Guide Version 1.1 September 10, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.

More information

AV-006: Installing, Administering and Configuring Windows Server 2012

AV-006: Installing, Administering and Configuring Windows Server 2012 AV-006: Installing, Administering and Configuring Windows Server 2012 Career Details Duration 105 hours Prerequisites This course requires that student meet the following prerequisites, including that

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Printing Date: August 15, 2007 This guide provides detailed description on configuration of the local network which

More information

8 NETWORK SERVERS AND SERVICES FUNDAMENTALS

8 NETWORK SERVERS AND SERVICES FUNDAMENTALS 8 NETWORK SERVERS AND SERVICES FUNDAMENTALS PROJECTS Project 8.1 Project 8.2 Project 8.3 Project 8.4 Project 8.5 Understanding Key Concepts Comparing Network Operating Systems Understanding Basic Services

More information

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses 2004 Microsoft Corporation. All rights reserved. This document is for informational purposes only.

More information

Siemens AG 2010. Fieldbus solutions with the SIMATIC PCS 7 distributed control system. Brochure April 2010 SIMATIC PCS 7. Answers for industry.

Siemens AG 2010. Fieldbus solutions with the SIMATIC PCS 7 distributed control system. Brochure April 2010 SIMATIC PCS 7. Answers for industry. Fieldbus solutions with the SIMATIC PCS 7 distributed control system Brochure April 2010 SIMATIC PCS 7 Answers for industry. Fieldbus solutions with SIMATIC PCS 7 OS multi-clients Engineering station Maintenance/

More information

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks SSL VPN Virtual Appliance Installation Guide Virtual Private Networks C ONTENTS Introduction... 2 Installing the Virtual Appliance... 2 Configuring Appliance Operating System Settings... 3 Setting up the

More information

Networking Best Practices Guide. Version 6.5

Networking Best Practices Guide. Version 6.5 Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

Using a VPN with Niagara Systems. v0.3 6, July 2013

Using a VPN with Niagara Systems. v0.3 6, July 2013 v0.3 6, July 2013 What is a VPN? Virtual Private Network or VPN is a mechanism to extend a private network across a public network such as the Internet. A VPN creates a point to point connection or tunnel

More information

Deployment Guide: Transparent Mode

Deployment Guide: Transparent Mode Deployment Guide: Transparent Mode March 15, 2007 Deployment and Task Overview Description Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This

More information

Easy Setup Guide for the Sony Network Camera

Easy Setup Guide for the Sony Network Camera -878-191-11 (1) Easy Setup Guide for the Sony Network Camera For setup, a computer running the Microsoft Windows Operating System is required. For monitoring camera images, Microsoft Internet Explorer

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Protecting productivity with Plant Security Services

Protecting productivity with Plant Security Services Protecting productivity with Plant Security Services Identify vulnerabilities and threats at an early stage. Take proactive measures. Achieve optimal long-term plant protection. siemens.com/plant-security-services

More information

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7 Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3

More information