SIMATIC. Process Control System PCS 7 PCS 7 Security Concept. Preface Contents Planning the Security Cells and Access Points 1. Managing the Network 2


SIMATIC Process Control System PCS 7
PCS 7 Security Concept
Recommendations and Notes

Contents
Preface
1 Planning the Security Cells and Access Points
2 Managing the Network
3 Managing Computers and Users
4 User and Access Management in PCS 7 and Integration in the Windows Management
5 Planning Time Synchronization
6 Implementing Patch Management
7 Secure Network Access to the Security Cells
8 Final Considerations
9 References
10 Meaning of the Symbols
Glossary

Edition 12/2005
A5E

Safety Information
This manual contains information that must be observed to ensure your personal safety and to prevent property damage. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring to property damage only have no safety alert symbol. The warnings appear in decreasing order of risk as given below.

Danger
Indicates that death or severe personal injury will result if proper precautions are not taken.

Warning
Indicates that death or severe personal injury may result if proper precautions are not taken.

Caution
With a warning triangle this indicates that minor personal injury may result if proper precautions are not taken.

Caution
Without a warning triangle this indicates that property damage may occur if proper precautions are not taken.

Notice
Indicates that an unwanted result or situation can result if the relevant information is not taken into account.

If several hazards of different degrees are present, the warning notice representing the highest degree of danger will be used. If a warning note with a warning triangle warns of personal injury, the same warning note can also contain a warning about property damage.

Qualified Personnel
Startup and operation of the device/equipment/system in question must only be performed using this documentation. The device/system must only be commissioned and operated by qualified personnel. Qualified personnel as referred to in the safety instructions in this documentation are persons authorized to start up, ground, and label devices, systems, and circuits in accordance with the relevant safety standards.

Correct Usage
Note the following:

Warning
The equipment may only be used for the applications described in the catalog or in the technical description; it may only be used in conjunction with third-party devices and components recommended or approved by Siemens. This product can only function correctly and safely if it is transported, stored, set up, and installed correctly, and operated and maintained as recommended.

Registered Trademarks
All designations with the trademark symbol are registered trademarks of Siemens AG. Other designations in this documentation may be trademarks whose use by third parties for their own purposes can violate the rights of the owner.

Liability Disclaimer
We have conscientiously checked the contents of this manual to ensure that they coincide with the hardware and software described. Since deviations cannot be precluded entirely, we cannot guarantee full agreement. The information given in this publication is reviewed at regular intervals and any corrections that might be necessary are made in the subsequent editions.

Siemens AG, Automation and Drives, Postfach, NÜRNBERG, DEUTSCHLAND
A5E /2005
Copyright Siemens AG 2005
Subject to change without notice

Preface

Purpose of this Documentation
The documentation PCS 7 Security Concept contains recommendations and information for planning and building secure, integrated PCS 7 automation solutions with connected Web clients, SIMATIC IT applications and office networks based on customer specifications. This documentation serves as both a reference and a guide for network administrators working in the following areas:
- Configuration of PCS 7
- Commissioning and servicing PCS 7
- Management of company networks
It is intended to facilitate cooperation between network administrators managing company networks and automation networks.

Required Knowledge
This documentation is intended for persons involved in configuration, commissioning and servicing of automation systems using SIMATIC PCS 7. It assumes basic knowledge of the common IT technology used in offices.

Notice
This documentation cannot replace training of personnel in the fields of network engineering, management of Microsoft Windows desktop and server stations and operation of these stations in Windows domains; in part it assumes these skills as prerequisites.

Validity of the Documentation
The PCS 7 Security Concept documentation applies to process control plants built on the basis of PCS 7 V6.1 SP1.

IT Security in Your Plant
The aim of this security concept is the validation of an integrated process control plant as a "closed system" according to FDA 21 CFR 11 section A 11.3 number (4):
Quote: Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. End of quote.
To this end, the plant is divided into separate security cells. Each cell can represent such a "closed system" and the network of security cells can also be validated as a "closed system." Several security measures are necessary to realize this. Optimal protection of the plant can only be achieved by implementing all of these security measures in their entirety.

Security Cells
Security cells in this document are zones, sections, subsections or plant units that can only be accessed by authorized personnel. These accesses include:
- Operator permissions for individual production sections
- Physical access to the production areas and process control facilities
- Access permissions for the file system of a process control system station or entire computer and control networks and their power supplies
The following security concept documents should be used as references in this context:
- BSI IT Baseline Security Manual, Chapter 4 "Infrastructures"
- FDA 21 CFR 11, "Electronic Records; Electronic Signatures"
- NAMUR Worksheet NA 67 "Information Security for Process Control Systems (PLS)"
- NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"
- ISA TR "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004

System Types
The PCS 7 Security Concept is illustrated in this document based on the following types of systems.

Single-station system as a process control system without Web clients
Figure 1 Schematic diagram of a single-station system

Multiple-station system as a process control system with Web clients
Figure 2 Schematic diagram of a multiple-station system

Large system as a process control system with MES and ERP layers
Figure 3 Schematic diagram of a large system

Note
This SIMATIC PCS 7 Security Concept has been system tested and should be implemented in your plant. You should be aware that not all security concepts from the IT world can be implemented 1-to-1 in process automation. IT focuses mainly on global accessibility and maximum security. The most important factor for process automation is the functionality of the plant.

Notice
Deviations from the recommended PCS 7 security concept can result in security vulnerabilities. Always keep your plant up-to-date so that security vulnerabilities do not occur.

This documentation contains the PCS 7 Security Concept V6.1 SP1. In addition, your Automation & Drives representative can inform you about the latest version of this manual.

Guide
The topics are listed in the order in which an administrator should perform the configuration of the required components. Background information and context is provided for each task to help the administrator understand the security concept and the purpose of the respective tasks. This documentation consists of the following topics:

Section: Planning the Security Cells and Access Points
Contents:
- Principle: Division into security cells
- Security Cells and Room Security
- Specifying the Network Access Points

Section: Managing the Network
Contents:
- Assigning IP Addresses and Division into Subnets
- Name Resolution

Section: Managing Computers and Users
Contents:
- Principle: Division of responsibility
- Operating Plants in Windows Workgroups
- Managing Plants Using a Windows Domain (Active Directory)
- Shared domains - dedicated organizational unit
- Shared forest subordinate domains

Section: User and Access Management in PCS 7 and Integration in the Windows Management
Contents:
- Principle: Assigned logon
- Relationship between Windows user rights and the project-specific management of user rights and operator rights
- Integration into Windows management

Section: Planning Time Synchronization
Contents:
- Principle: Exact time of day
- Time Synchronization in a Windows Workgroup without a Central Plant Clock
- Time Synchronization in a Windows Workgroup with a Central Plant Clock
- Time Synchronization in a Windows Active Directory Domain without a Central Plant Clock (with NTP Time Server)
- Time Synchronization in a Windows Active Directory Domain with a Central Plant Clock

Section: Implementing Patch Management
Contents:
- Principle: Management of software updates and security patches
- Implementing Patch Management
- Installing and Configuring the Software Update Service (SUS)
- Configuring AU Clients (AU = Automatic update)

Section: Secure Network Access to the Security Cells
Contents:
- Principle: Closed system in accordance with FDA
- Using Firewalls for the Access Points
- Using Virus Scanners for the Access Points
- Principle: Integration of Remote PCS 7 PCs in the Closed System according to FDA
- Using and Configuring Authentication and Encryption with IP Security
- Using and Configuring Authentication and Encryption with Secure Sockets Layer
- Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
- Additional Measures
- Log/Audit

Further Support
Please contact your local Siemens representative if you have any questions about the products described in this manual.
Find your Siemens representative at:
A guide to the documentation of the various SIMATIC products and systems is available at:
The online catalog and the online ordering system are available at:

Training Center
We offer various courses for newcomers to the PCS 7 process control system. Please contact your regional training center, or the central training center in D Nuremberg.
Tel.: +49 (911)
Internet:

Technical Support
You can access Technical Support for all A&D products:
- With the Support Request form on the Web:
- Via Telephone:
- Via Fax:
Further information about our technical support is available on the Internet at

Service & Support on the Internet
In addition to our documentation, we offer a comprehensive knowledge base online on the Internet at:
There you will find:
- Newsletters providing the latest information on your products.
- Relevant documentation, via our Service & Support search engine.
- A forum where users and experts from all over the world exchange ideas.
- Your local Automation & Drives representative.
- Information about local service, repairs, and spare parts and much more is available under "Services."


Contents

1 Planning the Security Cells and Access Points
  1.1 Security Cells and Room Security
  1.2 Specifying the Network Access Points
2 Managing the Network
  2.1 Assigning IP Addresses and Division into Subnets
  2.2 Name Resolution
3 Managing Computers and Users
  3.1 Operating Plants in Windows Workgroups
  Managing Plants Using a Windows Domain (Active Directory)
    General Information on Domains
    Embedding Plants in Existing Domains (Active Directory)
4 User and Access Management in PCS 7 and Integration in the Windows Management
  Rights Management in Windows
  User Management in PCS 7
5 Planning Time Synchronization
  Time Synchronization in a Windows Workgroup without a Central Plant Clock
  Time Synchronization in a Windows Workgroup with a Central Plant Clock
  Time Synchronization in a Windows Active Directory Domain without a Central Plant Clock (with NTP Time Server)
  Time Synchronization in a Windows Active Directory Domain with a Central Plant Clock
6 Implementing Patch Management
  Implementing Patch Management
    Detecting Security Vulnerabilities with MBSA
    Assessing Security Vulnerabilities
    Obtaining Software Updates and Security Patches
    Testing Security Patches
    Deploying Security Patches
    Maintaining the Patch Environment
  Installing and Configuring the Software Update Service (SUS)
    Basics of SUS
    Installing SUS
    Configuring the SUS Server
  Configuring AU Clients
7 Secure Network Access to the Security Cells
  Mapping the Data Traffic
  Using Firewalls for the Access Points
    General Information on Firewalls
    Using the Microsoft ISA Server as a Firewall
    Using Local Firewalls on PCS 7 PCs
  Using Virus Scanners for the Access Points
    Using Local Virus Scanners on PCS 7 PCs (Distributed Access Points)
    Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant
  Integration of Remote PCS 7 PCs in the Closed System according to the FDA
    Using and Configuring Authentication and Encryption with IP Security
    Using and Configuring Authentication and Encryption with Secure Sockets Layer
    Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
  Requesting and Installing Certificates
    Installing a Stand-alone Root Certification Authority
    Downloading a Certification Authority Certificate
    Requesting a Local Computer Certificate for IPSec
    Configuring SSL on a Web Server
      Creating a Certificate Request
      Submitting a Certificate Request
      Issuing a Certificate
      Installing the Certificate on the Web Server
      Configuring the Resources for Requesting SSL Access
8 Final Considerations
  Residual Risks
  Additional Measures
9 References
10 Meaning of the Symbols
Glossary

1 Planning the Security Cells and Access Points

1.1 Security Cells and Room Security

Principle: Division into security cells
The first and most important step in building a modern and secure process automation plant is careful planning of the security cells in this plant. To this end, the plant is divided into separate segments.

Segments and security cells
Segments represent specific zones, sections, subsections or units. They become security cells when they fulfill the conditions described in the section "IT Security in Your Plant". Several segments can form a security cell.
This is where the first basic differences with the usual IT environment become apparent: whereas conventional IT environments focus on global networking and access, the emphasis in industrial environments is on ensuring that only authorized persons can access the system over a network. The room security of this plant is even more important. Even the best firewall or encryption is useless if a saboteur can simply remove the server's hard disk and walk away with it, for example. This is why individual plants and plant units need to be segmented and provided with room security.

Rules for forming segments and security cells
- Each segment must form a self-sufficient "functioning plant" that can be operated for a certain amount of time without connection to other plants or units; in other words, a segment must be capable of operating autonomously for a period of time and remain so.
- All components immediately belonging to such a segment and involved in its function must be connected directly to one another (i.e., not through leased lines).
- Units that cause high network and computer load when connected from the outside via a complex security mechanism should always be integrated directly in the segment.
- Any access to a security cell should take place only after the user's identity has been verified and logged and only under supervision of authorized persons, for example, physical access by operators, file access, etc.
- Only trusted persons with appropriate training should be given access to a security cell.

What does this ensure?
This ensures that only persons intending no deliberate threat to a plant are given direct physical access to a security cell within the plant.

Ramifications for security measures
Within a plant security cell, only standard access authorizations are required to protect against maloperation by plant personnel. This also means that within a security cell no measures need to be taken for encryption of data traffic or the use of firewalls at each single device; the network can be operated without encryption, which also simplifies support.
If these recommendations for dividing the plant into segments and security cells are not heeded, all other protection measures described here will have no effect.

Application to plant types

Single-station system
In a single-station system, the single station represents a security cell and can also form a closed system. This requires it to be located in a room with appropriate room protection. In the case of multiple single-station systems, each single station represents a security cell and several stations can form a closed system.

Multiple-station system
A multiple-station system represents a security cell and can form a closed system at the same time. The recommended separation of the terminal bus and the system bus must also be taken into account on the process control level (DCS).
- The terminal bus connects the PCS 7 PCs to the DCS level.
- The system bus connects the OS server to the programmable logic controllers (PLC). The communication between the PLCs is performed on the system bus.
- The separation is implemented to avoid loading the system bus with the communication for the visualization on the OS clients. The availability of the system bus is thereby increased.
- Figure 1-1 shows the division of the DCS into terminal bus and system bus segments using the production shop security cell as an example. The PC stations of the DCS are assigned to the terminal bus. The AS stations of the DCS are assigned to the system bus.

Figure 1-1 Production shop security cell

Large system
In the example configurations shown in Figure 1-2 and Figure 1-3, referred to as the company "plant.com" in the following, there are three main buildings with various functions and different devices. Each building corresponds to a security cell in this example because:
- There are persons with similar responsibilities and permissions in each of the segments.
- Each security cell can fulfill its task isolated from the others for a certain period of time.

Figure 1-2 Building security cells layers

The only exception in this example is the building for the access control of the entire company site. This building contains a single device that displays special alarms but does not allow any operator inputs.

Figure 1-3 Building security cells devices

FDA requirements for room protection
The important factor for room protection in the context of FDA certification, especially Part 21 CFR 11, is the definition of a "closed system" and its security requirements. The most important requirements are:
- Restriction of access to authorized persons
- Restriction of access to permitted devices
- Protection of documents and data against change and deletion

Methods for increasing network performance
Methods for increasing network performance are mainly implemented only within a segment. Switched and possibly redundant networks should only be built within a segment, for example.

Note
In practice, different requirements have emerged for the two networks due to their different characteristics, for example, the fault tolerance (redundancy) and the substantially faster response times of the system bus, especially between individual PLCs. To prevent the terminal bus and system bus from interfering with each other, we strongly recommend that they be built and operated as physically separate networks.

1.2 Specifying the Network Access Points

Central access points
Many network applications are susceptible to attacks such as denial of service or buffer overruns. You can protect against these attacks by regularly applying the most up-to-date security updates for these applications and the operating system. Contradicting this is the need to operate the plant as long as possible without downtime, since security updates often require restarting the system. This can be reconciled by providing the security cells of a plant with reliable central access points that can protect all network components (even those not yet updated) for a specific period of time. The security updates must still be installed after testing (even with this central protection). You thus ensure the security of the individual components even when the central access point fails.

Network access point - what does this ensure?
Network access points are intended to:
- Prevent unauthorized data traffic to sensitive process control systems
- Enable authorized data traffic and therefore problem-free, normal operation of the process control system

Defined access points using routers
The individual segments and subnets must be interconnected through defined access points. Routers are most suitable for this, because data communication can be more precisely regulated using the routing and filter rules directly on these devices, thus providing a simple protection mechanism without impeding the network traffic.
Suitable routers are selected based on the:
- Required network bandwidth
- Required availability
The dimensioning of the router must correspond to the actual requirement of the network traffic and any planned expansions of the plant. The router represents a bottleneck for network traffic due to its status as a stand-alone device. Therefore, modern "GigaBit" technology may need to be used for the router. The router may need to be configured redundantly.

Note
We recommend the temporary use of routers as an isolation and connection component for the individual security cells, especially during the commissioning phase of a plant. This allows you to functionally test all the devices and their communication much more easily. You must later replace these routers either with firewalls or by installing and configuring firewall software on computers used as routers (see chapter 7.2 "Using Firewalls for the Access Points").

Application to plant types

Single-station system
Assuming that a single-station system represents a security cell and is therefore in a protected room, the network adapters represent the access points. If this is not the case, all interfaces of a single-station system such as the drives, keyboard, mouse, USB connections etc., form the access points.

Multiple-station system
The DCS router forms the access point to a multiple-station system (see Figure 1-4 Network access points Router).

Large system
The access points are illustrated in Figure 1-4 Network access points Router:
- Access point to DCS via DCS router
- Access points to MES via DCS router and MES router
All devices of the ERP layer are located in a physical subnet on the top layer. This is connected with the next MES layer via the MES router. The MES layer in turn is connected to the process control layer via the DCS router.
In this example, the OS servers swap out production data from the process control layer (DCS) to the SIMATIC IT Historian Server or Central Archive Server (CAS) at regular intervals. Although the process control layer can work for a certain amount of time without a connection to the MES layer, it must be regularly connected to the archive servers on the MES layer, because its archive capacity is limited. The production data are collected, archived, and evaluated on the MES layer and made available to the ERP layer via a Web solution (OSWebServer01). An important aspect is that these production data cannot be destroyed and can no longer be changed.

Figure 1-4 Network access points Router

Note
The operation of a SIMATIC IT Historian or Central Archive Server is not absolutely necessary on the MES layer. If given conditions do not allow such a layer to be formed, you must do without these additional security zones. This is not recommended, however.
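The access-point rule of section 1.2 can be checked against a wiring plan before commissioning. The following is an added example (not code from the Siemens manual) that models the ERP, MES and DCS layers of the large system as security cells with the MES router and DCS router as the only defined access points, lists the access points that traffic between two devices crosses, and reports any link that joins two cells while bypassing a router. Device names other than OSWebServer01 and the two routers are assumptions.

```python
"""Added example: verify that traffic between security cells can only pass
through the defined access points (MES router, DCS router). Not code from
the PCS 7 manual; the plant model below is constructed."""
from collections import deque

# Constructed model of the large-system example: device -> security cell.
CELLS = {
    "ERPClient01": "ERP",            # assumed name
    "MESRouter": "access point",     # ERP <-> MES access point
    "OSWebServer01": "MES",          # named in the manual
    "HistorianServer": "MES",        # assumed name (SIMATIC IT Historian)
    "DCSRouter": "access point",     # MES <-> DCS access point
    "OSServer01": "DCS",             # terminal bus
    "OSClient01": "DCS",             # assumed name
}
ACCESS_POINTS = {"MESRouter", "DCSRouter"}

# Constructed physical links (undirected), following Figure 1-4:
# ERP -> MES router -> MES -> DCS router -> DCS.
LINKS = [
    ("ERPClient01", "MESRouter"),
    ("MESRouter", "OSWebServer01"),
    ("MESRouter", "HistorianServer"),
    ("HistorianServer", "DCSRouter"),
    ("DCSRouter", "OSServer01"),
    ("OSServer01", "OSClient01"),
]


def adjacency(links):
    """Undirected adjacency map built from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path(links, src, dst):
    """Breadth-first search; returns the device list from src to dst,
    or None when the two devices are not connected at all."""
    adj = adjacency(links)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    node = dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def access_points_crossed(links, access_points, src, dst):
    """Access points on the shortest path between two devices, in order.
    Traffic from the DCS to the ERP layer should cross both routers."""
    path = shortest_path(links, src, dst)
    if path is None:
        return None
    return [d for d in path if d in access_points]


def bypass_links(cells, access_points, links):
    """Links that join two different cells with no access point on either
    end. Such a link defeats the central access point of both cells."""
    return [
        (a, b) for a, b in links
        if a not in access_points and b not in access_points
        and cells[a] != cells[b]
    ]


if __name__ == "__main__":
    print("DCS -> ERP crosses:",
          access_points_crossed(LINKS, ACCESS_POINTS, "OSClient01", "ERPClient01"))
    # A direct cable from the OS server to the historian would skip the
    # DCS router; the checker reports it as a bypass.
    patched = LINKS + [("OSServer01", "HistorianServer")]
    print("bypass links:", bypass_links(CELLS, ACCESS_POINTS, patched))
    print("DCS -> ERP with bypass crosses:",
          access_points_crossed(patched, ACCESS_POINTS, "OSClient01", "ERPClient01"))
```
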


2 Managing the Network

2.1 Assigning IP Addresses and Division into Subnets

Selecting IP addresses and division in subnets
As stated in chapter 1.1 "Security Cells and Room Security", the selected division into segments should also be reflected in the IP address range of the networks by forming individual subnets.

Rules for IP addresses
Selecting the IP address range is the first step in increasing the network security:
- Preferably, you should select IP addresses from the internationally reserved private address listings.
- Addresses in the x.x range are recommended to provide a simple and clear structure for small and medium-sized plants.

What does this ensure?
Since the IP addresses from private listings cannot be forwarded on the Internet, this provides a first line of defense against direct attacks on your plant PCs from the Internet.

Recommended IP addresses
In the x.x range, for example, there are 256 class C networks (subnet x to subnet x), each with 254 subscribers (IP address x.1 to IP address x.254).

Figure 2-1 Levels with IP subnets

The office environment addresses are often already used by the company IT department. The IT department must be included in the early planning of the plant network if a connection to the office network is planned or planned for a later time.

Use of DHCP (Dynamic Host Configuration Protocol)
DHCP offers the possibility of a secure, reliable and simple TCP/IP network configuration. DHCP prevents address conflicts and helps to standardize the use of IP addresses by providing centrally managed address assignments.

Note
Never install services for network management such as DNS, WINS, DHCP, domain controllers, etc., on a PCS 7 PC.

The following should be noted when using DHCP in a PCS 7 system:
A DHCP server must be in each segment. It can be located on a computer together with the DNS and WINS servers. We recommend the following settings for the DHCP server on the terminal bus in our example:

Setting: Reservations
Explanation: Make reservations for all plant PCs on the terminal bus. This will ensure that the plant PCs always receive the same IP address even when they have been switched off for a long period.
Tip: Select a random dummy name such as dummy01 as a reservation name. Based on the entered FQDN name under the reservations, you can later easily recognize if the computer with the corresponding MAC address is properly logged on.

Setting: Address pool
Explanation: Once you have made reservations for all plant PCs, you only need to select a very small address pool, for example, ... to ...

Setting: Range or server options
Explanation:
- Router: ...
- 006 DNS Servers: *
- 015 DNS Domain Name: production.plant.com
- 044 WINS/NBNS Servers: *
- 046 WINS/NBT Node Type: 0x8
* only applies when a DNS or WINS server is also installed on the domain controller, for example. Otherwise the IP addresses must be adapted.
Other options may be useful based on the local requirements, for example:
- 042 NTP Servers
- 033 Static Route Options

Note that DHCP servers cannot be configured redundantly. This does not mean, however, that the PCS 7 PC will no longer function following the failure of a DHCP server. Problems only arise once the lease time expires or the PCs are rebooted.
- Select a lease time long enough to meet your requirements.
- If DHCP server redundancy is required, you have the option of clustering them like all other Windows servers.
- Another possibility is the configuration of an alternative IP address in the case of Windows XP or Windows Server. To avoid duplicate addressing in the event a DHCP server fails, these alternative IP addresses must be maintained parallel to the DHCP entry.

Allocation and reservation of IP addresses

Note
Ensure that you reserve the following:
- IP address x.x.x.0 as network address
- IP address x.x.x.1 as router
- IP address x.x.x.255 as broadcast address

The allocation might appear as follows:
Figure 2-2 Levels with IP address allocation

The plant configuration and the IP address assignments for our example plant might appear as follows:
Figure 2-3 General overview with IP address
Figure 2-3 contains devices and configurations that will be explained in detail in later sections. Although a simpler diagram might be preferable here, this figure better illustrates the subnet division and IP address assignments.

Application to plant types

Single-station system
The IP address configuration can be statically set on every PC; this does not mean, however, that the single-station system cannot be located in a network with DHCP servers. Make sure that you do not duplicate addresses.

Multiple-station system, Large system
We recommend you use an additional PC as the DHCP server. The DNS and WINS servers can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.
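The rules of section 2.1 (private address ranges, one subnet per segment, the .0/.1/.255 reservations and no duplicate addresses) lend themselves to an automatic check of the address plan that the DHCP reservations are later built from. The following is an added example, not code from the Siemens manual; the subnets and host addresses are constructed sample values and not those of the manual's example plant.

```python
"""Added example: check a plant IP address plan against the rules of
section 2.1. Not code from the PCS 7 manual; all addresses below are
constructed sample values."""
import ipaddress

# RFC 1918 private ranges ("internationally reserved private address listings").
PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed plan: segment -> (subnet, {host name: address}).
# Each security cell gets its own class C subnet.
PLAN = {
    "DCS terminal bus": ("192.168.1.0/24", {
        "OSServer01": "192.168.1.10",
        "OSClient01": "192.168.1.11",
    }),
    "MES": ("192.168.2.0/24", {
        "OSWebServer01": "192.168.2.10",
        "HistorianServer": "192.168.2.11",
    }),
}


def reserved_addresses(net):
    """x.x.x.0 network address, x.x.x.1 router, x.x.x.255 broadcast."""
    return {net.network_address, net.network_address + 1, net.broadcast_address}


def is_private(net):
    """True when the whole subnet lies inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def check_plan(plan):
    """Return a list of findings; an empty list means the plan follows the rules."""
    findings = []
    seen_subnets = []      # (network, segment) already allocated
    seen_hosts = {}        # address -> host name
    for segment, (cidr, hosts) in plan.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not is_private(net):
            findings.append(f"{segment}: {cidr} is not a private range")
        for other, owner in seen_subnets:
            if net.overlaps(other):
                findings.append(f"{segment}: {cidr} overlaps {other} of {owner}")
        seen_subnets.append((net, segment))
        for name, text in hosts.items():
            addr = ipaddress.ip_address(text)
            if addr not in net:
                findings.append(f"{name}: {addr} lies outside {cidr} ({segment})")
            elif addr in reserved_addresses(net):
                findings.append(f"{name}: {addr} is reserved (network, router or broadcast)")
            if addr in seen_hosts:
                findings.append(f"{name}: {addr} duplicates {seen_hosts[addr]}")
            seen_hosts[addr] = name
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```
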

2.2 Name Resolution

Symbolic names
All network subscribers must be assigned symbolic names in order to keep the network structure and administration flexible and make it possible to react to changes. These names then correspond to the IP addresses of the network subscribers. Task-oriented symbolic names such as OSServer01, PressSrv01 etc., have proven to be popular. Most applications use these names to find desired contacts in the network.

Rules for name resolution
- At least one DNS server and one WINS server must be available in each segment when DNS and WINS servers are used. Of course, they can both be physically located on one PC.
- The symbolic names for plant PCs can contain up to 15 characters and must consist of letters and numbers only.
- The name resolution must be quick, reliable and always available to each and every network subscriber.

Note
As soon as a Windows 2000 or Windows 2003 domain is used to manage the Windows computers (see chapter "Managing Plants Using a Windows Domain (Active Directory)"), a writable DNS server is an absolute necessity for resolving names in this domain.

The name resolution for each individual segment must also function without connection to the other segments. Fast and reliable name resolution is a requirement for high-level performance in each individual segment.

Name resolution with DNS servers
You can assign the name by selecting Start > Settings > Control Panel > System, and clicking Change on the Computer Name tab.

Figure 2-4 Name resolution DNS suffix

DNS suffix: Specification of the DNS suffix is important for the PC to be correctly entered on the DNS server. This also applies to the DNS server itself.

DNS server address: The DNS server address on the plant PC is set by selecting Start > Settings > Control Panel > Network Connections > LAN Connection, and clicking Properties on the General tab. In the "Internet Protocol (TCP/IP) Properties" dialog, select either of the following:
- "Obtain DNS server address automatically"
- "Use the following DNS server addresses:"

Name resolution with WINS servers

You can assign the name by selecting Start > Settings > Control Panel > System, and clicking Change on the Computer Name tab. The "NETBIOS computer name" is formed from the "Computer name" specified here and can be displayed by clicking More. Both names should be the same to avoid name resolution errors.

WINS server address: The WINS server address on the plant PC is set by selecting Start > Settings > Control Panel > Network Connections > LAN Connection, and clicking Properties on the General tab. In the "Internet Protocol (TCP/IP) Properties" dialog, click Advanced and select the WINS tab.

Application to plant types

Single-station system: Name resolution is not a necessity for PCS 7 networking, but the single-station system must be able to identify itself. This does not mean, however, that the single-station system cannot be located in a network with DNS and WINS servers.

Multiple-station system, Large system: We also recommend using at least one additional PC as a DNS and WINS server in a workgroup. The DHCP server can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.


3 Managing Computers and Users

Principle: Division of responsibility

Windows users are assigned certain rights required to perform specific tasks for managing computers and users.

Objective: Carefully dividing the spheres of responsibility between the IT department and the plant operation personnel ensures, on the one hand, that an IT department administrator is prevented from unintentionally rebooting a PCS 7 PC and, on the other hand, that an administrator of the plant operation personnel is prevented from unintentionally making changes to the domain settings.

3.1 Operating Plants in Windows Workgroups

Distributed management of computers and users

Operating the plant without centralized Windows management is generally useful and efficient when:
- The plant has no more than approximately 10 computers.
- The plant does not undergo changes on a routine basis (for example, adding new users, changing computers, introducing new security policies, changing passwords, etc.).
- The operation of a Windows domain infrastructure cannot be guaranteed by appropriately trained personnel.
- The uniformity of network settings, computer configurations, security policies, users and passwords can be guaranteed by meticulous, centralized plant documentation.

Notes about distributed management

Special attention should be given to the following:
- The passwords of a user must always be changed on all affected computers.
- User accounts that are no longer needed must be removed everywhere.
- All computers in the plant must be configured with the same security policy (for example, use of the LanManager V2 protocol, signing of SMB communication, password complexity and password age).
- A central record of assigned computer names and IP addresses must be created and kept up-to-date.
- When local LMHOSTS and HOSTS files are used to support name resolution, all files must always be updated at the same time.

Field experience has shown that the operation of an entire plant can be seriously jeopardized by incorrect configuration of a single computer. Moreover, locating the error in such cases is often tedious and complicated.
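The naming rules from section 2.2 (at most 15 letters and digits, no duplicate addresses) and the notes above (a central record of names and addresses, local HOSTS files kept in step with it) can be checked mechanically before a mismatch takes a plant down. The following script is an added example, not part of the Siemens manual; the central record and the HOSTS file contents in it are constructed sample data with deliberate defects.

```python
"""Consistency checks for a workgroup plant's central name/address record.

Added example (not from the Siemens manual). Encodes the rules stated in the
text: symbolic names of at most 15 letters and digits, no duplicate IP
addresses, and, where local HOSTS files are used, every PC's HOSTS file must
agree with the central record.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")

# Constructed central record of the plant (symbolic name -> IPv4 address).
CENTRAL_RECORD = {
    "OSServer01": "192.168.10.11",
    "OSServer02": "192.168.10.12",
    "OSClient01": "192.168.10.21",
    "OS-Client-02": "192.168.10.21",          # constructed defects: hyphen, duplicate IP
    "EngineeringStation01": "192.168.10.31",  # constructed defect: 20 characters
}

# Constructed contents of the local HOSTS file on each PC that uses one.
HOSTS_FILES = {
    "OSServer01": "192.168.10.11 OSServer01\n192.168.10.12 OSServer02\n192.168.10.21 OSClient01\n",
    "OSServer02": "192.168.10.11 OSServer01\n192.168.10.12 OSServer02\n192.168.10.21 OSClient01\n",
    "OSClient01": "# stale copy, not updated with the others\n192.168.10.11 OSServer01\n192.168.10.13 OSServer02\n",
}


def parse_hosts(text):
    """Parse HOSTS-file text into {name: ip}, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def check_record(record):
    """Return findings about the central record itself (names, addresses, duplicates)."""
    findings = []
    seen = {}
    for name, ip in record.items():
        if not NAME_RE.match(name):
            findings.append(f"{name}: name must be 1-15 letters/digits")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append(f"{name}: invalid IPv4 address {ip}")
        if ip in seen:
            findings.append(f"{name}: duplicate address {ip} (also {seen[ip]})")
        else:
            seen[ip] = name
    return findings


def check_hosts_files(record, hosts_files):
    """Return findings where a PC's local HOSTS file disagrees with the record."""
    findings = []
    for pc, text in hosts_files.items():
        for name, ip in parse_hosts(text).items():
            expected = record.get(name)
            if expected is None:
                findings.append(f"{pc}: HOSTS names unknown host {name}")
            elif expected != ip:
                findings.append(f"{pc}: HOSTS maps {name} to {ip}, record says {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_record(CENTRAL_RECORD) + check_hosts_files(CENTRAL_RECORD, HOSTS_FILES):
        print(finding)
```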

Example configuration: distributed management

Figure 3-1 illustrates the configuration of each individual computer in a plant operating in the Production (A) workgroup:

Figure 3-1 User management in a workgroup

All computers in the Production (A) workgroup must be set up with the same security policy (B), the correct network adapter configuration (C), and a consistent group and user configuration (D), and must always be updated at the same time. It is easy to see that the amount of administration work will increase as the number of users and computers increases.

Application to plant types

Single-station system: The use of a workgroup is suitable when one or more single-station systems are involved, because the amount of administration work required for a domain is not justified. Nevertheless, it can be useful to operate an additional PC with DNS, WINS and DHCP functionality.

Multiple-station system: For a multiple-station system, the use of a workgroup is only practical when the criteria mentioned above can be fulfilled. Otherwise, we recommend the use of a domain as described in chapter "Managing Plants Using a Windows Domain (Active Directory)". In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.

Large system: Although the use of a workgroup is possible, it is not recommended in this case, because the criteria described in the following chapter "Managing Plants Using a Windows Domain (Active Directory)" apply. In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.

3.2 Managing Plants Using a Windows Domain (Active Directory)

General Information on Domains

Centralized management of computers and users

Configuration of centralized Windows management is generally useful and efficient when:
- The plant contains 10 or more computers.
- The plant undergoes changes on a routine basis (for example, adding new users, changing computers, introducing new security policies, changing passwords, etc.).
- System events and system properties must be stored in a central location.
- Centralized configuration of the individual computers is required.

Additional criteria for centralized management

Centralized management (Active Directory) should be configured for the computers and users in a plant if:
- The company has its own security policy that requires an Active Directory domain.
- Legal standards and guidelines or regulations must be fulfilled (for example, when the use of Kerberos as an authentication procedure or centralized logging of logon events, etc. is required).
- Centralized fault-tolerant user management and logon is required.
- Centralized fault-tolerant IP address assignment (DHCP) and centralized management of name resolution and registration for computers (DNS/WINS) is required.
- There is a requirement for a certificate server based on Active Directory for such services as secure Web services with encrypted communication via Secure Socket Layer (SSL), signatures for applications and documents, authentication, certificate-based IP security communication and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP).
- The total number of computers, accounts and persons to be managed is very large.

Management by operating personnel

Note
When a separate Windows domain is set up for the plant, this domain must be managed by the plant operating personnel. This responsibility cannot be transferred to persons outside the production plant, because such persons are not in a position to judge whether or not a given configuration change will have a negative effect on the production process. This may require additional training of the operating personnel.

Note
It is important that no unauthorized persons have the capability to change the configuration of a plant PC. The administrative user accounts may only be used for responsibilities within PCS 7.

Active Directory in PCS 7 plants

With Active Directory, the production plant can be configured almost totally independently of the requirements of the IT department. The production plant is protected against unintentional intervention from the IT department. Data communication across domains can be configured using one-sided or transitive trust settings between the domains. Data communication across domains can also be set up at a later time by merging the individual domains into a forest, provided the domains share a common namespace but were created separately.

Configuration of centralized Windows management with "plant.com" as an example

The configuration of such domains using "plant.com" as an example might appear as follows (each rule is followed by its implementation in the example plant):

Rule: The domains must be configured as failsafe.
Implementation: This means that at least two domain controllers must be set up with intelligent load distribution for their tasks (involving logon tasks and so-called operation master roles).

Rule: The domains must always be available with high performance.
Implementation: For this, at least one of the two domain controllers must be located directly in the network. This ensures that a domain logon and Group Policy update can always be performed, even when the connection to the other networks fails.

Rule: The individual objects must be managed grouped in organizational units.
Implementation: This reduces the risk of misconfiguration of an individual object.

Rule: The use of additional subdomains should be avoided.
Implementation: This saves having to use two (or more) additional domain controllers for each subdomain and reduces the administration work.

Rule: The responsibility for the domains and the PCS 7 PCs must be separate.
Implementation: The "Production" organizational unit containing all user and computer objects relevant for production is created in the "Plant.com" example for this. Responsibility for it is transferred to an administrative account which only manages the domain properties of this organizational unit and not those of the entire domain (for example, the Chief Operator (B), a foreman of "Plant.com").

Rule: The management and initial configuration of the domain by the domain administrator must be performed by qualified operating personnel or a designated employee of "Plant.com's" IT department.
Implementation: As a result, inherent errors can be avoided which may only become apparent at a later time, requiring a complete reconfiguration of the domain.

Rule: The accounts of the domain administrators may only be used for actual administrative duties.
Implementation: This prevents unintentional misconfiguration or a local virus from affecting the entire domain. These accounts normally do not need to be used later for day-to-day activities.

Figure 3-2 shows the potential for simplification of management provided by centralized configuration of security policies, network configuration and user management.

1. The administration of the plant PCs (for example, network configuration, name resolution and IP address assignment) is centralized by the "Production.Plant.com" (A) domain. The responsibility for this infrastructure server (C) is given to the "Domain-Admin".
2. An organizational unit, "OU-Production", is created to manage the plant in the example. This is where all general properties are defined and administration is performed for the global groups "OS-Servers", "OS-Clients" and "Web-Servers" as well as the domain user accounts "Server-Desktop-User-Dom", "Client-Desktop-User-Dom" and "WebServer-Desktop-User-Dom" (E), which are later used as the accounts for the runtime operation of the plant.
3. The administration of the subordinate organizational unit "Production-PC" is performed by a real administrative account "Chief-Operator" in the "Operator-Group". This operator is responsible for the properties that should only be assigned on the PCS 7 PCs (for example, software to be installed, settings for the time synchronization, memberships in the local groups (D), rights, settings for managing software updates, etc.).

Note
The permissions that should be given to global groups and domain user accounts on the PCS 7 PCs are described in detail in chapter 4 "User and Access Management in PCS 7 and Integration in the Windows Management" and are only indicated in Figure 3-2 as orange-colored lines.

Figure 3-2 User management with Active Directory

Embedding Plants in Existing Domains (Active Directory)

Shared domains - dedicated organizational unit

If a company already has an Active Directory domain, you can form a dedicated organizational unit for managing the plant. The main advantage here is that the plant operating personnel do not have to manage a domain. An additional company domain controller is installed with support from the company's IT department. The plant personnel receive no administrative permissions to modify the domain, however.

This scenario demands the most communication between the plant personnel and the company's IT department. The latter must delegate part of their responsibility to the plant personnel and transfer the management of the production organizational unit to them. The plant personnel must ensure that they carry out this responsibility with the utmost care. Provided this scenario is planned by experts and implemented with full cooperation between the IT department and plant personnel, it represents the optimum solution in terms of efficiency, flexibility and reliability.

Note
It is important that no unauthorized persons from the IT department are capable of changing the configuration of the plant PC. It is equally important that the operation of the office network is not endangered by plant personnel.

Example configuration: dedicated organizational unit

Figure 3-3 shows the management of "OU-Production" as a subordinate, independent organizational unit in the Active Directory domain "Plant.com". The organizational unit (A) is managed by the production administrator (B). This person can be provided by the IT department and is trusted with all matters concerning the production department. The plant operator and "Chief-Operator" (C) manage the domain user accounts (D) and the global groups for the PCS 7 PCs.

Figure 3-3 User management using Active Directory with dedicated OU

Shared forest - subordinate domains

If a company already has an Active Directory forest, you can form a subordinate domain for managing the plant. This makes it substantially easier to subsequently administer services and accesses across domains throughout the company. However, this makes it necessary to create and manage a dedicated (sub)domain for the plant as described in the scenario "Managing Plants using a Windows Domain (Active Directory)". The only difference is the use of a shared domain root.

Figure 3-4 Subdomains

Notice
Only precise delineation of the spheres of responsibility through delegation of responsibilities and rights to the operating personnel can ensure that no undesirable configuration changes are made to the plant PCs by the IT department.

Example configuration: subdomains

Figure 3-5 shows an independent domain/subdomain (A) for managing the production plant. The administration of the domain and responsibility for the domain controllers are transferred in full to the operating personnel.

Figure 3-5 User management with independent domain


4 User and Access Management in PCS 7 and Integration in the Windows Management

Principle: Assigned logon

Assigning a logon for each task on PCS 7 PCs achieves the following:
1. When logging on to Windows, each user is given exactly those rights that are required to fulfill the user's respective function; for example, the user must be a member of the local groups "Power User" and "SIMATIC HMI" to work on the PCS 7 project.
2. When logging on during runtime, the operator is given exactly those rights required to operate the plant as defined in the UserAdministrator.

This makes apparent the complete separation of computer access permission (Windows users, for example) and plant operating permission (plant operator). This is supported by the SIMATIC permissions model, although it requires the user to perform administration in various configuration dialogs.

4.1 Rights Management in Windows

Microsoft Windows permissions model

The ALP strategy (Add User Account to Local Group and assign Permission) recommended by Microsoft is used within a workgroup; this means you add local users with the same function to a local group and then assign the group the required permissions. The AGLP strategy (Add Domain User Account to Global Group, add Global Group to Local Group and assign Permission) is used in a domain; this means you add domain users with the same function to a global group, add this global group to a local group and then assign the local group the required permissions.

Application with the SIMATIC permissions model

You are supported in these tasks in PCS 7 by the SIMATIC permissions model. The following SIMATIC user groups are usually created as local groups during installation:
- SIMATIC HMI
- SIMATIC HMI CS
- SIMATIC HMI VIEWER

The corresponding share permissions and security settings are automatically handled by the PCS 7 software. The user only needs to make the local users and global groups members of these SIMATIC user groups.

Note
In addition, all Windows users who are to work on PCS 7 PCs with SIMATIC components need to be added to the Power Users local group.

SIMATIC WinCC

WinCC uses the SIMATIC HMI, SIMATIC HMI CS and SIMATIC HMI VIEWER user groups for project sharing and project file access. The first time a project is opened, project sharing is automatically set up and configured with the required sharing permissions and security settings. Management of project sharing and project file access is automatically handled by the PCS 7 software. A detailed illustration of the required group membership is shown in Figure 4-1 and the following figures.

SIMATIC BATCH

The following additional user group is created for SIMATIC BATCH during installation:
- SIMATIC BATCH

Add the local users and global groups who will use BATCH to this user group. The following shares are set up:
- BATCH
- BATCH_Backup

Management of sharing permissions is automatically handled by the PCS 7 software. Also add the "SIMATIC BATCH" user group with full permission in the security settings for sharing.

SIMATIC Route Control

The following additional user groups are created for SIMATIC Route Control during installation:
- RC_ENGINEER
- RC_MAINTENANCE
- RC_OPERATOR_L1
- RC_OPERATOR_L2
- RC_OPERATOR_L3

You only need to assign the local users and global groups to these groups according to their function. The following share is also configured:
- RC_LOAD

Management of sharing permissions and security settings is automatically handled by the PCS 7 software.

What does this ensure?

Only a member of the local "Administrators" (Windows) group can install software or change the configuration of a station or project at will or assign these rights to other users. Normal operation of the plant is performed under the account of a Windows user who, at most, has the rights of a member of the local "Power User" (Windows) group. Such users are referred to in the following as "ClientDesktopUser" and "ServerDesktopUser". This prevents intervention in the management of a station or network by the plant operator.

Access to the Windows user interface must be completely blocked during runtime operation. In order for the PCS 7 OS to operate continuously and guarantee permanent access to the plant, no "logoff" of the Windows desktop can be performed.

Even if a Web server service (IIS) of a Web Navigator server is disrupted by a virus or hacker attack, it cannot write to the configuration data, because the Web server service account is only a member of the "SIMATIC HMI VIEWER" group and therefore only has read access to the project. Another user cannot access this project, even remotely, if his user account is not known on the station and he is not a member of the "SIMATIC HMI" group. An additional differentiation is planned for runtime and configuration.

Rules
- Use the Microsoft-recommended ALP strategy (Add User Account to Local Group and assign Permission) and AGLP strategy (Add Domain User Account to Global Group, add Global Group to Local Group and assign Permission).
- The plant operator logs on and off the PCS 7 OS, where he receives his plant operation permissions, which were configured in the UserAdministrator and the individual graphical function objects.
- The project engineer and operator of a project must not only be local power users, they must also be members of the "SIMATIC HMI" group.
- The "ClientDesktopUser" account for each OS client must be a member of the "SIMATIC HMI" group on the server, otherwise there will be no remote access to the project.

Explanation of the following illustrations

User / user group: Description

Server-Desktop-User
- is a local Windows user on the OS server under which process mode (Runtime) runs in a workgroup
- is a member of the following groups on each OS server: Power User, SIMATIC HMI and SIMATIC HMI VIEWER
- is not a member of a local group on the OS client or Web server

Client-Desktop-User
- is a local Windows user on the OS client under which process mode (Runtime) runs in a workgroup
- is a member of the following groups on an OS client: Power User, SIMATIC HMI and SIMATIC HMI VIEWER
- must also be configured on the OS server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the OS server

Web-Server-Desktop-User
- is a local Windows user on a Web server under which process mode (Runtime) runs in a workgroup
- is a member of the following groups on each Web server: Power User, SIMATIC HMI and SIMATIC HMI VIEWER
- must also be configured on the OS server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the OS server
- an OS client is always installed on a Web server in PCS 7 plants

ES-Project-Engineer
- is a local Windows user on a PCS 7 ES under which configuration is performed in a workgroup
- is a member of the Power User, SIMATIC HMI and SIMATIC HMI CS groups on an ES
- When project configuration changes are to be made on an OS server or OS client, they should always be made by this user. This is why this project engineer should also be configured on an OS server and OS client and be a member of the following groups on the OS server and OS client: Power User, SIMATIC HMI and SIMATIC HMI CS

OS-Server
- is a global domain group that contains all domain users under which process mode (Runtime) runs on an OS server in a domain
- is a member of the following local groups on each OS server: Power User, SIMATIC HMI and SIMATIC HMI VIEWER
- is not a member of a local group on the OS client or Web server

OS-Client
- is a global domain group that contains all domain users under which process mode (Runtime) runs on an OS client in a domain
- is a member of the following local groups on each OS server: SIMATIC HMI and SIMATIC HMI VIEWER
- is a member of the following local groups on each OS client: Power User and SIMATIC HMI

Web-Server
- is a global domain group that contains all domain users under which process mode (Runtime) runs on a Web server in a domain
- is a member of the following local group on each OS server: SIMATIC HMI VIEWER
- is a member of the following local groups on each Web server: Power User, SIMATIC HMI and SIMATIC HMI VIEWER

Example configuration: local user management of an OS server

Figure 4-1 Local user management of OS server

Example configuration: local user management of an OS client

Figure 4-2 Local user management of OS client

Example configuration: local user management of a Web Navigator server

Figure 4-3 Local user management of Web Navigator server

4.2 User Management in PCS 7

User Administrator

The actual user management for operating the plant is performed in the UserAdministrator. The UserAdministrator is divided into two components for assigning permissions and managing them:
- Users and permissions are managed in the UserAdministrator configuration system. This is where new users are entered, passwords are assigned, permissions are managed in a table and the link to SIMATIC Logon is made.
- The main purpose of the "UserAdministrator Runtime System" is to monitor system logons and access rights.

SIMATIC Logon Service

If you intend to use the SIMATIC Logon Service for support in managing rights, the users and their group memberships will be stored in the Windows User Management (local, logon server for SIMATIC Logon or domains).

Note
It is important to note in this regard that these users have absolutely no rights in the Windows environment; in other words, they are members of no Windows group. Their permissions are configured by assigning user rights to groups in the UserAdministrator.


5 Planning Time Synchronization

Principle: Exact time of day

Regardless of the source chosen for synchronizing the time of day in a plant, in the final analysis, time errors can only be minimized by ensuring that all subscribers use the same source.

Time synchronization sources

Time synchronization in a PCS 7 plant is of utmost importance for synchronizing, tracing, documenting and archiving all time-critical processes. Essentially, two different setups are used for time synchronization: either a standalone time server ((S)NTP server) with a connected clock and time stamp receiver module, or a clock and time stamp receiver module integrated directly at the location to be synchronized (OS server/domain controller), or a combination of the two. A central plant clock is recommended for PCS 7 plants as it allows both setups to be used:
- SICLOCK TM GPS Package 24V with order number 2XV9450-1AR24, or
- SICLOCK TM GPS Package 230V with order number 2XV9450-1AR25

Both packages contain the SICLOCK TM central plant clock and the SICLOCK GPSDEC radio clock. Other time synchronization products can also be used depending on the application requirements.

Further information: "Time synchronization concept for industrial plants" on the Internet at: English: > Portfolio

Criteria for planning time synchronization

The configuration of time synchronization requires very careful planning. Errors are difficult to analyze and can lead to dangerous consequences. The configuration is based on the following factors:
- Time master types, such as the Siemens SICLOCK TM/TS central plant clock on the system bus, a server with a directly integrated receiver module, an Internet time server or a company time server
- Synchronization methods, such as SICLOCK with broadcast time signal via the "Layer 2 GMT" protocol (SIMATIC procedure), SICLOCK with a serial connection to a server (DCF 77 emulation), WinCC time synchronization with Windows direct access, Windows time service with the SNTP and NTP protocols, DCF 77 reception service with DCF 77 signal processing
- Physical network configuration; for example, not all media support all synchronization methods
- Logical network configuration; for example, broadcast messages cannot be forwarded beyond the subnet boundaries
- Windows Active Directory

Recommended configurations

Essentially, four different configurations are recommended:
- Windows workgroup without central plant clock
- Windows workgroup with central plant clock
- Windows Active Directory without central plant clock (with NTP time server)
- Windows Active Directory with central plant clock

Operation in a Windows workgroup is designed for small plants that do not need to be operated synchronized to the company network or other networks. However, if a plant is to be operated in a Windows domain (Windows Active Directory), no competing time synchronization mechanisms may influence the plant PCs. Whereas an incorrect time only causes problems in the interpretation of causal relationships for most applications, an imprecise time here can lead to domain clients being denied logon by their domain controller.

The reason for this is a security feature of the domain controller in Windows 2000 and higher, which is intended to prevent hijacking of an established session. The standard authentication protocol, Kerberos V5, uses the time of the workstation as part of the generation process for authentication tickets. If the configured time tolerance (default 5 min.) between client and server is exceeded, it is assumed that an attacker has decrypted the logon and hijacked the session. This is prevented by invalidating the session and denying logon to this client on its domain.

5.1 Time Synchronization in a Windows Workgroup without a Central Plant Clock

Example configuration: Windows workgroup without a central plant clock

Figure 5-1 Windows workgroup without central plant clock

Configuring time synchronization of the system bus

A PLC, such as the SIMATIC S7-400, is defined as the master clock on the system bus and synchronizes the system bus cyclically using a broadcast time signal. All other PLCs are configured as slave clocks. The interface modules of the OS servers, e.g. CP1613, are set to transmit and receive these time-of-day frames (see figure below).

Settings for the interface modules for the system bus are made by selecting Start > SIMATIC > SIMATIC NET > Configuration Console.

Figure 5-2 Activating time of day adjustment for the CP1613

If the dialog shown above in "Activating time of day adjustment for the CP1613" is grayed out and "Time of day adjustment" is deactivated, the CP1613 must first be put into "PG operation" mode.

Figure 5-3 Changing the operating mode of the CP1613 to PG operation

Time of day adjustment can then be activated. However, the mode must then be changed back to Configured mode.

Figure 5-4 Changing the operating mode of the CP1613 to Configured mode

The OS servers function as so-called cooperative masters; in other words, only when a CP1613 on the system bus is not receiving a broadcast time signal (from the PLC as master clock) will the WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the system bus as a substitute for the master clock, which has probably failed. This is described in more detail below.

Configuring time synchronization of the terminal bus

During runtime of a PCS 7 project, WinCC Time Synchronization takes the broadcast time signals received by the CP1613 via the system bus and uses them to set the Windows system time for OSServer01 and OSServer02. Although the OS servers are configured in the following dialog as master clocks, they function as so-called cooperative masters; in other words, only when a CP1613 on the system bus is not receiving a broadcast time signal (from the PLC as master clock) will the WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the system bus as a substitute for the master clock, which has probably failed. However, as soon as the CP1613 receives a broadcast time signal on the system bus, its own "Master" clock mode is automatically switched to "Slave" clock mode.

The time synchronization setting is made in the Time Synchronization dialog in WinCC Explorer.

Figure 5-5 WinCC time synchronization in a server project

OSClient01 and OSClient02 are configured as "Slave" clocks on the connected OS server using WinCC time synchronization in their own projects and are synchronized during runtime of their projects with the clock of the respective OS server via the "terminal bus".

Figure 5-6 WinCC time synchronization in a client project

5.2 Time Synchronization in a Windows Workgroup with a Central Plant Clock

Example configuration: Windows workgroup with a central plant clock

Figure 5-7 Windows workgroup with central plant clock (SICLOCK TM)

Configuring time synchronization of the system bus

The SICLOCK TM/TS connected to the system bus as the central plant clock transmits a highly accurate broadcast time signal on the system bus. It synchronizes its own time of day with a connected DCF 77 radio module or GPS receiver module. All PLCs are configured as slave clocks. The interface modules of the OS servers, e.g., CP1613, are set to transmit and receive these time-of-day frames (see figure below).

Figure 5-8 Activating time of day adjustment for the CP1613

If the dialog shown above in "Activating time of day adjustment for the CP1613" is grayed out and "Time of day adjustment" is deactivated, the CP1613 must first be put into "PG operation" mode.

Settings for the interface modules for the system bus are made by selecting Start > SIMATIC > SIMATIC NET > Configuration Console.

Figure 5-9 Changing the operating mode of the CP1613 to PG operation

Time of day adjustment can then be activated. However, the mode must then be changed back to Configured mode.

Figure 5-10 Changing the operating mode of the CP1613 to Configured mode

The OS servers function as so-called cooperative masters; in other words, only when a CP1613 on the system bus is not receiving a broadcast time signal (from the central plant clock) will the WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the system bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.

Configuring time synchronization of the terminal bus

During runtime of a PCS 7 project, WinCC Time Synchronization takes the broadcast time signals received by the CP1613 via the system bus and uses them to set the Windows system time for OSServer01 and OSServer02. Although the OS servers are configured in the following dialog as Master clocks, they function as so-called cooperative masters; in other words, only when a CP1613 on the system bus is not receiving a broadcast time signal (from the central plant clock) will the WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the system bus as a substitute for the central plant clock, which has probably failed. However, as soon as the CP1613 receives a broadcast time signal on the system bus, its own "Master" clock mode is automatically switched to "Slave" clock mode.

The time synchronization setting is made in the Time Synchronization dialog in WinCC Explorer.

Figure 5-11 WinCC time synchronization in a server project

OSClient01 and OSClient02 are configured as time "Slaves" on the connected OS server using WinCC time synchronization in their own projects and are synchronized during runtime of their projects with the clock of the respective OS server via the "terminal bus".

Figure 5-12 WinCC time synchronization in a client project

5.3 Time Synchronization in a Windows Active Directory Domain without a Central Plant Clock (with NTP Time Server)

Example configuration: Windows domain without a central plant clock but with NTP time server (DCF/GPS signal)

Figure 5-13 Windows domain without central plant clock but with NTP time server (SICLOCK TM)

Configuring time synchronization of the system bus

All PLCs are configured as slave clocks. The interface modules of the OS servers, e.g., CP1613, are set to transmit and receive time messages (see figure below). Settings for the interface modules for the system bus are made by selecting Start > SIMATIC > SIMATIC NET > Configuration Console.

Figure 5-14 Activating time of day adjustment for the CP 1613

If the dialog shown above in "Activating time of day adjustment for the CP1613" is grayed out and "Time of day adjustment" is deactivated, the CP1613 must first be put into "PG operation" mode.

Figure 5-15 Changing the operating mode of the CP1613 to PG operation

Time of day adjustment can then be activated. However, the mode must then be changed back to Configured mode.

Figure 5-16 Changing the operating mode of the CP1613 to Configured mode

The OS servers function as so-called cooperative masters; in other words, the first OS server activated on the system (that is not receiving a broadcast time signal!) automatically switches to "Master" clock mode. All other activated OS servers then detect a broadcast time signal on the system bus and automatically switch to "Slave" clock mode. This is described in more detail in the following section.

Note
Time synchronization of the PLC is only performed when at least one OS server is activated.

Configuring time synchronization of the terminal bus

The NTP "TimeServer" with a DCF 77 radio module or GPS receiver module represents an extremely reliable time source. The domain controller, which was configured as forest master, and/or the PDC emulator (Primary Domain Controller emulator, usually the first installed domain controller) is configured as a direct time client of the authoritative "TimeServer" time source. The procedure for this is described by Microsoft in the section: Configuring the Windows Time service to use an external time source. See topic: How to configure an authoritative time server in Windows Server 2003:

All other plant PCs are automatically time clients of the PDC emulator through their membership in the domain. However, since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, OSServer01 and OSServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock.

The time synchronization setting is made in the Time Synchronization dialog in WinCC Explorer.

Figure 5-17 WinCC time synchronization with domain controllers in a server project

OSClient01 and OSClient02 are configured as "Slave" clocks of the domain controllers or the connected OS servers using WinCC time synchronization in their own projects and are synchronized during runtime of their projects with the clock of the respective domain controllers or OS servers via the "terminal bus".

Figure 5-18 WinCC time synchronization with domain controllers in a client project

Figure 5-19 WinCC time synchronization with connected WinCC server in the client project

PCS 7 PCs, such as OSClient02, BATCH PCs or ES, for which WinCC time synchronization is not available, are synchronized via the additionally installed DCF77 reception service. It can use one of the two domain controllers or OS servers as the master clock.

Figure 5-20 DCF77 reception service on a client without WinCC time synchronization

5.4 Time Synchronization in a Windows Active Directory Domain with a Central Plant Clock

Example configuration: Windows domain with a central plant clock

Figure 5-21 Windows domain with central plant clock (SICLOCK TM)

Configuring time synchronization of the system bus

The SICLOCK TM/TS connected to the system bus as the central plant clock transmits a highly accurate broadcast time signal on the system bus. It synchronizes its own time of day with a connected DCF 77 radio module or GPS receiver module. All PLCs are configured as slave clocks. The interface modules of the OS servers, e.g., CP1613, are set to transmit and receive these time-of-day frames (see figure below). Settings for the interface modules for the system bus are made by selecting Start > SIMATIC > SIMATIC NET > Configuration Console.

Figure 5-22 Activating time of day adjustment for the CP1613

If the dialog shown above in "Activating time of day adjustment for the CP1613" is grayed out and "Time of day adjustment" is deactivated, the CP1613 must first be put into "PG operation" mode.

Figure 5-23 Changing the operating mode of the CP1613 to PG operation

Time of day adjustment can then be activated. However, the mode must then be changed back to Configured mode.

Figure 5-24 Changing the operating mode of the CP1613 to Configured mode

The OS servers function as so-called cooperative masters; in other words, only when a CP1613 on the system bus is not receiving a broadcast time signal (from the central plant clock) will the WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the system bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.
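The cooperative-master behaviour described in sections 5.1 to 5.4 (an OS server transmits substitute broadcast time signals only while it hears no other time signal on the system bus, drops back to "Slave" as soon as one arrives, and in a plant without a central clock the first activated OS server becomes "Master") can be simulated to see which node is the effective time source at any moment and when the PLC slave clocks go unsynchronized. The following Python simulation is an added example and not code from the manual or from Siemens. The one-bus tick model, the switch-over timeout TIMEOUT_S (the real WinCC interval is not given on this page), the activation-order tie-break and the class names MasterClock, OsServer and Simulation are assumptions.

```python
"""Simulation of the WinCC "cooperative master" time synchronization on the system bus.

Added example; not code from the PCS 7 manual or from Siemens. Assumed model: one
system bus, one tick per second, a master clock that broadcasts every tick while
healthy, and OS servers that count silent ticks before taking over.
"""

# Assumed: ticks without any broadcast time signal before an OS server switches
# itself to "Master" clock mode. The real WinCC switch-over interval is not stated.
TIMEOUT_S = 3


class MasterClock:
    """Central plant clock (SICLOCK) or PLC as master clock: broadcasts while healthy."""

    def __init__(self, name):
        self.name = name
        self.healthy = True


class OsServer:
    """OS server whose CP 1613 listens on the system bus. WinCC time sync is configured
    as Master, but the server only transmits while nobody else is heard."""

    def __init__(self, name, activate_at):
        self.name = name
        self.activate_at = activate_at  # tick at which the OS project is activated
        self.active = False
        self.mode = "Slave"
        self.silent_ticks = 0

    def tick(self, t, prev_bus, bus):
        """prev_bus: senders heard in the previous tick; bus: senders so far in this tick."""
        if t >= self.activate_at:
            self.active = True
        if not self.active:
            return
        heard = [n for n in prev_bus + bus if n != self.name]
        if heard:
            # As soon as a broadcast time signal arrives, Master mode drops back to Slave.
            self.silent_ticks = 0
            self.mode = "Slave"
        else:
            self.silent_ticks += 1
            if self.silent_ticks >= TIMEOUT_S:
                self.mode = "Master"
        if self.mode == "Master":
            bus.append(self.name)  # substitute broadcast on the system bus


class Simulation:
    """Servers are processed in activation order; this is the assumed tie-break that
    models the manual's rule that the first activated OS server becomes Master."""

    def __init__(self, clock, servers):
        self.clock = clock
        self.servers = sorted(servers, key=lambda s: s.activate_at)
        self.prev_bus = []
        self.log = {}  # tick -> (modes of the active servers, PLC slave clocks synchronized?)

    def step(self, t):
        bus = []
        if self.clock is not None and self.clock.healthy:
            bus.append(self.clock.name)
        for s in self.servers:
            s.tick(t, self.prev_bus, bus)
        self.prev_bus = bus
        modes = {s.name: s.mode for s in self.servers if s.active}
        # PLCs are slave clocks: they are synchronized only if somebody broadcast this
        # tick (the manual's note: PLC sync needs at least one activated OS server).
        self.log[t] = (modes, bool(bus))
        return self.log[t]


def run_with_central_clock(fail_at=5, restore_at=10, ticks=12):
    """Sections 5.2 / 5.4: the plant clock fails and later comes back."""
    clock = MasterClock("SICLOCK")
    sim = Simulation(clock, [OsServer("OSServer01", 1), OsServer("OSServer02", 1)])
    for t in range(1, ticks + 1):
        clock.healthy = not (fail_at <= t < restore_at)
        sim.step(t)
    return sim.log


def run_without_central_clock(ticks=6):
    """Section 5.3: no plant clock on the system bus; the first activated server takes over."""
    sim = Simulation(None, [OsServer("OSServer02", 2), OsServer("OSServer01", 1)])
    for t in range(1, ticks + 1):
        sim.step(t)
    return sim.log


if __name__ == "__main__":
    for t, (modes, synced) in run_with_central_clock().items():
        print(t, modes, "PLCs synced" if synced else "PLCs NOT synced")
```

Running the central-clock scenario shows the gap a practitioner should plan for: between the clock failing and an OS server reaching its timeout, no node transmits and the PLC slave clocks free-run; afterwards exactly one OS server is Master, and it yields the moment the plant clock returns.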

Configuring time synchronization of the terminal bus

The SICLOCK TM/TS central plant clock with a DCF 77 radio module or GPS receiver module represents an extremely reliable time source. The domain controller, which is configured as a forest master, and/or the PDC emulator (Primary Domain Controller emulator, usually the first installed domain controller) is connected directly to the central plant clock using a serial cable. "DCF 77 Service" needs to be installed to continually synchronize this domain controller with the central plant clock with a high degree of precision. The DCF 77 reception service settings can be made by selecting Start > Settings > Control Panel > DCF77 Service.

Figure 5-25 DCF77 reception service on the domain controller

This domain controller is then configured as the authoritative time source. The procedure for this is described by Microsoft in the section: Configuring the Windows Time service to use an internal hardware clock. See topic: How to configure an authoritative time server in Windows Server 2003:

All other plant PCs are automatically time clients of the PDC emulator through their membership in the domain.

However, since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, OSServer01 and OSServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock. The time synchronization settings are made in the "Time Synchronization" dialog in WinCC Explorer.

Figure 5-26 WinCC time synchronization with domain controllers in a server project

OSClient01 and OSClient02 are configured as "Slave" clocks of the domain controllers or the connected OS servers using WinCC time synchronization in their own projects and are synchronized during runtime of their projects with the clock of the respective domain controllers or OS servers via the "terminal bus".

Figure 5-27 WinCC time synchronization with domain controllers in a client project

Figure 5-28 WinCC time synchronization with connected WinCC server in a client project

PCS 7 PCs, such as OSClient02, BATCH PCs or ES, for which WinCC time synchronization is not available, are synchronized via the additionally installed DCF77 reception service. It can use one of the two domain controllers or OS servers as the master clock.

Figure 5-29 DCF77 reception service on a client without WinCC time synchronization

6 Implementing Patch Management

Comprehensive information about patch management is available at http://

A substantial portion of the following chapter has been taken from the reference above and adapted to a PCS 7 plant.

Principle: Management of software updates and security patches

Because some dangerous situations have arisen in the past due to security vulnerabilities and viruses, there must be a method for fast, controlled deployment and installation of new security patches, updates and hotfixes. In contrast to older plants, modern, networked process control systems must be capable of overcoming the latest detected security problems using newly available security patches.

Microsoft patch management process

The patch management process recommended by Microsoft is a four-phase management method for software updates designed to put your company in the position of controlling the deployment and maintenance of software updates in your production environment.

Figure 6-1 Microsoft patch management process

Steps and their description:

- Assess: The process starts with an assessment of what you have in your production environment, what security threats and vulnerabilities you might face, and whether your organization is prepared to respond to new software updates.
- Identify: Your goal during the Identify phase is to discover new software updates in a reliable way, determine whether they are relevant to your production environment, and determine whether an update represents a normal or emergency change.
- Evaluate and plan: Your goal during the Evaluate and Plan phase is to make a go/no-go decision to deploy the software update and determine what is needed to deploy it. You should also test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications.
- Deploy: Your goal during the Deploy phase is to successfully roll out the approved software update into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

Patch management with the Software Update Services (SUS)

Software Update Services (SUS) enables you to automatically implement important updates and security rollups on computers across the entire network without requiring that you personally search for each computer or write a script. More information about the use of SUS is available in chapter 6.2 "Installing and Configuring the Software Update Service".

Patch management with Systems Management Server (SMS)

Systems Management Server (SMS) is a Microsoft tool for managing configurations and changes of Windows operating systems for servers and workstations. Comprehensive information about patch management with SMS is available at

Patch management with the Windows Software Update Services (WSUS)

6.1 Implementing Patch Management

This section is intended to support you in developing and automating the patch management process.

Patch management process

A patch management process consists of the following phases:

- Detect: With the support of appropriate tools, such as MBSA, you should scan your system for missing security patches. The detection process must be automated to trigger the patch management process.
- Assess: If the required updates are not installed, determine the severity of the problem for which the patch is intended and the preventative factors that will have an effect on your decision. By comparing the problems with the preventative factors, you can determine if the security risk represents a threat for your current environment.
- Obtain: If the available security measures do not cover the security risk, download the patch for testing.
- Test: Install the patch on a test system and test the effect of the update on your production configuration.
- Deploy: Make the patch available for the plant PCs. Ensure there are no negative effects on your applications. Implement your rollback or security response plan as needed.
- Manage: Subscribe to the security bulletin notifications for information about newly discovered security vulnerabilities and restart the patch management process from the beginning.

Current FAQs

Read the latest FAQs when deploying security patches in PCS 7 plants, available at

The following FAQs are currently important: FAQ FAQ

Detecting Security Vulnerabilities with MBSA

Using MBSA

The Microsoft Baseline Security Analyzer (MBSA) can be used for two tasks:
- Scanning one or more computers for vulnerabilities
- Determining the availability of security updates

MBSA can also be used in two modes:
- Graphic user interface
- Command line

Either mode can be used to scan one or more computers.

Note
The logon account required for executing MBSA must be a member of the administrator group on the computers to be scanned. Use the net use \\computername\c$ command to check if the required access rights and permissions are available. "computername" refers to the network name of the computer to be scanned for missing patches. Resolve any problems with access to the administrative privileges before scanning remote computers with MBSA.

How to manually detect missing updates using the graphical user interface of MBSA

1. Start MBSA by double-clicking the corresponding desktop icon or selecting the command from the Program menu.
2. Click Scan a computer. MBSA scans the local computer with the default setting. To scan multiple computers, click on Scan Multiple Computers and then select a series of computers or an IP address range.
3. Select all check boxes (see Figure 6-2).
4. Click Start scan. Your server will now be analyzed. Once the scan is completed, MBSA displays a security report and also saves this report in the directory %userprofile%\securityscans.

In the following example (see Figure 6-2), all options have been selected for checking the IP address (OSClient01). The subordinate SUS server (SEC-CA) is also checked.

Figure 6-2 MBSA Computer scan

5. When the scan is complete, click the link next to the negative items for details of the results (see Figure 6-3) to see a list of the security updates that have not yet been installed. The Security Bulletin reference number from Microsoft is displayed. You can receive more information about a bulletin by clicking the reference.

How to detect missing updates using the command line interface of MBSA

Go to the MBSA installation directory in a command line window and enter the following command:

mbsacli /i /sus "

This opens the same report that is available in the graphic user interface. The report in this case is also saved in the directory %userprofile%\securityscans.

How to analyze the generated report

1. Run MBSA by double-clicking the corresponding desktop icon or selecting the command in the Program menu.
2. Click on "Pick a security report to display" and open the report (or reports, if you have scanned multiple computers).
3. If you want to display the results from a scanned computer, place the mouse pointer on the computer name in the list. The reports are listed in the order of their timestamp.

Explanation of the MBSA results

Figure 6-3 MBSA Scan results

The upper portion of the MBSA screen shown in Figure 6-3 is self-explanatory. A red X indicates that a serious problem has been found. To display a list of missing patches, click on the corresponding Result details link.

Searching for security updates

Searching for security updates may result in two types of problems:
- Missing patches
- Patches cannot be confirmed

For both types, links are available to the relevant hotfix and security bulletin sites that provide information about the patch and download instructions.

Missing security update

Missing patches are indicated by a red X. Clicking the Results details in Figure 6-3 yields the following information:

Figure 6-4 MBSA Missing security update

Unconfirmed security update

A blue asterisk indicates that a patch cannot be confirmed. This occurs when your system has a file that is newer than a file of the Security Bulletin. This may happen when you have installed a new version of a product that updates a common shared file.

Figure 6-5 MBSA Unconfirmed security update

If there is an update that cannot be confirmed, check the information in the bulletin and follow the instructions. This might involve installation of the patch or configuration changes.

Further information

Further information about patches that cannot be checked with MBSA is available in the Microsoft Knowledge Base Article , "HFNetChk Returns Note Messages for Installed Patches."

Assessing Security Vulnerabilities

Based on the list of missing patches detected by MBSA, you need to assess whether or not the security vulnerability poses a substantial risk. You must carefully weigh two factors: the security risk of uninstalled security patches on the one hand and the effort required for installation on the other (the computer may possibly need to be rebooted). Microsoft Security Bulletins contain technical information which you can use to determine the degree of threat posed by the security vulnerabilities in your system.

Security Bulletins

You can assess the risk of an attack by reading the following information in the security bulletins:

- Technical information about what an attacker needs to exploit the security vulnerabilities described in bulletins. For example, physical access may be required for an attack or the user may have to open a harmful attachment.
- Mitigating factors you need to assess in light of your security policy to determine how much you are affected by a security vulnerability. Maybe a patch is not absolutely necessary because of your security policy. For example, if you are not using the index service on your server, there is no need to install a patch against a security threat in the service.
- Assessing threats to set priorities. Assessing the severity of threats involves several factors, including the role of the computer whose security is endangered as well as the degree to which it is affected by a security vulnerability.

Note
If you are using an affected product, you must almost always install the patch for security vulnerabilities that are characterized as critical or important. A patch rated as critical should be installed as soon as possible.

Obtaining Software Updates and Security Patches

An SUS server can be used in PCS 7 plants. Using the Software Update Service (SUS) from Microsoft you can quickly and effectively implement automatic deployment of software updates and security patches on all plant PCs. The SUS server allows an Administrator to view all updates and release only those that are actually required for the plant PCs.

Further information

More detailed information is available in chapter 6.2 "Installing and Configuring the Software Update Service".

Testing Security Patches

If you have decided it is necessary to install a patch based on your assessment, this should first be performed in a test environment to avoid any negative effects on your plant operation. FAQ generally permits the use of Microsoft security patches in PCS 7 plants.

Deploying Security Patches

Once you have ensured that the installation of the patch is safe, you must install the update reliably and efficiently on your production servers. There are a variety of options for deploying patches throughout the company. These include:
- Using the Software Update Service (SUS)
- Using the Systems Management Server (SMS)
- Using the Windows Software Update Service (WSUS)

Maintaining the Patch Environment

The patch management cycle also includes keeping your servers up-to-date using the latest patches. The patch management cycle begins again when you learn that new security vulnerabilities have been found and missing security updates are available. You must perform the entire patch management cycle to bring your servers up-to-date with the latest security patches. Do the following to start the cycle again:
- Perform a security assessment
- Use the security bulletin notification services

6.2 Installing and Configuring the Software Update Service (SUS)

This section includes the information you need to use the Software Update Service for installing and configuring updates in PCS 7. It is based on information made available by Microsoft. The installation of the SUS-CA server is described in our example.

Basics of SUS

Software Update Service (SUS)

SUS provides a way to deploy crucial updates (hotfixes that solve non-security-related bugs) and crucial security updates to computers throughout a network. You do not have to visit each computer or write any scripts. SUS is fairly flexible. You retain control over which updates to deploy, when to deploy them, and which computers should receive them.

Limitations of SUS

- SUS does not support Windows NT or Windows 9x computers.
- SUS does not support Microsoft Office or Microsoft BackOffice products. SUS updates the OS, Microsoft IIS, and Microsoft Internet Explorer (IE) only.
- SUS currently supports many languages but not every language that XP and Win2K support.
- SUS does not have an uninstall option to automatically remove an update it has deployed. Therefore, testing the updates before installing them with SUS is important. However, you can use the manual uninstall method to remove updates.

Components of the Software Update Service (SUS)

SUS consists of three components:
- SUS, which runs on your server
- Automatic Updates (AU), which runs on client machines
- Group Policy settings for AU clients

The SUS server is basically an IIS Web site. You use Web pages to administer and monitor SUS. AU clients use Web pages to download updates. Microsoft stores the updates on its Windows Update servers. SUS's Windows Update Synchronization Service handles the periodic synchronization between the SUS server and Microsoft Windows Update servers. AU clients use HTTP to communicate with an SUS server. The SUS server also uses http.

The AU clients periodically contact the Windows Update servers and synchronize the database of updates available for download. This database is called the catalog. You can perform catalog synchronizations on demand, or you can schedule them. The catalog does not contain the actual updates. It contains a description of the updates and information that the AU clients need to determine whether an update is applicable for their XP or Win2K installations.

You can configure the SUS server to download and install the updates for each language you choose to support, or you can leave the updates on the Windows Update servers. In this case, the AU clients download and install the updates. No matter which configuration you choose, SUS checks the updates against Microsoft's public certificate before downloading and installing the updates. This prevents imposters from using SUS to insert malicious code into your computers.

Although downloading and installation often occur in one step in many programs, they are two separate processes in SUS. For example, suppose you want to have the AU clients download and install the updates. The AU clients periodically check your SUS server for any newly approved updates. When the AU client finds an update that it needs to download, it begins the download process by connecting to the appropriate Windows Update server. You can configure the AU client to automatically download and install the update. Alternatively, you can configure it to notify the user that an update is ready for download. In the latter case, the AU client waits for the user to initiate the download.

After the AU client downloads the update to a temporary folder, the installation process begins. The AU client checks the options you set to determine when to install the update. You can configure the AU client to automatically install updates according to a schedule you have set. You can optionally configure the AU client to notify the user that updates are available for installation. It then waits for the user to initiate the installation. After installing the updates, the AU client restarts the computer if required. If a user is currently logged on, the AU client gives the person 5 minutes to save his or her work, close all programs, and log off. The AU client then restarts the computer. Because the AU client uses the Qchain tool, it needs to restart the machine only once, even if it installed several updates.

Rules for Patch Management

- All AU clients (for example, all plant PCs) must have access to SUS via http.
- New security patches on the SUS server must be deployed for the production operation following successful testing in the test environment. Depending on the configuration, the following must be performed:
  - The authorized administrator must download the new security patches to the plant PCs and perform installation step-by-step.
  - The authorized administrator must download and perform a hidden installation of the new security patches, putting them into effect at the next scheduled reboot.
- The configuration of the AU clients must be performed according to a Group Policy.
- Once the installation of the patches on the AU clients is complete, they must not be rebooted automatically.
- Scan the data traffic during the download and deployment of the patches using an application firewall with a virus scanner (for example, Microsoft Internet Security And Acceleration Server and the TrendMicro virus scanning module).

Example configuration

SUS Server Configuration:
- Higher-level SUS server with firewall-protected Internet access to the MS Windows Update Web site
- Synchronization of the available updates of the lower-level SUS server through a firewall-protected http connection to the higher-level SUS server
- Placement of the SUS server ideally in a perimeter network

The following figure shows the placement of the higher-level SUS server (A) in the ERP and the placement of the lower-level SUS server (B) in the MES. The lower-level SUS-CA server downloads its patches from the higher-level SUS-ERP server over the MES firewall via http. All plant PCs receive their patches from the lower-level SUS server. For this to work, http download from the lower-level SUS server must be permitted at all access points. To also allow a dial-up support computer (D) to install any missing updates before it accesses the plant, it must also be given access to the lower-level SUS server while it is still in the quarantine network. The MES network serves as the quarantine network.

Figure 6-6 SUS placement
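The rules for patch management above (AU clients reach SUS over http, AU configuration through Group Policy, either administrator-driven or scheduled installation, no automatic reboot after installation) and the placement in Figure 6-6 (every plant PC takes its patches from the lower-level SUS-CA server, never from SUS-ERP or Windows Update directly) can be checked offline against the policy values exported from a client. The following Python check is an added example and not code from the manual or from Siemens. The value names are the Windows Update Group Policy registry values (WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate, NoAutoRebootWithLoggedOnUsers); the mapping of the manual's two installation variants to AUOptions 3 and 4 is an interpretation, and the sample policies, the host list and the function names are constructed.

```python
"""Offline compliance check of Automatic Updates (AU) client policy values.

Added example; not code from the PCS 7 manual or from Siemens. The keys are the
Windows Update Group Policy registry values under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate (WUServer, WUStatusServer)
and ...\\WindowsUpdate\\AU (UseWUServer, AUOptions, NoAutoUpdate,
NoAutoRebootWithLoggedOnUsers). The sample policies and host list are constructed.
"""
from urllib.parse import urlsplit

# AUOptions: 2 = notify before download, 3 = auto download and notify before install,
# 4 = auto download and schedule the install, 5 = let the local administrator choose.
# Assumed mapping to the manual's two variants: 3 = the administrator installs
# step-by-step, 4 = hidden installation taking effect at the next scheduled reboot.
ADMIN_INSTALL, SCHEDULED_INSTALL = 3, 4

# Assumed: the lower-level SUS server (SUS-CA in the manual's example) that every
# plant PC must use; the higher-level SUS-ERP server is reserved for SUS-CA itself.
ALLOWED_SUS_HOSTS = {"sus-ca", "sus-ca.laboratory.siemens.net"}

# Constructed sample exports (REG_SZ values as str, REG_DWORD values as int).
COMPLIANT_POLICY = {
    "WUServer": "http://SUS-CA",
    "WUStatusServer": "http://SUS-CA",
    "UseWUServer": 1,
    "NoAutoUpdate": 0,
    "AUOptions": ADMIN_INSTALL,
    "NoAutoRebootWithLoggedOnUsers": 1,
}
WEAK_POLICY = {
    "WUServer": "http://sus-erp.example.net",  # points past the MES firewall
    "WUStatusServer": "http://sus-erp.example.net",
    "UseWUServer": 1,
    "AUOptions": SCHEDULED_INSTALL,
    "NoAutoRebootWithLoggedOnUsers": 0,  # would reboot an OS server on its own
}


def check_au_policy(policy, allowed_hosts=ALLOWED_SUS_HOSTS):
    """Return the list of rule violations for one client's policy (empty = compliant)."""
    findings = []
    server = policy.get("WUServer")
    if not server:
        findings.append("WUServer missing: client would contact Windows Update directly")
    else:
        url = urlsplit(server)
        # The manual specifies plain http between the AU clients and the SUS server.
        if url.scheme != "http":
            findings.append(f"WUServer {server!r}: not an http URL")
        if (url.hostname or "").lower() not in allowed_hosts:
            findings.append(f"WUServer {server!r}: not the lower-level SUS server")
        if policy.get("WUStatusServer") != server:
            findings.append("WUStatusServer must name the same SUS server as WUServer")
    if policy.get("UseWUServer") != 1:
        findings.append("UseWUServer must be 1 for the WUServer policy to take effect")
    if policy.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1 switches Automatic Updates off")
    mode = policy.get("AUOptions")
    if mode not in (ADMIN_INSTALL, SCHEDULED_INSTALL):
        findings.append(f"AUOptions={mode}: only 3 (admin installs) or 4 (scheduled) are allowed")
    if policy.get("NoAutoRebootWithLoggedOnUsers") != 1:
        findings.append("NoAutoRebootWithLoggedOnUsers must be 1: no automatic reboot after install")
    return findings


def check_fleet(policies):
    """policies: {computer name: policy dict}; returns only the non-compliant computers."""
    report = {}
    for name, policy in policies.items():
        findings = check_au_policy(policy)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    fleet = {"OSClient01": COMPLIANT_POLICY, "OSServer01": WEAK_POLICY}
    for name, findings in check_fleet(fleet).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Because the values are read from a dictionary rather than the live registry, the same check runs on a policy export collected from each plant PC, which fits the rule that AU configuration is set centrally by Group Policy rather than adjusted per machine.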

107 Implementing Patch Management Installing SUS To use SUS, you need a server on which to run SUS. AD domain controllers and machines running Microsoft Small Business Server (SBS) cannot be SUS servers. The SUS server as well as the domain controllers and workstations that SUS will manage all need to run: Windows 2000 SP2 or higher IE 5.5 or higher. The SUS server also needs to run IIS 5.0 or higher. You can install SUS on an IIS server that already hosts other Web sites. SUS can coexist with other Web sites because SUS uses only three IIS components: The Common Files folder Microsoft Management Console (MMC) Internet Information Services snap-in and the World Wide Web Server (not on a PCS 7 PC, however) Typically, SUS installs in the default Web site. If you do not have a default Web site or you have a different Web site bound to port 80, see Appendix A in the Microsoft white paper "Deploying Microsoft Software Update Services." To access this paper, click the Software Update Services Deployment White Paper link on the Software Update Services Web page: The Software Update Services Web page also contains a link to the SUS download. After you download SUS, open the sussetup.msi file to start the Setup Wizard. After reading and responding to the Welcome page and End User License Agreement (EULA), select the Typical installation option and click Next. When the wizard provides the SUS server's URL, make a note of it. You need this URL to configure the AU clients. Click Install. During installation, SUS runs the IIS Lockdown Tool to secure IIS on the SUS server. This lockdown prevents an intruder who has cracked into your SUS server from accessing AU clients. The IIS Lockdown Tool disables options that present security risks. Therefore, it might break existing Web applications. 
If your SUS server hosts other Web applications and those applications depend on components such as Web Distributed Authoring and Versioning (WebDAV), Microsoft FrontPage Server Extensions, or FTP, you might run into problems. Although you can get SUS to coexist with these applications, you might need to enable certain options again after installing SUS. For a full description of the changes SUS makes to IIS, see Appendix A in the "Deploying Microsoft Software Update Services" white paper.
Finally, the wizard displays the Finish page and provides the URL of SUS's administration Web page. Make a note of this URL. You will need it to administer the SUS server in the future.

Configuring the SUS Server
The next step is to configure the SUS server. Through the SUS server configuration, you can control how and when the SUS server synchronizes with the Windows Update servers and which updates to approve for deployment. You can configure your SUS server from any network computer that is running IE 5.5 or later. Open the IE browser and enter either a NetBIOS name (e.g., http://SUS-CA/SUSAdmin) or a DNS name (e.g., http://susca.laboratory.siemens.net/susadmin) as the URL. The Welcome page appears as shown in Figure 6-7. The left pane on this page contains several important links, including the Set options link, the Synchronize server link and the Approve updates link.
Figure 6-7 SUS Welcome page

The Set options link. When you click this link, the options page appears. This page contains five sections:
In the "Select a proxy server configuration" section, you need to specify whether to use a proxy server configuration. If your network must access the Internet through a proxy server, you can configure SUS to authenticate to and use the proxy server to access the Windows Update servers. For this example, however, select the "Do not use a proxy server to access the Internet" option.
Figure 6-8 SUS Configuration of the proxy server
In the "Specify the name your clients use to locate this update server" section, you can edit the name of your SUS server, if necessary. By default, the Server name field contains your SUS server's NetBIOS name. If you have disabled NetBIOS name resolution on your network, however, you can change it to the DNS name or IP address. You will also need to enter the SUS server name again in the AU client configuration. Why you need to configure this setting in both the server and client configurations is unclear.
Figure 6-9 SUS Configuration of your update server's name

In the "Select which server to synchronize content from" section, you must specify the data source with which you want the SUS server to synchronize. There are two options: the "Synchronize directly from the Microsoft Windows Update servers" option, which is the default, and the "Synchronize from a local Software Update Services server" option, which lets you synchronize your SUS server with another SUS server to accommodate scalability needs. If you synchronize with another SUS server, you must enter that server's NetBIOS or DNS name. You can also choose the "Synchronize list of approved items updated from this location (replace mode)" option. If you select this option, your SUS server will not only synchronize its catalog of updates with the other SUS server but also use the other server's list of approved updates.
Figure 6-10 SUS Configuration of the update source
In the "Select how you want to handle new versions of previously approved updates" section, you need to specify how you want SUS to handle new versions of updates. Sometimes a bug in an update comes to light and Microsoft must re-release the update. What happens if you have already approved that update? Do you want SUS to direct AU clients to automatically install the new version? If so, select the "Automatically approve new versions of previously approved updates" option. If you would rather have SUS treat the new version of the update as a new update and wait for you to approve it before deployment, select the "Do not automatically approve new versions of previously approved updates. I will manually approve these later." option.
Figure 6-11 SUS Configuration of the updates

In the "Select where you want to store updates" section, specify the location in which you want to store the updates. Remember that SUS always downloads the catalog. However, you control whether you want to download the updates to the SUS server or leave the updates on the Windows Update server. For this example, select the "Save the updates to a local folder" option. Then select the languages for which you want to maintain updates.
Figure 6-12 SUS Configuration of the languages
After you select the options you want in these five sections, click Apply to save those settings. You are now ready to configure SUS's synchronization schedule and approve the updates you want to deploy.

The Synchronize server link. When you click the "Synchronize server" link, the Synchronize server page appears. This page displays two options: "Synchronize Now", which you can click to manually perform an immediate synchronization, and "Synchronization Schedule", which you can click to set up a schedule for automatic synchronizations. Click "Synchronization Schedule". As the Schedule Synchronization dialog in Figure 6-13 shows, you can configure SUS to synchronize only when you initiate it (i.e., not set up a schedule), or you can schedule SUS to synchronize once a day at a certain time or once a week on a certain day at a certain time. If you choose to set up a schedule, it is recommended that you change the default time (i.e., 3:00 a.m.): the Windows Update servers will probably be extremely busy at that time because all the default-configured SUS servers will be requesting updates. You can configure how many times SUS should retry synchronization if a synchronization attempt fails. The default is three attempts. SUS waits 30 minutes between attempts.
Figure 6-13 SUS Configuration of the schedule
In our example, SUS is configured to synchronize daily at 1:00 a.m. Notice how the Synchronize server page now specifies the date and time of the next scheduled synchronization. Next, click the "Synchronize Now" button. SUS displays the system with which it is synchronizing and the progress of that synchronization.

The Approve updates link. When you click this link, you can view a list of all the updates in the catalog and configure the updates' status. This is shown in Figure 6-14. You can sort the catalog by the updates' date, title, platform (Windows XP or Windows 2000), or status. An update can have the status "Approved" (approved for distribution to the appropriate AU clients), "Not Approved" (not approved for distribution to any AU clients), "New" (recently downloaded update that has not been approved), "Updated" (new version of a previously released update), or "Temporarily Unavailable" (update is not available for download).
Figure 6-14 SUS Publishing updates
If you could scroll through the list of updates in Figure 6-14, you would see that all IE security updates associated with KB have been approved. These include the IE for Windows XP, IE for Windows Server 2003, IE 6 SP1 and IE. Although all these updates have been approved, each AU client installs only the update appropriate for its IE version.
To approve one or more updates, select the check box next to each update, then click "Approve." In the confirmation dialog box that appears, click "Yes." SUS then displays a dialog box that lists the updates you are approving and asks you to accept the EULA for these updates. Depending on your screen resolution and browser settings, the "Accept" and "Don't Accept" buttons might not appear. This happens when the dialog box is too small to display all the updates. Unfortunately, you cannot resize this dialog box. You can, however, put the mouse pointer in the list box and press Tab. This makes both buttons visible. Click "Accept" to approve your updates for distribution to the AU clients.

6.3 Configuring AU Clients
Installation of the AU clients
You need to install the AU client on your plant PCs so that they can obtain update information from the SUS server. This occurs automatically with the following operating systems:
- Windows 2000 SP3 and higher
- Windows XP SP1 and higher
- Windows Server 2003
Because PCS 7 Version 6 plants meet these conditions, the AU client is already installed. Basically, the configuration only involves changing a few registry values. Since it is impractical to change these registry values manually, you should use a Group Policy, which can be edited using the Microsoft Management Console (MMC) shown in Figure 6-15.
Figure 6-15 AU clients Configuring automatic updates

1. Double-click the "Configure Automatic Updates" policy. Select "Enabled" in the properties dialog (see Figure 6-16). In the "Configure automatic updating" dropdown list, select the option that matches your requirements:
- 2 - Notify for download and notify for install
- 3 - Auto download and notify for install
- 4 - Auto download and schedule the install
Figure 6-16 AU clients Configuring automatic updates
2. After you finish configuring the policy, click OK.

3. Double-click the "No auto-restart for scheduled Automatic Updates installations" policy. Click "Enabled" in the properties dialog shown in Figure 6-17.
Figure 6-17 AU client No auto-restart
4. After you finish configuring the policy, click OK.

5. Double-click the "Specify intranet Microsoft update service location" policy. Click "Enabled" in the properties dialog shown in Figure 6-18. In the "Set the intranet update service for detecting updates" text box, specify the first URL you wrote down earlier (i.e., the URL of the SUS server that the AU client should periodically check for newly approved updates). In the "Set the intranet statistics server" text box, specify the URL of the IIS server to which the AU client should report its activities (usually, this URL is the same as the previous one). Click OK and close the Group Policy Editor. Apply the settings.
Figure 6-18 AU client Configuring the intranet update service location
6. After you finish configuring the policy, click OK.
7. Force the application of the Group Policy. Computers reapply Group Policies every 90 minutes, with a random offset of up to 30 minutes. So, you might have to wait as long as 2 hours for computers in your domain to start checking the SUS server for approved updates. To force the immediate application of the Group Policy, log on to the computer, open a command shell window, and run the command:
- on computers with Windows 2000: secedit /refreshpolicy machine_policy
- on computers with Windows XP or Windows Server 2003: gpupdate
The computer should now start downloading any updates you have approved.
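The three policies configured in steps 1 to 6 write a small set of values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example and not part of this manual: it sets those documented policy values directly on a PC that is not managed by a domain Group Policy (on a domain member the GPO overwrites them at the next refresh), refuses anything but a plain http:// SUS URL, since only http download from the SUS server is permitted at the access points, and then reads the values back so that a setting that did not take effect is reported instead of silently leaving the client pointed at Windows Update. The server name SUS-CA and the AUOptions value 3 are placeholders.

```powershell
# Added example, not from the PCS 7 manual. Sets the registry values behind the
# "Configure Automatic Updates", "No auto-restart for scheduled Automatic Updates
# installations" and "Specify intranet Microsoft update service location" policies
# on a PC that is not under a domain GPO, then verifies them. Run elevated.
param(
    # Placeholder: URL of the lower-level SUS server noted during SUS setup.
    [string]$SusUrl = 'http://SUS-CA',
    # 2 = notify download/notify install, 3 = auto download/notify install,
    # 4 = auto download/schedule install (the values offered by the policy).
    [ValidateSet(2, 3, 4)][int]$AuOption = 3
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Set-SusClientPolicy {
    param([string]$Url, [int]$Option)

    # Only plain http to the SUS server is permitted in the plant; anything else is a
    # configuration error, so fail before touching the registry.
    if ($Url -notmatch '^http://[^/\s]+/?$') {
        throw "SUS URL must be a plain http://host URL, got '$Url'"
    }
    $null = New-Item -Path $auKey -Force    # creates WindowsUpdate and AU if missing

    # "Specify intranet Microsoft update service location"
    Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Value $Url -Type String
    Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Value $Url -Type String
    Set-ItemProperty -Path $auKey -Name 'UseWUServer'    -Value 1    -Type DWord

    # "Configure Automatic Updates" (Enabled + selected option)
    Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate'   -Value 0       -Type DWord
    Set-ItemProperty -Path $auKey -Name 'AUOptions'      -Value $Option -Type DWord

    # "No auto-restart for scheduled Automatic Updates installations"
    Set-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord
}

function Test-SusClientPolicy {
    # Reads the values back and returns a list of deviations (empty = all good).
    param([string]$Url, [int]$Option)
    $wu = Get-ItemProperty -Path $wuKey
    $au = Get-ItemProperty -Path $auKey
    $problems = @()
    if ($wu.WUServer -ne $Url)       { $problems += "WUServer is '$($wu.WUServer)'" }
    if ($wu.WUStatusServer -ne $Url) { $problems += "WUStatusServer is '$($wu.WUStatusServer)'" }
    if ($au.UseWUServer -ne 1)       { $problems += 'UseWUServer is not 1: client would contact Windows Update directly' }
    if ($au.AUOptions -ne $Option)   { $problems += "AUOptions is $($au.AUOptions), expected $Option" }
    if ($au.NoAutoRebootWithLoggedOnUsers -ne 1) { $problems += 'automatic restart after installation is not suppressed' }
    return $problems
}

Set-SusClientPolicy -Url $SusUrl -Option $AuOption
$problems = Test-SusClientPolicy -Url $SusUrl -Option $AuOption
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Ask the AU client (Windows 2000/XP/Server 2003 era) to run a detection cycle now
# instead of waiting for its next scheduled check against the SUS server.
& wuauclt.exe /detectnow
```

The verification step matters more than the write: on a PC that later joins the domain, the GPO described above replaces these values, and running Test-SusClientPolicy against the URL the plant actually uses is a quick way to confirm that no client has drifted back to contacting Windows Update directly.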

Application to plant types
Single-station system
The procedure described above is too tedious for a single-station system. In this case, it is sufficient to enable the Automatic Update service of Windows XP or Server 2003 and to use MBSA from time to time to check whether all updates have actually been installed.
Multiple-station system
We recommend that you follow the instructions provided above for multiple-station systems.
Large system
In large plants, the instructions given above are absolutely necessary to avoid security risks.

7 Secure Network Access to the Security Cells
Principle: Closed system in accordance with FDA
Secure network access points are an absolute necessity for a closed system. The following methods of achieving this are described in this chapter:
1. Using Firewalls for the Access Points
2. Using Virus Scanners for the Access Points
3. Integration of Remote PCS 7 PCs in the Closed System
In order to configure firewalls, virus scanners and IPSec, the approved and necessary data traffic must be known and identifiable.
Application to plant types
The following section, "Mapping the Data Traffic", mainly refers to large plants. Only the portions directly relating to the DCS network are relevant for a multiple-station system.
7.1 Mapping the Data Traffic
Overview of the data traffic in "Plant.com"
In Figure 7-1 the "Plant.com" example has been simplified to provide a clearer view of the data traffic.
The terminal bus (A) on the DCS layer contains one OS server and one OS client. The communication between the two does not require encryption or protection with complex measures, because it takes place within the security cell of the DCS layer. User permissions are the only security measures used. They prevent unauthorized operations and maloperation.
The MES layer (B) is used for data transfer. Specific network subscribers in this network can be trusted when the appropriate security precautions have been carried out (installation of all required security updates, up-to-date virus scanner, restricted network access and access exclusively by authorized and trustworthy personnel).
Subscribers on the ERP layer (C) only have access to the MES layer (B) and to the approved Web server. Access to the latter is only possible using auditable mechanisms (http) through the MES firewall with a configured virus scanner module.

No communication takes place between the ERP layer (C) and the DCS layer (A).
Figure 7-1 Data traffic Overview

Detailed mapping of the data traffic
Data traffic on the DCS layer: Direct communication between the OS server and OS client is permitted on the terminal bus (A) and must not be inhibited by encryption.
Figure 7-2 Data traffic DCS

Data traffic between the DCS and MES layers: Protected and securely authenticated communication between the OS server (A) and the remote OS client (B) is permitted, but it must always be verified. This may result in slight delays and reduced performance.
Figure 7-3 Data traffic DCS-MES

Data traffic to the ERP layer via SUS-CA: Access to the SUS-CA server via http is permitted for every plant computer.
Figure 7-4 Data traffic SUS

Data traffic to the ERP layer with access by Web clients: A Web client (C) on the ERP layer is permitted to access a Web server (B) on the MES layer via the firewall.
Figure 7-5 Data traffic Web Clients

7.2 Using Firewalls for the Access Points
General Information on Firewalls
A firewall, according to the general definition, is not only a piece of technical equipment; its greatest effectiveness is based more on the fact that it provides an integrated security solution for protecting a network and its subscribers. That is why this chapter should not be viewed in isolation but should instead be considered in combination with all the other chapters of this manual. A plant will be far from secure if you only follow the suggestions presented in this chapter.
In the following, the term firewall refers to firewall products, including ISA Server 2004, Windows Firewall and similar products.
The best possible protection against spying on important information, unauthorized modification of data, network attacks, spreading of viruses and lapses of trustworthy employees can only be ensured by a carefully planned strategy.
Using the Microsoft ISA Server as a Firewall
Microsoft ISA Server
In contrast to many other firewall products, the Microsoft ISA Server (Internet Security & Acceleration Server) offers the following additional features:
- Filtering of http traffic on the application layer
- Inspection with a virus scanner module
- Permitting passing network traffic on the basis of computer and/or user authentication
- Receiving and decrypting IPSec data traffic (see chapter 7.4.1) as a proxy, thereby offering the capability to analyze it for anomalies
Advantage: This not only allows you to block the required and especially vulnerable ports of the file services and Windows network services at the access points, but also to make these specific ports available again to special computers and users using certificate-based IPSec connections.
Requirements: There are no other unprotected access points to the respective security cell.
The special computers and users who are permitted access must be configured with at least the same care and protection as the security cell itself. They can therefore be defined as trusted.
What does this ensure? Data traffic defined in this way is:
- Unique
- Authenticated or auditable for harmful content
- Controllable
- Uninhibited in its important connections

Example configuration overview of the data traffic in "Plant.com"
As described in chapter 7.1 "Mapping the Data Traffic", configuration of the firewall requires a good understanding of the data traffic. Figure 7-6 once again shows the data traffic permitted between the security cells. The firewall must be configured in such a way that it effectively blocks all other data traffic.
Figure 7-6 Data traffic Overview

Configuration of the ISA Server 2004 Firewall DCS
The ISA Server is a powerful firewall that offers many more options than a normal desktop firewall. For this reason, it is not possible to go into detail about the exact configuration of an ISA Server. For more information, refer to the ISA Server 2004 descriptions provided by Microsoft. The following rules should be enforced on the otherwise configured ISA server to guarantee the data traffic between the MES and DCS networks described above.
Figure 7-7 ISA Server configuration

- From: "Internal SECERP", "Internal SECMES"
- To: "Internal SECERP", "Internal SECMES"
- Protocols: HTTP, HTTPS
- Allow: All Users

- From: "Internal SECDCS", "Internal SECMES"
- To: "Internal SECDCS", "Internal SECMES"
- Protocols: HTTP, HTTPS
- Allow: All Users

- From: "Internal SECDCS", "Internal SECMES"
- To: "Internal SECDCS", "Internal SECMES"
- Protocols: IKE Client, IKE Server, IPSec-ESP, IPSec-ESP Server, IPSec-NAT-T Client, IPSec-NAT-T Server, L2TP Client, L2TP Server, PPTP, PPTP Server
- Allow: All Users

Example configuration network access points for the firewall
Figure 7-8 shows the three access points in the "Plant.com" example plant. These access points are the DCS firewall protecting the DCS layer (A), the integrated firewall of the support dial-up server (B) and the connection of the complete plant to the office network ERP (C).
Figure 7-8 Network access points Firewall

Using Local Firewalls on PCS 7 PCs
Note
The activation of a local firewall on a PCS 7 PC V6.1 SP1 and lower is not allowed without this document.
Application to plant types
Single-station system
Since the network adapter forms the access point in a single-station system, the local firewall must be enabled and configured. The required settings, however, cannot be published at this date. They will be made available in the next version of this document following long-term testing.
Multiple-station system / Large system
Since the PCS 7 PCs are located within a security cell, only a few minimal settings are needed for the local firewall. The required settings, however, cannot be published at this date. They will be made available in the next version of this document following long-term testing. This is why only the firewall properties at the access points are used at this time.

7.3 Using Virus Scanners for the Access Points
Using Local Virus Scanners on PCS 7 PCs (Distributed Access Points)
The scanning of inbound data traffic for viruses must be performed on each individual plant PC if virus scanning cannot be carried out effectively, or cannot be carried out at all, from a central access point. As a result, each plant PC is its own access point, and the attainable protection for the plant is only as high as that of the individual plant PCs combined.
Rules for local virus scanners
- Manual search: A manual search must not be performed on PCS 7 PCs during process operation (Runtime). It should be performed at regular intervals, for example, during scheduled maintenance on all plant PCs.
- Realtime search: It is sufficient to scan the inbound data traffic during a realtime search.
- Scheduled search: Scheduled searching must be disabled.
What does this ensure?
- The inbound data traffic is free of viruses.
- The entire plant PC is free of viruses.
Approved virus scanners according to the PCS 7 V6.1 Readme
The following virus scanners have been tested for compatibility with PCS 7 V6.1:
- Trend Micro "Office Scan" V
  - ServerProtect Corporate Edition
  - OfficeScan Corporate Edition
- Symantec AntiVirus Corporate Edition V9.0 (Norton Antivirus)
- NAI Active Virus Defense Suite Nodes Perpetual (McAfee VirusScan Enterprise V7.0). This virus scanner is not approved for runtime operation!
Note
No virus scanner may be enabled when operating Central Archive Server / StoragePlus at this time. The scanning operation can adversely affect the performance of Central Archive Server / StoragePlus.

Application to plant types
Single-station system
Since the network adapter forms the access point in a single-station system, the local virus scanner must be enabled and configured.
Multiple-station system / Large system
With a multiple-station system or a large plant, it is practical to install a server-client architecture for the virus scanners. Figure 7-9 shows the basic principle using Trend Micro OfficeScan V7 as an example. The SUS-CA server operates as the OfficeScan server in our example plant. This PC therefore now performs three functions:
- Server for the Software Update Service
- Stand-alone certification authority (see chapter 7.5 "Requesting and Installing Certificates")
- OfficeScan server
All plant PCs are the OfficeScan clients.
Figure 7-9 Virus scanner architecture

Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant
Virus scanning modules such as the "Trend Micro InterScan Web Security Suite", which can be integrated as a module in the Microsoft ISA Server, check the entire passing Web data traffic using antivirus, anti-phishing, anti-spyware and, optionally, URL filter technologies. With the Microsoft ISA Server and an integrated virus scanning module, IPSec connections can be received as a proxy for protected plant PCs, unpacked and their Web content checked for viruses. They are only forwarded to the destination computer if their content has been deemed to be safe.
Rules for monitoring data traffic
The entire data traffic through this access point must be inspected. No exceptions that would allow unsecured communication are permitted; in other words, there can be no way for data traffic to bypass the central access point.
What does this ensure?
All Web data traffic is trustworthy and free of viruses.

7.4 Integration of Remote PCS 7 PCs in the Closed System according to the FDA
Integration in the closed system means that PCS 7 PCs that are physically located outside the closed system or a security cell but nevertheless have access to the plant are included in the closed system or security cell using network technology.
What does this ensure?
This ensures the integrity of the closed system or security cell.
Rules for integration in the closed system
Since the PCS 7 PCs outside the closed system have access privileges similar to those within it following integration, these computers must first be made trustworthy. This means:
- The latest security updates must be installed.
- An up-to-date virus scanner must be installed and appropriately configured.
- User management must be configured as described in chapter 4 "User and Access Management in PCS 7 and Integration in the Windows Management." This ensures, for example, that "ClientDesktopUser" cannot make changes to the operating system. This also applies to the software that runs within this context.
- Network access to these PCS 7 PCs must be restricted to the required level. For example, usually no one requires network access to a standard OS client; only Web clients need access to an OS Web server via http or https, etc.
- A secure authentication method must be provided to ensure that the PCS 7 PC to be integrated is in actual fact the computer it purports to be.

Application to plant types
Single-station system
Currently none available.
Multiple-station system, Large system
Figure 7-10 shows an example of the integration of the trusted computers OSClient02 and OSWebServer01 (B) through an IPSec tunnel into OSServer01 (A) in the DCS security cell.
Figure 7-10 Integration of remote OS clients

Using and Configuring Authentication and Encryption with IP Security
IP Security
IP Security (abbreviated as IPSec) is a secure communication method that can authenticate, sign and encrypt the data traffic between two or more network subscribers based on filtering rules and, for the most part, transparently. The additional computation this requires reduces performance, however. If the data are encrypted, the data traffic can no longer be inspected.
There are three options for secure authentication of the communicating plant PCs:
- Active Directory standard (Kerberos V5 protocol)
- Using a certificate from a certification authority
- Using a character string (preshared key) for protecting the key exchange
Rules for integration with IP Security
- If a certificate server is no longer needed, the service should be temporarily disabled.
- Only the data traffic to be protected is defined by the filter rules described under "IP Security Policy" (see page 7-18 et seqq.).
- The local IP Security settings must not compete with the settings required by the domain.
- The rules defined under "IP Security Policies" must not be changed.
- Each computer can have only one active IP Security Policy.
- Each IP Security Policy may contain several IP Security rules, lists and actions.
- Each IP Security rule must be described by one (and only one) IP Security list and one (and only one) IP Security action.
What does this ensure?
The DCS firewall with a centralized setting is responsible for protecting the plant against unknown network subscribers. This enables plant PCs within a security cell to communicate securely with other integrated plant PCs. The plant PCs can still be expanded and do not need to be individually adapted if an additional plant computer or diagnostic station is introduced.

Description of the plant configuration - integration with IP Security
An example is presented in the following sections describing how unique machine-based certificates are used to set an IP Security Policy on an OS server on the DCS layer for communication with an OS client on the MES layer. A certification authority is installed on the SUS server for this.
A new rule is set on all plant PCs that need to communicate with one another via an IP Security tunnel. This rule is defined in the "Local Security Policy Management" console under the item "IP Security Policies." This rule defines the data traffic that will be permitted at the firewall for trusted plant PCs located outside the security cell.
Overview of IP Security rules and IP filter lists
IP security rules for plant PCs on the DCS layer for the "SIMATIC Networks" security policy:

Name of rule | Filter list    | Filter action | Tunnel settings | Connection type | Authentication method
DCS          | Traffic to DCS | Allow         | No tunnel       | All             | Not applicable
MES          | Traffic to MES | 3DES required | No tunnel       | All             | Certificate
ERP          | Traffic to ERP | Block         | No tunnel       | All             | Not applicable
HTTP         | HTTP           | Allow         | No tunnel       | All             | Not applicable

Default response rule: Deactivated
The names of the filter lists are chosen to reflect their function. The same applies to the filter action "3DES required": the name should give an indication of the encryption method used.

Table of IP filter lists for plant PCs on the DCS layer:

Filter list    | Source address | Source mask | Source port | Destination address | Destination mask | Destination port | Mirrored | Protocol type
Traffic to DCS | Own IP address |             | Any         |                     |                  | Any              | Yes      | Any
Traffic to MES | Own IP address |             | Any         |                     |                  | Any              | Yes      | Any
Traffic to ERP | Own IP address |             | Any         |                     |                  | Any              | Yes      | Any
HTTP           | Own IP address |             | Any         |                     |                  | 443              | Yes      | TCP
HTTP           | Own IP address |             | Any         |                     |                  | 80               | Yes      | TCP

IP security rules for plant PCs on the MES layer for the "SIMATIC Networks" security policy:

Name of rule | Filter list    | Filter action | Tunnel settings | Connection type | Authentication method
DCS          | Traffic to DCS | 3DES required | No tunnel       | All             | Certificate
MES          | Traffic to MES | Allow         | No tunnel       | All             | Not applicable
ERP          | Traffic to ERP | Allow         | No tunnel       | All             | Not applicable
HTTP         | HTTP           | Allow         | No tunnel       | All             | Not applicable

Default response rule: Deactivated
IP filter lists for plant PCs on the MES layer:

Filter list    | Source address | Source mask | Source port | Destination address | Destination mask | Destination port | Mirrored | Protocol type
Traffic to DCS | Own IP address |             | Any         |                     |                  | Any              | Yes      | Any
Traffic to MES | Own IP address |             | Any         |                     |                  | Any              | Yes      | Any
Traffic to ERP | Own IP address |             | Any         |                     |                  | 443              | Yes      | TCP
HTTP           | Own IP address |             | Any         |                     |                  | 443              | Yes      | TCP
HTTP           | Own IP address |             | Any         |                     |                  | 80               | Yes      | TCP

IP filter actions for plant PCs on the DCS and MES layers:

Filter action   | Action             | IP traffic security      | Communication with computers that do not support IPSec
3DES required   | Negotiate security | Encryption and integrity | No
Allow (default) | Allow              | Not applicable           | Not applicable
Block           | Block              | Not applicable           | Not applicable

A resulting rule for the example configuration
The following rule results for a Security Policy on an OS server on the DCS layer:
IP Security Policy: "SIMATIC Networks"
Default response rule: Deactivated
IP Security Rule: MES + 3DES Required
- Tunnel settings: The rule specifies no tunnel
- Connection type: All network connections
- Authentication method: Certificate of a certification authority:
IP Filter List: MES
- Description: Traffic to MES
- Mirrored: Yes
- Source address: Own IP address
- Source mask:
- Destination address: Special IP subnet
- Destination mask:
- IP protocol type: Any
Filter Action: 3DES required
- Description: Encryption and integrity
- Filter action: Negotiate security
- Communication with computers that do not support IPSec: None
- IP traffic security: Encryption and integrity (data will be encrypted, authenticated, and unmodified)
Requirements for the example configuration
- The certification authority certificate must have been downloaded on both OSServer01 and OSClient02 as described in chapter "Downloading a Certification Authority Certificate."
- The local machine-based certificate must have been requested and installed on both OSServer01 and OSClient02 as described in chapter "Requesting a Local Computer Certificate for IPSec."
- IPSec data traffic on the DCS firewall has been enabled.
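The rule above, and the wizard procedure that follows in the next section, can also be expressed as a script so that every plant PC receives exactly the same policy and the policy can be reviewed as text. The following PowerShell script is an added example and not part of this manual or of PCS 7: it uses the "netsh ipsec static" context available on Windows XP and Windows Server 2003 to create the "SIMATIC Networks" policy with the MES rule (filter list "Traffic to MES", filter action "3DES required", certificate authentication) and the HTTP rule from the filter-list tables, deactivates the default response rule and assigns the policy. The MES subnet, its mask and the subject name of the Plant CA certificate are not reproduced in this manual; the values in the script are placeholders to be replaced with the plant's own.

```powershell
# Added example, not part of the PCS 7 manual. Creates the "SIMATIC Networks"
# IP Security Policy with "netsh ipsec static" (Windows XP / Server 2003) instead of
# the MMC wizards. Run elevated on the OS server; the manual's own values for the
# MES subnet and CA name are not reproduced here, so these three are placeholders.
$PolicyName = 'SIMATIC Networks'
$MesSubnet  = '192.0.2.0'        # placeholder: subnet of the remote OS client(s) on the MES layer
$MesMask    = '255.255.255.0'    # placeholder: subnet mask of that subnet
$CaSubject  = 'CN=Plant CA'      # placeholder: subject DN of the Plant CA certificate

function Invoke-IpsecStatic {
    # Runs one "netsh ipsec static ..." command line. Start-Process hands the string to
    # netsh unchanged, so the quoted names survive, and a non-zero exit code aborts the
    # script rather than leaving a half-built policy assigned.
    param([Parameter(Mandatory)][string]$CommandLine)
    $p = Start-Process -FilePath 'netsh.exe' -ArgumentList "ipsec static $CommandLine" `
                       -NoNewWindow -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "netsh ipsec static $CommandLine failed (exit code $($p.ExitCode))"
    }
}

# 1. Policy with the default response rule deactivated; assigned only at the end.
Invoke-IpsecStatic "add policy name=""$PolicyName"" description=""PCS 7 security cell policy"" activatedefaultrule=no assign=no"

# 2. Filter list "Traffic to MES": own address <-> MES subnet, any protocol, mirrored.
Invoke-IpsecStatic 'add filterlist name="Traffic to MES" description="Traffic to MES"'
Invoke-IpsecStatic "add filter filterlist=""Traffic to MES"" srcaddr=Me dstaddr=$MesSubnet dstmask=$MesMask protocol=ANY mirrored=yes"

# 3. Filter action "3DES required": negotiate ESP with 3DES and SHA1. inpass=no and
#    soft=no disable any clear-text fallback, which is the "Communication with
#    computers that do not support IPSec: None" setting of the rule above.
Invoke-IpsecStatic 'add filteraction name="3DES required" description="Encryption and integrity" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"'

# 4. Rule MES: no tunnel, all connection types, certificate from the Plant CA.
Invoke-IpsecStatic "add rule name=""MES"" policy=""$PolicyName"" filterlist=""Traffic to MES"" filteraction=""3DES required"" conntype=all kerberos=no rootca=""$CaSubject certmap:no excludecaname:no"""

# 5. Rule HTTP from the filter-list table: TCP 80 and 443 pass without IPSec.
Invoke-IpsecStatic 'add filterlist name="HTTP"'
Invoke-IpsecStatic 'add filter filterlist="HTTP" srcaddr=Me dstaddr=Any protocol=TCP dstport=80 mirrored=yes'
Invoke-IpsecStatic 'add filter filterlist="HTTP" srcaddr=Me dstaddr=Any protocol=TCP dstport=443 mirrored=yes'
Invoke-IpsecStatic 'add filteraction name="Allow" description="Permit without IPSec" action=permit'
Invoke-IpsecStatic "add rule name=""HTTP"" policy=""$PolicyName"" filterlist=""HTTP"" filteraction=""Allow"" conntype=all"

# 6. Assign the policy (a computer can have only one active policy) and print it
#    for review.
Invoke-IpsecStatic "set policy name=""$PolicyName"" assign=y"
Invoke-IpsecStatic "show policy name=""$PolicyName"" level=verbose"
```

After the OS client on the MES layer has received its counterpart policy and both computers hold a certificate issued by the Plant CA, the first connection between them negotiates the security associations; "netsh ipsec dynamic show qmsas" on either side lists them and is the quickest way to confirm that the traffic is actually protected rather than silently blocked. 3DES with SHA1 is what this manual specifies and what the IPSec implementation of these Windows versions can negotiate for ESP; the same policy on later Windows versions would be written with "netsh advfirewall consec" and a stronger cipher.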

Procedure

To create a new IP Security Policy, follow the instructions in the following section. We recommend you use the available wizards. If you leave the default settings, the following wizard routines will be performed:
- IP Security Policy Wizard
- Security Rule Wizard
- IP Filter Wizard
- Filter Actions Wizard

1. Create a Microsoft Management Console (MMC) that contains the "IP Security Monitor" and "IP Security Policies on the Local Computer" snap-ins.

Figure 7-11 MMC IPSec Default

2. Click on IP Security Policies in the console tree and then click on "Name" in the right pane. Then select Create IP Security Policy in the Action menu. Follow the instructions of the IP Security Policy Wizard until the Properties dialog for the new policy is displayed.
- Assign the name "SIMATIC Networks" to your security policy.
- Deactivate the default response rule.

3. In the properties dialog for the new security policy, open the Rules tab and click Add. Then follow the instructions of the Security Rule Wizard and make the following settings:
- Tunnel settings: The rule specifies no tunnel.
- Network type: All network connections
- In the IP Filter Lists dialog of the Security Rule Wizard, click Add to start a new IP filter list. Select the name "Traffic to MES."
4. In the IP Filter List dialog, click on Add to start the IP Filter Wizard. Make the following settings:
- Mirrored: Enabled
- Source address: Own IP address
- Destination address: Special IP subnet
  IP address:
  Subnet mask:
- IP protocol type: Any
5. Close the "IP Filter List" dialog with "OK" and select the newly created filter list in the Security Rule Wizard.
6. Click "Next" in the Security Rule Wizard.
7. In the Filter Action dialog of the Security Rule Wizard, click on Add to start the Filter Action Wizard.
8. Follow the wizard instructions and make the following settings:
- Name of filter action: 3DES required
- Filter action: Negotiate security
- Communication with computers that do not support IPSec: None
- IP traffic security: Encryption and integrity
9. Select the newly created filter action in the Security Rule Wizard.
10. Follow the instructions of the wizard and select "A certificate from the following certification authority" as the authentication method. Select the certification authority Plant CA.

11. Close all dialogs and activate the security policy.

Figure MMC IPSec "SIMATIC Networks"

Using and Configuring Authentication and Encryption with Secure Sockets Layer

SSL and https

SSL (Secure Sockets Layer) is a transmission protocol developed by Netscape that enables encrypted communication using tunneling. SSL encryption today is mainly used with HTTPS. https is an acronym for hypertext transfer protocol secure and is a network protocol that enables a secure HTTP connection between Web servers and Web clients.

What do SSL and https ensure?

The use of SSL and https assures the Web client that it is actually connected to the configured Web server. Downloaded signed applications and application components (ActiveX Controls) are made verifiable for the user. If an "outside" Web server offers itself, the user can decide whether he wants to perform this download. The user can check the trustworthiness of the Web server from the information displayed about the certification authority.

Example configuration connecting a PCS 7 Web client with https

The connection of WebClient02 to OSWebServer01 is shown in Figure 7-13.

Figure 7-13 Data traffic Web Clients

Requirements for the example configuration

- The certification authority certificate must have been downloaded to both OSWebServer01 and WebClient02 as described in chapter "Downloading a Certification Authority Certificate."
- OSWebServer01 has been configured as described in chapter "Configuring SSL on a Web Server."
- The https data traffic has been enabled on the MES firewall.
- The multi-client project on OSWebServer01 must be configured for the Web Navigator and be open in runtime.

Procedure for the example configuration

1. Start Internet Explorer on WebClient02 and type in
2. All three security certificate checks must be positive. Depending on the Internet Explorer settings, such a security notification may not be displayed even when all three checks are positive.

Figure 7-14 Valid SSL security certificate

Figure 7-15 Invalid SSL security certificate

3. The logon on OSWebServer01 is performed with the user configured in the UserAdministrator.
4. If the PCS 7 WebNavigator is not yet installed on WebClient02, this can be performed now via https. The same applies to the WinCC/WebNavigator user plug-ins.
5. The plant displays can now be displayed on WebClient02.

Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access

Adding Support Computers

Maintenance and support for a plant sometimes makes it necessary to temporarily add an "outside" computer, i.e., a computer that does not belong to the plant, to the system. Since the entire plant has a uniform security configuration and a uniform update status, the addition of this support computer represents a high risk. It must therefore be ensured that the support computer poses no threat (e.g. viruses) to the plant and that it meets all security regulations. The computer may have to be reconfigured and updated before it is given access to the system.

Network Access Quarantine Control and VPN

Network Access Quarantine Control together with a VPN remote dial-up is the best way to achieve this. There are several solutions from hardware and software manufacturers to realize this method. Most of these solutions, however, are linked to the use of the manufacturers' products and only provide limited configuration options for the administrator. This is why we recommend using ISA Server 2004, because it offers the most customizable configurations and provides a high degree of security compared to the standard Windows Server 2003 VPN quarantine tools. For example, only specific users can access the plant through the VPN quarantine. The following description refers exclusively to the VPN quarantine with ISA Server 2004.

Network Access Quarantine Control (Definition according to Microsoft

147 Implementing Patch Management

Installing SUS

To use SUS, you need a server on which to run SUS. AD domain controllers and machines running Microsoft Small Business Server (SBS) cannot be SUS servers. The SUS server as well as the domain controllers and workstations that SUS will manage all need to run:
- Windows 2000 SP2 or higher
- IE 5.5 or higher

The SUS server also needs to run IIS 5.0 or higher. You can install SUS on an IIS server that already hosts other Web sites. SUS can coexist with other Web sites because SUS uses only three IIS components:
- the Common Files folder
- the Microsoft Management Console (MMC) Internet Information Services snap-in
- the World Wide Web Server (not on a PCS 7 PC, however)

Typically, SUS installs in the default Web site. If you do not have a default Web site or you have a different Web site bound to port 80, see Appendix A in the Microsoft white paper "Deploying Microsoft Software Update Services." To access this paper, click the Software Update Services Deployment White Paper link on the Software Update Services Web page. The Software Update Services Web page also contains a link to the SUS download.

After you download SUS, open the sussetup.msi file to start the Setup Wizard. After reading and responding to the Welcome page and End User License Agreement (EULA), select the Typical installation option and click Next. When the wizard provides the SUS server's URL, make a note of it. You need this URL to configure the AU clients. Click Install.

During installation, SUS runs the IIS Lockdown Tool to secure IIS on the SUS server. This lockdown prevents an intruder who has cracked into your SUS server from accessing AU clients. The IIS Lockdown Tool disables options that present security risks. Therefore, it might break existing Web applications. If your SUS server hosts other Web applications and those applications depend on components such as WWW Distributed Authoring and Versioning (WebDAV), Microsoft FrontPage Server Extensions, or FTP, you might run into problems. Although you can get SUS to coexist with these applications, you might need to enable certain options again after installing SUS. For a full description of the changes SUS makes to IIS, see Appendix A in the "Deploying Microsoft Software Update Services" white paper.

Finally, the wizard displays the Finish page and provides the URL to SUS's administration Web page. Make a note of this URL. You will need it to administer the SUS server in the future.

Operating principle

Note
We have decided to use a stand-alone ISA Server 2004 for VPN dial-up in the following example. Of course, one of the two firewalls (Figure 7-16) might also perform this job if it is an ISA Server 2004. The combination of SUS and Quarantine Control PC is also only an example. The two functions could also be separated and run on different computers.

1. First, a dial-up file must be created, for example by the "Production-Admin" (see chapter 3 "Managing Computers and Users"). This file establishes a VPN connection, checks the support computer (A), installs the security updates and certificates and then allows the support computer access to the plant (more information on this is available in section "Configuration overview" in this chapter).
2. The support employee must then connect to the network through an access point (C) assigned to him by the plant personnel.

Figure 7-16 Support dial-up Hub

3. Although the support computer (A) is now connected to the ISA Server 2004 (B), as an unknown computer it has absolutely no permissions in the network and cannot access the plant. Only after the administrator has provided the support computer with the dial-up file can the actual support dial-up begin. The administrator can supply the dial-up file to the support employee on a floppy or CD, or make it available in a shared folder on the ISA server.

4. Once the support employee has run the dial-up file, he now only has to enter his user name and password, which he has received from Production-Admin, to authenticate himself. This information must be specified by the administrator when configuring the ISA server VPN dial-up (see VPN Configuration). An encrypted VPN connection (D) to the ISA server is now established (see Figure 7-17).

Figure 7-17 Support dial-up VPN tunnel

5. ISA Server 2004 detects the new VPN connection and, based on its firewall rules (see Quarantine Configuration), notices that it involves a support dial-up due to the IP address and user name. The ISA Server 2004 assigns the support computer an IP address in the quarantine network (E) (see Figure 7-18).

Figure 7-18 Support dial-up Quarantine network

6. Once the support computer is in the quarantine network, it begins its check. Depending on the requirements of the plant, it might check if:
- The virus scanner is activated
- The support computer is free of viruses
- A firewall is activated
- All the latest updates and patches have been installed
Any missing components and patches may be installed or activated from the SUS/Quarantine Control server (F). If the plant is working with IPSec, a certificate may be requested and installed from the certification authority. The computer does not have access to the plant during this entire procedure.
7. Only when all checks have been successfully completed does the dial-up file inform the ISA Server 2004 of this, and only then does the ISA Server 2004 allow the support computer full access to the plant (G).

Figure 7-19 Support dial-up Plant access

Note
Only the connection to the support hub is a real, physical connection. All other connections (Figure 7-17 Support dial-up VPN tunnel to Figure 7-19 Support dial-up Plant access) are emulated as "virtual" connections by ISA Server 2004. This means that the support computer is given permissions by the policies and rules as if it were in these networks.

Configuration overview

The configuration of the support dial-up is divided into three main parts:
- VPN configuration
- Quarantine configuration
- Creation of the connection manager profile. This is the dial-up file that establishes the connection from the VPN client (support computer) to the dial-up computer (ISA Server 2004) and checks the VPN client.

The basic steps involved in this configuration are explained in the following section based on the example above. The general settings for ISA Server 2004 are not described here.

VPN configuration

The VPN remote dial-up is configured by following the steps shown in Figure 7-20. The chapter numbering corresponds to the individual steps. Click on the respective links to perform the configuration tasks.

Figure 7-20 VPN Configuration overview

1. Verify that the VPN client access is enabled (Step 1):

Figure 7-21 VPN Maximum connections

For the ISA Server to accept VPN client connections, the "Enable VPN client access" check box must be selected. The "Maximum number of VPN clients allowed" field specifies the maximum number of simultaneous connections. Enter a value of 10 here to allow ten clients simultaneous access.

2. Specify Windows users (Step 2):

ISA Server 2004 expects information about the users or group of users that are allowed to establish a VPN connection to the ISA server. It does not matter whether this is a local group or a group from the domain. Enter a local group called "VPN Support Dial-up" in the Windows User Management. Add all users who are permitted to access the plant through the support dial-up to this group. It is best to create dedicated support users for this purpose.

Figure 7-22 VPN Support employee group 1

Now add this group on the Groups tab of the VPN Clients Properties dialog.

Figure 7-23 VPN Support employee group

3. Verify the VPN properties (Step 3.1):

In the "Protocols" tab, select the tunneling protocol for which ISA Server 2004 is to accept connections. Select the default tunneling protocol "Enable PPTP." Although it offers somewhat less security than a connection via IPSec, it does not require its own certificate for the connection. PPTP is fully sufficient for the support dial-up.

Figure 7-24 VPN Protocols

4. Verify remote access configuration (Step 3.2):

VPN access can take place from several networks. However, as mentioned previously, support employees only have access to the plant through specific dial-up points. Therefore, only one network, i.e., the support network including all dial-up points for support employees, is required. If VPN connections from other networks are added later, for example, support dial-up via the Internet, they also have to be specified here.

Figure 7-25 VPN Access networks

How the VPN clients receive their IP address is specified in the "Address Assignment" tab. The following options are available: through a static address pool or through a DHCP server. The "Use the following network to obtain DHCP, DNS and WINS services" field specifies which DNS and WINS server is assigned to the VPN client.

Select "Static address pool" and click "Add". Enter the address range to The number of addresses in the range must exceed the number of simultaneous connections assigned by at least one. For DHCP, DNS, and WINS services, use the MES network where the access computer for the VPN clients is located.

Figure 7-26 VPN Address assignment

These settings could also be configured manually by clicking the Advanced button (see figure), but it is not necessary here.

To establish the connection, an authentication method by which the support employee authenticates himself must be specified. It makes sense here to accept the MS-CHAPv2 authentication method, since this is the most secure of the available methods for authenticating with user name and password.

Figure 7-27 VPN Authentication

Items 4 and 5 in Figure 7-20, configuring the firewall rules for the VPN clients and configuring the network rules, are dealt with at the end of the quarantine configuration together with the required settings.

Quarantine configuration overview

The quarantine configuration is divided into the following steps:
- Installing the Windows 2003 Resource Kit
- Configuring the script for RQS service
- Starting the script for RQS service
- Setting up the firewall rules

Installing the Windows 2003 Resource Kit and update

To configure "Network Access Quarantine Control", the following tools and updates must first be installed:
- Windows 2003 Resource Kit
- Windows 2003 Resource Kit RQS Update
- Microsoft RQSUtils

The two notification components, RQS.exe and RQC.exe, are required from the Windows 2003 Resource Kit and the update. They are used to inform the dial-up computer that the VPN client has successfully completed its check. RQS.exe is a listener component that runs on the dial-up computer. It waits for notification from the VPN client. RQC.exe is the counterpart that sends the notification to the dial-up computer. The syntax is as follows:

rqc <connection name> <tunnel name> <domain> <user name> <authentication string>

After installing the resource kit and update, install the RQSUtils. Follow the dialogs and specify an installation path.

Figure 7-28 Quarantine Installing RQSUtil

Figure 7-29 Quarantine RQSUtil path

Starting the script for RQS service

Now, start the script with the following parameters:

cscript ConfigureRQSForISA.vbs /install AllowedSet RqsToolsPath

AllowedSet is a string that must be sent by RQC.exe to identify itself to RQS.exe and to notify it that the check was successfully completed. Use "\0" to separate several strings (e.g. EverythingOK1\0EverythingOK2). RqsToolsPath is the path to the RQS Tools without specification of a file name.

Example:

cscript ConfigureRQSForISA.vbs /install EverythingOK1 "c:\program Files\Windows Resource Kit\Tools"

Figure 7-30 ConfigureRQSForISA.vbs Parameters

Figure 7-31 ConfigureRQSForISA.vbs Success

Creating the firewall rules

When the script has finished successfully, open the ISA Management Console to make the required firewall rules. A "Network Quarantine (RQS)" rule has already been created by the ConfigureRQSForISA.vbs script. Creating the VPN Clients rules completes Items 4 and 5 from the VPN Configuration. Now create two new rules with the following content (see Figure 7-31):

From: "VPN clients"
To: "Internal", "Internal SECERP", "Internal SECMES", "Internal SECDCS"
Protocol: All Outbound Traffic
Allow: Support Access Group

From: "Quarantine VPN Clients"
To: "SUS/Quarantine Control Server"
Protocol: All Outbound Traffic
Allow: Support Access Group

Figure 7-32 Quarantine Firewall rules

Now open Configuration/Networks in the ISA Management Console and select the "Networks" tab. Select Quarantined VPN Clients, right-click on the object and select Properties from the context menu. In the "Quarantine" tab, select the Enable Quarantine Control check box and select "Quarantine according to ISA Server policies."

Figure 7-33 Enabling quarantine

This completes the configuration of the VPN quarantine dial-up.

Creating a connection manager profile

The creation of the Connection Manager Administration Kit is divided into two steps:
- Installing the Connection Manager Administration Kit
- Creating a Connection Manager profile

Now use the Connection Manager Administration Kit on ISA Server 2004 to create a Connection Manager profile, the dial-up file that is used by a VPN client to establish a connection to the dial-up computer and that allows the VPN client to be checked.
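To show how the pieces of the quarantine configuration just described fit together (the "VPN Support Dial-up" group, the static address pool, the two firewall rules, the AllowedSet handed to ConfigureRQSForISA.vbs and the RQC notification from the operating principle, steps 4 to 7), here is a small Python simulation of the dial-up computer's decisions; it is an added illustration, not ISA Server, RQS or RQC code, and the user names and pool addresses are constructed values.

```python
"""Simulation of the support dial-up flow: a support user authenticates, is
parked in the quarantine network where only the SUS/Quarantine Control server
is reachable, and is released to the plant only after RQC notifies RQS with a
string from the AllowedSet.  Added illustration, not ISA Server/RQS/RQC code;
user names and pool addresses are constructed values."""
from dataclasses import dataclass, field
from typing import Optional

# Exit codes of rqc.exe as listed in the manual's example script
RQC_SUCCESS, RQC_NO_ACCESS, RQC_ACCESS_DENIED = 0, 1, 2
CHECKS_FAILED = -1            # constructed: script went to :TESTFAIL, rqc not run
RQS_PORT = 7250               # TCP port on which Rqs.exe listens (from the text)
SUS_SERVER = "SUS/Quarantine Control Server"


def parse_allowed_set(arg: str) -> set:
    """AllowedSet argument of ConfigureRQSForISA.vbs: strings separated by "\\0"."""
    return {s for s in arg.split("\\0") if s}


@dataclass
class QuarantineServer:
    """Stand-in for ISA Server 2004 with Network Access Quarantine Control."""
    allowed_set: set
    support_group: set            # members of "VPN Support Dial-up"
    pool: list                    # static address pool for VPN clients
    max_clients: int              # "Maximum number of VPN clients allowed"
    quarantine: dict = field(default_factory=dict)   # user -> address
    released: dict = field(default_factory=dict)

    def __post_init__(self):
        # The manual: the pool must exceed the simultaneous connections by at least one.
        if len(self.pool) < self.max_clients + 1:
            raise ValueError("static address pool must exceed max clients by one")

    def connect(self, user: str) -> Optional[str]:
        """Steps 4-5: an authenticated support user receives a quarantine address."""
        if user not in self.support_group:
            return None
        if len(self.quarantine) + len(self.released) >= self.max_clients:
            return None
        used = set(self.quarantine.values()) | set(self.released.values())
        addr = next(a for a in self.pool if a not in used)
        self.quarantine[user] = addr
        return addr

    def firewall_allows(self, user: str, destination: str) -> bool:
        """The two rules of Figure 7-32: quarantined clients reach only the
        SUS/Quarantine Control server, released clients reach the internal networks."""
        if user in self.released:
            return destination in ("Internal", "Internal SECERP",
                                   "Internal SECMES", "Internal SECDCS", SUS_SERVER)
        if user in self.quarantine:
            return destination == SUS_SERVER
        return False

    def rqs_notify(self, user: str, port: int, auth_string: str) -> int:
        """Step 7: RQS receives the rqc.exe notification and lifts the quarantine."""
        if port != RQS_PORT or user not in self.quarantine:
            return RQC_NO_ACCESS
        if auth_string not in self.allowed_set:
            return RQC_ACCESS_DENIED
        self.released[user] = self.quarantine.pop(user)
        return RQC_SUCCESS


def run_quarantine_script(server: QuarantineServer, user: str,
                          checks: dict, auth_string: str) -> int:
    """Step 6: the post-connect script's checks (virus scanner, firewall, patches);
    rqc.exe is only run when every check passed, as in the manual's example script."""
    if not all(checks.values()):
        return CHECKS_FAILED          # client stays in the quarantine network
    return server.rqs_notify(user, RQS_PORT, auth_string)


def build_example() -> QuarantineServer:
    """Constructed configuration matching the manual's values (10 clients, 11 addresses)."""
    return QuarantineServer(
        allowed_set=parse_allowed_set("EverythingOK1\\0EverythingOK2"),
        support_group={"support01"},
        pool=[f"198.51.100.{n}" for n in range(200, 211)],
        max_clients=10,
    )


if __name__ == "__main__":
    srv = build_example()
    print("address:", srv.connect("support01"))
    print("result:", run_quarantine_script(
        srv, "support01", {"virus scanner": True, "firewall": True}, "EverythingOK1"))
    print("plant reachable:", srv.firewall_allows("support01", "Internal SECDCS"))
```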

Installing the Connection Manager Administration Kit

The Connection Manager Administration Kit must first be installed. Click on Start > Settings > Add/Remove Programs, select "Add/Remove Windows Components" and then select the Connection Manager Administration Kit in the submenu of "Management and Monitoring Tools."

Figure 7-34 Connection Manager Administration Kit

Creating a Connection Manager profile

Once the installation is complete, use the Connection Manager Administration Kit Wizard to create a profile. The following figures illustrate only a few of the dialogs that are displayed during this process. In the remaining dialogs, click Next without making any changes.

Figure 7-35 CMAK Wizard

Select the "Phone book from this profile" check box and enter the IP address of ISA Server 2004.

Figure 7-36 CMAK Phone book

Clear the "Automatically download phone book updates" check box.

Figure 7-37 CMAK Phone book download

Enter a name for the profile to be displayed later in "My Network Places/Connections" on the VPN client. Enter a name for the dial-up file to be generated.

Figure 7-38 CMAK Service and file names

The most important thing comes at the end of this process: the quarantine script. As mentioned above, the quarantine script is the core of the VPN quarantine dial-up. The Production-Admin can use it to perform all actions he deems necessary to check the support computer. You need to specify "Post-connect" as the Action type. This means that this script will be executed once the VPN client is in the quarantine network. When the script has successfully performed all actions, it uses RQC.exe to send a string (see ConfigureRQSForISA.vbs) to the dial-up computer, enabling it to take the VPN client out of quarantine and add it to the plant network.

Figure 7-39 CMAK Quarantine script

Example script:

The following is an example script published by Microsoft that has been changed slightly. This script does not have its own check function; it only serves as a basic framework. It can be modified as needed to execute any desired actions. The script syntax is as follows:

script.bat %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%

%DialRasEntry% = %1
%TunnelRasEntry% = %2
%Domain% = %3
%UserName% = %4

@echo off
echo RAS Connection = %1
echo Tunnel Connection = %2
echo Domain = %3
echo User Name = %4
set MYSTATUS=

REM -----------------------------------------------------------------
REM Network Policy Check
REM -----------------------------------------------------------------
REM Checks if ICF is enabled
REM   Sets ICFCHECK to 1 (pass).
REM   Sets ICFCHECK to 2 (fail).
REM Checks for installed virus scanner
REM   Sets VIRCHECK to 1 (pass).
REM   Sets VIRCHECK to 2 (fail).
REM Rqc.exe is run based on the results.
REM The checks themselves are not part of this framework; until they are
REM added, ICFCHECK and VIRCHECK stay undefined and no test fails.
REM -----------------------------------------------------------------

if "%ICFCHECK%" == "2" goto :TESTFAIL
if "%VIRCHECK%" == "2" goto :TESTFAIL

rqc.exe %1 %2 7250 %3 %4 Version1
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM 7250 is the TCP port on which Rqs.exe sets a listener
REM %3 = %Domain%
REM %4 = %UserName%
REM Version1 is the authentication string

REM -----------------------------------------------------------------
REM Status output
REM -----------------------------------------------------------------
if "%ERRORLEVEL%" == "0" (
    set MYERRMSG=Success!
) else if "%ERRORLEVEL%" == "1" (
    set MYERRMSG=No access possible. Quarantine Control may be disabled.
) else if "%ERRORLEVEL%" == "2" (
    set MYERRMSG=Access denied. Install the CMAK profile from the company network.
) else (
    set MYERRMSG=Unknown error, client remains in quarantine mode.
)
echo %MYERRMSG%
goto :EOF

:TESTFAIL
echo.
echo This computer does not meet the requirements for the Security Policy of the IT TRAINING company
echo GROTE. Contact your administrator to correct this and receive access to the
echo company resources.

:EOF

You can include other files in the profile in the final dialog. Since the script needs RQC.exe to notify the dial-up computer that the check was successful, this file must be added (you can find it in the Windows 2003 Resource Kit directory). All other files required by your script must also be added.

Fig CMAK File attachment

Once you have finished, you will find a folder with the name of your profile in the Program Files\cmak\Profiles directory. All of the utilized files are stored there. The client only needs the EXE and the additionally attached files. When the EXE is now executed on the support computer, a connection to the dial-up computer is established, and the client is entered in the quarantine network, checked and given access to the plant.

Figure 7-41 CMAK Profile

Application to plant types

Single-station system
The description above is not applicable to a single-station system. The support employee would simply work directly on the PC in a single-station system.

Multiple-station system
The description above can be applied without restriction in a multiple-station system. A stand-alone ISA Server 2004 can be used as the dial-up computer, or an access point, e.g. to the Internet, can fulfill this function if ISA Server 2004 is installed on it.

Large system
For large plants, the same applies as for multiple-station systems. The function of the dial-up computer can be fulfilled by a firewall between the networks (ERP-MES-DCS), provided the firewall is an ISA Server 2004, or by a stand-alone ISA Server 2004.

7.5 Requesting and Installing Certificates

Installing a Stand-alone Root Certification Authority

The following chapter describes the installation of a stand-alone root certification authority on the SUS-CA server on the MES layer.

General information
- Certification authority type: Stand-alone root certification authority
- General name of the certification authority: Plant CA

Procedure

The installation is described in the Microsoft "Help and Support Center" for Windows Server 2003, which is available through the following link: Installing a stand-alone certification authority

1. Log on to the system as an Administrator, or if you have the Active Directory service, log on to the system as a Domain Administrator.
2. Select Start > Settings > Control Panel.
3. Double-click on Add or Remove Programs and then on "Add/Remove Windows Components".
4. In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click "Yes", and then click "Next."
5. Click "Stand-alone root CA."
6. Enter the general name of the certification authority. This information cannot be changed after the certification authority is installed.
7. In "Validity period", specify the validity duration for the root certification authority. See the note below for items to consider when setting this value. Click "Next."
8. Specify the storage locations of the certificate database, the certificate database log, and the shared folder. Click "Next."
9. If Internet Information Services (IIS) is running, you will receive a request to stop the service before proceeding with the installation. Click "OK."
10. If prompted, enter the path to the Certificate Services installation files.

11. Check the certification authority in the following MMC:

Figure 7-42 Checking the certification authority certificate

12. In the IIS (Internet Information Services), ensure that the "Enable session state" check box is selected in the properties for the application configuration of the Web site where the service of the certificate server is to be performed.
- Click "Start -> Programs -> Administration Tools -> Internet Information Services Manager."
- Right-click the Web site where the Certificate Server service is running, and then select "Properties."
- Click the "Home Directory" tab, and then under "Application Settings", click "Configuration."
- Click the "App Options" tab in the Application Configuration dialog, and then select the "Enable session state" check box.
- Restart Microsoft Internet Information Services (IIS).

Downloading a Certification Authority Certificate

The certification authority certificate must be installed on each plant PC. The installation is described in the Microsoft "Help and Support Center" of the operating system.

Procedure

1. Open Internet Explorer.
2. Enter the path as the Address, whereby "sus-ca" is the name of the Web server under Windows Server 2003 where the corresponding certification authority is located.
3. Click "Download CA certificate, certificate chain or CRL" and then "Next."
4. If you want to trust all the certificates issued by this certification authority, click "Install this CA certificate chain."
5. If you are finished using the Certificate Services Web pages, close Internet Explorer.

Check the installation of the certification authority certificate using the "Certificates (Local Computer)" and "Certificates (Current User)" snap-ins in the Microsoft Management Console (MMC). The certification authority certificate should be listed for the current user as well as the local computer under the Trusted Root Certification Authorities. If this is not the case, cut the certification authority certificate from the Trusted Root Certification Authorities for the current user and paste it to the same location for the local computer.

Figure 7-43 Certificate Download

Requesting a Local Computer Certificate for IPSec

A local computer certificate from the certification authority must be installed on each plant PC. This procedure is published by Microsoft under the article number: Install a Certificate for Use with IP Security

The local computer certificate is requested via HTTP. Because a local computer certificate must be used with IPSec, you must submit an advanced request to the CA to specify this.

Installing a local Computer Certificate from a Stand-Alone Windows Certification Authority

1. The request is a Web address that contains the IP address or name of the Certificate server, with "/certsrv" appended. In your Web browser, type the following Web address: where "IP address or certification authority" represents the IP address or name of the Certificate server.
2. In the initial Welcome screen of the Certificate server, click "Request a certificate."
3. In the "Choose Request Type" screen, click "Advanced request."
4. In the "Advanced Certificate Request" screen, click "Submit a certificate request to this CA using a form."
5. In the "Advanced Certificate Request" screen, type your name and your name in the appropriate boxes.
6. Under "Intended Purpose", select "Client Authentication Certificate" or "Server Authentication Certificate" but not "IPSec Certificate."
7. Under Key Options select:
- Leave the "Create new key set" option checked
  Cryptographic provider: "Microsoft Base Cryptographic Provider v1.0"
  Key Usage: "Both"
  Key Size: "1024"
- Select the "Mark keys as exportable" check box
- Select the "Use local machine store" check box
8. Leave all the other options set to the default value unless you need to make a specific change.
9. Click "Submit."
10. If the Certification Authority is configured to issue certificates automatically, the "Certificate Issued" screen should appear. Click "Install this Certificate." The "Certificate Installed" screen should appear with the message "Your new certificate has been successfully installed."

11. If the certification authority is not configured to issue certificates automatically, a "Certificate Pending" screen appears, requesting that you wait for an administrator to issue the certificate that was requested. To retrieve a certificate that an administrator has issued, return to the Web address and click "Check on a pending certificate". Click the requested certificate, and then click "Next". If the certificate is still pending, the "Certificate Pending" screen appears. If the certificate has been issued, the "Install this Certificate" screen appears.

Checking the installation of the local computer certificate

After you have installed the certificate, verify its location using the "Certificates (Local Computer)" snap-in in the Microsoft Management Console (MMC). Your certificate should appear under "Personal".

Figure 7-44 Unique computer certificate

If the certificate you have installed does not appear here, it was installed as a user certificate, either because the request was made as a "User certificate request" or because "Use local machine store" was not selected in the advanced request. IPSec cannot use a certificate from the user's store; repeat the request with "Use local machine store" selected.
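The MMC check above only shows that a certificate is present under "Personal". The following PowerShell script, an added example that is not part of the PCS 7 manual, checks the properties IPSec actually depends on: that the certificate is in the local computer's Personal store together with its private key, that it is within its validity period, that any Enhanced Key Usage it carries includes Client or Server Authentication, and that it chains to a root in the computer's Trusted Root store. The issuer fragment is a placeholder for part of your CA's subject name; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not part of the PCS 7 manual): verify that the computer
# certificate requested above is usable by IPSec on this plant PC.
# ASSUMPTION: $CaSubjectFragment is a placeholder; set it to part of the
# subject name of your certification authority.
$CaSubjectFragment = "CN=SUS-CA"

$OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
$OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

function Get-IPSecCandidateCertificates {
    # IPSec runs as the local computer, so look in the COMPUTER's Personal store,
    # not in the store of the logged-on user.
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        return @($store.Certificates | Where-Object { $_.Issuer -like "*$CaSubjectFragment*" })
    } finally {
        $store.Close()
    }
}

function Test-IPSecCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) {
        $problems += "no private key: request was made as a user certificate or without 'Use local machine store'"
    }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # Enhanced Key Usage (OID 2.5.29.37). The Web enrollment templates named in
    # the procedure set Client or Server Authentication; an absent EKU is accepted.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids.Count -gt 0 -and -not ($oids -contains $OID_CLIENT_AUTH -or $oids -contains $OID_SERVER_AUTH)) {
        $problems += "EKU does not include Client or Server Authentication: $($oids -join ', ')"
    }

    # Chain to a root in the computer's Trusted Root store. Online revocation
    # checking needs the CA's CRL distribution point to be reachable from this PC.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        $problems += "chain does not build: " + ($status -join "; ")
    }
    return $problems
}

$certs = @(Get-IPSecCandidateCertificates)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate issued by '$CaSubjectFragment' in the Local Computer Personal store."
}
foreach ($c in $certs) {
    $p = @(Test-IPSecCertificate $c)
    if ($p.Count -eq 0) {
        Write-Host "OK   $($c.Subject)  thumbprint $($c.Thumbprint)"
    } else {
        Write-Host "FAIL $($c.Subject):"
        $p | ForEach-Object { Write-Host "     - $_" }
    }
}
```

A "chain does not build" result with the status "UntrustedRoot" is the symptom of the CA certificate having been installed for the current user only (see the previous procedure); "RevocationStatusUnknown" means the PC cannot reach the CRL distribution point, which must be allowed through the firewall of the security cell.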

Configuring SSL on a Web Server

The Microsoft instructions for the configuration of SSL are available under the topic "Configuring SSL on a Web Server".

Summary

Secure Sockets Layer (SSL) is a protocol that uses certificates and encryption to provide authentication of the server, confidentiality and data integrity. SSL is the method most often used between Web browsers and Web servers to establish a secure communication channel. SSL can also be used for secure communication between client applications and Web services. A Web server must be configured with an SSL certificate in order to support SSL communication. This section describes how to request an SSL certificate and how to configure Microsoft Internet Information Services (IIS) to support secure communication with Web browsers and other types of client applications that use SSL.

Note: SSL 2.0 and SSL 3.0 have since been found insecure and are disabled in current browsers; the protocol in use today is its successor TLS. The IIS "Secure communications" settings and the certificate handling described here apply to both.

Creating a Certificate Request

This procedure creates a new certificate request, which can be sent to a certification authority (CA) for processing. When the request is successfully completed, the certification authority returns a file containing the verified certificate.

Procedure
1. Start the "IIS-MMC" (Microsoft Management Console) snap-in.
2. Expand the node with the name of your Web server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Under "Secure communications", click the "Server Certificate" button to start the Web Server Certificate Wizard.
   Note: If the "Server Certificate" button is not available, you have probably selected a virtual directory, a directory or a file. Repeat step 2 and select a Web site.
6. Click "Next" to close the Welcome dialog box.
7. Click "Create a new certificate" and then click "Next".

8. The dialog box displayed now contains the following two options:
   - "Prepare the request now, but send it later". This option is always available.
   - "Send the request immediately to an online certification authority". This option is only available when the Web server has access to one or more Microsoft certificate servers in a Windows 2000 domain that are configured to issue Web server certificates. At a later point in the request procedure you can select the certification authority to which you want to send your request from a list.
   Click "Prepare the request now, but send it later" and then "Next".
9. Enter a descriptive name for the certificate in the "Name" field, for example "WebNavigator". The wizard uses the name of your current Web site as the default. This name is not included in the certificate; it is only the display name that helps administrators keep track of certificates. Enter the key length in the "Bit length" field and click "Next".
   Note: The value of 1024 bits used at the time of writing is no longer adequate; select 2048 bits.
10. Type your organization name (e.g. Plant) in the "Organization" field and the organizational unit (e.g. Laboratory) in the "Organizational unit" field, and click "Next".
   Note: This information is entered into the certificate request; check it carefully. The certification authority checks this information and enters it into the certificate. Visitors to your Web site may display this information when deciding whether to accept the certificate.
11. Enter a common name for the site in the "Common Name (CN)" field and then click "Next".
   Important: The common name is one of the critical pieces of information in the certificate. It is the DNS name of the Web site, i.e. the name that the user enters to reach your site. If the name in the certificate does not match the name of the site, the browser reports a certificate problem when users visit the site. If the site is located on the Internet, enter its public DNS name as the common name. If the site is an intranet site and users reach it by computer name, enter the NetBIOS or DNS name of the computer, in this example "oswebserver01.laboratory.plant.com". Current browsers no longer match the host name against the CN at all but only against the Subject Alternative Name (SAN) extension; the IIS 6 wizard described here cannot add a SAN, so if the certificate must be accepted by current clients, create the request with a tool that can (for example certreq with an INF file).
12. Enter the relevant information in the "Country/Region", "State/Province" and "City" fields and click "Next".
13. Enter a file name for the certificate request and click "Next". The file contains information such as the following (excerpt):

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy
-----END NEW CERTIFICATE REQUEST-----

   This is a Base64-coded representation of your certificate request (PKCS #10). The request contains the information entered in the wizard as well as your public key, and it is signed with your private key. The request file is sent to the certification authority, which uses the public key from the request to verify the signature and then checks the information sent with the request. Once you have sent the request to the certification authority, the certification authority sends back a file containing the certificate.
14. Click "Next". The wizard now shows a summary of the information contained in the certificate request.
15. Click "Next" and then "Finish" to complete the request process.

The certificate request can now be sent to the certification authority for processing. Once you have received a response, start the Web Server Certificate Wizard again and install the certificate contained in the response on the Web server. The private key that belongs to the request never leaves the Web server; only the request file does.

Submitting a Certificate Request

This procedure uses the Microsoft Certificate Services Web pages to submit the certificate request that was created in the previous procedure.

Procedure
1. Open the certificate request file that you created in the previous procedure in Notepad and copy the entire contents to the clipboard.
2. Open Internet Explorer and navigate to the Certificate Services Web pages on SUS-CA (the server name with "/certsrv" appended), where SUS-CA is the name of the computer on which Microsoft Certificate Services runs.
3. Click "Request a Certificate".
4. In the "Request a Certificate" page, click "Advanced Request".
5. On the "Advanced Request" page, select "Submit a certificate request using a base64-encoded CMC or PKCS #10 file, or a renewal request using a base64-encoded PKCS #7 file".
6. On the "Submit Certificate or Renewal Request" page, click the text field for the Base64-coded certificate request (PKCS #10 or #7) and press CTRL+V to paste the certificate request that you copied to the clipboard.
7. Click "Submit".
8. Close Internet Explorer.

Issuing a Certificate

Procedure
1. Start the "Certification Authority" utility in the "Administrative Tools".
2. Expand your Certification Authority and select the "Pending Requests" folder.
3. Select the certificate request that you have just submitted.
4. Select Action > All Tasks and click "Issue".
5. Ensure that the certificate is shown in the "Issued Certificates" folder and double-click on it to display it.
6. In the "Details" tab, click "Copy to File" and save the certificate as a Base64-coded X.509 certificate.
7. Close the properties window of the certificate.
8. Close the "Certification Authority" utility.

Note: The "Pending Requests" folder is the point at which the CA administrator decides whether a request is legitimate. Before clicking "Issue", open the request and check that the common name is the DNS name of the Web server on which the request was created and that the request was submitted by the administrator who created it. A CA whose administrator issues every pending request without this check will also sign a request submitted by an attacker.
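The three procedures above (creating the request in the IIS wizard, pasting it into the Certificate Services Web pages, issuing it in the CA snap-in) can also be scripted with the certreq.exe tool that ships with Windows Server. The following PowerShell script is an added example and not part of the PCS 7 manual. It records the request parameters in an INF file, which makes the key size, exportability and the Subject Alternative Name auditable and repeatable, and it submits the request directly to the CA. Assumptions: the host name is the manual's example name; "SUS-CA\Plant CA" is a made-up CA configuration string (computer name\CA name, as shown in the Certification Authority snap-in); the SAN syntax in the [Extensions] section needs the certreq version of Windows Server 2008 / Windows Vista or later, so on a Windows Server 2003 server omit that section and the CN remains the only name, as in the wizard procedure.

```powershell
# Added example (not part of the PCS 7 manual): scripted equivalent of
# "Creating a Certificate Request", "Submitting a Certificate Request" and
# "Installing the Certificate on the Web Server" using certreq.exe.
# ASSUMPTIONS (placeholders): host name from the manual's example;
# "SUS-CA\Plant CA" is a made-up "computer name\CA name" configuration string.
$HostName = "oswebserver01.laboratory.plant.com"
$CaConfig = "SUS-CA\Plant CA"

$WorkDir = Join-Path $env:TEMP "webnav-cert"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfFile = Join-Path $WorkDir "webnav.inf"
$ReqFile = Join-Path $WorkDir "webnav.req"
$CerFile = Join-Path $WorkDir "webnav.cer"

# Single-quoted here-string: PowerShell must not expand "$Windows NT$".
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__HOST__, OU=Laboratory, O=Plant"
; 1024 bits (the value in the wizard text) is no longer adequate
KeyLength = 2048
; the private key stays on this server and cannot be exported
Exportable = FALSE
; key belongs to the computer, as IIS requires
MachineKeySet = TRUE
; AT_KEYEXCHANGE, needed for SSL/TLS key exchange
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "WebNavigator"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: current clients match the host name here, not in CN.
; This {text} syntax requires certreq from Windows Server 2008 / Vista or later.
2.5.29.17 = "{text}"
_continue_ = "dns=__HOST__&"
'@
$inf.Replace("__HOST__", $HostName) | Set-Content -Path $InfFile -Encoding Ascii

# 1. Create the request and the (non-exportable) private key in the machine store.
& certreq.exe -new $InfFile $ReqFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Inspect what will leave the server before submitting it (subject, SAN, key size).
& certutil.exe -dump $ReqFile

# 2. Submit to the CA. On a stand-alone CA the request lands in "Pending Requests"
#    until the CA administrator issues it; certreq then prints the Request ID,
#    and the issued certificate is fetched later with:
#    certreq -retrieve -config $CaConfig <RequestId> $CerFile
& certreq.exe -submit -config $CaConfig $ReqFile $CerFile

# 3. Bind the issued certificate to its private key in the computer's Personal store.
if (Test-Path $CerFile) {
    & certreq.exe -accept $CerFile
    Write-Host "Certificate installed. In the IIS Web Server Certificate Wizard choose 'Assign an existing certificate'."
} else {
    Write-Warning "No certificate file yet; the request is pending or was denied."
}
```

Because certreq -accept already places the issued certificate in the computer's Personal store, the IIS wizard step "Process the pending request and install the certificate" is replaced by "Assign an existing certificate"; the remaining steps (SSL port 443, requiring a secure channel) are unchanged.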

Installing the Certificate on the Web Server

In this procedure, the certificate issued in the previous procedure is installed on the Web server.

Procedure
1. Start the Internet Information Services (IIS) Manager, if it is not already running.
2. Expand the node with the name of your server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Click "Server Certificate" to start the Web Server Certificate Wizard.
6. Click "Process the pending request and install the certificate" and then "Next".
7. Type the location and name of the file containing the response from the certification authority and then click "Next".
8. Ensure that 443 is entered as the SSL port and click "Next".
9. Verify that the information in the certificate overview is correct, then click "Next" and "Finish".

The certificate is now installed on the Web server.

Configuring the Resources to Require SSL Access

In this procedure, the "WebNavigator" site is configured so that it can only be accessed over SSL. The Web clients must use the HTTPS protocol to access the WebNavigator.

Procedure
1. Start the Internet Information Services (IIS) Manager, if it is not already running.
2. Expand the name of your server, right-click the "WebNavigator" Web site and select "Properties".
3. Click the "Directory Security" tab.
4. Click "Edit" under "Secure communications".
5. Select "Require secure channel (SSL)". Web clients that access the Web site must now use HTTPS; a request over plain HTTP is rejected by IIS with the error "403.4 Forbidden: SSL required". Selecting "Require 128-bit encryption" in the same dialog additionally rejects connections that negotiate weak (export) cipher suites.
6. Click "OK" and again "OK" to close the "Properties" dialog.
7. Close the Internet Information Services (IIS) Manager.

Note: "Require secure channel (SSL)" applies to the Web site or directory on which it is set. If the server hosts further Web sites or virtual directories that carry process data, set the option on each of them. The setting protects the transport only; it does not replace the authentication and authorization of the WebNavigator users.
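After the two procedures above, a practitioner wants to confirm from a Web client PC that the result is what was intended: the WebNavigator site presents a certificate whose name matches the name the clients use and that chains to the plant CA, and plain HTTP is refused. The following PowerShell script is an added example that is not part of the PCS 7 manual; the host name is the manual's example and a placeholder, PowerShell 2.0 or later is assumed, and the script is meant to be run on a client that has the CA certificate installed as described earlier in this chapter.

```powershell
# Added example (not part of the PCS 7 manual): check the WebNavigator site
# from a client after "Require secure channel (SSL)" has been set.
# ASSUMPTION: $HostName is the manual's example name, a placeholder.
$HostName = "oswebserver01.laboratory.plant.com"

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # Accept whatever the server presents during the handshake; the
        # certificate is validated explicitly in Test-WebNavigatorSsl below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        return New-Object PSObject -Property @{
            Certificate = $cert
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        }
    } finally {
        $tcp.Close()
    }
}

function Test-WebNavigatorSsl {
    param([string]$HostName)
    $r = Get-ServerCertificate -HostName $HostName
    $cert = $r.Certificate
    $problems = @()

    # GetNameInfo(DnsName) returns the DNS Subject Alternative Name if present,
    # otherwise the CN. This is the name browsers compare with the URL host.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $HostName) { $problems += "certificate name '$dnsName' does not match '$HostName'" }

    if ((Get-Date) -gt $cert.NotAfter) { $problems += "certificate expired on $($cert.NotAfter)" }

    # Chain to the plant CA installed in this client's Trusted Root store.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        $problems += "chain: " + ($status -join "; ")
    }

    if ("$($r.Protocol)" -match "Ssl2|Ssl3") { $problems += "negotiated $($r.Protocol); disable SSL 2.0/3.0 on the server" }
    Write-Host "Negotiated $($r.Protocol), cipher $($r.Cipher), certificate for '$dnsName' issued by '$($cert.Issuer)'"
    return $problems
}

function Test-PlainHttpRefused {
    param([string]$HostName)
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        return $false     # a page was served over HTTP: "Require secure channel" is not in effect
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        # IIS answers "403.4 Forbidden: SSL required" when only HTTPS is permitted
        return ($resp -ne $null -and [int]$resp.StatusCode -eq 403)
    }
}

$sslProblems = @(Test-WebNavigatorSsl -HostName $HostName)
if ($sslProblems.Count -eq 0) { Write-Host "HTTPS OK for $HostName" }
else { $sslProblems | ForEach-Object { Write-Host "HTTPS problem: $_" } }

if (Test-PlainHttpRefused -HostName $HostName) { Write-Host "Plain HTTP is refused (SSL required)" }
else { Write-Warning "Plain HTTP is still served; check 'Require secure channel (SSL)' on the WebNavigator site" }
```

The name check uses the host name exactly as a WebNavigator client would type it; if clients use the short NetBIOS name instead of the DNS name, run the script with that name, because a mismatch there is exactly what the clients will see as a certificate warning.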


8 Final Considerations

8.1 Residual Risks

Comprehensive protection for your plant is achieved if you implement, without exception, all of the principles described in the previous sections. The security vulnerabilities and threats known at the time of writing are addressed in this way. However, unforeseen events and threats can always arise in the future:
- Hardware can fail or operate incorrectly.
- Software can operate incorrectly.
- New viruses, as yet unknown, can penetrate the plant.

8.2 Additional Measures

Residual risks cannot be avoided. To guard against problems arising from these residual risks, or to enable you to quickly locate and overcome such problems, we recommend that you monitor all hardware and software. The "Production Admin" should employ the following methods and tools as part of this monitoring effort:
- Monitoring of all plant PCs and hardware using special programs such as Asset Management (Maintenance Station from PCS 7); see
  - Process Control System PCS 7; Operator Station configuration manual
  - Process Control System PCS 7; OS Process Control manual
- Planning logging and monitoring policies and evaluating the logs that result from them


9 References

/1/ BSI IT Baseline Security Manual
/2/ FDA 21 CFR 11
/3/ NAMUR Worksheet NA 67 "Information Protection for Process Control Systems (PLS)"
/4/ NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"
/5/ ISA TR "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004
/6/ PCS 7 V6.1 Readme
/7/ PCS 7 V6.1 What's New
/8/ PCS 7 V6.1 OS Web Option manual
/9/ Windows Server 2003 Security Guide
/10/ Windows XP Security Guide
/11/ Threats and Countermeasures Guide (companion guide): Security settings available in Windows Server 2003 and Windows XP
/12/ Microsoft Initiative "Strategic Technology Protection Program" (STPP)
/13/ Microsoft Windows Server 2003 Server Resource Kit
/14/ Microsoft Windows XP Resource Kit
/15/ Microsoft Windows 2000 Security Resource Kit
/16/ Trend Micro OfficeScan 7 Installation and Deployment Guide
/17/ Trend Micro OfficeScan 7 Administrator's Guide
/18/
/19/ IT terminology


10 Meaning of the Symbols

The following table provides an overview of the symbols used in this manual. The symbol graphics themselves are not reproduced in this text version; their meanings are listed.

Symbol - Meaning
- ERP plant segment (e.g., accounting)
- MES plant segment (e.g., quality control)
- Physical access control (e.g., guards, security services)
- DCS plant segment (e.g., production shop)
- Ethernet bus system in a plant: red - bus in the ERP system; yellow - bus in the MES system; green - terminal bus; blue - system bus
- PC station, single-station system (application described in graphic)
- Client PC station (application described in graphic)
- Server station (application described in graphic)
- Service, office PC or external PC that may be able to access the process control system or associated data via a special application (application described in graphic)
- PCS 7 single-station system
- PCS 7 client (operator control and monitoring station)
- PCS 7 WebClient
- PCS 7 server
- Central Archive Server (CAS)
- Office PC (EXCEL, WORD) or OPC client in MES or ERP
- Operating system server (domain server, domain controller)
- SUS Software Update Server
- SIMATIC IT client
- SIMATIC IT server
- A PCS 7 database is installed on the PC (for user data or archive data)
- An OS archive database is installed on the PC (for user data or archive data)
- A database for updates and backups is installed on the PC
- A SIMATIC IT database is installed on the PC (for user data or archive data)
- Storage group for ERP systems
- A PCS 7 OS application is installed on the PC
- A SIMATIC BATCH application is installed on the PC
- A SIMATIC Route Control application is installed on the PC
- A SIMATIC IT application is installed on the PC
- An OPC application is installed on the PC
- A WEB application is installed on the PC
- Microsoft EXCEL is installed on the PC
- A WinCC native application is installed on the PC
- User Group
- Group, or this user is a member of a global group of the domain or is a domain user (different groups)
- Indicates that Active Directory is running on the domain controller
- Folder
- Organization units
- Local policy
- Local groups of a PC station
- Switch
- Router
- Firewall
- Receiver for a time signal
- Printer
- External data storage
- Perimeter network with PC stations protected by a firewall
- The PC station has access to the Internet

Glossary

3DES
Source: Microsoft Help and Support Center Windows Server 2003
An implementation of DES (Data Encryption Standard) that applies three DES operations to each data block. Because a 56-bit key is used in each operation, this results in a 168-bit key. Although 3DES is slower because of the additional cryptographic calculations, it provides much more security than DES.
Note: Because of the meet-in-the-middle attack, the effective strength of 3DES is about 112 bits rather than 168, and its 64-bit block size limits the amount of data that may safely be protected under one key. NIST has since deprecated 3DES in favor of AES.

Access Control
Source: Microsoft Help and Support Center Windows Server 2003
A security mechanism that determines which actions a user, group, service or computer may carry out on a computer or on a particular object, such as a file, a printer, a registry subkey or a directory service object.

Account
Access permission for a specific person in a network. A user name and password are usually part of an account.

Active Directory
Source: Microsoft Help and Support Center Windows Server 2003
A Windows-based directory service. Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.
See also: Domain

Address
Source: Microsoft Help and Support Center Windows Server 2003
A unique identifier used by a network node to identify itself to other nodes in the network. Also referred to as network address or MAC address.

Administrator
Source: Microsoft Help and Support Center Windows Server 2003
In the Windows Server 2003 product family, a person who is responsible for installing and managing local computers, stand-alone servers, member servers or domain controllers. An administrator sets up user and group accounts, assigns passwords and permissions and helps users who have network problems. Administrators can be members of the Administrators group on local computers or servers. A person who is a member of the Administrators group on a local computer or server has full access to the computer or server and can assign access rights to users as needed. Administrators can also be members of the Domain Admins group on domain controllers; in this case they have full control over the user and computer accounts in the domain.
See also: Domain, User account, Domain controller, Access control

Authentication
Source: Microsoft Help and Support Center Windows Server 2003
The process of verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information by verifying a digital signature, or verifying the identity of a user or computer.

Authentication protocol
Source: Microsoft Help and Support Center Windows Server 2003
The protocol that an entity in a network uses to prove its identity to a remote entity. The identity is typically proven with a secret such as a password or, more securely, with a key held on a smart card. Some authentication protocols also establish keys shared between client and server in order to provide integrity or confidentiality for messages.

Authorization
The process of granting a user on a computer system or in a network the permission to perform certain actions.
See also: Authentication

Automatic Updates (AU)
AU is a service that runs on AU clients. It enables the download and installation of Windows updates. If this service is disabled, neither the automatic update function nor the Windows Update Web site can be used.
See also: Software Update Services (SUS)

Automation System (AS)
An automation system is a programmable logic controller (PLC). Libraries especially adapted to the process control system enable optimal and easy-to-configure integration of additional components (such as operator control and monitoring systems). The user programs are loaded into the automation systems.
Note: PLCs of the SIMATIC S7-400 class are used in the SIMATIC PCS 7 process control system. These include:
- Standard automation systems (S7-400)
- Fault-tolerant automation systems (S7-400H)
- Fail-safe automation systems (S7-400F)
- Fault-tolerant and fail-safe automation systems (S7-400FH)

Building
Source: BSI Baseline Security Manual, Chapter 4.1
Buildings surround the assembled information technology and thereby ensure its outer protection. The infrastructure facilities of a building are also a necessary requirement for IT operation. Therefore the building structure, such as walls, ceilings, floors, roof, windows and doors, must be taken into consideration along with all of the building-wide utilities such as electricity, water, gas, heating, mail chutes, etc.

CAS
See: Central Archive Server (CAS)

Central archive server
See: Central Archive Server (CAS)

Central Archive Server (CAS)
Central archive server for PCS 7 PCs

Central clock
The following are suitable for serving as a central clock for synchronizing a plant with an exact time of day:
- GPS (Global Positioning System): global satellite system for computing exact positions on the earth. The satellites transmit a time signal.
- DCF77: radio signal from a time code transmitter in Frankfurt/Mainflingen (Federal Republic of Germany). The radio signal can be received with sufficient signal strength over a large area of Europe.
- Time servers publicly available and recognized on the Internet (e.g., time.nist.gov)
- Plant-specific, locally restricted clock

Certificate
Source: Microsoft Help and Support Center Windows Server 2003
A digital document that is commonly used for authentication and secure exchange of information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer or a service.
See also: Certification Authority (CA)

Certificate Services
Source: Microsoft Help and Support Center Windows Server 2003
A software service that issues certificates for a particular certification authority. It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication and smart card authentication.
See also: Authentication, Service, Internet Authentication Service (IAS), Certificate, Certification Authority (CA)

Certification Authority (CA)
Source: Microsoft Help and Support Center Windows Server 2003
An entity responsible for establishing and vouching for the authenticity of public keys belonging to requesters (usually users or computers) or to other certification authorities. Activities of a certification authority include binding public keys to unique names through signed certificates, managing certificate serial numbers, and certificate revocation.
See also: Certificate, Root certification authority

Class A IP address
Source: Microsoft Help and Support Center Windows Server 2003
A unicast IP address in the Class A range. The first octet indicates the network, and the last three octets indicate the host on the network. Class-based IP addressing has been replaced by Classless Inter-Domain Routing (CIDR).

Class B IP address
Source: Microsoft Help and Support Center Windows Server 2003
A unicast IP address in the Class B range. The first two octets indicate the network, and the last two octets indicate the host on the network. Class-based IP addressing has been replaced by Classless Inter-Domain Routing (CIDR).

Class C IP address
Source: Microsoft Help and Support Center Windows Server 2003
A unicast IP address in the Class C range. The first three octets indicate the network, and the last octet indicates the host on the network. Network Load Balancing provides optional session support for Class C IP addresses (in addition to support for single IP addresses) to accommodate client-side use of multiple proxy servers. Class-based IP addressing has been replaced by Classless Inter-Domain Routing (CIDR).

Client
Source: Microsoft Help and Support Center Windows Server 2003
Any computer or program connecting to, or requesting services of, another computer or program. A client can also refer to the software that a computer or program uses to establish the connection. On a local area network (LAN) or the Internet, a computer that accesses shared network resources provided by another computer (called a server).

Closed system
Source: FDA 21 CFR 11
Closed system means an environment in which system access is controlled by persons who are responsible for the content of the electronic records that are on the system.

Data Encryption Standard (DES)
Source: Microsoft Help and Support Center Windows Server 2003
An encryption algorithm that uses a 56-bit key and maps a 64-bit input block to a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key.
Note: A 56-bit key can be searched exhaustively with current hardware; DES on its own is no longer considered secure.

Data integrity
Source: Microsoft Help and Support Center Windows Server 2003
A property of secure communication by which a computer can verify that information has not been altered or corrupted during transmission from the source. Data protected by IPSec (Internet Protocol Security), for example, carry a cryptographic checksum computed with a secret key known only to the communicating IPSec peers. An intermediate node can change the data, but without the secret key it cannot recalculate a correct checksum.

DCS
See: Distributed Control System (DCS)

Delegation
Source: Microsoft Help and Support Center Windows Server 2003
Assignment of responsibility for management and administration tasks to a user, computer, group or organization. For Active Directory, the assignment of responsibility in such a way that users without administrative credentials can perform certain administration tasks or manage certain directory objects. The responsibility is assigned by means of membership in a security group, the Delegation of Control Wizard, or Group Policy settings. For DNS, the assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server authoritative for the delegated zone.
See also: Active Directory, DNS (Domain Name System), DNS server, Group policy, Security group, Zone

Demilitarized Zone (DMZ)
In telecommunication, a reference to a computer, router or small network that is set up as a "neutral zone" between the internal network of a business and the "external" public network. This is designed to prevent outside users from directly accessing a server with company data. Another term often used for DMZ is "perimeter network".

Denial of Service Attack (DoS)
Source: IT Glossary
Service denial: a computer (such as a server) can no longer execute the requested IP service, can no longer perform any useful function, or becomes extremely slow, due to one of the following:
- It is overloaded by the processing of IP messages or other activities.
- It is inundated by a flood of e-mail (caused by hoaxes or viruses, for example).
- It is partially or completely put out of service by the triggering of existing and known bugs (see Lovsan/Blaster worm).
- It is partially or completely put out of service by the activation of known trapdoors in network services or programs (see Internet worm of 1988).
Causes: network attacks using pings or other IP messages, local sabotage.

DES
Source: Microsoft Help and Support Center Windows Server 2003
See: Data Encryption Standard (DES)

Desktop
Source: Microsoft Help and Support Center Windows Server 2003
The on-screen work area in which windows, icons, menus and dialog boxes appear.

Device
Source: Microsoft Help and Support Center Windows Server 2003
Any piece of equipment that can be attached to a network or computer, for example a computer, printer, joystick, adapter or modem card, or any other peripheral equipment. Devices normally require a device driver to function with Windows. For Windows licensing, electronic devices such as computers, workstations, terminals and handheld computers that can access or use the services of the Windows operating system, including file and printer sharing, remote access and authentication.

DHCP
Source: Microsoft Help and Support Center Windows Server 2003
See: Dynamic Host Configuration Protocol (DHCP)

DHCP server
Source: Microsoft Help and Support Center Windows Server 2003
A computer on which the Microsoft DHCP service runs. It provides DHCP clients with dynamic configuration of IP addresses and related information.
See also: Dynamic Host Configuration Protocol (DHCP), IP address, DHCP service

DHCP service
Source: Microsoft Help and Support Center Windows Server 2003
A service that enables a computer to function as a DHCP server and to configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for network clients.

Distributed Control System (DCS)
An integrated process control system that, in contrast to a PLC with separately allocated operator control and monitoring systems, is characterized as a unit of all associated components, offering:
- A uniform concept for configuration and archiving
- Special libraries that reduce the configuration effort (for example, no need to configure individual signal paths for HMI systems, automated diagnostics, etc.)
- Simplified expansion options for complex plant requirements (for example, interfaces to MES and ERP systems)
- Support for optimal and fast communication routes
- Security gained from suitable configuration variants (for example, separation of the communication routes on the terminal bus and the system bus)

DMZ
See: Demilitarized Zone (DMZ)

DNS (Domain Name System)
Source: Microsoft Help and Support Center Windows Server 2003
A hierarchically distributed database containing mappings of DNS domain names to various data types, such as IP addresses. DNS allows computers and services to be located by user-friendly names and also allows other information stored in the database to be found.
See also: Service, IP address, Transmission Control Protocol/Internet Protocol (TCP/IP), Domain name

DNS client
Source: Microsoft Help and Support Center Windows Server 2003
A client computer that queries DNS servers to resolve domain names. DNS clients keep a temporary cache of resolved DNS domain names.
See also: Client, DNS (Domain Name System), DNS server

DNS server
Source: Microsoft Help and Support Center Windows Server 2003
A server that maintains information for part of the DNS database and responds to and resolves DNS queries.
See also: DNS (Domain Name System), DNS client, Server

Domain
Source: Microsoft Help and Support Center Windows Server 2003
In Active Directory, a collection of computer, user and group objects defined by an administrator. These objects share a common domain database, security policies and trust relationships with other domains. In DNS, any structure or partial structure within the DNS namespace. Although the names of DNS domains and Active Directory domains are often the same, DNS domains should not be confused with Active Directory domains.
See also: Active Directory, DNS (Domain Name System)

Domain controller
Source: Microsoft Help and Support Center Windows Server 2003
A computer in a Windows domain environment that runs Active Directory and manages user access to the network. Its responsibilities include logon, authentication, and access to the directory and to shared resources.

Domain name
Source: Microsoft Help and Support Center Windows Server 2003
The name given by an administrator to a collection of networked computers that share a common directory. Domain names are part of the DNS namespace tree and consist of a sequence of name labels separated by periods.

Dynamic Host Configuration Protocol (DHCP)
Source: Microsoft Help and Support Center Windows Server 2003
A TCP/IP service protocol that provides dynamically leased configuration of host IP addresses and distributes further configuration parameters to network clients. DHCP provides reliable and simple configuration of TCP/IP networks, prevents address conflicts and helps to conserve IP addresses in the network. DHCP uses a client/server model in which the DHCP server centrally manages the IP addresses used in the network. DHCP-enabled clients request and obtain the lease of an IP address from a DHCP server when they start up on the network.
Note: DHCP does not authenticate the server or the client. A rogue DHCP server on a plant network can hand out its own default gateway and DNS server addresses and thereby redirect traffic; this is one reason the PCS 7 plant PCs are given fixed addresses and DHCP is not used in the process control network.

EAP
Source: Microsoft Help and Support Center Windows Server 2003
See: Extensible Authentication Protocol (EAP)

Encryption
The process of encoding data or messages so that the contents cannot be read by anyone who does not hold the corresponding key.

ERP
Abbreviation for "Enterprise Resource Planning"
Source:
ERP systems are designed to handle almost all business processes. Full integration and the movement away from isolated solutions results in a recentralized system, in which resources can be managed throughout the enterprise. Typical areas in which ERP software is used:
- Materials management (procurement, warehousing, dispatching, assessment)
- Production
- Financing and accounting
- Controlling
- Human resource management
- Research and development
- Sales and marketing
- Master data management
Since different branches of industry pose highly varying requirements for ERP systems, most major suppliers offer solutions that include specially designed packages for specific branches.

Extensible Authentication Protocol (EAP)
Source: Microsoft Help and Support Center Windows Server 2003
An extension of the Point-to-Point Protocol (PPP) that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection.
See also: Point-to-Point Protocol (PPP)

FDA
Food & Drug Administration (FDA), US government agency. The Food & Drug Administration (FDA) sets guidelines for validation of processes and products. The most important, internationally applicable requirements for automation engineering (in regard to validation) are included in the GMP regulations 21 CFR Part 11.

Fully Qualified Domain Name (FQDN)
Source: Microsoft Help and Support Center Windows Server 2003
A Domain Name System (DNS) name that has been stated unambiguously to indicate with certainty its location in the domain namespace tree. Fully qualified domain names differ from relative names in that they typically are stated with a trailing period (.) to qualify their position to the root of the namespace (for example, host.example.microsoft.com.).
See also: DNS (Domain Name System); Domain name

Firewall
Source: Microsoft Help and Support Center Windows Server 2003
A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between the network and external computers by routing communication through a proxy server outside of the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a security-edge gateway.
See also: Proxy server

FQDN
See definition for: Fully Qualified Domain Name (FQDN)

Group policy
Source: Microsoft Help and Support Center Windows Server 2003
The Active Directory infrastructure enables directory-based changing and configuration management of user or computer settings, including security and user data. Group Policies allow you to define configurations for groups of users and computers. You can use Group Policies to make settings for the following: registry-based policies, security, installation of software, scripts, folder redirection, remote installation services and Internet Explorer servicing. The Group Policy settings you make are stored in a Group Policy Object (GPO). You can assign a GPO to selected Active Directory system containers (for locations, domains and organizational units) in order to apply the Group Policy settings of the GPO to users and computers in these Active Directory containers. Use the Group Policy Editor to create individual GPOs. You can use the Group Policy Console to manage Group Policy objects throughout the company.

Host
Source: Microsoft Help and Support Center Windows Server 2003
A device in a TCP/IP network that has an IP (Internet Protocol) address. This includes servers, workstations, printers with a network interface, and routers. Sometimes it refers to a specific network computer that performs a service used by network or remote clients. For Network Load Balancing, a cluster consists of multiple hosts connected over a local area network (LAN).
See also: Service, Transmission Control Protocol/Internet Protocol (TCP/IP), Server, Client, Local Area Network (LAN)

Host ID
Source: Microsoft Help and Support Center Windows Server 2003
The part of the IP address with which a computer can be uniquely identified within a specific network ID.
See also: IP address

Host name
Source: Microsoft Help and Support Center Windows Server 2003
The DNS name of a device on a network. This name is used to locate a computer in the network. Before a computer can be found, its host name must be included in the hosts file or be known to a DNS server. On most computers running Windows, the host name and computer name are identical.
See also: DNS (Domain Name System), DNS server

HTTP
See definition for: Hypertext Transfer Protocol (HTTP)

HTTPS
See definition for: Secure Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP)
The protocol used to transfer information on the World Wide Web. An HTTP address (one kind of Uniform Resource Locator [URL]) takes the form:
See also: Protocol

IAS
See definition for: Internet Authentication Service (IAS)

Identity
Source: Microsoft Help and Support Center Windows Server 2003
A person or entity that must be verified by authentication based on criteria such as a password or certificate.
See also: Authentication, Certificate

IIS
See definition for: Internet Information Services (IIS)

Internet Authentication Service (IAS)
Source: Microsoft Help and Support Center Windows Server 2003
The Microsoft implementation of a RADIUS server and RADIUS proxy (Remote Authentication Dial-In User Service), which provides authentication and account management for network access.
See also: Authentication, Service, RAS service, Remote Authentication Dial-In User Service (RADIUS), Virtual Private Network (VPN), Certificate services

Internet Information Services (IIS)
Source: Microsoft Help and Support Center Windows Server 2003
Software services that support creation, configuration, and management of Web sites, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Internet Protocol (IP)
A routable network protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.
See also: Transmission Control Protocol/Internet Protocol (TCP/IP)

Internet Protocol Security (IPSec)
Source: Microsoft Help and Support Center Windows Server 2003
A set of industry-standard, cryptography-based protection services and security protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communications using L2TP (Layer Two Tunneling Protocol).
See also: Layer Two Tunneling Protocol (L2TP), Transmission Control Protocol/Internet Protocol (TCP/IP), Protocol

IP
See definition for: Internet Protocol (IP)

IP address
Source: Microsoft Help and Support Center Windows Server 2003
In the context of IPv4 (Internet Protocol, Version 4), a 32-bit address to identify a node in an IPv4 network. Each node in the IP network must be assigned a unique IPv4 address. This consists of the network ID and a unique host ID. The address is normally represented by the decimal values of the individual octets separated by periods (for example ). The IP address can be configured manually or dynamically through DHCP (Dynamic Host Configuration Protocol). In the context of IPv6 (Internet Protocol, Version 6), an ID that is assigned to an interface or a set of interfaces on the IPv6 level and can be used as the source or destination for IPv6 packets.

Kerberos V5 Authentication Protocol
An authentication mechanism used to authenticate the identity of a user or host. The Kerberos V5 authentication protocol is used as the default authentication service. The Kerberos protocol can be used for authentication with IPSec (Internet Protocol Security).
See also: Internet Protocol Security (IPSec)

L2TP
See definition for: Layer Two Tunneling Protocol (L2TP)

LAN (Local Area Network)
Source: Microsoft Help and Support Center Windows Server 2003
A communications network connecting a group of computers, printers, and other devices located within a relatively limited area (for example, a building). A LAN allows any connected device to interact with any other on the network.
See also: Workgroup, Virtual Private Network (VPN), NetBIOS Extended User Interface (NetBEUI), Network Basic Input/Output System (NetBIOS)

LAN
See definition for: Local Area Network (LAN)

Layer Two Tunneling Protocol (L2TP)
Source: Microsoft Help and Support Center Windows Server 2003
An industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. For IP networks, Layer Two Tunneling Protocol traffic is sent as User Datagram Protocol (UDP) messages. In Microsoft operating systems, the L2TP protocol is used in conjunction with Internet Protocol security (IPSec) as a virtual private network (VPN) technology to provide remote access or router-to-router VPN connections. L2TP is described in RFC
See also: Internet Protocol Security (IPSec), Point-to-Point Protocol (PPP), Tunneling, User Datagram Protocol (UDP)

Logon rights
Source: Microsoft Help and Support Center Windows Server 2003
User rights that are assigned to users enabling them to log on to the system as a user. An example of a logon right is the permission for remote logon to a system.
See also: User rights

MES
Source:
Abbreviation for Manufacturing Execution System. Designation for software solutions on the plant control level. The MES is responsible for acquiring all production data generated, with the goal of optimizing production processes. The Manufacturing Execution System processes the acquired data, thereby enabling it to be evaluated. Realtime production data are also processed for monitoring and controlling production processes.
Automation level and management level: Manufacturing Execution Systems enable effective production and plant management because they permit fast reactions to changing manufacturing conditions and reduce activities not related to production. They therefore create a link between the automation level of production processes and the systems on the management level. This is referred to as vertical integration.

Microsoft Baseline Security Analyzer (MBSA)
Source: Microsoft Knowledge Base; Article ID:
This program performs a general analysis on Windows computers for common misconfigurations of the system security and provides a security report for each computer it inspects. The MBSA can run on computers with Windows Server 2003, Windows 2000 and Windows XP. It can search for security vulnerabilities on computers running Windows NT 4.0, Windows 2000, Windows XP and Windows Server. The MBSA looks for common misconfigurations of the system security in Microsoft Windows, Microsoft Internet Information Services (IIS), Microsoft SQL Server, Microsoft Internet Explorer and Microsoft Office. The MBSA also checks for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, Microsoft Data Access Components (MDAC), Microsoft XML (MSXML), Microsoft Virtual Machine (VM), Content Management Server, Commerce Server, BizTalk Server, Host Integration Server and Office (only local scans). Version 1.2 provides a graphic user interface and a command line interface.
See also: Software Update Services (SUS), Windows Update Service (WUS), SMS

Name resolution service
Source: Microsoft Help and Support Center Windows Server 2003
A service, such as that provided by WINS or DNS, that allows friendly names to be resolved to an address or other specially defined resource data that is used to locate network resources of various types and purposes.
See also: Service, DNS (Domain Name System), Windows Internet Name Service (WINS)

NetBIOS Extended User Interface (NetBEUI)
Source: Microsoft Help and Support Center Windows Server 2003
A network protocol native to Microsoft Networking. This protocol is usually used in small local area networks (LANs) consisting of 1 to 200 clients (department size). NetBEUI uses Token Ring source routing as its only method of routing. NetBEUI is the Microsoft implementation of the NetBIOS standard.
See also: Local Area Network (LAN, Local Network), Network Basic Input/Output System (NetBIOS)

NetBIOS name
Source: Microsoft Help and Support Center Windows Server 2003
A 16-byte name for a process that uses NetBIOS (Network Basic Input/Output System). The NetBIOS name is recognized by WINS, which maps the name to an IP address.
See also: IP address, Network Basic Input/Output System (NetBIOS), Windows Internet Name Service (WINS)

Network Access Quarantine Control
Source: Microsoft
See chapter

Network Basic Input/Output System (NetBIOS)
Source: Microsoft Help and Support Center Windows Server 2003
An application programming interface (API) that can be used by application programs on a local area network (LAN). NetBIOS provides application programs with a uniform set of commands for requesting the lower-level network services required to manage names, conduct sessions and transmit datagrams between nodes on a network.
See also: Service, Local Area Network (LAN, Local Network)

Organization unit
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object (GPO) can be linked, or over which administrative authority can be delegated.
See also: Active Directory

Package
Source: Microsoft Help and Support Center Windows Server 2003
An icon that represents embedded or linked information. That information can consist of a complete file, such as a Paint bitmap, or part of a file, such as a spreadsheet cell. When a package is chosen, the application used to create the object either plays the object (if it is a sound file, for example) or opens and displays the object. If the original information is changed, linked information is then updated. However, embedded information needs to be manually updated.

PCS 7 PC
Encompasses all PCs used in a PCS 7 plant, such as OS, BATCH and RC servers and clients, engineering stations, maintenance stations, central archive servers, etc.
See also: Plant PC

Permission
Source: Microsoft Help and Support Center Windows Server 2003
A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are granted or denied by the object's owner.
See also: Privilege

Plant operating personnel
Encompasses all persons authorized to operate the plant.

Plant PC
Encompasses all PCs in the plant, in other words, all PCS 7 PCs and all PCs for managing the infrastructure, such as DNS, WINS and DHCP servers, domain controllers, etc., for which the operating personnel are responsible.
See also: PCS 7 PC

Plant personnel
Encompasses all persons that have access to the plant, in other words, all plant operating personnel and any other persons, such as cleaning personnel.

PLC
See definition for: Automation system (AS)

Point-to-Point Protocol (PPP)
Source: Microsoft Help and Support Center Windows Server 2003
An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC
See also: Transmission Control Protocol/Internet Protocol (TCP/IP)

Point-to-Point Tunneling Protocol (PPTP)
Source: Microsoft Help and Support Center Windows Server 2003
A network technology that supports multiprotocol VPNs (Virtual Private Networks). It provides remote users with secure access to company-internal networks over the Internet or other networks by dialing up an Internet Service Provider (ISP) or by establishing a direct Internet connection. PPTP encapsulates IP data (Internet Protocol), IPX data (Internetwork Packet Exchange) or NetBEUI data (NetBIOS Extended User Interface) in IP packets. This encapsulation is also referred to as tunneling. This means that users can remotely execute applications that depend on certain network protocols.
See also: Internet Protocol (IP), Tunnel, Virtual Private Network (VPN), NetBIOS Extended User Interface (NetBEUI)

PPP
See definition for: Point-to-Point Protocol (PPP)

PPTP
See definition for: Point-to-Point Tunneling Protocol (PPTP)

Privilege
Source: Microsoft Help and Support Center Windows Server 2003
A user's right to perform a specific task, usually one that affects an entire computer system rather than a particular object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for the computer.
See also: User rights, Permission

Process control level
See definition for: Distributed Control System (DCS)

Protocol
Source: Microsoft Help and Support Center Windows Server 2003
A set of rules and conventions for sending information over a network. These rules govern the content, format, timing, sequencing, and error control of messages exchanged among network devices.

Proxy server
Source: Microsoft Help and Support Center Windows Server 2003
A firewall component that manages Internet traffic to and from a local area network (LAN) and that can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as frequently visited Web pages, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Quarantine control
See Network Access Quarantine Control

RADIUS
See definition for: Remote Authentication Dial-In User Service (RADIUS)

RAS service
Source: Microsoft Help and Support Center Windows Server 2003
A Windows NT 4.0 service that provides network access from a remote location to remote workers, field personnel and system administrators who monitor and manage servers at various branch locations of an enterprise.

Remote access
Source: Microsoft Help and Support Center Windows Server 2003
Part of the integrated Routing and Remote Access Service (RAS), which provides network access from a remote location to remote workers, field personnel and system administrators managing servers at various branch locations of a company. Users can dial into the network from a remote location and use certain services such as file and printer sharing, e-mail, schedule planning and SQL databases.

Remote Authentication Dial-In User Service (RADIUS)
Source: Microsoft Help and Support Center Windows Server 2003
A security authentication protocol based on the client/server model. Often used by Internet service providers (ISP). RADIUS is currently the most commonly used means for authentication and authorization of users in networks accessed by dialup connection and whose communication is controlled with tunneling. A RADIUS client is included in the Routing and RAS service, which is a component of the Windows Server 2003 product family. A RADIUS server, referred to as the Internet Authentication Service (IAS), is part of Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.
See also: Authentication, Internet Authentication Service (IAS), Tunnel

Remote Procedure Call (RPC)
Source: Microsoft Help and Support Center Windows Server 2003
A message-passing setup that allows a distributed application to call services that are available on various computers on a network. Used during remote servicing of computers.
See also: Service

Root certification authority
Source: Microsoft Help and Support Center Windows Server 2003
The most trusted certification authority (CA), which is at the top of a certification hierarchy. The root CA has a self-signed certificate. Also called the root authority.

Router
Source: Microsoft Help and Support Center Windows Server 2003
This hardware device helps LANs (Local Area Networks) and WANs (Wide Area Networks) achieve interoperability and connectivity and can link local networks that have different network topologies, such as Ethernet and Token Ring. Routers compare the information contained in packet headers with a LAN segment and then select the best possible transmission route for the packet, thereby attempting to optimize the network performance.
See also: Local Area Network (LAN), Network Basic Input/Output System (NetBIOS)

Routing
Source: Microsoft Help and Support Center Windows Server 2003
The process of forwarding a packet through a network from a source host to a destination host.
See also: Host, Package

RPC
See definition for: Remote Procedure Call (RPC)

Secure channel (Schannel)
A security support provider (SSP) that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security), the standard authentication protocols for the Internet.
See also: Secure Sockets Layer (SSL), Authorization protocol

Secure Hypertext Transfer Protocol
Source: Microsoft Help and Support Center Windows Server 2003
A protocol that provides a secure HTTP (Hypertext Transfer Protocol) connection.
See also: Hypertext Transfer Protocol (HTTP), Protocol

Secure Sockets Layer (SSL)
Source: Microsoft Help and Support Center Windows Server 2003
A proposed open standard for establishing a secure communication channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.

Security
Source: Microsoft Help and Support Center Windows Server 2003
The protection of a computer system in a network and the data stored on the computer against damage and loss. Security is implemented in such a way that only authorized users can access shared files.
See also: Authorization

Security group
Source: Microsoft Help and Support Center Windows Server 2003
A group that can be included in discretionary access control lists (DACLs) and used to define permissions for resources and objects. A security group can also be used as an e-mail group. An e-mail sent to the group is automatically sent to all members of the group.

Server
Generally, a computer that makes shared resources available to network users.
See also: Client

Service
Source: Microsoft Help and Support Center Windows Server 2003
A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage. Services include security account management, the file replication service and the Routing and RAS services.

SMS
See definition for: Systems Management Server (SMS)

Software Update Service (SUS)
Source: Microsoft Knowledge Base; Article ID:
The Software Update Services is a simple-to-use, robust tool for deployment and management of updates based on the successful, public Windows Update Service.
See also: Automatic Updates (AU), Microsoft Baseline Security Analyzer (MBSA), SMS, Windows Update Service (WUS)

SSL
See definition for: Secure Sockets Layer (SSL)

Stratum
A stratum is a layer (area) in a hierarchically organized network (subnet) in which all devices are synchronized with the same time source. The clock itself (atomic clock, GPS receiver, radio time signal receiver, etc.) is on layer 0. A stratum 1 server gets its time data via a time service (e.g., SNTP) directly from stratum 0. Computers that are synchronized directly with the stratum 1 time source are on stratum 2, etc. A total of 16 strata are defined. Strata 1 to 4 are usually used.

Subnet
Source: Microsoft Help and Support Center Windows Server 2003
A subdivision of an IP (Internet Protocol) network. Each subnet has its own unique network ID.
See also: Internet Protocol (IP)

SUS
See definition for: Software Update Services (SUS)

System bus
The system bus links the PCS 7 PCs, such as OS servers or RC servers, with the automation systems (AS). The communication between the automation systems is also performed on the system bus.
See also: Terminal bus

Systems Management Server (SMS)
Source: Microsoft Help and Support Center Windows Server 2003
A Microsoft product that contains inventory collection, deployment, and diagnostic tools. SMS can significantly automate the task of upgrading software, allow remote problem solving, provide asset management information, manage software licenses, and monitor computers and networks.
See also: Microsoft Baseline Security Analyzer (MBSA), Software Update Services (SUS), Windows Update Service (WUS)

TCP/IP
See definition for: Transmission Control Protocol/Internet Protocol (TCP/IP)

Terminal bus
The terminal bus connects the PCS 7 PCs in the DCS layer.
See also: System bus

Transmission Control Protocol/Internet Protocol (TCP/IP)
Source: Microsoft Help and Support Center Windows Server 2003
A set of software networking protocols widely used on the Internet that provide communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
See also: Internet Protocol (IP)

Trojan horse
Source: Microsoft Help and Support Center Windows Server 2003
A program disguised as another common program that is designed to gain information. An example of a Trojan horse is a program purporting to be a system message prompting for the user's name and password, which it later uses to penetrate the system.
See also: Virus

Tunneling
Source: Microsoft Help and Support Center Windows Server 2003
A logical connection in which data are encapsulated. This usually involves both encapsulation and encryption. The tunnel forms a private, secure connection between the remote user or host and a private network.
See also: Host, Encryption

Tunneling Protocol
Source: Microsoft Help and Support Center Windows Server 2003
A communication standard used to manage tunnels and encapsulate private data. Data that are tunneled must also be encrypted to be a VPN (Virtual Private Network) connection. Two frequently used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
See also: Layer Two Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), Virtual Private Network (VPN)

User account
Source: Microsoft Help and Support Center Windows Server 2003
In Active Directory, an object that consists of all the information that defines a domain user. This includes the user name and password and the groups in which the user account has membership. User accounts can be stored in Active Directory or on the local computer. Use Local Users and Groups to manage local user accounts on computers running Windows XP Professional and on member servers when using Windows Server. Use Active Directory Users and Computers to manage domain user accounts on domain controllers running Windows Server.

User Datagram Protocol (UDP)
Source: Microsoft Help and Support Center Windows Server 2003
An enhancement to TCP (Transmission Control Protocol) that offers a connectionless datagram service. This protocol guarantees neither delivery nor correct sequencing of delivered packets (similar to the Internet protocol, IP).

User rights
Source: Microsoft Help and Support Center Windows Server 2003
Tasks a user is permitted to perform on a computer system or domain. There are two types of user rights: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log on to a computer locally (at the keyboard). Both types are assigned by administrators to individual users or groups as part of the security settings for the computer.
See also: Domain, Privilege

Virtual Private Network (VPN)
Source: Microsoft Help and Support Center Windows Server 2003
The extension of a private network that provides encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections enable remote access and router-to-router connections for private networks over the Internet.
See also: Authentication, Routing, Tunneling, Encryption, Remote access

Virus
Source: Microsoft Help and Support Center Windows Server 2003
A program that attempts to install itself from one computer to another and then do damage there (by deleting or corrupting files) or aggravate users (by displaying unwanted messages on the screen or changing the normal display).
See also: Trojan horse

Wide Area Network (WAN)
Source: Microsoft Help and Support Center Windows Server 2003
A communication network connecting geographically separated computers, printers, and other devices. A WAN allows any connected device to interact with any other on the network.

Windows Internet Name Service (WINS)
Source: Microsoft Help and Support Center Windows Server 2003
A software service that dynamically maps IP addresses to computer names (NetBIOS names - Network Basic Input/Output System). This allows users to access resources by name instead of requiring them to use IP addresses, which are difficult to recognize and remember.
See also: Service, IP address, Network Basic Input/Output System (NetBIOS)

Windows Software Update Service (WSUS)
WSUS is the successor to the Microsoft Software Update Service (SUS). WSUS additionally enables security updates for Microsoft Office, Microsoft Exchange Server and Microsoft SQL Server. It also provides the following new features:
- Formation of groups for distribution of patches
- Improved reporting system
- Forced distribution at specific points in time
- Distribution of critical driver updates
- Simplified first-time installation
- Programming interface (API)
See also: Microsoft Baseline Security Analyzer (MBSA), Software Update Services (SUS), Systems Management Server (SMS)

WINS
See definition for: Windows Internet Name Service (WINS)

Workgroup
Source: Microsoft Help and Support Center Windows Server 2003
A simple grouping of computers that is created for the sole purpose of helping users find objects such as printers or shared folders in this group. Workgroups in Windows provide neither centralized user accounts nor centralized authentication, as are available in domains.
See also: Authentication, Domains

Worm
Source:
A computer virus that is solely designed to replicate itself and lead to substantial impairment of normal data processing.

Zone
Source: Microsoft Help and Support Center Windows Server 2003
In the Macintosh environment, a logical grouping that facilitates browsing the network for resources, such as servers and printers. In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. The zone stores the names and data of the domain with the corresponding name, except for domain names that are stored in delegated subdomains.


DANGER indicates that death or severe personal injury will result if proper precautions are not taken. Multi-User Systems 1 ArchiveServer 2 SIMATIC HMI WinCC V7.0 SP1 File Server 3 WinCC ServiceMode 4 Redundant Systems 5 System Manual Print of the Online Help 11/2008 Legal information Warning notice system

More information

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion Key Data Product #: 3380 Course #: 6420A Number of Days: 5 Format: Certification Exams: Instructor-Led None This course syllabus should be used to determine whether the course is appropriate for the students,

More information

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken. Basic Settings 1 Configuring the firewall 2 SIMATIC HMI Configuring DCOM 3 Configuring DCOM Machine Default 4 Using OPC via DCOM with Windows XP SP3 Readme 01/2010 Safety Guidelines This manual contains

More information

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5 SIMATIC WinCC V7.0 SIMATIC WinCC V7.0 Printout of the Online Help 1 Welcome 2 Icons 3 Creating a project 4 Configure communication 5 Configuring the Process Screens 6 Archiving and displaying values 7

More information

Security basics and application SIMATIC NET. Industrial Ethernet Security Security basics and application. Preface. Introduction and basics

Security basics and application SIMATIC NET. Industrial Ethernet Security Security basics and application. Preface. Introduction and basics Preface Introduction and basics 1 SIMATIC NET Industrial Ethernet Security Configuration Manual Configuring with the Security Configuration Tool 2 Creating modules and setting network parameters 3 Configure

More information

DB Administration COMOS. Platform DB Administration. Trademarks 1. Prerequisites. MS SQL Server 2005/2008 3. Oracle. Operating Manual 09/2011

DB Administration COMOS. Platform DB Administration. Trademarks 1. Prerequisites. MS SQL Server 2005/2008 3. Oracle. Operating Manual 09/2011 Trademarks 1 Prerequisites 2 COMOS Platform MS SQL Server 2005/2008 3 Oracle 4 Operating Manual 09/2011 A5E03638301-01 Legal information Legal information Warning notice system This manual contains notices

More information

SIMATIC HMI. WinCC V7.3. WinCC/DataMonitor. WinCC/DataMonitor. Installation Notes 1. WinCC/DataMonitor Release Notes 2

SIMATIC HMI. WinCC V7.3. WinCC/DataMonitor. WinCC/DataMonitor. Installation Notes 1. WinCC/DataMonitor Release Notes 2 Installation Notes 1 Release Notes 2 SIMATIC HMI WinCC V7.3 Getting Started 3 Documentation 4 System Manual Print of the Online Help 06/2014 A5E34330046-AA Legal information Warning notice system This

More information

Steps for Basic Configuration

Steps for Basic Configuration 1. This guide describes how to use the Unified Threat Management appliance (UTM) Basic Setup Wizard to configure the UTM for connection to your network. It also describes how to register the UTM with NETGEAR.

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-025) Lisa would like to configure five of her 15 Web servers, which are running Microsoft Windows Server 2003, Web Edition, to always receive specific IP addresses

More information

Visualization SIMATIC. Visualization. Present sample project. HMI configuration. Insert HMI device from libraries 3. Configuring HMI connection 4

Visualization SIMATIC. Visualization. Present sample project. HMI configuration. Insert HMI device from libraries 3. Configuring HMI connection 4 Present sample project 1 HMI configuration 2 SIMATIC Getting Started Insert HMI device from libraries 3 Configuring HMI connection 4 Configuring system diagnostics 5 Simulating an HMI device 6 05/2014

More information

SIMATIC. Process Control System PCS 7 Configuration Symantec Endpoint Protection (V12.1) Preface 1. Virus scanner administration 2.

SIMATIC. Process Control System PCS 7 Configuration Symantec Endpoint Protection (V12.1) Preface 1. Virus scanner administration 2. Preface 1 Virus scanner administration 2 SIMATIC Configuration 3 Process Control System PCS 7 Configuration Symantec Endpoint Protection (V12.1) Commissioning Manual 04/2013 A5E03874574-02 Legal information

More information

SIMATIC. Security concept PCS 7 and WinCC - Basic document. Preface. Aim of the security concept 2. References 3. Definitions 4

SIMATIC. Security concept PCS 7 and WinCC - Basic document. Preface. Aim of the security concept 2. References 3. Definitions 4 Preface 1 Aim of the security concept 2 SIMATIC Security concept PCS 7 and WinCC - Basic document Whitepaper References 3 Definitions 4 Strategies of the security concept 5 Implementing the security strategies

More information

Lesson Plans Managing a Windows 2003 Network Infrastructure

Lesson Plans Managing a Windows 2003 Network Infrastructure Lesson Plans Managing a Windows 2003 Network Infrastructure (Exam 70-291) Table of Contents Course Overview... 2 Section 0.1: Introduction... 3 Section 1.1: Client Configuration... 4 Section 1.2: IP Addressing...

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/

More information

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create

More information

"Charting the Course... ... to Your Success!" MOC 50331 D Windows 7 Enterprise Desktop Support Technician Course Summary

Charting the Course... ... to Your Success! MOC 50331 D Windows 7 Enterprise Desktop Support Technician Course Summary Description Course Summary This course provides students with the knowledge and skills needed to isolate, document and resolve problems on a Windows 7 desktop or laptop computer. It will also help test

More information

Validity 1. Improvements in STEP 7 2. Improvements in WinCC 3. Simatic. Readme. Readme

Validity 1. Improvements in STEP 7 2. Improvements in WinCC 3. Simatic. Readme. Readme Validity 1 Improvements in STEP 7 2 Simatic Improvements in WinCC 3 2012 Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety,

More information

Validity 1. Installation 2 SIMATIC. WinCC flexible Tag simulator Update 1. Readme

Validity 1. Installation 2 SIMATIC. WinCC flexible Tag simulator Update 1. Readme Validity 1 Installation 2 SIMATIC WinCC flexible Readme 05/2011 Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety, as well

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2003 Kerio Technologies. All Rights Reserved. Printing Date: December 17, 2003 This guide provides detailed description on configuration of the local

More information

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323

More information

MCSE. 50 Cragwood Rd, Suite 350 South Plainfield, NJ 07080. Victoria Commons, 613 Hope Rd Building #5, Eatontown, NJ 07724

MCSE. 50 Cragwood Rd, Suite 350 South Plainfield, NJ 07080. Victoria Commons, 613 Hope Rd Building #5, Eatontown, NJ 07724 COURSE SYLLABUS MCSE Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam 70-293) Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

More information

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Fundamentals of Windows Server 2008 Network and Applications Infrastructure Fundamentals of Windows Server 2008 Network and Applications Infrastructure MOC6420 About this Course This five-day instructor-led course introduces students to network and applications infrastructure

More information

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION Date: April 22,2013 Prepared by: Sainath K.E.V Microsoft Most Valuable Professional Introduction: SKV Consulting is a Premier Consulting

More information

Rimage Advanced Setup (Networking) Guide

Rimage Advanced Setup (Networking) Guide Rimage Advanced Setup (Networking) Guide This document provides the general information needed to configure the Rimage Control Center (the PC that is physically connected to the Rimage autoloader) and

More information

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

MOC 6435A Designing a Windows Server 2008 Network Infrastructure MOC 6435A Designing a Windows Server 2008 Network Infrastructure Course Number: 6435A Course Length: 5 Days Certification Exam This course will help you prepare for the following Microsoft exam: Exam 70647:

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Step-by-Step Guide for Setting Up VPN-based Remote Access in a

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Page 1 of 41 TechNet Home > Products & Technologies > Server Operating Systems > Windows Server 2003 > Networking and Communications Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test

More information

UNICORN 6.4. Administration and Technical Manual

UNICORN 6.4. Administration and Technical Manual UNICORN 6.4 Administration and Technical Manual Page intentionally left blank Table of Contents Table of Contents 1 Introduction... 1.1 Administrator functions overview... 1.2 Network terms and concepts...

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

SSL VPN Technology White Paper

SSL VPN Technology White Paper SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and

More information

High Availability Branch Office VPN

High Availability Branch Office VPN Technical White Paper jwgoerlich.us High Availability Branch Office VPN J Wolfgang Goerlich Written October 2007 Business Objective A business has a main office and a branch office. These are to be connected

More information

Creating the program. TIA Portal. SIMATIC Creating the program. Loading the block library. Deleting program block Main [OB1] Copying program blocks

Creating the program. TIA Portal. SIMATIC Creating the program. Loading the block library. Deleting program block Main [OB1] Copying program blocks Loading the block library 1 Deleting program block Main [OB1] 2 TIA Portal SIMATIC Getting Started Copying program blocks 3 Cyclic interrupt OB 4 Copying tag tables 5 Compiling a project 6 Load project

More information

Security concept PCS 7 & WinCC. (Basic) SIMATIC. Process Control System PCS 7 Security concept PCS 7 & WinCC (Basic) Preface 1

Security concept PCS 7 & WinCC. (Basic) SIMATIC. Process Control System PCS 7 Security concept PCS 7 & WinCC (Basic) Preface 1 Security concept PCS 7 & WinCC (Basic) SIMATIC Process Control System PCS 7 Security concept PCS 7 & WinCC (Basic) Function Manual Preface 1 Aim of the security concept 2 References 3 Definitions 4 Strategies

More information

VPN Configuration Guide. Dell SonicWALL

VPN Configuration Guide. Dell SonicWALL VPN Configuration Guide Dell SonicWALL 2013 equinux AG and equinux USA, Inc. All rights reserved. Under copyright law, this manual may not be copied, in whole or in part, without the written consent of

More information

Introduction. Versions Used Windows Server 2003

Introduction. Versions Used Windows Server 2003 Training Installing Active Directory Introduction As SonicWALL s products and firmware keeps getting more features that are based on integration with Active Directory, e.g., Active Directory Connector

More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

UNICORN 7.0. Administration and Technical Manual

UNICORN 7.0. Administration and Technical Manual UNICORN 7.0 Administration and Technical Manual Page intentionally left blank Table of Contents Table of Contents 1 Introduction... 1.1 Administrator functions overview... 1.2 Network terms and concepts...

More information

Automation License Manager

Automation License Manager s Contents Product Overview 1 Installation 2 Working with the Automation License Manager 3 Glossary Manual Index 12/2008 A5E02389428-01 Legal information Warning notice system This manual contains notices

More information

IX Support Tool Setting Manual

IX Support Tool Setting Manual IX System IP network-compatible intercom IX Support Tool Setting Manual Software version 2.0.0.0 or later Before configuring and using the system, read Setting Manual and Operation Manual (PDF) carefully.

More information

Networking Guide Redwood Manager 3.0 August 2013

Networking Guide Redwood Manager 3.0 August 2013 Networking Guide Redwood Manager 3.0 August 2013 Table of Contents 1 Introduction... 3 1.1 IP Addresses... 3 1.1.1 Static vs. DHCP... 3 1.2 Required Ports... 4 2 Adding the Redwood Engine to the Network...

More information

Pro-Watch Software Suite Installation Guide. 2013 Honeywell Release 4.1

Pro-Watch Software Suite Installation Guide. 2013 Honeywell Release 4.1 Pro-Watch Software Suite Release 4.1 Installation Guide Document 7-901073V2 Pro-Watch Software Suite Installation Guide 2013 Honeywell Release 4.1 Copyright 2013 Honeywell. All rights reserved. Pro-Watch

More information

Realize your full potential with the new version of SIMATIC PCS 7

Realize your full potential with the new version of SIMATIC PCS 7 Version 8.1 Realize your full potential with the new version of SIMATIC PCS 7 Performance you trust siemens.com/simatic-pcs7 Answers for industry. More than 70 new features, new possibilities: SIMATIC

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Implementing Domain Name Service (DNS)

Implementing Domain Name Service (DNS) Implementing Domain Name Service (DNS) H C A 1 P T E R ITINERARY Objective 1.01 Objective 1.02 Objective 1.03 Install and Configure DNS for Active Directory Integrate Active Directory DNS Zones with Existing

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

WinCC Options. Redundancy. Manual C79000-G8263-C142-01

WinCC Options. Redundancy. Manual C79000-G8263-C142-01 WinCC Options Redundancy Manual Edition November 1998 WinCC, SIMATIC, SINEC, STEP are Siemens registered trademarks. All other product and system names in this manual are (registered) trademarks of their

More information

Microsoft Exchange ActiveSync Administrator s Guide

Microsoft Exchange ActiveSync Administrator s Guide Microsoft Exchange ActiveSync Administrator s Guide Copyright 2005 palmone, Inc. All rights reserved. palmone, HotSync, Treo, VersaMail, and Palm OS are among the trademarks or registered trademarks owned

More information

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required) MCSE 2003 Microsoft Certified Systems Engineer (MCSE) candidates on the Microsoft Windows Server 2003 track are required to satisfy the following requirements: Core Exams (6 Exams Required) Four networking

More information

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2 Introduction 1 Web application basics 2 SIMATIC Information Server V8.0 Update 1 System Manual Office add-ins basics 3 Time specifications 4 Report templates 5 Working with the Web application 6 Working

More information

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12 Course Page - Page 1 of 12 Windows 7 Enterprise Desktop Support Technician M-50331 Length: 5 days Price: $2,795.00 Course Description This five-day instructor-led course provides students with the knowledge

More information

Outpost Network Security

Outpost Network Security Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Service & Support. How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client.

Service & Support. How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client. Cover How do you create a communication of RDP with an Industrial Thin Client SIMATIC ITC? Thin Client FAQ August 2012 Service & Support Answers for industry. Question This entry is from the Siemens Industry

More information

Managing Remote Access

Managing Remote Access VMWARE TECHNICAL NOTE VMware ACE Managing Remote Access This technical note explains how to use VMware ACE to manage remote access through VPN to a corporate network. This document contains the following

More information

Kaseya 2. User Guide. Version R8. English

Kaseya 2. User Guide. Version R8. English Kaseya 2 Discovery User Guide Version R8 English September 19, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A

Getting Started with. Ascent Capture Internet Server 5. 10300260-000 Revision A Ascent Capture Internet Server 5 Getting Started with Ascent Capture Internet Server 5 10300260-000 Revision A Copyright Copyright 2001 Kofax Image Products. All Rights Reserved. Printed in USA. The information

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

COURSE 20410C: INSTALLING AND CONFIGURING WINDOWS SERVER 2012

COURSE 20410C: INSTALLING AND CONFIGURING WINDOWS SERVER 2012 ABOUT THIS COURSE Get hands-on instruction and practice installing and configuring Windows Server 2012, including Windows Server 2012 R2, in this 5-day Microsoft Official Course. This course is part one

More information

LogMeIn Hamachi. Getting Started Guide

LogMeIn Hamachi. Getting Started Guide LogMeIn Hamachi Getting Started Guide Contents What Is LogMeIn Hamachi?...3 Who Should Use LogMeIn Hamachi?...3 The LogMeIn Hamachi Client...4 About the Relationship Between the Client and Your LogMeIn

More information

Cisco Expressway Basic Configuration

Cisco Expressway Basic Configuration Cisco Expressway Basic Configuration Deployment Guide Cisco Expressway X8.1 D15060.03 August 2014 Contents Introduction 4 Example network deployment 5 Network elements 6 Internal network elements 6 DMZ

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network Introduction p. xix Assessment Test p. xxxviii Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network Components

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Fundamentals of a Windows Server Infrastructure MOC 10967

Fundamentals of a Windows Server Infrastructure MOC 10967 Fundamentals of a Windows Server Infrastructure MOC 10967 Course Outline Module 1: Installing and Configuring Windows Server 2012 This module explains how the Windows Server 2012 editions, installation

More information

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report Xerox Multifunction Devices Customer Tips March 15, 2007 This document applies to these Xerox products: X WC 4150 X WCP 32/40 X WCP 35/45/55 X WCP 65/75/90 X WCP 165/175 X WCP 232/238 X WCP 245/255 X WCP

More information

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry.

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry. Security all around Industrial security for your plant at all levels siemens.com/industrialsecurity Answers for industry. A systematic approach to minimize threats With the increased use of Ethernet connections

More information

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations TECHNICAL WHITE PAPER Symantec pcanywhere Security Recommendations Technical White Paper Symantec pcanywhere Security Recommendations Introduction... 3 pcanywhere Configuration Recommendations... 4 General

More information

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10 Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS

More information

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents

SIMATIC. Process Control System PCS 7 SIMATIC BATCH. Preface, Contents s Preface, Contents SIMATIC Process Control System PCS 7 Manual What's New in SIMATIC BATCH? Product introduction and installation 2 Technological basics in accordance with ISA S88.01 3 1 Introduction

More information

QuickStart Guide vcenter Server Heartbeat 5.5 Update 2

QuickStart Guide vcenter Server Heartbeat 5.5 Update 2 vcenter Server Heartbeat 5.5 Update 2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab

Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab Página 1 de 54 Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab This guide provides detailed information about how you can use five computers to create a test lab with which to configure

More information

Planning and Implementing Windows Server 2008

Planning and Implementing Windows Server 2008 Planning and Implementing Windows Server 2008 Course Number: 6433A Course Length: 5 Days Course Overview This five day course is intended for IT Professionals who are interested in the knowledge and skills

More information

7.1. Remote Access Connection

7.1. Remote Access Connection 7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to

More information
