
FactoryTalk Security System Configuration Guide


Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product.


Transcription of FactoryTalk Security System Configuration Guide

Quick Start Guide
FactoryTalk Security System Configuration Guide
Rockwell Automation Publication FTSEC-QS001N-EN-E

Table of contents

Preface
  Summary of changes
  About this publication
  Additional resources

Legal Notices
  Legal Notices

Chapter 1 About FactoryTalk systems
  FactoryTalk systems
  FactoryTalk Directory types
  Accounts and groups
  Account types
  Applications and areas
  Security in a FactoryTalk System
  Example: Two directories on one computer

Chapter 2 Install FactoryTalk Services Platform
  Install FactoryTalk Services Platform

Chapter 3 Getting started with FactoryTalk Security
  FactoryTalk Security
  Security on a local directory
  Security on a network directory
  How Security authenticates user accounts
  Things you can secure
  Best practices
  Audit trails and regulatory compliance
  Configure a computer to be the FactoryTalk Directory network server
  Configure a computer to be the network directory server
  Configure a network directory client computer
  Check network directory server connection status
  FactoryTalk Directory Server Location

Chapter 4 Manage users
  Manage users
  Add a FactoryTalk user account
  Add a Windows-linked user account
  Add group memberships to a user account
  Remove group memberships from a user account
  Delete a user account

Chapter 5 Manage user groups
  Manage user
  Add a FactoryTalk user group
  Add a Windows-linked user group
  Edit or view user group properties
  Delete a user group
  Add accounts to a FactoryTalk user group
  Remove accounts from a FactoryTalk user

Chapter 6 Manage computers
  Manage computers
  Add a computer
  Delete a computer
  Edit or view computer properties

Chapter 7 Add and remove user-computer pairs
  Add and remove user-computer pairs
  Add a user-computer pair
  Remove a user-computer pair
  Edit or view user account properties

Chapter 8 Add and remove action groups
  Add and remove action groups
  Add an action group
  Delete an action group
  Add an action to an action group
  Remove an action from an action group

Chapter 9 Set System policies
  Authorize an application to access the FactoryTalk Directory
  FactoryTalk Service Application
  FactoryTalk Service Application Authorization settings
  Publisher Certificate Information
  Digitally signed FactoryTalk products
  Assign user rights to make System policy changes
  User rights assignment policies
  User Rights Assignment Policy Properties
  Configure Securable Action
  Select a user or group
  Change the default communications protocol
  Default communications protocol settings
  Live Data Policy Properties
  Set network health monitoring policies
  Health Monitoring Policy Properties
  Set audit policies
  Audit policies
  Audit Policy Properties
  Monitor Security-related events
  Example: Audit messages
  Set System Security policies
  Modify Account Policy Settings
  Modify Computer Policy Settings
  Modify Directory Protection Policy Settings
  Modify Password Policy Settings
  Enable single
  Disable single sign-on
  Account Policy Settings
  Computer Policy Settings
  Directory Protection Policy Settings
  Cache expiration policies
  Password Policy Settings
  Single Sign-On Policy Settings
  When to disable single sign-on
  Security Policy Properties
  Navigate the Policy Properties windows
  Export policies to XML

Chapter 10 Set product-specific policies
  Secure features of a single product
  Secure multiple product
  Feature Security for Product Policies
  Feature Security Policies
  Differences between securable actions and product policies

Chapter 11 Manage logical names
  Logical names
  Add a logical name
  Delete a logical name
  Add a device to a logical name
  Remove a device from a logical name
  Assign a control device to a logical name
  Add a logical name to an area or application
  Delete a logical name from an area or application
  New Logical Name
  Logical Name Properties
  Device

Chapter 12 Resource grouping
  Resource groupings
  Group hardware resources in an application or area
  Move a resource between areas
  Remove a device from a resource grouping
  Resources Editor
  Select Resources

Chapter 13 Secure resources
  Secure resources
  Permissions
  Breaking the chain of inheritance
  Order of precedence
  Actions
  Set FactoryTalk Directory permissions
  Set application permissions
  Set area permissions
  Set System folder permissions
  Set action group permissions
  Set database permissions
  Set logical name permissions
  Allow a resource to inherit permissions
  Prevent a resource from inheriting permissions
  View effective permissions
  Effective permission icons

Chapter 14 Disaster Recovery
  Back up a FactoryTalk System
  Back up a FactoryTalk Directory
  Back up a System folder
  Back up an application
  Back up a Security Authority identifier
  Backup
  Backup and restore options
  Modify Security Authority Identifier
  Restore a FactoryTalk System
  Restore a FactoryTalk Directory
  Restore a System folder
  Restore an application
  Restore a Security Authority identifier
  Verify Security settings after restoring a FactoryTalk System
  Update computer accounts in the network directory
  Recreate a Windows-linked user account
  Update Windows-linked user groups
  Update Security settings for Networks and Devices
  Update Security settings for the FactoryTalk Linx OPC UA Connector
  Restore database
  Restore an earlier System after upgrading FactoryTalk platform software
  Generate a Security Authority identifier
  Restore
  Restore (FactoryTalk Directory)
  Restore (System folder)
  Restore (Application)
  Restore Backup File
  FactoryTalk Directory Configuration Wizard
  Select a FactoryTalk Directory to configure
  Configure FactoryTalk Network Directory
  Network directory and the FactoryTalk Directory Configuration Wizard
  Configure FactoryTalk Local Directory
  Local directory and the FactoryTalk Directory Configuration Wizard
  Product support for network and local directories
  Enter an administrator user name and password
  Reset an expired password
  Change Password (local)
  Change Password (network)
  Summary
  Default passwords

Appendix A Upgrade FactoryTalk Services Platform
  Upgrade FactoryTalk Services Platform
  Identify the installed FactoryTalk Services Platform version

Appendix B FactoryTalk Web Services
  Install FactoryTalk Web
  Add an HTTPS site binding for FactoryTalk Web Services
  Client computers unable to connect to FactoryTalk Web Services
  User cannot log into FactoryTalk Web

Index

Preface

This manual includes new and updated information.

