FactoryTalk Security System Configuration Guide

Quick Start

Rockwell Automation Publication FTSEC-QS001Q-EN-E - March 2021 Supersedes Publication FTSEC-QS001P-EN-E - September 2020

Original Instructions

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards. Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Table of Contents

Preface

Summary of changes
About this publication
Additional resources
Legal Notices

Chapter 1: About FactoryTalk systems

FactoryTalk systems
  FactoryTalk Directory types
  Accounts and groups
  Account types
  Applications and areas
  Security in a FactoryTalk system
  Example: Two directories on one computer

Chapter 2: Install FactoryTalk Services Platform

Install FactoryTalk Services Platform
Install FactoryTalk System Services and FactoryTalk Policy Manager

Chapter 3: Getting started with FactoryTalk Security

FactoryTalk Security
  Security on a local directory
  Security on a network directory
  How security authenticates user accounts
  Things you can secure
  Best practices
  Audit trails and regulatory compliance
Configure a computer to be the FactoryTalk Directory network server
  Configure a computer to be the network directory server
  Configure a network directory client computer
  Check network directory server connection status
  FactoryTalk Directory Server Location Utility

Chapter 4: Manage users

Manage users
  Add a FactoryTalk user account
  Add a Windows-linked user account
  Add group memberships to a user account
  Remove group memberships from a user account
  Delete a user account

Chapter 5: Manage user groups

Manage user groups
  Add a FactoryTalk user group
  Add a Windows-linked user group
  Edit or view user group properties
  Delete a user group
  Add accounts to a FactoryTalk user group
  Remove accounts from a FactoryTalk user group

Chapter 6: Manage computers

Manage computers
  Add a computer
  Delete a computer
  Edit or view computer properties

Chapter 7: Add and remove user-computer pairs

Add and remove user-computer pairs
  Add a user-computer pair
  Remove a user-computer pair
  Edit or view user account properties

Chapter 8: Add and remove action groups

Add and remove action groups
  Add an action group
  Delete an action group
  Add an action to an action group
  Remove an action from an action group

Chapter 9: Set system policies

Authorize an application to access the FactoryTalk Directory
  FactoryTalk Service Application Authorization
  FactoryTalk Service Application Authorization settings
  Publisher Certificate Information
  Digitally signed FactoryTalk products
Authorize a service to use FactoryTalk Badge Logon
  FactoryTalk Badge Authorization
  FactoryTalk Badge Authorization settings
Assign user rights to make system policy changes
  User rights assignment policies
  User Rights Assignment Policy Properties
  Configure Securable Action
  Select a user or group
Change the default communications protocol
  Default communications protocol settings
  Live Data Policy Properties
Set network health monitoring policies
  Health Monitoring Policy Properties
Set audit policies
  Audit policies
  Audit Policy Properties
  Monitor security-related events
  Example: Audit messages
Set system security policies
  Modify Account Policy Settings
  Modify Computer Policy Settings
  Modify Directory Protection Policy Settings
  Modify Password Policy Settings
  Modify Badge login policies
  Enable single sign-on
  Disable single sign-on
  Account Policy Settings
  Computer Policy Settings
  Directory Protection Policy Settings
  Cache expiration policies
  Password Policy Settings
  Single Sign-On Policy Settings
  When to disable single sign-on
  Security Policy Properties
Navigate the Policy Properties windows
Export policies to XML

Chapter 10: Set product-specific policies

Secure features of a single product
Secure multiple product features
Feature Security for Product Policies
Feature Security Policies
Differences between securable actions and product policies

Chapter 11: Manage logical names

Logical names
Add a logical name
Delete a logical name
Add a device to a logical name
