Security Enhancements
CitectSCADA 7.10r0

The CitectSCADA 7.10 release includes changes designed to reduce the product's exposure to external threats arriving over the network. The affected product features are detailed below. Review the list to understand what effect they may have on your system during the upgrade and design process.

A set of new configuration parameters has been added to provide control over the CitectSCADA network interfaces. These parameters help you protect your system by letting you switch off features of the product that you do not use. The following services can be enabled or disabled: DDE, Remote CTAPI, LAN, ODBC, OLEDB and FTP. These services are disabled by default.
A user now has to be configured and logged in to CitectSCADA before the display process is allowed to perform a tag write (control) action. CitectSCADA projects should be designed to avoid Cicode tasks that perform tag writes which are not issued by a user, since a display process with no user logged in cannot perform them.

Note: Due to improvements in security, CitectSCADA no longer supports projects having multiple users with the same name and different passwords.

We recommend that projects be configured to take advantage of this change and gain the increased protection. If your system already has network security protection in place and does not require the additional protection, the change can be turned off using the following parameters to avoid its impact:
Parameter for the client/display node:

    [LAN]SecureLogin

Parameter for the server node:

    [LAN]AllowLegacyConnections

These parameters may be required during an upgrade when a running system contains a mix of old and new version CitectSCADA nodes. Treat them as transitional settings: return [LAN]SecureLogin to 1 and [LAN]AllowLegacyConnections to 0 once every node has been upgraded.
The System Parameters that have been introduced or modified as part of the security enhancements are as follows. Details of each parameter follow.

[Client]AutoLoginMode
Set to enable auto login. Users can select one of seven modes.

Mode 0: Auto login is disabled. The Control Client starts in view-only mode until a valid user logs on.

Mode 1: The system logs in with the current Windows user at startup.

Mode 2: The system logs in with the current Windows user at startup and again on logout. If the startup login fails, the user is prompted to log in at startup and on logout, so the system never switches to view-only mode.

Note: If the startup login of the current Windows user fails, modes 1 and 2 behave the same as modes 3 and 4 respectively.

Mode 3: The user is prompted with an empty login form at startup.

Mode 4: The user is prompted with an empty login form at startup and on logout. If the user selects Cancel, the process shuts down.

Note: Mode 4 should not be used on a server process where Server Login is disabled ([LAN]ServerLoginEnabled = 0), because cancelling the prompt would shut the server process down.

Mode 5: Automatically log in with the saved user credentials at startup. If the login fails or there are no saved credentials, the user is prompted to log in.

Mode 6: Attempt to log in automatically with the saved credentials at startup and on logout. If no saved credentials are available (or they fail to log in), the user is prompted to log in at startup. On logout the initial user is logged back in without being re-validated, so no prompt is shown even if that user's password has changed in the meantime (for example, a Windows user).

To remove or change the credentials saved by modes 5 or 6, set the mode to 3 or 4 and restart so that you are prompted for login. When the user logs in successfully the saved credentials are removed; the mode can then be set back to 5 or 6 and the system restarted to be prompted again.

Note: In modes 1, 3 and 5, when the user logs out the system reverts to view-only mode and no further action is taken.

Allowable Values:
0 - Auto login disabled. The Control Client starts in view-only mode until a valid user logs on.
1 - Log in the current Windows user at system startup.
2 - Log in the current Windows user as the system default user at startup and on logout.
3 - Prompt the user for login at startup.
4 - Prompt the user for login at startup and logout.
5 - Try to log in with the saved credentials at startup.
6 - Try to log in with the saved credentials at startup and on logout.
Default Value: 0
[LAN]AnonymousLoginName
The name of the default identifier that allows 'view-only' data access from a client process to the SCADA server(s). It is used when no user is logged in on the client. Change it to a site-specific identifier for increased security.

Allowable Values: any identifier string
Default Value: "Anonymous"

[LAN]AllowLegacyConnections
Relaxes the access restrictions for older clients. When set to 1, clients from previous versions can connect to the server. The setting only has an effect while [LAN]SecureLogin is enabled; it exists to support mixed-version systems during an upgrade and should be returned to 0 afterwards.

Allowable Values: 0 or 1
Default Value: 0

[LAN]SecureLogin
Security measures are active. When set to 0 the security measures are disabled and the system behaves as it did in versions prior to 7.10. When disabled, the [LAN]AllowLegacyConnections setting is not used, as legacy connections are allowed anyway.

Note: This option should be used with caution and only if the network is not accessible to outsiders.

Allowable Values: 0 or 1
Default Value: 1
[LAN]ServerLoginEnabled
When CitectSCADA is configured to run in multi-process mode, the I/O, Alarm, Trend and Report servers run as separate processes and need to connect to other servers. Server login uses the specified identifier (similar to anonymous login) to establish this initial communication between servers. You can configure the name of the identifier or disable server login. If it is disabled, the server process acts much like a control client, depending on the value set for [Client]AutoLoginMode.

Allowable Values: 0 or 1
Default Value: 1 (server login enabled)

[LAN]ServerLoginName
The name of the default identifier that allows data access from a server process to other SCADA server process(es). Change it to a site-specific identifier for increased security.

Allowable Values: any identifier string
Default Value: "SuperUser"
[CtAPI]AllowLegacyConnections
By default the CTAPI server only accepts connections from the current version of the CTAPI client. When [CtAPI]AllowLegacyConnections is set to 1, the CTAPI server also accepts connections from previous versions of the CTAPI client.

Allowable Values:
0 - Do not allow legacy connections
1 - Allow legacy connections
Default Value: 0

[CtAPI]AllowLegacyServices
When set to 1, the Citect Web Service and the Citect OLEDB Provider can connect to the CTAPI server.

Allowable Values:
0 - Disable connection
1 - Allow connection
Default Value: 0

[CtAPI]Remote
Determines whether remote computers using the CTAPI interface can call in to this computer.

Note: To use the CTAPI on a remote computer without installing CitectSCADA, copy the following files from the \CitectSCADA\BIN directory to the remote computer: CTAPI.DLL, CT_IPC.DLL, CTENG32.DLL, CTRES32.DLL and CTUTIL32.DLL. Leave [CtAPI]Remote at 0 on every node that does not need to serve remote CTAPI clients.

Allowable Values:
0 - Do not allow remote access
1 - Allow remote access
Default Value: 0
[DDE]AllowCicode
Allows Cicode to be run on the Citect server via the DDE Execute command. Enabling this lets DDE clients run Cicode on the server, so leave it at 0 unless a specific integration requires it.

Allowable Values: 0 or 1
Default Value: 0

[DDE]AllowWrites
Allows tag writes to the Citect server via the DDE Poke command.

Allowable Values: 0 or 1
Default Value: 0
ODBC Parameters

[ODBC]Server
When set to 1, ODBC connections are accepted.

Allowable Values:
0 - Not listening for ODBC connections
1 - Listening for ODBC connections
Default Value: 0
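The script below is an added example, not CitectSCADA code. It audits a citect.ini against the hardened values of the parameters listed above, covering both the per-service switches and the transitional [LAN]SecureLogin / [LAN]AllowLegacyConnections pair used during mixed-version upgrades, and it applies the two edge cases the page calls out: AllowLegacyConnections being ignored while SecureLogin is 0, and AutoLoginMode 4 on a server process with server login disabled. The section and parameter names and the default values are the ones documented on this page; the severity labels, the Finding type and the sample INI are assumptions made for the example.

```python
"""
Audit a CitectSCADA 7.10 citect.ini against the network-exposure parameters
documented above.  Added example, not CitectSCADA code: expected values are
the documented defaults; the sample INI at the bottom is constructed to look
like a server node part-way through an upgrade.
"""
import configparser
from dataclasses import dataclass

# (section, parameter, hardened value, what a non-hardened value exposes)
HARDENED = [
    ("LAN",   "SecureLogin",            "1", "0 restores pre-7.10 behaviour: no login needed for tag writes"),
    ("LAN",   "AllowLegacyConnections", "0", "pre-7.10 clients may connect to the server"),
    ("CtAPI", "AllowLegacyConnections", "0", "pre-7.10 CTAPI clients may connect"),
    ("CtAPI", "AllowLegacyServices",    "0", "Web Service and OLEDB Provider reach the CTAPI server"),
    ("CtAPI", "Remote",                 "0", "remote computers may call CTAPI on this node"),
    ("DDE",   "AllowCicode",            "0", "DDE Execute runs Cicode on the server"),
    ("DDE",   "AllowWrites",            "0", "DDE Poke writes tags on the server"),
    ("ODBC",  "Server",                 "0", "ODBC listener accepts connections"),
]
# Identifiers the page recommends replacing with site-specific names.
DEFAULT_NAMES = [("LAN", "AnonymousLoginName", "Anonymous"),
                 ("LAN", "ServerLoginName", "SuperUser")]


@dataclass
class Finding:                      # assumed report record, not a Citect type
    section: str
    key: str
    value: str
    severity: str                   # "high", "low" or "info"
    note: str


def load_ini(text):
    """Parse INI text into {section: {key: value}} with names case-folded,
    because Citect parameter names are written with mixed case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep case here; we fold below
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in cp[s].items()}
            for s in cp.sections()}


def get(cfg, section, key, default):
    """An unset parameter takes its documented default value."""
    return cfg.get(section.lower(), {}).get(key.lower(), default)


def audit(ini_text):
    cfg = load_ini(ini_text)
    findings = []
    for section, key, hardened, note in HARDENED:
        actual = get(cfg, section, key, hardened)
        if actual != hardened:
            findings.append(Finding(section, key, actual, "high", note))

    # With SecureLogin=0 the LAN AllowLegacyConnections value is not used:
    # legacy connections are accepted regardless of what the file says.
    if (get(cfg, "LAN", "SecureLogin", "1") == "0"
            and get(cfg, "LAN", "AllowLegacyConnections", "0") == "0"):
        findings.append(Finding("LAN", "AllowLegacyConnections", "0", "info",
                                "ignored while SecureLogin=0; legacy connections allowed anyway"))

    for section, key, default in DEFAULT_NAMES:
        if get(cfg, section, key, default).lower() == default.lower():
            findings.append(Finding(section, key, default, "low",
                                    "documented default identifier; use a site-specific name"))

    # Mode 4 shuts the process down if the login prompt is cancelled, which
    # the page warns against on a server process with server login disabled.
    mode = get(cfg, "Client", "AutoLoginMode", "0")
    if mode not in {str(m) for m in range(7)}:
        findings.append(Finding("Client", "AutoLoginMode", mode, "high",
                                "not one of the seven documented modes (0-6)"))
    elif mode == "4" and get(cfg, "LAN", "ServerLoginEnabled", "1") == "0":
        findings.append(Finding("Client", "AutoLoginMode", mode, "high",
                                "mode 4 with ServerLoginEnabled=0: cancelling the prompt shuts the server down"))
    return findings


# Constructed sample: a server node during an upgrade, with legacy LAN
# clients still allowed and remote CTAPI switched on for a test tool.
SAMPLE_INI = """
[LAN]
SecureLogin=1
AllowLegacyConnections=1
ServerLoginEnabled=1

[CtAPI]
Remote=1
AllowLegacyConnections=0

[Client]
AutoLoginMode=4
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INI):
        print(f"{f.severity:4} [{f.section}]{f.key}={f.value}: {f.note}")
```

Run it against a real file with audit(open(path).read()). Unset parameters are treated as their documented defaults, so the sample above reports only the two enabled switches (LAN legacy connections and remote CTAPI) as high and the two unchanged default identifiers as low; an empty file reports nothing but the identifiers.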