1.6.2   Windows 2000, 2003, XP and Vista Security

The Project Node is a Web Server. Using the appropriate Windows security settings can protect your WebAccess system from hackers and intruders.

Web Server

Integrated Windows Authentication limits access to users you have created in the Local User Accounts and/or your Domain. It is recommended to use Integrated Windows Security and disable Anonymous Login, if possible. This effectively creates intranet-style access to your WebAccess System. Users will be prompted for a username and password. The passwords are encrypted and highly secure. If all your users are part of an intranet or LAN, and they are logged on as a user recognized by the Project Node, the connection will be transparent (i.e. no login dialog box).

The best way to secure your system is to use Windows Authentication in IIS (the web server software). Your WebAccess Project will act as if it is on an intranet, requiring that all users be recognized by the Windows Operating System (as either a Local User or a Domain User). Users will be asked for User Name, Password (and optionally Domain) just to connect. Using Windows Authentication in IIS (the Web Server) will reduce load on your web server from spurious requests from malicious users (and viruses) by denying access to unauthorized users.

Anonymous Logon to project node is supported.  This may be the practical solution if you have a very large number of users (for example, a college campus).
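To check which of the two modes above a site is actually in, the following added example (not part of the WebAccess documentation or software) resolves the effective authentication settings from an IIS 7 applicationHost.config, the format used on Windows Vista. The sample configuration is constructed, and the site name "Default Web Site" and the fallback values in DEFAULTS are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed applicationHost.config; the site name is assumed.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

AUTH = "system.webServer/security/authentication"
# Assumed state for a scheme that is not configured anywhere in the file.
DEFAULTS = {"anonymousAuthentication": True, "windowsAuthentication": False,
            "basicAuthentication": False}

def effective_auth(config_xml, site):
    """Server-level settings, then overrides from <location> blocks for the site."""
    root = ET.fromstring(config_xml)
    state = dict(DEFAULTS)
    # path="" applies to the whole server; site paths are compared case-insensitively.
    locations = [loc for loc in root.findall("location")
                 if loc.get("path", "").lower() in ("", site.lower())]
    locations.sort(key=lambda loc: len(loc.get("path", "")))
    for scope in [root] + locations:  # most specific scope is applied last
        auth = scope.find(AUTH)
        if auth is None:
            continue
        for scheme in state:
            node = auth.find(scheme)
            if node is not None and node.get("enabled") is not None:
                state[scheme] = node.get("enabled").lower() == "true"
    return state

def audit(config_xml, site):
    """Return deviations from the Windows-Authentication-only setup."""
    st = effective_auth(config_xml, site)
    checks = [(st["anonymousAuthentication"], "anonymous logon enabled"),
              (not st["windowsAuthentication"], "Windows Authentication disabled"),
              (st["basicAuthentication"], "Basic Authentication enabled")]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    print(audit(SAMPLE, "Default Web Site") or "OK")
```

An empty result means the site requires a Windows logon; on Vista this also depends on the Windows Authentication feature being turned ON in the Windows Features dialog.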

FTP Service is not required by WebAccess. You can further secure your project node by stopping the FTP service, by not installing the FTP service, or by allowing read-only access and disabling execute. If you plan to use the FTP service on your Project Node for another application, it is recommended to assign Read Only Access to ftproot for the Internet Users. This assures that no one can write or add any unauthorized data to your Web Server (Project Node). Anonymous Access is preferable for the FTP server because the FTP protocol could allow passwords to be intercepted. By limiting access to Read Only or disabling the FTP service, you prevent anyone from adding anything to your server.

SMTP Service is not required by WebAccess if you are using an external SMTP server and account (for example, your corporate email server or an ISP). Emailing alarms and reports requires access to an SMTP server.

Optionally, the SMTP service of Windows IIS can be installed on the Project Node or a SCADA Node to send email. This might be acceptable for a LAN or Intranet that sends mail locally only within the same domain or workgroup. To use the SMTP Server on the Project Node to send outside of a local domain, either a user account and password must be configured to connect to a SMART HOST in the SMTP Properties of Windows IIS on the Project Node, or a SMART HOST (your corporate email server) needs to accept relay from the Project Node. This is not a recommended procedure.

See 3.2.8 Outgoing Email Server - SMTP for more discussion on SMTP to send email.

Windows Vista

For WebAccess software to run on Windows Vista, the User Account Control (UAC) feature on Windows Vista must be disabled. The User Account Control feature is widely considered by many tech reporters to be one of the largest downfalls of Vista. We think the UAC feature is unnecessary. During WebAccess installation, the User Account Control feature will be turned off. As a result, IE 7 Protected Mode is also turned off. The Protected Mode of IE 7 must be off for the WebAccess Client and other important functions to work properly. If you do not agree with this, please do not install WebAccess Node or Client on Windows Vista.

Project Node

For WebAccess Project Node software to run on Windows Vista, install IIS on your project nodes first, with the following IIS features turned on, before installing WebAccess Node.

Enable IIS (Internet Information Service) before installing Project Node software!

IIS is the “web server” in Windows. IIS must be enabled before installing the Project Node software to allow WebAccess files to be installed properly.

IIS is disabled by default in Windows Vista. If you wish to use WebAccess Project Node on Windows Vista, enable IIS on your project nodes first, with the following IIS features turned on, before installing WebAccess Project Node software.

To enable IIS in Windows Vista Business:

1. Start -> Control Panel -> Programs -> Programs and Features

2. On the left Side Bar select “Turn Windows features on or off”

3. Wait for the Windows Features dialog box to open and fill, then expand “Internet Information Services”.

In case the above JPEG images do not appear, the typical settings for IIS in Vista for use with WebAccess on the Project Node, as tested, are:

Internet Information Services - ON
    FTP Publishing Service - OFF (optionally ON; not needed and is a security risk)
    Web Management Tools - ON
        IIS 6 Management Compatibility - ON
            IIS 6 Management Console - OFF
            IIS 6 Scripting Tools - OFF
            IIS 6 WMI Compatibility - OFF
            IIS Metabase and IIS 6 configuration compatibility - ON
        IIS Management Console - ON
        IIS Management Scripts and Tools - OFF
        IIS Management Service - OFF
    World Wide Web Services - ON
        Application Development Features - ON
            .NET Extensibility - OFF
            ASP - ON
            ASP.NET - OFF
            CGI - OFF
            ISAPI Extensions - ON
            ISAPI Filters - OFF
            Server Side Includes - ON
        Common Http Features - ON
            Default Document - ON
            Directory Browsing - ON
            Http Errors - ON
            Http Redirection - ON
            Static Content - ON
        Health and Diagnostics - ON
            Custom Logging - OFF
            HTTP Logging - ON
            Logging Tools - OFF
            ODBC Logging - OFF
            Request Monitoring - ON
            Tracing - OFF
        Performance Features - ON
            Http Compression Dynamic - ON
            Static Content Compression - ON
        Security - ON
            Basic Authentication - OFF
            Client Certificate Mapping Authentication - OFF
            Digest Authentication - OFF
            IIS Client Certificate Mapping Authentication - OFF
            IP Security - OFF
            Request Filtering - ON
            URL Authorization - OFF
            Windows Authentication (optional ON, usually OFF)