1.6        Security Considerations

This is a brief overview of Security considerations for a Web Access project (or any HMI and SCADA project). For a complete description, please refer to Chapter 8 - Users, Passwords & Security.

1.  Use a firewall appliance!  A firewall appliance (like a Netgear FR114P) can be purchased for under $100 and is more secure than firewall software, based on our experience.

If you do not have a Firewall appliance, then at least use a Router with port mapping.

Note - Always use a Firewall or Router to connect a new PC using a Public IP Address, especially if you have not downloaded Windows Service Packs and installed Virus scan software. A new PC is vulnerable to viruses and malicious software until the latest security updates are downloaded from Microsoft.  Always use a Firewall or a Router when first setting up a new PC.

See 1.6.1.3 TCP Ports and Firewalls for more information.

Windows XP, 2003 and Vista

Windows XP, 2003 and Vista come with Windows Firewall. WebAccess automatically configures Windows Firewall to allow the WebAccess Kernel (datacore.exe), the WebAccess Network Service (webvrpcs.exe), and the HTTP Service (port 80) to accept incoming network connections when WebAccess Node is installed. These ports must remain unblocked in order for WebAccess to work properly.

2.  Windows Update and latest Windows Service Packs

Warning - A new PC is vulnerable to viruses and malicious software until the latest security updates are downloaded from Microsoft.  Always use a Firewall or a Router when first setting up a new PC.  Do not use Windows Update over the Internet if you do not have a firewall or a router.

Hint - if you are using a private IP Address, then you are probably behind a firewall or router. The Private IP Addresses (also called Reserved Addresses) are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255

3.  Anti-Virus Software It is recommended to install and update Anti-virus software on all SCADA Nodes, the Project Node and all Clients.

4.  Stop or do not install FTP.  Its not needed by WebAccess. If you use FTP, make it read only by Internet Accounts.

5.  WWW Service not needed by SCADA Nodes. Only the Project Node or a combined Project / SCADA nodes needs the WWW service ( IIS ). See 1.4.1 Project Node - System Requirements and 1.4.2 SCADA Nodes - System Requirements.

6. Use Windows Integrated Security for Web Server (Project Node). - A user name and password required to connect to the web server (project node) to find the address of the SCADA node and download ASP pages. Windows Integrated Security can restrict access to your Web Server to only those users recognized by Windows security.  These can be Domain Users or Local Users and provide security similar to a company Intranet.

Only use Anonymous Access if you have a large number of Clients. It is the least secure and allows anyone or any software to access your web server.  It is recommended only for systems and large campuses with hundreds of users.

See 1.6.5 Web Server Security.

7.  WebAccess User accounts can limit which displays and tags a user can view.  WebAccess Area & Level Security restrict which tags a user can change. WebAccess User accounts are independent of Windows Security.  See the Engineering Manual, sections 1.6.5 WebAccess User Accounts and 1.6.6 WebAccess Area and Level Security .

8.  Use a Remote Access Code for Project Node and SCADA Node software.
See the Engineering Manual, 1.6.4 WebAccess Remote Access Code.

9.  Use the NTFS file system on your Project and SCADA Nodes. See 1.4.1 Project Node - System Requirements and 1.4.2 SCADA Nodes - System Requirements.