
Managing Security for Ovation 3.6.0
OW360_40

Version 1
May 2016
Copyright Notice

Since the equipment explained in this document has a variety of uses, the user and those
responsible for applying this equipment must satisfy themselves as to the acceptability of each
application and use of the equipment. Under no circumstances will Emerson Process
Management be responsible or liable for any damage, including indirect or consequential losses
resulting from the use, misuse, or application of this equipment.

The text, illustrations, charts, and examples included in this manual are intended solely to explain
the use and application of the Ovation™ Unit. Due to the many variables associated with specific
uses or applications, Emerson Process Management cannot assume responsibility or liability for
actual use based upon the data provided in this manual.

No patent liability is assumed by Emerson Process Management with respect to the use of
circuits, information, equipment, or software described in this manual.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, including electronic, mechanical, photocopying, recording or otherwise
without the prior express written permission of Emerson Process Management.

The document is the property of and contains Proprietary Information owned by Emerson Process
Management and/or its subcontractors and suppliers. It is transmitted in confidence and trust, and
the user agrees to treat this document in strict accordance with the terms and conditions of the
agreement under which it was provided.

This manual is printed in the USA and is subject to change without notice.

Ovation is the mark of Emerson Process Management. Other marks are the property of their
respective holders.

Copyright © Emerson Process Management Power & Water Solutions, Inc. All rights reserved.
Emerson Process Management
Power & Water Solutions
200 Beta Drive
Pittsburgh, PA 15238
USA

E-Mail: Technical.Communications@EmersonProcess.com
Web site: https://www.ovationusers.com
Contents

1 Introduction to Ovation security 1


1.1 What is Ovation security? ................................................................................................... 1
1.1.1 What is the Ovation security management process? ............................................ 1
1.1.2 What is a domain? ................................................................................................. 2
1.1.3 What if the primary Domain Controller fails? ......................................................... 3
1.1.4 What are security roles? ........................................................................................ 3
1.1.5 What is the difference between workgroup security and domain security? ........... 3
1.1.6 What are security concerns for process control systems? .................................... 4
1.1.7 What security services does Emerson provide? .................................................... 4
1.2 Who sets security standards? ............................................................................................. 5
1.3 Security terminology ............................................................................................................ 5

2 Understanding Ovation external security 9


2.1 What is external security? ................................................................................................... 9
2.2 What types of external security threats should you be aware of? .................................... 10
2.3 What can you do to guard against external security threats? ........................................... 11
2.4 What is the recommended virus protection for Ovation Windows systems? .................... 12

3 Understanding Ovation internal security 13


3.1 What is Ovation internal security?..................................................................................... 13
3.2 What types of internal security threats should you be aware of? ..................................... 13
3.3 What can you do to guard against internal security threats? ............................................ 13

4 Planning Ovation security 15


4.1 Preparing for Ovation security........................................................................................... 15
4.2 Creating an Ovation security plan ..................................................................................... 16
4.3 What are the pre-defined Ovation roles? .......................................................................... 17
4.4 What are the pre-defined Group Policies? ........................................................................ 17
4.5 What are Ovation security rules? ...................................................................................... 18
4.6 What are the best practices for establishing a secure system? ........................................ 18

5 Using the Ovation Security Manager 19


5.1 Accessing the Ovation Developer Studio .......................................................................... 19
5.2 To access the Ovation Security Manager ......................................................................... 19
5.3 What are the Ovation Security Manager tasks? ............................................................... 20
5.4 What is the Ovation Security Manager? ........................................................................... 20
5.5 What are the Ovation Security Manager task functions? .................................................. 21

OW360_40 i
Table of Contents

6 Managing user accounts 23


6.1 What are user accounts? .................................................................................................. 23
6.2 To create a new user account ........................................................................................... 25
6.3 To rename a user account ................................................................................................ 26
6.4 To delete a user account ................................................................................................... 27
6.5 To reset a user password .................................................................................................. 27
6.6 To disable/enable a user's account ................................................................................... 28
6.7 To display and edit properties of a user account .............................................................. 28

7 Managing computer accounts 31


7.1 What are computer accounts? .......................................................................................... 31
7.2 To create a new computer account ................................................................................... 33
7.3 To delete a computer account........................................................................................... 34
7.4 To disable/enable a computer account ............................................................................. 34
7.5 To display and edit properties of a computer account ...................................................... 34
7.6 To create a new network ................................................................................................... 36
7.7 To delete a network account ............................................................................................. 37

8 Managing point security groups (PSG) 39


8.1 What are point security groups? ....................................................................................... 39
8.2 To edit a point security group ............................................................................................ 40

9 Managing Ovation roles 41


9.1 What are Ovation roles? ................................................................................................... 41
9.2 Defining roles at the local and remote console levels ....................................................... 43
9.3 To create a new role account ............................................................................................ 44
9.4 To duplicate a role account ............................................................................................... 44
9.5 To rename a role account ................................................................................................. 45
9.6 To delete a role account .................................................................................................... 45
9.7 What are the Ovation engineering security rules? ............................................................ 46
9.7.1 To display and edit properties of a role account (Rules tab for engineering) ...... 46
9.8 What are the Ovation operator security rules? ................................................................. 48
9.8.1 To display and edit properties of a role account (Rules tab for operator) ............ 48
9.9 What are the Ovation point security group (PSG) rules? .................................................. 50
9.9.1 To display and edit properties of a role account (PSG tab) ................................. 50
9.10 What is the Accounts tab? ................................................................................................ 51
9.10.1 To display properties of a role account (Accounts tab) ........................................ 52
9.11 What is the General tab? .................................................................................................. 53
9.11.1 To display and edit properties of a role account (General tab) ............................ 53


10 Managing group policies 55


10.1 What are group policies? .................................................................................................. 55
10.2 How are group policies enforced? .................................................................................... 56
10.3 To create a new group policy ............................................................................................ 57
10.4 To duplicate a group policy ............................................................................................... 57
10.5 To rename a group policy ................................................................................................. 58
10.6 To delete a group policy .................................................................................................... 58
10.7 To display and edit properties of a group policy (Policy Rules tab) .................................. 58
10.7.1 What are Ovation group security rules? ............................................................... 60
10.7.2 What is the Select Users dialog box? .................................................................. 60
10.7.3 What is the Select Values dialog box? ................................................................. 61
10.7.4 What is the enter text Value field? ....................................................................... 62
10.8 To display properties of a group policy (Accounts tab) ..................................................... 63
10.9 To display and edit properties of a group policy (General tab) ......................................... 64

11 Managing domain policies 65


11.1 What are domain policies? ................................................................................................ 65
11.2 What are default domain policies? .................................................................................... 66
11.3 What are default Domain Controller policies? ................................................................... 67
11.4 To display properties of a domain policy ........................................................................... 67

12 Managing administrators 69
12.1 What are administrators? .................................................................................................. 69
12.2 To assign administrative control........................................................................................ 70
12.3 To remove administrative control ...................................................................................... 71

13 Managing database users 73


13.1 What is the Manage Database Users functionality? ......................................................... 73
13.2 To reset the database user password ............................................................................... 75

14 Examples of security configuration 77


14.1 Configuring security for a domain ..................................................................................... 77
14.2 Creating Ovation role OPERATOR-1 ................................................................................ 78
14.3 Creating Ovation role OPERATOR-2 ................................................................................ 79
14.4 Creating Ovation role DEMOPC ....................................................................................... 79
14.5 Creating an account for Joe .............................................................................................. 80
14.6 Creating an account for computer DROP199 ................................................................... 80
14.7 Logging in locally to a local network ................................................................................. 81
14.8 Logging in locally to a remote network .............................................................................. 81
14.9 Logging in remotely to a local network .............................................................................. 82
14.10 Logging in remotely to a remote network .......................................................................... 82


14.11 Logging in locally to a restricted drop ............................................................................... 83
14.12 Logging in remotely to a restricted drop ............................................................................ 83

15 Using DigitalPersona Pro 5.5 fingerprint readers 85


15.1 What is the DigitalPersona Pro fingerprint reader?........................................................... 85
15.2 Why is multi-factor authentication so important? .............................................................. 85
15.3 How do you get started using DigitalPersona Pro fingerprint readers? ............................ 86
15.4 What are the system requirements? ................................................................................. 86
15.5 Overview of installing the DigitalPersona fingerprint reader software .............................. 86
15.5.1 To extend the Active Directory schema ............................................................... 87
15.5.2 To configure each domain.................................................................................... 89
15.5.3 To install the DigitalPersona Pro Server software on your Domain Controller .... 90
15.5.4 To install the administration tools on the Domain Controller ............................... 93
15.5.5 To configure a group policy for Domain Controllers ............................................ 93
15.5.6 To configure group policy for users and workstations ......................................... 98
15.5.7 To configure a shared workstation or kiosk (optional) ....................................... 105
15.5.8 To install the License Activation Manager ......................................................... 105
15.5.9 To activate licenses for DigitalPersona Enterprise Server ................................. 106
15.5.10 To install the DigitalPersona workstation software ............................................ 107
15.5.11 To install the VeriSign Primary PCA Root Certificate ........................................ 108
15.6 Adding fingerprints .......................................................................................................... 109
15.7 Uninstalling the DigitalPersona Pro fingerprint reader software ..................................... 110
15.7.1 To uninstall the DigitalPersona Pro Server software ......................................... 110
15.7.2 To run the DigitalPersona Pro cleanup wizard................................................... 110
15.7.3 To uninstall the DigitalPersona Pro workstation software from each workstation ....... 111

16 RADIUS Server 113


16.1 What is a RADIUS server? .............................................................................................. 113
16.2 Installing a RADIUS server ............................................................................................. 113
16.3 To access the Network Policy Server (NPS) window ..................................................... 115
16.4 Configuring a RADIUS server ......................................................................................... 116
16.4.1 To disable or delete the default policies ............................................................. 117
16.4.2 To create a Connection Request policy ............................................................. 119
16.4.3 To create a Network policy................................................................................. 131
16.4.4 To add a Controller as a RADIUS client ............................................................ 142

Index 145

SECTION 1

1 Introduction to Ovation security

IN THIS SECTION

What is Ovation security? ................................................................................................... 1
Who sets security standards? ............................................................................................. 5
Security terminology ............................................................................................................ 5

1.1 What is Ovation security?


Microsoft Corporation describes computer security as “protection of a computer system and its
data from harm or loss. A major focus of computer security, especially on systems that are
accessed by many people or through communication lines, is the prevention of system access by
unauthorized individuals.”

Security for an Ovation system is designed to prevent unauthorized use and unauthorized actions
on an Ovation control system. This is accomplished by using a domain concept plus the
assignment of security roles for users and computers in the domain.

A domain is a logical collection of computers and users on a network that share a common
security database. All the computers and users in the domain are managed by a server, known as
a Domain Controller that contains the security database.

Note: The Domain Controller manages Ovation security and is not the Ovation Controller that
manages Ovation process control functions.

Security roles are collections of rules that control the behavior and functionality of users and
computers in a domain. When a role is applied to a user/computer account, then security settings
for that user/computer are the same as for any user/computer that has that same role applied.
This simplifies the configuration and management of security for Ovation systems.

1.1.1 What is the Ovation security management process?

In order to manage Ovation security, you need to understand the processes involved. Assume
that you are the security administrator for an Ovation system. The following steps provide a high-
level overview of defining security for that system:

1. During software installation of your system, you must first define a computer to be the
primary Domain Controller for your system. This controller will manage the security for your
system. (Refer to the Ovation Software Installation Manual.)

Note: It is NOT recommended that you configure a primary Domain Controller to be an Operator
Station or a Base Station.


2. You may optionally define one or more computers to be redundant Domain Controllers for
your system. A redundant Domain Controller mirrors the security information in the primary
Domain Controller. The redundant controller takes over the authentication duties if the primary
Domain Controller fails. However, in this event, certain user configuration changes cannot be
performed (as described in What if the primary Domain Controller fails? (see page 3)).

Note: You can configure a redundant Domain Controller to be an Operator Station, Base
Station, or a Database Server, but you must be running Windows 2003 server.

3. Once the primary Domain Controller is defined, define all the other computers in the domain
to be domain members. (Refer to the Ovation Software Installation Manual.)
4. Create Group Policies (see page 55) for the users and computers in your domain. These
Group Policies are a collection of rules that you enable or disable for each policy. These
policies control the behavior of a user's desktop environment and system.
5. Create Ovation roles (see page 41) for the users and computers in your domain. These
Ovation roles are a collection of Ovation rules (see page 5) that you enable or disable for
each role. These rules control the run-time behavior of the Ovation software.
6. Once you are satisfied with the Group Policies and Ovation roles, you assign a policy and a
role to every user (see page 23) in your domain. Optionally, you may assign a policy and a
role to any appropriate computer (see page 31) in your domain.

After all the policies, roles, users, and computers in your domain are properly identified and each
one has its security configuration, your Ovation system is secure and ready to begin controlling
your processes.

1.1.2 What is a domain?

Ovation systems prior to Ovation 2.4 used the Windows workgroup model (see page 3) to
logically group computers and handle security on a network.

Ovation 3.x uses the Windows domain model to logically group computers and handle security
on a network. In this configuration, all computers on a network are part of a domain whose
security is controlled by a drop that is configured to be a primary Domain Controller. All Ovation
2.4 and later systems must contain a primary Domain Controller and can optionally contain
redundant Domain Controllers.

All drops on the system can access a software package known as the Ovation Security Manager
application. However, only a drop that is selected to manage the security is promoted to be the
primary Domain Controller. This enables the drop to manage the security for all the drops in the
domain. Any drop in the system that is not a Domain Controller drop is configured to be a domain
member and runs the Security Manager Client software.

Ovation uses its Security Manager application to provide security for entire systems, even
systems that may contain multiple networks.

Note: The Security Manager Server software that runs on the Domain Controller can be
successfully installed on a drop even if the drop does not contain the Ovation software. This
means you can have a Domain Controller that is not an Ovation drop in an Ovation system. This
is typically the Ovation Security Server.


1.1.3 What if the primary Domain Controller fails?

You must define a primary Domain Controller for every Ovation system and optionally, you can
define one or more redundant Domain Controllers. If you have defined a redundant Domain
Controller for your Ovation system, then certain security functions, such as login authentication
and group policy distribution, continue to update even if your primary Domain Controller fails.

If the primary Domain Controller for your system does fail, the following occurs:
• Configured security settings are maintained, but you cannot modify Security Manager
  settings.
• Latest security settings for Engineering and Operator functions are maintained.
• If the primary Domain Controller is also a Database Server, you can use Operator Station
  functions, but you cannot use the Developer Studio, Graphics Builder, or Control Builder
  functions.
• Logins are handled as follows:
  • If you have redundant Domain Controllers:
    • Logins are authenticated against any of the available redundant Domain Controllers.
    • If none of the redundant Domain Controllers is available, then logins are
      authenticated against cached security data.

Note: If you do not have redundant Domain Controllers, logins are authenticated against cached
login information. Security data is cached on every drop when you log in for the first time with an
online Domain Controller.

When your primary Domain Controller is back up and running, logins and engineering tools will
function as they had been originally configured by the Security Manager before the primary
Domain Controller failed.
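A check an administrator can run from a domain-member drop to confirm the failover arrangement this section describes (which Domain Controllers can authenticate logins, whether this drop's secure channel to the domain is intact, and whether cached logons are permitted). This is an added example, not a script from the Ovation manual or from Emerson; it assumes the Windows ActiveDirectory PowerShell module (RSAT) is installed on the drop and that the first-installed Domain Controller, the one the manual calls primary, holds the PDC emulator role.

```powershell
# Added example (not from the Ovation manual). Run on a domain-member drop as a domain user.
# Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Enumerate the Domain Controllers for this domain and show which one holds the
#    PDC emulator role (assumed here to be the manual's "primary" Domain Controller).
$dcs = Get-ADDomainController -Filter *
$pdc = (Get-ADDomain).PDCEmulator
foreach ($dc in $dcs) {
    $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    $role = if ($dc.HostName -eq $pdc) { 'primary (PDC emulator)' } else { 'redundant' }
    '{0,-35} {1,-24} reachable={2}' -f $dc.HostName, $role, $reachable
}
if (($dcs | Measure-Object).Count -lt 2) {
    Write-Warning 'No redundant Domain Controller: if the primary fails, logins rely on cached data only.'
}

# 2. Which Domain Controller is currently serving this drop, and is the drop's
#    secure channel to the domain still valid? A broken channel means logins
#    will fall back to the cached credentials described in section 1.1.3.
$serving = (Get-ADDomainController -Discover).HostName
"This drop is currently served by: $serving"
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; logins will use cached credentials.'
}

# 3. Are cached logons permitted on this drop? The Windows default is 10 cached
#    accounts; 0 means nobody can log in while no Domain Controller is reachable.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent -> Windows default applies
"CachedLogonsCount = $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'Cached logons are disabled: no login is possible on this drop while all Domain Controllers are down.'
}
```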

1.1.4 What are security roles?

Ovation security is based on the domain concept and on the concept of roles. Pre-defined
Ovation roles (see page 17) are included with your Ovation system. The Security Administrator of
a domain can also create "Ovation roles" based on specific groups of security rules.

After the roles have been created, the Administrator assigns a role to a user or computer in the
domain. This assigned Ovation role determines what tasks the user or computer has permissions
to perform.

1.1.5 What is the difference between workgroup security and domain security?

Ovation systems prior to Ovation 2.4 used the Windows workgroup model to logically group
computers on a network. In this configuration, all computers are equal and each maintains its own
security policies and database of resources, such as users, printers, file shares, and so forth.
Managing this model is difficult because the administrative tasks are decentralized and need to be
performed on each computer. For example, user accounts need to be created on each computer
in the network.


Ovation systems, beginning with Ovation 2.4, use the Windows domain model to logically group
computers on a network. In this configuration, the security policies and database of resources,
such as users, printers, file shares, and so forth, are stored in a central location on a server, the
Domain Controller, and are shared by all computers. Although this model requires at least one
Domain Controller, it is easy to manage because of its centralized administrative nature. For
example, user accounts need to be created only once on the Domain Controller, and all member
computers can then share the user accounts.

The differences between the workgroup model and the domain model are listed in the following
table.

Workgroup model versus domain model

FUNCTION         WORKGROUP MODEL                      DOMAIN MODEL
Administration   Each computer                        Centralized
Scalability      Limited number of users/computers    Unlimited number of users/computers
Security         Low and locally managed              High and centrally managed

1.1.6 What are security concerns for process control systems?

There are many security concerns for control systems. Some of the main concerns are:
• Corruptive actions and attacks, both internal (see page 13) and external (see page 9).
• Unintended consequences due to lack of internal controls.
• Compliance with government regulations.
• Competitive intelligence.
• Integration of systems and applications.

1.1.7 What security services does Emerson provide?

Emerson offers security services to secure an Ovation Process Control System from external (see
page 9) and internal (see page 13) security breaches.

Emerson can provide the following security services:
• Conduct an assessment of security needs.
• Identify areas of security concern.
• Provide solutions for security concerns.
• Implement security solutions.
• Evaluate security after implementation.
• Review security on a continual schedule.


Though Emerson designed the Ovation control system to be fully compliant with open-architecture
standards, running, installing, or configuring untested third-party applications on Ovation drops can
introduce security risks that have the potential to affect the robustness of your plant's control
system and ultimately the operation of your plant. Even adding standard Microsoft/Solaris tools that
have not been fully tested and certified with the Ovation system can pose undue risk. Unvalidated
freeware and computer games are especially dangerous to the security of your system.

Emerson strongly recommends that only Ovation-validated applications that are absolutely
necessary for the operation of your plant or control system be installed on Ovation workstations. If
you are interested in installing an application that has not been validated with Ovation, contact
your Emerson representative before you install or execute software. Emerson has rigorous design
and testing standards in place to ensure system stability with many third-party packages, and the
open architecture of the Ovation network makes it easy to interface to a multitude of business
systems using standard communications protocols, without installing software on critical
components of your control system.

Emerson provides an Ovation Security Center (OSC). The OSC is a suite of hardware and
software tools (appliances) that provide electronic security management functions. The OSC
appliances are designed to enhance and manage the cyber security of Ovation Distributed
Control Systems (DCS) without disrupting the controlled process. Refer to the Ovation Security
Center User Guide for more information about OSC.

1.2 Who sets security standards?

Most current process control systems were designed for functionality and performance, not for
security. In today's security-conscious climate, many organizations such as NERC are working
with the process control industry to improve the process control industry's approach to security.

NERC (North American Electric Reliability Corporation) is a non-profit industry group responsible
for ensuring that electricity is kept flowing smoothly throughout the United States and Canada.
One of the missions that NERC has undertaken is the goal of setting security standards and
guidelines for power generators.

There are other organizations, such as government agencies, that are also looking for improved
security techniques and procedures. Emerson is working to incorporate all the latest and best
security techniques into the Ovation Process Control systems.

1.3 Security terminology

Security terms

Account: Represents a physical entity, such as a computer or person.

Active Directory (AD) Database: Component of Windows. Provides a method to securely manage the
identities and relationships in a domain.

Additional or Redundant Domain Controller: This drop (hereafter referred to as redundant) mirrors
the security information in the primary Domain Controller and performs security functions if the
primary Domain Controller fails.

CIP: Critical Infrastructure Protection (CIP) is a set of cyber security standards for electric
power generation, transmission, and distribution organizations. The North American Electric
Reliability Corporation (NERC) developed CIP standards with oversight from the Federal Energy
Regulatory Commission (FERC).

Computer Account: Information that uniquely identifies a computer in a domain. Every computer
that joins a domain has a computer account automatically assigned to it. Similar to user
accounts, computer accounts provide a means for authenticating computer access to the network
and to domain resources.

Domain: Logical collection of computers and users on a network that share a common security
database.

Domain Administrator: User in a domain who can install Ovation software in addition to
performing standard Windows administrative tasks. By default, the Administrator has these
privileges.

Domain Member: Any computer in a domain that is not a Domain Controller but responds to the
Domain Controller computer.

Domain Security Model: Security policies and resource database are maintained on one computer
(server) known as a Domain Controller. This data is shared with all computers.

Firewall: Security system intended to protect an organization's computer network from external
threats. All communication between the internal computer network and the outside world is routed
through a server that determines if a message is safe to pass to the internal network.

Global Role: A role defined as a global role enforces the same set of rules for a user on all
Ovation networks without having to create individual roles on every network. There is only one
global category for each domain.

Group Policy: Collection of Windows group policy rules that defines what desktop and system
features a user or a computer has access to.

Local Console: Identifies a Windows session for a user sitting directly in front of an Ovation
computer that he or she is logged on to.

NERC: North American Electric Reliability Corporation (NERC) is an agency that oversees the
reliability and adequacy of bulk power supply in electric utility systems.

Ovation Security Center (OSC): Provides electronic security management functions to manage the
cyber security of Ovation Distributed Control Systems (DCS) without disrupting the controlled
process.

Ovation Administrator: User who has the authority to manage and configure the security for the
Ovation system.

Ovation Role: Collection of Ovation rules that define what Ovation functions a user or computer
can perform on an Ovation system. A role must be assigned to a User account and may be assigned
to a Computer account.

Primary Domain Controller: Server in a domain that contains the common security database for a
network and controls the access to network security resources. This drop must be the first drop
configured in a domain. If this drop fails, security is managed by a redundant Domain Controller.
A primary Domain Controller can control security for separate Ovation systems. These Ovation
systems may or may not be configured for multi-networking.

Private Role: A private role enforces rules for only the network where the role is defined. There
is only one private category for each Ovation network.

Remote Console: Identifies a Windows session for a user sitting directly in front of an Ovation
computer but remotely logged on to another computer. Remote Desktop is used to perform this
connection and login.

Remote Desktop on Windows: You can have access to a Windows session that is running on a computer
when you are at another computer. For example, you can connect to an Ovation computer from home
and have access to your Ovation applications, files, and resources as though you were in front of
the computer at work.

Rule: Defines an aspect of the run-time behavior of any software. For instance, "Deny network
access" could be a rule. May be Ovation rules or Microsoft group policy rules.

Security Manager Client: Software that runs on domain members and receives security configuration
settings from the security database in the Domain Controller.

Security Manager Server: Software that runs on the Domain Controller and communicates security
configuration settings from the security database to the domain members.

User Account: Information that uniquely identifies a person in a domain. A user account enables a
user to log on to computers in a domain with an identity that can be authenticated by the domain.
Each user who logs on to the domain should have a unique user account and password. Typically,
the administrator creates user accounts for each person on the network.

Workgroup security model: All computers are peers and each computer maintains its own security
policies and resources database. User accounts must be created on each computer. Used in Ovation
systems prior to 2.4.

SECTION 2

2 Understanding Ovation external security

IN THIS SECTION

What is external security? ................................................................................................... 9
What types of external security threats should you be aware of? .................................... 10
What can you do to guard against external security threats? ........................................... 11
What is the recommended virus protection for Ovation Windows systems? .................... 12

2.1 What is external security?

External security refers to the concept of protecting the Ovation system from any outside
influences that might disrupt the operation and functions of the Ovation system. These influences
might include the Internet, a company intranet, and any external devices that are linked to a
system.

The following figure illustrates an Ovation system and the defense perimeter that is defined to
protect the system.

Figure 1: Defense perimeter for Ovation system

2.2 What types of external security threats should you be aware of?

There are many external threats to the security of an Ovation system. Some of the major ones
are:
• Viruses that may be introduced through the Internet or through careless users.
• Intrusions from unauthorized sources, such as hackers or industrial spies.
• Unauthorized activity involving the system and an outside party.
• Accessing unauthorized data.
• Misinformation being spread throughout the system from an external source.
• Misuse of Ovation workstations by employees for activities such as:
  - Playing games
  - Using email or browsers
  - Installing unauthorized software

The following figure illustrates some external threats and how they could enter the system:

Figure 2: Security threats to Ovation system

2.3 What can you do to guard against external security threats?

The solutions that Emerson uses to provide external security for Ovation systems are the
following:
• Firewall: Firewalls serve as a buffer between external computers and the internal computers
  controlling the Ovation system. External communication is routed through the buffer, which
  determines if the data should be passed to the company's internal computers.
• Antivirus software: Software to prevent viruses from attacking application software in a
  system.
• Secure Datalinks: Datalinks can be secured by isolating them from outside security threats.
• Backup and Recovery: Ovation provides software that automatically backs up designated system
  data so that the system can be restored in case of a catastrophic event.
• Password Management: Rules are defined by the system security administrator so that passwords
  must meet certain requirements, which helps ensure that only valid users can perform certain
  functions.
• Internal Security: Internal security must be managed so that only valid users and workstations
  can perform functions that are linked to the outside world.
• Patch Management: Procedures are set in place to ensure the safe access and installation of
  software patches in the Ovation system.
The following figure illustrates some possible solutions to the various security threats for Ovation
systems:

Figure 3: Security protection for Ovation systems

2.4 What is the recommended virus protection for Ovation Windows systems?

Refer to the following antivirus manual for information on protecting Ovation from malware
attacks:
• Using Kaspersky antivirus software with Ovation.

Antivirus software provides many benefits, including:
• Detects certain non-virus threats, including spyware and adware.
• Scans POP3 email and attachments.
• Prevents worms from spreading via email.
• Helps ensure VPN connections are virus free.
• Automatically removes viruses, worms, and Trojan horses.
• Provides both automatic and on-demand security updates.
• Centralizes installation, configuration, and maintenance.
• Allows administrators to lock down business-wide policies and settings.
• Offers easily viewed, centralized event logging.

SECTION 3

3 Understanding Ovation internal security

IN THIS SECTION

What is Ovation internal security?..................................................................................... 13
What types of internal security threats should you be aware of? ..................................... 13
What can you do to guard against internal security threats? ............................................ 13

3.1 What is Ovation internal security?

Internal security protects an Ovation system from any inside influences that might disrupt the
operation and functions of the Ovation system. These influences might include unauthorized use
of Ovation functions, inability to manage security for a large complex system, and unprotected
workstations in remote sections of a plant.

3.2 What types of internal security threats should you be aware of?

There are many internal threats to the security of an Ovation system. Some of the major ones are:
• Security is too complicated to manage easily.
• Workstations are not protected from misuse.
• Poorly controlled password usage or no passwords at all.
• Users and computers all have different and confusing security privileges.

3.3 What can you do to guard against internal security threats?

The solutions that Ovation uses to provide internal security for Ovation systems are the following:
• Simplify security configuration:
  - Manage security accounts from a central location.
  - Provide a selection of pre-defined typical users.
  - Simplify the Global Management of users (option).
  - Assign users to roles.
• Limit access to different functions of the Developer Studio:
  - Engineering functions.
  - Operator functions.
• Use the highly manageable domain security model.
• Restrict system engineering functions to authorized users.
• Enforce group policies throughout an entire plant.

• Manage passwords to ensure only authorized users have access to the Ovation system:
  - Require passwords on operator and engineering consoles.
  - Require passwords to be changed after certain time periods.
  - Enforce password rules governing the length, special characters, and so forth, of
    passwords.
  - React to failed login attempts.
• Create and use "hardened" workstations that are limited to Ovation functions only:
  - Use the concept of security rules to manage internal security.
  - Lock out applications other than Ovation functions (applications such as email, Web
    browser, and so forth).
  - Lock out devices such as CDROM, floppy, and so forth.
  - Prevent the loading of software other than Ovation software.
  - Prevent changes to files and directories.
  - Require password access to the workstation.
  - Restrict Remote Access functions.

SECTION 4

4 Planning Ovation security

IN THIS SECTION

Preparing for Ovation security ........................................................................................... 15
Creating an Ovation security plan ..................................................................................... 16
What are the pre-defined Ovation roles? .......................................................................... 17
What are the pre-defined Group Policies? ........................................................................ 17
What are Ovation security rules? ...................................................................................... 18
What are the best practices for establishing a secure system? ........................................ 18

4.1 Preparing for Ovation security

Planning security for Ovation requires a thorough understanding of how security is administered
in an Ovation 2.4 and later system. Ovation makes use of the Microsoft Windows security design
that is based on the domain concept.

In a domain, all computers are logically connected and their security settings are controlled by a
computer that is configured to be the Domain Controller. All computers in the domain that are not
the Domain Controller are known as domain members.

Ovation provides you with an Ovation Security Manager application to help you more easily
understand your security requirements. This user-friendly software GUI is used to define and
manage the security for all the users and computers in a domain.

The person who will administer security for the Ovation system should be identified before the
system is installed.

Ovation system designers study the security needs for a system and implement the latest
state-of-the-art security practices for each system. After the security plan is in place, plant
administrators can easily manage the day-to-day changes needed in a dynamic security system.

When planning security, keep in mind that the ability to perform certain operations in the Ovation
system is dictated by two factors:
• The Windows session in which the Ovation application runs. This is based on the Group
  policy assigned to the user/computer.
  A Windows session consists of the logged-on user, the logged-on computer, and the
  applicable console (that is, whether the user is locally logged on at the computer or remotely
  logged on through the remote desktop service).
• The Ovation roles to which the Windows session belongs. This is based on the Ovation role
  policy assigned to the user/computer.

4.2 Creating an Ovation security plan

There is no single procedure for designing security for an Ovation system, but the following steps
provide a pattern for a typical Ovation security plan. Also, refer to an Example of Security
Configuration for a sample scenario of a security configuration.

1. Identify what Ovation roles (see page 18) and Group Policies (see page 55) you want to
   enforce for the Ovation roles you will create.

   Note: For your convenience, an Ovation system comes with a selection of pre-defined roles
   (see page 17) and pre-defined group policies (see page 17).

2. Create or modify Ovation roles (see page 44):
   • Provide a name and description for the new role.
   • Select if the network scope for the role will be private or global.
     Create a global role if you want the Ovation role to be valid across all networks in the
     domain.
     Create a private role if you want the Ovation role to be valid only on the network where it
     is created.
   • Edit the role properties for each Ovation rule to define if a rule is enabled or disabled
     when used on a local console or a remote console.
3. Create or modify group policies (see page 55):
   • Provide a name and description for the new group policy.
   • Select if the policy type will be a User or Computer policy.
   • Edit the policy properties for each group policy rule to define if a rule is Not Configured,
     Disabled or anything else that is applicable.
   A group policy is a collection of Microsoft group policy rules that define what desktop and
   system features a user or a computer has access to.
4. Create user accounts (see page 25) and computer accounts (see page 33).
5. Assign a defined group policy to each user account (see page 28) (required) and computer
   account (optional).
6. Assign a defined Ovation role to each user account (see page 28) (required) and computer
   account (optional).

4.3 What are the pre-defined Ovation roles?

An Ovation system comes with a set of pre-defined security roles. These pre-defined roles can be
used or modified as needed. While some pre-defined roles can be deleted, pre-defined roles with
the "-default" suffix and pre-defined global roles cannot be deleted. The security administrator can
create new roles and, if desired, these new roles can be deleted.
• Admin: Security Administrator.
• IT: IT or Support (No Ovation capabilities).
• Supervisor: Supervisor.
• Engineer: Full Engineering functions.
• Engineer (Graphics): Engineering functions necessary to create/edit graphics.
• Engineer (DB, Graphics): Engineering functions for database and graphics.
• Operator: Full Operator functions.
• Operator (View, Alarms): Operator functions for view and alarms.
• Operator (View Only): Operator functions - view only.
• Technician: Technician.

4.4 What are the pre-defined Group Policies?

An Ovation system comes with a set of pre-defined security Group Policies. These policies deal
with Windows functions. These policies can be used or modified as needed.
• Global User Policies: Policies that will be inherited by all of the other user policies. These
  policies cannot be directly assigned to a user. Policies set at an assignable level override
  policies made at the global user level.
• Engineer (locked down): User will only have access to permitted Ovation Operator and
  Engineering applications.
• Operator (locked down): User will only have access to permitted Ovation Operator
  applications.
• Unrestricted User: User will have full access to Ovation and Windows programs.
• Global Computer Policies: Policies that will be inherited by all of the other computer
  policies. Policies set at an assignable level override policies made at the global computer
  level.
• Engineering (locked down): Computer will only have access to permitted Ovation Operator
  and Engineering applications.
• Operator (locked down): Restricts all users of computer to permitted Ovation Operation
  Station application. This policy is automatically assigned to new computer accounts by
  default.
• Unrestricted Computer: Default computer that will not apply additional restrictions beyond
  the user's policies.
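
The following Python model is an added illustration, not Emerson code and not how the Security
Manager is implemented. It shows how the two factors from section 4.1 combine for a session: the
effective group policy is the assignable-level policy with every Not Configured rule falling
through to the Global policy, and an Ovation rule applies only when the role is in scope for the
session's network and the rule is enabled for that console type. The rule names, network aliases
and the assumption that a computer policy only adds restrictions to the user's policy are
constructed for the example.

```python
"""Constructed model of Ovation-style security resolution (added example, not
Emerson code). Rule names, policies, networks and sessions are illustrative."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Setting(Enum):
    """Group policy rule settings as the Security Manager presents them."""
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


@dataclass
class GroupPolicy:
    name: str
    kind: str                                   # "User" or "Computer"
    rules: Dict[str, Setting] = field(default_factory=dict)


def effective_policy(global_policy: GroupPolicy,
                     assignable: GroupPolicy) -> Dict[str, Setting]:
    """Assignable-level settings override the global level; a rule left
    Not Configured at the assignable level inherits the global setting."""
    if global_policy.kind != assignable.kind:
        raise ValueError("user and computer policies are resolved separately")
    merged = dict(global_policy.rules)
    for rule, setting in assignable.rules.items():
        if setting is not Setting.NOT_CONFIGURED:
            merged[rule] = setting
    return merged


@dataclass
class OvationRole:
    name: str
    scope: str                                  # "global" (whole domain) or "private"
    network: Optional[str]                      # network alias for a private role, None if global
    # rule name -> (enabled on a local console, enabled on a remote console)
    rules: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)


@dataclass
class Session:
    """A Windows session: logged-on user, logged-on computer and console type."""
    user: str
    computer: str
    network: str
    console: str                                # "local" or "remote"


def role_in_scope(role: OvationRole, network: str) -> bool:
    return role.scope == "global" or role.network == network


def rule_enabled(role: OvationRole, session: Session, rule: str) -> bool:
    """An Ovation rule applies only if the role covers the session's network
    and the rule is enabled for the console the session is using."""
    if not role_in_scope(role, session.network):
        return False
    local, remote = role.rules.get(rule, (False, False))
    return local if session.console == "local" else remote


def feature_allowed(user_eff: Dict[str, Setting],
                    computer_eff: Dict[str, Setting], feature: str) -> bool:
    """Assumption: a computer policy only adds restrictions, so a feature is
    reachable when neither effective policy disables it."""
    return (user_eff.get(feature) is not Setting.DISABLED
            and computer_eff.get(feature) is not Setting.DISABLED)


# Constructed sample configuration (hypothetical rule names) ------------------
GLOBAL_USER = GroupPolicy("Global User Policies", "User", {
    "Run Web browser": Setting.DISABLED,        # locked down for everyone by default
    "Run Ovation Operator applications": Setting.ENABLED,
})
OPERATOR_LOCKED = GroupPolicy("Operator (locked down)", "User", {
    "Run Web browser": Setting.NOT_CONFIGURED,  # inherits the global Disabled
})
UNRESTRICTED_USER = GroupPolicy("Unrestricted User", "User", {
    "Run Web browser": Setting.ENABLED,         # overrides the global Disabled
})
GLOBAL_COMPUTER = GroupPolicy("Global Computer Policies", "Computer", {})
UNRESTRICTED_COMPUTER = GroupPolicy("Unrestricted Computer", "Computer", {})

ENGINEER_NET1 = OvationRole("Engineer", "private", "NET1", {
    "Edit control logic": (True, False),        # allowed locally, denied over Remote Desktop
    "View graphics": (True, True),
})
OPERATOR_VIEW_ONLY = OvationRole("Operator (View Only)", "global", None, {
    "View graphics": (True, True),
})


def can_edit_logic(session: Session, role: OvationRole) -> bool:
    return rule_enabled(role, session, "Edit control logic")


def browser_allowed(user_policy: GroupPolicy, computer_policy: GroupPolicy) -> bool:
    return feature_allowed(effective_policy(GLOBAL_USER, user_policy),
                           effective_policy(GLOBAL_COMPUTER, computer_policy),
                           "Run Web browser")


if __name__ == "__main__":
    print(can_edit_logic(Session("jsmith", "ENG01", "NET1", "local"), ENGINEER_NET1))   # True
    print(can_edit_logic(Session("jsmith", "ENG01", "NET1", "remote"), ENGINEER_NET1))  # False
    print(can_edit_logic(Session("jsmith", "ENG07", "NET2", "local"), ENGINEER_NET1))   # False
    print(browser_allowed(OPERATOR_LOCKED, UNRESTRICTED_COMPUTER))                     # False
    print(browser_allowed(UNRESTRICTED_USER, UNRESTRICTED_COMPUTER))                   # True
```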

4.5 What are Ovation security rules?

A rule is a simple statement that defines an aspect of the run-time behavior for software. Ovation
security uses rules to define the usage limitations for various Ovation software functions. There
are four categories of functions that are managed by an Ovation Security Manager running on the
Domain Controller. The Security Manager uses the defined rules to determine the actions that are
permitted for users, computers, and roles.

Ovation security provides defined rules for various Ovation functions. These rules are enabled or
disabled through the Manage Roles function of the Security Manager.
• Engineering Rules (see page 46).
• Operator Rules (see page 48).
• Point Security Groups (PSG) Rules (see page 50).
• Group Security Rules (see page 60).

4.6 What are the best practices for establishing a secure system?

• Employ a standard firewall configuration for each Ovation system to prevent unwanted data
  entering the control system from the outside world.
• Formalize plans for loading applications and software on an Ovation system so that only
  designated users (administrators) can install software on the system.
• Assign roles so that functions can be performed throughout the Ovation system.
• Assign more than one Administrator to ensure the continuation of security in case the original
  Administrator is not available.
• Define redundant Domain Controller(s) to ensure logins are dynamic and not based on a
  cache of security data.
• Use backup programs and procedures to ensure that in case of a system disruption, the
  system data can be restored.
• Use virus detection software to help prevent system damage from the spread of software
  viruses.
• Use the security patches that Microsoft provides to ensure the security of your Windows
  Operating System. These patches have been tested by Emerson for compatibility with the
  Ovation software. Access these tested patches from the Emerson Users Group Web site and
  then download the patches onto the computer. (Refer to the Ovation Software Installation
  Manual.)
• If you plan to use remote and local console design in your Ovation system, ensure that you
  have adequate provisions for remote console security.
• Create a plan that outlines in detail how security will be implemented.

SECTION 5

5 Using the Ovation Security Manager

IN THIS SECTION

Accessing the Ovation Developer Studio .......................................................................... 19
To access the Ovation Security Manager ......................................................................... 19
What are the Ovation Security Manager tasks? ............................................................... 20
What is the Ovation Security Manager? ........................................................................... 20
What are the Ovation Security Manager task functions? .................................................. 21

5.1 Accessing the Ovation Developer Studio

When your Ovation system is loaded, the Developer Studio icon appears on your desktop.
Double-click the icon and the Developer Studio window appears. Refer to the Ovation Developer
Studio User Guide.

You can also access the Developer Studio from the context menu of the Operator Station
applications, such as Point Information. For more information, refer to the Ovation Operator
Station User Guide.

Note: Much of the setup and configuration of the Developer Studio contents and hierarchy is
performed by an Emerson representative before the system is installed in your plant.

5.2 To access the Ovation Security Manager

1. Access the Ovation Developer Studio (see page 19).
2. Use the system tree to navigate to Ovation Security:
System -> Security -> Ovation Security
The Ovation Security Manager appears in the Studio Workpad.
3. Double-click Security Manager to open the Ovation Security Manager window.

Note: You can also access the Ovation Security Manager from your Windows Start menu
(Start -> Ovation -> Ovation Security -> Ovation Security Manager); this is only available on
Ovation Security Server.

5.3 What are the Ovation Security Manager tasks?

Functions that the Security Manager performs are presented as "tasks" that are selected from a
user-friendly interface. Typically, a security administrator manages the security configuration and
determines what tasks will be permitted for users, roles, and computers.

When a task is selected, applicable dialog boxes appear providing an easy method for configuring
security for the various security levels. These tasks are:
• Manage Users (see page 23).
• Manage Computers (see page 31).
• Manage Point Security Groups (see page 39).
• Manage Ovation Roles (see page 41).
• Manage Group Policies (see page 55).
• Manage Domain Policies (see page 65).
• Manage Administrator (see page 69).
• Manage Database Users (see page 73).

5.4 What is the Ovation Security Manager?

The Ovation Security Manager is a software package that is installed on all the drops in an
Ovation system. However, it can only be accessed by a member of the Ovation Administration
group (Manage Administrators) who has privileges to manage security on the Ovation system.
This package manages all the internal security functions or tasks for an Ovation system.

Note: You can only configure the Ovation Security Manager when the primary Domain
Controller is online.

Typically, a security administrator manages the security configuration and determines what tasks
will be permitted for users, roles and computers.

Figure 4: Ovation Security Manager main window

5.5 What are the Ovation Security Manager task functions?

When you select a security task in the Security Manager main window, the functions you can
perform for that task are represented by icons that are displayed to the right of the "Pick a task"
prompt. All the possible function icons are described in the following table.

Function icons (the icon images themselves are not reproduced here; each entry gives the
function's description and the tasks that use it)

Inserts a new task item (or adds a new user if you are in Manage Administrators).
  Tasks: Manage Users, Manage Computers, Manage Ovation Roles, Manage Group Policies,
  Manage Administrators

Duplicates a task item.
  Tasks: Manage Ovation Roles, Manage Group Policies

Renames a task item.
  Tasks: Manage Users, Manage Ovation Roles, Manage Group Policies, Manage Administrators

Deletes a task item.
  Tasks: Manage Users, Manage Computers, Manage Ovation Roles, Manage Group Policies,
  Manage Administrators

Resets a user's password.
  Tasks: Manage Users, Manage Database Users

Disables a task item.
  Tasks: Manage Users, Manage Computers

Displays the properties for a task item. You can edit many of these properties.
  Tasks: Manage Users, Manage Computers, Manage Ovation Roles, Manage Group Policies,
  Manage Domain Policies

Refreshes the window and includes any changes that were made since the last refresh.
  Tasks: Manage Users, Manage Computers, Manage Ovation Roles, Manage Group Policies,
  Manage Domain Policies, Manage Administrators, Manage Database Users

Creates a new network or deletes an existing network. The name of the new network should be
the network alias name that is used in the Studio.
  Tasks: Manage Computers

SECTION 6

6 Managing user accounts

IN THIS SECTION

What are user accounts? .................................................................................................. 23
To create a new user account ........................................................................................... 25
To rename a user account ................................................................................................ 26
To delete a user account ................................................................................................... 27
To reset a user password .................................................................................................. 27
To disable/enable a user's account ................................................................................... 28
To display and edit properties of a user account .............................................................. 28

6.1 What are user accounts?

Each user account in an Ovation system represents a person in the Ovation domain. To see this
list, click Manage Users.

Figure 5: Manage Users task selected

User accounts utilize two different processes to validate the user and what functions can be
performed:
• Authentication: The process of verifying the identity of a user. To authenticate a user during
  logon, a unique account and password should be created for every user.
• Authorization: The process that determines what a user is permitted to do. To authorize a
  user to perform certain tasks in the Ovation system, each user should be assigned to an
  Ovation Role (one or more Engineering/Operator rules) and a Group Policy (one or more
  Group rules).
Each user account will have the following set of attributes that must be defined by the security
administrator through the New User dialog box (see page 25). When a field in the New User
dialog box is highlighted, information about that field appears in the bottom of the dialog box.

Attributes for user accounts

General
  First Name: First name of the user.
  Last Name: Last name of the user.
  Initials: First initial of the user's middle name.
  Full Name: This field mirrors what is entered in the First Name, Last Name, and Initials
  fields, or you can enter text in this field. (required field)
  Description: Brief statement that describes the user account.

Logon information
  Logon Name: Name the user will use at login. This is the name the computer will recognize
  and verify. (required field)
  Password: Click to edit. A Password Editor dialog box appears. (required field)
  Password Option (User must change password at next logon): Set to True or False. If True is
  selected, then the user must change the password the next time he or she logs on. If False is
  selected, the user does not have to change the password.

Policy
  Group Policy: Consists of one or more rules that control the behavior of any user's desktop
  environment and system. Typically, the administrator creates group policies and then assigns
  the policies to user accounts.

Roles
  Roles: Consists of one or more rules that control the run-time behavior of any Ovation
  software. Typically, the administrator creates roles and then assigns the roles to user
  accounts. You cannot assign a role to a user when you first create that new user. Create the
  new user and select OK. You can then assign a role to the new user as described in Display
  and Edit Properties of a User's Account (see page 28).

While using the Manage Users task, the security administrator will be able to:
• Create (see page 25) new user accounts.
• Rename (see page 26) user accounts.
• Delete (see page 27) user accounts.
• Reset (see page 27) a user's password.
• Disable or enable (see page 28) a user's account.
• Display (see page 28) the properties for a user.
• Refresh the screen.
• Sort the user details by clicking the column headers on the window.

6.2 To create a new user account

1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button. The list of users appears in the Security Manager
window.
3. Select the New icon. The New User dialog box appears.
4. Enter the desired information in the appropriate entry fields (see page 23).

Note: Click a parameter and the parameter description appears in the bottom of the dialog box.

Figure 6: New User dialog box

5. Under the Logon Information section, enter the desired logon name. You must then create a
password for the user.
6. Click the Click to Edit field to display an ellipsis (...). Click the ellipsis and the Password
Editor dialog box appears. Enter the desired password and confirm it. Select OK.

Figure 7: Password Editor dialog box


7. Return to the New User dialog box and select OK. A new user account will be created.

Note: You cannot assign a role to a user when you first create that new user. Create the new
user and select OK. You can then assign a role to the new user as described in "Display and
Edit Properties of a User's Account (see page 28)".

6.3 To rename a user account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button.
3. The list of users appears in the Security Manager window. Select the user you want to
rename.
4. Select the Rename icon or right-click the user name and select Rename.
5. The Rename User dialog box appears. The current name will appear in the Full Name and
Logon entry field. Change the user First Name, Last Name and Initials. Select OK.

Note: Click a parameter and the parameter description appears in the bottom of the dialog box.

Figure 8: Rename User dialog box

6.4 To delete a user account

1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button.
3. The list of users appears in the Security Manager window. Select the user account you want
to delete.
4. Select the Delete icon or right-click the user name and select Delete.
5. A message appears that either asks you to confirm the deletion or warns you that you
cannot delete the user account. Select Yes if you want to continue the deletion.
When a user account is deleted, the account is removed from the system, and the user is
"locked out" and can no longer log on to the Ovation system.

6.5 To reset a user password


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button.
3. The list of users appears in the Security Manager window. Select the user whose password
you want to reset.
4. Select the Reset Password icon or right-click the user name and select Reset Password.
5. The Reset Password dialog box appears.

Note: Click a parameter and the parameter description appears in the bottom of the dialog.

Figure 9: Reset Password dialog box

6. Use the pull-down menu to define if the "User must change password at next logon" or not.
Select True (must change password) or False (does not have to change password).
7. Select the ellipsis (...) in the Click to Edit field and the Password Editor dialog box appears.
Enter the desired password and confirm it. Select OK.

Figure 10: Password Editor dialog box

8. Return to the Reset Password dialog box and select OK. The password will be reset for the
user.

6.6 To disable/enable a user's account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button.
3. The list of users appears in the Security Manager window. Select the user whose account
you want to enable or disable.
4. Select the Enable/Disable icon or right-click the user name and select Disable or Enable.
This icon toggles between Enable and Disable.

6.7 To display and edit properties of a user account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Users task button.
3. The list of users appears in the Security Manager window. Select the user whose properties
you want to display or edit.
4. Select the Properties icon or right-click the user name and select Properties.

5. The User Properties dialog box appears. The first name and last name of the user appear in
the box. Select the Group Policy field. Select the ellipsis (...) that appears.

Note: Click a parameter and the parameter description appears in the bottom of the dialog box.

Figure 11: User Properties dialog box

6. The Policy Selection dialog box appears. Select the policy you want to assign to the user.
Select OK.

Figure 12: Policy Selection dialog box

7. Return to the User Properties dialog box. Highlight the Role that is selected. Select the
ellipsis (...) that appears.
8. The Role Selection dialog box appears. If there is a check mark in the None check box, click
the check mark to remove it. From the list of roles, select the role that you want to assign to
the user. Select OK.
OR
If you do not want to assign any roles to the user, go to Step 9.

Figure 13: Role Selection dialog box

9. Ensure that the None check box is checked so that no roles can be selected. Select OK.

Figure 14: Role Selection dialog box (no roles selected)

SECTION 7

7 Managing computer accounts

IN THIS SECTION

What are computer accounts? .......................................................................................... 31


To create a new computer account ................................................................................... 33
To delete a computer account ........................................................................................... 34
To disable/enable a computer account ............................................................................. 34
To display and edit properties of a computer account ...................................................... 34
To create a new network ................................................................................................... 36
To delete a network account ............................................................................................. 37

7.1 What are computer accounts?

Each computer account in an Ovation system represents a computer in the Ovation domain. Each
computer should have a unique account and this account is automatically created when the
computer is joined to the domain.

Figure 15: Manage Computers task selected

Like user accounts, computer accounts may be assigned an Ovation Role (one or more
Engineering/Operator rules) and a Group Policy (one or more Group Policy rules).

Ovation Role: Assigning a Role to a computer account is optional and can be thought of as
enforcing additional restrictions on users who login to it. For instance, if a computer DROP123 is
in a demo room, it may be desirable to prevent any user who logs in to it from acknowledging the
alarm. This can be achieved by assigning a Role to the computer account DROP123 that has the
rule "Allow alarm acknowledge" disabled.

At run-time, the rules defined in the Role for a computer account will be combined with that of the
currently logged-on user account to calculate the total access permission. For example, in the
above scenario, any user who logs in to DROP123 will not be able to acknowledge the alarms
regardless of whether his/her user account grants permission to do so.

Group Policy: Typically, a Group Policy should be assigned to a user account so that no matter
on which computer the user logs on, he or she will have the same desktop environment.
However, in certain closely managed environments (such as demo rooms and reception areas), it
may be desirable to assign a Group Policy to a computer account so that any user who logs in to
it will have the same desktop and system environment.

Assigning a Group Policy to a computer account is optional. If one is assigned, it will be applied to
all users on that computer and the Group Policy assigned to the user account will be ignored.

Each computer account will have the following set of properties. A Security Administrator must
define required fields.

Properties for computer accounts

PROPERTY OR FIELD                DESCRIPTION

Name (required field)            Name of the computer, assigned by the security administrator, for
                                 example, "BoilerRoomdrop230." This may or may not be the Ovation
                                 drop name (for example, drop230 is the drop name in the Ovation
                                 Studio).
Description                      Brief statement that describes the computer account.
Operating System Name            Identified by a query of the computer by the system software.
(read-only field)                Displayed in the Computer Properties dialog box; cannot be edited.
Operating System Version         Identified by a query of the computer by the system software.
(read-only field)                Displayed in the Computer Properties dialog box; cannot be edited.
Operating System Service Pack    Identified by a query of the computer by the system software.
(read-only field)                Displayed in the Computer Properties dialog box; cannot be edited.
Role                             Consists of one or more rules that control the run-time behavior of any
                                 Ovation software. Typically, the administrator creates roles and then
                                 assigns the roles to user/computer accounts.
                                 You cannot assign a role to a computer when you first create that new
                                 computer account. Create the new computer account and select OK.
                                 You can then assign a role to the computer as described in Display and
                                 Edit Properties of a Computer Account (see page 34).
Group Policy                     Consists of one or more rules that control the behavior of any
                                 computer's desktop environment. Typically, the administrator creates
                                 Group Policies and then assigns the policies to user/computer accounts.

Note: Only roles defined in a global scope can be assigned to the computer accounts. Only the
Role and Group Policy properties can be modified. All other properties are read-only.

By default, all computers are assigned the Role of "None" and the Policy of "Operator (locked
down)." These settings mean that the computer itself does not impose any restrictions, and the
user who logs on to it will be governed only by the Role and Group Policy assigned to the user
account.

While using the Manage Computer task, the security administrator will be able to:
 Create new computer accounts (see page 33).
 Delete computer accounts (see page 34).
 Disable or enable a computer account (see page 34).
 Display the properties of a computer account (see page 34).
 Refresh the screen.
 Create a new network account (see page 36).
 Delete a network account (see page 37).

7.2 To create a new computer account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button. The names of all the computers and their
networks that are currently in the domain appear.
3. Select the New icon. The New Computer dialog box appears.
4. Enter the desired information in the entry fields (see page 31).
5. Select the Group Policy field and select the ellipsis (...) that appears.
6. The Policy Selection dialog box appears listing the names of the group policies and
descriptions of the policies. Select the desired policy and select OK.

Note: Click a parameter and the parameter description appears in the bottom of the dialog.

7. Return to the New Computer dialog box and select OK. A new computer account will be created.

Note: You cannot assign a role to a computer when you first create that new computer account.
Create the new computer account and select OK. You can then assign a role to the computer as
described in "Display and Edit Properties of a Computer Account (see page 34)".

Figure 16: New Computer dialog box

7.3 To delete a computer account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button. The names of all the computers and their
networks that are currently in the domain appear.
3. Highlight the computer that you want to delete.
4. Select the Delete icon. The selected computer will be deleted.
When a computer account is deleted, the computer is "locked out" and can no longer be used
to log on to the domain.

7.4 To disable/enable a computer account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button. The names of all the computers and their
networks that are currently in the domain appear.
3. Select the computer whose account you want to enable or disable.
4. Select the Enable/Disable icon or right-click the computer name and select Disable or
Enable. This icon toggles between Enable and Disable.

7.5 To display and edit properties of a computer account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button.
3. The names of all the computers and their networks that are currently in the domain appear.
Select the computer whose properties you want to display or edit.
4. Select the Properties icon or right-click the computer name and select Properties.
5. The Computer Properties dialog box appears. The current properties for the selected
computer are displayed. Highlight the Group Policy. Select the ellipsis (...) that appears.

Note: Click a parameter and the parameter description appears in the bottom of the dialog.

Figure 17: Computer Properties dialog box

6. The Policy Selection dialog box appears. Select the policy you want to assign to the
computer. Select OK.

Figure 18: Policy Selection dialog box

7. Return to the Computer Properties dialog box. Highlight the Role field. Select the
ellipsis (...) that appears.
8. The Role Selection dialog box appears. If there is a check mark in the None check box, click
the check mark to remove it. From the list of roles, select the role that you want to assign to
the computer. Select OK.
OR
If you do not want to assign any roles to the computer, go to Step 9.

Figure 19: Role Selection dialog box

9. Ensure that the None check box is checked so that no roles can be selected. Select OK.

Figure 20: Role Selection dialog box (no roles selected)

7.6 To create a new network


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button. The names of all the computers and their
networks that are currently in the domain appear.
3. Select the Network icon and select New Networks. The New Network dialog box appears.
4. Enter the name of the new network. This name should also be used as the network alias
name when you create the network in the Studio. Then any security you may have created
offline for the network accounts using the Security Manager will be automatically assigned to
the network you have created in the Ovation Studio.
For example, if you create a new network (NET3) in the Security Manager and then you
assign an alias name (NET3) to a network in the Studio, the Studio can use all the security
accounts created in the Security Manager for the new network.

Note: You can name the new network before or after you assign the network name alias in the
Studio.

Figure 21: New Network dialog box

5. Click OK.

7.7 To delete a network account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button. The names of all the computers and their
networks that are currently in the domain appear.
3. Select the Network icon and select Delete Networks. The Delete Network dialog box
appears.
4. Select the name of the network account you want to delete. Select from the following options:
 Unlink the network's security from the Ovation System.
 Permanently delete the network's security.
5. Select OK to delete the network account.

CAUTION: If a network is permanently deleted, all the security is deleted and the network is
"locked down." This means that the network and all the computers on it can no longer be
accessed.

Figure 22: Delete Network dialog box

SECTION 8

8 Managing point security groups (PSG)

IN THIS SECTION

What are point security groups? ....................................................................................... 39


To edit a point security group ............................................................................................ 40

8.1 What are point security groups?

An Ovation Point Security Group (PSG) consists of a collection of Ovation points that typically
share some common properties. For example, points that belong to a "boiler22" security group
are points associated with Boiler 22. (This is logical association and is not a hard-coded entity.)

Figure 23: Manage Point Security Groups task selected

There are 32 possible point security groups in an Ovation system. A group is inactive by default
until it is activated by assigning a custom label or name to the group. Once a group is labeled and
activated, points can be assigned to the security group. During the point building process, every
Ovation point must be assigned to a security group. (Refer to the Ovation Developer Studio User
Guide.)

After a point security group is defined and points are assigned to the group, the security group
can be assigned to a security role. Then the role will have access to all the points that belong to
that point security group. These point security groups are enabled or disabled through the
Manage Roles function of the Security Manager (see page 50).

Once a PSG label is activated, it will be available as a configurable attribute inside a Role as well
as inside the point's Security tab in the Developer Studio.

Note: Each Ovation network has its own set of 32 PSG labels and those labels are limited to the
individual network. When a Role is created in the Global scope, all active PSGs on each
Ovation network will be made available as a configurable attribute inside the role. This allows
the administrator to assign individual network PSGs to a role.

While using the Manage Point Security Groups task, the security administrator will be able to:
 Activate any of the 32 PSG labels, by attaching a custom name to it (see page 40).
 View the list of 32 PSG labels (see page 40).
 Disable any of the activated PSG labels (see page 40).

8.2 To edit a point security group


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Point Security Groups task button.
3. The names of the defined Point Security Groups in the various networks appear. Highlight the
desired PSG and select the ellipsis (...) at the end of the line.
4. This displays the Point Security Group Editor dialog box. All the point security groups that are
currently defined appear in the box.
5. Edit as desired. Select OK.

Figure 24: Point Security Group Editor dialog box

SECTION 9

9 Managing Ovation roles

IN THIS SECTION

What are Ovation roles? ................................................................................................... 41


Defining roles at the local and remote console levels ....................................................... 43
To create a new role account ............................................................................................ 44
To duplicate a role account ............................................................................................... 44
To rename a role account ................................................................................................. 45
To delete a role account .................................................................................................... 45
What are the Ovation engineering security rules? ............................................................ 46
What are the Ovation operator security rules? ................................................................. 48
What are the Ovation point security group (PSG) rules? .................................................. 50
What is the Accounts tab? ................................................................................................ 51
What is the General tab? .................................................................................................. 53

9.1 What are Ovation roles?

Ovation roles consist of rules that determine what Ovation functions a user can perform or what
functions can be performed at an Ovation computer. Typically, the security administrator creates
roles and then assigns the roles to user and computer accounts.

Figure 25: Manage Ovation Roles task selected

When you first open the Ovation Security Manager tool, some pre-defined roles are already
configured for your convenience. You can edit or delete these roles (see page 17).

Every user in a domain is initially assigned no role. This permits the user to log on and log off
from the system but not perform any Ovation functions until the security administrator assigns a
security role to the user.

Every computer in a domain is initially assigned no role. This means that the computer will not
provide any restrictions on any user that logs into the computer. However, once the security
administrator assigns a security role to the computer, then the computer applies the security
restrictions defined for that role to any user that logs into the computer.

By using the role concept, an administrator can quickly define the functions a user or computer
can perform without having to set permissions for each user or computer individually.

Roles are divided into two classes:

Global: A role defined as a Global role enforces the same set of rules for a user on all Ovation
networks without having to create individual roles on every network. There is only one Global
category for each domain. A Global role can be applied to all networks in a domain. This is used
to allow roles to be defined across multiple networks in a domain.

Private: A role defined as a Private role enforces rules for only the network where the role is
defined. There is only one Private category for each network. A Private role can be applied only to
the network where it was defined.

Note: If you have a single-network domain, it does not matter if you classify a role as Global or
Private. However, if you add networks later, then any role that you have defined as Global will
function on all the additional networks as well as the original network. Any role that you have
defined as Private will only function on the network where it was originally defined.

Each role will have the following set of properties that must be defined by the security
administrator.

Properties for role accounts

PROPERTY OR FIELD DESCRIPTION

Name Name of the role. Should be unique within its domain.


Description Description of the role.
Network Pull-down menu that defines if a role will be global or private. The menu displays
the current network (Private) where the role is being defined, plus the option
"None (Global scope)."

While using the Manage Roles task, the security administrator will be able to:
 Create new Private or Global roles (see page 44).
 Duplicate a role account (see page 44).
 Rename a role account (see page 45).
 Delete existing roles (see page 45).

 Use the Properties menu to:


 Define one or more Engineering rules for Local/Remote Console (see page 46).
 Define one or more Operator rules for Local/Remote Console (see page 48).
 Define one or more Point Security Groups for Local/Remote Console (see page 50).
 Refresh the screen.

9.2 Defining roles at the local and remote console levels

Security roles are set at two levels:


 For use with a local console.
 For use with a remote console.
The local console refers to the computer the user directly logs into while sitting in front of it. The
remote console refers to the computer the user logs into remotely from another computer. This
remote connection is managed through the use of the Windows Remote Desktop Service.

Note: If you want to provide for multiple remote desktop connections in your domain so that
multiple computers (clients) can remotely log on to an Ovation drop (server), you need to install
Microsoft Terminal Service licenses on the computers. (Refer to the Ovation Software
Installation Manual.)

You set local and remote levels by defining the rules in the Role Properties dialog boxes:
 If the Local Console box is checked for a rule, then that rule is enabled for use at a local
console. If the Local Console box is unchecked for a rule, then that rule is disabled at a local
console.
 If the Remote Console box is checked for a rule, then that rule is enabled for use at a remote
console. If the Remote Console box is unchecked for a rule, then that rule is disabled at a
remote console.
 If both the Local and Remote Console boxes are unchecked for a rule, then the rule is totally
disabled for use on both local and remote consoles.
The types of rules that are applicable for the local and remote consoles are:
 Engineering rules (see page 46).
 Operator rules (see page 48).
 Point Security Group rules (see page 50).

Note: Remote Console attributes are only valid when the role is assigned to a user account.
These attributes will have no effect when the role is assigned to a computer account and will be
ignored.
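To make the combination rules in sections 7.1 and 9.2 concrete, the following is an added Python model of how the documented rules combine at run time: a user's role is checked against the console type, a computer's role can only take permissions away (Role "None" on a computer imposes no restriction, Role "None" on a user permits nothing), a computer's Group Policy overrides the user's, and Remote Console attributes on a computer role are ignored. It also models the point security group checks of section 8.1 (32 labels per network, inactive until named, each point built into one). This is not Emerson's code; the rule names, the role and network names, and the "PSG:<network>:<label>" naming used for a point security group rule are assumptions chosen for illustration.

```python
# Added example (not Emerson's code): a small model of how the documented
# Ovation Security Manager rules combine at run time. Rule names, role and
# network names, and the PSG rule naming below are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PSG_SLOTS = 32  # each Ovation network has 32 point security group labels


@dataclass
class Role:
    """Rule name -> (Local Console checked, Remote Console checked).

    network=None models "None (Global scope)"; otherwise the role is Private
    to that network.
    """
    name: str
    rules: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)
    network: Optional[str] = None

    def allows(self, rule: str, remote: bool) -> bool:
        """A rule absent from the role is disabled for both console types."""
        local_ok, remote_ok = self.rules.get(rule, (False, False))
        return remote_ok if remote else local_ok


@dataclass
class Network:
    name: str
    psg_labels: list = field(default_factory=lambda: [None] * PSG_SLOTS)

    def activate_psg(self, slot: int, label: str) -> None:
        """A PSG is inactive until the administrator attaches a label to it."""
        if not 0 <= slot < PSG_SLOTS:
            raise ValueError(f"PSG slot must be 0..{PSG_SLOTS - 1}")
        self.psg_labels[slot] = label

    def psg_rule(self, slot: int) -> str:
        """Rule name an active PSG exposes inside a role (naming is assumed)."""
        label = self.psg_labels[slot]
        if label is None:
            raise ValueError(f"PSG slot {slot} on {self.name} is not activated")
        return f"PSG:{self.name}:{label}"


def check_computer_role(role: Optional[Role]) -> None:
    """Only roles defined in the Global scope can be assigned to a computer."""
    if role is not None and role.network is not None:
        raise ValueError(f"role {role.name!r} is Private to {role.network}")


def effective_permission(user_role: Optional[Role], computer_role: Optional[Role],
                         rule: str, remote: bool = False) -> bool:
    """Combine the user's and the computer's roles as the manual describes."""
    # Role "None" on a user: may log on, but may perform no Ovation function.
    if user_role is None or not user_role.allows(rule, remote):
        return False
    # Role "None" on a computer imposes no restriction of its own.
    if computer_role is None:
        return True
    check_computer_role(computer_role)
    # Remote Console attributes are ignored on a computer role, so its Local
    # Console box decides even when the user is in a remote session.
    return computer_role.allows(rule, remote=False)


def effective_group_policy(user_policy, computer_policy):
    """A Group Policy on the computer account overrides the user's policy."""
    return computer_policy if computer_policy is not None else user_policy


def can_access_point(user_role, computer_role, network: Network,
                     point_slot: int, remote: bool = False) -> bool:
    """Point access: the PSG the point was built into is enabled in the role."""
    return effective_permission(user_role, computer_role,
                                network.psg_rule(point_slot), remote)


# Constructed scenario from section 7.1: a demo-room drop that must never
# acknowledge alarms, whatever the logged-on user's own role allows.
ACK = "Allow alarm acknowledgments"
OPERATOR = Role("Operator", {ACK: (True, True)})
DEMO_ROOM = Role("DemoRoom", {ACK: (False, False)})  # Global scope, ack disabled
NET1 = Network("NET1")
NET1.activate_psg(0, "boiler22")
OPERATOR.rules[NET1.psg_rule(0)] = (True, False)     # boiler22 points, local only

if __name__ == "__main__":
    print(effective_permission(OPERATOR, DEMO_ROOM, ACK))          # False
    print(effective_permission(OPERATOR, None, ACK))               # True
    print(can_access_point(OPERATOR, None, NET1, 0))               # True
    print(can_access_point(OPERATOR, None, NET1, 0, remote=True))  # False
```

The model is deliberately one-directional: a computer role never grants a rule the user's role lacks, which is the "additional restrictions" semantics the text describes. If your site relies on a computer role to open up functions rather than close them down, verify that behaviour on a test drop before depending on it.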

9.3 To create a new role account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select the New icon. The New Role dialog box appears:

Figure 26: New Role dialog box

4. Enter the desired information in the appropriate entry fields (see page 41).
5. Select the Network that will be applicable for the new role. If you want the role to be valid
across all networks, select Global. If you want the role to be only valid on one network, select
that network name. Select OK.
6. A new role will be created.

9.4 To duplicate a role account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Duplicate icon or right-click the role name and select Duplicate. The Duplicate
Role dialog box appears:

Figure 27: Duplicate Role dialog box

5. Enter the new name of the role and a description of the role. All the properties of the current
role will be duplicated in the new role.
6. Select OK and the duplicate role is created.

9.5 To rename a role account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Rename icon or right-click the role name and select Rename. The Rename Role
dialog box appears:

Figure 28: Rename Role dialog box

5. Enter the new name for the current role and select OK.

9.6 To delete a role account


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Delete icon or right-click the role name and select Delete.
5. A message appears asking if you are sure you want to delete the role. If you select Yes, the
selected role will be deleted.

CAUTION: When a role is deleted, any user or computer that was assigned that role will now
be assigned the role of None. This means all the system functions will be disabled for the user
or computer.

9.7 What are the Ovation engineering security rules?

In Ovation Windows systems, engineering functions are done through the Ovation Developer
Studio. These functions can be restricted by the Engineering rules that are enabled or disabled
through the Manage Roles function of the Security Manager (see page 46).

By default, any user has read-only access to all database objects in the Ovation Developer
Studio. Granting a role access to a particular type of object allows users with that role to
perform Add, Modify, Delete, Purge, and Move operations on the associated objects.

In terms of engineering rules, the Ovation Developer Studio is categorized into the following
functional sections:
 Control Sheets (Ovation Control Builder)
 Graphics/Macros (Ovation Graphics Builder)
 Ovation Points
 Hardware Items (including the ability to Engineer specific I/O Interfaces such as Foundation
Fieldbus and GE Genius I/O)
 Ovation Point Groups
 Holding Registers
 Historian Configuration Objects (applicable for the Ovation Process Historian)
 Configuration Items
 Security User Interfaces (administrator only)
Engineering rules provide access to the following Ovation Developer Studio operations:
 Load Drop
 Download Drop
 Reconcile
 Restore
 Clear Drop
 Reboot Drop
 Calculate Conversion Coefficients
 Map to Remote Ovation System
 Import (including the use of the command-line utility OvPtImport)
 Export (including the use of the command-line utility OvPtExport)
 Engineering audit
 Historian data annotation
 Historian data edit
 Configuration of Ovation Safety Instrumented System (SIS) functions
 Ovation Wireless configurations

9.7.1 To display and edit properties of a role account (Rules tab for engineering)
1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.

4. Select the Properties icon or right-click the role name and select Properties. The Role
Properties window displays all the properties of the roles and what rules are enabled or
disabled for the roles.
5. Select the Rules tab and then the Engineering tab. All the current Engineering rules for the
selected role are displayed (see page 46).

Note: Click a parameter and the parameter description appears in the bottom of the dialog.

6. To enable or disable a rule for the role, highlight the rule and then use the Local Console
and Remote Console check boxes to enable (check) or disable (uncheck) it for that console
type. When you select a rule, a description of the rule appears in the bottom of the
Properties window.
7. Select Apply or OK to save the change.

Figure 29: Role Properties dialog box (engineering rules)

9.8 What are the Ovation operator security rules?

In Ovation Windows systems, operator functions are done through the Ovation Operator Station.
These functions can be restricted by the Operator rules that are enabled or disabled through the
Manage Roles function of the Security Manager (see page 48).

Operator rules provide access to the following Operator Station operations:


 Allow scan on-off
 Allow alarm check on-off
 Allow limit check on-off
 Allow value-clamping on-off
 Allow engineering range check on-off
 Allow reasonability check on-off
 Disable auto cutout
 Allow test mode on-off
 Allow modifying alarm limits
 Allow modifying UDA limits
 Allow changing default unit
 Allow overriding default unit
 Enable control functions
 Enable tuning functions
 Allow alarm acknowledgments
 Allow modifying alarm filters
 Enable enter value
 SIS - Allow test mode on-off
 SIS - Enable control functions
 SIS - Enable tuning functions
 SIS - Enable enter value
 Allow Modification of Alarm Window Properties
 Allow Modification of Ancilliary Data
 Allow alarm shelve on-off
 Allow highly managed alarm shelve on-off

9.8.1 To display and edit properties of a role account (Rules tab for operator)
1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Properties icon or right-click the role name and select Properties. The Role
Properties window displays all the properties of the roles and what rules are enabled or
disabled for the roles.
5. Select the Rules tab and then the Operator tab. All the current Operator rules for the
selected role are displayed (see page 48).

6. To enable or disable a rule for the role, highlight the rule and then use the Local Console
and Remote Console check boxes to enable (check) or disable (uncheck) it for that console
type. When you select a rule, a description of the rule appears in the bottom of the
Properties window.
7. Select Apply or OK to save the change.

Figure 30: Role Properties dialog box (Operator rules)

9.9 What are the Ovation point security group (PSG) rules?

An Ovation Point Security Group consists of a collection of Ovation points that typically share
some common properties. For example, points that belong to a "boiler22" security group would
typically be points associated with Boiler 22 processes. This is a logical grouping and has no
hard-coded meaning.

There are 32 possible point security groups in an Ovation system. A group is inactive until it is
activated by assigning a custom label or name to the group. Once a group is labeled and
activated, points can be assigned to the security group. During the point building process, every
Ovation point must be assigned to a security group.

After a point security group is defined and points are assigned to the group, the security group
can be assigned to a security role. Then the role will have access to all the points that belong to
that point security group. These point security groups are enabled or disabled through the
Manage Roles function of the Security Manager (see page 50).

Once a security group is activated, PSG rules provide the following uses for the security group
labels:
 Security group label can be used in a point's Security tab during the point building operation.
 Security group label can be used to assign the security group to a role so that anyone
assigned to that role will have access to all the points in the security group assigned to that
role.
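The access decision that these rules imply, as an added example that is not Ovation code: a point is built with exactly one PSG label, a PSG can be assigned to a role only after it has been activated by labeling, and the assignment is made per network, so a role reaches a point only on a network where that point's group is enabled for it. The slot numbering (0 to 31), the class and function names, and the role, network and point names are constructed for the demonstration.

```python
"""Point security groups and the access decision they produce, as
described in the section above. Added example, not Ovation code."""
from dataclasses import dataclass, field

MAX_GROUPS = 32  # 32 possible point security groups per system (from the page)


class PointSecurityGroups:
    """The 32 group slots of one system; a slot is inactive until it is labeled."""

    def __init__(self):
        self._labels = {}  # slot number -> label (slot numbering is an assumption)

    def activate(self, slot, label):
        if not 0 <= slot < MAX_GROUPS:
            raise ValueError(f"slot {slot} outside 0..{MAX_GROUPS - 1}")
        if not label:
            raise ValueError("a group is activated by giving it a label")
        self._labels[slot] = label

    def is_active(self, label):
        return label in self._labels.values()


@dataclass
class Point:
    name: str
    psg: str  # every point is built with exactly one security group label


@dataclass
class Role:
    name: str
    enabled: dict = field(default_factory=dict)  # network -> set of PSG labels

    def enable_psg(self, network, label, groups):
        """Assign a PSG to this role on one network; only an active group qualifies."""
        if not groups.is_active(label):
            raise ValueError(f"PSG {label!r} is not active (no label assigned)")
        self.enabled.setdefault(network, set()).add(label)


def can_access(role, network, point):
    """The role reaches the point only where the point's PSG is enabled for it."""
    return point.psg in role.enabled.get(network, set())


def build_demo():
    """Constructed data: two labeled groups and an operator role limited to boiler22 on NET1."""
    groups = PointSecurityGroups()
    groups.activate(0, "boiler22")
    groups.activate(1, "turbine1")
    operator = Role("OPERATOR-1")
    operator.enable_psg("NET1", "boiler22", groups)
    return groups, operator


if __name__ == "__main__":
    groups, operator = build_demo()
    drum = Point("B22-DRUMLVL", psg="boiler22")
    speed = Point("T1-SPEED", psg="turbine1")
    print(can_access(operator, "NET1", drum))   # True
    print(can_access(operator, "NET1", speed))  # False: group not enabled for the role
    print(can_access(operator, "NET2", drum))   # False: enabled on NET1 only
```

Run as a script it prints True, False, False: the operator role reaches the boiler22 point on NET1, not the turbine1 point, and not the same boiler22 point on NET2, where nothing has been enabled for the role. The deny-by-default on the second network is the point to remember when a role is shared across networks.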

9.9.1 To display and edit properties of a role account (PSG tab)


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Properties icon or right-click the role name and select Properties. The Role
Properties window displays all the properties of the roles and what rules are enabled or
disabled for the roles.
5. Select the Point Security Groups tab. The current status of the PSGs for the selected role (on
all networks) is displayed.
6. Enable or disable a point group by highlighting a group and then use the Setting check
boxes to enable the group (check) or disable the group (uncheck).

7. Select Apply or OK to enable or disable the group for the selected role. A role can use a PSG
only on the networks where that group has been enabled for it.

Figure 31: Role Properties dialog box (PSG status)

9.10 What is the Accounts tab?

The Accounts tab displays all the users or computers on each network that have been assigned
the role that you selected in the Manage Ovation Roles window (see page 41). This tab is Read
Only.

9.10.1 To display properties of a role account (Accounts tab)


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Properties icon or right-click the role name and select Properties. The Role
Properties window displays all the properties of the roles and what rules are enabled or
disabled for the roles.
5. Select the Accounts tab. This displays all the users or computers on each network that have
been assigned the role. This tab is Read Only.

Figure 32: Role Properties dialog box (Accounts tab)

9.11 What is the General tab?

The General tab displays the current description of the role you selected in the Manage
Ovation Roles window (see page 41). You can edit this tab.

9.11.1 To display and edit properties of a role account (General tab)


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Ovation Roles task button. The names of all the current roles (both
global and private) that are currently in the domain appear.
3. Select a role listed in the Manage Roles window.
4. Select the Properties icon or right-click the role name and select Properties. The Role
Properties window displays all the properties of the roles and what rules are enabled or
disabled for the roles.
5. Select the General tab. The current description of the role appears. You can modify the
description, if desired. Select Apply to save the changes but not dismiss the window. Select
OK to save the changes and dismiss the window.

Note: Click a role and the role description appears in the bottom of the dialog.

Figure 33: Role Properties dialog box (General tab)

SECTION 10

10 Managing group policies

IN THIS SECTION

What are group policies? .................................................................................................. 55


How are group policies enforced?..................................................................................... 56
To create a new group policy ............................................................................................ 57
To duplicate a group policy ............................................................................................... 57
To rename a group policy ................................................................................................. 58
To delete a group policy .................................................................................................... 58
To display and edit properties of a group policy (Policy Rules tab) .................................. 58
To display properties of a group policy (Accounts tab) ..................................................... 63
To display and edit properties of a group policy (General tab) ......................................... 64

10.1 What are group policies?

Group policies consist of a collection of Windows system rules that can be assigned to user or
computer accounts to configure a custom desktop environment. Typically, group policies are only
assigned to user accounts. However, if needed, they can be applied to computer accounts.

When you first open the Ovation Security Manager tool, some pre-defined group policies are
already configured for your convenience. You can edit or delete these group policies (see page
17).

Figure 34: Manage Group Policies task selected

Group policies are set by defining the rules in the Policy Rules tab of the Group Policy Properties
dialog box.

There are two special group policies:

 Default policy: When you create a new user account, it is automatically assigned the Default
Group policy. If the group policy assigned to a user is deleted, the user is reassigned the Default
policy. The Default policy cannot be deleted from the list of group policies.
 Global policies: The settings in these policies are inherited by all other group policies unless
specifically overridden in the Policy Rules tab. Some Global policy rules cannot be overridden. A
Global policy cannot be deleted from the list of group policies.
Each group policy has the following set of properties that must be defined by the security
administrator:

Properties for group policies

Property or field   Description
Name                Name of the group policy.
Description         Describes the policy.
Type of Policy      Either a User policy or a Computer policy.

While using the Manage Group Policies task, the security administrator will be able to:
 Create new Group Policies (see page 57).
 Duplicate Group Policies (see page 57).
 Rename Group Policies (see page 58).
 Delete existing policies (see page 58).
 Refresh the screen.
 View Group Policy Properties (see page 58).

10.2 How are group policies enforced?

Group policies are collections of Windows system rules that determine the desktop and system
environment for a user or a computer. Every time a user logs onto a computer in an Ovation
domain, a sequence of group policies is applied to determine what group policy rules will be
enforced. The group policy settings in the first policy (Global User) are scanned and passed
through to each subsequent policy until a rule setting is changed (rule settings marked as Not
Configured are ignored during the scanning). The new rule setting is then passed through to the
next subsequent policy unless it is changed again.

The security group policies are applied in the following order:

1. Global User policy.
2. Assigned User policy.
3. Global Computer policy.
4. Assigned Computer policy.

For example, a user has permission through a Global User policy rule to access the A:\ drive. The
user logs onto a restricted computer where the Assigned Computer policy rule does not provide
access to the A:\ drive. Therefore, the user will not have access to the A:\ drive on the restricted
computer.
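The cascade described above, as an added example that is not Ovation code: resolve() scans the four layers in the order listed, lets a configured value pass through every later layer that leaves the rule Not Configured, and records which layer decided each rule. The optional locked set models the Global rules the page says cannot be overridden; which rules those are is not stated here, so the set is the caller's. The policy contents below are constructed and reproduce the A:\ drive scenario, modeled as a "Restrict A: drive" rule where Enabled means the drive is blocked.

```python
"""Effective group policy for one logon, computed the way the section above
describes. Added example, not Ovation code."""

NOT_CONFIGURED = None  # a rule in this state is skipped; the prior value passes through

# Order in which the policies are applied at logon, as listed above.
LAYER_ORDER = ("Global User", "Assigned User", "Global Computer", "Assigned Computer")


def resolve(layers, locked=frozenset()):
    """Return {rule: (effective value, layer that set it)}.

    layers maps a layer name to {rule: True (Enabled) | False (Disabled) | None}.
    Later layers override earlier ones, except for rules in `locked`, which
    model the Global rules the page says cannot be overridden: once a Global
    layer has configured such a rule, an Assigned layer cannot change it.
    """
    effective = {}
    for layer in LAYER_ORDER:
        is_global = layer.startswith("Global")
        for rule, value in layers.get(layer, {}).items():
            current, _ = effective.setdefault(rule, (NOT_CONFIGURED, None))
            if value is NOT_CONFIGURED:
                continue  # no opinion at this layer; keep what passed through
            if rule in locked and not is_global and current is not NOT_CONFIGURED:
                continue  # non-overridable Global value wins
            effective[rule] = (value, layer)
    return effective


def demo_layers():
    """Constructed policies for the A:\\ drive scenario above.

    'Restrict A: drive' is modeled like the Windows 'Prevent access to
    drives' rules: Enabled (True) blocks the drive, Disabled (False)
    leaves it reachable.
    """
    return {
        "Global User": {"Restrict A: drive": False, "Hide Control Panel": True},
        "Assigned User": {"Restrict A: drive": NOT_CONFIGURED},
        "Global Computer": {"Hide Control Panel": NOT_CONFIGURED},
        "Assigned Computer": {"Restrict A: drive": True},  # the restricted drop
    }


def drive_reachable(layers, rule="Restrict A: drive"):
    """True when the effective setting leaves the drive accessible."""
    value, _ = resolve(layers).get(rule, (NOT_CONFIGURED, None))
    return value is not True


if __name__ == "__main__":
    restricted = demo_layers()
    for rule, (value, layer) in resolve(restricted).items():
        print(f"{rule:20} -> {value!s:5} (set by {layer})")
    print("A: drive reachable on the restricted drop:", drive_reachable(restricted))
    ordinary = {k: v for k, v in restricted.items() if k != "Assigned Computer"}
    print("A: drive reachable on an ordinary drop:", drive_reachable(ordinary))
```

The layer recorded beside each value is what you want when a user reports a missing desktop feature: it names the policy to open in the Policy Rules tab rather than leaving you to check all four.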

10.3 To create a new group policy


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
that are currently in the domain appear.
3. Select the New icon. The New Group Policy dialog box appears.
4. Enter the desired information in the appropriate entry fields (see page 55).
5. Select OK.

Figure 35: New Group Policy dialog box

10.4 To duplicate a group policy


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
that are currently in the domain appear.
3. Select the policy you want to duplicate.
4. Select the Duplicate icon or right-click the policy name and select Duplicate. The Duplicate
Group Policy dialog box appears.
5. Enter the new name for the policy. All the properties of the current policy will be duplicated in
the new policy.
6. Select OK.

Figure 36: Duplicate Group Policy dialog box

10.5 To rename a group policy


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
(both user and computer) that are currently in the domain appear.
3. Select a policy listed in the Manage Group Policies window.
4. Select the Rename icon or right-click the policy name and select Rename. The Rename
Group Policy dialog box appears:

Figure 37: Rename Group Policy dialog box

5. Enter the new name for the current group policy and select OK.

10.6 To delete a group policy

Note: Default and Global Group Policies cannot be deleted.

1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
(both user and computer) that are currently in the domain appear.
3. Select a policy listed in the Manage Group Policies window.
4. Select the Delete icon or right-click the policy name and select Delete.
5. A message appears asking if you are sure you want to delete the policy. If you select Yes, the
selected policy will be deleted.

Note: When a policy is deleted, any user or computer that is currently assigned that policy is
reassigned the Default user or computer policy.

10.7 To display and edit properties of a group policy (Policy Rules tab)
1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
(both user and computer) that are currently in the domain appear.
3. Select a policy listed in the Manage Group Policies window.
4. Select the Properties icon or right-click the selected policy and select Properties.

5. Select the Policy Rules tab. The Policy Rules tab appears listing the policy rules (see page
60) that are set for the selected policy. A rule will control what settings a user or computer can
change. For example, you can specify screen saver settings for a computer.

Note: Click a rule and the rule description appears in the bottom of the dialog.

Figure 38: Group Policy Properties (Policy Rules tab)

6. Select a rule and then select the desired Value for the rule from the pull-down menu. Your
choices are reflected in the icon for the rule that displays in the left side of the window:
 A check box with an arrow means the rule is Not Configured.
 A red X in the check box means the rule is Disabled.
 A check mark in the check box typically means the rule is Enabled. The rule has a value
and it is applied.

Note: If you want to return to the Values that were set when you opened the window, select the
Reset button. All the rules will revert to their previous values.

7. Some policy rules for group policies require additional configuration when they are enabled. A
row with a text entry field might appear that you can directly modify or a "Click to Edit"
message might appear in the Value line.
8. If the Click to Edit message appears, click the line and an ellipsis button (...) appears.
Select the ellipsis button and the appropriate dialog box appears. Possible dialog boxes are as
follows:
 Select Users dialog box (see page 60): Selects users that will be affected by the rule
being enabled.
 Select Values dialog box (see page 61): Defines new values that will be affected by the
rule being enabled.
 Enter Text Value dialog box (see page 62): Enters text that will be used by the rule being
enabled.
9. Perform the desired changes in the dialog box and select Apply or OK to save the changes
to the policy rule.

10.7.1 What are Ovation group security rules?

In Ovation Windows systems, group security rules can be used to configure a restricted desktop
environment for a computer. These rules are Windows rules that are enabled or disabled through
the Manage Group Policies function of the Security Manager (see page 58).

Following are some examples of the security rules for groups:
 Prevent access to the Windows command prompt.
 Prohibit access to properties of a LAN connection.
 Prohibit access to the Windows control panel.
 Hide the Internet Explorer icon on the desktop to prevent access to the Internet.

An XML-based template file that contains the initial set of group rules is provided on the
Domain Controller as part of the standard release. A system administrator can modify this file to
fit the security needs of the Ovation system; additional rules can be added or deleted as needed.

10.7.2 What is the Select Users dialog box?

Some policy rules for group policies require additional configuration when they are enabled. If you
enable one of these complex rules that allow users to be added or removed, the Select Users
dialog box appears. Use this box to define what users will be affected by the rule being enabled.

Figure 39: Select Users dialog box

Other dialog boxes that may appear for configuring group policy rules are as follows:
 Select Values dialog box (see page 61): Defines new values that will be affected by the rule
being enabled.
 Enter Text Value dialog box (see page 62): Enters text that will be used by the rule being
enabled.

10.7.3 What is the Select Values dialog box?

Some policy rules for group policies require additional configuration when they are enabled. If you
enable one of these complex rules that allow values to be added or removed, the Select Values
dialog box appears. Use this box to define new values for the rule being enabled.

Figure 40: Select Values dialog box

Other dialog boxes that may appear for configuring group policy rules are as follows:
 Select Users dialog box (see page 60): Selects users that will be affected by the rule being
enabled.
 Enter Text Value dialog box (see page 62): Enters text that will be used by the rule being
enabled.

10.7.4 What is the enter text Value field?

Some policy rules for group policies require additional configuration when they are enabled. If you
enable one of these complex rules that allow text to be edited for the rule, the enter text Value
entry field appears in the right pane of the Group Policy Properties window. Use this field to enter
text for the rule being enabled.

Note: Click a rule and the rule description appears in the bottom of the dialog.

Figure 41: Group Policy Properties window (Policy Rules tab with enter text Value field
selected)

Other dialog boxes that may appear for configuring group policy rules are as follows:
 Select Users dialog box (see page 60): Selects users that will be affected by the rule being
enabled.
 Select Values dialog box (see page 61): Defines new values that will be affected by the rule
being enabled.

10.8 To display properties of a group policy (Accounts tab)


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
(both user and computer) that are currently in the domain appear.
3. Select a policy listed in the Manage Group Policies window.
4. Select the Properties icon or right-click the selected policy.
5. Select the Accounts tab. The Accounts tab appears displaying the users and computers that
are currently assigned the policy you selected in the Manage Group Policies window. This is
for information only and cannot be edited.

Figure 42: Group Policy Properties (Accounts tab)

10.9 To display and edit properties of a group policy (General tab)


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Group Policies task button. The names of all the current group policies
(both user and computer) that are currently in the domain appear.
3. Select a policy listed in the Manage Group Policies window.
4. Select the Properties icon or right-click the selected policy.
5. Select the General tab. The current description of the policy appears. If desired and if you
have the appropriate permissions, you can edit this description. Select OK.

Figure 43: Group Policy Properties (General tab)

SECTION 11

11 Managing domain policies

IN THIS SECTION

What are domain policies? ................................................................................................ 65


What are default domain policies? .................................................................................... 66
What are default Domain Controller policies? ................................................................... 67
To display properties of a domain policy ........................................................................... 67

11.1 What are domain policies?

Domain policies are top-level policies that control desktop and system options for all users and
computers in the domain.

Figure 44: Manage Domain Policies task selected

A domain policy consists of one or more policy rules that can only be set globally. That means
once a rule is defined, it will be applied to all computers in the domain. These types of rules do
not require computer account assignments.

These policies are set by defining the rules in the Policy Rules tab of the Default Domain Policies
dialog box.

Domain Policies are divided into two classes:
 Default Domain Policies (see page 66).
 Default Domain Controller Policies (see page 67).

Each Domain Policy has the following set of properties that must be defined by the security
administrator:

Properties for Domain Policies

Property or field   Description
Rule Name           Name of the domain policy rule.
State               Not Configured: the system default value is used.
                    Enabled: the rule is applied.
                    Disabled: the rule is not applied.
Value               The meaning of the value is described at the bottom of the window.

While using the Manage Domain Policies task, the security administrator will be able to:
 Display properties of a domain policy (see page 67).

11.2 What are default domain policies?

Default domain policies are group policies that apply to every computer that is a member of the
security domain. These policies typically control the account lockout and password policies. In
addition, you can select a power plan for the domain members.

The values for the rules are indicated by the following icons:
 A check box with an arrow means the rule is Not Configured.
 A red X in the check box means the rule is Disabled.
 A check mark in the check box typically means the rule is Enabled. The rule has a value and
it is applied.

Note: If you want to return to the values that were set when you opened the window, select the
Reset button. All the rules will revert to their previous values.

The following figure lists the default domain policies for the domain members.

Figure 45: Default Domain Policies
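A check worth running beside the Security Manager view, as an added example that is not part of Ovation: on a domain member, `secedit /export /cfg <file>` (from an elevated command prompt) writes the effective security settings to an INF file whose [System Access] section holds the password and lockout values these policies control. The Python below parses that section and flags weak settings against a baseline that is this example's own assumption, not an Ovation requirement; the INF content is constructed.

```python
"""Audit of the password and account-lockout values that the default domain
policy carries, read back on a domain member. Added example, not part of
Ovation Security Manager."""
import configparser

# Constructed sample of what `secedit /export /cfg <file>` writes (one section shown).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
ClearTextPassword = 1
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Example baseline (an assumption of this example, not an Ovation requirement).
BASELINE = {
    "MinimumPasswordLength": 12,
    "PasswordHistorySize": 24,
    "LockoutBadCount": 1,  # 0 means accounts never lock out after bad passwords
}


def parse_system_access(inf_text):
    """Return the numeric settings of the [System Access] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key names exactly as secedit writes them
    cp.read_string(inf_text)
    settings = {}
    for key, raw in cp["System Access"].items():
        try:
            settings[key] = int(raw.strip().strip('"'))
        except ValueError:
            pass  # string values such as NewAdministratorName are not audited here
    return settings


def audit(settings):
    """List of findings against BASELINE; an empty list means nothing to report."""
    findings = []
    for key, minimum in BASELINE.items():
        value = settings.get(key, 0)
        if value < minimum:
            findings.append(f"{key}={value} below baseline {minimum}")
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity is disabled")
    if settings.get("MaximumPasswordAge", 0) in (0, -1):
        findings.append("MaximumPasswordAge: passwords never expire")
    if settings.get("ClearTextPassword", 0) == 1:
        findings.append("ClearTextPassword: reversible encryption enabled")
    return findings


if __name__ == "__main__":
    # On a real member: text = open(r"C:\temp\secpol.inf", encoding="utf-16").read()
    for finding in audit(parse_system_access(SAMPLE_INF)):
        print(finding)
```

secedit writes the export as UTF-16, so read it with encoding="utf-16" as in the comment. Running the audit on a member rather than trusting the icons in the window catches the case where the domain policy is set correctly but has not reached the drop.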

11.3 What are default Domain Controller policies?

Default Domain Controller policies are group policies that apply only to the computer in the
security domain that acts as the Domain Controller. The following figure lists the default policies
for the Domain Controller.

The values for the rules are indicated by the following icons:
 A check box with an arrow means the rule is Not Configured.
 A red X in the check box means the rule is Disabled.
 A check mark in the check box typically means the rule is Enabled. The rule has a value and
it is applied.

Note: If you want to return to the values that were set when you opened the window, select the
Reset button. All the rules will revert to their previous values.

Figure 46: Default Domain Controller Policies

11.4 To display properties of a domain policy


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Domain Policies task button. The Domain Policies appear.
3. Select a policy listed in the Manage Domain Policy window.
4. Select the Properties icon or right-click the selected policy and select Properties.
5. Select the Policy Rules tab. The Domain Policy Properties window appears listing the
desktop options that are set for the selected policy. A policy will control what settings a user or
computer can change.
6. If you want to return to the values that were set when you opened the window, select the
Reset button. All the rules will revert to their previous values.

Note: Click a rule and the rule description appears in the bottom of the dialog.

SECTION 12

12 Managing administrators

IN THIS SECTION

What are administrators? .................................................................................................. 69


To assign administrative control ........................................................................................ 70
To remove administrative control ...................................................................................... 71

12.1 What are administrators?


Administrators are the people who have the authority to manage and configure the security for the
Ovation system.

Figure 47: Manage Administrators task selected

When an Ovation system is installed and initially started, there is only one administrator for
security in the system. This is the default setting so that when a system starts, there will be at
least one user who has permission to assign security roles to users and drops.

Note: The Administrator account can be renamed, but it cannot be deleted.

After the administrator has assigned roles so that functions can be performed throughout the
domain, there should be at least one more administrator defined for the domain to ensure the
continuation of security monitoring in case the original administrator is not available.

The administrator can assign a user to be a Security Administrator and can also remove a user
from being able to serve as a Security Administrator.

CAUTION: Changes to Administrative Control will take place only after a user has logged out
and then back in. If you remove control from a user or assign control to a user who is currently
logged on, the change will NOT occur until the user has logged out and then back in.

While using the Manage Administrators task, the security administrator will be able to:
 Assign (see page 70) a user account to be an administrator and have administrative control.
 Remove (see page 71) a user account from the Security Administrator position so it will no
longer be an administrator and will not have administrative control.

12.2 To assign administrative control


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Administrators task button. A list of all the current user accounts
appears.
3. To add a new user as administrator, click Add User.
4. The Select Users window appears. Select the name of the account to which you want to
assign administrative control.
5. Select the OK button. The selected user will now be able to function as a Security
Administrator.

CAUTION: Changes to Administrative Control will take place only after a user has logged out
and then back in. If you remove control from a user or assign control to a user who is currently
logged on, the change will NOT occur until the user has logged out and then back in.

Figure 48: Select Users for Manage Administrators dialog box

12.3 To remove administrative control


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Administrators task button. A list of all the current user accounts
appears.
3. To remove administrator control from an existing user, select the name of the account from
which you want to remove administrative control. Then, click Remove User.
4. A confirmation message appears. Click Yes to remove administrative control from the user.

Figure 49: Remove confirmation message

5. Select the OK button. The selected user will no longer be able to function as a Security
Administrator.

CAUTION: Changes to Administrative Control will take place only after a user has logged out
and then back in. If you remove control from a user or assign control to a user who is currently
logged on, the change will NOT occur until the user has logged out and then back in.

SECTION 13

13 Managing database users

IN THIS SECTION

What is the Manage Database Users functionality? ......................................................... 73


To reset the database user password ............................................................................... 75

13.1 What is the Manage Database Users functionality?

The Manage Database Users functionality in the Ovation Security Manager enables you to view a
list of users who can access the database and their status in a network.

A database user can have any one of the following status values:
 OPEN: Indicates that the user account is enabled and can be used to log on to the database.
 LOCKED: Indicates that the user account is enabled but locked to prevent it from logging on
to the database, even with the correct unexpired password.
 EXPIRED: Indicates that the password of the user account has expired, but the account is not
locked. A password expires, for example, when the user does not change it within the period
required by the password policy ("Account password must be changed every 90 days").
 EXPIRED & LOCKED: Indicates that the password of the user account is expired, and the
account is also locked.

To view a list of database users in a network, perform the following steps:

1. Open the Ovation Security Manager (see page 19).
2. Click Manage Database Users to display a list of all Ovation Users and Other Users in a
network. The users listed under the Ovation Users group are the accounts that Ovation
applications use to connect to the database. The users listed under the Other Users group are
not required by Ovation applications, so by default their status is kept as EXPIRED & LOCKED.
The following window shows all database users and their status in the FE350 network.

Figure 50: Viewing the database users

3. To view the database users in other networks, click the corresponding network tab. For
example, in the above window, if you click the network tab FE350C, all database users in the
network FE350C are displayed.
4. Click Refresh to update the window.

13.2 To reset the database user password

The Manage Database Users functionality enables you to reset the password of a database user
in a network.

To reset the password of a database user in a network, perform the following steps:

1. Open the Ovation Security Manager (see page 19).
2. Click Manage Database Users to display a list of all database users in a network.
3. Select the database user in a network and click Reset Password. The following window
appears:

Figure 51: Resetting the database user password

4. Enter a new password in the Password Editor dialog box. Confirm the password, and click
OK.

Note: If you want to use special characters in the password, you can only use _, $, and #.
Using any other special characters in the password gives you an error.
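The status values from the previous section and the character restriction from this one, as an added example that is not Ovation code: status() derives the four values from whether the account is locked and whether the password is older than the 90-day policy quoted above; validate_password() rejects any special character other than _, $ and #; review() flags rows that deviate from the defaults described above (Ovation application accounts that are not OPEN, and Other Users that are no longer EXPIRED & LOCKED). The minimum length, the account names and the dates are this example's own assumptions.

```python
"""Database-user status values and the Reset Password character rule from
the sections above. Added example, not Ovation code."""
from datetime import date, timedelta
import string

PASSWORD_MAX_AGE = timedelta(days=90)  # "must be changed every 90 days" (from the page)
ALLOWED_SPECIALS = "_$#"               # the only special characters Reset Password accepts
MIN_LENGTH = 12                        # assumption of this example, not a documented rule


def status(locked, password_set, today):
    """Map (locked?, password age) onto OPEN / LOCKED / EXPIRED / EXPIRED & LOCKED.

    A password set exactly 90 days ago is still within the policy window.
    """
    expired = today - password_set > PASSWORD_MAX_AGE
    if expired and locked:
        return "EXPIRED & LOCKED"
    if expired:
        return "EXPIRED"
    if locked:
        return "LOCKED"
    return "OPEN"


def validate_password(candidate):
    """Return the reasons a new password would be rejected; [] means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    allowed = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
    rejected = sorted({c for c in candidate if c not in allowed})
    if rejected:
        problems.append("disallowed characters: " + "".join(rejected))
    return problems


def review(users):
    """Flag accounts that deviate from the defaults described above.

    users: iterable of (name, group, status) rows as the Manage Database
    Users window lists them. An application account that is not OPEN may
    stop the Ovation application that uses it from connecting; an account
    under Other Users that is no longer EXPIRED & LOCKED has been opened
    up and should be explained.
    """
    findings = []
    for name, group, st in users:
        if group == "Ovation Users" and st != "OPEN":
            findings.append(f"{name}: Ovation application account is {st}")
        elif group == "Other Users" and st != "EXPIRED & LOCKED":
            findings.append(f"{name}: account not required by Ovation is {st}")
    return findings


if __name__ == "__main__":
    today = date(2016, 5, 1)  # constructed dates
    print(status(False, date(2016, 2, 1), today))   # OPEN  (exactly 90 days)
    print(status(True, date(2015, 12, 1), today))   # EXPIRED & LOCKED
    print(validate_password("Ov4tion!Db@2016xx"))   # ['disallowed characters: !@']
    # Constructed rows; the account names are not real Ovation accounts.
    rows = [("OVAPP01", "Ovation Users", "OPEN"),
            ("OVAPP02", "Ovation Users", "LOCKED"),
            ("DBUSER01", "Other Users", "OPEN")]
    for finding in review(rows):
        print(finding)
```

review() is the part to keep: an Other Users account that shows OPEN on the Refresh after a maintenance window is exactly the change this window exists to reveal.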

SECTION 14

14 Examples of security configuration

IN THIS SECTION

Configuring security for a domain ..................................................................................... 77


Creating Ovation role OPERATOR-1 ................................................................................ 78
Creating Ovation role OPERATOR-2 ................................................................................ 79
Creating Ovation role DEMOPC ....................................................................................... 79
Creating an account for Joe .............................................................................................. 80
Creating an account for computer DROP199 ................................................................... 80
Logging in locally to a local network.................................................................................. 81
Logging in locally to a remote network .............................................................................. 81
Logging in remotely to a local network .............................................................................. 82
Logging in remotely to a remote network .......................................................................... 82
Logging in locally to a restricted drop................................................................................ 83
Logging in remotely to a restricted drop ............................................................................ 83

14.1 Configuring security for a domain

In this example of configuring security for a domain, assume the following:


 There is one Ovation user - Joe.
 There are two Ovation networks - NET1 and NET2. Joe is assigned to a different Ovation role
on each network.
 There are two database servers - one for each network.
 There is one Operator Station drop - DROP101, which is not assigned to any role.
 There is one restricted drop - DROP199, which is assigned to a DEMOPC role.
 Joe is assigned to the default Group Policy.
 DROP199 is assigned to the default Group Policy.
Before you can use the security features, you must create Ovation roles for:
 OPERATOR-1 (see page 78).
 OPERATOR-2 (see page 79).
 DEMOPC (see page 79).
You must also create accounts for:
 Joe (see page 80).
 DROP199 (see page 80).

In this domain, Joe will have different capabilities depending on where he logs on (DROP101 or
DROP199), how he logs on (locally at the drop or remotely to the drop through remote desktop)
and which network data he is accessing (NET1 or NET2). Examples are provided of Joe using
different login scenarios in his plant.

14.2 Creating Ovation role OPERATOR-1


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Roles task button. The names of all the current roles (both global and
private) that are currently in the domain appear.
3. Select the New icon. The New Role dialog box appears.
4. Enter OPERATOR-1 in the Name entry field.
5. Enter Operator on Net1 in the Description field.
6. Select NET1 for the network. Select OK. The OPERATOR-1 role is created. Because you selected a
specific network, this is a Private role.
7. Return to the Ovation Security Manager main window and select the Manage Roles task
button.
8. Select the new OPERATOR-1 role.
9. Select the Properties icon. The Role Properties window displays all the properties of the
role and which rules are enabled or disabled for it.
10. Select the Rules tab and then the Operator tab. All the current rules for Operator roles
display (see page 48).
11. Highlight the Allow scan on/off rule and put a check in the Local Console box.
12. Highlight the Allow tuning functions rule and put checks in the Local and Remote Console
boxes.
13. Select OK to save the settings for the role.


14.3 Creating Ovation role OPERATOR-2


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Roles task button. The names of all the current roles (both global and
private) that are currently in the domain appear.
3. Select the New icon. The New Role dialog box appears.
4. Enter OPERATOR-2 in the Name entry field.
5. Enter Operator on Net2 in the Description field.
6. Select NET2 for the network. Select OK. The OPERATOR-2 role is created. Because you selected a
specific network, this is a Private role.
7. Return to the Ovation Security Manager main window and select the Manage Roles task
button.
8. Select the new OPERATOR-2 role.
9. Select the Properties icon. The Role Properties window displays all the properties of the
role and which rules are enabled or disabled for it.
10. Select the Rules tab and then the Operator tab. All the current rules for Operator roles
display (see page 48).
11. Highlight the Allow scan on/off rule and remove the checks in the Local and Remote
Console boxes.
12. Highlight the Allow tuning functions rule and remove the checks in the Local and Remote
Console boxes.
13. Select OK to save the settings for the role.

14.4 Creating Ovation role DEMOPC


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Roles task button. The names of all the current roles (both global and
private) that are currently in the domain appear.
3. Select the New icon. The New Role dialog box appears.
4. Enter DEMOPC in the Name entry field.
5. Enter Restricted Computer on Net1 in the Description field.
6. Select Global for the network. Select OK. The DEMOPC role will be created. All computer
roles should be Global.
7. Return to the Ovation Security Manager main window and select the Manage Roles task
button.
8. Select the new DEMOPC role.
9. Select the Properties icon. The Role Properties window displays all the properties of the
role and which rules are enabled or disabled for it.
10. Select the Rules tab and then the Operator tab. All the current rules for Operator roles
display (see page 48).
11. Highlight the Allow scan on/off rule and remove the check in the Local Console box.
12. Highlight the Allow tuning functions rule and remove the check in the Local Console box.
13. Select OK to save the settings for the role.


14.5 Creating an account for Joe


1. Create a New User (see page 25) account for Joe and select OK.
2. Access the Ovation Security Manager window (see page 19).
3. Select the Manage Users task button.
4. The list of users appears in the Security Manager window. Select Joe's account.
5. Select the Properties icon or right-click the user name and select Properties from the pop-up
menu.
6. The User Properties dialog box appears displaying Joe's name. Since Joe is being assigned
to the default Group Policy, you do not have to select a group policy for him.
7. Highlight NET1 under Roles.
8. The Role Selection dialog box appears. From the list of roles, select OPERATOR-1.
9. Highlight NET2 under Roles.
10. The Role Selection dialog box appears. From the list of roles, select OPERATOR-2. Select
OK.
Joe now has two roles assigned to him. These roles define what he can do on two different
networks.

14.6 Creating an account for computer DROP199


1. Access the Ovation Security Manager window (see page 19).
2. Select the Manage Computers task button.
3. The names of all the workstations and their networks that are currently in the domain appear.
Select DROP199.
4. Select the Properties icon or right-click the computer name and select Properties from the
pop-up menu.
5. The Computer Properties dialog box appears displaying DROP199. Since DROP199 is being
assigned to the default Group Policy, you do not have to select a group policy for it.
6. Highlight Roles.
7. The Role Selection dialog box appears. From the list of roles, select the DEMOPC role that
you want to assign to the computer. Select OK.

14.7 Logging in locally to a local network

In this scenario, Joe is logged on locally at the computer DROP101 and accessing data from
NET1 (the network to which the drop belongs).

14.8 Logging in locally to a remote network

In this scenario, Joe is logged on locally at the computer DROP101 and accessing data from
NET2 (which is a remote network to DROP101).

14.9 Logging in remotely to a local network

In this scenario, Joe is logged on to the computer DROP101 remotely (through remote desktop
service) and accessing the data in NET1 (the network to which the logged-on drop belongs).

14.10 Logging in remotely to a remote network

In this scenario, Joe is logged on to the computer DROP101 remotely (through remote desktop
service) and accessing the data in NET2 (which is a remote network to DROP101).

14.11 Logging in locally to a restricted drop

In this scenario, Joe is logged on locally at the computer DROP199 and accessing the data in
NET1 (the network to which the drop belongs). Since DROP199 is a restricted drop, Joe will
experience additional restrictions on the functions he can perform at that drop.

14.12 Logging in remotely to a restricted drop

In this scenario, Joe is logged on to the computer DROP199 remotely (through remote desktop
service) and accessing the data in NET1 (the network to which the logged-on drop belongs).
Since DROP199 is a restricted drop, Joe will experience additional restrictions on the functions he
can perform at that drop.

SECTION 15

15 Using DigitalPersona Pro 5.5 fingerprint readers

IN THIS SECTION

What is the DigitalPersona Pro fingerprint reader? ........................................................... 85


Why is multi-factor authentication so important? .............................................................. 85
How do you get started using DigitalPersona Pro fingerprint readers? ............................ 86
What are the system requirements? ................................................................................. 86
Overview of installing the DigitalPersona fingerprint reader software .............................. 86
Adding fingerprints .......................................................................................................... 109
Uninstalling the DigitalPersona Pro fingerprint reader software ..................................... 110

15.1 What is the DigitalPersona Pro fingerprint reader?

The DigitalPersona Pro fingerprint reader allows you to add fingerprint logon identification to your
workstation security. Your fingerprint is compared against the fingerprint that you initially
registered as part of the workgroup administrator's attended fingerprint registration. The
combination of password and biometric data creates multi-factor authentication (see page 85).

After you register your fingerprints, the fingerprint templates are stored locally on that workstation
and sent to the DigitalPersona Pro Server for secure storage. A template is a highly compressed,
digitally encoded representation of the fingerprint; the actual fingerprint images are never saved.
By storing templates rather than fingerprint images, DigitalPersona Pro protects your employees'
biometric information.

DigitalPersona Pro software uses Microsoft Windows Active Directory for its security policies and
settings. Active Directory stores and organizes the security settings that you select for your
workgroup, and Group Policy lets you push those settings out to the workstations across your
network.

Note: For more information about the DigitalPersona Pro 5.5 software or fingerprint reading
hardware, refer to the product help or the applicable DigitalPersona Pro Administrator Guide.

15.2 Why is multi-factor authentication so important?

DigitalPersona Pro provides multi-factor authentication for the users in your workgroup by
requiring biometric validation in the form of a fingerprint in addition to a password. Multi-factor
authentication is not only a recommended security practice, it is often required by oversight
organizations (for example, the NERC CIP requirements mandate two-factor authentication for
remote access to protected workstations).

Authentication can draw on three types of factor:


 Something a user knows (password).
 Something a user has (keycard).
 Something a user is (fingerprint).

15.3 How do you get started using DigitalPersona Pro fingerprint readers?

Contact your Emerson Projects representative to order a DigitalPersona Pro software CD. You
will also need the actual fingerprint readers (hardware) or a keyboard with the fingerprint reader
embedded in it.

15.4 What are the system requirements?

The following table describes the minimum system requirements for installation of the
DigitalPersona Pro Enterprise Server and Workstation.

DigitalPersona system requirements

PRODUCT/COMPONENT: DigitalPersona Pro Enterprise Server
MINIMUM REQUIREMENTS:
 Windows Server 2008 R2 (32/64-bit), Windows Server 2003 R2 (32/64-bit), or Windows SBS 2003 SP2
 Active Directory
 12 MB disk space plus 5 KB per user

PRODUCT/COMPONENT: DigitalPersona Pro Enterprise Workstation
MINIMUM REQUIREMENTS:
 Windows Server 2008 R2 (32/64-bit), Windows Server 2003 SP2 (32/64-bit), or Windows 7/Vista
(32/64-bit). Home editions of Windows 7/Vista are not supported.
 30 MB disk space, 60 MB during installation.
 Microsoft Internet Explorer 6-9, Chrome 11+, or Firefox to create or use Password Manager
personal logons (1) or to use managed logons (2).
 Microsoft Internet Explorer 6-9 to create managed logons by using Password Manager Pro (2).

(1) Personal logons allow users to create an automated logon to programs, websites, and network
resources.
(2) Managed logons have the same function but are created by an administrator and deployed to users.

15.5 Overview of installing the DigitalPersona fingerprint reader software

Note: Install the DigitalPersona fingerprint reader software before installing antivirus software,
such as Kaspersky, on the system.

The following steps provide an overview of installing the DigitalPersona fingerprint reader
software. Refer to the specific topics for detailed instructions.

1. Configure the domain server:


a) Extend the Active Directory schema (see page 87).
b) Configure each domain where you plan to install DigitalPersona Pro Server (see page
89).
c) Install the DigitalPersona Pro Server software on your Domain Controller (see page 90).
d) Install the Administration tools on the Domain Controller (see page 93).


e) Configure the group policy for the Domain Controller (see page 93).
f) Configure the group policy for users and workstations (see page 98).
g) Configure a shared workstation or kiosk (optional) (see page 105).
2. Install the License Activation Manager (see page 105).
3. Activate licenses for DigitalPersona Enterprise Server (see page 106).
4. Install the DigitalPersona Pro workstation software on each workstation (see page 107) where
you want to use a fingerprint reader.
5. Install the VeriSign Primary PCA Root Certificate if it is not present on a workstation (see
page 108). The workstation installation in step 4 fails without this certificate, so check for it
on each workstation before you start that installation.

Note: You do not need to install any software on redundant Domain Controllers.

15.5.1 To extend the Active Directory schema

Use the following steps to extend the Active Directory schema:

1. Insert the DigitalPersona Pro Server software CD into your primary Domain Controller.
2. Open the CD and navigate to the Schema Extension folder as follows:
... \ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Schema Extension
3. Double-click DPSchemaExt.exe. The Active Directory Schema Extension Wizard appears.
Click Next on the Welcome page.

Figure 52: DigitalPersona Pro for Active Directory Schema Extension Wizard


4. The License Agreement page appears. Select the I accept the license agreement check
box and click Next.
5. The Confirmation page appears. Select the I accept that the Active Directory Schema will
be modified check box and click Next.

Figure 53: Active Directory Schema Extension Wizard confirmation page

6. Specify a file location and name for the log file generated by the Schema Extension Wizard in
the Save Log File As dialog box. Then, click Save.

Note: If the schema is not writable, a message appears and you are prompted to make it writable.
Click Yes to make the schema writable and perform the schema extension. Extending the schema
requires an account that is a member of the Schema Admins group, and the change is written on the
domain controller that holds the Schema Master role.

7. Click Next.
8. When the schema extension is complete, click Finish. You have now set the Active Directory
schema, which stores and organizes the security settings for your workgroup.

Note: If you have a backup Domain Controller, Emerson recommends that you wait 90 minutes
after setting the Active Directory schema to allow Active Directory replication before proceeding.


15.5.2 To configure each domain

CAUTION! Run this wizard only once on each domain where you want to install the Pro Server
software. Running it more than once corrupts the server data and makes all Pro Servers in the
domain unusable. If you are installing multiple Pro Servers, run the wizard only once during any
replication period, and allow replication to complete fully before running the wizard on the next
domain.

Use the following steps to configure the Active Directory domain where you plan to install
DigitalPersona Pro Server:

1. From your primary Domain Controller, insert the DigitalPersona Pro Server software CD.
2. Open the CD and navigate to the Domain Configuration folder as follows:
... \ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Domain
Configuration
3. Double-click DPDomainConfig.exe. The Domain Configuration Wizard appears. Click Next
on the Welcome page.

Figure 54: DigitalPersona Pro Domain Configuration Wizard

4. The License Agreement page appears. Select the I accept the license agreement check
box and click Next.
5. Select the I accept that the domain will be configured check box and click Next.
6. Specify a file location and name for the log file, generated by the Domain Configuration
Wizard, in the Save Log File As dialog box. Then, click Save.
7. The Configuring the Domain page appears. Click Next.
8. When the configuration is complete, click Finish. You have now configured a domain. You
must follow this configuration task for each domain where you want to install the
DigitalPersona Pro Server software.
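Before running DPDomainConfig.exe, a practitioner wants evidence that the schema extension from 15.5.1 has actually replicated to every domain controller, rather than relying on the 90-minute wait alone. The following PowerShell script is an added example and is not part of the Emerson or DigitalPersona documentation. It uses repadmin, which is present on any domain controller, and assumes you record the time at which DPSchemaExt.exe reported completion in $SchemaExtendedAt.

```powershell
# Added example (not part of the Emerson/DigitalPersona documentation).
# Run on a domain controller before DPDomainConfig.exe. Confirms that every
# replication partner link for the Schema naming context has succeeded since
# the schema extension and has no outstanding failures.
param(
    # Assumption: set this to the time DPSchemaExt.exe reported completion.
    [datetime]$SchemaExtendedAt = (Get-Date).AddMinutes(-90)
)

# CN=Schema,CN=Configuration,DC=... for this forest.
$schemaNC = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext

# repadmin emits one CSV row per (destination DC, source DC, naming context).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$schemaRows = @($rows | Where-Object { $_.'Naming Context' -eq $schemaNC })
if ($schemaRows.Count -eq 0) {
    throw "repadmin returned no rows for $schemaNC; check rights and connectivity to the DCs."
}

$problems = foreach ($r in $schemaRows) {
    $link = "{0} <- {1}" -f $r.'Destination DSA', $r.'Source DSA'
    $lastOk = [datetime]::MinValue
    $parsed = [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)

    if ([int]$r.'Number of Failures' -gt 0) {
        "$link : $($r.'Number of Failures') failure(s), last status $($r.'Last Failure Status')"
    } elseif (-not $parsed -or $lastOk -lt $SchemaExtendedAt) {
        "$link : last successful schema replication '$($r.'Last Success Time')' is not after $SchemaExtendedAt"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Schema replication has not converged; do not run DPDomainConfig.exe yet.'
    exit 1
}
Write-Output ("Schema NC replicated on all {0} partner links since {1}; safe to run DPDomainConfig.exe." -f
    $schemaRows.Count, $SchemaExtendedAt)
```

Run it as a Domain Admin on the domain controller where you will start the Domain Configuration Wizard, for example `.\Test-SchemaReplication.ps1 -SchemaExtendedAt '2016-05-10 14:32'`. A non-zero exit means at least one partner link has not replicated the schema partition since the extension, which is exactly the situation the CAUTION above warns about.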


15.5.3 To install the DigitalPersona Pro Server software on your Domain Controller

Note: The DigitalPersona Pro Server enables you to administer your domain's workstations from
a central location. Steps 1 through 9 of the following procedure ensure that your firewalls do not
block communication between the DigitalPersona Pro server and your workstations.

Use the following steps to install the DigitalPersona Pro Server software on your Domain
Controller:

1. Navigate to Windows Start -> Settings -> Control panel -> Windows Firewall.
2. The Windows Firewall window appears. Select the Allow a program or feature through
Windows Firewall option.

Figure 55: Windows Firewall window


3. The Allow programs to communicate through Windows Firewall window appears. Click Allow
another program.

Figure 56: Allow programs to communicate through Windows Firewall window

4. The Add a Program dialog box appears. Click Browse.

Figure 57: Add a Program dialog box

5. Navigate to the DigitalPersona Bin directory (typically, C:\Program Files\DigitalPersona\bin).
6. Select DPHostS.exe and click Open.


7. The DigitalPersona application appears in the Add a Program dialog box. Click Add.
8. The DigitalPersona application appears in the Allow programs to communicate through
Windows Firewall window. Click OK to return to the Windows Firewall window.
9. Exit the window.
10. From the DigitalPersona Pro Server software CD, navigate to the Pro Enterprise Server
folder as follows:
... \ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server
11. Double-click Setup.exe.
12. The DigitalPersona Pro Server Installation Wizard appears. Click Next on the Welcome page.

Figure 58: DigitalPersona Pro Server Installation Wizard

13. On the License Agreement page, select the I accept the license agreement check box and
click Next.
14. Specify the folder where you want to install the DigitalPersona Pro Server software.
OR
Select the default location, which is C:\Program Files\DigitalPersona\.
15. Click Next.
16. Click Install. The wizard installs the Pro Server software.
17. Click Finish.
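Steps 1 through 9 above allow DPHostS.exe through Windows Firewall from any source address. The following PowerShell/netsh commands are an added example, not from the Emerson or DigitalPersona documentation; they create the same program rule but restrict it to the domain profile and to an assumed Ovation workstation subnet (10.20.30.0/24), then display the rule so its scope can be confirmed. The program path is the default from step 5.

```powershell
# Added example (not part of the Emerson/DigitalPersona documentation).
# Scoped replacement for the GUI "Allow a program" rule: inbound to DPHostS.exe
# only on the domain profile and only from the workstation subnet.
$program  = 'C:\Program Files\DigitalPersona\bin\DPHostS.exe'   # default path from step 5
$ruleName = 'DigitalPersona Pro Server - DPHostS'
$clients  = '10.20.30.0/24'   # assumption: replace with your Ovation workstation subnet(s), comma separated

if (-not (Test-Path $program)) {
    throw "DPHostS.exe not found at $program; install the Pro Server first or correct the path."
}

# Delete any earlier copy so the script is idempotent, then add the scoped rule.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow enable=yes `
    profile=domain program="$program" remoteip=$clients `
    description="Inbound to DigitalPersona Pro Server from the Ovation workstation subnet only"

# Print the rule as Windows stored it so RemoteIP and Profiles can be checked.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

Run from an elevated PowerShell prompt on the Domain Controller after step 9 (or instead of steps 1 through 9). In the `show rule` output, confirm that `Profiles` reads `Domain` and `RemoteIP` lists only your workstation subnet; a rule that shows `Any` for `RemoteIP` is what the GUI procedure produces.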


15.5.4 To install the administration tools on the Domain Controller

When you install the administration tools on the Domain Controller, you add the group policy
objects and extend the Active Directory Users and Computers interface. You must install the
administration tools on every Domain Controller that has the DigitalPersona software installed.
If you administer Active Directory from a workstation, install the tools on that workstation as
well.

Use the following steps to install the administration tools on the Domain Controller:

1. Insert the DigitalPersona Pro Server software CD into your primary Domain Controller.
2. Open the CD and navigate to the Pro Administration Tools folder as follows:
... \ProEnterpriseAuthentication5.5.0\Server\Administration\Pro Administration Tools
3. Double-click Setup.exe.
4. The Setup wizard appears. Click Next on the Welcome page.
5. The License Agreement page appears. Select the I accept the license agreement check
box and click Next.
6. Proceed through the wizard pages by accepting the default settings and clicking Next.
7. Click Finish when the installation completes.

15.5.5 To configure a group policy for Domain Controllers

Use the following steps to configure a group policy for Domain Controllers:

1. Navigate to Start -> Programs -> Group Policy Management. The Group Policy
Management window appears:

Figure 59: Group Policy Management window


2. In the left pane, right-click Domain Controllers and click Create and Link a GPO Here.

Figure 60: Domain Controllers right-click menu

3. The New GPO dialog box appears:

Figure 61: New GPO dialog box

4. In the New GPO dialog box, enter the name for the new group policy, for example, DP Server
Policy. Click OK.


5. Return to the Group Policy Management window. Select the new group policy in the tree,
right-click, and select Edit. The Group Policy Management Editor window appears:

Figure 62: Group Policy Management Editor window

6. The following scenarios are possible:


 If you have the Windows 2008 operating system, no templates are required. Go to step 7.
 If you have configured a Central Store for your group policies in the Active Directory, you
may need to copy the ADMX files to your store location. The ADMX files are located at
the following path:
\ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Server Tools\Policy
Templates


 If you have the Windows 2003 operating system, add a template from the DigitalPersona
Pro Server by using the following steps and then go to step 7:
 In the left pane of the Group Policy Management Editor window, navigate to
Computer Configuration -> Administrative Templates.
 Right-click Administrative Templates and click Add/Remove Templates.

Figure 63: Add/Remove Templates option

 Click Add and add all templates from the following path:
\ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Server
Tools\Policy Templates\en-US
7. Once the template is added, navigate to Computer Configuration -> Policies ->
Administrative Templates -> DigitalPersona Pro Enterprise Server.

Figure 64: DigitalPersona Pro Enterprise Server folder

8. Click Pro Enterprise Server DNS and configure by accepting default values, as shown in the
following figure.

Figure 65: Pro Enterprise Server DNS settings


9. Click Event logging and configure by accepting default values, as shown in the following
figure.

Figure 66: Event logging settings

10. Click Authentication Devices and configure by accepting default values, as shown in the
following figure.

Figure 67: Authentication Devices settings

Note: You do not need to configure the fingerprint verification lockout policies.

Figure 68: Fingerprint verification lockout policies -- not to configure


11. Click Identification Server settings and select the Enabled option for Perform fingerprint
identification on server.

Figure 69: Identification Server settings

15.5.6 To configure group policy for users and workstations

Use the following steps to configure a group policy for users and workstations:

1. Navigate to Start -> Programs -> Group Policy Management. The Group Policy
Management window appears:

Figure 70: Group Policy Management window

2. Right-click your top-level domain and click Create and Link a GPO Here.

Note: In this example the policy is created at the top of the domain tree so that it affects all
users and computers. It takes effect only on workstations where the DigitalPersona software is
installed. In a production environment, link the policy to the organizational units that contain
the DigitalPersona workstations and users rather than to the domain root.


3. The New GPO dialog box appears. Enter a name for the new group policy, for example, DP
Workstation Policy, in the Name entry field. Click OK.

Figure 71: New GPO dialog box

4. The policy appears in the left pane of the Group Policy Management window.

Figure 72: DP Workstation Policy

5. Right-click the newly created policy and click Edit. The Group Policy Management Editor
window appears:

Figure 73: Group Policy Management Editor window


6. The following scenarios are possible:


 If you have the Windows 2008 operating system, no templates are required. Go to step 7.
 If you have configured Central Store for your group policies in the Active Directory, you
may need to copy the ADMX files to your store location. The ADMX files are located at
the following path:
\ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Server Tools\Policy
Templates
 If you have the Windows 2003 operating system, add a template from the DigitalPersona
Pro Server by using the following steps and then go to step 7:
 In the left pane of the Group Policy Management Editor window, navigate to
Computer Configuration -> Administrative Templates.
 Right-click Administrative Templates and click Add/Remove Templates.

Figure 74: Add/Remove Templates option

 Click Add and add all templates located at the following path:
\ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Server
Tools\Policy Templates\en-US
7. Once the template is added, navigate to Computer Configuration -> DigitalPersona Pro
Client -> Authentication Devices -> Fingerprints and enable all policies. Accept all the
default values.

Figure 75: Fingerprint settings


8. Configure Event logging as shown in the following figure.

Figure 76: Event logging settings

9. Configure Allow Pro client to use Pro Server Properties under DigitalPersona Pro Client
-> General Administration, as shown in the following figure.

Figure 77: Allow Pro client to use Pro Server settings


10. (Optional) If you want to be able to register Self Password Recovery questions, enable the
group policy found under Security -> Settings.

Figure 78: Self Password Recovery settings

11. Expand the User Configuration option of the policy and select Digital Persona Pro Client.
12. Configure Managed applications:
a) For Managed logon, define a folder for the storage of application templates when you
configure Password Manager Pro. Ensure that the path is in the form of your domain
name and not the name of the particular Domain Controller.
b) Enable the policy Allow creation of Personal Logons. This policy allows you to create
personal, local-only templates for applications. These templates are only available to the
user that created them and are stored locally on their workstation. Once in a production
environment, disable this policy so that only centrally managed templates are allowed.

Figure 79: Managed applications settings


13. To configure the access and enrollment of credentials, navigate to Computer Configuration
-> Policies -> Software Settings -> DigitalPersona Pro Client -> Security ->
Authentication. You will see the following three policies:
 Logon Authentication Policy: This policy affects how users can log on to their
workstations and then add a fingerprint, password, or card, if appropriate. You can enable
two-factor authentication, but be aware that you must first register the users with the
credentials they need to log on.
 Session Authentication Policy: This policy is identical to the Logon Authentication
policy, but it affects how users can log on to their applications.
 Kiosk Session Authentication Policy: This policy affects how kiosk users log on to their
applications.

Figure 80: Authentication policies

You should allow password, fingerprint, or card as the top-level domain policy so as not to
restrict users. These policies only take effect if you have the workstation software installed
(see page 107). It does not affect any other workstations.

Figure 81: Logon Authentication Policy settings


Figure 82: Session Authentication Policy settings

14. Under the Enrollment folder, configure the credentials that the users can enroll themselves.

Figure 83: Self Enrollment Policy settings
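Steps 1 through 6 of this procedure and of 15.5.5 populate the Central Store with the DigitalPersona templates and create and link the two GPOs. The following PowerShell script is an added example, not part of the Emerson or DigitalPersona documentation, that performs those steps in a repeatable way. It assumes the server CD is mounted at D:, that the templates are laid out as .admx files at the root of the Policy Templates folder with .adml files under en-US (the layout the Central Store requires), and that the workstation policy is linked to an organizational unit named Ovation Workstations, per the note in step 2, rather than to the domain root. The DigitalPersona settings in steps 7 and later are still configured in the Group Policy Management Editor.

```powershell
# Added example (not part of the Emerson/DigitalPersona documentation).
# Populates the Group Policy Central Store with the DigitalPersona templates
# and creates/links the two GPOs used in 15.5.5 and 15.5.6. Requires the
# GroupPolicy and ActiveDirectory modules (RSAT or a 2008 R2+ domain controller).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$fqdn     = $domain.DNSRoot
$domainDN = $domain.DistinguishedName

# Assumption: CD mounted at D:, .admx files at the folder root, .adml files under en-US.
$templates = 'D:\ProEnterpriseAuthentication5.5.0\Server\Pro Enterprise Server\Server Tools\Policy Templates'
$central   = "\\$fqdn\SYSVOL\$fqdn\Policies\PolicyDefinitions"

New-Item -ItemType Directory -Path "$central\en-US" -Force | Out-Null
Copy-Item -Path "$templates\*.admx"       -Destination $central         -Force
Copy-Item -Path "$templates\en-US\*.adml" -Destination "$central\en-US" -Force

function New-LinkedGpo {
    param([string]$Name, [string]$TargetDN)
    $gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $Name }
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'DigitalPersona Pro 5.5' }
    # Link only once so the script can be rerun safely.
    $alreadyLinked = (Get-GPInheritance -Target $TargetDN).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) { New-GPLink -Name $Name -Target $TargetDN -LinkEnabled Yes | Out-Null }
    return $gpo
}

$dcOU = "OU=Domain Controllers,$domainDN"
$wsOU = "OU=Ovation Workstations,$domainDN"   # assumption: the OU holding the DigitalPersona workstations

New-LinkedGpo -Name 'DP Server Policy'      -TargetDN $dcOU | Out-Null
New-LinkedGpo -Name 'DP Workstation Policy' -TargetDN $wsOU | Out-Null

# Confirm the links and that inheritance is not blocked on either OU.
foreach ($ou in $dcOU, $wsOU) {
    $inh = Get-GPInheritance -Target $ou
    "{0}: inheritance blocked={1}; links={2}" -f $ou, $inh.GpoInheritanceBlocked,
        (($inh.GpoLinks | ForEach-Object { $_.DisplayName }) -join ', ')
}
```

After the script runs, the two policies appear in the Group Policy Management tree exactly as in Figures 61 and 72, and the DigitalPersona Pro folders under Administrative Templates are populated from the Central Store on every machine that edits policy, so the per-console template import in step 6 is no longer needed on Windows 2008 editors.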


15.5.7 To configure a shared workstation or kiosk (optional)

Use the following steps to configure a shared workstation or kiosk:

1. Create a user account in Active Directory Users and Computers. This account would be the
one that will log on to the shared computer.
2. On the workstation group policy that you created (see page 98):
a) Navigate to Computer Configuration -> Software Settings -> DigitalPersona Pro
Client -> Kiosk Administration, and open Kiosk Workstation Shared Account
Settings.
b) Enter the user name, domain name, and password for the shared account. Grant this account
only the rights the kiosk session needs: its credentials are held in the GPO, which every
authenticated domain member can read.

Figure 84: Kiosk workstation settings

15.5.8 To install the License Activation Manager

Before you install DigitalPersona User Licenses, the DigitalPersona Pro Server software and
DigitalPersona License Activation Manager must be installed. The DigitalPersona License
Activation Manager is used to activate licenses for DigitalPersona Pro Enterprise Server,
Enterprise Packages, and Pro Enterprise clients, for versions 5.2 and above.

Use the following steps to install the License Activation Manager:

1. Navigate to Pro Enterprise Server\Pro Administration Tools, and run setup.exe.


2. Select Complete or Custom installation. To install only the License Activation Manager, select
Custom and deselect all other administration tools.
3. Click Next, and then click Install. Follow the onscreen instructions to complete the
installation.


15.5.9 To activate licenses for DigitalPersona Enterprise Server

Use the following steps to configure licensing for DigitalPersona Enterprise Server:

Note: The Domain Controller must be able to reach the Internet while performing this task. Allow
that access only for the duration of the activation and remove it afterward.

1. Open the Domain Controller group policy (see page 93) in the Group Policy Management
Editor.
2. In the Group Policy Management Editor, navigate to Computer Configuration -> Policies ->
Software Settings -> DigitalPersona Pro Enterprise Server -> Licenses.
3. Right-click Licenses and click Add license.

Figure 85: Adding a license

4. The DigitalPersona Activation wizard appears. Click Next on the Welcome page.
5. Select the option I want to activate the software over the internet. Click Next.

Figure 86: DigitalPersona Activation Wizard


6. Browse to the license activation file, Pro Enterprise Authentication Solution.dplc, provided
with your purchase. Enter the file and the password on the page shown below. Click Next.

Figure 87: Adding the license activation file

7. Upon successful activation, a confirmation dialog box appears. Once the license is installed,
you can double-click it to see the number of available and used licenses.

Figure 88: License properties

15.5.10 To install the DigitalPersona workstation software

Note: For a successful installation, you must have a VeriSign Primary PCA Root Certificate (G5)
on your system. If you do not have this certificate, the installation fails. See To install the
VeriSign Primary PCA Root Certificate (see page 108) to install the certificate.

Use the following steps to install the DigitalPersona workstation software:

1. From a workstation, navigate to the root of the DigitalPersona Pro workstation software CD
and double-click Setup.exe.
2. The Workstation InstallShield Wizard appears. Click Next on the Welcome page.
3. Select the product to install. You can install only one of the following products:
 DigitalPersona Pro Workstation for Enterprise
 DigitalPersona Pro Kiosk for Enterprise


4. If you need to install third-party drivers for fingerprint or card readers, click Third Party
Drivers and select the appropriate drivers for your hardware and operating system.
5. On the confirmation screen, you will see a list of items to be installed. Click Install to begin
the installation.
6. After installation is finished, you will need to restart the computer. After the restart, installation
of any third-party drivers will be started automatically.

15.5.11 To install the VeriSign Primary PCA Root Certificate

Note: This procedure is only required if the DigitalPersona Pro workstation software fails to
install due to the following error.

Figure 89: Error in installation of the workstation software

Use the following steps to install the VeriSign Primary PCA Root Certificate:

1. Go to http://www.verisign.com/support/roots.html and click the Download a root package link.
2. Unzip the downloaded file and open the Generation 5 (G5) PCA folder.
3. Launch the file VeriSign Class 3 Public Primary Certification Authority - G5.cer.
4. Select Install Certificate.
5. In the Certificate Import Wizard, select Place all certificates in the following store, and
browse to the Trusted Root Certification Authorities store.
6. Click Next and then click Finish.

15.6 Adding fingerprints

To add your fingerprint, perform the following steps on your primary Domain Controller or domain
server:

1. Navigate to Start -> Programs -> Group Policy Management. The Group Policy
Management window appears:

Figure 90: Group Policy Management window

2. In the left pane of the Group Policy Management window, navigate to Forest -> Domains ->
<domain_name> -> Group Policy Objects -> <group_policy>.
3. Right-click the group policy that you created for the Domain Controller, and click Edit. The
Group Policy Management Editor window appears.
4. In the left pane of the Group Policy Management Editor window, navigate to Computer
Configuration -> Policies -> Software Settings -> DigitalPersona Pro Workstation
Enterprise Server -> Security -> Authentication.
5. Right-click Logon Authentication Policy and click Properties. Edit the existing login
credentials to accept both Windows password and fingerprint.
6. Right-click Session Authentication Policy and click Properties. Edit the existing login
credentials to accept both Windows password and fingerprint.

In addition, perform the following steps on the workstation:

1. Log on to a workstation by using only the Windows password.
2. On the workstation, open the command prompt window and type the following command:
gpupdate /force
This command forces the group policies to update.
3. Open the DigitalPersona software. From the home menu, click Manage Devices and then
click Configure the use of the fingerprint reader.

15.7 Uninstalling the DigitalPersona Pro fingerprint reader software

To completely uninstall DigitalPersona Pro fingerprint reader software, perform the following
steps:

1. Uninstall the DigitalPersona Pro server software (see page 110).
2. Run the DigitalPersona Pro cleanup wizard (see page 110).
3. Uninstall the DigitalPersona Pro workstation software from each workstation (see page 111).

15.7.1 To uninstall the DigitalPersona Pro Server software

Use the following steps to uninstall the DigitalPersona Pro Server software:

1. Ensure that you have administrator privileges.
2. Navigate to the Windows Start -> Settings -> Control Panel -> Add/Remove Programs.
3. Select DigitalPersona Pro Server for Active Directory version x. The server software, the
published information, and the DNS Service Resource Records (SRV RRs) are removed.
However, user data, such as fingerprint credentials and secure application data, and global
domain data are not deleted until you run the cleanup wizard (see page 110).

15.7.2 To run the DigitalPersona Pro cleanup wizard

Note: The Windows Add/Remove Programs function only removes the DigitalPersona software.
The secure user data, such as fingerprint credentials, and the global domain data remain in
Active Directory. To remove this data, you must use the DigitalPersona Pro cleanup wizard. This
cleanup wizard provides full cleanup of all DigitalPersona data. Do not use the cleanup wizard if
you only want to delete information for a single user or group.

Use the following steps to run the DigitalPersona Pro cleanup wizard for removing the secure
user data and global domain data:

1. Insert the DigitalPersona Pro Server installation CD into your server machine.
2. Navigate to the Administration Tools folder.
3. Navigate to the AD Clean Up folder.
4. Double-click DPCleanup.exe to launch the cleanup wizard.
5. When prompted to choose which type of cleanup you want to perform, select one of the
following options:
 Delete DigitalPersona Pro user data only: This option removes all DigitalPersona data
that is associated with domain users, including fingerprint credentials and secure
application data.
 Clean up all DigitalPersona Pro data: This option removes all the data described
above, as well as global data.
6. Click Next.

7. Select a file location and file name for the log file that is generated during the data removal
process. The wizard removes the specified data from your system.

Note: You must manually remove any DigitalPersona Group Policy Objects. The wizard does
not remove them. If you plan to reinstall DigitalPersona software after using the cleanup wizard,
ensure that you have allowed sufficient time for Active Directory to update itself before
proceeding with your installation.

8. Restart the workstation.

15.7.3 To uninstall the DigitalPersona Pro workstation software from each workstation

Use the following steps to uninstall the DigitalPersona Pro workstation software from each
workstation:

1. Ensure that you have administrator privileges on the workstation.
2. Navigate to the Windows Start -> Settings -> Control Panel -> Add/Remove Programs.
3. Select DigitalPersona Pro Workstation for Active Directory version x. The server
software, the published information, and the DNS SRV RRs are removed.
4. After Windows finishes removing the program, restart the workstation.

SECTION 16

16 RADIUS Server

IN THIS SECTION

What is a RADIUS server? ........................................................ 113
Installing a RADIUS server ...................................................... 113
To access the Network Policy Server (NPS) window ................................ 115
Configuring a RADIUS server ..................................................... 116

16.1 What is a RADIUS server?

Remote Authentication Dial In User Service (RADIUS) is a client-server protocol and software
program that enables remote access clients to communicate with a central server to authenticate
dial-in users and authorize their access to the requested system or service. In Windows Server
2012, Network Policy Server (NPS) is the Microsoft implementation of the RADIUS server.

16.2 Installing a RADIUS server

NPS (RADIUS server) is automatically installed during the Ovation 3.5 (or later) installation on the
Primary Domain Controller. Refer to the Ovation Software Installation Manual for information on
Ovation installation procedures.

The following NPS installation steps are not automated and MUST be performed manually after
the Ovation 3.5 (or later) installation on the Primary Domain Controller is complete:

1. Access the Server Manager by clicking the Server Manager icon on the desktop taskbar. If
the Server Manager is not currently displayed, go to Start -> Server Manager.

2. From the Tools menu, click Network Policy Server.

Figure 91: Server Manager window

3. The Network Policy Server window appears. From the left pane, right-click NPS (Local) and
click Register server in Active Directory.

Figure 92: Network Policy Server window

4. A message 'To enable NPS to authenticate users in Active Directory' appears. Click OK to
continue.

16.3 To access the Network Policy Server (NPS) window

Use the following steps to access the Network Policy Server window:

1. Access the Server Manager by clicking the Server Manager icon on the desktop taskbar. If
the Server Manager is not currently displayed, go to Start -> Server Manager.
2. From the Tools menu, click Network Policy Server.

Figure 93: Server Manager window

3. The Network Policy Server window appears:

Figure 94: Network Policy Server window

16.4 Configuring a RADIUS server

After installation, the NPS (RADIUS server) requires some additional configuration. These
additions allow NPS to:
 Process connection requests from RADIUS clients, such as Controllers, routers, and so forth.
 Perform authentication and authorization against the Active Directory accounts.

By default, the NPS installation creates the following policies:
 A Connection Request Policy: Use Windows authentication for all users.
 Two Network Policies: Connections to Microsoft Routing and Remote Access server and
Connections to other access servers.

However, these default policies will not meet your requirements. Therefore, you must delete or
disable these policies (see page 117). This ensures that no conflict occurs while creating new
policies.

To make the proper changes, you must configure the following:

 Connection Request Policies: These policies are the conditions and settings that allow
administrators to specify where and how the incoming connection requests from RADIUS
clients must be processed. For example, this determines whether the connection request from
a RADIUS client must be processed locally or forwarded to a remote RADIUS server.
 Network Policies: These policies are the conditions, constraints, and settings that allow
administrators to designate who is authorized to connect and the circumstances under which
they can or cannot connect.
 RADIUS Clients: These clients allow the administrators to designate a set of network
devices, such as Controllers, routers, and so forth, whose connection requests must be
processed by the RADIUS server.

To successfully configure the NPS as a RADIUS server that can accept, authenticate, and
authorize the connection requests from RADIUS clients, you must create at least one Connection
Request Policy for authentication (see page 119), one Network Policy for authorization (see page
131), and add all the Controllers to the list of RADIUS Clients (see page 142).

16.4.1 To disable or delete the default policies

Use the following steps to disable or delete the default policies that are created after NPS
installation:

1. Access the Network Policy Server (NPS) window (see page 115).
2. From the left pane of the NPS window:
a) Select the Connection Request Policies folder.
b) In the right pane, notice that the status of the default policy "Use Windows authentication
for all users" is Enabled.
c) Right-click the policy and click Disable or Delete to disable or delete the default policy,
respectively. The following figure shows the selection of the Disable option.

Figure 95: NPS window -- status of default Connection Request policy

3. The NPS window displays the status of the default Connection Request policy as Disabled, if
you selected the Disable option in Step 2 (see the following figure). If you selected the Delete
option, the policy is removed and does not appear on the window.

Figure 96: NPS window -- default Connection Request policy is disabled

4. Similarly, you can select the Network Policies folder and disable or delete the default
Network policies. If you delete the policies, they are removed and do not appear on the
window. The following figure displays the disabled network policies.

Figure 97: NPS window -- default Network policies are disabled

16.4.2 To create a Connection Request policy

A Connection Request policy allows the RADIUS server running locally to process the connection
requests from RADIUS clients and authenticate the credentials against the Active Directory user
accounts.

Use the following steps to create a new Connection policy:

1. Access the Network Policy Server (NPS) window (see page 115).
2. In the left pane of the NPS window, navigate to:
NPS (Local) -> Policies
3. Select the Connection Request Policies folder. Disable or delete the default policy (see
page 117).

4. From the left pane of the NPS window, right-click the Connection Request Policies folder
and click New to create a new Connection Request policy.

Figure 98: NPS window -- creating a new Connection Request policy

5. The New Connection Request Policy wizard appears with the Specify Connection Request
Policy Name and Connection Type page.
a) In the Policy name box, enter a name for the connection request policy.
b) In the Network connection method section, ensure that Unspecified is selected from the
Type of network access server list.
c) Click Next to continue.

Figure 99: New Connection Request Policy wizard -- Specify Connection Request Policy
Name and Connection Type page

6. The Specify Conditions page appears. On this page, click Add to add a condition.

Figure 100: Specify Conditions page

7. The Select condition dialog box appears.
a) Select the Day and Time Restrictions option.
b) Click Add.

Figure 101: Select condition dialog box

8. The Day and time restrictions dialog box appears.
a) Select the Permitted option.
b) Click OK.

Figure 102: Day and time restrictions dialog box

9. Return to the Specify Conditions page. The page displays the condition that you specified.
Click Next to continue.

Figure 103: Specify Conditions page -- condition specified

10. The Specify Connection Request Forwarding page appears.
a) Ensure that the Authenticate requests on this server option is selected.
b) Click Next to continue.

Figure 104: Specify Connection Request Forwarding page

11. The Specify Authentication Methods page appears.
a) Ensure that the Override network policy authentication settings option is NOT
selected.
b) Click Next to continue.

Figure 105: Specify Authentication Methods page

12. The Configure Settings page appears:
a) In the left pane, under RADIUS Attributes, select Standard.
b) Click Add to add the RADIUS attributes.

Figure 106: Configure Settings page

13. The Add Standard RADIUS Attribute dialog box appears.
a) Ensure that the All option is selected in the Access type list.
b) Select the Framed-Protocol attribute from the Attributes box.
c) Click Add.

Figure 107: Add Standard RADIUS Attribute dialog box

14. The Attribute Information dialog box appears.
a) Select PPP as the Attribute Value from the Commonly used for Dial-Up or VPN list.
b) Click OK.

Figure 108: Attribute Information dialog box

15. The Add Standard RADIUS Attribute dialog box reappears.
a) Ensure that the All option is selected in the Access type list.
b) Select the Service-Type attribute from the Attributes box.
c) Click Add to add another attribute.

Figure 109: Add Standard RADIUS Attribute dialog box

16. The Attribute Information dialog box appears.
a) Select Framed as the Attribute Value from the Commonly used for Dial-Up or VPN list.
b) Click OK.

Figure 110: Attribute Information dialog box

17. Return to the Add Standard RADIUS Attribute dialog box. Click Close.

Figure 111: Add Standard RADIUS Attribute dialog box -- Close

18. Return to the Configure Settings page. Notice the added attributes and their values, as shown
in the following figure. Click Next to continue.

Figure 112: Configure Settings page -- attributes added

19. The Completing Connection Request Policy Wizard page appears. Click Finish to complete
the Connection Request Policy wizard.

Figure 113: New Connection Request Policy wizard -- Completing Connection Request
Policy Wizard page

20. Return to the NPS window. The window displays the newly created Connection Request
policy.

Figure 114: NPS window -- new Connection Request policy created

16.4.3 To create a Network policy

A Network policy allows password-based authorization by using Active Directory user accounts.

Use the following steps to create a new Network policy:

1. Access the Network Policy Server (NPS) window (see page 115).
2. In the left pane of the NPS window, navigate to:
NPS (Local) -> Policies
3. Select the Network Policies folder. Disable or delete the default policy (see page 117).

4. From the left pane of the NPS window, right-click the Network Policies folder and click New
to create a new Network policy.

Figure 115: NPS window -- creating a new Network policy

5. The New Network Policy wizard appears with the Specify Network Policy Name and
Connection Type page.
a) In the Policy name field, enter a name for the network policy.
b) In the Network connection method section, ensure that Unspecified is selected from the
Type of network access server list.
c) Click Next to continue.

Figure 116: New Network Policy wizard -- Specify Network Policy Name and Connection
Type page

6. The Specify Conditions page appears. Click Add to add a condition.

Figure 117: Specify Conditions page

7. The Select condition dialog box appears.
a) Select the User Groups option.
b) Click Add.

Figure 118: Select condition dialog box

8. The User Groups dialog box appears. Click Add Groups to add a user group.

Figure 119: User Groups dialog box

9. The Select Group dialog box appears.
a) Add the Ovation Admins group.
b) Click OK.

Figure 120: Select Group dialog box

10. The User Groups dialog box appears with the selected group. Click OK.

Figure 121: User Groups dialog box

11. Return to the Specify Conditions page. Notice that the condition is added. Click Next to
continue.

Figure 122: Specify Conditions page -- condition added

12. The Specify Access Permission page appears.
a) Ensure that the Access granted option is selected.
b) Click Next to continue.

Figure 123: Specify Access Permission page

13. The Configure Authentication Methods page appears.
a) Ensure that ONLY the Unencrypted authentication (PAP, SPAP) option is selected. All
other options must be unchecked.
b) Click Next to continue.

Figure 124: Configure Authentication Methods page

14. A warning message appears. Click No to continue.

Figure 125: Warning message

15. The Configure Constraints page appears. Click Next to continue.

Figure 126: Configure Constraints page

16. The Configure Settings page appears.
a) Ensure that the following RADIUS Standard Attributes are added to the Attributes list:
 Framed-Protocol attribute with the value set to PPP.
 Service-Type attribute with the value set to Framed.
b) If these two attributes are not present, add these attributes and values by clicking the
Add button. See To create a Connection Request policy (see page 119) to add these
attributes.
c) Click Next to continue.

Figure 127: Configure Settings page

17. The Completing New Network Policy page appears. Click Finish to complete the New
Network Policy wizard.

Figure 128: New Network Policy wizard -- Completing New Network Policy page

18. Return to the NPS window. The window displays the newly created Network policy.

Figure 129: NPS window -- new Network policy created

16.4.4 To add a Controller as a RADIUS client

Use the following steps to add a Controller as a RADIUS client:

1. Access the Network Policy Server (NPS) window (see page 115).
2. From the left pane of the NPS window:
a) Navigate to:
NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients
b) Right-click the RADIUS Clients folder, and click New to create a new RADIUS client.

Figure 130: NPS window -- creating a new RADIUS client

3. The New RADIUS Client dialog box appears. Enter the following information in this dialog box
and then click OK.
a) Ensure that the Enable this RADIUS client check box is selected.
b) Enter a name that identifies the Controller in the Friendly name box.
c) Enter the IP address of the Controller in the Address (IP or DNS) box. Click Verify to
verify the IP or DNS address.
d) In the Shared Secret section, select the Manual option and then enter the password that
you have assigned to the Controller.

Figure 131: New RADIUS Client dialog box

4. Return to the NPS window. The window displays the new RADIUS client created.

Note: If you have more than one Controller, repeat the above steps to add all the Controllers to
the RADIUS Clients list.

Figure 132: NPS window -- RADIUS clients added
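To make concrete what a Controller and the NPS exchange once the Connection Request policy (see page 119), the PAP-only Network policy (see page 131) and the RADIUS client entry above are in place, the following Python example models one RADIUS Access-Request/Access-Accept round trip as defined in RFC 2865. This is an added example, not Emerson Ovation or Microsoft NPS code: the shared secret, the user account, the password and the NAS address 192.0.2.10 are constructed sample values, and a small dictionary stands in for the Active Directory lookup that NPS performs. It shows why the shared secret entered in step 3d deserves the same care as a password: with PAP the User-Password attribute is hidden only by XOR against MD5 of the secret chained from the Request Authenticator, so the secret is the only thing standing between the wire and the cleartext password. It also shows the client recomputing the Response Authenticator so that an Access-Accept from a host that does not know the secret is not trusted.

```python
"""RADIUS Access-Request / Access-Accept with PAP, per RFC 2865 (added example;
not Ovation or NPS code). Models what a Controller and NPS exchange under the
PAP-only network policy configured above. Secret, user, password and NAS
address are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # attribute types
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
SERVICE_TYPE_FRAMED = 2     # Service-Type = Framed, as set in the network policy
FRAMED_PROTOCOL_PPP = 1     # Framed-Protocol = PPP, as set in the network policy


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16n bytes, XOR each chunk with MD5(secret + previous
    chunk), seeded by the Request Authenticator. Keyed obfuscation, not encryption:
    the shared secret's strength is what protects the password on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def unhide_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_pap_password; the NUL padding is stripped."""
    padded, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        padded, prev = padded + bytes(a ^ b for a, b in zip(chunk, key)), chunk
    return padded.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Decode a TLV list into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Client side: the Access-Request a Controller sends. Returns (packet, request_auth);
    the authenticator must be fresh and unpredictable (os.urandom) in real use."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_pap_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + attribute(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_reply(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: the PAP decision for one request. `users` stands in for the
    Active Directory lookup NPS does. The reply's Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s.3)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = unhide_pap_password(attrs[USER_PASSWORD], secret, request_auth)
    granted = code == ACCESS_REQUEST and hmac.compare_digest(
        users.get(attrs[USER_NAME].decode(), b""), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if granted else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()  # no reply attributes


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator before trusting the verdict,
    so a reply produced by a host without the secret is discarded."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def authenticate(username: str, password: str, secret: bytes, users: dict) -> tuple:
    """One full exchange from a constructed NAS at 192.0.2.10: (reply code, reply authentic)."""
    packet, request_auth = build_access_request(1, username, password, secret, "192.0.2.10")
    reply = server_reply(packet, secret, users)
    return reply[0], verify_reply(reply, request_auth, secret)
```

With users = {"operator1": b"Pa55word!"} and a constructed secret, authenticate("operator1", "Pa55word!", secret, users) returns (2, True), code 2 being Access-Accept; a wrong password or unknown user returns (3, True), an authentic Access-Reject; and verify_reply returns False for any reply whose authenticator was computed with a different secret. The chunked MD5 chaining in hide_pap_password also covers passwords longer than 16 bytes, which is the case the RFC's multi-block description exists for.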

Index

A
Accessing the Ovation Developer Studio • 19
Adding fingerprints • 112
Administrative control (assign) • 72
Administrative control (remove) • 73
Administrator definition • 71
Administrators (managing) • 71

B
Best practices for establishing a secure system • 18

C
Computer account (create) • 35
Computer account (definition) • 33
Computer account (delete) • 36
Computer account (disable/enable) • 36
Computer account (display/edit properties) • 36
Computer accounts (managing) • 33
Configuring a RADIUS server • 118
Configuring security for a domain • 79
Copyright Notice • 2
Creating an account for computer DROP199 • 82
Creating an account for Joe • 82
Creating Ovation role DEMOPC • 81
Creating Ovation role OPERATOR-1 • 80
Creating Ovation role OPERATOR-2 • 81

D
Default domain Controller policies • 69
Default domain policies • 68
DigitalPersona Pro cleanup wizard (to run) • 113
DigitalPersona Pro fingerprint reader • 87
DigitalPersona Pro fingerprint reader (getting started) • 88
DigitalPersona Pro server software (uninstall) • 113
DigitalPersona Pro workstation software (uninstall) • 114
Domain (to configure) • 91
Domain definition • 2
Domain policies (managing) • 67
Domain policies definition • 67
Domain policy (display properties) • 69

E
Engineering role account (display/edit properties) • 48
Engineering security rules • 48
Enter Text Value field • 64
Examples of security configuration • 79
External security (understanding) • 9
External security definition • 9
External security threats • 10
External security threats (guard against) • 11

G
General role account (display/edit properties) • 55
Group policies (managing) • 57
Group policies definition • 57
Group policies (enforcing) • 58
Group policy - Accounts tab (display properties) • 65
Group policy (create) • 59
Group policy (delete) • 60
Group policy (duplicate) • 59
Group policy (policy rules tab) • 60
Group policy (rename) • 60
Group security rules definition • 62

I
Installing a RADIUS server • 115
Internal security (understanding) • 13
Internal security definition • 13
Internal security threats • 13
Internal security threats (guard against) • 13
Introduction to Ovation security • 1

L
Logging in locally to a local network • 83
Logging in locally to a remote network • 83
Logging in locally to a restricted drop • 85
Logging in remotely to a local network • 84
Logging in remotely to a remote network • 84
Logging in remotely to a restricted drop • 85

M
Managing database users • 75
Multi-factor authentication definition • 87

N
Network (create) • 38
Network account (delete) • 39

O
Operator role account (display/edit properties) • 50
Operator security rules • 50
Ovation roles (defining) • 45
Ovation roles (definition) • 43
Ovation roles (managing) • 43
Ovation security (planning) • 15
Ovation security description • 1
Overview of installing the DigitalPersona fingerprint reader software • 88

P
Point security group (edit) • 42
Point security groups (PSG) (managing) • 41
Point security groups definition • 41
Pre-defined Group Policies • 17
Pre-defined Ovation roles • 17
Primary domain controller failure • 3
PSG role account (display/edit properties) • 52

R
RADIUS Server • 115
Role account (create) • 46
Role account (delete) • 47
Role account (display properties) • 54
Role account (duplicate) • 46
Role account (rename) • 47

S
Security (preparing) • 15
Security concerns for process control systems • 4
Security management process • 1
Security Manager (access) • 19
Security Manager (using) • 19
Security Manager definition • 20
Security Manager functions • 21
Security Manager tasks • 20
Security plan (preparing) • 16
Security roles • 3
Security rules • 18
Security services from Emerson • 4
Security standards (setting) • 5
Security terminology • 5
Select Users dialog box • 62
Select Values dialog box • 63

T
To access the Network Policy Server (NPS) window • 117
To activate licenses for DigitalPersona Enterprise Server • 109
To add a Controller as a RADIUS client • 144
To configure a group policy for Domain Controllers • 95
To configure a shared workstation or kiosk (optional) • 108
To configure group policy for users and workstations • 101
To create a Connection Request policy • 121
To create a Network policy • 133
To disable or delete the default policies • 119
To display and edit properties of a group policy (general tab) • 66
To extend the Active Directory schema • 89
To install the administration tools on the Domain Controller • 95
To install the DigitalPersona Pro Server software on your Domain Controller • 92
To install the DigitalPersona workstation software • 110
To install the License Activation Manager • 108
To install the VeriSign Primary PCA Root Certificate • 111
To reset the database user password • 77

U
Uninstalling the DigitalPersona Pro fingerprint reader software • 113
User account (create) • 25
User account (delete) • 27
User account (disable/enable) • 28
User account (display/edit) • 28
User account (rename) • 26
User accounts (managing) • 23
User accounts definition • 23
User password (reset) • 27
Using DigitalPersona Pro 5.5 fingerprint readers • 87

V
Virus protection for Ovation Windows systems • 12

W
What are the Ovation point security group (PSG) rules? • 52
What are the system requirements? • 88
What is a RADIUS server? • 115
What is the Accounts tab? • 53
What is the General tab? • 55
What is the Manage Database Users functionality? • 75
Workgroup security versus domain security • 3
