SECURITY - Controlling Data Access with Web@aGlance
Copyright 2000 e-Mation

Overview – Web Security Issues
§ Publishing process data with a Web Server is a potential security problem, even when restricted to intranets
§ Allows wide access to process data among the plant’s user community
§ General Web security issues:
• User authentication
• Data protection (encryption)
• Access control

Web@aGlance Security
§ 3 aspects of security:
• Authentication
• Access control
• Data protection
§ Web@aGlance uses Web Server and NT security
• No new administration tasks/tools
• Maps the web server security domain to the data server / control system domain

Web Server Security Basics 1
§ Authentication
• Identifies the browser user via a username/password login (once per session)
• 3 levels for the IIS Web Server:
  • Anonymous access (no authentication)
  • Basic Authentication (Netscape and IE browsers)
  • NT Challenge/Response (IE only)
• The browser user is mapped to a local web server NT account

Web Server Security Basics 2
§ Access Control
• For IIS, protection via NTFS permissions
• Can protect directories and individual files
• Dynamic requests (CGI) run in the context of the local login account
§ Data Protection
• Web@aGlance exchanges data over HTTP
• Allows encryption via SSL (Secure Sockets Layer)
• Built-in IIS feature

Web@aGlance Access Control (diagram: Web Browser → Protected Animation Screen on the Web Server → WebAAG CGI → Data Server)
1. The browser fetches the protected animation web page and is required to log in.
2. The animation starts a data request. It can access the protected Automation Server, which runs in the login context as a local user.
3. The CGI connects as a client to the data server. The server checks whether the client has permission to read the specified tags.

Restricting Access by Domain
§ IP address and domain name filtering are available on IIS, but not on Personal Web Server.

IIS Access Control
§ Read? Write? Run scripts? Execute programs?
§ Applies to Everyone: these IIS web permissions apply to every request regardless of which account it runs as; per-user control comes from NTFS permissions.

NTFS Access Control
§ Applies to each file
§ In File Explorer, right-click on C:\Inetpub\wwwroot, then select the Security tab

IIS Authentication
§ Choose a method for access control that is manageable and has adequate security

Authentication for Each Virtual Directory

Data Protection
§ Data can be encrypted between the browser and the Web Server

Controlling Access – A Simple Example
§ Restricting browser access to process data
§ 3 categories of browser users:
• Those allowed to view (read) process data
• Those allowed to view and change data values
• Everyone else, who are allowed to do neither
§ For this example, we wish to give 3 users the following access to data:
• Alice: read-only access
• Bob: read and write access
• Charlie: no access

Example Users (diagram)
§ Alice (read only), Bob (read/write), Charlie (no access) → Web Server → Data Server

Permissions and the CGI
§ To control access to data, you use both built-in features of the Microsoft IIS Web Server and @aGlance server permissions.
§ An @aGlance server can identify the requesting client and determine whether that client has permission to read or write process data. In this case the client task is the Web@aGlance CGI – the Web Server backend process that is run to service a browser request.
§ By default, requests from different browsers run on the server in one guest account. In this case the @aGlance server sees all clients running as the same user, so it cannot apply per-user permissions.

Anonymous Guest Access (diagram)
§ Alice, Bob and Charlie → Web Server → a Guest CGI client for every request → Data Server; each request reaches the data server as the same Guest user

Permissions and Authentication
§ You can turn off anonymous browser access for Web@aGlance and WebOPC.
§ This forces all browser users to log in to an account on the Web Server system. This can be a local account or an account in the same NT domain.
§ In this case the Web CGI process runs from the logged-in account. The @aGlance server can then identify each client user and apply separate permissions.

Authenticated Access (diagram)
§ Alice, Bob and Charlie → Web Server → Alice’s CGI client, Bob’s CGI client, Charlie’s CGI client → Data Server; each request reaches the data server under the browser user’s own account

Demonstration Setup
§ The following demo shows how to control access for the 3 example users to a single Web animation page. The web page reads and writes data to the AAG demo server.
§ Set up:
• Add user accounts on the NT server
• Create an animation web page in a separate folder
• Disable anonymous access to the web page and the CGI
• Enable permissions in the demo server
• Map the user accounts to AAG proxy groups
• Grant permissions to the AAG proxy groups

Add NT User Accounts
§ This is done with the NT User Manager.
§ For this example, add accounts for Alice, Bob and Charlie.

Create an Animation Page
§ A simple animation page with several input controls and one output edit box is created in a separate folder as /protectedaccess/readwrite.html

Disable Anonymous Access – General
§ With IIS or PWS V4, use the Internet Service Manager found in the “Windows NT 4.0 Option Pack / Microsoft Personal Web Server” menu.

Authentication Methods
§ IIS allows 3 types of authentication for browser users:
• Anonymous. No authentication; all users run locally under the IIS guest account. No browser login is required.
• Basic Authentication. Account login is requested with a username/password prompt displayed in the browser. Users run locally in that account. This method works with both Navigator and IE browsers, but the password is exchanged in the clear (only base64-encoded, not encrypted), so on any network that can be sniffed it should be combined with SSL.
• NT Challenge/Response. User login is required. This method works only in IE browsers. The password is not sent across the network; the browser answers a challenge from the server instead. If the browser and server systems are in the same NT domain the user is automatically authenticated – no login prompt is shown.
§ Normally, you would disable only Anonymous access. For this demo, we disable NT Challenge/Response as well, to show the login taking place.

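The three authentication settings above differ in what the HTTP request on the wire reveals. The following Python script is an added example, not part of the original deck or of the Web@aGlance product; it builds three constructed requests to the CGI (the tag name FIC101, the host name "webserver", the account Alice and the password "s3cret" are invented) and classifies each one the way a passive sniffer would: anonymous requests carry no credential, a Basic credential decodes straight to the password, and an NT Challenge/Response (NTLM) token carries only a negotiate or challenge-response message, never the password itself. The NTLM token is a minimal Type 1 message assembled by hand from the documented layout (signature, message type, flags, empty buffers).

```python
import base64
import struct

# Constructed sample requests (not real captures): the same Web@aGlance CGI
# request as a browser would send it under each IIS authentication setting.
REQUEST_LINE = "GET /cgi-bin/aagweb.exe?tag=FIC101 HTTP/1.0\r\nHost: webserver\r\n"

ANON_REQUEST = REQUEST_LINE + "\r\n"

BASIC_REQUEST = (
    REQUEST_LINE
    + "Authorization: Basic " + base64.b64encode(b"Alice:s3cret").decode("ascii")
    + "\r\n\r\n"
)

# Minimal NTLM Type 1 (Negotiate) token: 8-byte signature "NTLMSSP\0",
# little-endian message type 1, negotiate flags (value assumed for the
# example), then empty domain and workstation security buffers.
_NTLM_TYPE1 = (
    b"NTLMSSP\x00"
    + struct.pack("<I", 1)
    + struct.pack("<I", 0x00000207)
    + struct.pack("<HHI", 0, 0, 0)
    + struct.pack("<HHI", 0, 0, 0)
)
NTLM_REQUEST = (
    REQUEST_LINE
    + "Authorization: NTLM " + base64.b64encode(_NTLM_TYPE1).decode("ascii")
    + "\r\n\r\n"
)


def _headers(raw):
    """Parse the header block of a raw HTTP request into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def inspect_auth(raw):
    """Classify the Authorization header of a captured request and report
    whether a passive eavesdropper recovers the password from it."""
    auth = _headers(raw).get("authorization")
    if auth is None:
        return {"scheme": "anonymous", "password_exposed": False}
    scheme, _, token = auth.partition(" ")
    scheme = scheme.lower()
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:
        return {"scheme": scheme, "password_exposed": False, "error": "bad base64"}
    if scheme == "basic":
        # Basic is just "user:password" in base64: the password is on the wire.
        user, _, password = blob.decode("latin-1").partition(":")
        return {"scheme": "basic", "password_exposed": True,
                "user": user, "password": password}
    if scheme == "ntlm":
        if len(blob) < 12 or not blob.startswith(b"NTLMSSP\x00"):
            return {"scheme": "ntlm", "password_exposed": False, "error": "malformed token"}
        # Type 1 = negotiate, 2 = server challenge, 3 = client response;
        # none of them contains the password.
        msg_type = struct.unpack_from("<I", blob, 8)[0]
        return {"scheme": "ntlm", "password_exposed": False, "message_type": msg_type}
    return {"scheme": scheme, "password_exposed": False, "error": "unknown scheme"}


if __name__ == "__main__":
    for name, req in (("anonymous", ANON_REQUEST), ("basic", BASIC_REQUEST), ("ntlm", NTLM_REQUEST)):
        print(name, inspect_auth(req))
```

Running it shows why the deck pairs Basic Authentication with SSL: the Basic request yields Alice’s password directly, while the NTLM token yields only a message type. Note that the script sees only the request, so it cannot tell whether the connection itself was protected by SSL; that has to be checked in the IIS configuration.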
Disable Anonymous Access to the Page
§ Open the default web site and select the folder ‘protectedaccess’.
§ Right-click on the folder and choose ‘Properties’.
§ Select the ‘Directory Security’ tab in the dialog box and click the ‘Edit’ button under ‘Anonymous Access and Authentication Control’.
§ Clear the ‘Allow Anonymous’ and ‘NT Challenge/Response’ checkboxes, leaving ‘Basic Authentication’ enabled.

Disable Anonymous CGI Access
§ Open the default web site and select the CGI file ‘aagweb.exe’ in the ‘CGI-bin’ folder.
§ Right-click on the file and choose ‘Properties’.
§ Select the ‘File Security’ tab in the dialog box and click the ‘Edit’ button under ‘Anonymous Access and Authentication Control’.
§ Clear the ‘Allow Anonymous’ and ‘NT Challenge/Response’ checkboxes.
§ Both the page and the CGI must be protected: if the CGI still accepts anonymous requests, a browser can request data from it directly and bypass the protected page.

Enable Demo Server Permissions
§ Set up the @aGlance Demo Server permissions by editing the file ‘demoserv.ini’ in your AAG directory.
§ Add the following lines to the ‘[Params]’ section:
ReadPermission=DEMO_READ
WritePermission=DEMO_WRITE

Map User Accounts to AAG Proxies
§ @aGlance permissions can be assigned to individual users or to ‘proxy’ users.
§ A proxy is essentially a way of grouping clients as a single local user. You can then assign permissions to this single local user.

Map User Accounts to AAG Proxies (continued)
§ Start the AAG administration tool from the “Web@aGlance Administration” menu. Select the ‘Proxies’ tab.
§ Select the proxy type ‘One User on One Host’.
§ Add 2 proxies:
• User ‘Alice’ on the local host as proxy ‘Reader’
• User ‘Bob’ on the local host as proxy ‘ReaderWriter’

Grant Permissions
§ In the @aGlance Administration tool, select the ‘Permissions’ tab.
§ Choose the permission type ‘Local User’.
§ Add 3 permissions:
• User ‘Reader’ with ‘DEMO_READ’
• User ‘ReaderWriter’ with ‘DEMO_WRITE’
§ Bob’s proxy must end up holding DEMO_READ as well as DEMO_WRITE, since the example gives Bob read and write access. Charlie has no proxy and no permission entry, so he is denied by default.

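To make the two-stage check concrete (the CGI identity established by IIS, then the proxy and permission lookup in the @aGlance server), here is a small Python model of the demo configuration. It is an added example, not code from the original deck or from the Web@aGlance product: the proxy table, the permission table and the ReadPermission/WritePermission names are modelled after the setup steps, but the class and function names, the host name "webserver", and the name "Guest" for the IIS anonymous account are assumptions of this example, and the DEMO_READ grant for Bob’s proxy is added on the assumption that write permission does not imply read. The model covers both the anonymous-guest case and the authenticated case from the earlier diagrams.

```python
from dataclasses import dataclass, field

WEB_SERVER_HOST = "webserver"   # assumed name of the IIS / @aGlance host
GUEST_ACCOUNT = "Guest"         # the single account all anonymous CGI requests run as


@dataclass
class AaGServer:
    """Toy model of an @aGlance server's proxy and permission tables."""
    read_permission: str                        # ReadPermission= in demoserv.ini
    write_permission: str                       # WritePermission= in demoserv.ini
    proxies: dict = field(default_factory=dict)  # (user, host) -> proxy user
    grants: dict = field(default_factory=dict)   # local user -> set of permissions

    def add_proxy(self, user, host, proxy_user):
        """'One User on One Host' proxy: an NT account on a host maps to a proxy user."""
        self.proxies[(user.lower(), host.lower())] = proxy_user

    def grant(self, local_user, permission):
        """'Local User' permission entry."""
        self.grants.setdefault(local_user, set()).add(permission)

    def identify(self, client_user, client_host):
        """Resolve a connecting client to the user the permission check applies to."""
        return self.proxies.get((client_user.lower(), client_host.lower()), client_user)

    def allowed(self, client_user, client_host, op):
        """Does the client hold the permission named for a read or write?"""
        needed = {"read": self.read_permission, "write": self.write_permission}[op]
        return needed in self.grants.get(self.identify(client_user, client_host), set())


def cgi_account(browser_user, anonymous_allowed):
    """Account aagweb.exe runs as when servicing this browser's request:
    the IIS guest account if anonymous access is allowed, else the login."""
    return GUEST_ACCOUNT if anonymous_allowed else browser_user


def demo_server():
    """The demo configuration: two proxies and the permission grants."""
    srv = AaGServer(read_permission="DEMO_READ", write_permission="DEMO_WRITE")
    srv.add_proxy("Alice", WEB_SERVER_HOST, "Reader")
    srv.add_proxy("Bob", WEB_SERVER_HOST, "ReaderWriter")
    srv.grant("Reader", "DEMO_READ")
    srv.grant("ReaderWriter", "DEMO_WRITE")
    srv.grant("ReaderWriter", "DEMO_READ")   # assumed: Bob must also read to view the page
    return srv


def access_matrix(srv, anonymous_allowed, browser_users=("Alice", "Bob", "Charlie")):
    """(can_read, can_write) per browser user, as seen from the data server."""
    result = {}
    for user in browser_users:
        acct = cgi_account(user, anonymous_allowed)
        result[user] = (srv.allowed(acct, WEB_SERVER_HOST, "read"),
                        srv.allowed(acct, WEB_SERVER_HOST, "write"))
    return result


if __name__ == "__main__":
    srv = demo_server()
    print("anonymous allowed :", access_matrix(srv, anonymous_allowed=True))
    print("login required    :", access_matrix(srv, anonymous_allowed=False))
```

With anonymous access allowed, every browser arrives at the data server as Guest, so the matrix is the same for Alice, Bob and Charlie: whatever Guest is granted, everyone gets. With anonymous access disabled, the three users get exactly the read-only / read-write / none split the example calls for, without any change to the data server’s tables.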
Browsing with Read Access
§ Load the animation page in the browser. You will be prompted to log in.
§ If you log in as ‘Alice’ you can view the animation.
§ However, if you attempt to enter a value in the edit box you will get an error message (screenshot not reproduced).

Browsing with Read/Write Access
§ Once you log in to a web site, you will not be prompted again for the duration of your browser session.
§ Restart the browser, navigate to the animation page and log in as Bob.
§ Now you will be able to both view the animation and change the tag value.
§ Notice that the demo server knows who the client is (screenshot not reproduced).

Browsing with No Access
§ Restart the browser and log in as ‘Charlie’.
§ Attempt to navigate to the animation page. Charlie’s login succeeds at the Web Server, so the page loads, but the data server denies his CGI client and no data values are displayed (screenshot not reproduced).

Alternative Protection Schemes
§ Instead of disabling anonymous access with the Internet Service Manager, you can also set up protection directly with NTFS file and directory permissions.
§ This can be done from File Explorer.
§ To do this, remove read access for ‘Everyone’ and add access for the NT groups that you wish to allow. An anonymous request then fails because the IIS guest account is not in an allowed group, and IIS prompts the browser for a login instead.

For more details…
§ http://www.microsoft.com/technet/iis/

End