Controlling Data Access with Web@aGlance

SECURITY - Controlling Data Access with Web@aGlance
Copyright 2000 eMation
Overview – Web Security Issues
 Publishing process data with a Web Server is a potential security problem, even when restricted to intranets
 Allows wide access to process data among the plant’s user community
 General Web security issues:
• User authentication
• Data protection (encryption)
• Access Control
Web@aGlance Security
 3 Aspects of Security
• Authentication
• Access Control
• Data Protection
 Web@aGlance uses Web Server and NT security
• no new administration tasks/tools
• maps the web server security domain to the data server / control system domain
Web Server Security Basics 1
 Authentication
• Identifies the browser user via a username/password login (once per session)
• 3 levels for IIS Web Server
• Anonymous access (no authentication)
• Basic Authentication (Netscape and IE browsers)
• NT Challenge/Response (IE only)
• Browser user mapped to a local web server NT account
Web Server Security Basics 2
 Access Control
• For IIS, protection via NTFS permissions
• Can protect directories and individual files
• Dynamic requests (CGI) run in the context of the local login account
 Data Protection
• Web@aGlance does data exchange over http
• Allows encryption via SSL (secure socket layer)
• Built-in IIS feature
• Covers only the browser to Web Server leg; the CGI to data server connection is not encrypted by SSL
Web@aGlance Access Control
1. Web Browser: the browser fetches the protected animation web page and is required to log in.
2. Web Server: the animation starts a data request to the WebAAG CGI. It can access the protected Automation Server, which runs in the login context as a local user.
3. Data Server: the CGI connects as a client to the data server. The server checks whether the client has permission to read the specified tags.
Restricting Access by Domain
IP Address and Domain Name filtering are available on IIS, but not on Personal Web Server.
IIS Access Control
[Screenshot: IIS directory access permissions: Read? Write? Run Scripts? Execute programs?]
 Applies to Everyone (these IIS directory permissions are not per-user; per-user control is done with NTFS permissions)
NTFS Access Control Applies to Each File
In File Explorer, right-click on C:\Inetpub\wwwroot then select the Security tab
IIS Authentication
Choose a Method for Access Control that is Manageable and has Adequate Security
Authentication for Each Virtual Directory
Data Protection
Data Can be Encrypted Between the Browser and the Web Server
Controlling access: a simple example
 Restricting browser access to process data
 3 categories of browser users:
• Those allowed to view (read) process data
• Those allowed to view and change data values
• Everyone else, who are allowed to do neither
 For this example, we wish to give 3 users the following access to data:
• Alice, read-only access
• Bob, read and write access
• Charlie, no access
Example Users
[Diagram: Alice (Read Only), Bob (Read/Write) and Charlie (No Access) connect through the Web Server to the Data Server]
Permissions and the CGI
 To control access to data, you use both built-in features of the Microsoft IIS Web Server and @aGlance server permissions.
 An @aGlance server can identify the requesting client and determine if that client has permission to read or write process data. In this case the client task is the Web@aGlance CGI – the Web Server backend process that is run to service a browser request.
 By default, requests from different browsers run on the server in one guest account. In this case the @aGlance server sees all clients running as the same user.
Anonymous Guest Access
[Diagram: Alice, Bob and Charlie each reach the Data Server through a Guest CGI Client on the Web Server; the Data Server sees a single guest user]
Permissions and Authentication
 You can turn off anonymous browser access for Web@aGlance and WebOPC.
 This forces all browser users to log in to an account on the Web Server system. This can be a local account or an account in the same NT domain.
 In this case the Web CGI process will run from the local account. The @aGlance server can then identify each client user and apply separate permissions.
Authenticated Access
[Diagram: Alice, Bob and Charlie reach the Data Server through Alice’s CGI Client, Bob’s CGI Client and Charlie’s CGI Client respectively on the Web Server]
Demonstration Setup
The following demo shows how to control access for the 3 example users to a single Web animation page. The web page reads and writes data to the AAG demo server.
Set up:
1. Add user accounts on the NT server
2. Create an animation web page in a separate folder
3. Disable anonymous access to the web page and the CGI
4. Enable permissions in the demo server
5. Map the user accounts to AAG proxy groups.
6. Grant permissions to the AAG proxy groups.
Add NT User Accounts
 This is done with the NT User Manager.
 For this example, add accounts for Alice, Bob and Charlie
Create an Animation Page
 A simple animation page with several input controls and one output edit box is created in a separate folder as:
 /protectedaccess/readwrite.html
Disable Anonymous Access – General
 With IIS or PWS V4, use the Internet Service Manager found in the “Windows NT 4.0 Option Pack\Microsoft Personal Web Server” menu.
Authentication Methods
 IIS allows 3 types of Authentication for browser users:
• Anonymous. No authentication; all users run locally under the IIS guest account. No browser login is required.
• Basic Authentication. Account login is requested with a username / password prompt displayed in the browser. Users run locally in that account. This method works with both Navigator and IE browsers, but the password is exchanged in the clear (only base64-encoded, so anyone who can read the traffic can recover it).
• NT Challenge/Response. User login is required. This method works only in IE browsers. The password is not sent across the network. If the browser and server systems are in the same NT domain then the user is automatically authenticated – no login prompt is shown.
 Normally, you would disable only Anonymous access. For this demo, we disable NT Challenge/Response as well to show the login taking
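As an added example (not eMation's code, and not a capture from a Web@aGlance server), the following Python shows what the Basic Authentication exchange above puts on the wire and why the slide calls it "in the clear": the browser sends user:password base64-encoded, and any host that can read the intranet traffic decodes it as easily as this function does. The request text, the user Alice and the password are constructed for the example; the function name basic_credentials is an assumption.

```python
"""Recover a Basic Authentication login from a raw HTTP request.
Added example: the request below is constructed, not captured."""
import base64
import binascii

# Constructed request: what a browser sends after the username/password
# prompt when the protectedaccess folder only allows Basic Authentication.
# "QWxpY2U6czNjcmV0" is base64 of "Alice:s3cret".
CAPTURED_REQUEST = (
    "GET /protectedaccess/readwrite.html HTTP/1.0\r\n"
    "Host: webserver\r\n"
    "Authorization: Basic QWxpY2U6czNjcmV0\r\n"
    "\r\n"
)


def basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None
    when the request carries no Basic credentials: no header, another scheme
    (NT Challenge/Response sends 'NTLM' tokens that contain no password),
    or a malformed token.

    Basic auth only base64-encodes 'user:password'; base64 is an encoding,
    not encryption, so a sniffer on the intranet recovers the login exactly
    like this unless the connection is wrapped in SSL."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return None
        user, colon, password = decoded.partition(":")
        if not colon:
            return None
        return (user, password)
    return None


if __name__ == "__main__":
    print("credentials recovered from the wire:", basic_credentials(CAPTURED_REQUEST))
```

Base64 is what makes Basic usable across browsers, not what protects it; SSL between browser and Web Server is the only thing on this page that hides the login from a sniffer. For NT Challenge/Response the same parser returns None, because the header carries a challenge response rather than the password.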
Disable Anonymous Access to Page
 Open the default web site and select the folder ‘protectedaccess’
 Right-click on the folder and choose ‘Properties’.
 Select the ‘Directory Security’ tab in the dialog box and click on the button labeled ‘Edit’ in ‘Anonymous Access and Authentication Control’.
 Clear the ‘Allow Anonymous’ and ‘NT Challenge/Response’ checkboxes.
Disable Anonymous CGI Access
 Open the default web site and select the CGI file ‘aagweb.exe’ from the ‘CGI-bin’ folder.
 Right-click on the file and choose ‘Properties’.
 Select the ‘File Security’ tab in the dialog box and click on the button labeled ‘Edit’ in ‘Anonymous Access and Authentication Control’.
 Clear the ‘Allow Anonymous’ and ‘NT Challenge/Response’ checkboxes.
Enable Demo Server Permissions
 Set up the @aGlance Demo Server permissions by editing the file ‘demoserv.ini’ in your AAG directory
 Add the following lines to the ‘[Params]’ section:
ReadPermission=DEMO_READ
WritePermission=DEMO_WRITE
Map User Accounts to AAG Proxies
 @aGlance permissions can be assigned to individual users or to ‘proxy’ users.
 A proxy is essentially a way of grouping clients as a single local user. You can then assign permissions to this single local user.
Map User Accounts to AAG Proxies
 Start the AAG administration tool from the “Web@aGlance \ Administration” menu. Select the ‘Proxies’ tab.
 Select the proxy type ‘One User on One Host’.
 Add 2 proxies:
• User ‘Alice’ on the local host as proxy ‘Reader’
• User ‘Bob’ on the local host as proxy ‘ReaderWriter’
Grant Permissions
 In the @aGlance Administration tool, select the ‘Permissions’ tab.
 Choose the permission type ‘Local User’.
 Add 3 permissions:
• User ‘Reader’ with ‘DEMO_READ’
• User ‘ReaderWriter’ with ‘DEMO_READ’
• User ‘ReaderWriter’ with ‘DEMO_WRITE’
Browsing with Read Access
 Load the animation page in the browser. You will be prompted to login.
 If you login as ‘Alice’ you can view the animation.
 However if you attempt to enter a value in the edit box you will get an error message:
Browsing with Read/Write Access
 Once you login to a web site, you will not be prompted again for the duration of your browser session.
 Restart the browser, navigate to the animation page and login as Bob.
 Now you will be able to both view the animation and change the tag value.
 Notice that the demo server knows who the client is:
Browsing with No Access
 Restart the browser and log in as ‘Charlie’
 Attempt to navigate to the animation page. The page will load but no data values will be displayed:
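To make the whole demo chain concrete, here is an added Python model of it (not eMation code; the names Guest, localhost, DemoServer, request and demo_server are assumptions for the example). The authentication setting fixes which local account the CGI runs as, the proxy table maps (user, host) to a proxy name as the ‘One User on One Host’ type does, and the permission table is checked against the ReadPermission / WritePermission names from demoserv.ini. It reproduces the three outcomes above for Alice, Bob and Charlie, and also shows the failure mode the earlier slides warn about: with anonymous access left on, every browser user becomes the guest account, so the data server cannot tell them apart and any permission granted to the guest is granted to everyone.

```python
"""Model of the Web@aGlance access-control chain used in the demo:
browser login -> account the CGI runs as -> @aGlance proxy -> permission.
Added example; Guest, localhost and all class/function names are
assumptions, not eMation APIs."""

ANONYMOUS = "anonymous"
AUTHENTICATED = "authenticated"

# Assumed name for the IIS anonymous/guest account the CGI runs under
# when anonymous access is allowed.
GUEST_ACCOUNT = "Guest"
LOCAL_HOST = "localhost"


def cgi_identity(auth_mode, browser_user):
    """Local account the WebAAG CGI process runs as for one request.
    Anonymous: every browser collapses into the guest account.
    Authenticated: the CGI runs as the account the browser logged in with,
    and a request with no login is refused by the Web Server."""
    if auth_mode == ANONYMOUS:
        return GUEST_ACCOUNT
    if not browser_user:
        raise PermissionError("login required: anonymous access is disabled")
    return browser_user


class DemoServer:
    """@aGlance demo server with ReadPermission/WritePermission enabled
    (the demoserv.ini [Params] lines) plus the proxy and permission tables
    entered in the Administration tool."""

    def __init__(self, read_permission="DEMO_READ", write_permission="DEMO_WRITE"):
        self.read_permission = read_permission
        self.write_permission = write_permission
        self.proxies = {}      # (user, host) -> proxy name ('One User on One Host')
        self.permissions = {}  # local user or proxy -> set of permission names

    def add_proxy(self, user, host, proxy):
        self.proxies[(user, host)] = proxy

    def grant(self, local_user, permission):
        self.permissions.setdefault(local_user, set()).add(permission)

    def resolve(self, user, host):
        """Name the permission lookup uses: the matching proxy if there is
        one, otherwise the individual local user."""
        return self.proxies.get((user, host), user)

    def check(self, user, host, op):
        """Does the client (as identified by the server) hold the permission
        named for this operation?"""
        required = {"read": self.read_permission, "write": self.write_permission}[op]
        return required in self.permissions.get(self.resolve(user, host), set())


def request(server, auth_mode, browser_user, op, host=LOCAL_HOST):
    """One browser request end to end. Returns (identity the data server
    sees, allowed); identity is None when the Web Server refuses the login."""
    try:
        identity = cgi_identity(auth_mode, browser_user)
    except PermissionError:
        return (None, False)
    return (identity, server.check(identity, host, op))


def demo_server():
    """The tables from the 'Map User Accounts' and 'Grant Permissions' slides."""
    srv = DemoServer()
    srv.add_proxy("Alice", LOCAL_HOST, "Reader")
    srv.add_proxy("Bob", LOCAL_HOST, "ReaderWriter")
    srv.grant("Reader", "DEMO_READ")
    srv.grant("ReaderWriter", "DEMO_READ")
    srv.grant("ReaderWriter", "DEMO_WRITE")
    return srv


if __name__ == "__main__":
    srv = demo_server()
    for user in ("Alice", "Bob", "Charlie"):
        for op in ("read", "write"):
            print(AUTHENTICATED, user, op, request(srv, AUTHENTICATED, user, op))
    # Same tables with anonymous access still on: everyone is the guest.
    print(ANONYMOUS, "Bob", "write", request(srv, ANONYMOUS, "Bob", "write"))
```

Two details worth noticing in the model: a proxy of type ‘One User on One Host’ is keyed on the host as well as the user, so Alice connecting from a different machine would fall back to her individual account and get nothing; and the guest collapse means the only safe permission for the guest account is none at all.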
Alternative Protection Schemes
 Instead of disabling Anonymous Access with the Internet Service Manager, you can also set up protection directly with NTFS file and directory permissions.
 This can be done from File Explorer.
 In order to do this, you must remove read access for ‘Everyone’, and add access for the NT groups that you wish to allow.
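Why the slide insists on removing ‘Everyone’ first: NT permissions accumulate across all groups a user belongs to, and every account (the anonymous guest included) is a member of Everyone. The following added Python model of NT access checking (not Microsoft code; the group names Readers and Writers, the account Guest and the function ntfs_access are assumptions) shows that adding group entries while leaving Everyone: Read in place changes nothing, and that an explicit deny, shown as ‘No Access’ in NT 4, overrides any allow.

```python
"""Model of NT/NTFS access checking for the protectedaccess folder.
Added example; group membership below is constructed, not read from a
real server, and the rule set is a simplification of NT's ACL evaluation."""

# Constructed group membership on the Web Server. Every account is also
# implicitly a member of 'Everyone' (see principals()).
GROUPS = {
    "Alice": {"Readers"},
    "Bob": {"Readers", "Writers"},
    "Charlie": set(),
    "Guest": set(),   # the anonymous IIS account is in Everyone too
}


def principals(user):
    """Identities an access check matches ACL entries against."""
    return {user, "Everyone"} | GROUPS.get(user, set())


def ntfs_access(acl, user, right):
    """Decide whether `user` holds `right` on an object protected by `acl`,
    a list of (principal, kind, rights) entries where kind is 'allow' or
    'deny' (NT 4 presents deny as the 'No Access' permission).
    Rules: an explicit deny for any of the user's principals wins;
    otherwise the allows for all matching principals accumulate."""
    who = principals(user)
    if any(p in who and kind == "deny" and right in rights for p, kind, rights in acl):
        return False
    granted = set()
    for p, kind, rights in acl:
        if p in who and kind == "allow":
            granted |= rights
    return right in granted


# Default wwwroot-style ACL: Everyone can read, so the page is public.
DEFAULT_ACL = [
    ("Everyone", "allow", {"read"}),
    ("Administrators", "allow", {"read", "write"}),
]

# Hardened ACL for /protectedaccess: Everyone removed, groups added.
PROTECTED_ACL = [
    ("Readers", "allow", {"read"}),
    ("Writers", "allow", {"read", "write"}),
    ("Administrators", "allow", {"read", "write"}),
]

# The common mistake: groups added but Everyone left in place.
HALF_DONE_ACL = [
    ("Everyone", "allow", {"read"}),
    ("Readers", "allow", {"read"}),
]

# 'No Access' for one user beats the Everyone allow.
NO_ACCESS_ACL = DEFAULT_ACL + [("Charlie", "deny", {"read", "write"})]


if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("protected", PROTECTED_ACL),
                      ("half done", HALF_DONE_ACL), ("no access", NO_ACCESS_ACL)):
        for user in ("Alice", "Bob", "Charlie", "Guest"):
            print(name, user, "read:", ntfs_access(acl, user, "read"))
```

With NTFS protection the anonymous request is evaluated as the guest account, which only ever matches Everyone; once Everyone is gone the request fails and IIS asks the browser to authenticate, which is what ties this scheme back to the per-user CGI identity used by the data server.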
For more details…
 http://www.microsoft.com/technet/iis/
End Security