[Imported] Server logins and SCADA reset

sbeadle · ‎2019-11-06

>>Message imported from previous forum - Category:General Items<<
User: ROVSCADAENGINEER, originally posted: 2019-01-30 23:56:53 Id:356
I am wondering if on a RDC (Remote Desktop Server) server it is possible to program the server to respond differently when a new IP address logs in. for instance I want programs to reset when a new IP logs into the server, thus logging out any existing user that was previously on the (SCADA) server by resetting the program Xview. This is important for 2 reasons. It ensures accountability is not confused with new server logins using other users logins, and it prompts the new server user to login with his/her login.

This may well be beyond the SCOPE of SCADA programming, however it is interesting because it is something that becomes a security issue when users are logging into SCADA from different servers.

sbeadle · ‎2019-11-06

>>Responses imported from previous forum

Reply From User: BevanWeiss, posted: 2019-01-31 09:44:22
I think the important thing that you've failed to mention explicitly is that you're allowing multiple users to use a common shared user to log into the RDS server.
If the users are logging in with their own logins, then they will get separate RDS sessions (based upon their user accounts) and hence each will get their own ViewX process, which they will need to individually log into. Hence if RDS were used properly, you would get no such issue 😉

If you use a shared username, and it's just 'kicking off the other session', then it's actually technically the same Windows session, and hence there is no way of determining that a new IP is used for the session, all the applications within the Windows environment are unaware that the session has transferred from one remote client to another. I believe there is an API to get session information, which might include the client IP address, but you'd need to be calling this periodically to detect the change and action it.. not worth it in my opinion.

Reply From User: adamwoodland, posted: 2019-01-31 22:13:05
Could be, and this is an assumption, that they're wanting to using the two inherent admin remote access licences rather than buying remote access CALs for each concurrent user/device. If so, be aware of https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx:

"Customer may allow access to server software running in any permitted OSE by two users without CALs solely for administrative purposes. Customer may also allow remote access to other Products solely for purposes of providing technical product support to Licensed Users or on Licensed Devices."

You could probably argue engineers doing administrative work on the database, such as start and stop of comms, etc, would count although I'm sure in that documented there is a clear definition of administrative purposes. Configuration staff and operators I doubt would count even at a stretch and would need their own remote access CALs to be compliant with the terms and conditions.

Remote access CALs aren't that much, around US$120 each last time I looked.

There is also the whole compliance with any cyber security standards such as IEC62443-3-3 to do with shared logins that may need to be considered.

Reply From User: ROVSCADAENGINEER, posted: 2019-02-01 01:02:59
that's actually a good suggestion! I ran that by the senior engineer but it seems to create new logins for every user on the 10 servers will take some time. So I may do some investigating into the API functionality. Thanks for your input Bevan!

Reply From User: ROVSCADAENGINEER, posted: 2019-02-01 01:16:50
nothing to do with licencing usage [at]adamwoodland said:
Could be, and this is an assumption, that they're wanting to using the two inherent admin remote access licences rather than buying remote access CALs for each concurrent user/device. If so, be aware of https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx:

"Customer may allow access to server software running in any permitted OSE by two users without CALs solely for administrative purposes. Customer may also allow remote access to other Products solely for purposes of providing technical product support to Licensed Users or on Licensed Devices."

You could probably argue engineers doing administrative work on the database, such as start and stop of comms, etc, would count although I'm sure in that documented there is a clear definition of administrative purposes. Configuration staff and operators I doubt would count even at a stretch and would need their own remote access CALs to be compliant with the terms and conditions.

Remote access CALs aren't that much, around US$120 each last time I looked.

There is also the whole compliance with any cyber security standards such as IEC62443-3-3 to do with shared logins that may need to be considered.

Thankyou for bringing my attention to this adam!

See Answer In Context

sbeadle · ‎2019-11-06