Define the Default Security Settings for New User Accounts
You can use the Server Configuration Tool to define the default level of system security. Users access the system with user accounts, and you can enforce several security settings for the user accounts that you manage directly in ClearSCADA (including minimum password length, password retries, and so on).
With user accounts that are associated with Windows or LDAP User Profiles, password management is performed via the relevant Windows domain or LDAP server.
To define the user account settings for your system:
- Display the Server Configuration Tool and log on if required.
- Expand the system node you require.
- Expand the System Configuration branch.
- Select the Security branch.
ClearSCADA displays the security settings.
- Define the settings in the User Accounts section:
Minimum Username Length
Enter the least number of characters permitted in a user account name. We recommend a minimum password length of at least 6 characters for greater security. The ClearSCADA default value is 6 characters.
Minimum Password Length
Enter the least number of characters permitted in a user account password. We recommend a minimum password length of at least 6 characters for greater security. The ClearSCADA default value is 10 characters.
The Minimum Password Length setting only applies to new accounts; it does not affect existing passwords.
Minimum Password Strength
Choose the strength for passwords. The strength determines what kinds of characters are required in a password. Choose from:
- Any—The password can contain any characters. This is the ClearSCADA default.
- Upper & Lower Case—The password has to contain a combination of upper and lower case characters.
- As above plus Numbers—The password has to contain a combination of upper and lower case characters and digits.
- As above plus Punctuation—The password has to contain a combination of upper and lower case characters, digits, and punctuation characters such as commas.
The Minimum Password Strength setting only applies to new accounts; it does not affect existing passwords.
Allowed Failed Logons
Define the number of logon attempts that are permitted. If a user does not enter the correct Username and Password within the defined number of attempts, the system will disable the relevant user account. The user will be unable to log on via that account until a system administrator has re-enabled the user account by enabling the Security feature on the User Form (see Creating a User Account). The ClearSCADA default value is 0 attempts. That is, the feature is disabled.
Delayed Lockout
Select this check box to enable ClearSCADA to disable user accounts temporarily, for the duration defined in Delayed Lockout Duration, if a user does not enter the correct Username and Password within the number of attempts defined in Delayed Lockout Logons. The default is for ClearSCADA to clear this check box. That is, Delayed Lockout is disabled.
Delayed Lockout Logons
Define the number of logon attempts that are permitted if the Delayed Lockout feature is enabled. If a user does not enter the correct Username and Password within the defined number of attempts, the system will disable the relevant user account for the duration defined in Delayed Lockout Duration. This value should be smaller than the value of Allowed Failed Logons. The ClearSCADA default value is 10 attempts.
Delayed Lockout Duration
Define the length of time (in seconds) for which a user account is disabled if the Delayed Lockout feature is enabled. The ClearSCADA default value is 30 seconds.
Password Dictionary Size
Enter the number of passwords that are stored in the password dictionary for each user account by default.
When a user creates a password, it is stored in the password dictionary. When the password expiry time has elapsed, the account user needs to enter a new password. The new password cannot be the same as any of the passwords in the password dictionary. The ClearSCADA default size is 10 passwords.
For more information on the Password Dictionary, please refer to Creating a User Account.
Users Must Have Passwords
Select this check box to enforce passwords; every user account will require a password. If you clear this check box, passwords are not required and users will only need to enter a user name to log on. The default is for ClearSCADA to select this check box.
Users Can Change Passwords
Select this check box to allow users to change the passwords for their user accounts; clear it to stop users from being able to change their passwords. The default is for ClearSCADA to select this check box.
Password is Pre-expired
Select this check box to set ClearSCADA to prompt each new user to change their user account password the first time they log on; clear it to make each user log on using the password defined in their user account configuration (they are not prompted to change their password). The default is for ClearSCADA to select this check box. For more information on the Pre-expired feature, see Define the Password for a User.
Passwords Expire After n Days
Enter the default number of days that can elapse before a new password needs to be created for each user account. By setting a password expiry time, you increase system security as passwords are regularly changed so there is less chance of an unauthorized user accessing the system.
The ClearSCADA default value is 0. That is, the feature is disabled.
Example:
If you set Password Expire After n Days to 10 days and a Password Dictionary Size of 3.
Password Expiration Warning
If the Password Expire After n Days option is enabled, you should enter the default number of days that a user is informed in advance that their password is due to expire. Once this limit is reached, or in the last 24 hours before the password expires, ClearSCADA displays a password expiry warning whenever the user logs on.
When you select OK, the Change Password dialog is displayed; this can be ignored until the password expires. ClearSCADA also generates a diagnostic message, informing the user of the number of days that remain until their password expires. The diagnostic message appears in the Messages Window. The ClearSCADA default value is 14 days. If the passwords are set to not expire, users will not be warned to change them regardless of this setting.
If you log on using the WebX client, you are not warned that your password is due to expire. When the password expires, you will be prompted to change your password.
Inactivity Logout
Enter the number of minutes that can elapse before an inactive user is logged off. The default value is 15 minutes. This feature is designed to help protect your system from unauthorized users that may attempt to gain access via unmanned workstations. If a user is inactive for longer than the Inactivity Logout time, their user session will expire. When this happens, the ClearSCADA displays that are open on that ViewX client are hidden from view until the user confirms their password in order to continue their session (see Session Expiry due to User Inactivity).
If the Logout on Inactivity option is also selected, then the user is completely logged out of ViewX and the system defaults to the Guest user.
The system does not log out automatically if there are any open documents with pending changes. If this occurs, the system prompts you to log off when the system is inactive for the time configured in the default security settings. When you log off, you are prompted to save any open document (see Log Off from ViewX).
If Inactivity Shutdown is also configured, the system will also shut down after a set amount of time once the user has been logged off.
This example illustrates the basic relationship between all the inactivity functions.
Allow Per-User Configuration
Use this check box to define whether individual user accounts can have different settings to the default settings you are applying via the Server Configuration Tool. If you select this check box, each user account will have the Security tab available. The Security tab settings allow the user account to have security settings that are different to the default settings you are defining via the Server Configuration Tool (see Define the Security Settings for a User). If you clear the check box, every user account will use the default settings (so will have the same number of characters per password, same failed logon attempt limits and so on). The default is for ClearSCADA to clear this check box.
The default settings that you specify on the Server Configuration Tool are put into effect automatically for every new user account. You can then use the User Form to adjust the settings for the individual user accounts as required (see Configure User Accounts Appropriately).
Voicemail PIN Length
If ClearSCADA is connected to a third-party telephony system with voicemail, this allows you to enter the number of characters required for PIN numbers. PIN numbers for voicemail are required to have the defined number of characters. For example, if you enter 7, voicemail PIN numbers require exactly 7 digits. The ClearSCADA default value is 4 characters.
Reset to defaults
Select this button if you want to set all of the fields in the User Accounts section to the ClearSCADA default values.
- Apply the changes to the server.
- Repeat steps 2 to 6 inclusive for each system as required.
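How the Minimum Password Length, Minimum Password Strength and Password Dictionary Size settings combine when a password is changed, as an added Python example (not ClearSCADA code). The class and function names, and the choice of salted PBKDF2 for the stored history, are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from collections import deque

# Strength levels in the order the page lists them; each level adds a class.
STRENGTH_LEVELS = ["Any", "Upper & Lower Case", "As above plus Numbers",
                   "As above plus Punctuation"]


def strength_failures(password, level):
    """Return the character classes the password lacks for the given level."""
    rank = STRENGTH_LEVELS.index(level)
    checks = [
        (1, "upper case", str.isupper),
        (1, "lower case", str.islower),
        (2, "digit", str.isdigit),
        (3, "punctuation", lambda c: c in string.punctuation),
    ]
    return [name for need, name, test in checks
            if rank >= need and not any(test(c) for c in password)]


class PasswordDictionary:
    """Per-account history of the last `size` passwords (hypothetical model)."""

    def __init__(self, size=10):
        self.entries = deque(maxlen=size)   # oldest entry drops off automatically

    @staticmethod
    def _digest(password, salt):
        # Assumption: history is kept as salted PBKDF2 digests, never plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def contains(self, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.entries)

    def change_password(self, password, min_length=10, level="Any"):
        """Apply length, strength and reuse rules; return the rejections."""
        problems = []
        if len(password) < min_length:
            problems.append(f"shorter than {min_length} characters")
        problems += [f"missing {c}" for c in strength_failures(password, level)]
        if self.contains(password):
            problems.append("already in password dictionary")
        if not problems:
            salt = os.urandom(16)
            self.entries.append((salt, self._digest(password, salt)))
        return problems
```

With a dictionary size of 3, the fourth accepted password pushes the first one out of the history, so that first password becomes reusable again.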
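Why Delayed Lockout Logons should be smaller than Allowed Failed Logons, shown as an added Python model (not ClearSCADA code). The names are hypothetical, and the counter behaviour (consecutive failures, reset on a successful logon, temporary lockout re-armed every Delayed Lockout Logons failures) is an assumption the page does not specify.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:                      # field names are hypothetical
    allowed_failed_logons: int = 0        # 0 = feature disabled (page default)
    delayed_lockout: bool = False
    delayed_lockout_logons: int = 10
    delayed_lockout_duration: int = 30    # seconds


def policy_warnings(p):
    """Flag combinations where a lockout control can never take effect."""
    warnings = []
    if not p.allowed_failed_logons and not p.delayed_lockout:
        warnings.append("no lockout enabled: password guesses are unlimited")
    if (p.delayed_lockout and p.allowed_failed_logons
            and p.delayed_lockout_logons >= p.allowed_failed_logons):
        warnings.append("Delayed Lockout Logons should be smaller than "
                        "Allowed Failed Logons")
    return warnings


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0         # consecutive failed logons (assumed counter)
        self.locked_until = 0.0   # end of the current temporary lockout
        self.disabled = False     # set once; only an administrator clears it

    def logon(self, password_ok, now):
        """Return 'ok', 'failed', 'locked' (temporary) or 'disabled'."""
        p = self.policy
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"       # even a correct password is refused
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if p.allowed_failed_logons and self.failures >= p.allowed_failed_logons:
            self.disabled = True
            return "disabled"
        if p.delayed_lockout and self.failures % p.delayed_lockout_logons == 0:
            self.locked_until = now + p.delayed_lockout_duration
            return "locked"
        return "failed"
```

If the two values are the wrong way round, the account is disabled before the temporary lockout is ever reached, so every mistyped-password incident needs an administrator.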