Geo SCADA Expert Service Account
Following installation, Geo SCADA Expert runs, by default, under the Local System account. There are some functions that require the privileges that this account grants. The database server service must be run under either the Local System account or an Administrator account for it to be fully functional.
Server-side printing and MAPI emailing (required by Crystal Reports), System Calls from Logic or System Methods, built-in Backup and the SQL Export driver require the server to load a user profile, which can only be performed by an Administrator account.
Geo SCADA Expert enables you to change the service configuration to run the server under a different user or virtual account, which allows you to manage services as follows:
- The server gracefully handles the failures if these features are used and it is run under a limited user account such as a virtual account.
- Ancillary Geo SCADA Expert processes including the License Server for client licensing, Port Server, and AEPrinter services, will be configured to use a virtual account on installation.
When virtual accounts are used for ancillary processes such as those mentioned above, the 'NT SERVICE\ALL SERVICES' account has to be assigned the 'Log on as a service' user right. For details on how to do this, see https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx. With virtual accounts used for licensing services, you also need to grant permissions for the virtual user account to read the directory in which the license file is stored.
If the 'NT SERVICE\ALL SERVICES' account is not assigned the 'Log on as a service' user right, the virtual account will not work and an error will be shown in the system log files in Windows.
Providing Service Features
To provide the following features, Geo SCADA Expert has to interact with Windows via a Windows user account:
- System Calls
- Printing
- File Upload
- Performance Monitoring
- External Authentication (unless interacting with LDAP, rather than Active Directory, user accounts).
In Windows, access to these features requires the use of a Windows user account that has suitable permissions and in some cases, is part of a specific Windows user group. So, if Geo SCADA Expert is to make use of one or more of these features, it has to be running under a Windows user account that has the required Windows permissions. For example, in Geo SCADA Expert you can print a Mimic. But the Mimic will only print if the Geo SCADA Expert client is running on a PC that is currently logged on to Windows via a Windows user account that has the permission to print.
So when you are setting up Geo SCADA Expert servers and clients, you should consider the permissions that are allocated to the Windows user accounts under which Geo SCADA Expert will run.
For increased security, we recommend that you configure the Windows user accounts so that they only provide access to the programs, files, printers and PCs that are actually needed. For example, if you need Geo SCADA Expert users to be able to execute system calls on one specific program, use a Windows user account that only provides access to that program. This will mean that your Geo SCADA Expert server and clients can only access the programs, printers, files and PCs that are needed as part of your operational requirements.
On PCs where the system calls, printing, file upload and performance monitoring features will only be used locally, you can use a local Windows account. You will need to set the local Windows account to have suitable permissions in Windows.
On PCs where Geo SCADA Expert will use the system calls, printing, file upload and performance monitoring features over a network, you will need to use a domain Windows user account. You will need to set the Windows domain user account to have suitable permissions in Windows.
Using another user account in this way enables the Geo SCADA Expert server to access network resources to which it would otherwise not have access. The process of logging on under a different Windows user account is known as 'user impersonation'. For more information about how Geo SCADA Expert uses user impersonation,
On systems on which the External Authentication feature is used, each Geo SCADA Expert user account that is to be managed remotely using Active Directory or LDAP requires a corresponding Windows domain or LDAP user account. When Active Directory is used to manage the user accounts remotely, we recommend that the Windows domain user accounts are given minimal access rights on the Geo SCADA Expert server
For more information on configuring Windows user accounts and Windows user account permissions, please refer to your Windows documentation.
Server-Side Printing
The Geo SCADA Expert server runs as a Windows service and therefore does not have a Windows desktop. As such, you can only use server-side printing to print to 'real' printers (ones that print to paper and do not display a user interface during the printing process). You must not use server-side printing for printing to file (such as PDF) or that otherwise result in the printer driver displaying a user interface during the printing process (for example, in order to specify the filename). That user interface cannot be accessed, due to the Geo SCADA Expert server running as a Windows service.
Ensure that unsuitable printers are not added to the Windows user account that is used for server-side printing. Also check whether that user account has had any unsuitable printers added to it automatically, and remove them if so, to prevent attempts to print to unsuitable printers. For more information,
We recommend that you only use server-side printing for printing to paper via 'real' printers.
If server-side printing has been used to attempt to print to an unsuitable printer (one that displays a user interface), the software component (such as a driver) that is performing the printing will 'hang'. If this happens, you have to restart the driver. You will be unable to use server-side printing to print to file.
Client-side printing is unaffected by the above issue, as users can use the client interface to respond to any print dialog boxes that are displayed.
Access Restrictions to Geo SCADA Expert File Locations
With clean installations of Geo SCADA Expert 2019 onwards, access to the locations of some types of file used by Geo SCADA Expert is restricted to Windows Administrator accounts only. For a list of such file locations, see the tables in the Windows File Location topics referenced in
Set Access Restrictions on File Locations
If you upgrade your system from a ClearSCADA installation, the upgrade process WILL NOT apply the above-mentioned file location restrictions.
WARNINGpotential security breach
Folders that are used by the Geo SCADA Expert server should have their access restricted to the Local SYSTEM and Administrator accounts or groups, or to the account or group under which the Geo SCADA Expert service is set to run.
Folders that are used by ViewX should have their access limited to the account(s) under which the ViewX process runs.
Older installations and upgrades might use common folders for server and ViewX for logging. These locations should be moved to allow separate ACLs to be configured. For a list of recommended file locations, see the tables in the Windows File Location topics referenced in
In both server and ViewX cases, you may need to consider allowing access for backup, and note also that the Server Icon and Server Status tools have menus that permit the viewing of log files. The users of these two applications need to be granted read access to the relevant folder(s) if they are to be able to display these log files.
User Account for Virtual ViewX
A user account, VVXLocalUser, is created automatically in Windows on the Virtual ViewX server machine when you install Virtual ViewX. The user account is required to run the ViewX processes that are created on that server machine. It is important that this user account is not deleted, nor its password changed, otherwise Virtual ViewX will be unable to operate.