Use Appropriate Windows User Accounts
ClearSCADA Service Account
Following installation ClearSCADA runs, by default, under the Local System account. There are some functions that require the privileges that this account grants. The database server service must be run under either the Local System account or an Administrator account for it to be fully functional.
Server side printing and MAPI emailing (required by Crystal Reports), System Calls from Logic or System Methods, built-in Backup and the SQL Export driver require the server to load a user profile, which can only be performed by an Administrator account.
ClearSCADA 2017 R1 onwards, allows you to change the service configuration to run the server under a different user or virtual account, which allows you to manage services as follows:
- The server gracefully handles the failures if these features are used and it is run under a limited user account such as a virtual account.
- Ancillary ClearSCADA processes including the License Server will be configured to use a virtual account on installation.
Providing service features
To provide the following features, ClearSCADA has to interact with Windows via a Windows user account:
- System Calls
- Printing
- File Upload
- Performance Monitoring
- External Authentication (unless interacting with LDAP, rather than Active Directory, user accounts).
In Windows, access to these features requires the use of a Windows user account that has suitable permissions and in some cases, is part of a specific Windows user group. So, if ClearSCADA is to make use of one or more of these features, it has to be running under a Windows user account that has the required Windows permissions. For example, in ClearSCADA you can print a Mimic. But the Mimic will only print if the ClearSCADA client is running on a PC that is currently logged on to Windows via a Windows user account that has the permission to print.
So when you are setting up ClearSCADA servers and clients, you should consider the permissions that are allocated to the Windows user accounts under which ClearSCADA will run.
For maximum security, we recommend that you configure the Windows user accounts so that they only provide access to the programs, files, printers and PCs that are actually needed. For example, if you need ClearSCADA users to be able to execute system calls on one specific program, use a Windows user account that only provides access to that program. This will mean that your ClearSCADA server and clients can only access the programs, printers, files and PCs that are needed as part of your operational requirements.
On PCs where the system calls, printing, file upload and performance monitoring features will only be used locally, you can use a local Windows account. You will need to set the local Windows account to have suitable permissions in Windows.
On PCs where ClearSCADA will use the system calls, printing, file upload and performance monitoring features over a network, you will need to use a domain Windows user account. You will need to set the Windows domain user account to have suitable permissions in Windows.
On systems on which the External Authentication feature is used, each ClearSCADA user account that is to be managed remotely using Active Directory or LDAP requires a corresponding Windows domain or LDAP user account. When Active Directory is used to manage the user accounts remotely, we recommend that the Windows domain user accounts are given minimal access rights on the ClearSCADA server
For more information on configuring Windows user accounts and Windows user account permissions, please refer to your Windows documentation.