Define the Default Security Settings for New User Accounts

You can use the Server Configuration Tool to define the default level of system security. Users access the system with user accounts, and you can enforce several security settings for the user accounts that you manage directly in ClearSCADA (including minimum password length, password retries, and so on).

With user accounts that are associated with Windows or LDAP User Profiles, password management is performed via the relevant Windows domain or LDAP server.

To define the user account settings for your system:

  1. Display the Server Configuration Tool and log on if required.
  2. Expand the system node you require.
  3. Expand the System Configuration branch.
  4. Select the Security branch.
    ClearSCADA displays the security settings.
  5. Define the settings in the User Accounts section:

    Minimum Username Length

    Enter the least number of characters permitted in a user account name. We recommend a minimum password length of at least 6 characters for greater security. The ClearSCADA default value is 6 characters.

    Minimum Password Length

    Enter the least number of characters permitted in a user account password. We recommend a minimum password length of at least 6 characters for greater security. The ClearSCADA default value is 10 characters.

    If you reduce the Minimum Password Length, the revised value will only apply immediately to new user accounts; it will not affect the password length of existing user accounts until their current passwords expire.

    If you increase the Minimum Password Length, a dialog box is displayed asking whether you want to reset the passwords of existing user accounts, to align those accounts with the revised default user security policy. Use the dialog box to specify whether you want to enforce the new more stringent rules immediately with existing users, or you are willing to wait until the passwords of existing users expire before enforcing the new more stringent rules with those users. If you select Yes, the passwords of existing users will be reset; the next time that the users log on, they will be asked to provide a new password that meets the required criteria, including the revised minimum password length. If you select No, the passwords of existing users remain valid until they expire, even if they are shorter than the revised Minimum Password Length. However, when the current passwords expire, the new passwords will have to adhere to the Minimum Password Length that is in force at the time that those new passwords are created.

    Minimum Password Strength

    Choose the strength for passwords. The strength determines what kinds of characters are required in a password. Choose from:

    • Any—The password can contain any characters. This is the ClearSCADA default.
    • Upper & Lower Case—The password has to contain a combination of upper and lower case characters.
    • As above plus Numbers—The password has to contain a combination of upper and lower case characters and digits.
    • As above plus Punctuation—The password has to contain a combination of upper and lower case characters, digits, and punctuation characters such as commas.

    The Minimum Password Strength setting only applies to new accounts; it does not affect existing passwords.

    Allowed Failed Logons

    Define the number of log on attempts that are permitted. If a user does not enter the correct Username and Password within the defined number of attempts, the system will disable the relevant user account. The user will be unable to log on via that account until a system administrator has re-enabled the user account by enabling the Security feature on the User Form (see Creating a User Account). The ClearSCADA default value is 0 attempts. That is, the feature is disabled.

    Delayed Lockout

    Select this check box to enable ClearSCADA to disable user accounts temporarily for a duration defined in Delayed Lockout Duration, if a user does not enter the correct Username and Password within the number of attempts defined in Delayed Lockout Logons. The default is for ClearSCADA to clear this check box. That is, Delayed Lockout is disabled.

    Delayed Lockout Logons

    Define the number of logon attempts that are permitted if the Delayed Lockout feature is enabled. If a user does not enter the correct Username and Password within the defined number of attempts, the system will disable the relevant user account for a duration defined in Delayed Lockout Duration. This value should be smaller than the value of the Allowed Failed Logons. The ClearSCADA default value is 10 attempts.

    Delayed Lockout Duration

    Define the duration of time (in seconds) that a user account is disabled if the Delayed Lockout feature is enabled. The ClearSCADA default value is 30 seconds.

    Password Dictionary Size

    Enter the number of passwords that are stored in the password dictionary for each user account by default.

    When a user creates a password, it is stored in the password dictionary. When the password expiry time has elapsed, the account user needs to enter a new password. The new password cannot be the same as any of the passwords in the password dictionary. The ClearSCADA default size is 10 passwords.

    For more information on the Password Dictionary, please refer to Creating a User Account.

    Users Must Have Passwords

    Select this check box to enforce passwords; every user account will require a password. If you clear this check box, passwords are not required and users will only need to enter a user name to log on. The default is for ClearSCADA to select this check box.

    Users Can Change Passwords

    Select this check box to allow users to change the passwords for their user accounts; clear it to stop users from being able to change their passwords. The default is for ClearSCADA to select this check box.

    Password is Pre-expired

    Select this check box to set ClearSCADA to prompt each new user to change their user account password the first time they log on; clear it to make each user log on using the password defined in their user account configuration (they are not prompted to change their password). The default is for ClearSCADA to select this check box. For more information on the Pre-expired feature, see Define the Password for a User.

    Passwords Expire After n Days

    Enter the default number of days that can elapse before a new password needs to be created for each user account. By setting a password expiry time, you increase system security as passwords are regularly changed so there is less chance of an unauthorized user accessing the system.

    The ClearSCADA default value is 0. That is, the feature is disabled.

    Example:

    If you set Password Expire After n Days to 10 days and a Password Dictionary Size of 3.

    Password Expiration Warning

    If the Password Expire After n Days option is enabled, you should enter the default number of days that a user is informed in advance that their password is due to expire. Once this limit is reached, or in the last 24 hours before the password expires, ClearSCADA displays a password expiry warning whenever the user logs on.

    When you select OK, the Change Password dialog is displayed; this can be ignored until the password expires. ClearSCADA also generates a diagnostic message, informing the user of the number of days that remain until their password expires. The diagnostic message appears in the Messages Window. The ClearSCADA default value is 14 days. If the passwords are set to not expire, users will not be warned to change them regardless of this setting.

    If you log on using the WebX client, you are not warned that your password is due to expire. When the password expires, you will be prompted to change your password.

    Inactivity Logout

    Enter the number of minutes that can elapse before an inactive user is logged off. The default value is 15 minutes. This feature is designed to help protect your system from unauthorized users that may attempt to gain access via unmanned workstations. If a user is inactive for longer than the Inactivity Logout time, their user session will expire. When this happens, the ClearSCADA displays that are open on that ViewX client are hidden from view until the user confirms their password in order to continue their session (see Session Expiry due to User Inactivity). WebX users are logged out of their sessions and returned to the login page.

    If the Logout on Inactivity option is also selected then the user is completely logged out of ViewX and the system defaults to the Guest user. WebX users are logged out of all browser sessions on the system.

    The system does not log out automatically if there are any open documents with pending changes. If this occurs, the system prompts you to log off when the system is inactive for the time configured in the default security settings. When you log off, you are prompted to save any open document (see Log Off from ViewX).

    If Inactivity Shutdown is also configured, the system will also shut down after a set amount of time once the user has been logged off.

    If the Allow Per-User Configuration check box (see below) is clear, the Inactivity Logout period specified here will apply to both new and existing User Accounts that access the system via this ClearSCADA server (other than the Guest User). The Inactivity Logout period will also apply to both new and existing User Patterns. (User Patterns only apply to systems on which ClearSCADA can create new User accounts automatically as part of an External Authentication process. For more information, see Create User Accounts from a User Pattern.) With the Guest User, you can specify an Inactivity Shutdown period.

     

    This example illustrates the basic relationship between all the inactivity functions.

    Allow Per-User Configuration

    Use this check box to define whether individual user accounts can have different settings to the default settings that you are applying via the Server Configuration Tool.

    If you select this check box, each user account will have the Security tab available—the Security tab settings allow the user account to have security settings that are different to the default settings that you are defining via the Server Configuration Tool (see Define the Security Settings for a User). The default settings that you specify on the Server Configuration Tool are put into effect automatically for every new user account. You can then use the User Form to adjust the settings for the individual user accounts as required (see Configure User Accounts Appropriately).

    Additionally, when the Allow Per-User Configuration check box is selected, each User Pattern Form will also have the Security tab available. However, only the Enabled and Inactivity Logout properties will be available for use on the tab on those Forms, as the rest of the security settings are handled outside of ClearSCADA for externally authenticated users.

    If you clear the Allow Per-User Configuration check box, User Forms will not include a Security tab. The Forms of user accounts that are managed directly in ClearSCADA will inherit the default settings that are specified at the server (so will have the same number of characters per password, same failed log in attempt limits and so on).

    Additionally, when the Allow Per-User Configuration check box is cleared, any User Pattern Forms will not include a Security tab. The majority of settings on the tab on User Pattern Forms are handled outside of ClearSCADA. The Inactivity Logout period will be inherited from the default that is specified at the server.

    The default is for ClearSCADA to clear the Allow Per-User Configuration check box.

    Voicemail PIN Length

    If ClearSCADA is connected to a third-party telephony system with voicemail, this allows you to enter the number of characters required for PIN numbers. PIN numbers for voicemail are required to have the defined number of characters. For example, if you enter 7, voicemail PIN numbers require exactly 7 digits. The ClearSCADA default value is 4 characters.

    Reset to defaults

    Select this button if you want to set all of the fields in the User Accounts section to the ClearSCADA default values.

  6. Apply the changes to the server.
  7. Repeat steps 2 to 6 inclusive for each system as required.
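
The following added example (it is not part of the ClearSCADA documentation or product) checks a set of User Accounts values, read by hand from the Security branch, against the defaults, recommendations and constraints stated in step 5. The dictionary key names and the sample server values are assumptions made for this example.

```python
# Added example, not ClearSCADA code. Key names are hypothetical labels for
# values read by hand from the User Accounts section of the Security branch.
DEFAULTS = {  # ClearSCADA default values as stated on this page
    "users_must_have_passwords": True,
    "min_password_length": 10,
    "min_password_strength": "Any",
    "allowed_failed_logons": 0,        # 0 = feature disabled
    "delayed_lockout": False,
    "delayed_lockout_logons": 10,
    "passwords_expire_after_days": 0,  # 0 = feature disabled
    "allow_per_user_configuration": False,
}

def audit(settings):
    """Return (setting, finding) pairs; unspecified settings use DEFAULTS."""
    s = {**DEFAULTS, **settings}
    out = []
    if not s["users_must_have_passwords"]:
        out.append(("users_must_have_passwords", "a user name alone is enough to log on"))
    if s["min_password_length"] < 6:
        out.append(("min_password_length", "below the recommended 6 characters"))
    if s["min_password_strength"] == "Any":
        out.append(("min_password_strength", "no character classes are required"))
    permanent = s["allowed_failed_logons"] > 0
    if not permanent and not s["delayed_lockout"]:
        out.append(("allowed_failed_logons", "no lockout of either kind is enabled"))
    if permanent and s["delayed_lockout"] and \
            s["delayed_lockout_logons"] >= s["allowed_failed_logons"]:
        out.append(("delayed_lockout_logons", "should be smaller than Allowed Failed Logons"))
    if s["passwords_expire_after_days"] == 0:
        out.append(("passwords_expire_after_days", "password expiry is disabled"))
    if s["allow_per_user_configuration"]:
        out.append(("allow_per_user_configuration",
                    "accounts may override these defaults; review each User Form"))
    return out

if __name__ == "__main__":
    # Constructed sample: one server as shipped, one with changed values.
    servers = {
        "as-shipped": {},
        "changed": {"min_password_strength": "As above plus Punctuation",
                    "allowed_failed_logons": 5, "delayed_lockout": True,
                    "delayed_lockout_logons": 10, "passwords_expire_after_days": 90},
    }
    for name, values in servers.items():
        for setting, finding in audit(values):
            print(f"{name}: {setting}: {finding}")
```

Run against the as-shipped values, the check reports the three defaults that leave a protection switched off: password strength Any, no lockout, and no expiry.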

Further Information

Configure the Super User Account.

Case Sensitive Usernames.

Create User Accounts from a User Pattern.


ClearSCADA 2017 R3