Trapping CNTL+ALT+DEL

Here is another question that we were asked recently that we have heard before - so we decided to pass it on in case it turns out to be useful to others. The original question:

Last year we switched all our Wonderware stations to run on a Thin Client configuration. We are running two Windows 2000 Servers and fifteen ACP Thin Clients. The installation works fine and is very flexible. However, we are experiencing some problems with security. Because the Thin Client needs to run with administrative rights, our operators have figured out how to use task manager to access other programs on the server. This causes a serious problem because if we lose our servers we will be down plant wide. We need to somehow be able to disable the CNTL+ALT+DEL keys to prevent unnecessary access to the servers. The Wonderware KeyTrapSet seems to only work at the server level, and we were still able to gain access at the Thin Client level. Do you know of a way of disabling the keystrokes without having to install strict policies?

Two things that might help:

1) The Wonderware users do not need to be administrators if the Windows 2000 Terminal Server is set up with NT 4.0 permissions. You can check this by going to Start > Programs > Administrative Tools > Terminal Services Configuration and looking at the setting named "Permission Compatibility". It should have the attribute "Compatible with NT 4.0 Users"; if not, you can change it by double-clicking the setting.

The selection prompt during the install warns that the W2K permissions may prevent some legacy apps from running. This is because Windows 2000 security prevents access to the C:\WINNT folder, the registry, and *.INI files unless you are an administrator, and Wonderware requires all of these in order to run. Using NT 4.0 permissions allows access to those areas.

2) The InTouch For Terminal Services Deployment Guide, installed as a *.pdf file in the Books folder of FactorySuite, gives Wonderware's recommendation on this very security issue.

On page 58, section 3-12, "Defining Security" gives details on setting up three new groups (WW_Admins, WW_Users, and WW_Users_RC) and configuring the Terminal Connection Permissions so that users can access everything Wonderware needs without having the administrative powers to mess things up. The guide may use RDP as its example, but it applies to ICA as well.


For more information on ACP Industrial Thin Client computers, please visit our web site at http://www.thinmanager.com