Re: [foxboro] Fwd: Windows based I/A Foxview user name & password
- From: Daniel Wu <Daniel_Wu@xxxxxxxxxxxx>
- To: foxboro@xxxxxxxxxxxxx
- Date: Fri, 27 Jan 2006 11:48:21 -0600
Ed,
All our WP operator stations are configured with task bar disabled and the
Windows environment is locked out from the operators, but our AW's and
Batch Historian server are not. We normally put the AW in LOCK mode before
we leave the control room. However, to UNLOCK, we need to enter IAuser /
IApassword. I occasionally work on the WP remotely from the PC in my
office, in order to stay out of the way of the operators. After I log off,
the WP will be in LOCK mode. Then someone has to enter IAuser /
IApassword to unlock the WP. Since it is unwise to give out the sacred
IAuser / IApassword to operators, the alternative is to walk to the control
room to unlock the WP. Sometimes I wish there were a button I could press to
shock the Foxboro engineers who design this Windows I/A system, for every
time I walk to the control room just to enter a password to unlock the WP.
: )
Daniel
"Larsen, Ed" <ed.larsen@xxxxxxvensys.com>
Sent by: foxboro-bounce@freelists.org
01/27/2006 09:47 AM
Please respond to foxboro
To: foxboro@xxxxxxxxxxxxx
cc:
Subject: Re: [foxboro] Fwd: Windows based I/A Foxview user name & password
Daniel
Do you run your Operator stations with the Task Bar disabled? If not I would
suggest that you turn it off. In the Foxboro applet in the control panel,
pick Autologon, No taskbar. Then reboot. Once you do that, there will be no
task bar. If they pick ctrl-alt-del, they get 3 options, Shutdown,
Shutdown/reboot, cancel. We also have a View Only environment which has
OMSETS disabled. If they are going to be out of the control room for a
period of time as in Turnaround or if it is a remote workstation in a seldom
used area, they put it in View Only. For things an Engineer or Technician
would need to use regularly, we put shortcuts in SFTMNT menu pick in Process
Engineer environment. At the site I spend all my time at, we have some 50 or
so Operator stations running this way. Most are WP70, but approx 10 are
AW70. We also have the stations set to reboot into Operator or View Only
depending on station location with an overview display fullscreen, etc.
Hope this helps a little.
Ed
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On
Behalf Of Daniel Wu
Sent: Friday, January 27, 2006 8:42 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Fwd: Windows based I/A Foxview user name & password
Corey,
I am not familiar with the steps to change user/password on each service.
Does it involve changing Windows registry or just modifying some encrypted
I/A application files? Would very much appreciate any documentation or
tips how to proceed!
Daniel Wu
Corey R Clingo <clingoc@basf-corp.com>
Sent by: foxboro-bounce@freelists.org
01/26/2006 10:20 PM
Please respond to foxboro
To: foxboro@xxxxxxxxxxxxx
cc:
Subject: Re: [foxboro] Fwd: Windows based I/A Foxview user name & password
Yes, we saw the same problem here. They make all the I/A services run as
the "IA" user (name changed to mildly protect us hapless customers) rather
than LocalSystem, so you are screwed if you want to change passwords. I
suppose you could go change the user/pass on each service, and it might
work, but I never had time to try it; I punted and changed the password
back to the default, and instead spent time tightening my firewall rules.
I too comically observed that this was from a company that also sold
"security services" (which, from reading the white papers, I roughly
interpreted as, "we build a mock-up of your system, and turn stuff off
until it breaks". Gee...so much for leveraging design knowledge of their
system). Reminds me of ol' Jimmy Swaggart from when I grew up in Baton
Rouge. I had wondered where he ended up... :)
I only bought an XP box because I had to (as an OPC gateway). I hope to
be able to stay away from Win I/A as best I can until Foxboro at the least
makes their Windows offering "native" to the platform (rather than a hasty
port of their Unix codebase), and offers improved functionality and value
over the Unix version -- at least enough to offset the drawbacks of
running on Windows.
Corey
"Duc M Do" <duc@xxxxxxxxxx>
Sent by: foxboro-bounce@xxxxxxxxxxxxx
01/26/2006 02:55 PM
Please respond to foxboro@xxxxxxxxxxxxx
To: foxboro@xxxxxxxxxxxxx
cc:
Subject: [foxboro] Fwd: Windows based I/A Foxview user name & password
This note was sent to the webmaster@xxxxxxxxxxxxxxxxxxxxxxx address, but
I think it's meant for the list.
Yes, when we first got our XP workstation and ran across this same
issue, we could only shake our head and wonder aloud, "How can they *do*
that?"
Duc
On Thu, 26 Jan 2006 12:39:35 -0600, "Daniel Wu" <Daniel_Wu@xxxxxxxxxxxx>
wrote:
>
> Greetings to everyone:
>
> My apology for a long e-mail!!
>
> We have several Solaris based I/A systems on site and have recently
> installed a separate Windows XP based I/A in another area. On a Solaris
> based AW, we connect our network PC and servers to the AW using the user
> name "root". Periodically, we change the "root" password to follow our
> IT policy. Foxview environment passwords are used to limit access for
> different groups of Foxview users on AW and WP. One cannot log into the
> SHELL environment with correct root/password. The security works well
> for us.
>
> On our newly installed Windows XP based AW and WPs, we use the Foxboro
> provided Windows user name (let's say it is IAuser / IApassword) to log in
> the AW's to make changes to IACC, sequence codes, recipes and graphics.
> Generally, we log into the AW's via our plant network. Same user name
> and password combination applies to all AWs and WPs. WP's are set up to
> be in lockdown mode while on AW, any authorized user has full access to
> all files.
>
> One day, I changed "IApassword" to something that followed our IT policy
> on the AW. After that, I could not bring up Foxview. I consulted Foxboro
> engineers about the problem. Foxboro's comment was that I/A was built
> with the user name IAuser and IApassword, I had to use the same user name
> and password combination to log into the AW (or WP). Otherwise, Foxview
> will not come up. This applies to all WP operator consoles. That means
> we cannot change the password on a Windows based I/A WP or AW --- ever.
> This was a surprise to me --- considering Foxboro is selling their network
> security services. Username/password authentication is the only means we
> have to stop unauthorized access to the DCS. It will be a tough sale to our
> IT folks that we can change passwords on our DCS user accounts. Another
> problem is that if a WP goes into "lock" mode for whatever reason
> (different than a screen save mode), the operator must know the username
> "IAuser" and password "IApassword" to unlock the WP to use Foxview.
>
> There are two problems for us: 1. Current I/A architecture prohibits us
> from following our IT password policy -- change passwords periodically.
> It is a big security problem. 2. If an operator, with pure luck gets the WP
> into "lock" mode, I (with my luck, it is most likely to be 2 AM in the
> morning or hours away from the plant) need to drive back to the plant to
> enter the password "IApassword" to unlock the WP. If I give out the
> password to the operators, they can log into the AWs with full access to
> all files on the AWs. I had several discussions with Foxboro engineers.
> Their response was that was the way I/A was built and no solution was
> provided.
>
> Do any Windows based I/A users have the same experience? Any suggestion on
> how to resolve or get around the problems.
>
> Thanks for your attention!
>
> Daniel Wu
> Huntsman Corporation
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
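
The thread's suggestion of changing the user/password on each service presupposes knowing what actually logs on as the shared account. The PowerShell below is an added example, not part of the thread and not Foxboro tooling: it lists the services and the Windows auto-logon setting bound to a named account, so the scope is known before a rotation is attempted. Assumptions: `IAuser` is the thread's placeholder name, the function names are hypothetical, PowerShell 3.0 or later is available, and the station's auto-logon is the standard Winlogon mechanism.

```powershell
# Added example: inventory what depends on a shared Windows account before
# its password is rotated. 'IAuser' is the placeholder name from the thread.

function Get-AccountLeafName {
    param([string]$Name)
    # Normalize '.\IAuser', 'HOST\IAuser' and 'IAuser@domain' to 'iauser'.
    if ([string]::IsNullOrEmpty($Name)) { return '' }
    $leaf = ($Name -split '\\')[-1]
    $leaf = ($leaf -split '@')[0]
    return $leaf.ToLowerInvariant()
}

function Get-AccountDependency {
    param([Parameter(Mandatory)][string]$Account)
    $target = Get-AccountLeafName $Account

    # Services whose logon account (StartName) is the shared account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { (Get-AccountLeafName $_.StartName) -eq $target } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Service'
                Name   = $_.Name
                Detail = "$($_.StartName), start mode $($_.StartMode), state $($_.State)"
            }
        }

    # Standard Windows auto-logon values (assumption: the station uses them).
    # DefaultPassword is absent when the secret is held as an LSA secret.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($wl -and $wl.AutoAdminLogon -eq '1' -and
        (Get-AccountLeafName $wl.DefaultUserName) -eq $target) {
        [pscustomobject]@{
            Kind   = 'AutoLogon'
            Name   = 'Winlogon'
            Detail = "cleartext DefaultPassword in registry: $([bool]$wl.DefaultPassword)"
        }
    }
}

Get-AccountDependency -Account 'IAuser' | Format-Table -AutoSize
```

On hosts without `Get-CimInstance`, `Get-WmiObject Win32_Service` exposes the same `StartName` property. The inventory covers only what Windows itself records; a credential compiled into the application, as the vendor's answer in the thread describes, will not appear in it.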