Yes, we saw the same problem here. They make all the I/A services run as the "IA" user (name changed to mildly protect us hapless customers) rather than LocalSystem, so you are screwed if you want to change passwords. I suppose you could go change the user/pass on each service, and it might work, but I never had time to try it; I punted and changed the password back to the default, and instead spent time tightening my firewall rules. I too comically observed that this was from a company that also sold "security services" (which, from reading the white papers, I roughly interpreted as, "we build a mock-up of your system, and turn stuff off until it breaks". Gee...so much for leveraging design knowledge of their system). Reminds me of ol' Jimmy Swaggart from when I grew up in Baton Rouge. I had wondered where he ended up... :) I only bought an XP box because I had to (as an OPC gateway). I hope to be able to stay away from Win I/A as best I can until Foxboro at the least makes their Windows offering "native" to the platform (rather than a hasty port of their Unix codebase), and offers improved functionality and value over the Unix version -- at least enough to offset the drawbacks of running on Windows. Corey "Duc M Do" <duc@xxxxxxxxxx> Sent by: foxboro-bounce@xxxxxxxxxxxxx 01/26/2006 02:55 PM Please respond to foxboro@xxxxxxxxxxxxx To foxboro@xxxxxxxxxxxxx cc Subject [foxboro] Fwd: Windows based I/A Foxview user name & password This note was sent to the webmaster@xxxxxxxxxxxxxxxxxxxxxxx address, but I think it's meant for the list. Yes, when we first got our XP workstation and ran across this same issue, we could only shake our head and wonder aloud, "How can they *do* that?" Duc On Thu, 26 Jan 2006 12:39:35 -0600, "Daniel Wu" <Daniel_Wu@xxxxxxxxxxxx> wrote: > > > > > Greetings to every one: > > My apology for a long e-mail!! > > We have several Solaris based I/A systems on site and have recently > installed a separate Window-XP based I/A in another area. On a Solaris > based AW, we connect our network PC and servers to the AW using the user > name "root". Periodically, we change the "root" password to follow our > IT policy. Foxview environment passwords are used to limit access for > different groups of Foxview users on AW and WP. One cannot log into the > SHELL environment with correct root/password . The security works well > for us. > > On our newly installed Window XP based AW and WPs, we use the Foxboro > provided Window user name (let's say it is IAuser / IApassword) to log in > the AW's to make changes to IACC, sequence codes, recipes and graphics. > Generally, we log into the AW's via our plant network. Same user name > and password combination applies to all AWs and WPs. WP's are setup to > be in lockdown mode while on AW, any authorized user has full access to > all files. > > One day, I changed "IApassword" to something that followed our IT policy > on the AW. After that, I could not bring up Foxview. I consulted Foxboro > engineers about the problem. Foxboro's comment was that I/A was built > with the user name IAuser and IApassword, I had to use the same user name > and password combination to log into the AW (or WP). Otherwise, Foxview > will not come up. This applies to all WP operator consoles. That means > we cannot change the password on a Windows based I/A WP or AW --- ever. > This was a surprise to me --- considering Foxboro is selling their network > security services. Username/password authentication is the only means we > have to stop unauthorized access to the DCS. It will a tough sale to our > IT folks that we can change passwords on our DCS user accounts. Another > problem is that if a WP goes into "lock" mode for whatever reason > (different than a screen save mode). The operator must know the username > "IAuser" and password "IApassword" to unlock the WP to use Foxview. > > There are two problems for us: 1. Current I/A architecture prohibits us > from following our IT password policy -- change passwords periodically. > It is a big security problem. 2. If an operator, with pure luck gets the WP > into "lock" mode, I (with my luck, it is most likely to be 2 AM in the > morning or hours away from the plant) need to drive back to the plant to > enter the password "IApassword" to unlock the WP. If I give out the > password to the operators, they can log into the AWs with full access to > all files on the AWs. I had several discussion with Foxboro engineers. > Their response was that was way I/A was built and no solution was > provided. > > Do any Window based I/A users have same experience? Any suggestion on > how to resolve or get around the problems. > > Thanks for your attention! > > Daniel Wu > Huntsman Corporation _______________________________________________________________________ This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks. Read http://www.thecassandraproject.org/disclaimer.html foxboro mailing list: //www.freelists.org/list/foxboro to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave _______________________________________________________________________ This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks. Read http://www.thecassandraproject.org/disclaimer.html foxboro mailing list: //www.freelists.org/list/foxboro to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave