Re: [foxboro] Remote access

  • From: "Toecker, Michael" <mtoecker@xxxxxxxxxxxx>
  • To: <foxboro@xxxxxxxxxxxxx>
  • Date: Tue, 14 Oct 2008 13:52:04 -0500

Jack,

Fully agree with you on the licenses; you want the user licenses, not the
device licenses, Thom.

I have to disagree with you on the way Terminal Services would be
configured however.  Using the IA account for all the users would not be
a secure method of restricting access to these systems.  Conceivably
anyone could connect to your systems using the IA account and you would
never know it.  *Especially* since the default password to IA accounts
is a well-known secret in the community.

Assuming this is to allow remote access from corporate or the internet,
I'd recommend configuring a unique user account for each person who
needs to access the system remotely, and require them to log in using
that account.  The user license allows any 5 concurrent users access to
the system, so unless you are leaving these sessions open it shouldn't
interfere with your needs.  Additionally, you should disable the IA
account from being used as a Terminal services capable account, which is
easily done in Windows configuration.

Am I missing anything, everyone?  I can't for the life of me remember if
Foxboro requires the IA account, or if it will run under a similar
privileges account.

Sincerely,
 
Michael Toecker
Control Systems Security Designer
Compliance & Infrastructure Protection
Burns & McDonnell Engineering
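
The accountability gap described in the message above, as an added example that is not part of the original thread: a short audit over exported logon events that flags Terminal Services logons made with the shared account. The CSV layout, host names and user names are constructed for illustration; event ID 528 with logon type 10 is how Windows Server 2003 records a successful remote interactive logon, and the account name "ia" is taken from the thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a CSV export of Security-log logon events from the
# historian. Column names and every value are made up for this example.
SAMPLE_EVENTS = """\
time,event_id,logon_type,account,source_host
2008-10-14T08:02:11,528,10,jsmith,ENG-PC-07
2008-10-14T08:15:40,528,10,ia,ENG-PC-07
2008-10-14T08:17:02,528,10,ia,CORP-LT-22
2008-10-14T09:01:55,528,2,ia,HIST01
2008-10-14T09:30:12,528,10,mlee,CORP-LT-31
2008-10-14T10:44:03,528,10,ia,UNKNOWN-PC
"""

SUCCESSFUL_LOGON = "528"    # successful-logon event ID on Windows Server 2003
REMOTE_INTERACTIVE = "10"   # logon type recorded for Terminal Services sessions
SHARED_ACCOUNTS = {"ia"}    # assumption: the shared account is named "ia"


def audit_remote_logons(csv_text, shared=SHARED_ACCOUNTS):
    """Return (violations, multi_host).

    violations: (time, account, source_host) for each remote logon that used
                a shared account, which cannot be attributed to a person.
    multi_host: accounts seen remotely from more than one source host.
    """
    violations = []
    hosts_by_account = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != SUCCESSFUL_LOGON:
            continue
        if row["logon_type"] != REMOTE_INTERACTIVE:
            continue  # console logons of the shared account are not remote access
        account = row["account"].strip().lower()
        hosts_by_account[account].add(row["source_host"])
        if account in shared:
            violations.append((row["time"], account, row["source_host"]))
    multi_host = {a: sorted(h) for a, h in hosts_by_account.items() if len(h) > 1}
    return violations, multi_host


if __name__ == "__main__":
    found, spread = audit_remote_logons(SAMPLE_EVENTS)
    for when, account, host in found:
        print(f"{when}  shared account '{account}' used remotely from {host}")
    for account, hosts in spread.items():
        print(f"'{account}' logged on remotely from {len(hosts)} hosts: {hosts}")
```

Once every remote user has a unique account and the shared account is denied Terminal Services logon, the first list should stay empty; any entry in it is then worth investigating.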

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Jack.Easley@xxxxxxxxxxxx
Sent: Tuesday, October 14, 2008 1:21 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Remote access

I can tell you from experience that Terminal Server "device" (the
default) licenses will not work for you as you describe, as only the
first 5 PCs to login will be allowed to use the licenses, even if one or
more of the first 5 PCs have logged off.

I can also tell you that if you make the mistake of installing the
Terminal server licenses as device licenses, you can remove them and
reinstall them as user licenses without making an additional purchase.
You just select "user" instead of "device" on the re-install and use the
same code file provided by Microsoft initially.

The number of sessions and users are probably limited to the number of
licenses you purchase. Since you will probably use ia as the username
for all sessions, you are good on number of users. There is a setting in
Terminal Server Configuration or Terminal Server Management on the
Windows 2003 Server which must be checked to allow multiple sessions for
the same user. I cannot remember if it is checked as a default after
install.

Actually, Terminal Server User license allocation is based on the honor
system according to Microsoft, whereas the device license allocation is
controlled. Go figure!

Jack Easley
Sr. I&C Technician
Luminant Power, Martin Lake Plant
Phone 903.836.6241
jack.easley@xxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Chaiket, Thom
Sent: Tuesday, October 14, 2008 11:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Remote access

Had a question for all.

We recently upgraded to the MESH network and opted for remote connection
to our historian (Windows Server 2003).  Due to local government laws,
we have to obtain required licenses (5-pack Terminal Services Client
Access Licenses) separately.  There are two different versions and we
are not sure which one to purchase.  There are User-based licenses or
Device-based licenses.

We want up to any 5 people to simultaneously access the TS, but these 5
come from a much larger set of users and computers all over our network.
It sounds like the Device-based license will allow up to 5 people to use
the TS without regard to what computers they come in from or what their
user logins are.  Is this correct? 

Thanks!
 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
 
