Securing a VTScada Thin Client Server
Before configuring the Thin Client Server, you must understand the relevant security issues.
Access to the VTScada Thin Client Server is protected by the account name and password credentials held for each application by the Security Manager. This is the sole protection that is afforded to a VTScada Thin Client Server from unauthorized access. Therefore, these credentials must be guarded.
When credentials are transmitted between the client and the server, the account name and the password are both transmitted using Base64-encoding. The encoding is public knowledge and is entirely reversible, therefore the name and password can be easily extracted.
Credentials are secured by using Transport Layer Security (TLS). This establishes an encrypted communications connection that is secure against decryption, replay attacks and many other hacking attempts.
It is strongly recommended that all systems that allow connections from the Internet use TLS to secure their communication.
To use TLS on a VTScada Thin Client Server, you must purchase and install an X.509 certificate. Instructions are provided in the Security chapter: Internet Security (TLS, X.509, SSL).
Security involves the server providing an X.509-compliant digital certificate to the client, permitting the client machine software (web browser) to positively validate that the server is truly genuine, and not a fake, before engaging in encrypted communication with the server. Only a Certifying Authority (CA) can issue an X.509 certificate that a web browser or VIC will accept without warning you that the certificate cannot be properly validated. This means that you may use a "test" certificate (available from most CAs), but will receive conspicuous warnings by both your web browser and VIC, ensuring that you cannot be accidentally "fooled" by a fake certificate. Only a properly issued certificate for the correct host and domain name will be accepted silently. The domain name must usually be registered to your company and will be verified to be so by the CA.
The asymmetric keys used by TLS ensure that your VIC (only your VIC - no other VIC or other program) can decrypt the communication stream from the server. The keys also ensure that only the server to which you are talking can decrypt any communication from your VIC. Only after secure communication has been established are your authentication credentials supplied to the server.
In addition to securing the line of communication, you must address several additional security issues related to your VTScada Thin Client Server:
- Remote users must have a valid user account within the VTScada applications they wish to access remotely using a thin client.
- User accounts of clients wishing to access VTScada applications remotely on a thin client must have the "Thin Client" security privilege, which allows the user to remotely view the application.
- You should consider whether you wish some pages within a standard VTScada application to be protected from specific users, through the use of custom privileges.
- If security realms have been enabled, then users in a security realm can connect only to a VTScada Thin Client Server realm with a name that matches.
- If the VTScada Thin Client Server is a workstation that has been configured for read-only access (Read-Only Workstation), then all thin client connections to that server will have read-only access.
HTTP access to files and folders is restricted to those listed in the [HTTP-Unauthenticated] section of your Setup.INI file. Application folders do not need to be added to this list to run those applications on a thin client. ([HTTP-Unauthenticated] Section)
For publicly-accessible kiosks or demonstration applications where access should be open, use one of the following options:
- Create an account with a carefully selected (restricted) set of privileges, then provide the username and password to that account in the disclaimer banner. You can find an example of a thin client disclaimer (ThinClientDisclaimer) in ..\Examples\ExampleThinClientDisclaimer.html
Note that the thin client disclaimer is shown to connections using the Anywhere client and the VIC client, but not the Mobile client. - If a VTSX client connection is possible (Connect Using the VTSX ProgramConnect Using the VTSX Program) use the Save Password option of the ActiveX client and save a shortcut that includes the password to the workstation's desktop.
- If using the Anywhere client, set a long duration for credential storage using the RememberLoginDuration setting, then have an authorized user sign in as needed (using the carefully restricted public account) before leaving the workstation available for public access.
Files with one of the supported MIME type extensions, (.HTML, .HTM, .JS and .XML) are not served without authentication unless added to the [HTTP-Unauthenticated] section of your Setup.INI file.
Regardless of that protection, use care if storing sensitive information in a file having one of the listed extensions.
Privileges Related to Thin Client Servers
VTScada has several security privileges that enables users of a VIC to view and perform limited configuration operations to VTScada applications running on a VTScada Thin Client Server.
Thin Client Access privilege
Must be granted before any account or process can access the server.
Thin Client Monitor Access privilege
Must be granted for users to open the thin client monitor page.
Thin Client Monitor Admin privilege
Required for users to enable or disable connections via the Thin Client Monitor page.
Remote Data Access Privilege
Required for remote users to connect to VTScada data via ODBC (REST) or OPC .