
Configuration of the PC and OS Windows for secure operation of applications

HW requirements of PROMOTIC system:

Any PC that runs OS Windows 10/8/7/Vista/XP/XPe/2003-12Server smoothly (see PROMOTIC system news).

The PC performance must also match the requirements of the SCADA application itself.


We highly recommend dividing the hard drive for the PROMOTIC system: this allows the system to be reinstalled easily without data loss.
- Divide the disk into at least two sections (partitions):
1) hard drive system area (C:\) - the partition used for the OS and program installation
2) hard drive data area (D:\) - the partition used for storing all application data
- Use the NTFS file system (i.e. do not use the FAT system) for both the system and the data partition (it prevents file corruption on power loss).

Touch screen:

If a touch screen is used, it is advisable to include in the PROMOTIC application a call of the software keyboard, so that the user can enter values without a real keyboard. See: How to use screen keyboard for setting values by mouse (touchscreen).


Virtual computers:

For running the application on a virtual computer see PROMOTIC system and virtual computers.


Windows remote desktop:

For running the application using remote desktop see PROMOTIC system and Windows remote desktop.


Windows Embedded:

See: OS Windows XP Embedded and PROMOTIC.


SafeOper:

If the operator must be prevented from getting into OS Windows (so that he cannot, for example, delete files or play games), it is advisable to install and use the SafeOper PROMOTIC component.


Automatic user login:

Another suitable OS Windows setting is the automatic user login into OS Windows. With this setting the computer does not prompt for a user at start (restart); the specified user is logged in automatically without any dialog. For OS Windows 7/Vista/XP/XPe/2003-12Server the setting is made as follows:

In the Windows registry (opened, for example, with the regedit.exe program), in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] key, set (or create, if missing) the following values of the REG_SZ type:

- AutoAdminLogon=1
- DefaultPassword=UserPassword
- DefaultUserName=UserName
- DefaultDomainName=UserDomain (do not set it unless you use NT domain security)

After setting the values, restart the computer.


Starting the application under a Windows user that isn't an administrator:

From the security point of view it is reasonable to run the application in a non-administrator mode. This means:

- Install the PROMOTIC system under the user Administrator.
- Create a new Windows user (e.g. with the name Promotic) and place it, for example, into the group Power Users.
- Set the automatic logon of this user when starting OS Windows - see the instructions above.
- Edit the application in the PROMOTIC development environment under the user Administrator.

Because the application is installed under the user Administrator but operated under the user Promotic, all files and folders of the application must be readable and writable by the user Promotic. In the FAT32 file system this is automatically the case, because rights cannot be set for files and folders there; in NTFS this condition must be ensured explicitly (it is not fulfilled by default).

If OS Windows is installed on a stand-alone computer (outside a domain), Windows uses the simplified security model. User access rights for files and folders then cannot be set manually, but a shared Windows folder exists (C:\Documents and Settings\All Users\Documents) with preset rights, so that folders and files stored in it are readable and writable by all Windows users. For this reason it is suitable to place the application, including the folder with the application data files, into this shared folder.

If OS Windows is in a domain, the application can be installed in any location, but the Promotic user must be allowed to read and write the folders and files of the application and also to read the PROMOTIC system folder (C:\Pm) including all subfolders. If necessary, the simplified file-sharing security model of an OS Windows computer that is not in a domain can be switched off in the 'Local security settings' of the computer.

None of these points concern the PROMOTIC application itself; they are only OS Windows settings. The PROMOTIC application does not need to be changed.
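The automatic-logon registry values and the non-administrator operator setup from the two sections above, as one added PowerShell example (it is not a PROMOTIC script). It assumes the user name Promotic, the application folder C:\PmProj\Test, the PROMOTIC system folder C:\Pm and a stand-alone (workgroup) computer; New-LocalUser and Add-LocalGroupMember need Windows 10 / Server 2016 or newer, and the script must run in an elevated PowerShell. Note that Winlogon stores DefaultPassword in the registry in cleartext, readable by every administrator of the computer, which is why the password is asked for at run time instead of being written into the script file.

```powershell
# Added example, not part of the PROMOTIC documentation.
# Assumptions: operator user "Promotic", application folder C:\PmProj\Test,
# PROMOTIC system folder C:\Pm, workgroup computer, elevated PowerShell 5.1+.
#Requires -RunAsAdministrator

param(
    [string]$UserName = 'Promotic',
    [string]$AppDir   = 'C:\PmProj\Test',
    [string]$PmDir    = 'C:\Pm'
)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# The password is entered once here and never stored in this script file.
$Secure = Read-Host -AsSecureString "Password for $UserName"
$Plain  = [pscredential]::new($UserName, $Secure).GetNetworkCredential().Password

# 1. Create the operator account (non-administrator) if it does not exist yet.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Secure -PasswordNeverExpires -AccountNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Power Users' -Member $UserName
}

# 2. NTFS rights: Modify on the application folder, Read/Execute on the PROMOTIC folder.
#    (OI)(CI) = inherited by files and subfolders; /T = also applied to existing children.
icacls $AppDir /grant "${UserName}:(OI)(CI)M"  /T | Out-Null
icacls $PmDir  /grant "${UserName}:(OI)(CI)RX" /T | Out-Null

# 3. Automatic logon: the REG_SZ values from the page. DefaultDomainName is removed
#    because a workgroup computer does not use it.
Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon'  -Value '1'       -Type String
Set-ItemProperty -Path $Winlogon -Name 'DefaultUserName' -Value $UserName -Type String
Set-ItemProperty -Path $Winlogon -Name 'DefaultPassword' -Value $Plain    -Type String
Remove-ItemProperty -Path $Winlogon -Name 'DefaultDomainName' -ErrorAction SilentlyContinue

# 4. Check the result: the operator must not be an administrator, must be able to
#    modify the application folder, and must be the account Winlogon logs in.
function Test-OperatorSetup {
    param([string]$UserName, [string]$AppDir)
    $IsAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -like "*\$UserName" })
    $CanModify = [bool]((Get-Acl $AppDir).Access | Where-Object {
        $_.IdentityReference -like "*\$UserName" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Modify|FullControl'
    })
    $Reg = Get-ItemProperty -Path $Winlogon
    [pscustomobject]@{
        User         = $UserName
        IsAdmin      = $IsAdmin                      # expected: False
        CanModifyApp = $CanModify                    # expected: True
        AutoLogonOK  = ($Reg.AutoAdminLogon -eq '1' -and $Reg.DefaultUserName -eq $UserName)
    }
}
Test-OperatorSetup -UserName $UserName -AppDir $AppDir
```

Run it as `.\Setup-Operator.ps1` from an elevated PowerShell and restart the computer afterwards; the object printed at the end shows whether the account, the folder rights and the automatic logon were all configured. On a domain computer keep the DefaultDomainName value instead of removing it.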


OS Windows without the desktop:

In OS Windows it is also possible not to activate the desktop at all and to start the PROMOTIC application instead of it. With this setting OS Windows can no longer be used in the normal way; the system is "degraded" to running only the PROMOTIC application. The setting is made as follows:

- In the Windows registry (opened, for example, with the regedit.exe program), in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, set (or create, if missing) the value RunLogonScriptSync=1
- Create a file, for example logon.bat, in the WindowsNT\System32\Repl\Import\Scripts folder (if the folders do not exist, create them)
- The content of the logon.bat, for example:
@echo off
rem switch to the project drive and folder, then start the runtime with the project file
C:
cd C:\PmProj\Test
C:\Pm\Promotic.exe C:\PmProj\Test\Test.pra
- In the properties of the automatically logged-in user, set the logon script (profile) property to logon.bat
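The same "OS Windows without the desktop" setup as an added PowerShell example (not a PROMOTIC script): it sets RunLogonScriptSync, writes the logon.bat from the page into the local logon-script folder and assigns it to the operator account. It assumes the user Promotic, the project C:\PmProj\Test\Test.pra, PROMOTIC in C:\Pm, and that the Windows folder the page calls WindowsNT is %SystemRoot%, so the script folder is %SystemRoot%\System32\Repl\Import\Scripts; the logon script is assigned with `net user /scriptpath`, which sets the same "logon script" user property.

```powershell
# Added example, not part of the PROMOTIC documentation.
# Assumptions: operator user "Promotic", project C:\PmProj\Test\Test.pra,
# PROMOTIC in C:\Pm, logon scripts in %SystemRoot%\System32\Repl\Import\Scripts.
#Requires -RunAsAdministrator

param(
    [string]$UserName   = 'Promotic',
    [string]$ProjectDir = 'C:\PmProj\Test',
    [string]$Project    = 'Test.pra'
)

$Winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ScriptDir  = Join-Path $env:SystemRoot 'System32\Repl\Import\Scripts'
$ScriptPath = Join-Path $ScriptDir 'logon.bat'

# 1. Run logon scripts synchronously, i.e. before the desktop would be shown (REG_SZ "1" as on the page).
Set-ItemProperty -Path $Winlogon -Name 'RunLogonScriptSync' -Value '1' -Type String

# 2. Create the script folder if needed and write logon.bat; the drive letter is taken
#    from the project folder so the batch file matches the page's example.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
$Drive = Split-Path -Qualifier $ProjectDir    # e.g. "C:"
@"
@echo off
$Drive
cd $ProjectDir
C:\Pm\Promotic.exe $ProjectDir\$Project
"@ | Set-Content -Path $ScriptPath -Encoding ASCII

# 3. Assign the script to the operator account (path is relative to the Scripts folder).
net user $UserName /scriptpath:logon.bat | Out-Null

# 4. Check: the script exists, the registry value is set, and the operator account cannot
#    change the script (it runs at every logon, so only administrators should be able to edit it).
function Test-LogonScriptSetup {
    param([string]$ScriptPath, [string]$UserName)
    $OperatorCanWrite = [bool]((Get-Acl $ScriptPath).Access | Where-Object {
        $_.IdentityReference -like "*\$UserName" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
    })
    [pscustomobject]@{
        ScriptExists     = Test-Path $ScriptPath
        RunSync          = (Get-ItemProperty -Path $Winlogon).RunLogonScriptSync -eq '1'
        OperatorCanWrite = $OperatorCanWrite   # expected: False
    }
}
Test-LogonScriptSetup -ScriptPath $ScriptPath -UserName $UserName
```

The folder under System32 is writable only by administrators by default, so OperatorCanWrite should be False; if it is True, an inherited permission on the script folder needs to be reviewed before the computer is handed to the operator.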

© MICROSYS, spol. s r. o., Tavičská 845/21, 703 00 Ostrava-Vítkovice