Configuration of the computer and Windows OS for secure operation of the PROMOTIC application

HW requirements of the PROMOTIC system:
Any computer that runs Windows OS 11/10/8/7/Vista/XP/Embedded/2003-22Server smoothly (for the supported Windows versions see PROMOTIC system news).
The computer performance must also match the requirements of the SCADA application itself.
The PROMOTIC system itself has no practical requirements regarding memory size, CPU performance, disk size etc. The required performance depends on the specific developed PROMOTIC application.
We highly recommend partitioning the hard drive for the PROMOTIC system: it allows the Windows OS to be reinstalled easily without data loss.
- Divide the disk into at least two sections (partitions):
1) hard drive system area (C:\) - the area used for the Windows operating system and program installation
2) hard drive data area (D:\) - the area used for storing all application data
- Use the NTFS file system (i.e. do not use the FAT system) for both the system and the data section (it protects against file corruption on power loss).

Touch screen:
If a touch screen is used, it is advisable to build a call of the on-screen keyboard into the PROMOTIC application, so that the user can enter values without a physical keyboard.
See: How to use screen keyboard for setting values by mouse (touchscreen).
Virtual computers:
For running the application on a virtual computer see PROMOTIC system and virtual computers.
Windows remote desktop:
For running the application via remote desktop see PROMOTIC system and Windows remote desktop (RDP).
Updates of the Windows OS:
PROMOTIC applications are usually designed for continuous operation, and it is not desirable for the Windows OS to update itself during operation. This is a particular problem in Windows OS 11/10.
See: Updates of the Windows OS - setting.
Windows OS Embedded:
See: Windows OS Embedded and PROMOTIC.
If the user must not be allowed onto the Windows OS desktop (i.e. to delete files, play games, etc.), then it is advisable to configure the system as described in SafeOper.
Automatic user login:
A further suitable Windows OS setting is automatic user logon. With this setting, for example at computer start (restart), the computer does not prompt for a user name and the specified user is logged on without any dialog. The setting is made as follows:
In the Windows registry (opened, for example, with the regedit.exe program), in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] key set (or create) the following values of the REG_SZ type:
- AutoAdminLogon=1
- DefaultPassword=User password
- DefaultUserName=User name
- DefaultDomainName=UserDomain (do not set it if you do not use NT domain security)

After setting the values, restart the computer.
Starting the application under a Windows user that isn't an administrator:
From the security point of view it is reasonable to run the application in non-administrator mode. This means:
- Install the PROMOTIC system under the Administrator user.
- Create a new Windows user (e.g. named "Promotic") and place it, for example, into the Power Users group.
- Set automatic logon of this user at Windows OS start - see the instructions above.
- Edit the application in the PROMOTIC development environment under the Administrator user.

Because the application is installed under the Administrator user but operated under the Promotic user, all files and folders of the application must be readable and writable by the Promotic user. On the FAT32 file system this is automatic, because rights cannot be set on files and folders there, but on NTFS this condition must be ensured explicitly (it is not met by default).
If the Windows OS is installed on a stand-alone computer (outside a domain), the Windows OS uses a simplified security model. Then it is not possible to set user access rights for files and folders manually, but a shared Windows folder exists (C:\Documents and Settings\All Users\Documents) with preset rights so that the folders and files stored in it are readable and writable by all Windows users. For this reason it is suitable to place the application, including the folder with the application data files, into this shared folder.
If the Windows OS is in a domain, the application can be installed in any location, but the Promotic user must be allowed to read and write the folders and files of the application and to read (read only) the PROMOTIC system folder (\Promotic) including all subfolders. If necessary, the simplified file-sharing security model of a Windows OS outside a domain can be switched off in the 'Local security settings' of the computer.
None of these points concerns the PROMOTIC application itself; they are purely Windows OS settings. The PROMOTIC application need not be changed.
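The non-administrator setup above (create the runtime user, enable its automatic logon, grant it NTFS rights), as an added PowerShell example that is not part of the PROMOTIC documentation. It assumes the application and its data live in D:\PmApp, the PROMOTIC system folder is C:\Promotic, and NTFS rights can be set on the machine (domain member, or simplified sharing switched off); it uses the Windows PowerShell 5.1 LocalAccounts cmdlets and icacls.

```powershell
# Added example (not from the PROMOTIC documentation). Run from an elevated
# (Administrator) Windows PowerShell 5.1 session. Paths are assumptions.
$UserName  = 'Promotic'
$AppFolder = 'D:\PmApp'      # assumed application + data folder on the data partition
$SysFolder = 'C:\Promotic'   # assumed PROMOTIC system folder (read only for the user)
$Password  = Read-Host -Prompt "Password for $UserName" -AsSecureString

# 1) Local runtime user, placed into the Power Users group as the text suggests.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
                  -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Power Users' -Member $UserName -ErrorAction SilentlyContinue

# 2) Automatic logon values in the Winlogon key (all REG_SZ). DefaultPassword is
#    stored in clear text in the registry, so this belongs only on an operator
#    station whose local access is otherwise controlled. No DefaultDomainName:
#    the computer is assumed to be outside an NT domain.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon'  -Value '1'       -Type String
Set-ItemProperty -Path $Winlogon -Name 'DefaultUserName' -Value $UserName -Type String
Set-ItemProperty -Path $Winlogon -Name 'DefaultPassword' -Value $Plain    -Type String

# 3) NTFS rights: Modify (read + write) on the application folder, Read & execute
#    on the PROMOTIC system folder; (OI)(CI) makes the ACE inherit to subfolders/files.
icacls $AppFolder /grant "${UserName}:(OI)(CI)M"  /T | Out-Null
icacls $SysFolder /grant "${UserName}:(OI)(CI)RX" /T | Out-Null

# 4) Check: show the effective ACEs for the runtime user on both folders.
foreach ($f in $AppFolder, $SysFolder) {
    $ace = (Get-Acl $f).Access | Where-Object { $_.IdentityReference -like "*\$UserName" }
    '{0}: {1}' -f $f, ($ace.FileSystemRights -join ', ')
}
```

A restart afterwards logs the Promotic user on without a dialog; the check in step 4 should list Modify for D:\PmApp and ReadAndExecute for C:\Promotic.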
Windows OS without the desktop:
It is also possible not to start the Windows desktop at all and to start the PROMOTIC application instead. With this setting, however, the Windows OS can no longer be used in the normal way; the system is "degraded" to running only the PROMOTIC application. The setting is made as follows:
- In the Windows registry (opened, for example, with the regedit.exe program), in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] key set (or create) the value RunLogonScriptSync=1
- Create the logon.bat file in the "WindowsNT\System32\Repl\Import\Scripts" folder (if the folders do not exist, they must be created)
- The contents of the logon.bat file, for example:
- In the properties of the automatically logged-on user, set the logon script of the profile to logon.bat

PROMOTIC 9.0.27 SCADA system documentation MICROSYS, spol. s r.o.

© MICROSYS, spol. s r.o.