Monday, June 28, 2010

Remote Terminal, V11, the ProPlus, and Server 2008

Back from vacation (they are never long enough) and I was checking out a new video from Emerson on Human Centered Design in version 11 of DeltaV starring Juan Carlos Bravo.  I wanted to look at one of the features he mentioned (friendly names for modules), so I fired up a remote terminal session to our V11 ProPlus and noticed we didn't have any terminal server sessions defined.

No big deal, I just went back to my .rdp icon on my PC, right-clicked, then selected edit.  At the end of the IP address, I dropped in a /admin qualifier so I could take over the box.  Ran the modified .rdp and guess what?  The /admin doesn't work with Server 2008!

So this is an important point to note - I know we have customers in our territory who use the /admin to gain remote access to their ProPlus instead of having an extra Pro license and TCALs.  When migrating to V11, you're going to have to plan for an alternative.  Make sure that's part of your upgrade strategy.

Here's a link to another blog going into detail about the change in Server 2008.  Thanks, Scott.

And I just had to share a snapshot from my vacation:

Friday, June 11, 2010

Securing IE for Alarm Response Procedures

I got a very thoughtful call the other day from David Stokes at Eli Lilly. Dave had found my Alarm Response Procedure video out on my YouTube channel. Eli Lilly is a big user of the DCA (Document Control and Archiving) module of Syncade and they had talked about going down the same sort of path, utilizing the kiosk mode of DCA for direct call up of effective documents right from DeltaV.

The potential roadblock they hit was a security risk. If you look at the IE window that the PDF appears in, you’ll notice the menu bar is present.

The risk is if someone were to click on the File menu, then click on Save As… - they could start dropping html files all over the DeltaV system. Just as critical is having the toolbar buttons or the address bar along the top.

Turns out there is a lot of chatter on the Internet on how to secure IE. I found registry hacks and even tweak programs. The easiest (and safest, IMHO) way to get rid of the menu bar is by making a Group Policy change.

Click on Start, then Run… and type gpedit.msc – drill in to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer. Then look for a Setting named “Turn on menu bar by default”. Double click on it and change it to Disabled. That gets rid of the menu bar.

You can get rid of toolbars by drilling down into the Toolbars and enabling some policies:

The address bar is trickier; it’s a registry change. Go figure. You need to go into:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\

You’ll have to add a DWORD – NoNavBar with a value of 0x00000001.
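
The registry step above can also be scripted, so it can be applied and checked the same way on every operator station. The following is an added example, not part of the original post: the key path and the NoNavBar value come from the text, while the function names are hypothetical. Because the key lives under HKEY_CURRENT_USER, the script changes the hive of whichever account runs it.

```powershell
# Added example: enforce and audit the NoNavBar restriction described above.
# Key path and value name are taken from the post; function names are hypothetical.
$RestrictionsPath = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions'
$ValueName        = 'NoNavBar'

function Test-IENavBarRestriction {
    # Returns $true only if NoNavBar exists, is a DWORD, and equals 1.
    if (-not (Test-Path -Path $RestrictionsPath)) { return $false }
    $key = Get-Item -Path $RestrictionsPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false   # e.g. someone created it as a string value by mistake
    }
    return ($key.GetValue($ValueName) -eq 1)
}

function Set-IENavBarRestriction {
    # Create the Restrictions key only if it is missing, so existing
    # values under it are left alone (-Force also creates parent keys).
    if (-not (Test-Path -Path $RestrictionsPath)) {
        New-Item -Path $RestrictionsPath -Force | Out-Null
    }
    # -Force overwrites an existing NoNavBar value, including one of the wrong type.
    New-ItemProperty -Path $RestrictionsPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-IENavBarRestriction) {
    Write-Output "NoNavBar already enforced for $env:USERNAME"
} else {
    Set-IENavBarRestriction
    if (Test-IENavBarRestriction) {
        Write-Output "NoNavBar set for $env:USERNAME"
    } else {
        Write-Error "Failed to set NoNavBar under $RestrictionsPath"
    }
}
```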

This technique would be used to secure your operator stations, and it all assumes you’re logged into Windows as the administrator. There could be other scenarios depending on your exact setup. When all is said and done, your final IE window will look something like this: