Page 1 of 2 NiagaraAX Security Best Practices Jul 03, 2012 Tech Tip: NiagaraAX Security Best Practices Date: Product: Revision: Jul 03, 2012 NiagaraAX All Revisions Best Practices Disable the Guest User A station's UserService is designed so that whenever the built-in user "guest" is enabled, someone attempting to access the station will automatically be signed into the station as the Guest user--whether there is a password set for the Guest user or not. What that person is then capable of doing once inside the station is dependent on what permissions are assigned to user "guest". If the user attempts to do something that the Guest user does not have permissions to do, the user is then prompted to sign in as a different user, who does have the correct permissions. By default, the "guest" user is disabled. We recommend keeping the "guest" user disabled. Then no one can access the station that wasn't given their own login credentials. Use Strong Passwords The stronger the password, the harder it will be for someone to hack into your station. From the property sheet of the UserService, you can configure to require strong passwords for all station users. See the "UserService properties" subsection in the "About Security" section of the NiagaraAX User Guide for more details. Use the Lock Out Feature Use the "Lock Out" feature in the UserService, enabled and configured from the service's property sheet. Then if someone is trying to "hack" into the station by constantly retrying different passwords for a user, and the specified number of incorrect login attempts occur in a set time period, that user is "locked out" for the specified time period. See the "Lockout notes" subsection in the "About Security" section of the NiagaraAX User Guide for more details. Limit User Permissions Only allow users access to the specific things that they need to do their jobs. This is especially important when it comes to the file system. If you give a user access to the entire file system, you have potentially given that user access to the entire station configuration. Specifically, the config.bog file, located in the station's root directory, can be a security risk. Security should be configured to limit access permissions of the user to only folders the user is required to access such as px, images, and nav folders. To setup, create a new category using the Category Manager. Using the Category Browser assign only file folders that you need users to access such as file:^px, file:^nav, etc. to the newly created category. Setup the user permissions to only include file permissions of the newly created file category. Keep in mind that by default all objects are assigned to category index 1 (Category1, or whatever the first Category component is named). Page 1 of 2 Publication Jul 03, 2012 Page 2 of 2 Example Category Browser view NiagaraAX Security Best Practices Jul 03, 2012 You should also be careful about which Services you allow your users access to. Specifically the UserService and CategoryService provide security risks if allowed to be accessed by all users. For more information about the UserService, Users, Categories, and properties/permissions, see the "About Security" section in NiagaraAX Users Guide. Note a subsection "UserService security notes" explains a special permissions scheme for a station's UserService. Legal Information and/or specifications published here are current as of the date of publication of this document. Tridium, Inc. reserves the right to change or modify specifications without prior notice. The latest product specifications can be found by contacting our corporate headquarters, Richmond, Virginia. Products or features contained herein are covered by one or more U.S. or foreign patents. This document may be copied by parties who are authorized to distribute Tridium products in connection with distribution of those products, subject to the contracts that authorize such distribution. It may not otherwise, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior written consent from Tridium, Inc. Complete confidentiality, trademark, copyright and patent notifications can be found at: http://www.tridium.com/galleries/SignUp/Confidentiality.pdf JACE, Niagara Framework, Niagara AX Framework and the Sedona Framework are trademarks of Tridium, Inc. (c)Copyright 2012 Tridium Inc. All Rights Reserved 3951 Westerre Parkway, Suite 350 Richmond, VA 23233 Phone: 804.747.4771 Fax: 804.747.5204 Page 2 of 2 Publication Jul 03, 2012