Prevent Lockout of Essential Users
Users who are responsible for maintaining the high availability of the system must have
continuous access to the control system. You must protect essential users from the potential
of being locked for any reason, including the following examples:
- The deployment of a misconfigured security policy or security settings can lock out essential users.
- An essential user can forget their password.
- A workstation withCIP Security™can become inaccessible.
To protect access to the system, we recommend the following:
- Create backup user accounts and make sure that sign in credentials are recoverable forMicrosoft Windows®Active Directory andFactoryTalk®Directory.
- Do not use password expiration or password lockout options for essential users in eitherWindows®Active Directory orFactoryTalk® Securitysoftware.
- Allocate at least two, but preferably several,FactoryTalk® Linxworkstations in theFactoryTalk® Policy Managersecurity policy zone for backup access to the redundancy chassis pair.
- InFactoryTalk® Securitysoftware, make sure that essential user accounts cannot be locked out of theFactoryTalk® LinxRedundancy Module Configuration Tool (RMCT) or theStudio 5000 Logix Designer®application.
- Identify and protect access to any interfaces that allow intervention during the operation of high availability systems, such as HMI or physical buttons. For example, if a user account is associated with an HMI that is used to access the system, you must protect that user account from lockout.
- Make sure that essential users having physical access to reset devices to their factory default settings for system recovery.
IMPORTANT:
For Logix SIS, essential users must be able to access and repair the system within your mean repair time (MRT) to support SIL 3 safety functions.
Guidance for Active Directory Environments
To ensure uninterrupted access to critical accounts in your Active Directory environment,
configure Fine-Grained Password Policies (FGPP), available in Windows Server 2012 or higher.
This feature allows you to apply different password and lockout settings to specific groups
of users, such as essential accounts used for system recovery or high availability
operations.
By default, Active Directory applies one password policy per domain. Fine-Grained Password
Policies enable more granular control to prevent lockouts of accounts that are vital for
system recovery and maintenance.
We recommend that you take the following actions:
- Identify accounts that perform essential functions and must remain accessible during recovery scenarios.
- Create a security group for these accounts.
- Apply a Fine-Grained Password Policy to this group with appropriate lockout settings.
For detailed steps, refer to
Microsoft®
documentation:Provide Feedback