Prevent Lockout of Essential Users

Users who are responsible for maintaining the high availability of the system must have continuous access to the control system. You must protect essential users from the potential of being locked for any reason, including the following examples:
  • The deployment of a misconfigured security policy or security settings can lock out essential users.
  • An essential user can forget their password.
  • A workstation with
    CIP Security
    can become inaccessible.
To protect access to the system, we recommend the following:
  • Create backup user accounts and make sure that sign in credentials are recoverable for
    Microsoft Windows®
    Active Directory and
    FactoryTalk®
    Directory.
  • Do not use password expiration or password lockout options for essential users in either
    Windows®
    Active Directory or
    FactoryTalk® Security
    software.
  • Allocate at least two, but preferably several,
    FactoryTalk® Linx
    workstations in the
    FactoryTalk® Policy Manager
    security policy zone for backup access to the redundancy chassis pair.
  • In
    FactoryTalk® Security
    software, make sure that essential user accounts cannot be locked out of the
    FactoryTalk® Linx
    Redundancy Module Configuration Tool (RMCT) or the
    Studio 5000 Logix Designer®
    application.
  • Identify and protect access to any interfaces that allow intervention during the operation of high availability systems, such as HMI or physical buttons. For example, if a user account is associated with an HMI that is used to access the system, you must protect that user account from lockout.
  • Make sure that essential users having physical access to reset devices to their factory default settings for system recovery.
IMPORTANT:
For Logix SIS, essential users must be able to access and repair the system within your mean repair time (MRT) to support SIL 3 safety functions.

Guidance for Active Directory Environments

To ensure uninterrupted access to critical accounts in your Active Directory environment, configure Fine-Grained Password Policies (FGPP), available in Windows Server 2012 or higher. This feature allows you to apply different password and lockout settings to specific groups of users, such as essential accounts used for system recovery or high availability operations.
By default, Active Directory applies one password policy per domain. Fine-Grained Password Policies enable more granular control to prevent lockouts of accounts that are vital for system recovery and maintenance.
We recommend that you take the following actions:
  • Identify accounts that perform essential functions and must remain accessible during recovery scenarios.
  • Create a security group for these accounts.
  • Apply a Fine-Grained Password Policy to this group with appropriate lockout settings.
For detailed steps, refer to
Microsoft®
documentation:
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal