LHC Section Meeting 1.eLogbook 2.LHC Controls Security Panel.

Presentation transcript:

eLogbook

Where should it be?
– Now: COMPLEX AB-BT AB-PO AT-VAC HISTORY LHC CRYO LHC HC LHC MPP LHC PM LHC QPS PS Complex SERVICES SHUTDOWN SL Complex TEST SPS LHC NArefs (CPS) (CO EXPL)

LHC Controls Security Panel

The LHC Controls Security Panel has been mandated in the ABMB of Monday 14th January. The panel will have to address all the technical and non-technical issues from CNIC* and RBAC concerning AB security for Controls.

The main scope/objectives of the panel are:
– Produce a Security Policy Document and have it agreed by ABMB
  – Define the scope of the RBAC deployment
  – Define the default behavior of RBAC
– Take responsibility for the RBAC data (ROLES and RULES)
  – Ensure all critical parts of the machine are protected
– Take responsibility for the CNIC actions (reduction of Trusted list, change of operational account passwords, ...)
– Give the 'green' light for LHC beam operation

Proposed schedule
– Security Policy Document endorsed by April'08
– Password changed NOW
– Trusted list reduced after CPS/SPS startup
– RBAC operational usage for first LHC operation

* Computing and Network Infrastructure for Controls

RBAC Policy (Ref. EDMS doc )

– Question 1: Policy for "Access from home or from offices or from local control rooms (outside CCC)"
– Question 2: Domain of validity of the operational account (LHCOP only inside CCC?)
– Doc. answer: access rights are restricted when acting from home or a remote control room. Imagine that an EIC logs in from home (or office or remote CC) into a terminal server (for the last two cases you don't need to go through a terminal server), using his personal credentials (generic group logins like LHCOP, SPSOP, etc. are only allowed within the CCC according to the document). From the terminal server he can log into a machine used in the CCC, and he will then be given a role, likely LHC Operator. If he tries to modify a setting in the equipment, the location will reveal that he is not in the CCC and hence the request will be rejected. He will be able to monitor, but not to modify settings.
– If one doesn't have a particular role, like LHC Operator, one can still have the so-called Remote User role, but those are not authorized to change settings, and likely not even to monitor... but of this I'm not sure; it is not specified in the document.
– A person that is not registered as Remote User and tries to log in is assigned the role of Outsider, and cannot even log in.

RBAC Policy (Ref. EDMS doc )

However, an expert may be called by the EIC on shift because of a problem in the machine, and need to log in from home and change settings. In this case the EIC has to grant explicit permission for a given role (e.g. RF expert) during PHYSICS mode in order for the expert to have write permissions from a REMOTE location. During ACCESS mode this should not be necessary.

– Question 3: Identification of the person in front of the keyboard. And in the case of a generic account, how could we do some individual accounting?
– In the CCC we use the generic group login to log in to the CCC consoles, and from there we can launch any application without the need of a further login, except if one has to access a critical application, like the trim application, which implies settings changes. In this case a login window will pop up and the person has to log in with his personal user and password. Only if (s)he has the appropriate role, i.e. authorization to change settings, will (s)he be able to do so.

RBAC Policy (Ref. EDMS doc )

– Question 4: What's the policy for critical settings?
– Only Critical Settings Experts are allowed to change critical settings, using her/his personal user and password. When they do so they get the role of "XXX Critical Settings Expert". The person opening the relevant application will then see only the critical settings (s)he is authorized to change, and "if and only if" the accelerator mode implies no beam in the machine. If the accelerator mode implies beam in the machine, the person won't even see the critical settings.
– I have a further question here. Can we change critical settings during, for example, PROTON PHYSICS mode (accelerator mode) when we are at SETUP mode (beam mode), which means no beam in the machine?
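The answers to Questions 1 to 4 above describe an access decision that depends on more than the role: the user's location, whether a personal or generic login is in use, the accelerator mode, and an explicit grant from the EIC. The evaluator below is an added example written for this page; it is not code from the slides nor from the CERN RBAC implementation. The role names, the mapping from accelerator mode to "beam in the machine", and the deny-by-default handling of the points the slides leave open (monitoring by Remote Users, the beam-mode question) are all assumptions of the example.

```python
"""Toy policy evaluator for the RBAC rules described on the slides (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Location(Enum):
    CCC = "CCC"
    REMOTE = "REMOTE"      # home, office, or a local control room outside the CCC


class Action(Enum):
    MONITOR = "monitor"
    SET = "set"            # ordinary setting change, e.g. a trim
    SET_CRITICAL = "set_critical"


# Assumed mapping from accelerator mode to "beam in the machine". The slides name
# PHYSICS and ACCESS; the table itself is constructed for this example and does not
# resolve the open question about beam mode (SETUP) versus accelerator mode.
BEAM_IN_MACHINE = {"PROTON PHYSICS": True, "ACCESS": False}


@dataclass(frozen=True)
class Request:
    user: str
    role: str                    # e.g. "LHC Operator", "Remote User", "Outsider", "RF Critical Settings Expert"
    location: Location
    action: Action
    accelerator_mode: str
    personal_login: bool = True  # False when acting under a generic group login such as LHCOP


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request, remote_grants: frozenset = frozenset()) -> Decision:
    """Evaluate one request. remote_grants holds the roles to which the EIC on shift
    has explicitly granted write permission from a REMOTE location while beam is in.
    Identity and location checks run first, then the action-specific rules."""
    if req.role == "Outsider":
        return Decision(False, "Outsider: not registered, login refused")
    if req.location is not Location.CCC and not req.personal_login:
        return Decision(False, "generic group logins (LHCOP, SPSOP, ...) are only valid inside the CCC")
    if req.accelerator_mode not in BEAM_IN_MACHINE:
        return Decision(False, f"unknown accelerator mode {req.accelerator_mode!r}: deny by default")
    beam = BEAM_IN_MACHINE[req.accelerator_mode]

    if req.action is Action.MONITOR:
        if req.role == "Remote User":
            # The slides leave monitoring by Remote Users unspecified; deny by default here.
            return Decision(False, "Remote User: monitoring not granted by the policy text")
        return Decision(True, "monitoring permitted")

    # Every setting change needs the person's own credentials (the login pop-up of the
    # trim application), even on a CCC console opened with the group account.
    if not req.personal_login:
        return Decision(False, "setting changes require a personal login, not the group account")
    if req.role == "Remote User":
        return Decision(False, "Remote User may not change settings")

    if req.action is Action.SET_CRITICAL:
        if not req.role.endswith("Critical Settings Expert"):
            return Decision(False, "only a Critical Settings Expert may change critical settings")
        if beam:
            return Decision(False, "critical settings are hidden while the accelerator mode implies beam")

    if req.location is not Location.CCC:
        if not beam:
            return Decision(True, "remote write allowed: no beam in the machine (e.g. ACCESS mode)")
        if req.role in remote_grants:
            return Decision(True, "remote write allowed: EIC granted this role explicit permission")
        return Decision(False, "location shows the user is outside the CCC: write rejected, monitoring only")
    return Decision(True, "write permitted from the CCC")


def visible_critical_settings(role: str, accelerator_mode: str, authorizations: dict) -> list:
    """Critical settings the application should show: only those the role is authorized
    for, and none at all while the accelerator mode implies beam (unknown modes count as beam)."""
    if BEAM_IN_MACHINE.get(accelerator_mode, True):
        return []
    return sorted(authorizations.get(role, ()))


if __name__ == "__main__":
    eic_from_home = Request("eic", "LHC Operator", Location.REMOTE, Action.SET, "PROTON PHYSICS")
    print(authorize(eic_from_home))
    rf = Request("rf", "RF expert", Location.REMOTE, Action.SET, "PROTON PHYSICS")
    print(authorize(rf), authorize(rf, frozenset({"RF expert"})))
```

The order of the checks is the point worth keeping: the location and login-type tests run before any role-based rule, so a generic account used outside the CCC, or an unknown accelerator mode, fails closed regardless of what role the caller holds.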

Other questions to answer (not in the document)

– Do we allow individual PCs to access the equipment, as is the case now? Or do we push to have a set of trusted terminal servers, so that only through them can we access the equipment from home or from the office?
– With which frequency do we want to change the password of the LHCOperator user on the CCC consoles?