Security Expander

When you first start SMC, it automatically creates the system key (a key pair consisting of a private and a public key) in the Windows key store on the server. When working with multiple computers in various deployment types, you may need to use the same system key (private key) on each of them to secure the sensitive data. You can do this using the Security expander for Server and FEP deployments.

For server and FEP deployments, the Security expander is displayed in SMC when you select the Systems node in the SMC tree.

Security Expander on Server SMC

On the SMC server, the Security expander allows you to do the following:

  • Export and import the Windows key file (containing the key pair, that is, the private and the public key).
  • Protect the system key by securing it with a password.

Security Expander Details

Item

Description

Import key

Select this option to import the same key file (.key) from the disk of the server, FEP or any other system on which you want to restore secure and sensitive data. For example, if you are restoring a project backup of System A to System B, you must import the key of System A on System B so that you can use the same set of credentials configured on System A. You must import the key before starting the project.

Export key

Available only on the SMC server.
When clicked, it enables the additional fields below, which allow you to export the system key as a file to a location on the server.
You can then import this exported file on the FEP or any other machine on which you want to restore secure and sensitive data.

Key file name

Type the key file name, for example Server1KeyFile.
The name must not contain blanks or any of the special characters / \ ? < > * | ".

Key path

Browse for the location to store the key file on the server.

Password

Enter a password for the key file that complies with the Windows local password policy, and confirm it.
NOTE: You must provide the same password when importing the key.

The Security Policy section displays the password and account lockout policies and allows you to do the following:

  • Modify the values of the password and account lockout policies and save the new values.
  • Revert to the current Windows password and account lockout policy values by using the Get Windows Policy button.

Security Policy

Item

Description

Maximum password age

Time period (in days) during which a password can be used before the system requires you to change it.
When the Maximum password age is reached, you must change the system password at the next logon.
For example, if you specify 30 days as the Maximum password age, you must change the password after 30 days.

Default value = 180 days
Valid range = 1 to 365 days
If a value is outside the valid range, the default value is displayed.

Minimum password length

Minimum number of characters required for a password.
Valid range = 4 to 128 characters
Default value = 12 characters
If a value is outside the valid range, the default value is displayed.

Account lockout threshold

Number of failed sign-in attempts that will cause the user account to be locked.
A locked account can be used again only after it is reset or after the number of minutes specified in Account lockout duration has expired. For more information, refer to User Administration Workspace > Logon/Logoff Settings in User Administration.
For example, if you specify the Account lockout threshold as 5, your account is automatically locked after incorrect credentials have been provided 5 times.
Valid range = 1 to 999
Default value = 5
If a value is outside the valid range, the default value is displayed.

Reset account lockout count after

The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0.
If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration.

Valid range = 1 to 99,999 minutes
Default value = 30 minutes
If a value is outside the valid range, the default value is displayed.

Account lockout duration

Time duration (in minutes) that a locked-out account remains locked before it is automatically unlocked.
For example, if you specify 30 minutes as the Account lockout duration, your account is locked for 30 minutes.

Valid range = 1 to 99,999 minutes
Default value = 30 minutes
If a value is outside the valid range, the default value is displayed.

Reminder for password expiration

Number of days before expiration at which you are warned that your password is about to expire.
For example, if you specify 15 days, a password expiration reminder message pops up 15 days before your password expiration date.

Default value = 14 days
Valid range = 14 to 30 days
If a value is outside the valid range, the default value is displayed.
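The Account lockout threshold, Reset account lockout count after and Account lockout duration policies act together. The following added example (not part of the Desigo CC documentation; the class and function names are this example's own) models that interaction with the documented default values, so that a constructed sequence of failed sign-in times shows when the failure counter resets, when the account locks, and when it unlocks again.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The three lockout policies; defaults are the documented default values."""
    threshold: int = 5          # failed sign-ins that lock the account
    reset_after_min: int = 30   # minutes after which the failure counter resets to 0
    duration_min: int = 30      # minutes a locked-out account stays locked


@dataclass
class AccountState:
    failures: int = 0
    last_failure_min: Optional[float] = None
    locked_until_min: Optional[float] = None

    def is_locked(self, now_min: float) -> bool:
        # The account unlocks automatically once the lockout duration has elapsed.
        return self.locked_until_min is not None and now_min < self.locked_until_min


def record_failure(policy: LockoutPolicy, state: AccountState, now_min: float) -> bool:
    """Apply one failed sign-in at time now_min (in minutes).
    Returns True when the account is locked after this attempt."""
    if state.is_locked(now_min):
        return True
    # "Reset account lockout count after": the counter returns to 0 once the
    # reset window has elapsed since the previous failed attempt.
    if (state.last_failure_min is not None
            and now_min - state.last_failure_min >= policy.reset_after_min):
        state.failures = 0
    state.failures += 1
    state.last_failure_min = now_min
    if state.failures >= policy.threshold:
        # "Account lockout threshold" reached: lock for "Account lockout duration".
        state.locked_until_min = now_min + policy.duration_min
        state.failures = 0
        return True
    return False


def simulate(policy: LockoutPolicy, failure_times_min: List[float]) -> List[bool]:
    """Feed a constructed sequence of failed-sign-in times (minutes) through one
    account and return whether the account was locked after each attempt."""
    state = AccountState()
    return [record_failure(policy, state, t) for t in failure_times_min]
```

With the defaults, `simulate(LockoutPolicy(), [0, 1, 2, 3, 40, 41, 42, 43, 44, 50, 80])` shows the counter resetting after the 37-minute pause, the lock on the fifth consecutive failure at minute 44, and the automatic unlock before the attempt at minute 80.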

Configuration Type

Type Name

Description

Windows

Security policies whose values are taken from the Windows registry.

Default

Security policies without a corresponding Windows value (the Windows value is negative, zero, or NA). Such policies are assigned their default values.

Manual

Security policies that are defined by the user.
If you manually overwrite the Windows policy values, the Windows and Desigo CC account lockout policies will behave differently.

You can ensure that passwords meet the complexity requirements defined by Windows by selecting the Password must meet complexity requirements check box. For more information on password and account policies, refer to the Microsoft help.

When you select the Password must meet complexity requirements check box, the following password complexity fields are displayed. The password must contain at least one of each of the following:

  • Minimum number of special characters ($, #, …): any of the following special characters ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
  • Minimum number of digits (0-9): 1 digit in the range 0 to 9
  • Minimum number of upper-case letters (A-Z): 1 upper-case letter
  • Minimum number of lower-case letters (a-z): 1 lower-case letter

In addition to these fields, when the Password must meet complexity requirements check box is selected, the password must also have at least the number of characters specified in the Minimum password length security policy.
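As an added illustration (not part of the Desigo CC documentation; the function name and its parameters are this example's own), the following checker applies the four complexity fields above together with the minimum length, using the special character set listed in the documentation. The defaults assume one of each character class and the documented default minimum length of 12.

```python
# Constructed from the special character list given in the documentation.
SPECIAL_CHARS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
DIGITS = set("0123456789")


def check_complexity(password, min_length=12, min_special=1, min_digits=1,
                     min_upper=1, min_lower=1):
    """Return the list of unmet requirements; an empty list means the
    password satisfies the complexity fields and the minimum length."""
    counts = {
        "special": sum(c in SPECIAL_CHARS for c in password),
        "digit": sum(c in DIGITS for c in password),
        "upper-case": sum("A" <= c <= "Z" for c in password),
        "lower-case": sum("a" <= c <= "z" for c in password),
    }
    required = {"special": min_special, "digit": min_digits,
                "upper-case": min_upper, "lower-case": min_lower}
    problems = []
    # Minimum password length applies in addition to the per-class minimums.
    if len(password) < min_length:
        problems.append("length %d is below the minimum of %d" % (len(password), min_length))
    for kind, needed in required.items():
        if counts[kind] < needed:
            problems.append("%s characters: %d, minimum %d" % (kind, counts[kind], needed))
    return problems
```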

NOTE:
For Client and FEP installations, the password and account lockout policies defined on the Server apply.
In distributed systems, the password and account lockout policies defined on the master system apply to global users.

Security Expander on FEP SMC

When SMC starts up on a FEP, no system key is created automatically. This is indicated by Import Key being displayed in red. If the FEP is connected to a server, you must import the key pair from the server into the Windows key store of the FEP. The FEP needs the same key so that it can decrypt the passwords it uses to authenticate to the subsystem devices. In this way a network can be reassigned to a driver on a different machine without reconfiguring the passwords.

You can do this using the Security expander. To import the Windows key file, you must provide the correct password so that the key file is decrypted and the key is imported into the Windows key store. The key file created on the server must first be made available on the disk of the FEP.

Once the key is imported, the Pmon user is granted Read access to it. By default, the SYSTEM and Administrator users have full access to the Windows key file.
When you change the Pmon user, for example to a domain user, SMC automatically grants the new user Read permission on the system key.

The key remains in the Windows key store even when you uninstall Desigo CC. Therefore, you do not need to export and re-import the key when upgrading Desigo CC.

This key is used to secure sensitive data in all deployments supported by Desigo CC (stand-alone, server with remote FEP, remote clients), as well as sensitive data on distributed systems.

In addition to importing the Windows key, you can also view and modify the password and account lockout policies in the Security Policy section of the Security expander.