System security for the ADS/ADX - Metasys - LIT-1201645 - MS-ADSxxx-x - MS-ADXxxx-x - Server - ADS Server - ADX Server - 12.0

ADS/ADX Commissioning Guide

Product: Building Automation Systems > Databases and Data Servers > ADS Server; Building Automation Systems > Application Servers > ADX Server
Document type: Commissioning Guide
Document number: LIT-1201645
Version: 12.0
Revision date: 2022-09-22
Product status: Active

The Security Administration System protects access to the ADS/ADX and requires users to enter a user ID and complex password when logging in to the ADS/ADX. For details, refer to the Security Administrator System Technical Bulletin (LIT-1201528) or the Change Password topic in Metasys SMP Help (LIT-1201793).

Metasys system complex passwords must meet the complexity requirements in Table 1, which depend on the language locale.

Table 1. Metasys System Password Rules
Supported Language_Locale Enforced Password Rules
English (en_us)
  • The password must include a minimum of 8 characters and a maximum of 50 characters.
  • The password cannot include spaces or include a word or phrase that is in the Blocked Words list.
  • The password and the username cannot share the same three consecutive characters.
  • The password must meet all four of the following conditions:
    • Include at least one number (0–9)
    • Include at least one special character (-, ., @, #, !, ?, $, %)
      Note: Only the special characters listed above can be used; all other special characters are invalid.
    • Include at least one uppercase character
    • Include at least one lowercase character
Czech (cs_cz), German (de_de), Spanish (es_es), French (fr_fr), Hungarian (hu_hu), Italian (it_it), Norwegian (nb_no), Dutch (nl_nl), Polish (pl_pl), Portuguese (Brazilian) (pt_br), Russian (ru_ru), Swedish (sv_se), Turkish (tr_tr)
  • The password must include a minimum of 8 characters and a maximum of 50 characters.
  • The password cannot include spaces or include a word or phrase that is in the Blocked Words list.
  • The password and the username cannot share the same three consecutive characters.
  • The password must meet three of the following conditions:
    • Include at least one number (0–9)
    • Include at least one special character (-, ., @, #, !, ?, $, %)
    • Include at least one uppercase character
    • Include at least one lowercase character
    • Include at least one Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase
Chinese Simplified (zh_cn), Chinese Traditional (zh_tw), Japanese (ja_jp), Korean (ko_kr)
  • The password must include a minimum of 8 characters and a maximum of 50 characters.
  • The password cannot include spaces or include a word or phrase that is in the Blocked Words list.
  • The password and the username cannot share the same three consecutive characters.
  • The password must meet two of the following conditions:
    • Include at least one number (0–9)
    • Include at least one special character (-, ., @, #, !, ?, $, %)
    • Include at least one uppercase character
    • Include at least one lowercase character
    • Include at least one Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase
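
The rules in Table 1 can be pre-checked before commissioning accounts. The checker below is an added example, not Johnson Controls code; the function name and the caller-supplied blocked-word list are hypothetical. It assumes that username and blocked-word comparisons ignore case, that en_us rejects every non-alphanumeric character outside the listed specials, and that the caseless alphabetic condition corresponds to Unicode categories Lo and Lm.

```python
import unicodedata

ALLOWED_SPECIALS = set("-.@#!?$%")
# Number of character conditions required per locale group (Table 1).
REQUIRED = {"en_us": 4}
REQUIRED.update(dict.fromkeys(
    ["cs_cz", "de_de", "es_es", "fr_fr", "hu_hu", "it_it", "nb_no",
     "nl_nl", "pl_pl", "pt_br", "ru_ru", "sv_se", "tr_tr"], 3))
REQUIRED.update(dict.fromkeys(["zh_cn", "zh_tw", "ja_jp", "ko_kr"], 2))


def check_password(password, username, locale, blocked_words=()):
    """Return a list of Table 1 rule violations (empty list = compliant)."""
    problems = []
    if not 8 <= len(password) <= 50:
        problems.append("length must be 8-50 characters")
    if " " in password:
        problems.append("contains a space")
    # Assumption: blocked-word and username comparisons ignore case.
    low_pw, low_user = password.casefold(), username.casefold()
    if any(w.casefold() in low_pw for w in blocked_words if w):
        problems.append("contains a blocked word")
    if any(low_user[i:i + 3] in low_pw for i in range(len(low_user) - 2)):
        problems.append("shares three consecutive characters with username")
    met = [
        any(ch in "0123456789" for ch in password),
        any(ch in ALLOWED_SPECIALS for ch in password),
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
    ]
    if locale == "en_us":
        # English note: only the listed special characters are valid.
        # Assumption: any other non-alphanumeric character is rejected.
        if any(not ch.isalnum() and ch != " "
               and ch not in ALLOWED_SPECIALS for ch in password):
            problems.append("contains an invalid special character")
    else:
        # Fifth condition: alphabetic but neither upper nor lower case,
        # approximated as category Lo/Lm (CJK ideographs, kana, Hangul).
        met.append(any(unicodedata.category(ch) in ("Lo", "Lm")
                       for ch in password))
    if sum(met) < REQUIRED[locale]:
        problems.append(f"meets {sum(met)} of the character conditions; "
                        f"{REQUIRED[locale]} required")
    return problems
```

An unknown locale code raises `KeyError` rather than silently applying a weaker rule set.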

A user with the Administrator Role can edit the security database by adding users, modifying user IDs and passwords, and assigning object category-based privileges and system access privileges.

When the ADS/ADX is the Site Director, its Security Administration System function controls access to the entire site. The assigned object category-based privileges and system access privileges affect the permissions granted for the user logged in to the Site Director.

The ADS/ADX also allows you to log in using the Microsoft Active Directory® service. At Release 8.1 and later, the User Principal Name (UPN) authentication support for the Metasys system is now in compliance with Microsoft Office 365 authentication. For details, refer to the Security Administrator System Technical Bulletin (LIT-1201528).

When the ADS/ADX is not the Site Director (used only as a repository for data storage), its local Security Administration System function is used for user authentication for direct access to this ADS/ADX. The assigned system access privileges affect the permissions granted for the user who is directly logged in to this ADS/ADX. The Site Director, where users normally log in to the system, provides the effective Security Administration System function for site-wide access. On sites with multiple ADS/ADX devices, the Site Director security database must be copied to all of the other ADS/ADX devices to support the latest alarm and event features. For information on backing up and copying security databases, refer to the Metasys® SCT Help (LIT-12011964).

Note: The ADS-Lite cannot be the Site Director for other ADS or ADX servers.

The Security database can only be viewed and modified in the online system at the Site Director by a user with the Administrator Role. If you want to maintain the same Security database for all ADS/ADX devices, back up the archive database (which includes the Security database) of the Site Director with the SCT and then copy this Security database to all ADS/ADX devices on the site.

For more information on System Security, including setting up roles and users, refer to the Security Administrator System Technical Bulletin (LIT-1201528).

We recommend that you implement trusted security certificates for improved protection of user passwords when using the Metasys Advanced Reporting System. Refer to the Network and IT Guidance Technical Bulletin (LIT-12011279) for details on how to implement SSL security.

Note: Make sure that you enable and configure proper certificate revocation, such as Online Certificate Status Protocol (OCSP) stapling. For more information about OCSP configuration, refer to https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ocsp/5792b4c4-c6ba-439a-9c2a-52867d12fb66.