Locking down Plant SCADA Access Anywhere client

I am coming from using the old ActiveX web client to now using Access Anywhere (Plant SCADA 2023 R2, Windows Server 2022), and since the latter now creates an RDP session to the server, users now have access to the file system, for example, from save/open dialogues.

We are exploring GPOs to lock down these sessions but some scenarios are tricky. The biggest issue is that all users (even view-only) need read/write access to certain Plant SCADA folders (such as C:\ProgramData\AVEVA Plant SCADA 2023 R2\Data), for the runtime to function properly. But this also means they can delete these files if they get access to the File Explorer or other dialogues.

Has anyone solved this security? I can't imagine I'm the only one running into this. Maybe I'm missing something in my configuration, or maybe there is a known workaround. Any help would be greatly appreciated!

  • Hi,

    It would be interesting to better understand how the user is accessing the file system or parts of the operating system they are not authorized to access. Is it via a specific popup (e.g. to save a process analyst file)? 

    When I've tested with Plant SCADA Access Anywhere, I wasn't able to access the desktop of the VM or any other program, it appears to be running in a shell already. Shutting down Plant SCADA logs me out automatically.

    I'd recommend reaching out to AVEVA Technical Support to have a closer look at your project configuration and give you some more tips with regards to security hardening on your system.

    Kind regards

    Olivier

  • Hi Olivier,
    Yes, through the Process Analyst page is one way. If they use the "Copy to File" button, this allows them access to the complete file system with restrictions, except for the Plant SCADA files, which (I believe) need to be set to read-write. Also, anywhere with a Windows "Help" or "Print" dialogue would allow the user to get to the File Explorer some way or another. Our runtime does run as a shell; however, this does not prevent other programs from opening. Another issue I ran into the other day was that a Windows notification popped up, and I was able to click it and open Settings. I am going to reach out to support again about this issue, but I wanted to see if others are also experiencing this dilemma and how it is usually handled.
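
An added example, not part of the thread and not AVEVA tooling: a PowerShell audit of the data folder named in the question, listing which non-administrative identities hold delete rights there (Modify and Full Control both include Delete). The trusted-identity list and the function name are assumptions made for this sketch.

```powershell
# Added example (not from the thread): list ACEs that let non-admin identities
# delete content under the Plant SCADA data folder named in the question.
param(
    [string]$Path = 'C:\ProgramData\AVEVA Plant SCADA 2023 R2\Data',
    # Assumption: these identities are expected to hold full control.
    [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
)

$rights = [System.Security.AccessControl.FileSystemRights]
# Delete removes the object itself; DeleteSubdirectoriesAndFiles on a folder
# lets the holder delete children regardless of the children's own ACLs.
# 0x10000000 is GENERIC_ALL, which Get-Acl can return as an unmapped value.
$deleteMask = [int]($rights::Delete) -bor
              [int]($rights::DeleteSubdirectoriesAndFiles) -bor 0x10000000

# Hypothetical helper: returns one object per Allow ACE that grants a delete right.
function Get-DeleteCapableAce {
    param([string]$Target)
    foreach ($ace in (Get-Acl -LiteralPath $Target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }            # Deny ACEs are not reported
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $deleteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Target
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# The folder itself, then any child that carries explicit (non-inherited) ACEs.
$findings = @(Get-DeleteCapableAce -Target $Path)
foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    $findings += @(Get-DeleteCapableAce -Target $item.FullName |
                   Where-Object { -not $_.Inherited })
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

This lists granted ACEs only; it does not resolve group membership or Deny entries, and whether the runtime tolerates narrower rights on this folder is not established in the thread.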