KEPServerEX 6.7 Changes: Why Does the kep Desktop Shortcut Look Different?
KEPServerEX version 6.7 was released on June 27 with new device connectivity for the Torque Tool driver, updates to the Configuration API, and new OPC UA security features. There is still time to register for the release webinar if you haven't already.
If you've already had the chance to download the latest version and test it out, you will likely notice what appears to be a minor change: there is now an UAC shield icon on the KEPServerEX desktop shortcut. You'll notice this shield icon if you are logged into your machine as an "Administrator" user. This is a result of a broader change we've made to improve the application security of KEPServerEX. But before we dive in too deep, let's cover some definitions of Windows security terms. This will lay the foundation for understanding the changes we've made.
First, note that all of the security features we're about to cover relate to the Windows User Account Control (UAC) framework, which helps prevent unwanted system-wide changes and limits the effect of malware. Within that framework, there are different types of users. For the purposes of this post, we'll focus on Administrator users and Standard users. These are users in the context of Windows, not KEPServerEX users that you would define in the KEPServerEX user manager.
Administrator users have the ability to install software and make system-level changes to the OS. However, with UAC fully enabled, these users typically run as "protected administrators," meaning they run with least user privileges until they try to perform an administrative task. To perform that task, they can give explicit consent to become "elevated administrators." In our conversations with Kepware customers, we've found that most are using their host OSs as Administrator users
Standard users do not have the ability to install software or make system-level changes. If they need to perform these tasks, they need an Administrator user to do it for them
So how does this impact KEPServerEX? As many of you know, we've taken steps in the past few releases to protect KEPServerEX configuration information, such as encrypting project files by default. This is important due to the sensitive nature of the information in the KEPServerEX configuration: device IP addresses, device user names and passwords, and more.
Because KEPServerEX may be installed on a machine with multiple users, we feel it's important that only users who need to be able to access the KEPServerEX configuration and important program files are able to. With that in mind, we've made two important changes in 6.7:
For new installs of KEPServerEX 6.7 or higher, Windows Standard users are not able to access the KEPServerEX configuration or the Application Data Directory by default
We've also added instructions in section 5 of the KEPServerEX Secure Deployment Guide on how to grant access for specific Standard users
As a side effect of these changes, Administrator users will need to self-elevate when opening the KEPServerEX configuration, and the UAC sheild shows up on the desktop shortcut as a result. As stated earlier, we've found that most users of KEPServerEX run as Windows Administrator users, so this will likely be the change that most users see. That said, if you run as a Windows Standard user, or you have engineers that need to use KEPServerEX as a Standard user, be sure to check section 5 of the Secure Deployment Guide to have an Administrator explicitly enable those users.
Kepware and PTC are fully committed to the Shared Responsibility Model and to doing our part to ensure operational environments remain secure. As you can now see, the UAC icon on the KEPServerEX desktop shortcut is representative of our continued investment in application security. To learn more about Kepware's security stance and security features you can read the Shared Responsibility: IoT Cyber Safety & Security white paper or view many of our recent webinars with a security focus.