WinNT Real time performance
By R A Peterson on 11 February, 2000 - 2:54 pm

Recently I got a new company supplied laptop. PIII/128Mram/450Mhz. A real screamer.

For those of you who are not convinced of the need for some kind of real time extensions, try the following experiment.

1. Download real audio player.

2. goto www.rushlimbaugh.com and click on the "listen live" button.

3. start the pinball game that comes with win nt.

As long as I don't use either flipper on the pinball game, the Rush show comes through fine, but every time I use the flippers, RealAudio cuts out for a brief period of time.

I'm not so sure what's happening, but it's mildly disconcerting that a relatively simple game could eat so much resources that it could stop another process dead. Maybe a good reason not to load games on your WinNT control system.

By Glass, Philip on 14 February, 2000 - 11:48 am

I'm glad I read that post.
I was on the verge of requesting a new high-powered laptop for work but if I can't listen to Howard Stern and play Doom at the same time, forget it! I have my priorities.

In my opinion, Win NT should be reasonable for soft real time, only if you are careful how you configure the system. You must test and avoid any hardware drivers or software that causes excess latencies.

I have also heard that NT is also very fussy about hardware; you must use a proven combination for best results. It would be interesting to find an on-line resource that rates hardware for NT in terms of overall performance.

If it is used for soft real time, I think that NT should be considered to be a closed system.

Bill Sturm

By Rod Doolittle on 14 February, 2000 - 3:48 pm

I'm not so sure what's happening, but it's mildly disconcerting that a relatively simple game could eat so much resources that it could stop another process dead. Maybe a good reason not to load games on your WinNT control system.

< SNIP >

What you are not seeing about the performance of your machine is this. In your RealAudio Player, you can set up how much of your processing time you want it to consume. There is also a setting in your System Properties applet under the Performance tab that you can set for how much performance boost the application running in the foreground is to have. I believe that out of the box NT Workstation sets the slider to maximum boost, and RealAudio sets itself to run with maximum boost also. Now then, you have RealAudio running minimized taking most of your resources, and you have your game trying to get all of the processing time also. WinNT and RealAudio are now fighting for resources. This is why the game is running like a pooch. This would happen with most any application that you would run under these circumstances.


Rod

By Davis Gentry on 15 February, 2000 - 9:08 am

So who out there is setting up RealAudio on their control PCs???

And with NT you can, with a minimum of care, be sure that the operators cannot load it on there for you.

Before the flames start, I am not suggesting that NT is a hard realtime system. It is, however, often adequate for many needs if properly set up.

Davis Gentry
Carpenter Company

By Mark Blunier on 15 February, 2000 - 4:07 pm

> And with NT you can with a minimum of care be sure that the operators cannot load it on there for you. <

How?

Mark Blunier
The opinions expressed in this message are not necessarily those of the company.

By Ranjan Acharya on 16 February, 2000 - 2:53 pm

How indeed!

There are several methods to protect your Windows NT systems from unscrupulous operators. The most reliable method is a tight physical lock-down by removing the floppy disk drive and CD drive. This gives you your first level of protection.

Next, set up your system policy to only allow certain applications to run (such as your "soft controller", SCADA application ... certainly not setup.exe or anything like that). At this time you can also severely restrict the desktop -- no shutdown, save on exit, no "My Computer", no "Network Neighbourhood", no dial-up, fixed artwork and so on. They will not even be able to right-click on the desktop and change the screen properties. The only hole in this is that they can change things via on-line help -- next time they log in, it is back to your standard desktop. The policy data is saved on the server and cached on the workstation.

Finally, set up your machine on a restricted intranet so that they cannot even see other machines to do any damage. Use either programmed switches or dedicated wiring via standard switches and hubs.

One thing I did was to make the accessible hard disk as small as possible so that if anyone did get through the security they had one more hassle.

You may want to consider a full security implementation with timed log-in and so on and also changing the Administrator passwords once a week / month / six months / day :-)

Always remember that NT (and even Unix) are not very secure. Linux is not secure at all from what I read. One good method of security with NT is a touch screen display with no way out in run-time.

RJ

Ranjan Acharya 905-634-0844 x 238 (V)
Team Leader - Systems Group 905-634-9548 (F)
Grantek Control Systems http://www.grantek.com/
Ranjan.Acharya@grantek.com
Ranjan.Acharya@ieee.org

By Guido Urdaneta on 18 February, 2000 - 3:13 pm

Linux is not only more secure than Windows NT, but much more secure. It may not be as secure as, say, OS/390, but is certainly more secure than Windows NT. The simple fact that in Windows NT (AFAIK) you cannot make a program run with the privileges of a specific user (Set UID) makes the platform less secure than Linux or Unix. Add to this that Windows NT defaults to insecure settings.

An example of a system that is not secure at all is DOS/Windows 95/98. BTW, I would like to know the reasons why what you have read states that Linux is not secure at all. Could you provide an http link or some kind of reference?

Regards,
Guido Urdaneta

P.S.: If I am wrong and Windows NT can make ordinary programs be marked to run with the privileges of a specific user, please let me know, because I have not been able to find this feature (despite the supposed ease of use of Windows NT) and have had to incorporate Linux or UNIX software in several systems for security reasons, not to mention stability.

By Davis Gentry on 22 February, 2000 - 4:43 pm

--- Vegeta <vegeta@CUAIMA.ICA.LUZ.VE> wrote:
> Linux is not only more secure than Windows NT, but
> much more secure. It may not be as secure as, say,
>OS/390, but is certainly more secure than Windows NT.

BTW - At the MS Developer's Conference last year they set up several stock Windows NT 4.0 machines and asked the developers to try to break the security of the machines. Everything was locked out in the OS for a fully secure anonymous login. To the best of my knowledge, no one even managed to crash any of the machines, much less break the security. And this was a vast crew of administrators and hard core Windows developer types - major nerd heads.

It all comes back to what I said in an earlier email - if you know what you are doing, NT is a VERY secure environment. If you do not know what you are doing, it is not, but then again, I bet I could manage to thoroughly hose a Linux installation - and I've got training and experience with HP-UX and Solaris administration as well as with NT (not that I am a true expert at ANY of them).

Controls engineers are certainly required to maintain a dismayingly broad front of knowledge, eh? Oh well, guess that's why they pay us the big bucks.

Davis Gentry
Controls Project Engineer
Carpenter Company

By R A Peterson on 24 February, 2000 - 9:18 am

My guess is they are not experts at breaking security though.

Besides, the most common way security is broken is from an inside job. Passwords are not changed. Passwords are written down. Easily guessed passwords are used.

Administrators use the same password on 100 different machines, that is known by 10-15 people in the IS dept. Difficult, near impossible to maintain security in that environment and still be able to use the computer.

By Paul Tolsma on 25 February, 2000 - 3:43 pm

Last weekend, a friend of mine was talking about his new job. He was given a small "egg" that is somehow synched to his PC. The "egg" is on his keychain, and every *30 seconds* it generates a new PW for his PC. That is, his password changes randomly every 30 seconds... every minute... every hour... every day... all year... etc. I have never even heard of this before, but it seems to be pretty major security. Does anyone know more about this or how it works?

Paul T

By Ranjan Acharya on 5 March, 2000 - 1:44 pm

Network Computing magazine had an article on it a few months ago.

RJ

Ranjan Acharya 905-634-0844 x 238 (V)
Team Leader - Systems Group 905-634-9548 (F)
Grantek Control Systems http://www.grantek.com/
Ranjan.Acharya@grantek.com
Ranjan.Acharya@ieee.org

By Russell Magee on 21 March, 2000 - 6:12 pm

We used a system of this type from Security Dynamics for NT. When you purchase the system you basically get the security software for a server and a backup server as well as client licenses for each user that will be using it.

There is one license per key fob (easter egg) and each key fob is tied to the licensee by an 8-digit serial number. The key fobs produce a (pseudo) random number every 60 seconds which is synchronized with the server. The initial synchronization is done from the server before the key fob is given to the user. A user group is then set up on the NT domain and any user in that group is challenged by the security software when they log on to the system.

Each user on the system also has a unique password that is set up and administered from the security software. This is a static password with an expiry date and format restrictions established by the server. Each user then has a total of three passwords:
- a standard NT domain password
- a static password for the security software
- a six digit random number from the key fob.

Therefore, the key fob by itself is useless. The system will disable an account if the user fails to log in three times in a row. It also logs which password the user failed to authenticate on, so you could track a lost or stolen key fob.

Another feature is that it checks the six-digit password against the three previous passwords and the next three. If the user's password is found to be one of these, the system asks the user to enter the next password generated by the key fob before authenticating them.

Russ Magee
Tarco Engineering
Calgary, Canada

By Vitor Finkel on 5 March, 2000 - 1:47 pm

I have no idea, but I wonder: What happens when the "egg" battery dies? Batteries don't die suddenly; their voltage grows smaller and smaller till the device stops working or starts to work erratically.

Please ask your friend to do a "scientific experiment", replacing the "egg" battery with one quite used, and let us know what happens.


Vitor Finkel vfinkel@attglobal.net
P.O. Box 16061 tel (+55) 21 285-5641
22222.970 Rio de Janeiro Brazil fax (+55) 21 205-3339

By West Francus on 5 March, 2000 - 2:14 pm

It is called SecurID, from Security Dynamics.

http://www.securitydynamics.com/

Regards,

West Francus
west.francus@gefalbany.ge.com

By Michael Griffin on 6 March, 2000 - 2:34 pm

I saw one of these a few years ago. It was the size of a small card, and fairly thin. The LCD display on the front of it generated a new password on a regular basis. I was told that the way it works (and it seems fairly obvious) is that it has an accurate clock which is synchronised with a base unit which remains connected to the system you wish to log into. It may be possible that the base and portable units need to have their clocks re-synchronised occasionally though.

Both units generate a complex numerical series based on a common algorithm and seed (the seed is selected when the device is issued). At the start of each time interval, a new result is calculated. Since both devices execute a common algorithm, and since they were both initialised with the same seed, both will calculate the same result. The mathematical series is complex enough that it is not realistic to try to derive the original seed from a sample of calculated results. Passwords are unique to each device pair, because of the different initialisation times and seeds.

These systems are supposedly very secure (at least the password is) - provided you don't lose the password generator. Unlike some systems, they don't require any special hardware connection to the user's computer since the password is entered manually.

The cost and administration problems with this method seem to limit its use to applications where security concerns are higher than average.
They may have a use though where it is desirable to allow regular remote log-in to a plant control system (e.g. via the internet), but where security problems could be serious.

**********************
Michael Griffin
London, Ont. Canada
mgriffin@odyssey.on.ca
**********************
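The mechanism Russell Magee and Michael Griffin describe above (a fob and a server sharing a seed, a new code each 60-second interval, a tolerance window of three codes either side, a "type the next code" challenge on drift, a separate static PIN, and lockout after three failures), as an added example that is not part of the original thread and not the Security Dynamics product's own code. The fob algorithm was proprietary; the stand-in here is an HMAC-SHA1 truncation of the time-step counter (the RFC 4226/6238 construction), which has the same property the posts rely on: observed codes do not reveal the seed. The seed, serial, user name and PIN are constructed for the example.

```python
import hashlib
import hmac
import struct

# Parameters as described in the thread for the Security Dynamics system.
STEP_SECONDS = 60      # fob shows a new number every 60 seconds
DIGITS = 6             # six-digit code
DRIFT_WINDOW = 3       # three previous and three next codes tolerated
MAX_FAILURES = 3       # account disabled after three failures in a row


def token_code(seed: bytes, step: int, digits: int = DIGITS) -> str:
    """Code the fob shows during time step `step`. Stand-in for the fob's
    proprietary algorithm: HMAC-SHA1 over the step counter, truncated to
    `digits` decimal digits. Recovering `seed` from codes is infeasible."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class TokenServer:
    """Server side: holds each fob's seed and each user's static PIN, and
    remembers what it has accepted so a copied code cannot be replayed."""

    def __init__(self, seeds, pins):
        self.seeds = dict(seeds)        # fob serial -> seed
        self.pins = dict(pins)          # user -> static password (second factor)
        self.last_step = {}             # serial -> last step accepted
        self.pending_next = {}          # serial -> step we insist on next
        self.failures = {}              # user -> consecutive failures
        self.disabled = set()

    def _fail(self, user, reason):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.disabled.add(user)
            return "disabled"
        return reason

    def authenticate(self, user, serial, pin, code, now):
        """Returns 'ok', 'next-code', or a failure reason."""
        if user in self.disabled:
            return "disabled"
        if not hmac.compare_digest(self.pins.get(user, ""), pin):
            return self._fail(user, "bad-pin")      # the fob alone is useless
        seed = self.seeds[serial]
        step_now = int(now) // STEP_SECONDS
        matched = None
        for step in range(step_now - DRIFT_WINDOW, step_now + DRIFT_WINDOW + 1):
            if hmac.compare_digest(token_code(seed, step), code):
                matched = step
                break
        if matched is None:
            return self._fail(user, "bad-code")
        if matched <= self.last_step.get(serial, -1):
            return self._fail(user, "replay")       # a seen code is spent
        expected = self.pending_next.pop(serial, None)
        if expected is not None and matched != expected:
            return self._fail(user, "wrong-next-code")
        self.failures[user] = 0
        self.last_step[serial] = matched
        if matched != step_now and expected is None:
            # Clock drift: demand the fob's next code as proof of possession.
            self.pending_next[serial] = matched + 1
            return "next-code"
        return "ok"


# Constructed values for the walk-through; a real seed never leaves the server.
DEMO_SEED = b"constructed-seed-0001"
DEMO_SERIAL, DEMO_USER, DEMO_PIN = "00000001", "rmagee", "1234"


def demo(now=1_000_000):
    """Runs the cases raised in the thread; returns the server's answers in order."""
    step = int(now) // STEP_SECONDS
    srv = TokenServer({DEMO_SERIAL: DEMO_SEED}, {DEMO_USER: DEMO_PIN})

    def login(pin, code):
        return srv.authenticate(DEMO_USER, DEMO_SERIAL, pin, code, now)

    return [
        login(DEMO_PIN, token_code(DEMO_SEED, step)),       # ok
        login(DEMO_PIN, token_code(DEMO_SEED, step)),       # shoulder-surfed code: replay
        login(DEMO_PIN, token_code(DEMO_SEED, step + 1)),   # fob one step ahead: next-code
        login(DEMO_PIN, token_code(DEMO_SEED, step + 2)),   # next code proves possession: ok
        login("0000", token_code(DEMO_SEED, step + 3)),     # stolen fob without PIN: bad-pin
        login(DEMO_PIN, token_code(DEMO_SEED, step + 7)),   # outside the +/-3 window: bad-code
        login(DEMO_PIN, "abcdef"),                          # third failure in a row: disabled
        login(DEMO_PIN, token_code(DEMO_SEED, step + 3)),   # stays disabled
    ]


if __name__ == "__main__":
    print(demo())
```

The replay guard is what answers the "what if someone watches over your shoulder" question: once a code has been accepted, that step and every earlier one are dead for that fob, so the window of opportunity is at most one interval, and only if the observer types it before the owner does.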

By Anthony Kerstens on 8 March, 2000 - 6:09 pm

One question about this "egg". Is it not something that could easily be stolen or lost? And if so, what's to prevent unauthorized users from making inappropriate use of it?

Anthony Kerstens P.Eng.

By Michael Griffin on 10 March, 2000 - 3:10 pm

Yes, it could be stolen or lost, just like your house keys could be stolen or lost. That's not a reason to not lock your house when you go to work in the morning though.

If the device was lost or stolen, you could have the system administrator cancel that series of passwords. The device would then become useless until it was initialised again and synchronised with a matching base station. At least, unlike a conventional fixed password, you wouldn't have to worry about this thing being posted on a hacker web site.

I believe that this system is particularly intended to defeat "cracking" systems which work on the principle of capturing passwords off the network or via a virus or trojan horse program on your computer (this one is a trick which goes back to mainframe days). An even more basic security hole is when someone watches you over your shoulder while you log in over the internet on your laptop in a public place. It doesn't prevent the password from being captured, but it does prevent someone from taking advantage of it, since the password will have changed before the hacker would have gotten around to trying to use it.

This may not be as secure as a retina scanner, but it doesn't require any special hardware to be installed in the computer either. It probably isn't worth while for most applications. However, suppose you wanted to use the internet to monitor and adjust set points at a remote site while you were anywhere in the world. You might not want to allow this if all you had to protect it was a simple log-in and a password which you change once a month (or never). If you had better security though, you might decide the reduced risk was worth the benefits.


**********************
Michael Griffin
London, Ont. Canada
mgriffin@odyssey.on.ca
**********************

By R A Peterson on 8 March, 2000 - 6:10 pm

Until the guy loses the damn thing, and now your secret password that changes all the time is known to the guy that found it.

Changing your password is really not that great of a security measure except for accounts that are used by multiple people. My personal opinion is that, all in all, requiring changing passwords on a regular basis for accounts that are only used by one person is counterproductive. It's not all that easy to remember them sometimes, and this leads to people writing them down, a major problem. This is why I do not like passwords that are not easy to remember. People have to write them down or they forget, and this leads to security breaches.

By Davis Gentry on 10 March, 2000 - 10:55 am

Not really. I used one of these for dial up security a couple of years ago. Works great. You have to have both your standard password and the code from your code generator card. Plus, if you are talking dial up, besides your standard login id and password they also have to know the phone number, all the correct network settings, etc. It may not be Fort Knox, but it is very good security.

Davis Gentry
Carpenter Company

By Tony G Smith on 14 March, 2000 - 9:40 am

Losing a SecurID card does not compromise it. The card has its own password. The user inputs the password into the SecurID card and it generates another password that is used to log in to the system. An observer who sees the password that is used to log in cannot use that password later, since it becomes obsolete in a couple of minutes. For someone to gain access to the system, they must have the user's SecurID card and the SecurID card's password.

Tony Smith

P.S. I'm not advocating the use of this system, just clarifying how it functions (from a user's viewpoint).

By Johan Bengtsson on 10 March, 2000 - 3:06 pm

Ok, the overhead is per I/O tag, a stupid design, if I may give my private opinion.


/Johan Bengtsson

----------------------------------------
P&L, the Academy of Automation
Box 252, S-281 23 Hässleholm SWEDEN
Tel: +46 451 49 460, Fax: +46 451 89 833
E-mail: johan.bengtsson@pol.se
Internet: http://www.pol.se/
----------------------------------------

By Dave Wafford on 8 March, 2000 - 6:12 pm

Sounds like the SecureID token system. Here is the link on it:
http://www.oga.co.th/syncom/securid/Security/tokens.html

By RufusVS@aol.com on 21 March, 2000 - 11:33 am

I'd be willing to bet it is not actually random, but rather algorithmic based on the time of day. I'm sure the password is not being changed on the computer each time; the egg is only to give the human user the current password at a given time.

What is to prevent someone taking your egg?

I think a password kept in your head is more secure.

The optimum would be if the system outputs a variable prompt, perhaps including the time of day, and the human user, based on that prompt and his own mental algorithm, typed the correct password.

Then even someone looking over your shoulder can't reuse your password. Unless you use a pen and pad to figure it out...

I agree with you in that Windows NT does provide security. That level of security may be all that you need. But I do not think that the level of security that NT can provide is higher than what can be provided by Linux. In both environments you can set up access permissions for files, directories and executables. But Linux systems let you mark an executable to run with the privileges of the owner (and not of the user) and that can help a lot to implement custom security schemes. AFAIK, the only executables in NT that run with privileges different from those of the user are Services (the NT version of Unix daemons). If you know of a way to mark an ordinary executable in NT to run with the owner's privileges (regardless of the actual user), please let me know, because I have not found a way to do it. According to an earlier post, Linux has no security at all, and all I am trying to do is to prove that such a statement is false, because Linux has more security features than NT. I am still waiting for a reference to the publication that states that Linux has no security at all.

Regards,
Guido Urdaneta

P.S. Sorry for my bad English, but my native tongue is Spanish.

By Roger Irwin on 28 February, 2000 - 9:20 am

Vegeta wrote:

> In both environments you can set up access permissions for files,
> directories and executables.

But irrespective of what you can set, Linux and all the other POSIX compliant OS's allow superuser access as well. The lack of this in NT means that one is often using an Administrator login when a user with occasional su would be more appropriate. This is not so much a security issue as a fail-safe one: it is easier to do damage with administrator rights!

Anyway, AFAIK, the new NT has fixed this limitation, but having never seen such a machine I was wondering how the NT5 'su' compares with 'nix, for example what degree of control do I have?

By Davis Gentry on 22 February, 2000 - 4:46 pm

--- Vegeta <vegeta@CUAIMA.ICA.LUZ.VE> wrote:
> The simple fact that in Windows NT (AFAIK) you
> cannot make a program run
> with the privileges of a specific user (Set UID)

This is not a fact of any kind, much less simple.
There are two ways to do what you describe. First and easiest, using poledit.exe from the Windows NT 4.0 Resource Kit set the user or group permissions on any executable, or set it up so that they can run ONLY those executables which are specified.

If your boss won't spring for the Resource Kit, then the simple fact is that you can right click on the .exe file in the Windows Explorer window, click 'properties', then click on the 'security' tab. Once in the security window, click on the 'permissions' button, and for a user or group that you do not want to have permissions of any kind, click on "no access" and add user or user group. This is of course somewhat tedious to do for every .exe file on an NT machine, so you can do the same thing for directories.

If you do this to the WINNT directory you need to watch out for two pitfalls: 1) Make sure that everyone who you want to allow to print is given read/write access to the \winnt\system32\spool directory and subdirectories. 2) Make sure that none of the executables you have the operators running want to write to the winnt directory using the operator's login id.

Davis Gentry
Controls Project Engineer
Carpenter Company

By David Gwinup on 24 February, 2000 - 9:16 am

It takes only a few minutes to use WinNT's policy editor to restrict user rights. However, it takes several hours to several days of planning to decide HOW you are going to restrict these rights. For instance, I set up my operator stations so that when the users log in they see a completely blank desktop and empty start menu, except for the one program they are to run. Further, they can not run any applications I have not added to the "allowed run list." There are LOTS of other restrictions I added to lock down the machine entirely, but these are the main ones.

That said, vegeta@CUAIMA.ICA.LUZ.VE is correct when he says that you can't make a program run with different user privileges. This is a different issue entirely than simply restricting access using Policy Editor. When a user logs in he is assigned a security ID. Whenever a task is performed (application run, file opened, network action) the security ID is checked against the ACL (access control list) to see if that user has the appropriate permission.

Thus, logging in under my personal account would not allow me to access objects requiring administrator access, because any activities performed during my login session are associated with my security ID. Conversely, when logged in as Administrator, I obtain the Administrator security ID and can then access objects restricted to the Administrator -- but I can NOT access objects that are restricted for use by my personal login account.

However, under Windows 2000, presumably I would be able to log in on my personal account and access objects using the security ID of another user. This is an instance of accessing objects/running programs with the privileges of another user. I haven't seen this firsthand, so I don't know how well it is implemented.

I think that you do not understand what I am trying to say.
I was not asking if in NT you can set user and/or group permissions on executables.
The security scheme that I have been unable to reproduce in NT is the following:
User A has access to file F
User B does not have access of any kind to file F
Program P is set to run with privileges of user A
User B is allowed to run program P
User B can read or write to file F only by means of program P, because the program, not the user, has access to file F.

I do not know how to do this in NT. I think it cannot be done. This is what I was asking, and if somebody knows how to do it, please tell me.

Thanks in advance,
Guido Urdaneta
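A model of the scheme Guido lays out just above (user B can touch file F only through program P, which runs with A's privileges), together with the security-ID-against-ACL check David Gwinup describes, as added example code that is neither from the thread nor from Windows. It reduces NT's DACL evaluation to an ordered list of deny/allow entries matched against the SIDs in a logon token (a canonical DACL lists denies before allows, which is why a "no access" entry wins), and models "run as another user" as swapping the token that a program's file accesses are checked against, which is the effect of CreateProcessAsUser with another user's token, or of a set-UID bit on Unix. Every SID, token, ACL and program name is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Access rights as bit flags (a simplification of NT's access mask).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    """One access control entry: 'deny' or 'allow' a set of rights to a SID."""
    kind: str
    sid: str
    rights: int


@dataclass(frozen=True)
class Token:
    """What a logon session carries: the user's SID plus its group SIDs."""
    user_sid: str
    groups: frozenset

    def sids(self) -> frozenset:
        return self.groups | {self.user_sid}


def access_check(acl: list, token: Token, requested: int) -> bool:
    """Simplified NT access check. Entries are evaluated in order; a deny
    that covers any still-unsatisfied right rejects at once, allows
    accumulate, and the request succeeds when nothing is left to grant.
    An empty ACL grants nothing."""
    remaining = requested
    for ace in acl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


@dataclass(frozen=True)
class Program:
    """A program a user launches. `run_as`, if set, is the token the process
    actually executes under (CreateProcessAsUser with another user's token,
    or set-UID on Unix); otherwise it inherits the caller's token."""
    name: str
    run_as: Optional[Token] = None

    def open_file(self, file_acl: list, caller: Token, rights: int) -> bool:
        effective = self.run_as if self.run_as is not None else caller
        return access_check(file_acl, effective, rights)


# Constructed SIDs and tokens.
SID_A, SID_B = "S-1-5-21-1", "S-1-5-21-2"
SID_OPERATORS, SID_ENGINEERS, SID_EVERYONE = "S-1-5-21-100", "S-1-5-21-101", "S-1-1-0"
TOKEN_A = Token(SID_A, frozenset({SID_EVERYONE, SID_ENGINEERS}))
TOKEN_B = Token(SID_B, frozenset({SID_EVERYONE, SID_OPERATORS}))

# Guido's scheme: only A may touch F; P runs as A; Q is the same program without run-as.
FILE_F_ACL = [Ace("allow", SID_A, READ | WRITE)]
PROGRAM_P = Program("P", run_as=TOKEN_A)
PROGRAM_Q = Program("Q")

# Gentry's "no access" entry: operators barred from an .exe that Everyone may run.
EXE_ACL = [Ace("deny", SID_OPERATORS, READ | EXECUTE),
           Ace("allow", SID_EVERYONE, READ | EXECUTE)]


def scenarios() -> dict:
    """Each case from the thread, mapped to whether access is granted."""
    return {
        "B reads F directly": access_check(FILE_F_ACL, TOKEN_B, READ),
        "A writes F directly": access_check(FILE_F_ACL, TOKEN_A, WRITE),
        "B writes F through P": PROGRAM_P.open_file(FILE_F_ACL, TOKEN_B, WRITE),
        "B reads F through Q": PROGRAM_Q.open_file(FILE_F_ACL, TOKEN_B, READ),
        "operator runs exe": access_check(EXE_ACL, TOKEN_B, EXECUTE),
        "engineer runs exe": access_check(EXE_ACL, TOKEN_A, EXECUTE),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} -> {'granted' if ok else 'denied'}")
```

The point the model makes is that the ACL alone never gets B to F: what changes the outcome is whose token the process carries when it opens the file. That is also why the feature is double-edged, as the later replies discuss: whoever controls what P does controls what can be done with A's rights.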

By Vladimir Bunyakin on 24 February, 2000 - 4:11 pm

Did you try to use the function CreateProcessAsUser?

--
Sincerely yours,
Vladimir Bunyakin.

By Davis Gentry on 25 February, 2000 - 3:40 pm

> From: "Gwinup, David" <PDGwinup@uop.com>
>it takes several hours to several days of planning to decide HOW you are going to restrict these rights.<

Good point.

> That said, vegeta@CUAIMA.ICA.LUZ.VE is correct when he says that you can't make a program run with different user privileges.<
....clip...
> This is an instance of accessing objects/running
programs with the priveleges of another user.<

Ok - seems that I misunderstood the question. Having grown up with Windows -> WinNT I have never had that capability, and never used it under any of the UNIX systems I've used. That being said - why would this be done? It seems to me that this is simply going around all of the security that you have spent such time planning and implementing. If a user needs access to an executable, why not simply assign access in the policy to his id or group?

Davis Gentry
Controls Project Engineer
Carpenter Company

By David Gwinup on 25 February, 2000 - 4:07 pm

Over the past year or two I've come up with several situations where I'd like to set up an operator account to run with another user's privileges, though I can't recall what those situations were at the moment. But here's one example of how I would use this feature from day to day.

I am usually logged into my NT machine on my desktop using my regular domain account. However, I often have to do things such as adding a user to the domain using usrmgr.exe or tweaking a policy on a remote machine using poledit.exe. Since my regular user account does not have admin privileges, I would either have to shut down all my running applications, log out of my machine & back in as Administrator, or else go up to the server room to run the appropriate programs from one of the servers. If, however, I could tell poledit.exe and usrmgr.exe to run with the privileges of the domain administrator, I could just run them from my own account without much extra work (though I might want to set it up so it would still ask me for the admin password before running).

And BTW, I do realize that I could add my regular domain account to the Domain Administrators group on the Domain Controller. However, this is a very dangerous approach, since I frequently walk away from my computer at various times during the day and don't always remember to lock it up. That's not so bad with my regular domain account, but would be very risky leaving an unattended machine logged in as Domain Admin.

By Roger Irwin on 28 February, 2000 - 9:39 am

Davis Gentry wrote:

> If a user needs access to an executable, why not simply assign access in the policy to his id or group?

A user can develop/install software that is available to him, or just his group, without requiring the intervention of somebody with Administrator level privileges. The advantage of this is only really appreciated on large systems however, not your typical NT setup; I certainly think it is a non issue for control apps.

By R A Peterson on 5 March, 2000 - 1:37 pm

<<
> If a user needs access to an executable, why not simply assign access in the policy to his id or group?

A user can develop/install software that is available to him, or just his group, without requiring the intervention of somebody with Administrator level privileges. The advantage of this is only really appreciated on large systems however, not your typical NT setup; I certainly think it is a non issue for control apps. >>

This is not generally so. Most software requires registry changes which a typical user cannot do. I got so tired of having installs die on me that I changed my normal login to be an admin as well. It's too much hassle to have to keep logging off to install a piece of software.

By Roger Irwin on 5 March, 2000 - 1:58 pm

I think we are at cross purposes; I was pointing out why the individual permissions of POSIX-like systems may be preferred over the poledit limitations of NT4.

'nix users always have their home directory, which is the default place for their personal config data, not a common registry.

Actually I have often wondered why NT users cannot have their own 'home', complete with a personal registry.

By Johan Bengtsson on 5 March, 2000 - 2:17 pm

Actually they do have that.

The registry is composed of several files called hives. One of these files is personal and located in
%systemroot%\profiles\<user>
and called ntuser.dat
where %systemroot% is the installation directory of NT, typically c:\winnt

The things stored here are what you find in the registry under
HKEY_CURRENT_USER\...
personal data is preferably stored here:
HKEY_CURRENT_USER\Software\<company name>\<software name>\...

equivalent of user home directory:
%systemroot%\profiles\<user>\Personal\...
each users part of the desktop:
%systemroot%\profiles\<user>\Desktop\...


/Johan Bengtsson

----------------------------------------
P&L, the Academy of Automation
Box 252, S-281 23 Hässleholm SWEDEN
Tel: +46 451 49 460, Fax: +46 451 89 833
E-mail: johan.bengtsson@pol.se
Internet: http://www.pol.se/
----------------------------------------

By roger Irwin on 8 March, 2000 - 5:53 pm

> Actually they do have that

Yes they do, don't they. You are right, but it is not obvious. Partly because they are 'separate', but I think mostly because apps just do not tend to use things that way 'by default'.

By roger Irwin on 22 February, 2000 - 4:52 pm

Under X11 (Unix/Linux) it is very easy to control what the user does with the display. One very useful technique is to simply not launch a window manager at all, and just have the underlying X engine. That means that the only controls available to the user are those offered by the application program.

I have seen this condition on NT boxes, but only when they are malfunctioning. After log in you just get the background, no icons or task bars etc. Ctrl-Alt-Del brings up the little box which allows you to launch new tasks using the task manager. I could not help wondering if there was any 'correct' way to achieve this state?

This discussion has led me to re-think the whole Windows in automation issue. I have recently returned to the automation field after a long absence in which I have had a lot of exposure to 'nix systems, and I have built up a great respect for them. But returning to automation I find the field dominated by Windows, and have thrown myself wholeheartedly into the Windows concept. Yet the deeper I go the more alarmed I am becoming. The Windows philosophy seems to encourage exaggerated systems, bloated code, and a complexity way in excess of what is required by the task. This inevitably leads to misconfigured systems and broken code, and often results in overly complicated solutions to simple problems that can be difficult to document and hence to modify by others at a later date.

I also refute the 'ease of use issue' as a very dangerous misconception. I have been using computers for 25 years, and yet I find NT difficult to configure correctly, unless I need the default configuration for everything, but that is hardly likely in the automation sector. Instead we find that maintenance personnel and others who think they 'know Windows' because they can set up their W95 box at home fearlessly modify NT configurations, oblivious to the fact that the two OS's are completely different under the cover.

Looking at the whole picture of real time, it is worth remembering that real-time extensions to standard operating systems are not really extensions at all. What happens is that the machine is primarily governed by the RTOS which handles all the scheduled code, and then runs the 'host' OS as a background task. Leastways this is how it works with the NT extensions and the real-time Linux extensions; I have not seen extensions for other OS's, although AFAIK QNX basically works along the same lines (normal tasks are launched by a regular scheduler that runs as a background task of the hard scheduler).

This means that the RT performance and stability are primarily issues of the RTOS code, and not the host OS. This thread appears to have blurred this distinction.

But there is another issue. If we take an automation system, our mission critical core code will be under RTOS control, the host OS is used for the user interface, communications with the rest of the world, and general system housekeeping.

Frankly, having used GUI builder software to make UI's on a variety of systems ('nix, windows and MAC), I find that there is no fundamental difference to the platform being used, i.e. they are all pretty much the same. As for general system housekeeping and communications, the success of 'nix, and in particular Linux and FreeBSD, as internet server platforms and general file/print servers would suggest they have much to offer in this area. Indeed in IT circles Linux enthusiasm seems to have reached epidemic proportions, with the W2K launch being somewhat obscured by the latest Linux kernels with features such as journaling file systems that W2K, for all its monstrosity, simply does not have, not to mention that Linux is already up and running in full 64-bit mode on the new Merced processor (the porting, which was done in-house by Intel, was made easy by the fact that Linux has been running as a 64-bit system for several years on Alpha and Sparc platforms).

So now I find myself burning up the midnight oil polishing my windows skills to deploy NT in automation, and yet I do not understand WHY I am doing this (other than the rather stupid reason 'it is what everybody else is doing'). I had expected (hoped?) that as I delved more deeply into windows its advantages would rub off on me, but the reverse is happening.

Here, IMHO, are some of the advantages Linux would appear to offer over NT in the automation sector:

Linux tends to take the simplest and most straightforward approach, rather than trying to package things into complex proprietary 'technology packs'. This makes it smaller and more efficient (less hardware required), and more stable as there is less to go wrong or be incorrectly configured.

Linux systems, kernel included, are very easy to customise to make minimal systems, or high powered systems, or whatever. There are also many Linux distributors who supply systems pre-customised for specific application sectors (BTW, Zenotropic do a Linux distro with Real-Time extensions ready to go, as do Hard Hat Linux, whose distro is designed for Compact PCI systems).

The loadable kernel modules feature of Linux allows dynamic re-configuration, i.e. no re-boots. It also makes a higher degree of driver optimization possible. Used in conjunction with the Plug-and-play support, it allows resource overloading, which is especially useful on development systems.

Kernel modules (device drivers and other) are very easy to develop, so easy that application developers can easily learn how to develop their own. As a device driver can handle interrupts, this can in many cases alleviate the need for real time scheduling. For instance, if you need to support a tricky time critical serial protocol, you can implement it as a kernel module. I also believe that the simplicity of writing modules/drivers for Linux is a key to its stability; after all, device drivers are often blamed as the cause of NT instability.

The unified tree approach to the filesystem layout allows a consistent approach. Is there really no way to mount partitions on the root tree under NT? Is there really no equivalent of symbolic links? Apart from helping a neat layout of the system, I also know a lot of useful tricks that can be done with symlinks.

Linux configuration is generally done by means of ASCII files. These may contain 'help text' inline, and also allow you to add your own comments and leave previous configurations commented out. So if you change the configuration you comment out the previous line(s), modify a copied version, and add a comment so you and others know about the change and what the previous settings have been. This may sound silly, but I think this is far better than the registry. People tell me the registry is so good, but never give me a valid reason why. After all, I can parse and write ASCII files with just about any software, I can use Find/Replace and macro tools in a text editor to manipulate them (not to mention the power of SED), and I can easily cut and paste snippets of configurations from one file to another (for example on another machine).

Linux distros come with a wide range of tools ready to use and free. The reality of this struck me the other day when I wanted to take a photo CD image, manipulate it, and save it as a jpeg. I went and opened the paintbrush program under NT and found it had basically not changed since Win3.1. I could not even find a program to read the photo CD format. A colleague suggested I use Photoshop. That may be a valid answer if I were a graphic artist, but all I wanted to do was a splashscreen. While it is true that a full time C++ programmer would likely want a full-blown commercial package with hotline support such as the Cygnus kit, it is ALSO nice to be able to knock up little programs, in just about any language, using simple tools supplied with the OS. I can extend NT with add-ons (invariably nag-ware), but then things become inconsistent. I can grep a compressed file on any Linux system; on windows I need a shareware package just to de-compress the file, and when working on a system in the field it is likely that these tools are not present.

Linux runs on a vast range of hardware, from flash based credit card sized computers based on low power ARM processors through to IBM 390 mainframes. The latter point is interesting: these mainframes are designed for processing huge volumes of transactions, and can handle multiple OS's running at the same time in much the same way as our RTOS can schedule a host OS to run as a background task. IBM offer Linux on these platforms as an auxiliary OS, to do general housekeeping, provide user interfaces, and communicate with the rest of the world. Deja vu.

In Linux Open means......open. When you get that obscure error message, you really can trace back the problem to its source and fix it. Ever had a program that could do what you wanted but did not allow you to change a silly little configuration, or was missing a stupid feature?

Remote administration, headless operation, remote terminals (text and graphic). These things are standard and very easy under Linux. They are also very useful in automation applications. Under NT they are add-ons, and messy, and IMHO limited (well, can I run QUAKE from a remote terminal? I can on Linux using the standard software and configuration ;-) ).

Multiple window manager/GUI options, which I can use concurrently, so I can have the 'application' on one desktop setup, and toggle to another, completely different type of desktop, for administration purposes, particularly useful if the app desktop has no general controls, as we mentioned at the start.

A command line that works, including cut and paste with the mouse.

TCP/IP communications under Linux are robust and standard. I have found that TCP/IP under NT has many quirks. For example RPC's do not appear to work with anything other than themselves, which rather ruins the whole concept of them. The NT ftp server seems to put a lot of client software in difficulty. The telnet is berserk, almost unusable, and has been like that for years. Does nobody ever fix things at Microsoft? Speaking of Telnet, how do you Telnet into an NT machine?

Filesharing (exporting files) using SMB (the default windows protocol) appears (ironically) easier to administer and more flexible under Linux than it is on its native platform. I particularly like the fact that I can configure the whole setup from a single ASCII file. I can do configurations that do not seem possible under NT. For example, I can export to the net to appear as a W95 machine in a peer network, and yet each user who accesses sees the shares I say they will see, and of course they read and write and access with their own permissions on the filesystem, as if they were on an NT server. This gives the protection of NT server without the hassle of domain administration, which is more trouble than it is worth on small networks.

Oh I could go on, but let's stop there. I AM NOT TRYING TO START AN OS HOLY WAR, so please do not get into the silly comments domain. I am hoping that people will tell me ways I can do these things on NT, or if not, why I am better off using it. I seem to be condemned to use it at the moment 'just because everybody else does'. Somebody please give a better reason than that.

By Davis Gentry on 24 February, 2000 - 9:35 am

--- roger Irwin <irwin@MAIL.COM> wrote:
lots of pro Linux stuff...

Great stuff, Roger. Sounds like you have a mirror image of my experience - mine is mostly NT with a fair bit of HP-UX and Solaris thrown in (and a tiny smidgen of QNX).

I agree with a great deal of what you have to say.

A couple of points:

I think there are only two real reasons to use NT over (your favorite OS here).

1) Everyone has Windows at home - NT looks the same as Win9x, so the users are not as intimidated by it. This is also a major disadvantage because, as you pointed out, they are often more willing to go in and monkey with stuff than they would be on a command line nix machine.

2) Everyone is using Microsoft Office. And for getting data from the factory floor to the accounting office in a hurry (or orders in the other direction) it is awfully easy to set up a SQL database that takes data from your Windows application in the factory and feeds it to the Windows application on the CPA's desktop. Getting data to and from the factory is one of our next big jobs in this field. If you are not already doing it you will be soon.

If you use Embedded NT you can get the exact same scalability in terms of OS size and complexity that you get with Linux. The big disadvantage is that it is very expensive. The big advantage is that even part-time administrators, like most of us controls engineers are, can use the GUI configuration to build a kernel with an absolute minimum of consulting the book to remember the exact syntax for setting up the driver. And yes, I fully agree that Windows (any version) is the worst collection of code bloat found on the planet.

You can get that bare green screen on startup by using the policy editor found in the Windows NT Resource Kit (poledit.exe).

You can mount partitions (or directories for that matter) simply by sharing that partition or directory, then mounting the share name from your remote computer. The default share for any partition is the administrative share, which is the partition letter followed by '$', so for c:\ the admin share is \\computer name\c$ - anyone who has admin privileges can grab it at any time.

I do true system administration/configuration tasks at most a couple of times a week. Heavy duty hard core configuration/administration - maybe once a month. When I was working with HP-UX and Solaris in a similar amount, whenever I had to do any heavy duty work I spent half my time going through books to remember the correct syntax for that command line stuff (yes, HP-UX has a gui sys admin utility group, but half of the important stuff you can't do through it, and the other half is faster and cleaner if you do it command line, even counting the book time). NT is a true gui driven OS - so it is a matter of remembering basically where I need to go, recognizing the cues that I am given once I get there, and digging in. Which is a good thing, since 99% of the books out there are aimed at IS types who rarely want to set up systems the way we do.

The ASCII file configuration certainly sounds really good.

MS Image Composer can edit/import/export your photos. No idea where I got it from - probably a WinNT disk.

If I fully understand symbolic links then there is a way to do this with NT. In the Control Panel>System utility, Environment tab, define a variable. For example, say that you are hitting a UNIX server and want to link to a path - define variable name UNIX_PATH, value \usr\bin. Then you can call this link elsewhere by the syntax %UNIX_PATH% wherever you need to insert that link.

Davis Gentry
Controls Project Engineer
Carpenter Company

By Roger Irwin on 5 March, 2000 - 1:35 pm

> 2) Everyone is using Microsoft Office. And for getting data from the factory floor to the accounting office in a hurry (or orders in the other direction) it is awfully easy to set up a SQL database that takes data from your Windows application in the factory and feeds it to the Windows application on the CPA's desktop. Getting data to and from the factory is one of our next big jobs in this field. If you are not already doing it you will be soon.<

This is exactly the sort of thing I am doing. Currently I am using Borland C++Builder, but there is nothing here that could not be done on 'nix in the same way. Actually I could do it more easily, but perhaps this is because I know 'nix better. Come to think of it, the Inprise SQL server you get with C++Builder also runs under Linux, so I could do it the SAME way, with the remote access advantages thrown in for free, but I am trying to convince myself that windows is somehow better at this.


> If you use Embedded NT you can get the exact same scalability in terms of OS size and complexity that you get with Linux. The big disadvantage is that it is very expensive. The big advantage is that even part-time administrators, like most of us controls engineers are, can use the GUI configuration to build a kernel with an absolute minimum of consulting the book to remember the exact syntax for setting up the driver.<

Can you compile an NT kernel and dynamically configure it with modules? This sounds great, I would love to cut NT down to size, not to mention eliminate all those reboots. How do you do it?

> You can get that bare green screen on startup by using the policy editor found in the Windows NT Resource Kit (poledit.exe).<

Poledit from the Windows NT resource kit seems to be proposed as a solution to so many problems that I would expect to see it in pole position on the Start Menu. Instead, I cannot find it at all. I carefully checked the 'custom' options on the install menu, and no mention of it. Is it in a service pack or something?

> You can mount partitions (or directories for that matter) simply by sharing that partition or directory, then mounting the share name from your remote computer. The default share for any partition is the administrative share, which is the partition letter followed by '$', so for c:\ the admin share is \\computer name\c$ - anyone who has admin privileges can grab it at any time.<

That's a clever work around, is there any performance hit? Also, what about sec. issues. I assume that any user who will use such links must have network access to the machine, i.e. an operator's login can be used to access a machine remotely.

> The ASCII file configuration certainly sounds really good.
>
> MS Image Composer can edit/import/export your photos. No idea where I got it from - probably a WinNT disk.<

Not mine. Do US distributions of NT have software that the Italian ones do not? Although I have always been using NT workstation, perhaps a lot of commands people keep talking about are only on NT server.

> If I fully understand symbolic links then there is a way to do this with NT. In the Control Panel>System utility, Environment tab, define a variable. For example, say that you are hitting a UNIX server and want to link to a path - define variable name UNIX_PATH, value \usr\bin Then you can call this link elsewhere by the syntax %UNIX_PATH% wherever you need to insert that link.<

Not quite the same though, is it. For example one use for symlinks is for dealing with programs that have their own ideas about where files/directories should be. Another is for extending space on a full disk by moving chunks to another linked area. Sometimes you can get away with NT 'gra[...]s will not be fooled by this.

By Davis Gentry on 5 March, 2000 - 2:02 pm

> Can you compile an NT kernel and dynamically configure
> it with modules? clip... How do you do it?

Yes - but you have to buy the Embedded NT toolkit from MS, plus the licenses. Not cheap, but reasonably painless to learn and use.

> Poledit from the Windows NT resource kit seems to be
> proposed ...

You have to buy the NT Resource Kit - it is a separate CD with utilities, etc. Been a while since I bought it - maybe $200??? Check with CDW.

> Thats a clever work around, is there any performance
> hit?

No more so than anything else done across the network - very dependent on traffic.

> Also, what
> about sec. issues. I assume that any user who will
> use such links must have network access to the
> machine, i.e. an
> operator's login can be used to access a machine
> remotely.

Just set permissions under the security tab for the directory/drive when you set up the share. The user has to belong to a group which has permissions, or has to be specifically allowed to access the share.

Davis Gentry
Controls Engineer
Carpenter Company

By Johan Bengtsson on 5 March, 2000 - 2:12 pm

>> You can get that bare green screen on startup by using the policy editor found in the Windows NT Resource Kit (poledit.exe). <<
>
>Poledit from the Windows NT resource kit seems to be proposed as a
>solution to so many problems that I would expect to see it in pole position
>on the Start Menu. Instead, I cannot find it at all. I carefully checked
>the 'custom' options on the install menu, and no mention of it. Is it in
>a service pack or something?

It is a program that comes with "Windows NT Resource Kit", something you have to get separately.


>> You can mount partitions (or directories for that matter) simply by sharing that partition or directory, then mounting the share name from your remote computer. ...<clip> <<
>
>That's a clever work around, is there any performance hit? Also, what
>about sec. issues. I assume that any user who will use such links must
>have network access to the machine, i.e. an operator's login can be used
>to access a machine remotely.

Everyone with a username and password that passes for an administrator on that particular computer can access these shares. The security for each file and directory is then added to this (an administrator does probably have access to most files). What passes as an administrator on the computer is anyone present in the local administrators group. This normally includes all domain administrators. Performance: same as for all other network shares.


>> If I fully understand symbolic links then there is a way to do this with NT. ...<clip> <<
>
>Not quite the same though, is it. For example one use for symlinks is
>for dealing with programs that have their own ideas about where
>files/directories should be. Another is for extending space on a full
>disk by moving chunks to another linked area. Sometimes you can get away
>with NT 'gra[...]s will not be fooled by this.

A symbolic link in *nix (as far as I have understood it) is what the windows .lnk file tries to provide (it doesn't succeed). It is a reference to something else, but in *nix it is handled by the OS in a much more transparent way and can refer to a directory as well as to a file.


/Johan Bengtsson

----------------------------------------
P&L, the Academy of Automation
Box 252, S-281 23 Hässleholm SWEDEN
Tel: +46 451 49 460, Fax: +46 451 89 833
E-mail: johan.bengtsson@pol.se
Internet: http://www.pol.se/
----------------------------------------
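The exposure Johan and Davis describe above (every member of the local Administrators group, domain administrators included, can open the automatic C$ and ADMIN$ shares, and a hand-made share is only as tight as its share-level ACL) can be checked on a present-day Windows host with the following audit script. It is an added example, not code from the thread; it assumes a Windows 8 / Server 2012 or later machine with PowerShell 5.1, where the SmbShare and Microsoft.PowerShell.LocalAccounts modules exist (none of this was available on NT 4).

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1 on Windows 8 /
# Server 2012 or later, run in an elevated session on the machine being audited.
# These cmdlets did not exist on NT 4; the exposure they report did.

# 1. Who "passes as an administrator" on this computer? Every principal listed
#    here (nested domain groups such as Domain Admins included) can open the
#    hidden administrative shares such as C$ and ADMIN$.
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Which shares exist, and which of them are the automatic administrative
#    shares? 'Special' is $true for the <drive>$ and ADMIN$ shares that Windows
#    creates by itself; they cannot be ACLed more tightly than "administrators".
$shares = Get-SmbShare
Write-Host "Automatic administrative shares (reachable by every local admin):"
$shares | Where-Object Special | Select-Object Name, Path | Format-Table -AutoSize

# 3. For every share an engineer created by hand, show the share-level ACL.
#    The NTFS permissions on the directory apply underneath this, so a share
#    should be restricted to a named group rather than left wide open.
foreach ($s in ($shares | Where-Object { -not $_.Special })) {
    Write-Host "Share $($s.Name) -> $($s.Path)"
    Get-SmbShareAccess -Name $s.Name |
        Select-Object AccountName, AccessControlType, AccessRight |
        Format-Table -AutoSize
}

# 4. Flag the weak pattern explicitly: a manually created share that grants
#    'Everyone' at the share level relies entirely on NTFS permissions to stay safe.
$wide = foreach ($s in ($shares | Where-Object { -not $_.Special })) {
    Get-SmbShareAccess -Name $s.Name |
        Where-Object { $_.AccountName -match 'Everyone$' -and "$($_.AccessControlType)" -eq 'Allow' } |
        Select-Object @{ n = 'Share'; e = { $s.Name } }, AccountName, AccessRight
}
if ($wide) {
    Write-Warning "Shares granting Everyone access at the share level:"
    $wide | Format-Table -AutoSize
} else {
    Write-Host "No manually created share grants Everyone at the share level."
}
```

The fix for a share flagged in step 4 is the one Davis describes: grant the share to the specific group that needs it and let the directory's security tab do the rest.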

By Al Pawlowski, PE on 24 February, 2000 - 4:16 pm

When you try to change the herd's direction you often get some growling; sometimes you get stomped.

Even though they are seldom optimal for any particular task, MS products overwhelmingly have the momentum right now. Given our nature, they may well have it a while longer.

For now, I plan to go along enough to minimize the stomping and smile back at the growls.

By Anthony Kerstens on 25 February, 2000 - 3:45 pm

Yet another decision made. I understand this because the end user should always be consulted as to his requirements. That said, that conversation with the end user is a prime opportunity to be nice, smile, and argue your point of view.

You can't make an omelet without breaking a few eggs. The trick is which eggs get broken.

Also, don't forget that the herd mentality gave MS a foothold in the first place, at the expense of other companies who had superior products.

Anthony Kerstens P.Eng.

By Pierre Desrochers on 25 February, 2000 - 9:12 am

Roger - We are using NT because we can pick up the phone and talk to dozens of people for solutions when something does not work ... for Linux it's not the case ... but will be soon and then we will switch our area of expertise and integrate our apps to Linux... but then everybody will be doing the same ... and then someone will build a better mouse trap... Applications running on Linux will multiply... diversify... We will get them from everywhere in the world ... and then Linux will start experiencing the same problem as NT.

A typical PC has suffered the installation of dozens and more software packages with poorly written drivers. Some of them left behind traces of code... these are the most likely responsible for 80% of our problems... the next 10% comes from bad configuration and the last 10% does not exist (ask Bill, he'll tell you...)

I strongly believe that since NT is more widely spread, the result is more bad programmers are influencing its development; this will be the same with Linux...

We have just found the origin of a memory leak in an NT loaded with a SCADA app. How would Linux differ from NT in this case... the Software package was just not good ...

Pierre -

By David Gwinup on 25 February, 2000 - 4:02 pm

What you fail to take into account is the issue of open-source versus non open-source. Linux is open-source, which means that ANYONE can go in and fix a bug with the system. In fact, by the time you discover a bug, it's likely that someone has already patched it. Compare this to Windows NT where there are quite a number of known issues/bugs but nobody can fix them except Microsoft. There are plenty of known bugs in Windows NT 4.0 that Microsoft has stated they don't plan to fix. The solution is upgrading to Windows2000, and of course paying Microsoft the appropriate license fees to do so. If such problems were encountered under an open OS such as Linux, you could fix the bugs yourself.

This is also true for drivers. Have a buggy driver in Linux? Fix it yourself. Have a buggy driver in NT? Live with it.

How many applications do you install/de-install on a PC that is intended for process control anyway? I would hope that only the minimum required software is installed. Anything more and you're asking for trouble--on any OS.

By R A Peterson on 5 March, 2000 - 1:49 pm

Reportedly there is a list of > 35,000 known bugs in Windows 2000 in the released version.

By Mark Blunier on 28 February, 2000 - 9:25 am

Unfortunately, you seem to be the exception. I find it is much easier to find both people and documentation describing how to do things under Linux, which under NT I can't. For instance, I would like to set up a system that will allow someone to make a ppp connection by dialing into the plant to initiate the connection, but then have the plant hang up the phone and dial back to complete the connection. I did it under Linux; unfortunately, the program that I want to run on the remote system only runs under NT. I've searched Microsoft's knowledge base, done newsgroup searches, and web searches, but I haven't found any documents describing how to do it under NT.

Mark Blunier
Any opinions expressed in this message are not necessarily those of the company.

By Davis Gentry on 5 March, 2000 - 2:07 pm

> I would like to set up a system that will allow
> someone to make a ppp connection by dialing into the plant to initiate the connection, but then have the plant hang up the phone and dial back to
> complete the connection. I did it under Linux,
> unfortunately, the program that I want to run on the remote system only runs under NT. I've searched Microsoft's knowledge base, done newsgroup searches, and web searches, but I haven't found any documents describing how to do it under NT.<

I'm out of town right now, but this seems kind of interesting - I'm going to check it out when I get back - maybe there is something on TechNet to describe it - when setting up a dial-up-networking connection you have the option to set it up as dial-up, or dial-up and call back. If it is set up as dial-up and call back you have to configure your RAS server to call back after authentication - but I just looked on my laptop running NTW 4.0 - RAS doesn't have anything about call back - maybe it's just an NTS feature???

Davis Gentry
Controls Project Engineer
Carpenter Company

By Roger Irwin on 28 February, 2000 - 2:54 pm

Pierre Desrochers wrote:

> .. and then Linux will start experiencing the same problem as NT.
> A typical PC has suffered the installation of dozens and more software
> packages with poorly written drivers.

No, things are a bit different with open source. Also, the Linux philosophy is to integrate and re-use and simplify, rather than to compete by adding on more. Some wit recently remarked that the Linux user base is growing at about the same rate as NT source code. I think that sums it up really.

You see, although Linux is now distributed and supported by commercial companies, these companies do not get to define how the core stuff evolves; development is led by users and programming purists, not marketing focus groups. There is a difference.

Have you ever looked at the Linux kernel source code? It is surprisingly readable code. For me it has served as an inspiration for how I write my own software. Not too spartan, not too complex. Clear and straightforward. BTW, in the guides section of the LDP (www.ldp.org) there are several documents that will help you understand the big picture.

> We have just found the origin of a memory leak in an NT loaded with a SCADA
> app. How would Linux differ from NT in this case... the Software package
> was just not good ...

Linux is simpler than NT, it is easier to get it right. It is also easier to understand what your code should be doing when you can see what your app is calling (and trace into it with a debugger).

By Ranjan Acharya on 5 March, 2000 - 1:42 pm

Just to add my two-pence worth since this has turned into the semi-annual Linux versus Windows NT debate.

1. Which flavour of Linux are you talking about? Not as badly fragmented as Unix yet, but getting there.

2. Do you have time to go into the source code of Linux and fix bugs? I do not. Many service calls are at obscene hours in out-of-the-way locations; I cannot imagine wanting to spend extra time there investigating problems with the OS source code or a driver source code.

3. If you did fix a bug (for free, whose customer is going to pay for the time you spend playing with Linux?), who is going to pay for the additional time to go out and report it and so on.

4. Does Linux have the depth of support in the marketplace that NT has?

5. In "normal" installations of Windows NT, how many problems are people really having? We have installed several SCADA packages under the NT umbrella -- Wonderware, RSView, FactoryLink, Intellution and so on. They all work fine. We have also installed AB's NT-engined PLC; it works fine too. From personal experience, if you use a good-quality well-engineered PLC with off-the-shelf standard parts, then you should be fine. The downside of NT is when you stray from the norm -- big trouble.

6. Straight Windows NT is not real time. Nor is straight Linux.

I still personally prefer a sealed automation solution where the operating system is irrelevant.

Ranjan Acharya 905-634-0844 x 238 (V)
Team Leader - Systems Group 905-634-9548 (F)
Grantek Control Systems http://www.grantek.com/
Ranjan.Acharya@grantek.com
Ranjan.Acharya@ieee.org

By R A Peterson on 5 March, 2000 - 2:00 pm

> 4. Does Linux have the depth of support in the marketplace that NT has? <

A better question might be to ask: does NT have the depth of support you think it has? My experience with NT is that when it works it's great. When it has problems it's a big-time problem that often has no easily determined solution.

For example: my nice new laptop came with NT. I also have a nice new PC card modem/ethernet card. When I insert the PCCard and power up, NT locks up and I cannot even get the logon screen (I do get the message that says ctrl-alt-del to logon). All our NT experts and various tech supports at Dell and 3Com are baffled. So am I. I have reloaded various pieces of software and reloaded and removed so many drivers I am about sick.

By C. Thomas Wiesen on 7 March, 2000 - 9:32 am

I'm no expert, but I would agree. I think that there are a huge number of people with moderate "NT" experience but very few REAL experts that can identify particular driver problems and actually solve them (not band-aid patches or workarounds). I suspect that since Linux is open, there are as many or more REAL experts that can identify and actually solve the weird hardware and software problems. Since NT is closed, only the author can help you fix a core code problem. With Linux, the code is usually available for you (or a resident expert) to look at and debug.

--
C. Thomas Wiesen
Kukulu Automation

By Pravin Fatnani on 15 March, 2000 - 4:54 pm

I faced a very similar problem recently...... wanted to try the old Creative SB16, a 16-bit sound blaster card (which came with only drivers for Win95 & 3.1) on a PII NT4.0 machine, hoping to download and install an NT driver for the same. But NT refused to behave properly - the explorer did not start and the desktop remained blank. Did not try any further with that.

Pravin Fatnani

By Sam Moore on 5 March, 2000 - 1:53 pm

Right. And the 60's were all about peace and love.

Competent people with good experience with just about any operating system can make them do what they need. This type of talk should go somewhere else. Can someone please create a new mailing list for this type of discussion - maybe it could be called: operating-system-religious-fundamentalism.

By Phil Covington on 25 February, 2000 - 9:26 am

Roger,

If you like Unix/Linux better than NT then use it! Reading your message has left me wondering who you are trying to convince... us or yourself? Or is this just a troll?

If you are really not "TRYING TO START AN OS HOLY WAR" then I would suggest you try not referring to Windows 2000 as a "monstrosity" and refrain from comments such as being "condemned" to use NT.

No one is forcing you to use NT. Unfortunately, not everyone shares your lovely vision of Linux/Unix as the cure for all human suffering...

I use both Windows and Linux; there are things that I both like and dislike in each operating system. But I don't worship Saint Linus... or Saint Bill.

Regards,

Phil Covington

By Curt Wuollet on 5 March, 2000 - 1:52 pm

roger Irwin wrote:

>...<clip>
> Oh I could go on, but let's stop there. I AM NOT TRYING TO START AN OS HOLY WAR, so please do not get into the silly comments domain. I am hoping that people will tell me ways I can do these things on NT, or if not, why I am better off using it. I seem to be condemned to use it at the moment 'just because everybody else does'. Somebody please give a better reason than that.<

Hi Roger,

You don't have to start an OS holy war. The automation market is like those last remote places in China where they never heard, didn't want to hear and didn't believe there was a war once they heard. The last stronghold where proprietary is a good thing, customer lock-in is to be admired and communication and interoperability are dangers to the state. The world that you and I know, where people use the same standards so we can cooperate and build on the work of others, is a foreign fantasy, a big lie spread to corrupt and destroy this orderly feudal state. It is officially discredited by waves of propaganda telling the people they are already free and everything is already "open". What possible good could come from a common language or protocol? No, the only good things are controlled by large companies that can prevent any of that interoperability nonsense. The feudal lords all pay homage to the King and swear their allegiance in return for his favor. That's the way of things and you should be severely chastised for disloyalty and treason. Why, that could start a mutiny or even rebellion.

Regards

Curt Wuollet, Owner
Wide Open Technologies.

By Ranjan Acharya on 22 February, 2000 - 4:55 pm

Sorry to get the Linux people upset, I was not comparing Linux to Windows NT but Linux to Unix -- and this is not my opinion -- hence "from what I read"! I personally think that NT is not secure at all.

RJ

Ranjan Acharya 905-634-0844 x 238 (V)
Team Leader - Systems Group 905-634-9548 (F)
Grantek Control Systems http://www.grantek.com/
Ranjan.Acharya@grantek.com
Ranjan.Acharya@ieee.org

By Anthony Kerstens on 24 February, 2000 - 9:07 am

This is all very interesting. However, one thing that sticks in my mind is that there is not a thing made by Man that cannot be broken into or disabled by some ingenious character.

I might come off as a fatalist, but the best anyone can truly hope for is to decide from a range of options and pray it is good enough. That's where risk analysis comes in.

Anthony Kerstens P.Eng.

By Richard Dewees on 16 February, 2000 - 3:10 pm

Use system policies that allow them to run only specified Windows programs.

By Davis Gentry on 17 February, 2000 - 9:34 am

Give them user ids with absolutely minimal permissions. Get rid of the "run" button from the startup bar. Allow them write access only to directories which absolutely require it. Do not allow them access to Windows Explorer or the internet unless required.

Most importantly - once you have the security set up, USE IT. Use auto login so that no one complains about forgotten passwords. Hand out the admin password to a VERY small group of people, and make sure that the ones you hand it to are both trusted and capable. Then keep backups (we use ghost.exe to keep a base image on a cd for every machine in every plant we have) handy so that the plant can quickly and easily restore the hard drive to its original state. As a part of this, make sure your recipes are regularly backed up, preferably across the network to a server.

All of this can be set up fairly rapidly, and saves you LOTS of time trying to figure out why your controls .exe stopped working when an operator either deleted a critical file, or moved it, or loaded something else which overwrote the .dll which is being called by your .exe. This is not necessarily to imply that your (or our) operators would do this deliberately, but I have seen MANY people move files using Windows Explorer by drag and drop without realizing that they did it.

Basically, when used like this, NT is set up just like a UNIX box. How often have you had problems with people loading DOOM! onto your HP-UX or Solaris box? And how often have users complained because they can't load DOOM! onto that SCO box? People think that because Windows is so ubiquitous both at home and at work that they can do anything on it. This attitude can be seen both in users and in IS people (and though I hate to say it, in engineers as well). It doesn't often occur that a relative neophyte is made system administrator for a Solaris box, but as Windows is seen as being easy to use it can frequently happen that full sys admin privileges are given to far too many users on an NT box.

Ok, rant.mode=FALSE

Davis Gentry
Controls Project Engineer
Carpenter Company

By Steve McAlpin on 18 February, 2000 - 11:12 am

Hi Davis,

I totally agree with you and am trying to do the same on my NT system. Could you help me out with something, though? I have looked at all the Microsoft documentation and can't find anywhere where it says how to remove the Run command, and for that matter everything, from the Start button on Windows. I would also like to disable the right click button on the Start button so my operators can't get to Explorer. If you know where I can get this information or can e-mail me the information I would appreciate it. Thanks.

Steve McAlpin
Controls Supervisor
Calleguas MWD

Have you tried using the policy editor (poledit.exe, I think)? It may only come with NT Server, however. Maybe it could be obtained from Microsoft's web site.

Bill Sturm

By Davis Gentry on 22 February, 2000 - 11:05 am

Best thing to do is buy the Windows NT Resource Kit. It has a utility called poledit.exe, which allows you to build policies for users and usergroups. It gives you a gui that you can learn in about 10 minutes if you already have sys admin experience. Most of the stuff you need can be found under the "System->Restrictions" and "Shell->Restrictions" directories. Also go through the profile under the \winnt\profiles directory and make sure that everything you want the user NOT to see is not in the Desktop or Start Menu directories.

Davis Gentry
Controls Engineer
Carpenter Company
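The Shell->Restrictions settings described above, together with Richard Dewees' "run only specified programs" suggestion, come down to a handful of per-user registry values. As an added example (not from the thread and not Microsoft's tooling), here they are written directly with PowerShell; `hmi.exe` is a placeholder for the operator interface executable, and the script assumes it is run in the operator account's own session, since HKCU is that account's hive.

```powershell
# Added example: writes the per-user Explorer restriction values that the NT
# policy templates' Shell->Restrictions entries set. Run it while logged on as
# the operator account (HKCU is that account's hive), never as the administrator,
# or you lock yourself out of Run and Explorer too.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null

# 1 = restriction on. Names are the documented policy value names.
$restrictions = [ordered]@{
    NoRun          = 1   # remove "Run..." from the Start menu
    NoFind         = 1   # remove "Find..." from the Start menu
    NoSetFolders   = 1   # remove Settings (Control Panel, Printers) from the Start menu
    NoDesktop      = 1   # hide desktop icons, so nothing gets dragged or deleted there
    NoClose        = 1   # remove "Shut Down" from the Start menu
    NoSaveSettings = 1   # do not save desktop/taskbar changes at logoff
    RestrictRun    = 1   # Explorer launches only programs listed under RestrictRun
}
foreach ($name in $restrictions.Keys) {
    New-ItemProperty -Path $policy -Name $name -PropertyType DWord `
        -Value $restrictions[$name] -Force | Out-Null
}

# Allow list for RestrictRun: string values named 1, 2, ... holding bare file names.
# hmi.exe is a placeholder for the operator interface executable.
$allowed = @('hmi.exe')
$runKey = Join-Path $policy 'RestrictRun'
New-Item -Path $runKey -Force | Out-Null
for ($i = 0; $i -lt $allowed.Count; $i++) {
    New-ItemProperty -Path $runKey -Name ($i + 1) -PropertyType String `
        -Value $allowed[$i] -Force | Out-Null
}

# Show what was written; the shell applies it at the next logon.
Get-ItemProperty -Path $policy |
    Select-Object NoRun, NoFind, NoSetFolders, NoDesktop, NoClose, NoSaveSettings, RestrictRun
Get-ItemProperty -Path $runKey
```

RestrictRun only filters what the Explorer shell itself starts; a program launched from a command prompt or from another already-running application is not covered, which is why the advice above also removes Explorer access and keeps NTFS write permissions to a minimum.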

By Anthony Kerstens on 15 February, 2000 - 12:15 pm

Software programs have their own priorities!!!!

I had a similar problem playing MP3's. Every time I typed or used the mouse, the music would chirp or cut out entirely. However, I checked through the options and found some settings that allowed the player to take higher priority. Don't ask me what they are since I don't have that particular machine anymore. However, it did make it work.

Anthony Kerstens P.Eng.

Hi Mark

There are a number of tools that allow an administrator to control exactly what, if anything, can be run on an NT machine. For example, Microsoft supplies ZAK (Zero Administration Kit) which can force a PC to be a single task machine and NOT let an operator run Control Panel, Explorer, etc. There are also some better 3rd party products that we have used, but their names escape me at the moment.

Regards
Eric Byres
Artemis Industrial Networking

I have only found one reliable way to secure a computer running an operator interface from being broken by an operator, that is to lock out all access to the operating system. On NT, this means installing a keyboard trap to prevent ctrl-esc, alt-tab, ctrl-alt-del, etc. The operator interface application has to be made full-screen so that the desktop and taskbar are inaccessible.

Until recently I have been adamant about doing this for two reasons. First, like I would tell the operators during training, that may look and smell like a computer but it is really a piece of plant equipment with the specific purpose of controlling and monitoring the plant's operation, so treat it like that. Second, when I didn't lock down the system, I would get calls at all hours from operators telling me the computer screen went "crazy" on them. This was usually caused by someone dragging a window almost completely off the desktop or running 114 copies of Solitaire.

Lately, I've been re-thinking this. Most operators that I have worked with in the last two years already know Windows, have a computer at home, and don't make the mistakes that operators have in the past. There is some added value, in terms of flexibility, that a windowed application has over a full screen application.

Jay Kirsch
Macro Automatics
2985 E. Hillcrest Drive, Ste 101
Thousand Oaks, CA 91362
jkirsch@macroautomatics.com