I have done some tests around security with ipisql.exe.
Even by restricting the rights to the maximum on my server (disable API trusts), I can still access the data. How to secure this point?
Hello bertrand SAVOURNIN,
When you modified the security slider, did you restart the PI Base Subsystem? This needs to be done for the new security policies to take effect. In PI SMT > Operation > Network Manager Statistics you can view how the application is authenticating and modify that trust.
The ipisql.exe utility communicates with the PI SQL Subsystem which is used by only two things: the PI ODBC Driver Version 1.3 and the GetPointsSQL call in the PI SDK. The latest version of the PI ODBC Driver is 2015 and does not use the PI SQL Subsystem. If you are not using the PI SDK's GetPointsSQL either, you could use the Windows Services applet to disable the PI SQL Subsystem completely. The PI Data Archive will run just fine without it.
The Advanced Search tab in Tag Search (available in SMT, About-PISDK, older versions of PI Datalink and PI ProcessBook) uses the GetPointsSQL call so it will also be unavailable if you disable the PI SQL Subsystem on the PI Data Archive machine.
You can also disable the service by opening an administrative command prompt and running net stop pisqlss.
net stop pisqlss will only stop the service, but it won't change the service to be disabled. If you would like to do this via administrative CMD, after stopping the service (e.g. with net stop pisqlss), the SC utility can be used:
sc config pisqlss start= disabled
Or, as Ray said, just use the services applet.
Also, generally speaking, if you are looking to 'block' a connection, there are multiple ways you could do this:
In this case with ipisql, it is most likely running locally on the PI Data Archive server. Are you not aware of and able to stop what is running it? It's probably authenticating using the loopback trust, so another viable option if you do not want it connecting anymore is to deny execute permissions on the ipisql.exe itself (or to stop whatever's running it if you can). This way you do not need to disable pisqlss, in the case that you need to use it (for whatever reason).
As Kristian stated, you need to restart PI Base Subsystem for the slider bar (Server_AuthenticationPolicy parameter) to take effect; but also if the application is still connected, you will need to disconnect it and only upon reconnection will you see it blocked. Also a word of caution: disabling API trusts disables the main authentication method which most PI interfaces depend on. Please be careful that you do not block out your interfaces and cause unintentional data loss.
Oh, the subtle mistakes I make... Thanks for the correction!
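The stop-and-disable steps discussed in this thread, as an added PowerShell example (not posted by any participant and not vendor code). It assumes the service name pisqlss given in the thread and an elevated session on the PI Data Archive machine; the function name Disable-PiSqlSubsystem is hypothetical.

```powershell
# Added example: stop the PI SQL Subsystem service, disable it, and verify
# the result. Assumes the service name 'pisqlss' from the thread.
function Disable-PiSqlSubsystem {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'pisqlss'
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found on $env:COMPUTERNAME."
        return
    }

    # Record state and start mode before changing anything.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $ServiceName -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }
        # Stopping alone is not enough: the service would start again at boot.
        Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction Stop
    }

    # Re-query so the report reflects what the Service Control Manager holds now.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Service     = $ServiceName
        StateBefore = $before.State
        StartBefore = $before.StartMode
        StateAfter  = $after.State
        StartAfter  = $after.StartMode
        Hardened    = ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled')
    }
}

# Dry run: reports the current state without changing it. Remove -WhatIf to apply.
Disable-PiSqlSubsystem -WhatIf
```

As noted in the thread, the Advanced Search tab in Tag Search stops working once this service is disabled.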