The NT Service Edition's security model was structured around presuming restricted access for the tasks AutoMate™ launches. This means that, unless told otherwise through the use of a LOGIN step or by means of the default user profile, AutoMate™ will not launch a task through the service module. This is because, by default, all services run in the context of a "SYSTEM" account, which has access to sensitive areas of the NT environment. Without establishing a security or user context for a task to operate in, AutoMate™ would present itself as security hole to the NT Operating System. Rather than risk a breach of security, AutoMate™ puts the onus on the user to establish the correct security context for the task before the task starts executing.
Setting up a security context is usually best achieved by selecting a user that has just enough access rights to perform the actions required by the task, and logging them onto the system by using the "LOGIN" step from the Step Builder . This should be the first step of your task. It will allow the task to have access privileges identical to that of the user you selected, including file privileges and network access. The last step of your task should be a LOGOUT step , which will cleanly log the user out. Note that using these steps will not affect a user that is currently logged onto the workstation, if there is one; only the task and the steps contained within are affected by any LOGIN and LOGOUT steps.
Alternatively, you can set up a default user profile in the Preferences window of the Settings program. If a "LOGIN" step is not found as the first step of a task, AutoMate™ will default to this default user and attempt to log them in. If successful, the task will continue in the context of the default user. If unsuccessful, the task will fail, and the reason for the failure will output to the Log File (viewable by clicking on the "View Log" button on the Settings screen).
In the Step Builder itself, LOGIN steps cannot be copied or pasted between tasks. While this may be inconvenient, it prevents an unauthorized user from gaining access to an administrator task, for example, copying out their LOGIN line, and pasting it into their own, thus creating a task with admin privileges that does what they want. LOGIN steps must therefore be entered manually, with the correct password, with each use.
AutoMate™ has also added some general security enhancements to all versions to increase security.
There are, however, a few other security issues of which you should be aware. Although AutoMate™ can create desktops and launch interactive tasks on logged out workstations, doing so should be done very carefully. If a user were to walk by a workstation that was performing an automated task that was logged in with powerful privileges (an admin account, for example), they could take over control from AutoMate™ and gain access to the system with the same privileges that AutoMate™ had. Careful selection of your user accounts, as well as proper use of the "Lock Keyboard" and "Lock Mouse" actions minimize the chances of this happening. Also, be aware that the only reliable way to launch a task on a logged out workstation is by a schedule, and that the only way to disable a scheduled task is to log in to the workstation and either pause or terminate the AutoMate™ service.
See Also