Technical Information

Technical Information TI 50A01A10-01EN FAST/TOOLS System Hardening Windows XP SP3/ Windows 2003 SP1 TI 50A01A10-01EN Copyright May. 2009 (YK) 1st Edition May. 2009 (YK)

Blank Page

i Introduction About This Document This manual describes System Hardening Windows XP SP3/ Windows 2003 SP1. All Rights Reserved. Copyright 2009, Yokogawa Electric Corporation

Blank Page

iii FAST/TOOLS System Hardening Windows XP SP3/ Windows 2003 SP1 CONTENTS TI 50A01A10-01EN Introduction...i CONTENTS...iii 1. Introduction...1 1.1 Purpose... 1 1.2 Validity... 1 1.3 Definitions, Abbreviations and Acronyms... 1 1.4 References... 1 2. General...3 3. Windows Firewall...5 4. Service packs and security updates...7 5. User account considerations...9 6. Antivirus...11 7. Installed services...13 Revision Information...i

Blank Page

<1. Introduction> 1 1. Introduction 1.1 Purpose 1.2 Validity In order to protect systems from network related security vulnerabilities, it is important to harden the operating system on which the application is running. This document describes the hardening procedure to be followed for FAST/TOOLS systems running Microsoft operating systems. This document is primarily intended for internal Yokogawa use when engineering projects that use FAST/TOOLS on Microsoft operating systems. 1.3 Definitions, Abbreviations and Acronyms YEF-SCE : Yokogawa System Center Europe B.V. AV : Antivirus software. 1.4 References 1. McAfee VirusScan Enterprise version 8.7i, YHQ recommended antivirus software. 2. OPC Configuration White Paper, YEF-SCE procedure for setting up OPC communications on Windows 2003 and Windows XP machines.

Blank Page

<2. General> 3 2. General This document describes the steps that should be taken for hardening the Windows systems used in your project. The hardening process consists of the following steps: 1. Windows Firewall 2. applications 3. Service packs 4. Account considerations 5. Antivirus 6. Remote network access 7. Installed services TIP This document is specifically related to operating system and network configuration for a Windows machine. However it may be useful to read the Security White Paper first to get a broader idea of the security aspects associated with SCADA systems in general.

Blank Page

<3. Windows Firewall> 5 3. Windows Firewall The Microsoft firewall must be activated on each system. All ports and application exceptions must be blocked expect for those described in this section or any specifically required by project applications. Exceptions are required when using: OPC ODBC A redundant server configuration and the high-availability (HAC) software Remote desktop services TCP/IP based equipment managers The table below describes which ports should be configured as exceptions where necessary. Table Set-TABLE-TITLE Port number Protocol Description When and where used 3389 TCP Remote desktop connection Only if VNC is required for this machine. 1099 UDP FAST/TOOLS DURM connection On each machine with a DURM connection. Make exceptions for the port number used for each DURM line. For example if you are using a dual redundant network connection, you must do this twice, once for each line. 10101 TCP FAST/TOOLS DURR line 101 Only on the server machines of a redundant 10102 TCP FAST/TOOLS DURR line 102 server configuration, in case HAC is used. Only make exceptions for the number of lines you are 10103 TCP FAST/TOOLS DURR line 103 using. For example a dual network connection 10104 TCP FAST/TOOLS DURR line 104 will only require lines 101 and 102. 11000 UDP HAC GUI commands On the servers and all HMI machines, only when using a redundant server configuration and the HAC software. 11001 UDP HAC logger On the servers and all HMI machines, only when using a redundant server configuration and the HAC software. 11004 UDP HAC watchdog On the servers machines, only when using a redundant server configuration and the HAC software. 135 TCP DCOM Only when the machine is used as OPC server or client. 1538 TCP SimbaServer Only on the server machine and only when using the ODBC interface of ACCESS/FAST Allow incoming echo request is enabled. This allows network pings which are useful for troubleshooting network configurations. When using TCP/IP based equipment managers, then eqp should be configured as an application exception in the firewall. When using OPC connections the following applications should be defined as application exceptions in the firewall. These settings are not required if you are using the OPC DCOM tunneler because the tunneler uses the DURM connection for this purpose. - OPC server (OPC server machine only) - OPC client (OPC client machine only) - Microsoft Management Console (located in C:\Windows\Systems32\mmc.exe) (both client and

<3. Windows Firewall> 6 - server machines) - OPCEnum (OPC server machine only) - Print and file sharing (tick box) If using OPC or File and Printer Sharing is enabled, the scope of the following ports 139 & 145 TCP and 137 & 138 UDP should be changed to Any. TIP - When using OPC, please refer to the OPC Configuration White Paper (ref[2]). - If you are using a virus scanner then you may want to open the port for automatic updates. It is advisable to use a managed machine with an internet connection to download new pattern files and deploy them on the machines rather than having a direct connection to the internet. applications The following applications should be disabled or uninstalled on all the systems: - Netmeeting (uninstalled) - Windows Messenger (uninstalled) - Windows Movie Maker (disabled) - Windows Update (disabled) - Windows Media Player (uninstalled) - All games (uninstalled) - Outlook express (uninstalled) - MSN Explorer (uninstalled)

<4. Service packs and security updates> 7 4. Service packs and security updates Microsoft regularly releases operating system updates and security patches. As a result, it is not practical to include a list of all updates that need to be installed on the project machine. The practice for installing Windows updates is as follows: - Connect the machine to the internet - Visit http://www.update.microsoft.com using Internet Explorer - Download the Windows Genuine Advantage program if requested to confirm the authenticity of your Windows installation - Install all latest fixes via the online update wizard In addition to the latest operating system updates, Yokogawa maintains a list of security updates that have been tested and evaluated (e.g. for Centum). After updating your system through Windows updates, obtain this list from YHQ or your nearest Yokogawa center of excellence. - Open Add/Remove programs from the Control Panel - Check the option Show updates - The updates are shown in numerical order. Scroll down the list in the Add/Remove programs dialog and find the last Windows update that is also included in the Yokogawa list. - If there are more updates in the Yokogawa list that come after this one then install only the latest updates that come afterwards. Do not install older updates that come before since these changes may have been overruled by Windows hot fixes. TIP FAST/TOOLS should be installed and tested on a define patch level for the project. If for example the customer feels the need for additional updates at a later date or critical fixes are released, then Yokogawa must first determine the relevance of such a fix and test FAST/TOOLS on the patched system to check that functionality is not adversely affected.

Blank Page

<5. User account considerations> 9 5. User account considerations The following table shows the recommended user definitions. Table Set-TABLE-TITLE Name Password Description Administrator Xxx System Administrator password. This user has no limitations for system administration. This user is defined for the system custodian. FT Xxx The FT user has administrator rights and is only used to startup the FAST/TOOLS service. FTUSER Xxx The FTUSER has normal USER privileges. The FAST/TOOLS configuration tools and operator mimics run under this account. TIP - If the HMI station is configured to automatically logon with the FTUSER account, then the USER/FAST software must be started as the OS Shell. This will automatically disable the Windows Explorer functions like the task bar, desktop and the Windows function keys. Other functions like, Lock computer, System Shutdown, Change password and Task manager are also disabled for the FTUSER account. - If you use remote access software such as VNC then make sure that access can only be acquired via the Administrator user account and that it is used for maintenance purposes only.

Blank Page

<6. Antivirus> 11 6. Antivirus Antivirus software should be installed on all systems. The recommended antivirus software used by YHQ is described in ref[1], though the customer may have standardized on other software. The antivirus should be configured so that realtime scanning is enabled. If the virus scanner permits exceptions, then the following FAST/TOOLS directories should be configured as exceptions to the anti virus software: C:\Program Files\Yokogawa\FAST TOOLS\TLS\DAT C:\Program Files\Yokogawa\FAST TOOLS\TLS\SAV C:\Program Files\Yokogawa\FAST TOOLS\TLS\HIS TIP Virus pattern updates should be downloaded via a separate machine. They should be applied either manually or through automatic updates from a controlled system, preferably from within a demilitarized zone in the network (DMZ), in order to prevent direct internet access.

Blank Page

<7. Installed services> 13 7. Installed services The following table lists the services that should be activated on disabled for both services and HMI stations. NB: If you wish to configure DCOM for OPC, then you must set the Distributed Transaction Coordinator service as. Otherwise it is not possible to run the DCOM configuration tool. Table Set-TABLE-TITLE Service Description Windows XP Windows 2003.NET Runtime Microsoft.NET Framework NGEN N/A Optimization Service v2.0.50727_x86 Alerter Notifies selected users and computers of administrative alerts. APC PBE Agent APC PowerChute Business Edition Agent Only installed on a machine if directly connected to a ups with an USB cable Log On: administrator APC PBE Server APC PowerChute Business Edition Server Only installed on a machine if directly connected to a ups with an USB cable Log On: administrator Application Experience Lookup Service Processes application compatibility lookup requests for applications as they are launched. N/A Application Layer Gateway service Application Management ASP.NET State Service Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall. Provides software installation services such as Assign, Publish, and Remove. Provides support for out-of-process session states for ASP.NET. ATI Hotkey Poller N/A Updates Enables the download and installation of critical Windows updates. Background Transfers data between clients and servers in the intelligent transfer service background. ClipBook Enables ClipBook Viewer to store information and share it with remote computers. COM+ Event System COM+ system application Computer Browser Cryptographic Services DCOM Server process launcher Supports System Event Notification service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. Manages the configuration and tracking of Component Object Model (COM)+-based components. Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. Provides three management services: Catalogue Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. Provides launch functionality for DCOM services. N/A

<7. Installed services> 14 Table Set-TABLE-TITLE DHCP Client Service Description Windows XP Windows 2003 Distributed File System Distributed Link Tracking Server Distributed Link Tracking Client Distributed Transaction Coordinator DNS Client DVWebViews Service Error Reporting Service Event Log Fast User Switching Compatibility File Replication Help and Support HTTP SSL Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Manages network configuration by registering and updating IP addresses and DNS names. Integrates disparate file shares into a single, logical N/A namespace and manages these logical volumes distributed across a local or wide area network Enables client programs to track linked files that are N/A moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. Maintains links between NTFS files within a computer or across computers in a network domain. Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. Allows error reporting for services and applications running in non-standard environments. Enables event log messages issued by Windowsbased programs and components to be viewed in Event Viewer. Provides management for applications that require assistance in a multiple user environment. Allows files to be automatically copied and maintained simultaneously on multiple servers. Enables Help and Support Center to run on this computer. This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. N/A N/A Intel NCS Netservice Supports Intel(R) PROSet for Wired Connections. N/A Intersite messaging Enables messages to be exchanged between N/A computers running Windows Server sites. IPSEC Services Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Kerberos Key On domain controllers this service enables users to N/A Distribution Center log on to the network using the Kerberos authentication protocol License Logging Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. N/A

<7. Installed services> 15 Table Set-TABLE-TITLE Service Description Windows XP Windows 2003 Logical Disk Manager Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. Logical Disk Manager Configures hard disk drives and volumes. The service Administrative only runs for configuration processes and then stops. Service Messenger Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. MS Software Shadow Copy Provider Net Logon NetMeeting Remote Desktop Sharing Manages software-based volume shadow copies taken by the Volume Shadow Copy service. Supports pass-through authentication of account logon events for computers in a domain. Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Network DDE Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. Network DDE DSDM Manages Dynamic Data Exchange (DDE) network shares. Network Location Awareness (NLA) Network Provisioning Service NT LM Security Support Provider Collects and stores network configuration and location information, and notifies applications when this information changes. Manages XML configuration files on a domain basis for automatic network provisioning. Provides security to remote procedure call (RPC) programs that use transports other than named pipes. OpcEnum Performance Logs Collects performance data from local or remote and Alerts computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Portable Media Serial Number Retrieves the serial number of any portable music player connected to your computer. Print Spooler Loads files to memory for later printing. Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. QoS RSVP Provides network signaling and local traffic control N/A setup functionality for QoS-aware programs and control applets. Remote Access Auto Creates a connection to a remote network whenever Connection Manager a program references a remote DNS or NetBIOS name or address. Remote Access Connection Manager Creates a network connection.

<7. Installed services> 16 Table Set-TABLE-TITLE Service Description Windows XP Windows 2003 Remote Desktop Help Session Manager Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Provides the endpoint mapper and other miscellaneous RPC services. Manages the RPC name service database. Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. Removable Storage Used for managing removable media. Resultant Setup Policy Provider Routing and Remote Access Secondary Logon Security Accounts Manager Enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied. N/A Offers routing services to businesses in local area and wide area network environments. Enables starting processes under alternate credentials. Stores security information for local user accounts. Security Center Monitors system security settings and configurations. N/A Server Supports file, print, and named-pipe sharing over the network for this computer. Shell Hardware Provides notifications for AutoPlay hardware events. Detection Smart Card Manages access to smart cards read by this computer. Special Administrator Allows administrators to remotely access a command N/A Console Helper prompt using Emergency Management Services. SSDP Discovery Service Enables discovery of UPnP devices on your home network. Start Fasttools LOG On: FT System Event Notification Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. System Restore Service Task Scheduler TCP/IP NetBIOS Helper Telephony Telnet Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer, Properties, System Restore tab. Enables a user to configure and schedule automated tasks on this computer. Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. N/A N/A N/A

<7. Installed services> 17 Table Set-TABLE-TITLE Service Description Windows XP Windows 2003 Terminal Services Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Terminal Services Enables a user connection request to be routed to the N/A Session Directory appropriate terminal server in a cluster. Themes Provides user experience theme management. Uninterruptible Power Supply Universal Plug and Play Device Host Upload Manager Manages an uninterruptible power supply (UPS) connected to the computer. Provides support to host Universal Plug and Play devices. Manages synchronous and asynchronous file transfers between clients and servers on the network. Virtual Disk Services Provides software volume and hardware volume management service. Volume Shadow Copy WebClient WinHTTP Web Proxy Auto-Discovery Service Windows Audio Windows Firewall/internet connection sharing(ics) Windows Image Acquisition (WIA) Windows Installer Windows Management Instrumentation Windows Management Instrumentation Driver Extensions Windows Time Windows User mode driver framework Wireless Zero Configuration Wireless Configuration WMI Performance Adapter Workstation Manages and implements Volume Shadow Copies used for backup and other purposes. Enables Windows-based programs to create, access, and modify Internet-based files. Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration. Manages audio devices for Windows-based programs. Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Provides image acquisition services for scanners and cameras. Installs repairs and removes software according to instructions contained in.msi files. Provides a common interface and object model to access management information about operating system, devices, applications and services. Provides systems management information to and from drivers. N/A N/A N/A N/A Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. Enables Windows user mode drivers. Provides automatic configuration for the 802.11 adapters. Enables automatic configuration for IEEE 802.11 adapters. Provides performance library information from WMI HiPerf providers. Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Very important service. N/A N/A

Blank Page

i Revision Information Title No. : FAST/TOOLS System Hardening Windows XP SP3/Windows 2003 SP1 : TI 50A01A10-01EN May. 2009/1st Edition Newly published Written by Open System Department Industrial Automation Systems Business Center Yokogawa Electric Corporation Published by Yokogawa Electric Corporation 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, Japan Subject to change without notice.