Technical Information
TI 50A01A10-01EN

FAST/TOOLS System Hardening Windows XP SP3/ Windows 2003 SP1

©Copyright May. 2009 (YK) 1st Edition

Introduction

About This Document

This manual describes System Hardening Windows XP SP3/ Windows 2003 SP1.


CONTENTS

Introduction
1. Introduction
1.1 Purpose
1.2 Validity
1.3 Definitions, Abbreviations and Acronyms
1.4 References
2. General
3. Windows Firewall
4. Service packs and security updates
5. User account considerations
6. Antivirus
7. Installed services
Revision Information

1. Introduction

1.1 Purpose

In order to protect systems from network-related security vulnerabilities, it is important to harden the operating system on which the application is running. This document describes the hardening procedure to be followed for FAST/TOOLS systems running Microsoft operating systems.

1.2 Validity

This document is primarily intended for internal Yokogawa use when engineering projects that use FAST/TOOLS on Microsoft operating systems.

1.3 Definitions, Abbreviations and Acronyms

YEF-SCE : Yokogawa System Center Europe B.V.

AV : Antivirus software.

1.4 References

1. McAfee VirusScan Enterprise version 8.7i, YHQ recommended antivirus software.

2. OPC Configuration White Paper, YEF-SCE procedure for setting up OPC communications on Windows 2003 and Windows XP machines.

2. General

This document describes the steps that should be taken for hardening the Windows systems used in your project. The hardening process consists of the following steps:

1. Windows Firewall
2. Disabled applications
3. Service packs
4. Account considerations
5. Antivirus
6. Remote network access
7. Installed services

TIP

This document is specifically related to the operating system and network configuration of a Windows machine. However, it may be useful to read the Security White Paper first to get a broader idea of the security aspects associated with SCADA systems in general.


3. Windows Firewall

The Microsoft firewall must be activated on each system. All ports and application exceptions must be blocked except for those described in this section or any specifically required by project applications. Exceptions are required when using:

- OPC
- ODBC
- A redundant server configuration and the high-availability (HAC) software
- Remote desktop services
- TCP/IP based equipment managers

The table below describes which ports should be configured as exceptions where necessary.

Port number | Protocol | Description | When and where used
3389 | TCP | Remote desktop connection | Only if VNC is required for this machine.
1099 | UDP | FAST/TOOLS DURM connection | On each machine with a DURM connection. Make exceptions for the port number used for each DURM line. For example, if you are using a dual redundant network connection, you must do this twice, once for each line.
10101 | TCP | FAST/TOOLS DURR line 101 | Only on the server machines of a redundant server configuration, in case HAC is used. Only make exceptions for the number of lines you are using. For example, a dual network connection will only require lines 101 and 102.
10102 | TCP | FAST/TOOLS DURR line 102 | As for line 101.
10103 | TCP | FAST/TOOLS DURR line 103 | As for line 101.
10104 | TCP | FAST/TOOLS DURR line 104 | As for line 101.
11000 | UDP | HAC GUI commands | On the servers and all HMI machines, only when using a redundant server configuration and the HAC software.
11001 | UDP | HAC logger | On the servers and all HMI machines, only when using a redundant server configuration and the HAC software.
11004 | UDP | HAC watchdog | On the server machines, only when using a redundant server configuration and the HAC software.
135 | TCP | DCOM | Only when the machine is used as OPC server or client.
1538 | TCP | SimbaServer | Only on the server machine and only when using the ODBC interface of ACCESS/FAST.

The “Allow incoming echo request” ICMP setting is enabled. This allows network pings, which are useful for troubleshooting network configurations. When using TCP/IP based equipment managers, the eqp program should be configured as an application exception in the firewall. When using OPC connections, the following applications should be defined as application exceptions in the firewall. These settings are not required if you are using the OPC DCOM tunneler, because the tunneler uses the DURM connection for this purpose.

- OPC server (OPC server machine only)
- OPC client (OPC client machine only)
- Microsoft Management Console (located in C:\Windows\System32\mmc.exe) (both client and server machines)
- OPCEnum (OPC server machine only)
- Print and file sharing (tick box)

If OPC is used or File and Printer Sharing is enabled, the scope of ports 139 & 145 TCP and 137 & 138 UDP should be changed to “Any”.

TIP

- When using OPC, please refer to the OPC Configuration White Paper (ref[2]).

- If you are using a virus scanner then you may want to open the port for automatic updates. It is advisable to use a managed machine with an internet connection to download new pattern files and deploy them on the machines rather than having a direct connection to the internet.
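The following script is an added example and is not part of the Yokogawa TI document or of FAST/TOOLS. It applies the exceptions from this section with the "netsh firewall" context that ships with Windows XP SP2 and later and Windows Server 2003 SP1, selecting the rows of the table by machine role. The port numbers are the ones from the table; the -Role, -Hac, -Opc, -Odbc, -RemoteDesktop and -DryRun switches, the $OpcPrograms and $EqpProgram placeholder paths, the assumption that each DURM line has its own UDP port, and the choice of scope=SUBNET for every exception other than File and Printer Sharing are assumptions made for this example. Leave -Opc off when the OPC DCOM tunneler is used, since the tunneler works over the DURM connection.

```powershell
# Added example (not from the Yokogawa TI document): section 3 firewall
# exceptions by machine role, using the netsh firewall context of XP SP2+/2003 SP1.
param(
    [ValidateSet('Server', 'HMI')] [string]$Role = 'Server',
    [int]$Lines = 2,                   # DURM/DURR lines in use (dual network = 2)
    [int[]]$DurmPorts = @(1099),       # UDP port of each DURM line; 1099 is the table value (assumption: one port per line)
    [switch]$Hac,                      # redundant servers with the HAC software
    [switch]$Opc,                      # machine is an OPC server or client (not needed with the DCOM tunneler)
    [string[]]$OpcPrograms = @(),      # placeholder: full paths of the OPC server/client/OPCEnum executables
    [string]$EqpProgram = '',          # placeholder: full path of eqp for TCP/IP equipment managers
    [switch]$Odbc,                     # ODBC interface of ACCESS/FAST (server only)
    [switch]$RemoteDesktop,
    [switch]$DryRun                    # print the netsh commands instead of running them
)

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    if ($DryRun) { Write-Host ('netsh ' + ($NetshArgs -join ' ')); return }
    & netsh.exe $NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning ('netsh failed: ' + ($NetshArgs -join ' ')) }
}

function Add-PortException {
    param([string]$Protocol, [int]$Port, [string]$Name)
    # scope=SUBNET keeps the exception limited to the local subnet (choice made for this example).
    Invoke-Netsh @('firewall', 'add', 'portopening', "protocol=$Protocol", "port=$Port",
                   "name=$Name", 'mode=ENABLE', 'scope=SUBNET')
}

function Add-ProgramException {
    param([string]$Path, [string]$Name)
    Invoke-Netsh @('firewall', 'add', 'allowedprogram', "program=$Path", "name=$Name",
                   'mode=ENABLE', 'scope=SUBNET')
}

# Firewall on with the exception list enforced; incoming echo request (ICMP type 8) allowed for ping.
Invoke-Netsh @('firewall', 'set', 'opmode', 'mode=ENABLE', 'exceptions=ENABLE')
Invoke-Netsh @('firewall', 'set', 'icmpsetting', 'type=8', 'mode=ENABLE')

# DURM: one UDP exception per line on every machine with a DURM connection.
for ($i = 0; $i -lt $DurmPorts.Count; $i++) {
    Add-PortException 'UDP' $DurmPorts[$i] ('FAST/TOOLS DURM line ' + ($i + 1))
}

if ($Hac) {
    Add-PortException 'UDP' 11000 'HAC GUI commands'    # servers and HMI machines
    Add-PortException 'UDP' 11001 'HAC logger'          # servers and HMI machines
    if ($Role -eq 'Server') {
        Add-PortException 'UDP' 11004 'HAC watchdog'    # server machines only
        # DURR lines 101.. on the redundant servers, only as many lines as are in use.
        for ($n = 1; $n -le $Lines; $n++) {
            Add-PortException 'TCP' (10100 + $n) "FAST/TOOLS DURR line $(100 + $n)"
        }
    }
}

if ($Opc) {
    Add-PortException 'TCP' 135 'DCOM'
    Add-ProgramException 'C:\Windows\System32\mmc.exe' 'Microsoft Management Console'
    foreach ($p in $OpcPrograms) { Add-ProgramException $p ([IO.Path]::GetFileName($p)) }
    # File and Printer Sharing ticked, with its ports set to scope "Any".
    Invoke-Netsh @('firewall', 'set', 'service', 'type=FILEANDPRINT', 'mode=ENABLE', 'scope=ALL')
}

if ($EqpProgram -ne '') { Add-ProgramException $EqpProgram 'eqp' }
if ($Odbc -and $Role -eq 'Server') { Add-PortException 'TCP' 1538 'SimbaServer' }
if ($RemoteDesktop) { Add-PortException 'TCP' 3389 'Remote desktop connection' }
```

Run it first with -DryRun to review the generated netsh commands, for example `.\Set-FtFirewall.ps1 -Role HMI -Hac -DryRun` for an HMI station in a redundant configuration; afterwards `netsh firewall show config` lists the resulting exceptions so they can be compared against the table.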

Disabled applications

The following applications should be disabled or uninstalled on all the systems:

- Netmeeting (uninstalled)

- Windows Messenger (uninstalled)

- Windows Movie Maker (disabled)

- Windows Update (disabled)

- Windows Media Player (uninstalled)

- All games (uninstalled)

- Outlook Express (uninstalled)

- MSN Explorer (uninstalled)


4. Service packs and security updates

Microsoft regularly releases operating system updates and security patches. As a result, it is not practical to include a list of all updates that need to be installed on the project machine. The practice for installing Windows updates is as follows:

- Connect the machine to the internet

- Visit http://www.update.microsoft.com using Internet Explorer

- Download the Windows Genuine Advantage program if requested to confirm the authenticity of your Windows installation

- Install all latest fixes via the online update wizard

In addition to the latest operating system updates, Yokogawa maintains a list of security updates that have been tested and evaluated (e.g. for Centum). After updating your system through Windows updates, obtain this list from YHQ or your nearest Yokogawa center of excellence.

- Open Add/Remove programs from the Control Panel

- Check the option “Show updates”

- The updates are shown in numerical order. Scroll down the list in the Add/Remove programs dialog and find the last Windows update that is also included in the Yokogawa list.

- If there are more updates in the Yokogawa list that come after this one then install only the latest updates that come afterwards. Do not install older updates that come before since these changes may have been overruled by Windows hot fixes.
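The script below is an added example, not part of the Yokogawa TI document, implementing the comparison step just described: it reads the installed updates (the same entries that Add/Remove Programs shows with “Show updates” ticked), finds the newest one that also appears on the Yokogawa-evaluated list, and reports only the evaluated updates that come after it and are still missing. The KB numbers in $YokogawaList are constructed placeholders, not a real Yokogawa list; replace them with the list obtained from YHQ. Compare-UpdateLists and Get-KbNumber are names chosen for this example.

```powershell
# Added example (not from the Yokogawa TI document): section 4 update comparison.

# Constructed placeholder list: replace with the evaluated list obtained from YHQ.
$YokogawaList = @('KB900001', 'KB900005', 'KB900009', 'KB900012')

function Get-KbNumber {
    param([string]$HotFixId)
    # "KB958644" -> 958644; $null for ids that are not KB numbers.
    if ($HotFixId -match '^KB(\d+)$') { return [int]$Matches[1] }
    return $null
}

function Get-InstalledHotFixIds {
    # Win32_QuickFixEngineering lists the updates installed on XP/2003.
    Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID } |
        Where-Object { $_ -match '^KB\d+$' } |
        Sort-Object -Unique
}

function Compare-UpdateLists {
    param([string[]]$Installed, [string[]]$Evaluated)
    $installedSet = @{}
    foreach ($id in $Installed) { $installedSet[$id] = $true }

    # Newest (highest numbered) update that is both installed and on the evaluated list.
    $last = $null
    foreach ($id in $Evaluated) {
        if ($installedSet.ContainsKey($id)) {
            $n = Get-KbNumber $id
            if ($last -eq $null -or $n -gt $last) { $last = $n }
        }
    }

    # Only evaluated updates newer than that one are installed; older ones are
    # skipped because Windows hot fixes may already have superseded them.
    $toInstall = @()
    $skipped = @()
    foreach ($id in $Evaluated) {
        if ($installedSet.ContainsKey($id)) { continue }
        $n = Get-KbNumber $id
        if ($last -eq $null -or $n -gt $last) { $toInstall += $id } else { $skipped += $id }
    }
    return @{ LastCommon = $last; ToInstall = $toInstall; Skipped = $skipped }
}

$result = Compare-UpdateLists -Installed (Get-InstalledHotFixIds) -Evaluated $YokogawaList
if ($result.LastCommon -ne $null) { Write-Host ("Last common update: KB" + $result.LastCommon) }
Write-Host ('Install from the Yokogawa list: ' + ($result.ToInstall -join ', '))
Write-Host ('Older, not installed:           ' + ($result.Skipped -join ', '))
```

If the machine has none of the evaluated updates installed at all, the script lists the whole evaluated set as candidates, since there is no reference point for skipping older entries; that case should be settled with YHQ rather than by installing everything.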

TIP

FAST/TOOLS should be installed and tested at a defined patch level for the project. If, for example, the customer feels the need for additional updates at a later date or critical fixes are released, then Yokogawa must first determine the relevance of such a fix and test FAST/TOOLS on the patched system to check that functionality is not adversely affected.


5. User account considerations

The following table shows the recommended user definitions.

Name | Password | Description
Administrator | Xxx | System Administrator password. This user has no limitations for system administration. This user is defined for the system custodian.
FT | Xxx | The FT user has administrator rights and is only used to start up the FAST/TOOLS service.
FTUSER | Xxx | The FTUSER has normal USER privileges. The FAST/TOOLS configuration tools and operator mimics run under this account.

TIP

- If the HMI station is configured to automatically log on with the FTUSER account, then the USER/FAST software must be started as the OS Shell. This automatically disables the Windows Explorer functions such as the task bar, desktop and the Windows function keys. Other functions, such as Lock computer, System Shutdown, Change password and Task manager, are also disabled for the FTUSER account.

- If you use remote access software such as VNC then make sure that access can only be acquired via the Administrator user account and that it is used for maintenance purposes only.
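As an added example (not part of the Yokogawa TI document), the following script creates the FT and FTUSER accounts from the table above with the ADSI WinNT provider and then checks the privilege split the table requires: FT in the local Administrators group, FTUSER with ordinary Users membership only. Passwords are prompted for at run time and not stored in the script. The function names and the account descriptions are choices made for this example.

```powershell
# Added example (not from the Yokogawa TI document): section 5 local accounts.
$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function ConvertFrom-SecureToPlain {
    param([Security.SecureString]$Secure)
    # The WinNT provider needs the clear-text password once; free it immediately after.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-LocalAccount {
    param([string]$Name, [string]$Description, [string]$AddToGroup = '')
    $plain = ConvertFrom-SecureToPlain (Read-Host "Password for $Name" -AsSecureString)
    $user = $Computer.Create('User', $Name)
    $user.SetPassword($plain)
    $user.Put('Description', $Description)
    $user.SetInfo()
    # New local users are already members of Users; only add extra groups.
    if ($AddToGroup -ne '') {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$AddToGroup,group"
        $group.Add($user.Path)
    }
}

function Get-LocalGroupMembers {
    param([string]$Group)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-AccountPolicy {
    # FT must be an administrator (it starts the FAST/TOOLS service);
    # FTUSER must not be, because the configuration tools and mimics run under it.
    $admins = @(Get-LocalGroupMembers 'Administrators')
    $ok = $true
    if ($admins -notcontains 'FT')  { Write-Warning 'FT is not in Administrators'; $ok = $false }
    if ($admins -contains 'FTUSER') { Write-Warning 'FTUSER must not be in Administrators'; $ok = $false }
    return $ok
}

New-LocalAccount 'FT'     'Starts the FAST/TOOLS service' 'Administrators'
New-LocalAccount 'FTUSER' 'FAST/TOOLS configuration tools and operator mimics'
Test-AccountPolicy
```

Test-AccountPolicy can be run on its own during a later audit; it returns $false and prints a warning whenever FTUSER has been promoted to administrator, which is the change most likely to undo the separation the table describes.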

6. Antivirus

Antivirus software should be installed on all systems. The recommended antivirus software used by YHQ is described in ref[1], though the customer may have standardized on other software. The antivirus should be configured so that real-time scanning is enabled.

If the virus scanner permits exceptions, then the following FAST/TOOLS directories should be configured as exceptions to the antivirus software:

- C:\Program Files\Yokogawa\FAST TOOLS\TLS\DAT
- C:\Program Files\Yokogawa\FAST TOOLS\TLS\SAV
- C:\Program Files\Yokogawa\FAST TOOLS\TLS\HIS

TIP

Virus pattern updates should be downloaded via a separate machine. They should be applied either manually or through automatic updates from a controlled system, preferably from within a demilitarized zone in the network (DMZ), in order to prevent direct internet access.


7. Installed services

The following table lists the services that should be activated or disabled for both servers and HMI stations.

NB: If you wish to configure DCOM for OPC, then you must set the “Distributed Transaction Coordinator” service as Automatic. Otherwise it is not possible to run the DCOM configuration tool.

Service | Description | Windows XP | Windows 2003
.NET Runtime Optimization Service v2.0.50727_X86 | Microsoft .NET Framework NGEN | Disabled | N/A
Alerter | Notifies selected users and computers of administrative alerts. | Disabled | Disabled
APC PBE Agent | APC PowerChute Business Edition Agent. Only installed on a machine if directly connected to a UPS with a USB cable. Log On: administrator | Automatic | Automatic
APC PBE Server | APC PowerChute Business Edition Server. Only installed on a machine if directly connected to a UPS with a USB cable. Log On: administrator | Automatic | Automatic
Application Experience Lookup Service | Processes application compatibility lookup requests for applications as they are launched. | N/A | Automatic
Application Layer Gateway Service | Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall. | Manual | Manual
Application Management | Provides software installation services such as Assign, Publish, and Remove. | Manual | Manual
ASP.NET State Service | Provides support for out-of-process session states for ASP.NET. | Disabled | N/A
ATI Hotkey Poller | | N/A | Disabled
Automatic Updates | Enables the download and installation of critical Windows updates. | Disabled | Disabled
Background Intelligent Transfer Service | Transfers data between clients and servers in the background. | Manual | Manual
ClipBook | Enables ClipBook Viewer to store information and share it with remote computers. | Disabled | Disabled
COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. | Manual | Manual
COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. | Manual | Manual
Computer Browser | Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. | Disabled | Disabled
Cryptographic Services | Provides three management services: Catalogue Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. | Automatic | Automatic
DCOM Server Process Launcher | Provides launch functionality for DCOM services. | Automatic | Automatic
DHCP Client | Manages network configuration by registering and updating IP addresses and DNS names. | Disabled | Disabled
Distributed File System | Integrates disparate file shares into a single, logical namespace and manages these logical volumes distributed across a local or wide area network. | N/A | Manual
Distributed Link Tracking Server | Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. | N/A | Automatic
Distributed Link Tracking Client | Maintains links between NTFS files within a computer or across computers in a network domain. | Disabled | Disabled
Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. | Disabled | Disabled
DNS Client | Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. | Automatic | Automatic
DVWebViews Service | | Manual | Manual
Error Reporting Service | Allows error reporting for services and applications running in non-standard environments. | Disabled | Disabled
Event Log | Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. | Automatic | Automatic
Fast User Switching Compatibility | Provides management for applications that require assistance in a multiple user environment. | Automatic | N/A
File Replication | Allows files to be automatically copied and maintained simultaneously on multiple servers. | N/A | Manual
Help and Support | Enables Help and Support Center to run on this computer. | Disabled | Disabled
HTTP SSL | This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). | Manual | Manual
Human Interface Device Access | Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. | Disabled | Disabled
IMAPI CD-Burning COM Service | Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). | Disabled | Disabled
Indexing Service | Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. | Disabled | Disabled
Intel NCS Netservice | Supports Intel(R) PROSet for Wired Connections. | N/A | Manual
Intersite Messaging | Enables messages to be exchanged between computers running Windows Server sites. | N/A | Disabled
IPSEC Services | Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. | Disabled | Disabled
Kerberos Key Distribution Center | On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. | N/A | Disabled
License Logging | Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. | N/A | Disabled
Logical Disk Manager | Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. | Manual | Manual
Logical Disk Manager Administrative Service | Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. | Manual | Manual
Messenger | Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. | Disabled | Disabled
MS Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. | Disabled | Disabled
Net Logon | Supports pass-through authentication of account logon events for computers in a domain. | Disabled | Disabled
NetMeeting Remote Desktop Sharing | Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. | Disabled | Disabled
Network Connections | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. | Automatic | Automatic
Network DDE | Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. | Disabled | Disabled
Network DDE DSDM | Manages Dynamic Data Exchange (DDE) network shares. | Disabled | Disabled
Network Location Awareness (NLA) | Collects and stores network configuration and location information, and notifies applications when this information changes. | Disabled | Disabled
Network Provisioning Service | Manages XML configuration files on a domain basis for automatic network provisioning. | Manual | Manual
NT LM Security Support Provider | Provides security to remote procedure call (RPC) programs that use transports other than named pipes. | Disabled | Disabled
OpcEnum | | Manual | Manual
Performance Logs and Alerts | Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. | Disabled | Disabled
Plug and Play | Enables a computer to recognize and adapt to hardware changes with little or no user input. | Automatic | Automatic
Portable Media Serial Number | Retrieves the serial number of any portable music player connected to your computer. | Disabled | Disabled
Print Spooler | Loads files to memory for later printing. | Automatic | Automatic
Protected Storage | Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. | Automatic | Automatic
QoS RSVP | Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. | Disabled | N/A
Remote Access Auto Connection Manager | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. | Disabled | Disabled
Remote Access Connection Manager | Creates a network connection. | Disabled | Disabled
Remote Desktop Help Session Manager | Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. | Disabled | Disabled
Remote Procedure Call (RPC) | Provides the endpoint mapper and other miscellaneous RPC services. | Automatic | Automatic
Remote Procedure Call (RPC) Locator | Manages the RPC name service database. | Manual | Manual
Remote Registry | Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. | Automatic | Automatic
Removable Storage | Used for managing removable media. | Manual | Manual
Resultant Set of Policy Provider | Enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied. | N/A | Manual
Routing and Remote Access | Offers routing services to businesses in local area and wide area network environments. | Disabled | Disabled
Secondary Logon | Enables starting processes under alternate credentials. | Automatic | Automatic
Security Accounts Manager | Stores security information for local user accounts. | Automatic | Automatic
Security Center | Monitors system security settings and configurations. | Manual | N/A
Server | Supports file, print, and named-pipe sharing over the network for this computer. | Automatic | Automatic
Shell Hardware Detection | Provides notifications for AutoPlay hardware events. | Automatic | Automatic
Smart Card | Manages access to smart cards read by this computer. | Disabled | Disabled
Special Administrator Console Helper | Allows administrators to remotely access a command prompt using Emergency Management Services. | N/A | Manual
SSDP Discovery Service | Enables discovery of UPnP devices on your home network. | Disabled | N/A
Start Fasttools | Log On: FT | Manual | Manual
System Event Notification | Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. | Automatic | Automatic
System Restore Service | Performs system restore functions. To stop the service, turn off System Restore from the System Restore tab in My Computer, Properties. | Disabled | N/A
Task Scheduler | Enables a user to configure and schedule automated tasks on this computer. | Automatic | Automatic
TCP/IP NetBIOS Helper | Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. | Automatic | Automatic
Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Disabled | Disabled
Telnet | Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. | Disabled | N/A
Terminal Services | Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. | Manual | Manual
Terminal Services Session Directory | Enables a user connection request to be routed to the appropriate terminal server in a cluster. | N/A | Disabled
Themes | Provides user experience theme management. | Disabled | Disabled
Uninterruptible Power Supply | Manages an uninterruptible power supply (UPS) connected to the computer. | Disabled | Disabled
Universal Plug and Play Device Host | Provides support to host Universal Plug and Play devices. | Disabled | N/A
Upload Manager | Manages synchronous and asynchronous file transfers between clients and servers on the network. | Disabled | N/A
Virtual Disk Services | Provides software volume and hardware volume management service. | N/A | Manual
Volume Shadow Copy | Manages and implements Volume Shadow Copies used for backup and other purposes. | Disabled | Disabled
WebClient | Enables Windows-based programs to create, access, and modify Internet-based files. | Disabled | Disabled
WinHTTP Web Proxy Auto-Discovery Service | Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration. | N/A | Manual
Windows Audio | Manages audio devices for Windows-based programs. | Automatic | Automatic
Windows Firewall/Internet Connection Sharing (ICS) | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | Automatic | Automatic
Windows Image Acquisition (WIA) | Provides image acquisition services for scanners and cameras. | Disabled | Disabled
Windows Installer | Installs, repairs and removes software according to instructions contained in .MSI files. | Manual | Manual
Windows Management Instrumentation | Provides a common interface and object model to access management information about operating system, devices, applications and services. | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Provides systems management information to and from drivers. | Manual | Manual
Windows Time | Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. | Disabled | Disabled
Windows User Mode Driver Framework | Enables Windows user mode drivers. | Automatic | Automatic
Wireless Zero Configuration | Provides automatic configuration for the 802.11 adapters. | Disabled | N/A
Wireless Configuration | Enables automatic configuration for IEEE 802.11 adapters. | N/A | Disabled
WMI Performance Adapter | Provides performance library information from WMI HiPerf providers. | Manual | Manual
Workstation | Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Very important service. | Automatic | Automatic
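The script below is an added example and not part of the Yokogawa TI document. It applies a subset of the table above to the local machine and then verifies the result: each service is located by its display name through WMI (so the short service names do not need to be known), its start mode is compared with the column for the running operating system, and it is only reconfigured when it differs. The -UseDcom switch implements the NB above by setting the Distributed Transaction Coordinator to Automatic; -Verify reports differences without changing anything. The $Policy subset, the function names and the switches are choices made for this example; the values are the table's, and the remaining rows can be added in the same form.

```powershell
# Added example (not from the Yokogawa TI document): apply and verify section 7 service settings.
param([switch]$UseDcom, [switch]$Verify)

# Display name = @{ XP = ...; W2003 = ... }; 'N/A' means the service does not exist on that OS.
$Policy = @{
    'Alerter'                             = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Automatic Updates'                   = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Computer Browser'                    = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Distributed Transaction Coordinator' = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Messenger'                           = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Remote Registry'                     = @{ XP = 'Automatic'; W2003 = 'Automatic' }
    'Start Fasttools'                     = @{ XP = 'Manual';    W2003 = 'Manual' }
    'Telnet'                              = @{ XP = 'Disabled';  W2003 = 'N/A' }
    'Windows Time'                        = @{ XP = 'Disabled';  W2003 = 'Disabled' }
    'Workstation'                         = @{ XP = 'Automatic'; W2003 = 'Automatic' }
}
# NB from section 7: DCOM configuration for OPC needs the coordinator set to Automatic.
if ($UseDcom) { $Policy['Distributed Transaction Coordinator'] = @{ XP = 'Automatic'; W2003 = 'Automatic' } }

function Get-OsColumn {
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    if ($caption -match 'XP')   { return 'XP' }
    if ($caption -match '2003') { return 'W2003' }
    throw "Unsupported operating system: $caption"
}

# WMI reports StartMode as Auto/Manual/Disabled; map to the words used in the table.
$StartModeNames = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Set-ServicePolicy {
    param([hashtable]$Table, [string]$Column, [switch]$VerifyOnly)
    $differences = 0
    foreach ($display in $Table.Keys) {
        $expected = $Table[$display][$Column]
        if ($expected -eq 'N/A') { continue }
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$display'"
        if ($svc -eq $null) { Write-Warning "Not installed: $display"; continue }
        $actual = $StartModeNames[$svc.StartMode]
        if ($actual -eq $expected) { continue }
        $differences++
        Write-Host ('{0}: is {1}, should be {2}' -f $display, $actual, $expected)
        if (-not $VerifyOnly) {
            Set-Service -Name $svc.Name -StartupType $expected
            # A service that must be Disabled should not stay running until the next reboot.
            if ($expected -eq 'Disabled' -and $svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        }
    }
    return $differences
}

$column = Get-OsColumn
$count = Set-ServicePolicy -Table $Policy -Column $column -VerifyOnly:$Verify
if ($Verify) { Write-Host "$count service(s) differ from the table for $column" }
else         { Write-Host "$count service(s) reconfigured for $column" }
```

Run it with -Verify after installation and again after any service pack or vendor update, since those commonly reset start modes; a non-zero count is the signal that the hardening has drifted from the table.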


Revision Information

Title : FAST/TOOLS System Hardening Windows XP SP3/Windows 2003 SP1
Manual No. : TI 50A01A10-01EN

May. 2009/1st Edition Newly published

Written by : Open System Department
Published by : Industrial Automation Systems Business Center, Yokogawa Electric Corporation
Yokogawa Electric Corporation, 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, Japan