Technical FAST/TOOLS Windows Information IT Security Guide

TI 50A01A10-04EN

Yokogawa Electric Corporation
2-9-32, Nakacho, Musashino-shi, Tokyo, 180-8750 Japan
TI 50A01A10-04EN
©Copyright Sep. 2019 (YK)
2nd Edition Nov. 29, 2019 (YK)

Introduction

The FAST/TOOLS Windows Security Guide describes the detailed security settings for implementing IT security on a computer with FAST/TOOLS R10.04. IT security protects YOKOGAWA products from existing and future security threats. This FAST/TOOLS Windows Security Guide consists of the following sections:
• Overview
• Security models and user management types
• Details of security measures
• Precautions on operations
• Working with the IT Security Tool
• Other utility programs
• Connecting other Yokogawa products
• Optional IT security settings

Target audience
The intended readers of the FAST/TOOLS Windows Security Guide are FAST/TOOLS engineers who want to strengthen the IT security of FAST/TOOLS R10.04 systems running on Windows.

All Rights Reserved Copyright © 2019, Yokogawa Electric Corporation

Safety Precautions

Safety, Protection, and Modification of the Product
• In order to protect the system controlled by the product and the product itself and ensure safe operation, observe the safety precautions described in this Technical Information. We assume no liability for safety if users fail to observe these instructions when operating the product.
• If this product is used in a manner not specified in this Technical Information, the protection provided by this product may be impaired.
• If any protection or safety circuit is required for the system controlled by the product or for the product itself, prepare it separately.
• Be sure to use the spare parts approved by Yokogawa Electric Corporation (hereafter simply referred to as YOKOGAWA) when replacing parts or consumables.
• Do not use the accessories (power supply cord set, etc.) that came with the product for any other products.
• Modification of the product is strictly prohibited.
• The following symbols are used in the product and instruction manual to indicate that there are precautions for safety:

Indicates that caution is required. This symbol on the product indicates the possibility of dangers such as electric shock to personnel and equipment, and also indicates that the user must refer to the User's Manuals for necessary actions. In the User's Manuals, this symbol is used together with the word "CAUTION" or "WARNING" at the locations where precautions for avoiding dangers are described.

Indicates that caution is required for a hot surface. Note that the devices with this symbol become hot. There is a risk of burn injury or damage if the devices are touched.

Identifies a protective conductor terminal. Before using the Product, you must ground the protective conductor terminal to avoid electric shock.

Identifies a functional grounding terminal. A terminal marked “FG” also has the same function. This terminal is used for grounding other than protective grounding. Before using the Product, you must ground this terminal.

Indicates an AC supply.

Indicates a DC supply.

Indicates the ON state. The state of a power on/off switch and others is indicated.

Indicates the OFF state. The state of a power on/off switch and others is indicated.

Documentation conventions

Symbol Marks of Installation Guidance
Throughout this Technical Information, several different types of symbols are used to identify different sections of text. This section describes these icons.

WARNING Identifies important information required to understand operations or functions.

CAUTION Identifies instructions that must be observed in order to avoid physical injury and electric shock or death to the operator.

IMPORTANT Identifies important information required to understand operations or functions.

TIP Identifies additional information.

SEE ALSO Identifies a source to be referred to.

Drawing Conventions
Some drawings may be partially emphasized, simplified, or omitted for the convenience of description. Some screen images depicted in the user's manual may have different display positions or character types (e.g., upper/lower case). Also note that some of the images contained in this user's manual are display examples.

Typographical Conventions
The following typographical conventions are used throughout the user's manuals:

 Commonly used conventions throughout user’s manuals: Character string to be entered: The characters that must be entered are shown in monospace font as follows: Example: FIC100.SV=50.0

 Conventions used to show key or button operations: Characters enclosed by brackets ([ ]): Characters enclosed by brackets within any description on a key or button operation, indicate either a key on the HIS (Human Interface Station) keyboard, a key on the operation keyboard, a button name on a window, or an item displayed on a window. Example: To alter the function, press the [ESC] key.

 Conventions used in syntax or program statements: The following conventions are used within a command syntax or program statement : Characters enclosed by angle-brackets: Indicate character strings that user can specify freely according to certain guidelines. Example: #define

“...” Mark Indicates that the previous command or argument may be repeated. Example: Imax (arg1, arg2, ...)

Characters enclosed by brackets ([ ]): Indicate those character strings that can be omitted. Example: sysalarm format_string [output_value ...]

Characters enclosed by separators (| |): Indicate those character strings that can be selected from more than one option. Example:

opeguide [, ...] OG,

Trademark
The names of corporations, organizations, products and logos herein are either registered trademarks or trademarks of Yokogawa Electric Corporation and their respective holders.


CONTENTS

1 Overview ...... 1-1
1.1 Security threats ...... 1-3
1.2 Security measures ...... 1-4
1.3 Scope of IT security settings ...... 1-9
1.4 Positioning of IT security settings ...... 1-10
2. Security models and user management types ...... 2-1
2.1 Security models ...... 2-1
2.2 Windows user and group management types ...... 2-7
2.2.1 Created users and groups ...... 2-8
3. Details of security measures ...... 3-1
3.1 Access Control ...... 3-1
3.1.1 Access Control for files and folders ...... 3-1
3.1.2 Access Control for product registry ...... 3-5
3.1.3 Access Control for DCOM (OPC) objects ...... 3-6
3.2 Personal firewall tuning ...... 3-8
3.3 Stopping unused Windows services ...... 3-12
3.4 OPC configuration ...... 3-13
3.5 IT environment settings ...... 3-14
3.5.1 NetBIOS over TCP/IP ...... 3-14
3.5.2 Hard disk password ...... 3-14
3.6 settings ...... 3-15
3.6.1 Password policies ...... 3-15
3.6.2 Account lockout policies ...... 3-15
3.6.3 Security Options ...... 3-16
3.6.4 Software restriction policies ...... 3-18
3.6.5 Advanced Audit Policy Configuration ...... 3-19
3.6.6 Administrative Templates ...... 3-22
4. Precautions on operations updates ...... 4-1
4.1 When running FAST/TOOLS Server ...... 4-1
4.2 When running the FAST/TOOLS OPC Server ...... 4-1
4.3 When disabling NetBIOS over TCP/IP ...... 4-1
4.4 When setting the display language ...... 4-1
4.5 When changing the display language ...... 4-2
4.6 When using Remote Desktop Connection (RDC) ...... 4-3
4.7 When using the menu on Windows 10 and Windows Server 2016 ...... 4-3
5. Working with the IT Security Tool ...... 5-1
5.1 Configuring IT security settings ...... 5-1
5.2 Saving IT security settings ...... 5-4
5.3 Restoring IT security settings ...... 5-5
5.4 Changing the security setting file password (Encryption Key) ...... 5-6
5.5 Exporting and importing the IT security setting file ...... 5-7
5.6 Viewing the summary of IT security settings ...... 5-8
5.7 Reapplying IT security settings ...... 5-9
5.7.1 For FAST/TOOLS Server and Remote Connect ...... 5-9
5.7.2 For Mobile Client and Domain Controller ...... 5-9
5.8 Changing the FAST/TOOLS user account ...... 5-11
6. Other utility programs ...... 6-1
6.1 CreateFasttoolsProcess utility ...... 6-1
6.2 StorageDeviceCTL utility ...... 6-2
6.3 ITSecuritySettingItemExport utility ...... 6-3
7. Connecting YOKOGAWA products ...... 7-1
7.1 FAST/TOOLS and STARDOM ...... 7-1
7.1.1 Coexistence ...... 7-1
7.1.2 Collaboration ...... 7-2
7.2 FAST/TOOLS and ProSafe-RS ...... 7-3
7.2.1 Collaboration ...... 7-3
7.3 FAST/TOOLS and Matrikon OPC Server ...... 7-4
7.3.1 Collaboration ...... 7-4
7.4 FAST/TOOLS and Exaquantum ...... 7-6
7.4.1 Collaboration ...... 7-6
7.5 Coexistence with FAST/TOOLS Client and other products ...... 7-8
8. Optional IT security settings ...... 8-1
8.1 Security measures for Windows 10 and Windows Server 2016 ...... 8-1
8.2 Disabled Windows applications ...... 8-1
8.3 Audit policies ...... 8-3
8.3.1 Applying Audit Policy settings ...... 8-3
8.3.2 Defining maximum event log size ...... 8-4
8.4 Disabling ...... 8-5
8.5 Setting user rights for internal system objects ...... 8-5
8.6 Verifying user rights assignments ...... 8-6
8.7 Disabling the Guest account ...... 8-7
8.8 Restricting access to audit logs ...... 8-7
8.9 Configuring advanced audit policy settings ...... 8-8
8.10 Restricting access to removable media ...... 8-8
8.11 Making the screen saver password protection immediate ...... 8-9
8.12 Configuring the SNMP service settings ...... 8-9
8.13 Configuring SSL registry settings ...... 8-10
8.14 Configuring TLS registry settings ...... 8-11
8.15 Securing registry keys for programs that run during startup ...... 8-12
8.16 Securing AllowedPaths and AllowedExactPaths registry keys ...... 8-13
8.17 Disabling "Everyone" group permissions for anonymous users ...... 8-14
8.18 Removing unwanted network protocols ...... 8-14
8.19 Deploying TCP/IP protocol settings ...... 8-15
8.20 Enabling safe DLL search order ...... 8-15
8.21 Using NTFS on all non-removable partitions ...... 8-15
8.22 Enforcing password protection for third-party SMB Servers ...... 8-16
8.23 Setting unique password for each Administrator account ...... 8-16
8.24 Setting up advanced personal firewall ...... 8-17
Appendix 1. IT security setting items ...... App.1-1
Appendix 1.1 Security setting items in FAST/TOOLS computer ...... App.1-1
Appendix 1.2 Security setting items in Domain Controller ...... App.1-9
Appendix 2. Additional information ...... App.2-1
Appendix 2.1 Notes on security packs and security updates ...... App.2-1
Appendix 2.2 User account management when security model is changed ...... App.2-2
Appendix 2.3 Tools for defining local policies ...... App.2-3
Appendix 2.4 Stopping Windows services before configuring IT security settings ...... App.2-3
Appendix 2.5 Options for running the IT Security Tool ...... App.2-4

1 Overview
To protect FAST/TOOLS systems from existing and future security threats, it is necessary to implement IT security settings. The FAST/TOOLS Windows Security Guide describes the detailed security settings for implementing IT security in the system.

 Glossary The following table describes the security-related terms and abbreviations that are used in this manual.

Table 1-1 Glossary

Firewall: A firewall operating on computers and domain controllers, including firewalls other than the Windows firewall.
Business network: An intranet that does not include the PCN.
Reverse Proxy: A type of proxy server that retrieves resources on behalf of a client from one or more servers.
PCN: An abbreviation of Process Control Network, which is a network built for ICS (Industrial Control System).
CSN: An abbreviation of Control Server Network, which is used by the SCADA system and connected devices.
ASN: An abbreviation of Asset Server Network, which is for asset management.
DMZ: An abbreviation of De-Militarized Zone, which is an intermediate network isolated from both external and internal networks.
SCADA Server: SCADA is an abbreviation of Supervisory Control And Data Acquisition. The SCADA Server is the core processing unit of the system. Within a distributed configuration, it manages sets of data such as control objects (tags) and collects data from the attached equipment and from SCADA Servers in a distributed or standalone configuration.
Web HMI Server: A Web HMI Server provides an operation and monitoring window (HMI) for Web HMI Clients to visualize the data or information that is collected and processed by SCADA Servers.
Web HMI Client: A Web HMI Client accesses a Web HMI Server to display process mimics, trends, alarms and events, and other operating data. Moreover, each Web HMI Client accommodates a fully functional application engineering environment for both database and display configuration. A Web HMI Client can run on the same computer as its Web HMI Server or on a different computer across LAN/WAN networks.
Coexistence: An arrangement in which FAST/TOOLS and any other Yokogawa product are installed on the same computer.
Collaboration: An arrangement in which FAST/TOOLS and any other Yokogawa product are installed on separate computers but communicate with each other over a network.
F/T: FAST/TOOLS
IT Security Tool: A tool for configuring IT security settings on Windows.
CORPORATION LEVEL: At the corporate level, all KPIs and other process data of all the business units are collected and aggregated to provide a holistic view of the performance of the enterprise and its operational groups down to process level in real time.
BUSINESS LEVEL: The business unit level is typically responsible for all areas within the business unit. The business unit contains a FAST/TOOLS Server node that exchanges KPIs and other process data with the area level systems. At the business unit level, users are expected to have access to data that can help in optimizing production of individual as well as inter-related assets.
AREA LEVEL: At the area level, it is possible to supervise and control all processes within a geographical area. It contains a FAST/TOOLS Server node that is connected to all DCS and/or SCADA systems at the process level. A typical application at this level is to control the total amount of production within the area, and to determine production KPIs.
PROCESS LEVEL: At the process level, local DCS/SCADA/PLC systems or other automation control and monitoring equipment directly interact with the process. For example, in a typical gas production platform where process level systems are controlled by a DCS system, the process information is exchanged between the process level and the area level.

1.1 Security threats
The following security threats may harm a computer on which FAST/TOOLS is installed:
• Attacks over the network: Threats from people who do not have rights to access the FAST/TOOLS system, carried out through networks such as an intranet. This results in the leakage of important data from the FAST/TOOLS system.
• Direct attack while operating a computer: Threats from unauthorized individuals who operate a computer directly, affecting the system and stealing important data.
• Theft of a computer: Threats when a computer that stores critical data of the FAST/TOOLS system is stolen.
The following figure shows the security threats that can harm a computer on which FAST/TOOLS is installed.

[Figure 1.1-1 Security threats (F010101E.ai): network diagram showing the business network, a reverse proxy, the DMZ and firewall, the CSN and ASN with the Web HMI Server and Web HMI Client, the PCN with the SCADA Servers, and the control bus with its controllers. The three threats are marked on it: attack over a network, direct attack by operating a terminal, and theft of a computer stored with critical data.]

Figure 1.1-1 Security threats

1.2 Security measures
You must implement security measures to protect your computer and the FAST/TOOLS system from security threats. The security measures that you can apply are categorized into the following types:
• Access control: Restricts access to files, folders, registries, and programs.
• Personal firewall tuning: Controls communication among computers on your network.
• Stopping unused Windows services: Stops unused programs and services that are vulnerable to security threats.
• Changing IT environment settings: Enables additional Windows security measures for strict security.
• Applying group policy settings: Enables centralized management of security policies for computers connected to the same domain.

 Security measures and handled threats The following table shows the security measures and the threats that each measure handles.

Table 1.2-1 Security measures and handled threats

Security measure | Network attacks | Direct system attacks | Computer and data theft
Password Policy-[Minimum password length] | Yes | Yes | No
Password Policy-[Minimum password age] | Yes | Yes | No
Password Policy-[Maximum password age] | Yes | Yes | No
Password Policy-[Enforce password history] | Yes | Yes | No
Disable 'Password Policy-[Store passwords using reversible encryption]' | Yes | Yes | No
Password Policy-[Password must meet complexity requirements] | Yes | Yes | No
Access Control for files and folders | Yes | Yes | No
Access Control for product registry | Yes | Yes | No
Access Control for DCOM (OPC) objects | Yes | Yes | No
Personal Firewall tuning | Yes | No | No
Disable 'Personal Firewall-[Allow unicast response]' | Yes | No | No
Stopping unused Windows services | Yes | No | No
Account Lockout Policy-[Account lockout threshold] | Yes | Yes | No
Account Lockout Policy-[Reset account lockout counter after] | Yes | Yes | No
Account Lockout Policy-[Account lockout duration] | Yes | Yes | No
User Rights Assignment-[Allow log on locally] | No | Yes | No
User Rights Assignment-[Deny log on locally] | No | Yes | No
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Yes | Yes | No
Security Options-[Devices: Prevent users from installing printer drivers] | No | Yes | No
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Yes | No | No
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Yes | No | No
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Yes | No | No
Set 'Security Options-[Interactive logon: Display user information when the session is locked]' to 'Do not display user information' | No | Yes | No
Security Options-[Interactive logon: Do not display last user name] | No | Yes | No
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | No | Yes | No
Security Options-[Interactive logon: Prompt user to change password before expiration] | Yes | Yes | No
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Yes | No | No
Security Options-[Microsoft network Server: Server SPN target name validation level] | Yes | No | No
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Yes | No | No
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Yes | No | No
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Yes | No | No
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Yes | No | No
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Yes | No | No
Security Options-[Network security: LAN Manager authentication level] | Yes | No | No
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Yes | No | No
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Yes | No | No
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | No | Yes | No
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | No | Yes | No
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | No | Yes | No
Advanced Audit Policy Configuration-[Audit Credential Validation] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Security Group Management] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit User Account Management] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Process Creation] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Account Lockout] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Logoff] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Logon] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Special Logon] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Removable Storage] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Policy Change] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Other System Events] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Security State Change] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit Security System Extension] | Yes | Yes | No
Advanced Audit Policy Configuration-[Audit System Integrity] | Yes | Yes | No
Personalization-[Prevent enabling lock screen camera] | No | Yes | No
Personalization-[Prevent enabling lock screen slide show] | No | Yes | No
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Yes | No | No
SCM-[Enable LSA Protection] | Yes | Yes | No
SCM-[Lsass.exe audit mode] | Yes | Yes | No
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Yes | No | No
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Yes | No | No
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Yes | No | No
Apply the StorageDevicePolicies function | No | Yes | Yes
Disable USB storage devices | No | Yes | Yes
Apply the Software Restriction Policies | Yes | Yes | No
Disable NetBIOS over TCP/IP | Yes | No | No
Group Policy-[Configure registry policy processing] | Yes | Yes | No
Mitigation Options-[Untrusted Font Blocking] | Yes | Yes | No
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication] | Yes | Yes | No
User Profiles-[Turn off the advertising ID] | Yes | No | No
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Yes | No | No
File Explorer-[Turn off heap termination on corruption] | No | Yes | No
HomeGroup-[Prevent the computer from joining a homegroup] | Yes | No | No
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Yes | No | No
Device and Resource Redirection-[Do not allow drive redirection] | Yes | No | No
Security-[Require secure RPC communication] | Yes | No | No
Security-[Require user authentication for remote connections by using Network Level Authentication] | Yes | No | No
Sync your settings-[Do not sync Apps] | Yes | No | No
Sync your settings-[Do not sync start settings] | Yes | No | No
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Yes | No | No
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | No | Yes | No
Notifications-[Turn off toast notifications on the lock screen] | No | Yes | No
Disabling the built-in Administrator account or changing its user name | Yes | Yes | No
HDD password function by BIOS | No | No | Yes
Internet Communication Settings-[Turn off downloading of drivers over HTTP] | Yes | No | No
Internet Communication Settings-[Turn off Events.asp links] | Yes | No | No
Internet Communication Settings-[Turn off Internet download for Web publishing and online ordering wizards] | Yes | No | No
Internet Communication Settings-[Turn off printing over HTTP] | Yes | No | No
Internet Communication Settings-[Turn off Search Companion content file updates] | Yes | No | No
Internet Communication Settings-[Turn off the Publish to Web task for files and folders] | Yes | No | No
Internet Communication Settings-[Turn off the Windows Customer Experience Improvement Program] | Yes | No | No
Internet Communication Settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Yes | No | No
Logon-[Do not display network selection UI] | Yes | Yes | No
Logon-[Do not enumerate connected users on domain-joined computers] | No | Yes | No
Logon-[Do not process the legacy run list] | No | Yes | No
Logon-[Do not process the run once list] | No | Yes | No
Disable 'Logon-[Enumerate local users on domain-joined computers]' | No | Yes | No
Logon-[Turn off app notifications on the lock screen] | No | Yes | No
App Privacy-[Let Windows apps access account information] | Yes | No | No
App Privacy-[Let Windows apps access call history] | Yes | No | No
App Privacy-[Let Windows apps access contacts] | Yes | No | No
App Privacy-[Let Windows apps access email] | Yes | No | No
App Privacy-[Let Windows apps access location] | Yes | No | No
App Privacy-[Let Windows apps access messaging] | Yes | No | No
App Privacy-[Let Windows apps access motion] | Yes | No | No
App Privacy-[Let Windows apps access the calendar] | Yes | No | No
App Privacy-[Let Windows apps access the camera] | Yes | No | No
App Privacy-[Let Windows apps access the microphone] | Yes | No | No
App Privacy-[Let Windows apps access trusted devices] | Yes | No | No
App Privacy-[Let Windows apps control radios] | Yes | No | No
App Privacy-[Let Windows apps sync with devices] | Yes | No | No
AutoPlay Policies-[Turn off Autoplay] | No | Yes | No
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | No | Yes | No
Data Collection and Preview Builds-[Allow Telemetry] | Yes | No | No
Data Collection and Preview Builds-[Do not show feedback notifications] | Yes | No | No
Event Log Service (Application)-[Specify the maximum log file size (KB)] | Yes | Yes | No
Event Log Service (Security)-[Specify the maximum log file size (KB)] | Yes | Yes | No
Event Log Service (System)-[Specify the maximum log file size (KB)] | Yes | Yes | No
OneDrive-[Prevent the usage of OneDrive for file storage] | Yes | No | No
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Yes | No | No
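As an added example (not the guide's IT Security Tool or any Yokogawa code), the PowerShell script below reads back a subset of the Table 1.2-1 settings on the local computer and reports which ones deviate. The registry locations are the standard Windows locations for those settings; the expected values are assumptions based on common Windows hardening practice (plus the "3 recommended" figure from the table), not the values this guide applies, which are listed in Appendix 1.

```powershell
# Added example, not part of the FAST/TOOLS IT Security Tool: read-only compliance check of
# a subset of the Table 1.2-1 measures on the local computer. The EXPECTED values are
# assumptions (common hardening values), not the values the guide applies (see Appendix 1).
#Requires -RunAsAdministrator

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Measure name as in Table 1.2-1, the registry value that backs it, assumed expected value.
$registryChecks = @(
    @{ Measure = 'SCM-[Enable LSA Protection]';              Path = $lsa; Name = 'RunAsPPL';                  Expected = 1 },
    @{ Measure = '[MSS: (DisableIPSourceRouting)]';          Path = $tcp; Name = 'DisableIPSourceRouting';    Expected = 2 },
    @{ Measure = 'Disable [MSS: (PerformRouterDiscovery)]';  Path = $tcp; Name = 'PerformRouterDiscovery';    Expected = 0 },
    @{ Measure = '[MSS: (TcpMaxDataRetransmissions)]';       Path = $tcp; Name = 'TcpMaxDataRetransmissions'; Expected = 3 },
    @{ Measure = 'Disable USB storage devices (USBSTOR service start type = disabled)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Expected = 4 },
    @{ Measure = 'Interactive logon: Do not display last user name'; Path = $sys; Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Measure = "Disable 'Interactive logon: Do not require CTRL+ALT+DEL'"; Path = $sys; Name = 'DisableCAD'; Expected = 0 },
    @{ Measure = "Disable 'Shutdown: Allow system to be shut down without having to log on'"
       Path = $sys; Name = 'ShutdownWithoutLogon'; Expected = 0 },
    @{ Measure = 'UAC: Admin Approval Mode for the Built-in Administrator account'
       Path = $sys; Name = 'FilterAdministratorToken'; Expected = 1 },
    @{ Measure = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Measure = 'Network security: LAN Manager authentication level (NTLMv2 only)'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Expected = 5 }
)

function Test-RegistrySetting {
    param([hashtable]$Check)
    # A missing value means "not configured"; for every check above that counts as non-compliant.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    [pscustomobject]@{
        Measure   = $Check.Measure
        Expected  = $Check.Expected
        Actual    = $actual
        Compliant = ($null -ne $actual -and [int]$actual -eq $Check.Expected)
    }
}

function Test-NetBiosDisabled {
    # "Disable NetBIOS over TCP/IP" is a per-interface setting: NetbiosOptions 2 = disabled
    # (0 = take the setting from DHCP, 1 = enabled). One result object per interface.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Measure   = "Disable NetBIOS over TCP/IP ($($iface.PSChildName))"
            Expected  = 2
            Actual    = $opt
            Compliant = ($opt -eq 2)
        }
    }
}

function Test-AuditSubcategory {
    param([string]$Subcategory)
    # auditpol /r prints CSV; "Inclusion Setting" is the effective setting for the subcategory.
    # The table only states that the subcategory is audited, so anything except "No Auditing" passes.
    $row = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    [pscustomobject]@{
        Measure   = "Advanced Audit Policy Configuration-[Audit $Subcategory]"
        Expected  = 'Success and/or Failure'
        Actual    = $row.'Inclusion Setting'
        Compliant = ($null -ne $row -and $row.'Inclusion Setting' -ne 'No Auditing')
    }
}

$results = @()
$results += $registryChecks | ForEach-Object { Test-RegistrySetting -Check $_ }
$results += Test-NetBiosDisabled
$results += 'Credential Validation', 'Logon', 'Account Lockout', 'Process Creation', 'Removable Storage' |
    ForEach-Object { Test-AuditSubcategory -Subcategory $_ }

$results | Format-Table -Property Measure, Expected, Actual, Compliant -AutoSize -Wrap
$deviating = @($results | Where-Object { -not $_.Compliant }).Count
Write-Host "$deviating of $($results.Count) checked items deviate from the expected value."
```

Run it before and after applying the IT Security Tool to confirm the measures took effect on that computer; it changes nothing itself.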

1.3 Scope of IT security settings
The following figure indicates the scope of IT security settings in each installation environment.

[Figure 1.3-1 Scope of IT security settings (F010301.ai): the four levels and their FAST/TOOLS servers: CORPORATE LEVEL (FAST/TOOLS Corporate Server), BUSINESS LEVEL (FAST/TOOLS Business Unit Server, other business units), AREA LEVEL (FAST/TOOLS Area Server, other areas) and PROCESS LEVEL (FAST/TOOLS Process Server, ENGHIS, RGS, other process areas, with SCS, FCS, RTU and PLC devices). The scope of the IT security settings is drawn around the AREA LEVEL and PROCESS LEVEL.]

Figure 1.3-1 Scope of IT security settings

Note:
• Security settings should follow the security policy of the corresponding installation environment for BUSINESS LEVEL and CORPORATE LEVEL.
• IT security settings must be applied for AREA LEVEL and PROCESS LEVEL.

1.4 Positioning of IT security settings
The R10.04 IT security settings cover the R10.03 IT security settings along with general and optional IT security settings for FAST/TOOLS.
Note: The optional IT security settings for FAST/TOOLS can be applied to computers on which only FAST/TOOLS Server/Client is installed.
The following figure shows the positioning of IT security settings.

[Figure 1.4-1 Positioning of IT security settings (F010401.ai): the R10.04 IT security settings contain the R10.03 IT security settings, the general IT security settings, and the optional IT security settings for FAST/TOOLS.]

Figure 1.4-1 Positioning of IT security settings

2. Security models and user management types
This section describes the security models and the methods for managing users and groups.

2.1 Security models
The security models are categorized into the following types based on their security strength:
• Standard model: This model places importance on operation of the product and collaboration with other systems (Exaopc, ProSafe-RS, and so on) to guard against "attacks over the network" and "direct attack on a FAST/TOOLS terminal". The Standard model does not guard against "physical theft of terminals or theft of data".
• Strengthened model: This model has a higher level of security than the Standard model against network attacks, direct system attacks, and computer theft. However, this model may affect normal computer operations because of the high level of protection. When applying this model, ensure that the settings match your plant operation and security requirements.

Note: If you want to implement the Strengthened model, contact YOKOGAWA.

 Security models and security measures The following table shows the security measures that are supported by different security models. It also shows whether the domain group policy settings are prioritized over local settings for each security measure.

Table 2.1-1 Security models and security measures (1/6)

Security model Group Security measure Standard Strengthened policies model model take priority Password Policy-[Minimum password length] Not applied Applied Yes Password Policy-[Minimum password age] Not applied Applied Yes Password Policy-[Maximum password age] Not applied Applied Yes Password Policy-[Enforce password history] Not applied Applied Yes Disable ‘Password Policy-[Store passwords using reversible Not applied Applied Yes encryption]' Password Policy-[Password must meet complexity Not applied Applied Yes requirements] Access Control for files and folders (*1) Applied Applied No Access Control for product registry (*1) Applied Applied No Access Control for DCOM (OPC) objects (*1) Applied Applied No Personal Firewall tuning (*2) Applied Applied No Disable 'Personal Firewall-[Allow unicast response]' Applied Applied No Stopping Unused Window Services (*2) Not applied Applied No Account Lockout Policy-[Account lockout threshold] Not applied Applied Yes Account Lockout Policy-[Reset account lockout counter after] Not applied Applied Yes Account Lockout Policy-[Account lockout duration] Not applied Applied Yes

TI 50A01A10-04EN Sep. 18, 2019-00 <2. Security models and user management types> 2-2

Table 2.1-1 Security models and security measures (2/6)

Security measure | Standard model | Strengthened model | Group policies take priority
Disabling NetBIOS over TCP/IP (*1) | Applied | Applied | No
Applying the StorageDevicePolicies function | Applied | Applied | Yes
Disabling USB storage devices | Applied | Applied | Yes
Applying the Software Restriction Policies | Applied | Applied | Yes
User Rights Assignment-[Access this computer from the network] (*3) | Applied | Applied | No
User Rights Assignment-[Add workstations to domain] (*3) | Applied | Applied | No
User Rights Assignment-[Allow log on locally] | Not applied | Applied | Yes
User Rights Assignment-[Deny log on locally] | Applied | Applied | Yes
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Applied | Applied | Yes
Security Options-[Devices: Prevent users from installing printer drivers] | Applied | Applied | Yes
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Applied | Applied | Yes
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Applied | Applied | Yes
Disable 'Security Options-[Domain Controller: Allow Server operators to schedule tasks]' (*3) | Applied | Applied | No
Disable 'Security Options-[Domain Controller: Refuse machine account password changes]' (*3) | Applied | Applied | No
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Applied | Applied | Yes
Set 'Security Options-[Interactive logon: Display user information when the session is locked]' to 'Do not display user information' | Not applied | Applied | Yes
Security Options-[Interactive logon: Do not display last user name] | Applied | Applied | Yes
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Applied | Applied | Yes
Security Options-[Interactive logon: Prompt user to change password before expiration] | Applied | Applied | Yes
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Applied | Applied | Yes
Security Options-[Microsoft network Server: Server SPN target name validation level] | Applied | Applied | Yes
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Applied | Applied | Yes
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Applied | Applied | Yes
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Applied | Applied | Yes
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Applied | Applied | Yes
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Applied | Applied | Yes


Table 2.1-1 Security models and security measures (3/6)

Security measure | Standard model | Strengthened model | Group policies take priority
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Applied | Applied | Yes
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Applied | Applied | Yes
Disable 'Security Options-[Network security: Allow Local System NULL session fallback]' | Applied | Applied | Yes
Security Options-[Network security: LAN Manager authentication level] | Applied | Applied | Yes
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Applied | Applied | Yes
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Applied | Applied | Yes
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Applied | Applied | Yes
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Applied | Applied | Yes
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Credential Validation] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security Group Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit User Account Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Process Creation] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Directory Service Access] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Directory Service Changes] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Account Lockout] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Logoff] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Logon] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Special Logon] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Removable Storage] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Applied | Applied | Yes


Table 2.1-1 Security models and security measures (4/6)

Security measure | Standard model | Strengthened model | Group policies take priority
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit IPsec Driver] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other System Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security State Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security System Extension] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit System Integrity] | Applied | Applied | Yes
Personalization-[Prevent enabling lock screen camera] | Applied | Applied | Yes
Personalization-[Prevent enabling lock screen slide show] | Applied | Applied | Yes
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Applied | Applied | Yes
SCM-[Enable LSA Protection] | Not applied | Applied | Yes
SCM-[Lsass.exe audit mode] | Not applied | Applied | Yes
Group Policy-[Configure registry policy processing] | Applied | Applied | Yes
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Applied | Applied | Yes
Internet Communication settings-[Turn off Event Viewer Events.asp links] | Applied | Applied | Yes
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Applied | Applied | Yes
Internet Communication settings-[Turn off printing over HTTP] | Applied | Applied | Yes
Internet Communication settings-[Turn off Search Companion content file updates] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Publish to Web task for files and folders] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Applied | Applied | Yes
Logon-[Do not display network selection UI] | Applied | Applied | Yes
Logon-[Do not enumerate connected users on domain-joined computers] | Applied | Applied | Yes
Logon-[Do not process the legacy run list] | Not applied | Applied | Yes
Logon-[Do not process the run once list] | Not applied | Applied | Yes
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Applied | Applied | Yes
Logon-[Turn off app notifications on the lock screen] | Applied | Applied | Yes
Mitigation Options-[Untrusted Font Blocking] | Applied | Applied | Yes


Table 2.1-1 Security models and security measures (5/6)

Security measure | Standard model | Strengthened model | Group policies take priority
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication] | Not applied | Applied | Yes
User Profiles-[Turn off the advertising ID] | Applied | Applied | Yes
App Privacy-[Let Windows apps access account information] | Applied | Applied | Yes
App Privacy-[Let Windows apps access call history] | Applied | Applied | Yes
App Privacy-[Let Windows apps access contacts] | Applied | Applied | Yes
App Privacy-[Let Windows apps access email] | Applied | Applied | Yes
App Privacy-[Let Windows apps access location] | Applied | Applied | Yes
App Privacy-[Let Windows apps access messaging] | Applied | Applied | Yes
App Privacy-[Let Windows apps access motion] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the calendar] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the camera] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the microphone] | Applied | Applied | Yes
App Privacy-[Let Windows apps access trusted devices] | Applied | Applied | Yes
App Privacy-[Let Windows apps control radios] | Applied | Applied | Yes
App Privacy-[Let Windows apps sync with devices] | Applied | Applied | Yes
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content.] | Applied | Applied | Yes
AutoPlay Policies-[Turn off Autoplay] | Applied | Applied | Yes
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Applied | Applied | Yes
Data Collection and Preview Builds-[Allow Telemetry] | Applied | Applied | Yes
Data Collection and Preview Builds-[Do not show feedback notifications] | Applied | Applied | Yes
Event Log Service(application)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
Event Log Service(security)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
Event Log Service(system)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
File Explorer-[Turn off heap termination on corruption] | Applied | Applied | Yes
HomeGroup-[Prevent the computer from joining a homegroup] | Applied | Applied | Yes
OneDrive-[Prevent the usage of OneDrive for file storage] | Applied | Applied | Yes
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Applied | Applied | Yes
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Applied | Applied | Yes
Device and Resource Redirection-[Do not allow drive redirection] | Applied | Applied | Yes
Security-[Require secure RPC communication] | Applied | Applied | Yes
Security-[Require user authentication for remote connections by using Network Level Authentication] | Applied | Applied | Yes
Sync your settings-[Do not sync Apps] | Applied | Applied | Yes
Sync your settings-[Do not sync start settings] | Applied | Applied | Yes
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Applied | Applied | Yes


Table 2.1-1 Security models and security measures (6/6)

Security measure | Standard model | Strengthened model | Group policies take priority
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Applied | Applied | Yes
Notifications-[Turn off toast notifications on the lock screen] | Applied | Applied | Yes
Disabling the built-in Administrator account or changing its user name | Not applied | Applied (*4) | Yes
HDD password function by BIOS | Not applied | Applied (*4) | No
User Rights Assignment-[Log on as a batch job] (*5) | Applied | Applied | Yes
User Rights Assignment-[Log on as a service] (*5) | Applied | Applied | Yes
[MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)] (*5) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit RPC Events] (*5) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Application Generated] (*5) | Applied | Applied | Yes
Audit Process Creation-[Include command line in process creation events] (*5) | Applied | Applied | Yes
Internet Communication settings-[Turn off access to the Store] (*5) | Applied | Applied | Yes
Video and Display Settings-[Turn Off the Display (On Battery)] (*5) | Applied | Applied | Yes
Video and Display Settings-[Turn Off the Display (Plugged In)] (*5) | Applied | Applied | Yes
Cloud Content-[Do not show Windows Tips] (*5) | Applied | Applied | Yes
Cloud Content-[Turn off Microsoft consumer experiences] (*5) | Applied | Applied | Yes
Data Collection and Preview Builds-[Disable pre-release features or settings] (*5) | Applied | Applied | Yes
Data Collection and Preview Builds-[Toggle user control over Insider builds] (*5) | Applied | Applied | Yes
Disable 'Search-[Allow Cortana]' (*5) | Applied | Applied | Yes
Search-[Don't search the web or display web results in Search] (*5) | Applied | Applied | Yes
Search-[Don't search the web or display web results in Search over metered connections] (*5) | Applied | Applied | Yes
Software Protection Platform-[Turn off KMS Client Online AVS Validation] (*5) | Applied | Applied | Yes
Store-[Turn off Automatic Download and Install of updates] (*5) | Applied | Applied | Yes
Store-[Turn off Automatic Download of updates on Win8 machines] (*5) | Applied | Applied | Yes
Store-[Turn off the offer to update to the latest version of Windows] (*5) | Applied | Applied | Yes
Store-[Turn off the Store application] (*5) | Applied | Applied | Yes
Windows Defender-[Turn off Windows Defender] (*5) | Applied | Applied | Yes

*1: This setting is not controlled by group policies.
*2: This setting can be controlled by group policies but can also be configured for each computer by using the IT Security Tool.
*3: This setting is for Domain Controllers.
*4: This setting is not available in the IT Security Tool. You must configure it manually.
*5: This setting is used to match the product specification rather than to be used as a security measure.
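Several rows of Table 2.1-1 correspond to registry values that the underlying group policies write, which makes them easy to spot-check on a computer after the IT Security Tool has run. The following PowerShell script is an added example and is not part of the Yokogawa guide or of the IT Security Tool; the expected values are assumptions taken from the commonly used Windows hardening values, since the guide lists the measures but not the values it sets, and should be confirmed against your own baseline before being used as a pass/fail criterion.

```powershell
# Added example (not from the Yokogawa guide): spot-check a subset of the Table 2.1-1
# measures by reading the registry values their group policies set. Expected values
# are assumptions (usual hardening values); the guide does not state the values the
# IT Security Tool writes. Run from an elevated prompt.

$Checks = @(
    @{ Measure = 'Disabling USB storage devices'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Expected = 4 }
    @{ Measure = 'Interactive logon: Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Expected = 1 }
    @{ Measure = "Disable 'Interactive logon: Do not require CTRL+ALT+DEL'"
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCAD'; Expected = 0 }
    @{ Measure = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Measure = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 }
    @{ Measure = 'Network access: Do not allow storage of passwords and credentials'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableDomainCreds'; Expected = 1 }
    @{ Measure = 'Network security: LAN Manager authentication level (assumed: NTLMv2 only, refuse LM and NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Measure = 'Network security: Minimum session security for NTLM SSP clients (assumed: NTLMv2 and 128-bit)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinClientSec'; Expected = 0x20080000 }
    @{ Measure = 'Network security: Minimum session security for NTLM SSP servers (assumed: NTLMv2 and 128-bit)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinServerSec'; Expected = 0x20080000 }
    @{ Measure = 'MSS: (DisableIPSourceRouting) IP source routing protection level (assumed: highest protection)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Measure = 'SCM: Enable LSA Protection (Strengthened model only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Expected = 1 }
    @{ Measure = 'Audit Process Creation: Include command line in process creation events'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 }
)

function Test-SecurityMeasure {
    param([hashtable]$Check)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch { }   # a missing key or value is reported as NOT CONFIGURED
    [pscustomobject]@{
        Measure  = $Check.Measure
        Value    = "$($Check.Path)\$($Check.Name)"
        Expected = $Check.Expected
        Actual   = $actual
        Status   = if ($null -eq $actual) { 'NOT CONFIGURED' }
                   elseif ($actual -eq $Check.Expected) { 'OK' }
                   else { 'MISMATCH' }
    }
}

$results = $Checks | ForEach-Object { Test-SecurityMeasure -Check $_ }
$results | Format-Table Status, Measure, Expected, Actual -AutoSize

# The Advanced Audit Policy Configuration rows are not plain registry values;
# auditpol reports the effective setting of each subcategory.
foreach ($sub in 'Process Creation', 'Logon', 'Logoff', 'Credential Validation', 'Removable Storage') {
    auditpol /get /subcategory:"$sub"
}
```

A row that reports NOT CONFIGURED is not necessarily a failure: for measures whose "Group policies take priority" column is Yes, the domain policy may deliver the value, and the local registry then reflects whatever the last policy refresh wrote.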

2.2 Windows user and group management types

Windows provides two methods of managing users: Standalone management and Domain management. It also supports a user management method called Combination management that combines Standalone management and Domain management. The following table describes the user and group management types in Windows.

Table 2.2-1 User and group management types

Management type | Operation | Feature
Standalone management | Operated by registering user accounts on each computer separately | • Suitable for systems that do not require a centralized user management • Not suitable for large-scale systems because user accounts must be maintained for each computer • Administrative rights for using the computer and maintenance rights to the product cannot be granted separately
Domain management | Operated by registering user accounts on the Domain Controller | • Suitable for systems that require a centralized user management • Administrative rights for using the computer and maintenance rights to the product can be granted separately
Combination management (*1) (*2) | Operated the same way as Domain management in normal operations | • Suitable for systems that require a centralized user management with the flexibility to enable certain users to manage their local computers • Administrative rights for using the computer and maintenance rights to the product cannot be granted separately

*1: With Combination management, users are usually managed by Domain management. When required, users can be managed by Standalone management. For example, in normal operation, user creation is centralized at an administrative section by using Domain management. However, the person in charge at the site can grant the required rights to users for accessing certain computers.
*2: If the Domain management type is applied for user management and 'Number of cache at the latest logon which is applied at Domain Controller fail' is specified as 0, the Combination management type is applied.

2.2.1 Created users and groups

After running the IT Security Tool, Windows users and groups are automatically created for the following combinations of security models and user management types:
• Type 1: Standard or Strengthened model - Standalone management
• Type 2: Standard or Strengthened model - Domain management
• Type 3: Standard or Strengthened model - Combination management

Note: All the user accounts that use FAST/TOOLS features must belong to the Administrators group on the FAST/TOOLS Server. In addition, the user accounts must belong to the groups described in this section according to their roles respectively.

Type 1: Standard or Strengthened model - Standalone management

The following table describes the users and groups for the Standard or Strengthened model that applies Standalone management.

Table 2.2.1-1 Type 1: Standard or Strengthened model - Standalone management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Users, Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Users, Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Users, Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_OPC | Group | Local computer | Users, Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users, Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.

*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.

Note:
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be modified without confirmation.


Type 2: Standard or Strengthened model - Domain management

The following table describes the users and groups for the Standard or Strengthened model that applies Domain management.

Table 2.2.1-2 Type 2: Standard or Strengthened model - Domain management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Domain users, Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Domain users, Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Domain users, Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_MAINTENANCE_LCL | Group | Local computer | Administrators | Supplementary group of users with the same rights as FTS_MAINTENANCE. This group is not used in normal operations but is used only for emergency situations when the domain environment is abnormal. You must manually add the user accounts that belong to this group to the Administrators group on each computer.
FTS_OPC | Group | Local computer | Users, Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users, Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.

*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.

Note:
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be modified without confirmation.


Type 3: Standard or Strengthened model - Combination management

The following table describes the users and groups for the Standard or Strengthened model that applies Combination management.

Table 2.2.1-3 Type 3: Standard or Strengthened model - Combination management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Domain Controller | Domain users, Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_OPERATOR_LCL | Group | Local computer | Users, Administrators (*1) | Supplementary group of users with the same rights as FTS_OPERATOR. (*2)
FTS_ENGINEER | Group | Domain Controller | Domain users, Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_ENGINEER_LCL | Group | Local computer | Users, Administrators (*1) | Supplementary group of users with the same rights as FTS_ENGINEER. (*2)
FTS_MAINTENANCE | Group | Domain Controller | Domain users, Domain administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_MAINTENANCE_LCL | Group | Local computer | Administrators | Supplementary group of users with the same rights as FTS_MAINTENANCE. (*2)
FTS_OPC | Group | Domain Controller | Domain users, Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_OPC_LCL | Group | Local computer | Users, Administrators (*1) | Supplementary group of users with the same rights as FTS_OPC. (*2)
FTS_PROCESS | User | Local computer | Users, Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*3) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.

*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This group is not used in normal operations but is used only for emergency situations when the domain environment is abnormal. You must manually add the user accounts that belong to this group to the Administrators group on each computer.
*3: This user account is created only on a dual-redundant platform.

Note:
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be modified without confirmation.
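Because the _LCL groups are created locally and footnote *2 requires their members to be added to the local Administrators group by hand, it is worth checking that state on each computer. The PowerShell script below is an added example, not part of the Yokogawa guide or of the IT Security Tool; it uses the group and account names of Table 2.2.1-3 and assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Windows Server 2016 or later) and an elevated prompt.

```powershell
# Added example (not from the Yokogawa guide): verify on a FAST/TOOLS computer that
# the local groups and accounts of Table 2.2.1-3 exist and that every member of an
# emergency *_LCL group is also a member of the local Administrators group (footnote *2).

$ExpectedLocalGroups = 'FTS_OPERATOR_LCL', 'FTS_ENGINEER_LCL', 'FTS_MAINTENANCE_LCL', 'FTS_OPC_LCL'
$ExpectedLocalUsers  = 'FTS_PROCESS'    # RDC_PROCESS exists only on a dual-redundant platform

function Get-MemberNames {
    # Members of a local group as "COMPUTER\name" strings; empty when the group is absent.
    param([string]$GroupName)
    try { (Get-LocalGroupMember -Group $GroupName -ErrorAction Stop).Name } catch { @() }
}

$adminMembers = Get-MemberNames -GroupName 'Administrators'

$report = foreach ($g in $ExpectedLocalGroups) {
    $exists  = [bool](Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)
    $members = if ($exists) { Get-MemberNames -GroupName $g } else { @() }
    # Footnote *2: every member of an emergency group must be a local Administrator.
    $missingAdmin = $members | Where-Object { $adminMembers -notcontains $_ }
    [pscustomobject]@{
        Group               = $g
        Exists              = $exists
        Members             = ($members -join ', ')
        NotInAdministrators = ($missingAdmin -join ', ')
        Status              = if (-not $exists) { 'MISSING' }
                              elseif ($missingAdmin) { 'FIX: add to Administrators' }
                              else { 'OK' }
    }
}
$report | Format-Table -AutoSize

foreach ($u in $ExpectedLocalUsers) {
    $user = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
    if (-not $user)             { "User $u is missing" }
    elseif (-not $user.Enabled) { "User $u exists but is disabled" }
    else                        { "User $u OK" }
}

# Emergency use only (footnote *2): granting a named account the rights of an _LCL
# group means adding it to that group AND to Administrators. Kept as a commented
# template so the script itself stays read-only; 'CONTOSO\jdoe' is a placeholder.
# Add-LocalGroupMember -Group 'FTS_MAINTENANCE_LCL' -Member 'CONTOSO\jdoe'
# Add-LocalGroupMember -Group 'Administrators'      -Member 'CONTOSO\jdoe'
```

The membership check only covers the local side of the model; the FTS_OPERATOR, FTS_ENGINEER, FTS_MAINTENANCE and FTS_OPC groups of Type 3 live on the Domain Controller and are verified there with the Active Directory tools instead.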

3. Details of security measures

This section describes the details of the security measures that can be applied on your computer.

3.1 Access Control

The Windows Access Control function controls permissions for files, folders, registry keys, and programs. You can use this function to prevent unauthorized access, leakage, tampering, and destruction of important data in the product. Access Control is performed separately for each user group. User accounts inherit the permissions that are granted to the user group to which they belong.

3.1.1 Access Control for files and folders

You can control permissions for files and folders to prevent unauthorized access to the data and program files in the system.

Target folders

The following table describes the target folders with controlled access.

Table 3.1.1-1 Target folders

Target folder | Description
(FAST/TOOLS program folder) | The top folder in which the FAST/TOOLS program files are installed. This folder is specified during installation. The default folder is: \Yokogawa\FAST TOOLS
(FAST/TOOLS data folder) | The top folder in which the FAST/TOOLS data files are saved. User data such as graphic files or historian data is saved in this folder. The default folder is: \Yokogawa
\Yokogawa\IA\iPCS\Platform\SECURITY | The folder in which utility programs such as IT Security Tool are installed.
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Tool | The folder in which the PRC Management Tool is installed.
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which programs related to PRC are installed on 32-bit operating systems.
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which programs related to PRC are installed on 64-bit operating systems.
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which configuration data related to PRC is saved.
:\ | The folders in which Vnet/IP interface package related files and data are stored.
\Yokogawa\IA\iPCS\Platform\Security | The folder in which IT security setting files are saved.


Permissions for files and folders

The following table describes the permissions that each user group needs to access FAST/TOOLS files and folders.

Table 3.1.1-2 Permissions for files and folders

Folder | [1] | [2] | [3] | [4] | [5] | [6] | [7]
(FAST/TOOLS program folder) | RX | F | F | F | F | - | F
  ├ tls | RX | F | F | F | F | - | F
  │  ├ com, exe, hlp, inc, jre, lib, qld, src, sup, tpl, upg | RX | F | F | F | F | - | F
  ├ jsp | RX | F | F | F | F | - | F
  ├ utility | - | F | F | F | - | - | F
  ├ uninst.exe | - | - | F | F | - | - | F
(FAST/TOOLS data folder) | RX | F | F | F | F | - | F
  ├ tls | RX | F | F | F | F | - | F
  │  ├ dat, doc, his | RWDX | F | F | F | F | - | F
  │  ├ log | RW | F | F | F | F | - | F
  │  ├ lst, pki, sav, wap | RWDX | F | F | F | F | - | F
  ├ utility | - | F | F | F | - | - | F
\Yokogawa\FAST/TOOLS Excel Add-in\ (*1) | RWDX | RWDX | F | RWDX | - | - | F
  ├ log | RW | F | F | F | F | - | F
\Yokogawa\IA\iPCS\Platform\Security | RX | RX | F | F | RX | RX | F
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Tool | (*2) | (*2) | (*2) | (*2) | (*2) | (*2) | (*2)
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | - | - | RWDP | RWDP | - | - | RWDX
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | - | - | RWDP | RWDP | - | - | RWD
\Yokogawa\IA\iPCS\Products\Platform | R | R | RWD | RWD | - | - | RWD
\Yokogawa\IA\iPCS\Platform\Security | RX | RX | F | F | RX | RX | F
\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | R | R | RWDP | RWDP | - | - | RWD


*1:
• For 32-bit Microsoft Excel: \Yokogawa\FASTTOOLS Excel Add-in
• For 64-bit Microsoft Excel: \Yokogawa\FASTTOOLS Excel Add-in
*2: It follows the access permission of the folder.

Legend: User or group

[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL
[4] : FTS_OPC or FTS_OPC_LCL
[5] : FTS_PROCESS
[6] : RDC_PROCESS
[7] : Local system account (a local Windows system account)

Permission Types

F : Full access control
R : Read and view folder contents
X : Read and execute
W : Write
D : Delete
P : Permission to set and change access permission for files and registry
- : No permission

Permissions for programs

The following table describes the permissions that each user group needs to run FAST/TOOLS programs.

Note: If you start a FAST/TOOLS program from the Start menu without having the permission to run programs, an error message appears, indicating that Windows cannot access the specified device, path, or file because you may not have the appropriate permission.

Table 3.1.1-3 Permissions for FAST/TOOLS programs

Program | Started from the Start menu | [1] | [2] | [3]
Alarm System Performance Analysis (*1) | Yes | Allowed | Allowed | Allowed
Edit Module (Enterprise) | Yes | Not allowed | Allowed | Allowed
Edit Module | Yes | Not allowed | Allowed | Allowed
Engineering Module | Yes | Not allowed | Allowed | Allowed
FASTTOOLS Documentation | Yes | Allowed | Allowed | Allowed
Item search | Yes | Not allowed | Allowed | Allowed
Licence Authorization Wizard (*1) | Yes | Not allowed | Allowed | Allowed
Licence Request Wizard (*1) | Yes | Not allowed | Allowed | Allowed
Message-Log (*1) | Yes | Allowed | Allowed | Allowed
Operator Interface | Yes | Allowed | Allowed | Allowed
Performance Monitor (*1) | Yes | Not allowed | Allowed | Allowed
Playback Viewer (*1) | Yes | Not allowed | Allowed | Allowed
Setup File Editor (*1) | Yes | Not allowed | Allowed | Allowed
Remote Connect Setting (*2) | Yes | Allowed | Allowed | Allowed
Start FAST TOOLS (*1) | Yes | Allowed | Allowed | Allowed
Stop FAST TOOLS (*1) | Yes | Allowed | Allowed | Allowed
IT Security Tool | Yes | Not allowed | Not allowed | Allowed
Redundancy Management Tool | Yes | (*3) | (*3) | (*3)

*1: It is only displayed in the FAST/TOOLS Server.
*2: It is only displayed in the FAST/TOOLS remote computer.
*3: It follows the access permission for the folder and is executable.

Legend:
[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL


Permissions for Windows system commands

The permissions to run the following Windows programs are granted to users with local administrative rights or domain administrative rights.

Note: Windows programs are saved in the :\Windows\System32 folder.

• ARP.EXE
• finger.exe
• ftp.exe
• HOSTNAME.EXE
• .exe
• nbtstat.exe
• .EXE
• .exe
• PATHPING.EXE
• PING.EXE
• rcp.exe
• rexec.exe
• .EXE
• rsh.exe
• tftp.exe
• TRACERT.EXE
• bootcfg.exe
• .exe
• net1.exe
• .exe
• telnet.exe
• netsh.exe
• telnet.exe

3.1.2 Access Control for product registry

You can control permissions for the product-related registry keys to prevent unauthorized access to these keys.

Permissions for registry key

The access to the registry key of the installed FAST/TOOLS package is controlled on a user-group basis. The following table describes the permissions that each user group needs to access the registry key.

Table 3.1.2-1 Permissions for FAST/TOOLS-related registry key

Registry name | [1] | [2] | [3] | [4] | [5] | [6] | [7]
VHFD Registry (*1) | F | F | F | F | F | F | R

*1: The VHFD registry key is [HKLM\SOFTWARE\YOKOGAWA\VHFD]

Legend: User or group

[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL
[4] : FTS_OPC or FTS_OPC_LCL
[5] : FTS_PROCESS
[6] : RDC_PROCESS
[7] : Local system account (a local Windows system account)

Permission Type

F : Full access control
R : Read
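Tables 3.1.1-2 and 3.1.2-1, and the list of Windows system commands in section 3.1.1, all describe the same thing: the ACEs that should exist on particular objects, expressed in the F/R/X/W/D/P legend. The PowerShell script below is an added example, not part of the Yokogawa guide, that reads the actual ACLs with Get-Acl and prints them in that legend so they can be compared line by line with the tables. The folder paths are assumptions (the guide shows them with the drive letter and installation folder elided), and the list of network tools is a subset of the section 3.1.1 list.

```powershell
# Added example (not from the Yokogawa guide): show the ACEs on FAST/TOOLS folders,
# on some of the Windows network tools of section 3.1.1 and on the VHFD registry key
# of section 3.1.2 in the F/R/X/W/D/P legend of Table 3.1.1-2. Paths are assumptions.

$FastToolsHome = 'C:\Yokogawa\FAST TOOLS'          # assumed default program folder
$FolderTargets = @(
    $FastToolsHome, "$FastToolsHome\tls", "$FastToolsHome\utility",
    'C:\Yokogawa\IA\iPCS\Platform\Security',
    'C:\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent',
    'HKLM:\SOFTWARE\YOKOGAWA\VHFD'                  # registry key of Table 3.1.2-1
)
# Subset of the programs listed under "Permissions for Windows system commands".
$NetworkTools = Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include ftp.exe, tftp.exe, telnet.exe, netsh.exe, net1.exe, rexec.exe, rsh.exe, TRACERT.EXE |
    Select-Object -ExpandProperty FullName

function ConvertTo-LegendCode {
    # Translate an ACE's rights mask into the table legend: F full control,
    # R read, X execute, W write, D delete, P change permissions, - none.
    param([System.Security.AccessControl.AuthorizationRule]$Rule)
    if ($Rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
        $mask = [int]$Rule.FileSystemRights
        $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
        $bits = [ordered]@{ R = 0x1; X = 0x20; W = 0x2; D = 0x10000; P = 0x40000 }
    } else {
        $mask = [int]$Rule.RegistryRights
        $full = [int][System.Security.AccessControl.RegistryRights]::FullControl
        $bits = [ordered]@{ R = 0x1; W = 0x2; D = 0x10000; P = 0x40000 }   # keys have no X
    }
    # GENERIC_ALL (0x10000000) occurs on inherit-only ACEs and also means full control.
    if ((($mask -band $full) -eq $full) -or ($mask -band 0x10000000)) { return 'F' }
    $code = ($bits.Keys | Where-Object { $mask -band $bits[$_] }) -join ''
    if ($code) { $code } else { '-' }
}

function Get-LegendTable {
    # One row per ACE of the object, in the legend notation.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Type      = [string]$ace.AccessControlType     # Allow or Deny
            Rights    = ConvertTo-LegendCode -Rule $ace
            Inherited = $ace.IsInherited
        }
    }
}

$FolderTargets | Where-Object { Test-Path $_ } | ForEach-Object { Get-LegendTable -Path $_ } |
    Format-Table Path, Identity, Type, Rights, Inherited -AutoSize

# Section 3.1.1 reserves the network tools for local or domain administrators:
# report any Allow ACE that still grants execute rights to a FAST/TOOLS group or to Users.
$NonAdminGroups = 'FTS_OPERATOR', 'FTS_ENGINEER', 'FTS_OPC', 'FTS_PROCESS', 'Users'
$NetworkTools | ForEach-Object { Get-LegendTable -Path $_ } | Where-Object {
    $entry = $_
    $entry.Type -eq 'Allow' -and $entry.Rights -match '[XF]' -and
    ($NonAdminGroups | Where-Object { $entry.Identity -like "*\$_" })
} | Format-Table Path, Identity, Rights -AutoSize
```

Deny ACEs are listed with their own Type so that a tool the tables mark as "-" for a group can be distinguished from one where the group simply has no ACE; both are "no permission" in the legend, but a Deny entry also overrides any Allow the same account receives through another group.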

3.1.3 Access Control for DCOM (OPC) objects

Distributed Component Object Model (DCOM) enables software components referred to as COM objects to communicate over a network and exchange data and processing requests. You can configure the DCOM authentication level, port allocation, and permissions to protect the product from unauthorized access of data. By default, this setting item is selected for all security models and you cannot modify this selection. The following table describes the DCOM (OPC) object settings that are configured on your computer when this setting item is applied.

Table 3.1.3-1 DCOM (OPC) object settings

Setting | Value
Enable Distributed COM on this computer | Selected
Default Authentication Level | Connect
Default Impersonation Level | Identify

Note: Access permissions, and Launch and Activation permissions are granted to the following users/groups:
• FTS_OPC
• FTS_PROCESS
• ANONYMOUS LOGON
• SYSTEM
• INTERACTIVE
• NETWORK

Permission for DCOM Servers

The following DCOM Servers are used by FAST/TOOLS:
• OPC Enum
• FAST/TOOLS OPC DA Server
• FAST/TOOLS OPC AE Server

Access Control for OPC Enum Server

The following table describes the Access Control for OPC Enum Server.

Table 3.1.3-2 Access Control for OPC Enum Server

Setting | Value
General/Authentication Level | Default
Location | Run application on this computer.
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | The system account (services only)


Access Control for FAST/TOOLS OPC DA Server

The following table describes the Access Control for FAST/TOOLS OPC DA Server.

Table 3.1.3-3 Access Control for FAST/TOOLS OPC DA Server

Setting | Value
General/Authentication Level | Default
Location | Run application on this computer.
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | The system account (services only)

Access Control for FAST/TOOLS OPC AE Server

The following table describes the Access Control for FAST/TOOLS OPC AE Server.

Table 3.1.3-4 Access Control for FAST/TOOLS OPC AE Server

Setting | Value
General/Authentication Level | Default
Location | Run application on this computer.
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | This user (FTS_PROCESS)
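All three servers use the machine-wide defaults for Access and for Launch and Activation, so the identities listed in the Note of section 3.1.3 are held in the computer-wide DCOM security descriptors, which Windows stores as binary values under HKLM\SOFTWARE\Microsoft\Ole together with the levels of Table 3.1.3-1. The PowerShell script below is an added example and is not part of the Yokogawa guide: it reads those values and decodes the descriptors into per-identity rows for comparison with the Note. The value names and the numeric meanings of the levels are those of the Ole key itself; the per-server settings of Tables 3.1.3-2 to 3.1.3-4 live under HKCR\AppID\{GUID} and are not covered because the guide does not give those GUIDs.

```powershell
# Added example (not from the Yokogawa guide): read the machine-wide DCOM settings
# of Table 3.1.3-1 and decode the computer-wide Access and Launch/Activation
# descriptors into identity rows, to compare with the Note of section 3.1.3.

$Ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$AuthLevels = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpLevels  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }
# When a value is absent Windows uses Connect / Identify, the same values Table 3.1.3-1 lists.
$auth = if ($null -ne $Ole.LegacyAuthenticationLevel) { [int]$Ole.LegacyAuthenticationLevel } else { 2 }
$imp  = if ($null -ne $Ole.LegacyImpersonationLevel)  { [int]$Ole.LegacyImpersonationLevel }  else { 2 }

[pscustomobject]@{
    'Enable Distributed COM on this computer' = ($Ole.EnableDCOM -eq 'Y')
    'Default Authentication Level'            = $AuthLevels[$auth]
    'Default Impersonation Level'             = $ImpLevels[$imp]
} | Format-List

# DCOM access-mask bits: 1 execute, 2 local execute, 4 remote execute,
# 8 local activation, 16 remote activation.
$MaskBits = [ordered]@{ 1 = 'Execute'; 2 = 'LocalExecute'; 4 = 'RemoteExecute'; 8 = 'LocalActivate'; 16 = 'RemoteActivate' }

function ConvertFrom-DcomDescriptor {
    # Decode one binary security descriptor value of the Ole key into ACE rows.
    param([string]$ValueName)
    $bytes = $Ole.$ValueName
    if (-not $bytes) { Write-Warning "$ValueName is not set; Windows defaults apply"; return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $flags = foreach ($k in $MaskBits.Keys) { if ($ace.AccessMask -band $k) { $MaskBits[$k] } }
        [pscustomobject]@{
            Descriptor = $ValueName
            Identity   = $who
            Type       = [string]$ace.AceType      # AccessAllowed or AccessDenied
            Rights     = ($flags -join ',')
        }
    }
}

$descriptors = 'DefaultAccessPermission', 'DefaultLaunchPermission',
               'MachineAccessRestriction', 'MachineLaunchRestriction'
$aces = foreach ($d in $descriptors) { ConvertFrom-DcomDescriptor -ValueName $d }
$aces | Format-Table -AutoSize

# Compare with the identities the Note says hold the permissions.
$Expected = 'FTS_OPC', 'FTS_PROCESS', 'ANONYMOUS LOGON', 'SYSTEM', 'INTERACTIVE', 'NETWORK'
$granted  = $aces | Where-Object { $_.Type -eq 'AccessAllowed' } |
            ForEach-Object { $_.Identity -replace '^.*\\', '' }
$Expected | Where-Object { $granted -notcontains $_ } |
    ForEach-Object { "Not found in any Allow ACE of the default descriptors: $_" }
```

The MachineAccessRestriction and MachineLaunchRestriction descriptors are the computer-wide limits: an identity that is missing from them cannot use DCOM at all, whatever the per-server or default permissions say, so a failed OPC connection is worth checking there first.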

3.2 Personal firewall tuning

The personal firewall restricts communication among computers on your network and prevents attacks from unknown areas. Therefore, the Windows firewall must be turned on. All ports and programs must be blocked except for those that are required by the FAST/TOOLS system.

Firewall port exceptions

The following table describes the ports that should be added to the exception list for personal firewall tuning.

Table 3.2-1 Firewall port exceptions

Program or service | Port | When and where used
Remote desktop connection | TCP: 3389 | Only if VNC is required for this machine. If VNC is required for particular users, restrict access to those users only
Web communication | TCP: 8080/80 | On Web-HMI Client and Web-HMI Server for rendering HTML5 graphics
Secure communication | TCP: 8443/443 | On Web-HMI Client and Web-HMI Server for rendering HTML5 graphics
FAST/TOOLS DURM connection | UDP: 17001,17101 | On each machine with a DURM connection. Make exceptions for the port number used for each DURM line. For example, if you are using a dual redundant network connection, you must do this twice, once for each line. When you connect a FAST/TOOLS terminal such as Web HMI Server, additional port exceptions are required. (Recommended ports: 20000-20499)
SMDMON configuration program | UDP: 18002 | FAST/TOOLS system logging collection

Note: Additional exceptions are required when using the following programs or services: • A redundant Server configuration and high-availability (HAC) software • ODBC • Alarm to e-mail • Windows domain • NTP • Antivirus • OPC • TCP/IP based equipments


■ HAC firewall exceptions

The following table describes the programs that should be defined as exceptions in the firewall when FAST/TOOLS runs on HAC (manual engineering is required).

Table 3.2-2 HAC firewall port exceptions

Program or service | Port | When and where used
GUI port for HAC | UDP: 16000 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
Logger port for HAC | UDP: 16001 | (as above)
Mirror port for HAC | UDP: 16002 | (as above)
Recovery port for HAC | UDP: 16003 | (as above)
Watchdog for HAC | UDP: 16004 | (as above)
HACWITM for setting items | UDP: 16005 | (as above)
HACMIR for data | UDP: 16006 | (as above)
HAC Server to HACW_HMI | UDP: 16010-16041 | If multiple HACW_HMI windows are required on the same machine

Note:
• Ports 16000-16001 can be set from hac.sup and jhacProperties\application.properties.
• Ports 16002-16006 can be set from hac.sup.
• Ports 16010-16041 can be set from jhacProperties\application.properties.

■ ODBC

The following table describes the program that should be defined as an exception in the firewall when FAST/TOOLS uses ODBC (manual engineering is required).

Table 3.2-3 ODBC firewall port exceptions

Program or service | Port | When and where used
SimbaServer | TCP: 1583 | Only on the Server machine and only when using the ODBC interface of ACCESS/FAST

■ Alarm to e-mail

The following table describes the program that should be defined as an exception in the firewall when Alarm to e-mail is used.

Table 3.2-4 Alarm to e-mail firewall port exceptions

Program or service | Port | When and where used
SMTP | TCP: 25 | Only when alarm to e-mail is used, and only from the machine sending messages to the e-mail Server

■ Windows domain

The following table describes the programs that should be defined as exceptions in the firewall when FAST/TOOLS runs in a Windows domain.

Table 3.2-5 Windows domain firewall port exceptions

Program or service | Port | When and where used
DNS | TCP: 53, UDP: 53 | SCADA Server and Web HMI Client/Server
Kerberos Authentication | TCP: 88, UDP: 88 | SCADA Server and Web HMI Client/Server
LDAP | TCP: 389, UDP: 389 | SCADA Server and Web HMI Client/Server
Direct Hosting | TCP: 445 | SCADA Server and Web HMI Client/Server
Global Catalogue | TCP: 3268 | SCADA Server and Web HMI Client/Server
Global Catalogue SSL | TCP: 3269 | SCADA Server and Web HMI Client/Server
DHCP | UDP: 67 | Web HMI Client (for DHCP)
Network Discovery | UDP: 137, 138, 1900, 3702, and 5355; TCP: 2869, 5357, and 5358 | Web HMI Client (for DHCP)
MADCAP | UDP: 2535 | Web HMI Client (for DHCP)
SOAP | TCP: 9389 | Active Directory Web service

■ Time synchronization

The following table describes the program that should be defined as an exception in the firewall when using the Windows time service.

Table 3.2-6 Time synchronization firewall port exceptions

Program or service | Port | When and where used
NTP/SNTP | TCP/UDP: 123 | SCADA Server and Web HMI Client/Server

Note: You need not configure this setting if you use ecutl or Vnet/IP.

■ OPC

The following table describes the programs that should be added to the exception list when using OPC connections.

Table 3.2-7 OPC firewall port exceptions

Program or service | Port | When and where used
RPC/DCOM | TCP: 135 | OPC Client and OPC Server
NetBIOS Session Service | TCP: 139 | OPC Client and OPC Server
DCOM (*1) | TCP: 20500-20550 | OPC Client and OPC Server
NetBIOS Name Resolution | UDP: 137 | OPC Client and OPC Server
NetBIOS Datagram Service | UDP: 138 | OPC Client and OPC Server
OPC-UA Discovery Port | UDP: 4840 | OPC-UA Server
OPC-UA Communication Port | Customizable | OPC-UA Server

*1: This can be customized.

■ Vnet equipment

The following table describes the program that should be defined as an exception in the firewall when using Vnet equipment.

Table 3.2-8 Vnet equipment firewall port exceptions

Program or service | Port | When and where used
odeq.exe | TCP: 44818 | SCADA Server or RGS Server

■ TCP/IP based equipment

The following table describes the programs that should be added to the exception list for each type of TCP/IP based equipment.

Table 3.2-9 TCP/IP based equipment firewall port exceptions

Program or service | Port | When and where used
Rockwell CIP | TCP: 44818 | Line and station definition forms
PLC5 via CIP | TCP: 44818 | Line and station definition forms
DAQ station | TCP: 34260 and 34434 | Line and station definition forms
DNP3 | TCP: 20000 | Line and station definition forms
FAM3 | TCP: 12289 | Line and station definition forms
Fisher ROC | TCP: 44818 | Line and station definition forms
IEC 60870-5-104 | TCP: 2404 | Line and station definition forms
IEC 61850 | TCP: 102 | Line and station definition forms
MELSEC | (*1) | (*1)
MeTro | TCP: 7075 | Line and station definition forms
MODBUS | TCP: 502 | Line and station definition forms
MODBUS SLAVE | (*2) |
Siemens S7 | (*1) | (*1)
Stardom FCX | TCP: 1090 | Line and station definition forms

*1: Refer to the System Integrator's Manual EQUIPMENT/FAST.
*2: The port for MODBUS SLAVE can be changed by using the Command Prompt (EQPMDCSLVTCP).

■ PRC

The following table describes the programs that should be added to the exception list when using the PRC platform.

Table 3.2-10 PRC firewall port exceptions

Program or service | Port | When and where used
Relay Server (*1) | TCP: 34486 | PRC platform
Mirrored Disk Server (*1) | TCP: 34480 and 34483 | PRC platform
Virtualization and Equalization Server (*1) | TCP: 34484 | PRC platform
Maintenance Server | TCP: 34485 | PRC platform
DELL Open Manage Server Administrator | UDP: 1311 | PRC platform

*1: Used to access data from a computer through a paired computer.

■ Internet Control Message Protocol (ICMP) settings

ICMP is a protocol that uses IP addresses to send messages among computers in a network. When the Standard model is applied and the firewall is turned on, the File and Printer Sharing (Echo Request - ICMPv4-In) ICMP rule is allowed through the firewall.
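The following script is an added example and is not part of the Yokogawa guide. It applies the posture section 3.2 describes (firewall on, inbound blocked by default, exceptions only for the FAST/TOOLS ports of Tables 3.2-1 and 3.2-7, the single ICMP echo rule) with the NetSecurity cmdlets, and then lists every other enabled inbound allow rule so the remaining exceptions can be reviewed against the tables for this machine's role. The rule display names, the rule group "FAST/TOOLS", the role labels, and the 192.0.2.0/24 address range are my own choices, not values from the guide.

```powershell
# Added example (not part of the Yokogawa guide): apply the section 3.2 posture
# with the built-in NetSecurity cmdlets. Run elevated on the machine being
# hardened. Rule display names, the rule group "FAST/TOOLS" and the role labels
# are my own; the ports are those of Tables 3.2-1 and 3.2-7.
#Requires -RunAsAdministrator

$FastToolsPorts = @(
    # Table 3.2-1. The remote desktop row is opened only when remote access is
    # actually needed; narrow -RemoteAddress to the permitted users' workstations.
    @{ Name = 'FAST/TOOLS Remote desktop';            Protocol = 'TCP'; Port = 3389;          Roles = 'RemoteDesktop' }
    @{ Name = 'FAST/TOOLS Web HMI HTTP';              Protocol = 'TCP'; Port = @(80, 8080);   Roles = 'WebHMI' }
    @{ Name = 'FAST/TOOLS Web HMI HTTPS';             Protocol = 'TCP'; Port = @(443, 8443);  Roles = 'WebHMI' }
    @{ Name = 'FAST/TOOLS DURM line 1';               Protocol = 'UDP'; Port = 17001;         Roles = 'DURM' }
    @{ Name = 'FAST/TOOLS DURM line 2';               Protocol = 'UDP'; Port = 17101;         Roles = 'DURM' }
    @{ Name = 'FAST/TOOLS DURM terminal ports';       Protocol = 'UDP'; Port = '20000-20499'; Roles = 'DURM-Terminal' }
    @{ Name = 'FAST/TOOLS SMDMON logging';            Protocol = 'UDP'; Port = 18002;         Roles = 'SMDMON' }
    # Table 3.2-7 (classic OPC over DCOM)
    @{ Name = 'FAST/TOOLS OPC RPC endpoint mapper';   Protocol = 'TCP'; Port = 135;           Roles = 'OPC' }
    @{ Name = 'FAST/TOOLS OPC DCOM range';            Protocol = 'TCP'; Port = '20500-20550'; Roles = 'OPC' }
    @{ Name = 'FAST/TOOLS OPC NetBIOS session';       Protocol = 'TCP'; Port = 139;           Roles = 'OPC' }
    @{ Name = 'FAST/TOOLS OPC NetBIOS name/datagram'; Protocol = 'UDP'; Port = @(137, 138);   Roles = 'OPC' }
)

function Set-FastToolsFirewall {
    param(
        # Roles this machine plays, e.g. 'WebHMI','DURM'; only matching rows are opened
        [Parameter(Mandatory)] [string[]] $Roles,
        # Peers allowed to reach the opened ports; narrow this to the SCADA network
        [string[]] $RemoteAddress = 'Any'
    )
    # Firewall on for every profile, inbound blocked unless a rule allows it
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    foreach ($entry in $FastToolsPorts | Where-Object { $Roles -contains $_.Roles }) {
        # Recreate the rule so that a re-run converges on the intended definition
        Get-NetFirewallRule -DisplayName $entry.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $entry.Name -Group 'FAST/TOOLS' -Direction Inbound -Action Allow `
            -Protocol $entry.Protocol -LocalPort $entry.Port -RemoteAddress $RemoteAddress -Profile Any | Out-Null
    }
    # The one ICMP rule the guide keeps open (a predefined Windows rule)
    Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)'
}

function Get-UnexpectedInboundRule {
    # Every enabled inbound allow rule outside the FAST/TOOLS group is a candidate
    # for removal; review the list against the guide's tables for this machine.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Group -ne 'FAST/TOOLS' } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',') }
        }
}

# Example run for a Web HMI Server that also has a DURM line. 192.0.2.0/24 is a
# placeholder for the SCADA network, not a value from the guide.
Set-FastToolsFirewall -Roles 'WebHMI', 'DURM' -RemoteAddress '192.0.2.0/24'
Get-UnexpectedInboundRule | Sort-Object Rule | Format-Table -AutoSize
```

Rows for the role-specific tables (HAC, ODBC, SMTP, domain, PRC, equipment) can be appended to `$FastToolsPorts` with their own role label; keeping them in one list makes the final `Get-UnexpectedInboundRule` report the single place where anything outside the guide's tables becomes visible.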

3.3 Stopping unused Windows services

Unused Windows services can be targeted by attacks from unknown sources. You can stop these unnecessary services to reinforce the security of your computer and the system.

■ Unused Windows services

The unused Windows services are as follows:
• Delivery Optimization
• DHCP Client
• Diagnostic Policy Service
• Connected User Experience and Telemetry
• dmwappushsvc
• Downloaded Maps Manager
• IP Helper
• IPsec Policy Agent
• Offline Files
• Plug and Play
• Program Compatibility Assistant Service
• Remote Registry
• Shell Hardware Detection
• WebClient
• Windows Error Reporting Service
• Windows Push Notifications System Service
• WinHTTP Web Proxy Auto-Discovery Service

Note: Depending on the , some services may not be available.
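As an added example (not code from the Yokogawa guide), the script below disables the services listed in section 3.3 and reports any that are still startable or still running, which is the check an operator wants after a reboot or a feature update. The list entries are the guide's display names; "dmwappushsvc" is already a service name, and for the telemetry service I use the display name as Windows spells it ("Connected User Experiences and Telemetry", service name DiagTrack), since the guide's spelling would not resolve. Services absent on a given edition are skipped with a warning, matching the guide's note.

```powershell
# Added example (not part of the Yokogawa guide): disable the section 3.3 services
# and verify the result. Requires Windows PowerShell 5.1 or later (for StartType)
# and an elevated session.
#Requires -RunAsAdministrator

$UnusedServiceNames = @(
    'Delivery Optimization', 'DHCP Client', 'Diagnostic Policy Service',
    'Connected User Experiences and Telemetry',   # service name DiagTrack
    'dmwappushsvc', 'Downloaded Maps Manager', 'IP Helper', 'IPsec Policy Agent',
    'Offline Files', 'Plug and Play', 'Program Compatibility Assistant Service',
    'Remote Registry', 'Shell Hardware Detection', 'WebClient',
    'Windows Error Reporting Service', 'Windows Push Notifications System Service',
    'WinHTTP Web Proxy Auto-Discovery Service'
)

function Resolve-ListedService {
    # Match each list entry against both the service name and the display name
    param([string[]] $Names = $UnusedServiceNames)
    $all = Get-Service
    foreach ($n in $Names) {
        $svc = $all | Where-Object { $_.Name -eq $n -or $_.DisplayName -eq $n }
        if ($svc) { $svc } else { Write-Warning "Service '$n' not found on this system; skipped" }
    }
}

function Disable-UnusedService {
    param([string[]] $Names = $UnusedServiceNames)
    foreach ($svc in Resolve-ListedService -Names $Names) {
        # Disabled start type survives reboots; Stop-Service halts it now
        Set-Service -Name $svc.Name -StartupType Disabled
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force -ErrorAction Continue
        }
    }
}

function Test-UnusedService {
    # Returns the listed services that are still startable (not Disabled) or still running.
    # An empty result means the section 3.3 state is in effect.
    param([string[]] $Names = $UnusedServiceNames)
    Resolve-ListedService -Names $Names 3>$null |
        ForEach-Object { Get-Service -Name $_.Name } |
        Where-Object { $_.StartType -ne 'Disabled' -or $_.Status -ne 'Stopped' } |
        Select-Object Name, DisplayName, Status, StartType
}

Disable-UnusedService
Test-UnusedService | Format-Table -AutoSize
```

`Test-UnusedService` re-reads each service after the change rather than reusing the objects from the first `Get-Service`, because `ServiceController` objects cache their status; `3>$null` silences the "not found" warnings on the verification pass since they were already shown once.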

3.4 OPC configuration

The following settings must be configured to connect to the OPC Server:

■ Local security policy

The following table describes the local security policy that must be defined for OPC configuration.

Table 3.4-1 Local security policy for OPC configuration

Policy | Standalone management | Domain management
Create permanent Shared Object | Local/FTS_PROCESS; Local/FTS_OPC_LCL | FTS_OPC; FTS_PROCESS; Domain/FTS_OPC_LCS
Network Access: Sharing and security settings for local Accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves

■ DCOM protocols

DCOM uses dynamic ports assigned by Remote Procedure Call (RPC). This setting controls the range of ports that RPC may assign to incoming DCOM communication. The following table describes the DCOM port range settings for OPC configuration.

Table 3.4-2 DCOM protocols for OPC configuration

Policy | Domain management
TCP/IP Port Ranges | 2500-20550

Note: In addition to the above settings, you must also define DCOM settings and personal firewall exceptions.

3.5 IT environment settings

This section describes the Windows security functions that are applicable to the FAST/TOOLS system. Depending on the conditions of each system, it may not be possible to implement certain security functions. Therefore, before implementing a security function, analyze whether it can be applied to the FAST/TOOLS system.

3.5.1 NetBIOS over TCP/IP

You can disable NetBIOS over TCP/IP to prevent attackers from obtaining a list of network users and services that are running on a computer on your network.

Note: The computer name must then be resolved by DNS or the HOSTS file.

3.5.2 Hard disk password

A password can be used to protect access to hard disk data using Advanced Technology Attachment (ATA) commands. Without the password, access to the hard disk is restricted: you cannot access the hard disk even if you remove it and connect it to another computer. This prevents leakage of important data even if the computer is stolen. If this function is enabled, you need to provide the hard disk password every time you start the computer. Losing the password makes it impossible to access the hard disk data. Contact your computer vendor to find out whether this function is available and how to enable it.

3.6 Group Policy settings

Group Policy settings are configured to control and maintain security policies collectively in a domain environment. The settings enable centralized management of the security settings for the computers that are connected to the same domain.

Note: In a domain environment, Group Policy settings take precedence over the settings that are configured locally.

3.6.1 Password policies

You can apply the password policies when creating passwords to ensure that user authentication is secure. The following table describes the details of the password policies.

Table 3.6.1-1 Password policies

Policy | Setting
Minimum password length | 12 characters
Minimum password age | 1 day
Validity period of password | 70 days
Enforce password history | 2 passwords
Password must meet complexity requirements | Enabled
Store password using reversible encryption | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] > [Security Settings] > [Account Policies] > [Password Policy]

Note: If you apply password policies, the effort required for managing passwords increases for both users and operation administrators.

3.6.2 Account lockout policies

You can apply the account lockout policies to disable a user account after a specified number of incorrect password entries. This policy protects the system from unauthorized attacks such as online password cracking and direct system attacks. The following table describes the details of the account lockout policies.

Table 3.6.2-1 Account lockout policies

Policy | Setting
Account lockout threshold | 10 invalid logon attempts
Reset account lockout counter after | 15 minutes (*1)
Account lockout duration | 15 minutes

*1: If you fail to log on repeatedly, logging on to that user account will be disabled until the time set for "Reset account lockout counter after" elapses.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] > [Security Settings] > [Account Policies] > [Account Lockout Policy]

Note: When the account lockout policies are applied, you may not be able to log on if a lockout occurs due to unintended actions or operations.
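The guide gives the password and lockout values (Tables 3.6.1-1 and 3.6.2-1) and, in Table 3.4-1, the accounts that must hold the "Create permanent shared objects" user right, but not a way to verify what is actually in effect after Group Policy and local settings combine. The following added example (my code, not the guide's) exports the effective local security policy with `secedit.exe`, parses the INI it writes, and compares the [System Access] keys with the guide's values and the `SeCreatePermanentPrivilege` holders with the standalone-management accounts of Table 3.4-1. The key names are the ones secedit uses; the temporary file path is my choice.

```powershell
# Added example (not part of the Yokogawa guide): verify the effective local
# security policy against Tables 3.4-1, 3.6.1-1 and 3.6.2-1. Run elevated.
#Requires -RunAsAdministrator

function Export-LocalSecurityPolicy {
    # secedit writes a UTF-16 INI file; return its sections as nested hashtables
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $tmp /quiet | Out-Null
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -Path $tmp -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $current = $matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$matches[1]] = $matches[2] }
    }
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    return $sections
}

# [System Access] keys with the values the guide prescribes. MaximumPasswordAge is
# the guide's "Validity period of password"; ClearTextPassword 0 is "Store password
# using reversible encryption: Disabled".
$ExpectedSystemAccess = @{
    MinimumPasswordLength = 12
    MinimumPasswordAge    = 1
    MaximumPasswordAge    = 70
    PasswordHistorySize   = 2
    PasswordComplexity    = 1
    ClearTextPassword     = 0
    LockoutBadCount       = 10
    ResetLockoutCount     = 15
    LockoutDuration       = 15
}

function Test-AccountPolicy {
    param([hashtable] $Policy = (Export-LocalSecurityPolicy))
    $sa = $Policy['System Access']
    if (-not $sa) { throw 'No [System Access] section in the secedit export' }
    foreach ($k in $ExpectedSystemAccess.Keys | Sort-Object) {
        $actual = if ($sa.ContainsKey($k)) { [int]$sa[$k] } else { $null }
        [pscustomobject]@{ Setting = $k; Expected = $ExpectedSystemAccess[$k]; Actual = $actual
                           Compliant = ($actual -eq $ExpectedSystemAccess[$k]) }
    }
}

function Test-CreatePermanentSharedObjectsRight {
    # Table 3.4-1, standalone management: FTS_PROCESS and FTS_OPC_LCL hold the right.
    # For domain management pass the domain accounts instead. secedit lists holders
    # as *SID or as names, so SIDs are translated before comparison.
    param([hashtable] $Policy = (Export-LocalSecurityPolicy),
          [string[]] $ExpectedAccounts = @('FTS_PROCESS', 'FTS_OPC_LCL'))
    $raw = [string]$Policy['Privilege Rights']['SeCreatePermanentPrivilege']
    $holders = foreach ($h in ($raw -split ',')) {
        $h = $h.Trim()
        if ($h.StartsWith('*')) {
            try { (New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $h }   # unresolvable SID (deleted account): keep it visible
        } elseif ($h) { $h }
    }
    [pscustomobject]@{
        Holders = $holders
        Missing = @($ExpectedAccounts | Where-Object { $n = $_
                      -not ($holders | Where-Object { $_ -eq $n -or $_ -like "*\$n" }) })
    }
}

$policy = Export-LocalSecurityPolicy
Test-AccountPolicy -Policy $policy | Format-Table -AutoSize
Test-CreatePermanentSharedObjectsRight -Policy $policy
```

Exporting once and passing the hashtable to both checks keeps the two functions independent while avoiding a second `secedit` run; `Holders` is reported in full so that an unexpected extra holder of the right is as visible as a missing one.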

3.6.3 Security Options

The following table shows the security settings that are enabled or disabled.

Table 3.6.3-1 Settings (1/2)

Policy | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Domain Controller: Allow Server operators to schedule tasks (*1) | Disabled
Domain Controller: Refuse machine account password changes (*1) | Disabled
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Display user information when the session is locked | User display name, domain and user names
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Prompt user to change password before expiration | Enabled, 14 days
Microsoft network Server: Digitally sign communications (if Client agrees) | Enabled
Microsoft network Server: Server SPN target name validation level | Enabled, Accept if provided by Client
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) | Disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled, Highest protection, source routing is completely disabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Enabled, 3
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Force logoff when logon hours expire (*1) | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: LAN Manager authentication level | Enabled, Send NTLMv2 response only
Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)

Table 3.6.3-1 Settings (2/2)

Policy | Setting
Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)
Shutdown: Allow system to be shut down without having to log on | Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Enabled, Prompt for consent on the secure desktop

*1: This setting is for Domain Controllers only.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] > [Security Settings] > [Local Policies] > [Security Options]

Note: On Windows Server 2008 or later, the four setting items beginning with "MSS:" that are set as Security Options do not appear in the Local Group Policy Management Editor. However, you can use the gpresult command to check if they are applied.
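Each Security Option in Table 3.6.3-1 is stored as a registry value, which is also how the "MSS:" items the note mentions can be checked when they do not appear in the editor. The following added example (my code, not the guide's) reads those values and reports each one against the guide's setting. The registry locations and the numeric encodings (for instance `LmCompatibilityLevel` 3 for "Send NTLMv2 response only", `0x20080000` for NTLMv2 session security with 128-bit encryption, `ConsentPromptBehaviorAdmin` 2 for "Prompt for consent on the secure desktop") are my mapping of the policy names, not something the guide states; confirm them with `gpresult` as the note suggests. The `ForceGuest` row covers the "Classic" setting of Table 3.4-1.

```powershell
# Added example (not part of the Yokogawa guide): audit the registry values behind
# the Security Options of Table 3.6.3-1 and the sharing model of Table 3.4-1.
# Paths and expected encodings are my mapping of the policy names.
#Requires -RunAsAdministrator

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$PolSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$SecurityOptionChecks = @(
    @{ Policy = 'Audit: Force audit policy subcategory settings';               Path = $Lsa;    Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
    @{ Policy = 'Devices: Prevent users from installing printer drivers';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Name = 'AddPrinterDrivers'; Expected = 1 }
    @{ Policy = 'Domain member: Require strong session key';                     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RequireStrongKey'; Expected = 1 }
    @{ Policy = 'Interactive logon: Do not display last user name';              Path = $PolSys; Name = 'DontDisplayLastUserName'; Expected = 1 }
    @{ Policy = 'Interactive logon: Do not require CTRL+ALT+DEL';                Path = $PolSys; Name = 'DisableCAD';              Expected = 0 }
    @{ Policy = 'Interactive logon: Prompt user to change password (days)';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'PasswordExpiryWarning'; Expected = 14 }
    @{ Policy = 'Microsoft network Server: Digitally sign (if Client agrees)';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'EnableSecuritySignature'; Expected = 1 }
    @{ Policy = 'MSS: (AutoReboot)';                                             Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name = 'AutoReboot'; Expected = 0 }
    @{ Policy = 'MSS: (DisableIPSourceRouting) highest protection';              Path = $Tcpip;  Name = 'DisableIPSourceRouting';   Expected = 2 }
    @{ Policy = 'MSS: (PerformRouterDiscovery)';                                 Path = $Tcpip;  Name = 'PerformRouterDiscovery';   Expected = 0 }
    @{ Policy = 'MSS: (TcpMaxDataRetransmissions)';                              Path = $Tcpip;  Name = 'TcpMaxDataRetransmissions'; Expected = 3 }
    @{ Policy = 'Network access: No anonymous enumeration of SAM accounts';      Path = $Lsa;    Name = 'RestrictAnonymousSAM';     Expected = 1 }
    @{ Policy = 'Network access: No anonymous enumeration of SAM accounts and shares'; Path = $Lsa; Name = 'RestrictAnonymous';     Expected = 1 }
    @{ Policy = 'Network access: No storage of passwords and credentials';       Path = $Lsa;    Name = 'DisableDomainCreds';       Expected = 1 }
    @{ Policy = 'Network access: Sharing and security model = Classic (Table 3.4-1)'; Path = $Lsa; Name = 'ForceGuest';            Expected = 0 }
    @{ Policy = 'Network security: Allow Local System to use computer identity'; Path = $Lsa;    Name = 'UseMachineId';             Expected = 1 }
    @{ Policy = 'Network security: Allow LocalSystem NULL session fallback';     Path = $Msv;    Name = 'AllowNullSessionFallback'; Expected = 0 }
    @{ Policy = 'Network security: LAN Manager authentication level';            Path = $Lsa;    Name = 'LmCompatibilityLevel';     Expected = 3 }
    @{ Policy = 'Network security: Minimum session security, NTLM SSP Clients';  Path = $Msv;    Name = 'NTLMMinClientSec';         Expected = 0x20080000 }
    @{ Policy = 'Network security: Minimum session security, NTLM SSP Servers';  Path = $Msv;    Name = 'NTLMMinServerSec';         Expected = 0x20080000 }
    @{ Policy = 'Shutdown: Allow shutdown without having to log on';             Path = $PolSys; Name = 'ShutdownWithoutLogon';     Expected = 0 }
    @{ Policy = 'UAC: Admin Approval Mode for the Built-in Administrator';       Path = $PolSys; Name = 'FilterAdministratorToken'; Expected = 1 }
    @{ Policy = 'UAC: Elevation prompt for administrators';                      Path = $PolSys; Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
)

function Test-SecurityOption {
    foreach ($c in $SecurityOptionChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # $null means the value is absent, i.e. the OS default is in effect; that is
        # reported as non-compliant because the default is not necessarily the guide's value
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{ Policy = $c.Policy; Expected = $c.Expected; Actual = $actual
                           Compliant = ($null -ne $actual -and $actual -eq $c.Expected) }
    }
}

Test-SecurityOption | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Only the non-compliant rows are printed in the usage line; drop the `Where-Object` filter to see the full list. The "Display user information when the session is locked" and "Server SPN target name validation" items are intentionally left out because their encodings are less widely documented and a wrong expected value would produce a false finding.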

3.6.4 Software restriction policies

The software restriction policies prevent harmful programs from being executed even if they are copied to a temporary directory. By applying path rules, unverified programs can be prevented from being executed. The following table describes the details of the software restriction policies.

Table 3.6.4-1 Software restriction policies

Policy | Setting
Security Levels | Disallowed
Designated File Types | The following file types are removed: *.lnk, *.mdb
Additional Rules | The software restriction policies prevent the use of programs that are not located on recognized paths. The following paths are recognized:
• %ALLUSERSPROFILE%\Templates
• %ALLUSERSPROFILE%\Microsoft\Windows\Templates
• %ProgramFiles%
• %ProgramFiles(x86)% (*1)
• %ProgramW6432% (*1)
• %ProgramFiles%\YOKOGAWA\iPCS\Platform\Security\PROGRAM
• %ProgramFiles(x86)%\YOKOGAWA\iPCS\Platform\Security\PROGRAM (*1)
• %SystemRoot%
• %localappdata%\Microsoft\OneDrive\*\FileSyncConfig.exe (*2)

*1: Applicable to Windows 7, Windows 10, Windows Server 2012 R2, and Windows Server 2016
*2: Applicable to Windows 10 only

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] > [Security Settings] > [Software Restriction Policies]

3.6.5 Advanced Audit Policy Configuration

Collected account logon conditions and security-related events serve as data for detecting abnormal system conditions at an early stage and tracing the causes of security-related problems. Detailed audit policies can be configured for each setting item.

■ Account Logon

The following table shows the setting.

Table 3.6.5-1 Setting

Policy | Setting
Audit Credential Validation | Both the Success and Failure check boxes are selected.

■ Account Management

The following table shows the setting.

Table 3.6.5-2 Setting

Policy | Setting
Audit Computer Account Management | The Success check box is selected.
Audit Other Account Management Events | Both the Success and Failure check boxes are selected.
Audit Security Group Management | Both the Success and Failure check boxes are selected.
Audit User Account Management | Both the Success and Failure check boxes are selected.

■ Detailed Tracking

The following table shows the setting.

Table 3.6.5-3 Setting

Policy | Setting
Audit Process Creation | The Success check box is selected.
Audit RPC events (*1) | Both the Success and Failure check boxes are cleared.

*1: Performed by Domain Controllers only.

■ DS Access

The following table shows the setting.

Table 3.6.5-4 Setting

Policy | Setting
Audit Directory Service Access | Both the Success and Failure check boxes are selected.
Audit Directory Service Changes | Both the Success and Failure check boxes are selected.

Note: These settings are applicable for Domain Controllers only.

■ Logon/Logoff

The following table shows the setting.

Table 3.6.5-5 Setting

Policy | Setting
Audit Account Lockout | The Success check box is selected.
Audit Logoff | The Success check box is selected.
Audit Logon | Both the Success and Failure check boxes are selected.
Audit Other Logon/Logoff Events | Both the Success and Failure check boxes are selected.
Audit Special Logon | The Success check box is selected.

■ Object Access

The following table shows the setting.

Table 3.6.5-6 Setting

Policy | Setting
Audit Application Generated (*1) | Both the Success and Failure check boxes are selected.
Audit Removable Storage | Both the Success and Failure check boxes are selected.

*1: Applicable to Domain Controllers and File Servers.

■ Policy Change

The following table shows the setting.

Table 3.6.5-7 Setting

Policy | Setting
Audit Policy Change | Both the Success and Failure check boxes are selected.
Audit Authentication Policy Change | Both the Success and Failure check boxes are selected.
Audit Filtering Platform Policy Change | Both the Success and Failure check boxes are selected.
Audit MPSSVC Rule-Level Policy Change | Both the Success and Failure check boxes are selected.
Audit Other Policy Change Events | Both the Success and Failure check boxes are selected.

■ Privilege Use

The following table shows the setting.

Table 3.6.5-8 Setting

Policy | Setting
Audit Sensitive Privilege Use | Both the Success and Failure check boxes are selected.

■ System

The following table shows the setting.

Table 3.6.5-9 Setting

Policy | Setting
Audit Other System Events | Both the Success and Failure check boxes are selected.
Audit Security State Change | Both the Success and Failure check boxes are selected.
Audit Security System Extension | Both the Success and Failure check boxes are selected.
Audit System Integrity | Both the Success and Failure check boxes are selected.
Audit IPsec Driver (*1) | Both the Success and Failure check boxes are selected.

*1: Applicable to Domain Controllers only.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] > [Security Settings] > [Advanced Audit Policy Configuration] > [System Audit Policies - Local Group Policy Object]
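The subcategory settings in Tables 3.6.5-1 to 3.6.5-9 can be applied and read back without the Group Policy editor by using `auditpol.exe`, which is useful on standalone machines and for confirming that a domain GPO has actually landed. The following is an added example (my code, not the guide's). The subcategory names are those `auditpol` uses on English-language Windows; the Domain-Controller-only rows (DS Access, RPC events, Application Generated, IPsec Driver) are left out so that the script can be run as-is on a SCADA Server or Web HMI machine.

```powershell
# Added example (not part of the Yokogawa guide): apply the Advanced Audit Policy
# subcategories of section 3.6.5 with auditpol.exe and verify the effective state.
# Run elevated. DC-only rows of the guide's tables are omitted.
#Requires -RunAsAdministrator

$AuditPolicy = @(
    @{ Sub = 'Credential Validation';            Success = $true; Failure = $true  }   # Table 3.6.5-1
    @{ Sub = 'Computer Account Management';      Success = $true; Failure = $false }   # Table 3.6.5-2
    @{ Sub = 'Other Account Management Events';  Success = $true; Failure = $true  }
    @{ Sub = 'Security Group Management';        Success = $true; Failure = $true  }
    @{ Sub = 'User Account Management';          Success = $true; Failure = $true  }
    @{ Sub = 'Process Creation';                 Success = $true; Failure = $false }   # Table 3.6.5-3
    @{ Sub = 'Account Lockout';                  Success = $true; Failure = $false }   # Table 3.6.5-5
    @{ Sub = 'Logoff';                           Success = $true; Failure = $false }
    @{ Sub = 'Logon';                            Success = $true; Failure = $true  }
    @{ Sub = 'Other Logon/Logoff Events';        Success = $true; Failure = $true  }
    @{ Sub = 'Special Logon';                    Success = $true; Failure = $false }
    @{ Sub = 'Removable Storage';                Success = $true; Failure = $true  }   # Table 3.6.5-6
    @{ Sub = 'Audit Policy Change';              Success = $true; Failure = $true  }   # Table 3.6.5-7
    @{ Sub = 'Authentication Policy Change';     Success = $true; Failure = $true  }
    @{ Sub = 'Filtering Platform Policy Change'; Success = $true; Failure = $true  }
    @{ Sub = 'MPSSVC Rule-Level Policy Change';  Success = $true; Failure = $true  }
    @{ Sub = 'Other Policy Change Events';       Success = $true; Failure = $true  }
    @{ Sub = 'Sensitive Privilege Use';          Success = $true; Failure = $true  }   # Table 3.6.5-8
    @{ Sub = 'Other System Events';              Success = $true; Failure = $true  }   # Table 3.6.5-9
    @{ Sub = 'Security State Change';            Success = $true; Failure = $true  }
    @{ Sub = 'Security System Extension';        Success = $true; Failure = $true  }
    @{ Sub = 'System Integrity';                 Success = $true; Failure = $true  }
)

function Get-InclusionText {
    # auditpol reports the effective state with these exact phrases
    param([bool] $Success, [bool] $Failure)
    if ($Success -and $Failure) { 'Success and Failure' }
    elseif ($Success)           { 'Success' }
    elseif ($Failure)           { 'Failure' }
    else                        { 'No Auditing' }
}

function Set-FastToolsAuditPolicy {
    foreach ($p in $AuditPolicy) {
        $s = if ($p.Success) { 'enable' } else { 'disable' }
        $f = if ($p.Failure) { 'enable' } else { 'disable' }
        auditpol.exe /set "/subcategory:$($p.Sub)" "/success:$s" "/failure:$f" | Out-Null
    }
}

function Test-FastToolsAuditPolicy {
    # /r emits CSV with a "Subcategory" and an "Inclusion Setting" column
    $effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv
    foreach ($p in $AuditPolicy) {
        $row  = $effective | Where-Object { $_.Subcategory -eq $p.Sub } | Select-Object -First 1
        $want = Get-InclusionText -Success $p.Success -Failure $p.Failure
        [pscustomobject]@{ Subcategory = $p.Sub; Expected = $want; Actual = $row.'Inclusion Setting'
                           Compliant = ($row.'Inclusion Setting' -eq $want) }
    }
}

Set-FastToolsAuditPolicy
Test-FastToolsAuditPolicy | Format-Table -AutoSize
```

Because the guide's "Audit: Force audit policy subcategory settings ... to override audit policy category settings" option is Enabled (Table 3.6.3-1), these subcategory settings are the ones that take effect, not the legacy category-level audit settings.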

3.6.6 Administrative Templates

This section describes the administrative template settings that are defined to strengthen IT security.

■ Personalization (Control Panel)

The following table shows the setting.

Table 3.6.6-1 Setting

Policy | Setting
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Control Panel] > [Personalization]

■ WLAN Settings (Network)

The following table shows the setting.

Table 3.6.6-2 Setting

Policy | Setting
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Network] > [WLAN Services] > [WLAN Settings]

■ Audit Process Creation (System)

The following table shows the setting.

Table 3.6.6-3 Setting

Policy | Setting
Include command line in process creation events | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Audit Process Creation]

Note: If this option is enabled, the command line information of each process will be recorded to the security event log in text format as part of the Audit Process Creation event 4688, “A new process has been created.” For example, if you set a password by using the CreateFASTTOOLSProcess tool, the password specified as an argument is recorded in the event log.
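The note above describes a real data-leak path: with the policy enabled, any secret passed on a command line (the guide's example is a password given to CreateFASTTOOLSProcess) ends up in the Security log as part of event 4688, where it is readable by anyone with log access and is shipped wherever the log is forwarded. The following added example (my code, not the guide's) checks the registry switch behind the policy and scans recent 4688 events for entries that still carry a command line, for instance from before the policy was set, reporting only the process name and the argument length so that the scan itself does not re-expose anything. The registry location is my mapping of the policy name.

```powershell
# Added example (not part of the Yokogawa guide): confirm that process creation
# events do not record command lines, and find any 4688 events that still do.
# Run elevated (reading the Security log requires it).
#Requires -RunAsAdministrator

function Get-ProcessCreationCmdLineState {
    # Registry value behind "Include command line in process creation events"
    # (my mapping of the policy). Absent or 0 means the policy is not enabled,
    # which is the state the guide prescribes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $v = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    [bool]($v -and $v.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Find-LoggedCommandLine {
    # Scan the most recent 4688 events and report the ones whose CommandLine field is populated.
    param([int] $MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the event XML and pick fields by name rather than by position,
        # so the check does not break if the field order differs between builds
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not [string]::IsNullOrEmpty($data['CommandLine'])) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                Process       = $data['NewProcessName']
                # Length only: the point is to detect exposure, not to reprint it
                CmdLineLength = $data['CommandLine'].Length
            }
        }
    }
}

if (Get-ProcessCreationCmdLineState) {
    Write-Warning 'Command-line logging for event 4688 is ENABLED; process arguments are being written to the Security log'
} else {
    Write-Output 'Command-line logging for event 4688 is disabled (section 3.6.6 setting in effect)'
}
Find-LoggedCommandLine | Format-Table -AutoSize
```

If the scan finds populated entries, treat any secret that was passed on a command line during that period as exposed and rotate it; clearing the log alone does not help if events were already forwarded to a collector.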

■ Group Policy (System)

The following table shows the setting.

Table 3.6.6-4 Setting

Policy | Setting
Configure registry policy processing | Enabled; the "Process even if the Group Policy objects have not changed" check box is selected.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Group Policy]

■ Internet Communication Management (System)

The following table shows the setting.

Table 3.6.6-5 Setting

Policy | Setting
Turn off access to the Store | Enabled
Turn off downloading of print drivers over HTTP | Enabled
Turn off Event Viewer "Events.asp" links | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled
Turn off printing over HTTP | Enabled
Turn off Search Companion content file updates | Enabled
Turn off the "Publish to Web" task for files and folders | Enabled
Turn off the Windows Customer Experience Improvement Program | Enabled
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Internet Communication Management] > [Internet Communication Settings]

■ Logon (System)

The following table shows the setting.

Table 3.6.6-6 Setting

Policy | Setting
Do not display network selection UI | Enabled
Do not enumerate connected users on domain joined computers | Enabled
Enumerate local users on domain-joined computers | Disabled
Turn off app notifications on the lock screen | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Logon]

■ Mitigation Options (System)

The following table shows the setting.

Table 3.6.6-7 Setting

Policy | Setting
Untrusted Font Blocking | Enabled, Block untrusted fonts and log events

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Mitigation Options]

Note: If this setting is enabled, fonts that are not installed in %Windir%\Font (typically, C:\Windows\Font) cannot be used. In that case, install the fonts to be used in the above folder. You can install fonts by right-clicking the font and selecting [Install].

■ Power Management (System)

The following table shows the setting.

Table 3.6.6-8 Setting

Policy | Setting
Turn Off the Display (On Battery) | Enabled, 0
Turn Off the Display (Plugged In) | Enabled, 0

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Power Management] > [Video and Display Settings]

■ Remote Procedure Call (System)

The following table shows the setting.

Table 3.6.6-9 Setting

Policy | Setting
Enable RPC Endpoint Mapper Client Authentication | Not configured

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Remote Procedure Call]

■ User Profile (System)

The following table shows the setting.

Table 3.6.6-10 Setting

Policy | Setting
Turn off the advertising ID | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [User Profiles]

■ App Privacy (Windows Component)

The following table shows the setting.

Table 3.6.6-11 Setting

Policy | Setting
Let Windows apps access account information | Enabled, Force Deny
Let Windows apps access call history | Enabled, Force Deny
Let Windows apps access contacts | Enabled, Force Deny
Let Windows apps access email | Enabled, Force Deny
Let Windows apps access location | Enabled, Force Deny
Let Windows apps access messaging | Enabled, Force Deny
Let Windows apps access motion | Enabled, Force Deny
Let Windows apps access the calendar | Enabled, Force Deny
Let Windows apps access the camera | Enabled, Force Deny
Let Windows apps access the microphone | Enabled, Force Deny
Let Windows apps access trusted devices | Enabled, Force Deny
Let Windows apps control radios | Enabled, Force Deny
Let Windows apps sync with devices | Enabled, Force Deny

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components]

■ App Runtime (Windows Component)

The following table shows the setting.

Table 3.6.6-12 Setting

Policy | Setting
Block launching Windows Store apps with Windows Runtime API access from hosted content | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [App runtime]

Note: This policy prevents Windows Store applications from being launched directly from Web content through the Windows Runtime API.

■ AutoPlay Policies (Windows Component)

These policies prevent automatic execution of programs from external media. This setting is effective as a measure against viruses that infect computers through USB memory devices (USB worms). The following table shows the setting.

Table 3.6.6-13 Setting

Policy | Setting
Turn off Autoplay | Enabled, All drives
Disallow Autoplay for non-volume devices | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Cloud Content]

■ Cloud Content (Windows Component)

The following table shows the setting.

Table 3.6.6-14 Setting

Policy | Setting
Do not show Windows tips | Enabled
Turn off Microsoft consumer experiences | Enabled

■ Data Collection and Preview Builds (Windows Component)

The following table shows the setting.

Table 3.6.6-15 Setting

Policy | Setting
Allow Telemetry | Enabled, 0 - Security [Enterprise Only]
Disable pre-release features or settings | Disabled
Do not show feedback notifications | Enabled
Toggle user control over Insider builds | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Data Collection and Preview Builds]

Note: If this setting is enabled, Windows authentication dialog boxes appear only after you press [Ctrl] + [Alt] + [Del] on the keyboard.

■ Event Log Service (Windows Component)

The following table shows the setting.

Table 3.6.6-16 Setting

Policy | Setting
Specify the maximum log file size (KB) | Enabled, 32768 KB

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Event Log Service] > [Application], [Security], and [System] (the setting is applied under each of the three logs)

■ File Explorer (Windows Component)

The following table shows the setting.

Table 3.6.6-17 Setting

Policy | Setting
Turn off heap termination on corruption | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [File Explorer]

■ HomeGroup (Windows Component)

The following table shows the setting.

Table 3.6.6-18 Setting

Policy | Setting
Prevent the computer from joining a homegroup | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Home Group]

■ OneDrive (Windows Component)

The following table shows the setting.

Table 3.6.6-19 Setting

Policy | Setting
Prevent the usage of OneDrive for file storage | Enabled
Save documents to OneDrive by default (Save documents to the local PC by default) | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [OneDrive / SkyDrive]

■ Remote Desktop Service (Windows Component)

The following table shows the settings.

Table 3.6.6-20 Settings

Policy | Setting
[Remote Desktop Connection Client] \ Do not allow passwords to be saved | Enabled
[Remote Desktop Session Host] \ [Device and Resource Redirection] \ Do not allow drive redirection | Enabled
[Remote Desktop Session Host] \ [Security] \ Require secure RPC communication | Enabled
[Remote Desktop Session Host] \ [Security] \ Require user authentication for remote connections by using Network Level Authentication | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Remote Desktop Service]

■ Search (Windows Component)

The following table shows the setting.

Table 3.6.6-21 Setting

Policy | Setting
Allow Cortana | Disabled
Don't search the web or display web results in Search | Enabled
Don't search the web or display web results in Search over metered connections | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Search]

■ Software Protection Platform (Windows Component)

The following table shows the setting.

Table 3.6.6-22 Setting

Policy | Setting
Turn off KMS Client Online AVS Validation | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Software Protection Platform]

■ Store (Windows Component)

The following table shows the setting.

Table 3.6.6-23 Setting

Policy | Setting
Turn off Automatic Download of updates on Win8 machines | Enabled
Turn off Automatic Download and Install of updates | Enabled
Turn off the offer to update to the latest version of Windows | Enabled
Turn off the Store application | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Store]

■ Sync Your Settings (Windows Component)

The following table shows the setting.

Table 3.6.6-24 Setting

Policy | Setting
Do not sync Apps | Enabled
Do not sync start settings | Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Sync your settings] > [Sync your settings]

Windows Defender (Windows Component)
The following table shows the setting.

Table 3.6.6-25 Setting (Policy: Setting)
• Turn off Windows Defender: Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Windows Defender]

Windows Error Reporting (Windows Component)
The following table shows the setting.

Table 3.6.6-26 Setting (Policy: Setting)
• Automatically send memory dumps for OS-generated error reports: Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Windows Error Reporting]


Windows Logon Options (Windows Component)
The following table shows the setting.

Table 3.6.6-27 Setting (Policy: Setting)
• Sign-in last interactive user automatically after a system-initiated restart: Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Windows Logon Options] > [Windows Logon Options]

User Configuration
The following table shows the setting for the Taskbar menu.

Table 3.6.6-28 Setting (Policy: Setting)
• Turn off toast notifications on the lock screen: Enabled

Setup location: [User Configuration] > [Administrative Templates] > [Start Menu and Taskbar] > [Notifications]

Windows Update Delivery Optimization
The Windows Update Delivery Optimization feature enables you to download Windows update programs or Windows Store applications not only from a Microsoft server but also from other computers on the same network. To strengthen IT security, it is recommended to disable downloading programs and applications from other computers. The following table shows the setting.

Table 3.6.6-29 Setting (Policy: Setting)
• Download Mode: Enabled (HTTP only)

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [Windows Components] > [Delivery Optimization]
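As an added example, not part of this guide or of the IT Security Tool, the following PowerShell script reads the registry values that back the policies in Tables 3.6.6-20 to 3.6.6-29 and reports any value that differs from the setting the guide specifies. The registry paths and value names are an assumption taken from the Windows ADMX templates for these policies; confirm them against the ADMX files of your Windows version before relying on the result.

```powershell
# Added example, not part of the Yokogawa guide: audit the registry values behind the
# policies in Tables 3.6.6-20 to 3.6.6-29 and flag values that differ from the guide.
# Assumption: the paths and value names below are the backing values documented in the
# Windows ADMX templates for these policies; confirm them against your ADMX files.
# The lock-screen toast policy is a User Configuration setting, so it is read from the
# current user's hive (HKCU). Run in an elevated PowerShell after the IT Security Tool
# has been applied and the computer restarted; unwritten policies show as <not set>.

$Rds   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$Store = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

$Checks = @(
    # Table 3.6.6-20: Remote Desktop Services (all Enabled)
    @{ Table='3.6.6-20'; Policy='Do not allow passwords to be saved'; Path=$Rds; Name='DisablePasswordSaving'; Expected=1 }
    @{ Table='3.6.6-20'; Policy='Do not allow drive redirection';     Path=$Rds; Name='fDisableCdm';           Expected=1 }
    @{ Table='3.6.6-20'; Policy='Require secure RPC communication';   Path=$Rds; Name='fEncryptRPCTraffic';    Expected=1 }
    @{ Table='3.6.6-20'; Policy='Require user authentication (NLA)';  Path=$Rds; Name='UserAuthentication';    Expected=1 }
    # Table 3.6.6-21: Search (Allow Cortana Disabled, web search policies Enabled)
    @{ Table='3.6.6-21'; Policy='Allow Cortana';                               Path="$Pol\Windows Search"; Name='AllowCortana';          Expected=0 }
    @{ Table='3.6.6-21'; Policy="Don't search the web in Search";              Path="$Pol\Windows Search"; Name='ConnectedSearchUseWeb'; Expected=0 }
    @{ Table='3.6.6-21'; Policy="Don't search the web over metered connections"; Path="$Pol\Windows Search"; Name='ConnectedSearchUseWebOverMeteredConnections'; Expected=0 }
    # Table 3.6.6-22: Software Protection Platform
    @{ Table='3.6.6-22'; Policy='Turn off KMS Client Online AVS Validation'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'; Name='NoGenTicket'; Expected=1 }
    # Table 3.6.6-23: Store
    @{ Table='3.6.6-23'; Policy='Turn off Automatic Download and Install of updates'; Path=$Store; Name='AutoDownload';       Expected=2 }
    @{ Table='3.6.6-23'; Policy='Turn off the offer to update to the latest Windows'; Path=$Store; Name='DisableOSUpgrade';   Expected=1 }
    @{ Table='3.6.6-23'; Policy='Turn off the Store application';                    Path=$Store; Name='RemoveWindowsStore'; Expected=1 }
    # Table 3.6.6-24: Sync your settings
    @{ Table='3.6.6-24'; Policy='Do not sync Apps';           Path="$Pol\SettingSync"; Name='DisableApplicationSettingSync'; Expected=2 }
    @{ Table='3.6.6-24'; Policy='Do not sync start settings'; Path="$Pol\SettingSync"; Name='DisableStartLayoutSettingSync'; Expected=2 }
    # Table 3.6.6-25: Windows Defender
    @{ Table='3.6.6-25'; Policy='Turn off Windows Defender'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name='DisableAntiSpyware'; Expected=1 }
    # Table 3.6.6-26: Windows Error Reporting (Disabled)
    @{ Table='3.6.6-26'; Policy='Automatically send memory dumps for OS-generated error reports'; Path="$Pol\Windows Error Reporting"; Name='AutoApproveOSDumps'; Expected=0 }
    # Table 3.6.6-27: Windows Logon Options (Disabled)
    @{ Table='3.6.6-27'; Policy='Sign-in last interactive user automatically after a system-initiated restart'; Path="$Pol\System"; Name='DisableAutomaticRestartSignOn'; Expected=1 }
    # Table 3.6.6-28: User Configuration, read from the current user's hive
    @{ Table='3.6.6-28'; Policy='Turn off toast notifications on the lock screen'; Path='HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'; Name='NoToastApplicationNotificationOnLockScreen'; Expected=1 }
    # Table 3.6.6-29: Delivery Optimization, Download Mode "HTTP only"
    @{ Table='3.6.6-29'; Policy='Download Mode (HTTP only)'; Path="$Pol\DeliveryOptimization"; Name='DODownloadMode'; Expected=0 }
)

function Test-PolicyValue {
    # Compares one registry-backed policy value with the value the guide expects.
    param([hashtable]$Check)
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($Check.Name) }
    if ($null -eq $actual)                  { $status = 'NOT SET';   $shown = '<not set>' }
    elseif ($actual -eq $Check.Expected)    { $status = 'OK';        $shown = $actual }
    else                                    { $status = 'DEVIATION'; $shown = $actual }
    [pscustomobject]@{
        Table    = $Check.Table
        Policy   = $Check.Policy
        Expected = $Check.Expected
        Actual   = $shown
        Status   = $status
    }
}

$results = foreach ($c in $Checks) { Test-PolicyValue -Check $c }
$results | Format-Table -AutoSize

# Non-zero exit code lets the audit run from a scheduled task or a compliance job
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} policy values do not match the guide" -f $bad.Count, $results.Count)
    exit 1
}
```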

4. Precautions on operations
This section describes the precautions to observe when you apply security settings.

4.1 When running FAST/TOOLS Server
The FAST/TOOLS Server can be started only by using a dedicated user account (FTS_PROCESS). If you want to run the Server by using another user account, add the user account to the Administrators user group. After the IT Security Tool is applied, add the user account to one of the following user groups:
• FTS_MAINTENANCE
• FTS_ENGINEER
• FTS_OPC

4.2 When running the FAST/TOOLS OPC Server
The FAST/TOOLS OPC Server can be started only by using a dedicated user account (FTS_PROCESS). If you want to run the Server by using another user account, add the user account to the user group that has the permission to run the Server. After the IT Security Tool is applied, add the user account to one of the following user groups:
• FTS_MAINTENANCE
• FTS_ENGINEER
• FTS_OPC

4.3 When disabling NetBIOS over TCP/IP
NetBIOS over TCP/IP can be disabled by using the IT Security Tool. If the Domain management type or Combination management type for user management is selected, NetBIOS over TCP/IP is disabled by default. If NetBIOS over TCP/IP is disabled, the OPC Server node is not displayed automatically. To specify the connection destination Server node, you must manually enter the host address of the OPC Server to which you want to connect.

4.4 When setting the display language
When setting the display language on your computer, ensure that the same language is specified for "Display language" and "Format". Otherwise, the displayed texts may contain different languages.

4.5 When changing the display language
If you run the IT Security Tool after changing the language settings to or from Japanese, a warning message may appear. If the following warning message appears, check the settings of each item and reconfigure as necessary.

Figure 4.5-1 Select Setting Item dialog box (English)

Figure 4.5-2 Select Setting Item dialog box (Japanese)

4.6 When using Remote Desktop Connection (RDC)
After applying IT security settings, Remote Desktop Connection (RDC) to the FAST/TOOLS Server may fail. This failure occurs when the operating system patch versions applied to the FAST/TOOLS Server and to the Remote Desktop Client differ. To resolve this issue, apply the latest patch versions on both computers.

4.7 When using the Start menu on Windows 10 and Windows Server 2016
When a user who does not have permission to access the FAST/TOOLS programs expands the FAST/TOOLS folder from the Start menu, the program icons are not displayed. Even after the user is granted access to the FAST/TOOLS programs, the program icons may still not be displayed. In such cases, follow these steps to restore the program icons on the Start menu:
1. From the Start menu, right-click [Command Prompt] and select [Run as Administrator]. The Command Prompt window appears.
2. Navigate to the folder whose icons you want to restore.

Table 4.7-1 Start menu folders (Product: Folder)
• FAST/TOOLS Server: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FAST TOOL
• FAST/TOOLS Remote Connect: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FAST TOOL Remote Connect
3. Run the following command:
>COPY /B * +,,
The current directory for accessing the Start menu is updated and the program icons in the related folders are displayed.
4. Repeat steps 1-3 to restore the icons for YOKOGAWA Security, YOKOGAWA Redundancy, and other folders as necessary.

5. Working with the IT Security Tool
The IT Security Tool is a security configuration tool developed for YOKOGAWA system products. You must use this tool to implement security measures on computers installed with the product. By using the IT Security Tool, you can protect computers from security threats by selecting security models and user management types. The tool automatically applies the security settings on the computers based on your selection. The following table describes the IT Security Tool functions.

Table 5-1 IT Security Tool functions (Function: Description)
• Setup: Configures security settings, such as the security model and user management type
• Save: Saves the security settings of the local computer
• Restore: Restores the saved security settings to a computer
• Change Password (Encryption Key): Changes the password of a saved security setting file
• Import or Export: Imports and exports the saved security setting file
• Information: Displays the summary of the configured security settings

Note: The default display of the IT Security Tool differs depending on whether the tool is used during a new installation or an upgrade.

Supported security configuration types
The IT Security Tool supports the following security configuration types:
• Standard model - Standalone management
• Standard model - Domain management
• Standard model - Combination management

5.1 Configuring IT security settings
You can configure security settings as the last step of installing the product software, or at any time after installation.
Note: If multiple YOKOGAWA products are installed on the same computer, you can apply only the IT security version that is supported by all products.

Follow these steps to configure IT security settings:
1. Start the IT Security Tool from the product installer or the Start menu.
Start menu location: [YOKOGAWA Security] > [IT Security Tool]
If you started the tool from the product installer, skip the next step. Otherwise, proceed to the next step.
Note: If the User Account Control dialog box appears, asking if you want to allow the program to run, click [Yes].

2. Click [Setup]. The IT Security Settings page appears.


Figure 5.1-1 IT Security Settings page

Note: If IT security is already applied, the previously applied settings are selected by default.

3. In the Select user management section, select a user management type.
Note: If you are logged on to a computer that is not a member of a domain and you selected [Domain Management] or [Combination Management], a message box appears, indicating that your selection is not valid because you are using a standalone computer.
4. If you want to view or modify the detailed settings, perform these steps:
a. Click [Details]. The Select Setting Items page appears, listing the security setting items. Default setting items appear in gray rows, and their check boxes cannot be cleared.
b. Select the check boxes next to the setting items that you want to apply, and clear the check boxes of the setting items that you want to remove.
Note: You can click [Recommend] to restore the default selection of setting items.

c. Click [Next]. The Confirm Setting Information page appears, enabling you to review your selections.
Note:
• If you made any changes to the selection of setting items, a dialog box appears, indicating the change and asking if you want to continue. Click [Yes] to continue or [No] to return to the Select Setting Items page.
• We recommend that you use the default selection of setting items.
5. Click [Next] to apply the security settings. The Applying Security Settings page appears, indicating the progress of the configuration process. After the process is complete, the Setup Completed page appears.
Note: If the Program Compatibility Assistant dialog box appears, click [Cancel].

6. Click [Finish].
7. Restart the computer for the settings to take effect.


Running the IT Security Tool from the installation media
This section describes how to run the IT Security Tool for Mobile Client/Domain Controller. Follow these steps to run the IT Security Tool from the installation media:
1. Log on as a user with administrative rights.
2. If you want to run the IT Security Tool for Mobile Client and Domain Controller, perform these steps:
a. Create the FTS_MAINTENANCE group manually.
b. Add the logged-on user account to FTS_MAINTENANCE.
c. Log off and log on again.
3. Insert the FAST/TOOLS installation media into the DVD drive.
4. Navigate to the following folder: :\Windows\FASTTOOLS
5. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe]. For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
6. In the dialog box that appears, select one of the following options as necessary:
• FAST/TOOLS and IT Security Tool: select this option to install FAST/TOOLS Server and run the IT Security Tool
• IT Security for multi-product environment: select this option to run the IT Security Tool for FAST/TOOLS Remote Connect
• Apply IT Security only: select this option to run the IT Security Tool for Mobile Client and Domain Controller

SEE ALSO
For more information about the options for running the IT Security Tool, refer to: Appendix 2.5, "Options for running the IT Security Tool" on page App.2-7

5.2 Saving IT security settings
You can save the IT security settings of a local computer by using the IT Security Tool. The saved IT security settings can be restored on the local computer by using the Restore function of the IT Security Tool. Follow these steps to save the current IT security settings:
1. Start the IT Security Tool from the Start menu.
2. Click [Save]. The Specify destination page appears.
3. Click the [...] button next to the Destination box, and navigate to the folder where you want to save the file. The Save As window appears.
4. In the File name box, enter a file name.
5. Click [Save].
6. In the Distinguished Name box, type a name for the file.
7. In the Support Product box, type a description of the YOKOGAWA system products.
8. From the Support OS list, select one or more operating systems.
Note: In the Support Product box and Support OS list, you can provide any information about the security settings that you are saving. This information is for your own reference.

9. In the File Version box, type a version for the file.
10. Click [Next]. The Type default account password page appears.
11. Type the default account password that you want to set for the Windows user accounts on the computer.
Note: The default account password serves as the initial password for all restored Windows user accounts. Because it is an initial password only, you will be asked to change it at the next logon. If a Windows user account already exists on the computer where the security settings are restored, its existing password is used and the default account password is disregarded. The default account password must meet the password policy of your organization.

12. Click [Next]. The Type password (Encryption Key) page appears.
13. In the Type password (Encryption Key) and Retype password (Encryption Key) boxes, type a password for the file.
Note:
• The Encryption Key is the password for the security setting file. You need to provide the correct Encryption Key to restore the saved security settings on a computer.
• The Encryption Key must meet the following criteria:
• It must be more than one character long.
• It can consist of alphanumeric characters and these characters: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /
• It cannot consist of full-width characters.

14. Click [Next]. The Saving Security Settings page appears, displaying the progress of the save process. After the process is complete, the Save completed page appears and the HED and CSF files are created.
Note: The security settings are saved in HED and CSF file formats. These two files must always be kept in the same location, and they must always have the same file name.

5.3 Restoring IT security settings
You can restore the saved security settings on a computer by using the IT Security Tool.

IMPORTANT
• Ensure that the computer on which you are restoring the security settings has the same configuration as the computer on which you saved the security settings.
• Before you restore the security settings, you must perform the following actions:
• Install the same product version and packages.
• If the product coexisted with other YOKOGAWA system products on the computer where you saved the security settings, install the same versions and packages of these system products.
• If you want to restore the Standard model with Domain or Combination management, connect the computer to the domain.
• Set the same security model and user management type by using the IT Security Tool.
• Obtain the default account password and Encryption Key.
• Store the pair of HED and CSF files in the same location. These files store the security setting configuration and they must always have the same file name.

Follow these steps to restore the saved IT security settings:
1. Start the IT Security Tool from the Start menu.
2. Click [Restore]. The Select Security Setting File page appears.
3. At the right of the Setting File box, click the [...] button. The Select File window appears.
4. Navigate to the folder in which the HED file that you want to restore is saved and select the HED file.
5. Click [Open].
6. In the dialog box that appears, type the Encryption Key.
7. Click [OK]. The file loads and its properties appear in the Description of Setting File pane.
8. Click [Next]. The Confirm Setting Information page appears, indicating the security settings that are included in the file.
9. Review the security settings and click [Next]. The Applying Security Settings page appears, displaying the progress of the restore process. After the process is complete, the Setup Completed page appears.
10. Click [Finish].
11. Restart the computer for the settings to take effect.
After restoring the security settings, the Windows user accounts that are saved in the security settings file are created if they do not exist. Upon initial logon by using any of these Windows user accounts, you need to use the default account password and replace it with a new password. However, if these Windows user accounts already exist, their existing passwords are used.

5.4 Changing the security setting file password (Encryption Key)
An Encryption Key protects the use of the security settings which are saved in HED and CSF file formats. These files must always be in the same location. You can change the password (Encryption Key) for security setting files used by the IT Security Tool. Follow these steps to change the Encryption Key:
1. Start the IT Security Tool from the Start menu.
2. Click [Change Password (Encryption Key)]. The Specify backup file of security page appears.
3. On the Apply Changes to pane, select one of the following options:
• [Single File] to change the Encryption Key for one security setting file
• [Multiple File] to change the Encryption Key for multiple security setting files
4. Next to the Source box, click the [...] button.
5. Perform one of the following steps, depending on the number of files that you want to change:
• For a single file: in the Open dialog box that appears, navigate to the location of the HED file, and then select [Open].
• For multiple files: in the Browse For Folder dialog box that appears, navigate to the folder where the HED files are saved, select the folder, and then click [OK].
6. Next to the Destination box, click the [...] button. The Browse For Folder dialog box appears.
7. Navigate to the folder where you want to save the changed HED files, select the folder, and then click [OK].
8. Click [Next]. The Change Password (Encryption Key) page appears.
9. In the Type old password (Encryption Key) box, type the current Encryption Key.
10. In the Type new password (Encryption Key) and Retype new password (Encryption Key) boxes, type the new Encryption Key.
11. Click [Next].
12. Click [Finish].

5.5 Exporting and importing the IT security setting file
The IT Security Tool saves the currently applied security settings in the IT security setting file. You can export and import this file to apply the selection state of the IT security settings on a different operating system version.
Note: The settings are dependent on the operating system. Therefore, the settings cannot be restored on a different operating system version by using the "Restore" function of the IT Security Tool. You must use the "Import or Export" function if you want to apply the same settings on a different operating system version.

Exporting the IT security setting file
Follow these steps to export the IT security setting file:
1. Start the IT Security Tool from the Start menu.
2. Click [Import or Export]. The Export or Import the Selection State of Setting Items dialog box appears.
3. Select [Export]. The following default export destination file name appears automatically in the text box for the file name entry: :\ProgramData\Yokogawa\IA\iPCS\Platform\Security\Config\DisplaySelectInfo.xml
4. Leave the default file name as is, or change it as necessary.
5. Click [Execute]. The IT Security Tool starts exporting the IT security setting file. If you specify an existing file, it will be overwritten. The following information is written to the specified file:
• Security model
• User management type
• IT security version
• State of the check box selections made in the Select Setting Items page of the tool

Importing the IT security setting file
Follow these steps to import the IT security setting file:
1. Start the IT Security Tool from the Start menu.
2. Click [Import or Export]. The Export or Import the Selection State of Setting Items dialog box appears.
3. Select [Import].
4. Specify the IT security setting file that you want to import.
5. Click [Execute].
6. In the IT Security Tool dialog box, click [Setup]. The imported IT security settings are applied.
Note: Alternatively, you can import the selection state of IT security settings by clicking [Setup] in the IT Security Tool dialog box, and then clicking [Import] on the IT Security Settings page.

5.6 Viewing the summary of IT security settings
You can view the basic information related to IT security settings by using the IT Security Tool. Follow these steps to view the summary of IT security settings:
1. Start the IT Security Tool from the Start menu.
2. Click [Information]. The Current setting information dialog box appears, displaying the basic information about the currently applied IT security settings in the following categories:
• IT Security Tool information: displays the version, copyright, and issuer of the IT Security Tool
• Basic information: displays the security model, user management type, and IT security version set by the IT Security Tool
• Security setting conditions: displays the status of IT security settings for all YOKOGAWA products that are installed on the computer, under the following categories:
• IT security setting completed: displays the products for which IT security settings are applied
• Install completed: displays the products for which IT security settings are not applied

5.7 Reapplying IT security settings
This section describes how to reapply the IT security settings.
Note: You need not restore the IT security settings to their initial status before reapplying the IT security settings.
5.7.1 For FAST/TOOLS Server and Remote Connect
Follow these steps to reapply IT security settings for FAST/TOOLS Server and Remote Connect:
1. From the Start menu, select [YOKOGAWA Security] > [IT Security Tool].
2. Click [Setup].
3. Apply the IT security settings as necessary.

5.7.2 For Mobile Client and Domain Controller
You can reapply the IT security settings in either of the following scenarios:
• When the target components selected in the IT security settings remain the same
• When the target components selected in the IT security settings are different

When the target components selected in the IT security settings remain the same
Follow these steps to reapply the IT security settings when the target components selected in the IT security settings remain the same:
1. Log on as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive.
3. Navigate to the following folder: :\Windows\FASTTOOLS
4. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe]. For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
5. In the window that appears, select [Apply IT Security only]. The IT Security Settings page appears.
6. Apply the IT security settings as necessary.

When the target components selected in the IT security settings are different
Follow these steps to reapply the IT security settings when the target components selected in the IT security settings are different:
1. Log on as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive.
3. From the Start menu, right-click [Command Prompt] and select [Run as Administrator]. The Command Prompt window appears.
4. Run [PrepareReconstruction.cmd], which is available in the following folder: :\Windows\FASTTOOLS\ITSecurity
Note: If software restriction policies are set, run the IT Security Tool as an Administrator.


5. Navigate to the following folder: :\Windows\FASTTOOLS
6. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe]. For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
7. In the window that appears, select [Apply IT Security only]. The IT Security Settings page appears.
8. Apply the IT security settings as necessary.

5.8 Changing the FAST/TOOLS user account
This section describes how to change the FAST/TOOLS user account in the following scenarios:
• When IT security settings are not applied
• When IT security settings are applied in the standalone environment
• When IT security settings are applied in the domain or combination environment
Note: By default, FTS_PROCESS is configured as the user account for running the FAST/TOOLS Service and the FAST/TOOLS OPC Server.

When IT security settings are not applied
Follow these steps to change the FAST/TOOLS user account in an environment where IT security settings are not applied:
1. Create a user account. The user account can be a local user account or a domain user account.
2. Assign the created user account to the Administrators group on the computer on which FAST/TOOLS is installed.
3. When a dual-redundant platform is used, assign the created user account to the RDC_GA_CLIENT group on the computer on which FAST/TOOLS is installed.
4. Set the created user account as the user account for running the FAST/TOOLS Service by performing these steps:
a. In the Control Panel, select [Administrative Tools] > [Services].
b. Right-click [FAST/TOOLS Service] and select [Properties].
c. In the dialog box that appears, click the [Log On] tab.
d. Click [Browse] to select the created user account and set the password as necessary.
e. Click [OK].
5. Set the created user account as the user account for running the FAST/TOOLS OPC Server by performing these steps:
a. In the Control Panel, select [Component Services]. The Component Services window appears.
b. In the navigation pane, select [Component Services] > [Computers] > [My Computer] > [DCOM Config].
c. Right-click [FAST/TOOLS OPC AE Server] and select [Properties].
d. In the dialog box that appears, click the [Log On] tab.
e. Click [Browse] to select the created user account and set the password as necessary.
f. Click [OK].
g. Repeat steps c. to f. for [FAST/TOOLS OPC DA Server].
Note:
• When IT security settings are applied in the standalone environment, assign the created user account to the local FTS_OPC user group on the computer where FAST/TOOLS is installed.
• When IT security settings are applied in the domain or combination environment, assign the created user account to the FTS_OPC user group of the domain on the Domain Controller. If a local user account must be used, assign the created user account to the local FTS_OPC_LCL user group.
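As an added example, not part of this guide or of the IT Security Tool, the following PowerShell script reports the account under which the FAST/TOOLS Service and the FAST/TOOLS OPC AE/DA servers actually run, and checks whether that account is in the user groups Sections 4.1, 4.2 and 5.8 call for. Service display names, DCOM application names and group names are taken from the guide; the DCOM lookup assumes, as DCOM Config does, that each application appears under the default value of its HKLM:\SOFTWARE\Classes\AppID key.

```powershell
# Added example, not part of the Yokogawa guide: report the account that runs the
# FAST/TOOLS Service and the FAST/TOOLS OPC AE/DA servers, and check that it belongs
# to the user groups Sections 4.1, 4.2 and 5.8 require. Display names, DCOM application
# names and group names come from the guide. Assumption: a DCOM application is found by
# the default value of its HKLM:\SOFTWARE\Classes\AppID\{...} key, which is the name
# DCOM Config displays. Run in an elevated PowerShell 5.1 or later on the FAST/TOOLS host.

param(
    # 'none' = IT security not applied (Section 5.8, first case);
    # 'standalone' or 'domain' = IT security applied with that user management type
    [ValidateSet('none', 'standalone', 'domain')]
    [string]$Environment = 'standalone'
)

# Groups the guide expects the service account to be in, per environment
$RequiredGroups = @{
    none       = @('Administrators')                             # Section 5.8, step 2
    standalone = @('FTS_MAINTENANCE', 'FTS_ENGINEER', 'FTS_OPC') # Sections 4.1, 4.2, 5.8 note
    domain     = @('FTS_OPC_LCL')                                 # local account in domain/combination
}

function Get-ServiceLogonAccount {
    # Logon account of a Windows service, looked up by its display name
    param([string]$DisplayName)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
    if ($svc) { return $svc.StartName }   # e.g. .\FTS_PROCESS or DOMAIN\FTS_PROCESS
    return $null
}

function Get-DcomRunAsAccount {
    # RunAs identity of a DCOM application, looked up by its DCOM Config display name.
    # No RunAs value, or "Interactive User", means no fixed service account is set.
    param([string]$DisplayName)
    $appIds = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue
    foreach ($key in $appIds) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.'(default)' -eq $DisplayName) {
            if ($props.RunAs -and $props.RunAs -ne 'Interactive User') { return $props.RunAs }
            return '<launching or interactive user>'
        }
    }
    return $null   # application is not registered on this computer
}

function Resolve-AccountName {
    # Normalise ".\user" and bare "user" to "COMPUTERNAME\user", the form that
    # Get-LocalGroupMember reports in its Name column
    param([string]$Account)
    if ($Account -match '^\.\\(.+)$') { return "$env:COMPUTERNAME\$($Matches[1])" }
    if ($Account -notmatch '\\')      { return "$env:COMPUTERNAME\$Account" }
    return $Account
}

function Test-LocalGroupMember {
    param([string]$Account, [string]$Group)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    if (-not $members) { return $false }   # group absent (IT security not applied) or empty
    $name = Resolve-AccountName $Account
    return [bool]($members | Where-Object { $_.Name -ieq $name })
}

function Test-ServiceAccount {
    param([string]$Component, [string]$Account, [string[]]$Groups)
    $row = [ordered]@{ Component = $Component; Account = $Account; Status = ''; Detail = '' }
    if (-not $Account) {
        $row.Account = '<not found>'; $row.Status = 'MISSING'; $row.Detail = 'not installed or not registered'
    }
    elseif ($Account.StartsWith('<')) {
        $row.Status = 'NO FIXED ACCOUNT'; $row.Detail = 'DCOM identity is not a dedicated account'
    }
    elseif ($Environment -eq 'domain' -and (Resolve-AccountName $Account) -notlike "$env:COMPUTERNAME\*") {
        # Domain accounts are members of the domain's FTS_OPC group, checked on the Domain Controller
        $row.Status = 'CHECK ON DC'; $row.Detail = 'verify membership of domain group FTS_OPC'
    }
    else {
        $inGroups = @($Groups | Where-Object { Test-LocalGroupMember -Account $Account -Group $_ })
        $row.Status = if ($inGroups.Count -gt 0) { 'OK' } else { 'NOT IN REQUIRED GROUP' }
        $row.Detail = 'member of: ' + ($inGroups -join ', ')
    }
    [pscustomobject]$row
}

$groups  = $RequiredGroups[$Environment]
$results = @(
    Test-ServiceAccount -Component 'FAST/TOOLS Service'       -Account (Get-ServiceLogonAccount 'FAST/TOOLS Service')    -Groups $groups
    Test-ServiceAccount -Component 'FAST/TOOLS OPC AE Server' -Account (Get-DcomRunAsAccount 'FAST/TOOLS OPC AE Server') -Groups $groups
    Test-ServiceAccount -Component 'FAST/TOOLS OPC DA Server' -Account (Get-DcomRunAsAccount 'FAST/TOOLS OPC DA Server') -Groups $groups
)
$results | Format-Table -AutoSize
```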

6. Other utility programs
The following utility programs are provided as supporting tools to the IT Security Tool:
• CreateFasttoolsProcess: use this utility to create the FTS_PROCESS user account and to change its password
• StorageDeviceCTL: use this utility to temporarily use removable storage devices to write or update data
• ITSecuritySettingItemExport: use this utility to export the applied IT security settings to a file

6.1 CreateFasttoolsProcess utility You can use this utility to create the FTS_PROCESS user account on computers installed with Yokogawa products that collaborate with FAST/TOOLS. Moreover, this tool enables you to change the password of an existing FTS_PROCESS user account.

Running the CreateFasttoolsProcess utility
Follow these steps to create internal user accounts of FAST/TOOLS on computers installed with other products:
1. Log on to Windows as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the following folder: :\Windows\FASTTOOLS\ITSecurity
3. Double-click [Yokogawa.IA.iPCS.Platform.Security.CreateFasttoolsProcess.exe]. A dialog box appears, asking if you want to create the internal user account (FTS_PROCESS).
4. Click [Yes]. The internal user account (FTS_PROCESS) is created.

Changing the internal user account password
Follow these steps to change the password of the internal user account:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Command Prompt] and select [Run as Administrator]. The Command Prompt window appears.
3. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the following folder: :\Windows\FASTTOOLS\ITSecurity
4. Run the following command:
Yokogawa.IA.iPCS.Platform.Security.CreateFasttoolsProcess.exe -p
The FTS_PROCESS user account is created with the specified password. If the user account already exists, its password is updated as specified in the command.

6.2 StorageDeviceCTL utility
You can use this utility to temporarily use removable storage devices to write or update data. On a computer where the StorageDevicePolicies function is enabled or access to USB storage devices is disabled, it performs the following actions:
• Disabling the StorageDevicePolicies function
• Enabling access to USB storage devices
Note: To run the StorageDeviceCTL utility, you must be a member of one of the following Windows user groups:
• FTS_MAINTENANCE
• FTS_MAINTENANCE_LCL

Running the StorageDeviceCTL utility
Follow these steps to temporarily grant the write permission for removable storage devices:
1. Log on to Windows as a user with administrative rights.
2. In Windows, run the following program file to start the StorageDeviceCTL utility: :\Program Files (x86)\YOKOGAWA\IA\iPCS\Platform\Security\PROGRAM\Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
Note: If the User Account Control dialog box appears, asking if you want to allow the program to run, click [Yes].

The StorageDeviceCTL utility appears on the task bar, indicating that the write permission is granted.
3. Insert a removable storage device into the computer.
4. Write or update data on the storage device.
5. After you finish writing or updating data, properly remove the storage device.
6. From the task bar, click [StorageDeviceCTL].
7. In the StorageDeviceCTL message box, click [Write Stop] to close the utility. The write permission for the removable storage devices is removed.

6.3 ITSecuritySettingItemExport utility
You can use this utility to export the security model, user management type, and security settings that are applied by the IT Security Tool to an external file. If the exported file is imported by using the IT Security Tool, each security setting that is selected in the IT Security Tool is reproduced in the target environment.

Running the ITSecuritySettingItemExport utility
Follow these steps to run the ITSecuritySettingItemExport utility:
1. Log on to Windows as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the following folder: :\Windows\FASTTOOLS\ITSecurity
3. Double-click [Yokogawa.IA.iPCS.Platform.Security.ITSecuritySettingItemExport.exe]. A dialog box appears, indicating that the IT security settings are exported to a folder.
4. Click [OK].
Note:
• This utility is available only on computers where a YOKOGAWA system product is installed. It is not available on a file server or domain controller, where security configuration is performed by using the IT Security Tool without installing product software.
• The account used to run this utility must belong to the maintenance group of the product.
• The folder and file that are exported by this utility have a fixed name. If they already exist on the computer, the file will be overwritten.

7. Connecting YOKOGAWA products
FAST/TOOLS can be connected with other YOKOGAWA products in one of the following ways:
• Coexistence: FAST/TOOLS and the other product are installed on the same computer
• Collaboration: FAST/TOOLS and the other product are installed on separate computers but communicate with each other over a network
Note:
• Ensure that the security model and the user management type of the products that you are connecting are the same.
• If the Strengthened model is applied to the products that you want to connect, contact YOKOGAWA.
• For more information, refer to the user's manual of the product that you want to connect with FAST/TOOLS.

7.1 FAST/TOOLS and STARDOM
This section describes the security settings that are required to connect FAST/TOOLS with STARDOM.

7.1.1 Coexistence
The following figure shows the network structure of coexistence with FAST/TOOLS and STARDOM FCN/FCJ systems.

[Figure 7.1.1-1 Network connection: an FCN/FCJ engineering environment with FAST/TOOLS, connected over the Control Bus (Ethernet) to FCN/FCJ controllers and a PLC]

Connecting FAST/TOOLS and STARDOM
On a computer where STARDOM and FAST/TOOLS are installed together, the IT security settings must be configured manually.

7.1.2 Collaboration
The FAST/TOOLS system accesses data from STARDOM FCN/FCJ over Ethernet (TCP/IP) by using the HSE interface. The following figure shows the network connection between FAST/TOOLS and STARDOM (HSE).

[Figure 7.1.2-1 Network connection: SCADA Server, Control Bus (Ethernet), FCN/FCJ]

Connecting FAST/TOOLS and STARDOM
Follow these steps to configure the collaboration settings for FAST/TOOLS and STARDOM FCN/FCJ:
1. Create a user account that has the following privileges:
   • project data to FAST/TOOLS system
   • copied project data
   • Send converted data to FAST/TOOLS system
2. Define personal firewall exceptions.

Table 7.1.2-1 Firewall program exceptions
  Application   Description   Where used
  EQPFCX        eqpfcx.exe    SCADA Server

Table 7.1.2-2 Firewall port exceptions
  Program   Port        Where used
  HSE       TCP: 1090   SCADA Server

3. Configure EQUIPMENT/FAST.
4. Define the TCP/IP line type and the STARDOM-FCX equipment. Refer to the EQUIPMENT/FAST System Integrator's Manual (IM50L07L02-21E) for more information.
5. Create I/O points on the FAST/TOOLS computer.

7.2 FAST/TOOLS and ProSafe-RS
This section describes the security settings that are required to connect FAST/TOOLS with ProSafe-RS.

7.2.1 Collaboration
The FAST/TOOLS system accesses data from the ProSafe-RS SCS through Vnet/IP. The following figure shows the network connection between FAST/TOOLS and the ProSafe-RS SCS.

[Figure 7.2.1-1 Network connection: SCADA Server, Vnet/IP, SCS]

Connecting FAST/TOOLS and ProSafe-RS
Follow these steps to connect FAST/TOOLS and ProSafe-RS systems:
1. Install the Vnet/IP card and driver. Refer to Integration with FAST/TOOLS IM (32P56H20-01EN) for more information.
2. Define personal firewall exceptions.

Table 7.2.1-1 Firewall program exceptions
  Application   Description   Where used
  EQPVNET       eqpvnet.exe   SCADA Server, RGS Server

Table 7.2.1-2 Firewall port exceptions
  Program or application   Port              Where used
  Vnet/IP                  UDP: 9940, 5313   SCADA Server
  Open PIO                 UDP: 6000         RGS Server

3. Configure EQUIPMENT/FAST.
4. Define the Vnet/IP line type and the ProSafe-RS equipment. Refer to the EQUIPMENT/FAST System Integrator's Manual (IM 50L07L02-01EN/R9.03) for more information.
5. Create I/O points on the FAST/TOOLS computer.

7.3 FAST/TOOLS and Matrikon OPC Server
This section describes the security settings that are required to connect FAST/TOOLS with Matrikon OPC Server.

7.3.1 Collaboration
The FAST/TOOLS system accesses data from the Matrikon OPC Server over Ethernet (TCP/IP) by using the OPC interface. The SCADA Server acts as the OPC Client that receives data from the Matrikon OPC Server. The following figure shows the network connection between FAST/TOOLS and Matrikon OPC Server.

[Figure 7.3.1-1 Network connection: SCADA Server (OPC Client), Ethernet (TCP/IP), Matrikon OPC Server]

Connecting FAST/TOOLS and Matrikon OPC Server
Follow these steps to connect FAST/TOOLS and Matrikon OPC Server:
1. Install the Matrikon OPC Client software on the SCADA Server.
2. Define the OPC user account that is used to access both the Client and the Server machine. On the OPC Server and on the SCADA Server, create the FTS_PROCESS user account. In a domain, the account is defined only once, on the Domain Controller. In a workgroup, the same account must be defined separately on the Client machine and on the Server machine.
   Note: The following restrictions apply:
   • A password must be defined. (A blank password or a trivial password such as "admin" is not allowed.)
   • The user name and password must be identical on both machines.
   • The OPC Client (SCADA Server) and the OPC Server must use the same user account.

3. Define personal firewall exceptions.


Table 7.3.1-1 Firewall program exceptions
  Application                    Description            Where used
  opxdas12.exe                                          OPC Server
  opcism.exe                                            OPC Server
  UNWISE.exe                                            OPC Client
  opxdac.exe                                            OPC Client
  Microsoft Management Console   %System32%\mmc.exe     OPC Client and OPC Server
  OPCEnum                        OPC Emulation Server   OPC Server

Table 7.3.1-2 Firewall port exceptions
  Program or application     Port (*1)
  RPC/DCOM                   TCP: 135
  NetBIOS Session Service    TCP: 139
  DCOM                       TCP: 20500-20550
  NetBIOS Name Resolution    UDP: 137
  NetBIOS Datagram Service   UDP: 138
  Where used (all rows): SCADA Server, RGS Server, OPC Server, OPC Client

*1: The scope of the ports should be changed to "Any".
Note: You can use the IT Security Tool to configure the firewall exceptions.
4. Configure EQUIPMENT/FAST.
5. Define the TCP/IP line type and the OPC DA equipment. Refer to the EQUIPMENT/FAST System Integrator's Manual (IM 50L07L02-01EN/R9.03) for more information.
6. Create I/O points on the FAST/TOOLS computer.

7.4 FAST/TOOLS and Exaquantum
This section describes the security settings that are required to connect FAST/TOOLS with Exaquantum.

7.4.1 Collaboration
The FAST/TOOLS system exchanges data with the Exaquantum Server over Ethernet (TCP/IP) by using the OPC interface. The Exaquantum Server acts as the OPC Client that receives data, and the SCADA Server acts as the OPC Server. The following figure shows the network connection between FAST/TOOLS and the Exaquantum Server.

[Figure 7.4.1-1 Network connection: Exaquantum Server (OPC Client), Ethernet (TCP/IP), SCADA Server (OPC Server)]

Connecting FAST/TOOLS and Exaquantum
Follow these steps to connect FAST/TOOLS and Exaquantum:
1. Install the OPC Client software (FAST/TOOLS OPC-DA Tunneler) on the Exaquantum Server.
2. Create user accounts on both computers as follows:
   • Standalone management type
     a. Create the QTM_PROCESS and FTS_PROCESS user accounts on the Exaquantum and FAST/TOOLS computers.
     b. Add QTM_PROCESS to FTS_OPC on the FAST/TOOLS computer to use the DCOM function of FAST/TOOLS.
     c. Add FTS_PROCESS to QTM_OPC on the Exaquantum computer to use the DCOM function of Exaquantum.
   • Domain management type
     a. Create the QTM_PROCESS and FTS_PROCESS user accounts on the Exaquantum and FAST/TOOLS computers.
     b. Add QTM_PROCESS to FTS_OPC_LCL on the FAST/TOOLS computer to use the DCOM function of FAST/TOOLS.
     c. Add FTS_PROCESS to QTM_OPC_LCL on the Exaquantum computer to use the DCOM function of Exaquantum.


3. Define personal firewall exceptions.

Table 7.4.1-1 Firewall program exceptions
  Application                    Description            Where used
  OPC Server                     opxdas12.exe           OPC Server
  OPC Client                     Quantum.exe            OPC Client
  Microsoft Management Console   %System32%\mmc.exe     OPC Client and OPC Server
  OPCEnum                        OPC Emulation Server   OPC Server

Table 7.4.1-2 Firewall port exceptions
  Program or application     Port (*1)
  RPC/DCOM                   TCP: 135
  NetBIOS Session Service    TCP: 139
  DCOM                       TCP: 20500-20550
  NetBIOS Name Resolution    UDP: 137
  NetBIOS Datagram Service   UDP: 138
  Where used (all rows): OPC Client and OPC Server

*1: The scope of the ports should be changed to "Any".
Note: You can use the IT Security Tool to configure the firewall exceptions.
4. Create items on the Exaquantum Server to access the FAST/TOOLS items on the SCADA Server.
Note:
• The OPC flag must be enabled for the FAST/TOOLS items that Exaquantum accesses.
• The OPC Server Type must be defined on the Exaquantum Server.
• The OPC-DA Server ProgID must be changed to the name of the latest FAST/TOOLS OPC Server.
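The firewall exceptions in Tables 7.1.2-1 through 7.4.1-2 can also be created from an elevated Windows PowerShell prompt with the NetSecurity cmdlets, which is easier to review and to repeat on several hosts than the Windows Firewall GUI. The script below is an added example and is not part of this guide or of FAST/TOOLS. It takes Table 7.3.1-2 and the OPC Client rows of Table 7.3.1-1 (section 7.3) as its data; the same table-driven shape fits the STARDOM (7.1.2), ProSafe-RS (7.2.1) and Exaquantum (7.4.1) tables. The Matrikon program paths and the rule-name prefix are assumptions of the example, since the tables give file names only. RemoteAddress defaults to Any, as note *1 requires, and can be narrowed to the peer's address.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): create the inbound firewall
# exceptions of Tables 7.3.1-1 / 7.3.1-2 on the OPC Client (SCADA Server).
# Program paths are assumptions; the guide lists file names only.
param(
    [string[]]$RemoteAddress = @('Any'),   # note *1 says "Any"; narrow to the OPC Server's address where you can
    [string]$Prefix = 'FAST/TOOLS OPC'     # rule-name prefix, invented by this example
)

$portRules = @(
    @{ Name = 'RPC/DCOM endpoint mapper'; Protocol = 'TCP'; Port = '135' },
    @{ Name = 'NetBIOS Session Service';  Protocol = 'TCP'; Port = '139' },
    @{ Name = 'DCOM port range';          Protocol = 'TCP'; Port = '20500-20550' },
    @{ Name = 'NetBIOS Name Resolution';  Protocol = 'UDP'; Port = '137' },
    @{ Name = 'NetBIOS Datagram Service'; Protocol = 'UDP'; Port = '138' }
)

$programRules = @(
    @{ Name = 'OPC Client (opxdac.exe)'; Path = 'C:\Program Files (x86)\Matrikon\OPC\opxdac.exe' },  # assumed path
    @{ Name = 'OPC Client (UNWISE.exe)'; Path = 'C:\Program Files (x86)\Matrikon\OPC\UNWISE.exe' },  # assumed path
    @{ Name = 'Microsoft Management Console'; Path = "$env:SystemRoot\System32\mmc.exe" }
)

foreach ($r in $portRules) {
    $display = "$Prefix - $($r.Name)"
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }   # idempotent
    New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteAddress | Out-Null
}

foreach ($r in $programRules) {
    $display = "$Prefix - $($r.Name)"
    if (-not (Test-Path -LiteralPath $r.Path)) { Write-Warning "not found, skipping: $($r.Path)"; continue }
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Allow `
        -Program $r.Path -RemoteAddress $RemoteAddress | Out-Null
}

# Read back what exists under the prefix, with ports and remote scope resolved,
# so the result can be compared against the table and filed.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Protocol = $pf.Protocol
        Port     = $pf.LocalPort
        Remote   = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Run it on the host named in the "Where used" column of the table you are applying. The TCP 20500-20550 rule only carries DCOM traffic if DCOM on that host has been restricted to that port range (Component Services, My Computer, Default Protocols); otherwise DCOM allocates ports from the default dynamic RPC range and the rule is never matched.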

7.5 Coexistence with FAST/TOOLS Client and other products
The Web HMI Client and the FAST/TOOLS Mobile Client can coexist with other Yokogawa products. You can configure the IT security settings in one of the following ways:
• Running the IT Security Tool from the product installer
  This is the most common method for running the IT Security Tool. This method must be used if the FAST/TOOLS Client is installed on a computer where a Yokogawa product is already installed. It is also the method used to apply IT security settings on the FAST/TOOLS Server.
• Running the IT Security Tool from the installation media
  This method can be used if the FAST/TOOLS Client and the other Yokogawa products are installed on separate computers.
• Configuring the IT security settings manually
  The IT security settings can be configured manually if the FAST/TOOLS Client is installed on a computer at CORPORATE LEVEL or BUSINESS LEVEL.

8. Optional IT security settings
This section describes the optional IT security settings that you can configure to further strengthen your computer.

8.1 Security measures for Windows 10 and Windows Server 2016
When Windows 10 or Windows Server 2016 is installed with the default settings, the following information is shared:
• Personal speech
• Inking input
• Geographical location
• Browsing data
• Automatic connection to (insecure) hotspots
• Full diagnostic and usage data
• Skype is allowed to process your contacts (if bundled)
It is recommended to use the Long-Term Servicing Branch (LTSB) edition of Windows 10 or Windows Server 2016 and to disable the sharing of the information listed above.

8.2 Disabled Windows applications
The following applications should be disabled or uninstalled from your computer:
• Netmeeting (uninstalled)
• Windows Messenger (uninstalled)
• Windows Movie Maker (disabled)
• Windows Update (disabled)
• Windows Media Player (uninstalled)
• All games (uninstalled)
• Outlook Express (uninstalled)
• Yahoo Messenger (uninstalled)
• Skype (uninstalled)
• VOIP (uninstalled)
• Groove Music (uninstalled)


Removing bundled apps for a specific user
Some versions of Windows 8, Windows 8.1, and Windows 10 are delivered with a number of bundled apps. When a user first signs in, Windows installs those apps into the user account. Even after the apps are uninstalled from the user account, many of them are downloaded again automatically after a Windows update. It is recommended to remove all the bundled apps that can be removed from your computer.
Follow these steps to remove the bundled apps from your computer:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Windows PowerShell] and select [Run as Administrator]. The PowerShell window appears. (The commands below are PowerShell cmdlets; they do not run in a plain Command Prompt window.)
3. Run one of the following commands:
   • To remove the bundled apps for a specific user (replace <user name> with the account name):
     Get-AppxPackage -User <user name> | Remove-AppxPackage
   • To remove the bundled apps for all users:
     Get-AppxPackage -AllUsers | Remove-AppxPackage
   The bundled apps are removed from the computer.
Note: The following apps are not removed:
• Contact Support
• Cortana
• Photos
• Microsoft Edge
• Windows Feedback
• Settings
• Windows Store (may be reinstalled after a Windows update)
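The two one-line commands above remove what is currently installed, but they do not touch the provisioned copies that Windows installs into every new profile and re-applies after feature updates, which is why the apps reappear. The following script is an added example and is not part of this guide or of FAST/TOOLS: it removes the installed packages for all users, de-provisions them, and keeps an allow list so that the Store and the shared runtime packages other apps depend on are not removed. The package names in $Keep are assumptions chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): remove bundled Store apps for
# every existing user and de-provision them, so that new accounts and feature
# updates do not bring them back. Packages matching $Keep are left alone.
# Remove-AppxPackage -AllUsers needs Windows 10 1803 or later.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Keep = @(
        'Microsoft.WindowsStore',      # the guide notes the Store may come back after Windows Update anyway
        'Microsoft.Windows.Photos',
        'Microsoft.VCLibs.*', 'Microsoft.NET.Native.*', 'Microsoft.UI.Xaml.*'   # runtime dependencies of other apps
    )
)

function Test-Keep([string]$PackageName) {
    foreach ($pattern in $Keep) { if ($PackageName -like $pattern) { return $true } }
    return $false
}

# 1. Installed packages, across all user profiles on this machine.
Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework -and -not (Test-Keep $_.Name) } |
    Sort-Object PackageFullName -Unique |
    ForEach-Object {
        $full = $_.PackageFullName
        if ($PSCmdlet.ShouldProcess($full, 'Remove-AppxPackage -AllUsers')) {
            try { Remove-AppxPackage -Package $full -AllUsers -ErrorAction Stop }
            catch { Write-Warning "$full : $($_.Exception.Message)" }   # e.g. system apps Windows refuses to remove
        }
    }

# 2. Provisioned packages: the image-level copies installed into each new
#    profile and re-applied by feature updates.
Get-AppxProvisionedPackage -Online |
    Where-Object { -not (Test-Keep $_.DisplayName) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove-AppxProvisionedPackage -Online')) {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
    }

# 3. What is left, for the record.
Get-AppxPackage -AllUsers | Where-Object { -not $_.IsFramework } |
    Select-Object Name, Version | Sort-Object Name -Unique | Format-Table -AutoSize
```

Run it once with -WhatIf to see the list before anything is removed; the apps the guide's note lists as non-removable show up as warnings rather than stopping the run.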

8.3 Audit policies
You can apply audit policies to record account logon conditions and security events. The recorded data is useful for detecting abnormal system conditions at an early stage and for determining the causes of security problems.

IMPORTANT You must observe the following precautions if you want to apply audit policies: • The system performance is affected if you increase the number of recorded event types. • You must determine the event record size that is appropriate for the system operation conditions. The number of generated events varies depending on the types of recorded events and system operations.

The following table describes the details of events that can be recorded by applying audit policies.

Table 8.3-1 Audit policies
  Option                           Setting
  Audit account logon events       Success, Failure
  Audit account management         Success, Failure
  Audit object access              Failure
  Audit system events              Success
  Audit directory service access   Failure
  Audit process tracking           No auditing
  Audit policy change              Success
  Audit logon events               Success, Failure
  Audit privilege use              Failure

8.3.1 Applying Audit Policy settings
Follow these steps to apply the Audit Policy settings:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Audit Policy]. The security setting for each Audit Policy is displayed.
4. Apply the Audit Policy settings of Table 8.3-1 as necessary.
5. Close the Local Security Policy window.

8.3.2 Defining maximum event log size
To prevent data loss, you need to specify the maximum size for the following event logs:
• Security
• Application
• System

Follow these steps to define the maximum event log size:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Event Viewer]. The Event Viewer window appears.
3. On the navigation pane, under Event Viewer, select [Windows Logs].
4. Under Windows Logs, right-click the event log (Security, Application, or System) and select [Properties].
5. In the dialog box that appears, specify the settings as follows:

Table 8.3.2-1 Settings
  Item                               Security    Application   System
  Maximum log size (KB) (*1)         81,920 KB   16,384 KB     16,384 KB
  When maximum log size is reached   Overwrite events as needed (all three logs)

*1: This is the recommended log size considering standard usage. You can determine the appropriate log size based on the operation frequency, engineering data size, and HDD capacity of your computer.
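Both procedures in 8.3.1 and 8.3.2 can be scripted and, more usefully, re-read later to catch drift. The following Windows PowerShell script is an added example and is not part of this guide or of FAST/TOOLS: it applies Table 8.3-1 with auditpol.exe and Table 8.3.2-1 with wevtutil.exe, then reads both back. The category names are the auditpol.exe names for the policies in Table 8.3-1 (the mapping is given in the comments); everything else is the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): apply Table 8.3-1 with
# auditpol.exe and Table 8.3.2-1 with wevtutil.exe, then read both back.

$auditBaseline = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  },  # Audit account logon events
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  },  # Audit account management
    @{ Category = 'Object Access';      Success = $false; Failure = $true  },  # Audit object access
    @{ Category = 'System';             Success = $true;  Failure = $false },  # Audit system events
    @{ Category = 'DS Access';          Success = $false; Failure = $true  },  # Audit directory service access
    @{ Category = 'Detailed Tracking';  Success = $false; Failure = $false },  # Audit process tracking: no auditing
    @{ Category = 'Policy Change';      Success = $true;  Failure = $false },  # Audit policy change
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  },  # Audit logon events
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  }   # Audit privilege use
)

# Table 8.3.2-1: sizes in bytes (81,920 KB / 16,384 KB), overwrite as needed.
$logBaseline = @{ Security = 81920KB; Application = 16384KB; System = 16384KB }

function Set-AuditBaseline {
    foreach ($a in $auditBaseline) {
        $s = if ($a.Success) { 'enable' } else { 'disable' }
        $f = if ($a.Failure) { 'enable' } else { 'disable' }
        & auditpol.exe /set /category:"$($a.Category)" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$($a.Category)'" }
    }
}

function Set-LogBaseline {
    foreach ($log in $logBaseline.Keys) {
        # /ms = maximum size in bytes; /rt:false = "Overwrite events as needed"
        & wevtutil.exe sl $log /ms:$($logBaseline[$log]) /rt:false
        if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for log '$log'" }
    }
}

function Get-AuditReport {
    # /r prints CSV with columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting (after a blank line).
    & auditpol.exe /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-LogReport {
    foreach ($log in $logBaseline.Keys) {
        $cfg = & wevtutil.exe gl $log     # lines such as "  maxSize: 83886080" and "  retention: false"
        [pscustomobject]@{
            Log       = $log
            MaxBytes  = [int64](($cfg | Select-String '^\s*maxSize:\s*(\d+)').Matches[0].Groups[1].Value)
            Expected  = $logBaseline[$log]
            Retention = ($cfg | Select-String '^\s*retention:\s*(\w+)').Matches[0].Groups[1].Value
        }
    }
}

Set-AuditBaseline
Set-LogBaseline
Get-AuditReport | Format-Table -AutoSize
Get-LogReport   | Format-Table -AutoSize
```

If a domain GPO configures Advanced Audit Policy (subcategory level) with "Force audit policy subcategory settings" enabled, the category-level settings made here are overridden at the next policy refresh; in that case, put Table 8.3-1 into the GPO instead and use only the read-back part of the script.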

8.4 Disabling automatic administrative logon to the Recovery Console
Automatic logon as a standard operating procedure is a known security risk, especially with Administrator privileges. Therefore, automatic administrative logon must be disabled.

Note: In known limited environments where automated login is unavoidable, strong passwords must be used for these services and proper documentation must be maintained.

Follow these steps to disable automatic administrative logon:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Recovery Console: Allow automatic administrative logon] and select [Disabled].
5. Close the Local Security Policy window.

8.5 Setting user rights for internal system objects Only appropriate administrative groups should be able to configure settings such as COM ports, serial ports, or printers.

Follow these steps to set user rights for internal system objects:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)] and select [Enabled].
5. Close the Local Security Policy window.

8.6 Verifying user rights assignments
Only the specified users or groups are allowed to perform a given operation. It is recommended to verify that the user rights assignment is configured appropriately.

Follow these steps to verify the user rights assignment:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [User Rights Assignment]. The user rights assignment for each policy is displayed.
4. Verify that the user rights are assigned as follows:

Table 8.6-1 User rights assignments
  User right (Policy)                                            Security setting
  Act as part of the operating system                            None
  Adjust memory quotas for a process                             None
  Back up files and directories                                  FTS_MAINTENANCE
  Bypass traverse checking                                       None
  Change the                                                     FTS_MAINTENANCE
  Create a page file                                             None
  Create a token object                                          None
  Enable computer and user accounts to be trusted for delegation FTS_MAINTENANCE
  Force shutdown from a remote system                            None
  Impersonate a Client after authentication                      FTS_MAINTENANCE
  Increase scheduling priority                                   None
  Lock pages in memory                                           None
  Modify firmware environment values                             FTS_MAINTENANCE
  Perform volume maintenance tasks                               FTS_MAINTENANCE
  Profile single process                                         None
  Profile system performance                                     None
  Replace a process level token                                  None
  Restore files and directories                                  FTS_MAINTENANCE
  Shut down the system                                           FTS_MAINTENANCE
  Synchronize directory service data                             None
  Take ownership of files or other objects                       FTS_MAINTENANCE

5. Close the Local Security Policy window.
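Verifying Table 8.6-1 by eye in the Local Security Policy console does not scale beyond a few hosts. The script below is an added example and is not part of this guide or of FAST/TOOLS: it exports the effective user-rights assignment with secedit.exe, resolves the SIDs to account names, and compares each privilege with the table, where "None" is read as granted to nobody. The constants (SeBackupPrivilege and so on) are the Windows privilege names behind the policy names in the table; FTS_MAINTENANCE is the group the guide names, accepted under any domain or host prefix. It reports and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): compare the user-rights
# assignment exported by secedit.exe with Table 8.6-1. Report only.
# Privilege constants are the Windows names for the table's policy names.

$expected = @{
    SeTcbPrivilege                  = @()                   # Act as part of the operating system
    SeIncreaseQuotaPrivilege        = @()                   # Adjust memory quotas for a process
    SeBackupPrivilege               = @('FTS_MAINTENANCE')  # Back up files and directories
    SeChangeNotifyPrivilege         = @()                   # Bypass traverse checking
    SeCreatePagefilePrivilege       = @()                   # Create a page file
    SeCreateTokenPrivilege          = @()                   # Create a token object
    SeEnableDelegationPrivilege     = @('FTS_MAINTENANCE')  # Enable ... trusted for delegation
    SeRemoteShutdownPrivilege       = @()                   # Force shutdown from a remote system
    SeImpersonatePrivilege          = @('FTS_MAINTENANCE')  # Impersonate a client after authentication
    SeIncreaseBasePriorityPrivilege = @()                   # Increase scheduling priority
    SeLockMemoryPrivilege           = @()                   # Lock pages in memory
    SeSystemEnvironmentPrivilege    = @('FTS_MAINTENANCE')  # Modify firmware environment values
    SeManageVolumePrivilege         = @('FTS_MAINTENANCE')  # Perform volume maintenance tasks
    SeProfileSingleProcessPrivilege = @()                   # Profile single process
    SeSystemProfilePrivilege        = @()                   # Profile system performance
    SeAssignPrimaryTokenPrivilege   = @()                   # Replace a process level token
    SeRestorePrivilege              = @('FTS_MAINTENANCE')  # Restore files and directories
    SeShutdownPrivilege             = @('FTS_MAINTENANCE')  # Shut down the system
    SeSyncAgentPrivilege            = @()                   # Synchronize directory service data
    SeTakeOwnershipPrivilege        = @('FTS_MAINTENANCE')  # Take ownership of files or other objects
}

function Get-UserRightsAssignment {
    $inf = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $result = @{}
        $inSection = $false
        foreach ($line in (Get-Content -LiteralPath $inf)) {     # secedit writes UTF-16; the BOM is honoured
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
            $priv = $Matches[1]; $raw = $Matches[2]
            $names = foreach ($tok in ($raw -split ',')) {
                $tok = $tok.Trim().TrimStart('*')                  # SIDs are written as *S-1-5-...
                if (-not $tok) { continue }
                if ($tok -like 'S-1-*') {
                    try { (New-Object System.Security.Principal.SecurityIdentifier($tok)).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $tok }                                  # unresolvable SID: keep it visible
                } else { $tok }
            }
            $result[$priv] = @($names)
        }
        return $result
    } finally { Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue }
}

function Compare-UserRights {
    $actual = Get-UserRightsAssignment
    foreach ($priv in ($expected.Keys | Sort-Object)) {
        $have = @($actual[$priv])                                   # absent key = granted to nobody
        $want = @($expected[$priv])
        $haveShort = @($have | ForEach-Object { ($_ -split '\\')[-1] })   # DOMAIN\X and HOST\X both match X
        $missing = @($want | Where-Object { $_ -notin $haveShort })
        $extra   = @($haveShort | Where-Object { $_ -notin $want })
        [pscustomobject]@{
            Privilege = $priv
            Expected  = ($want -join ', ')
            Actual    = ($have -join ', ')
            OK        = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        }
    }
}

Compare-UserRights | Format-Table -AutoSize
```

Treat rows with OK = False as a review list rather than as changes to apply blindly: several of these rights (Bypass traverse checking, Impersonate a client after authentication) are held by built-in service identities in a default Windows installation, and removing them can stop services from starting.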

8.7 Disabling the Guest account
The Guest account must be disabled, and its password must be both long and complex. The password should have at least 15 characters and should contain lowercase and uppercase letters, digits, and special symbols. Contact the network administrator and verify that the Guest account is disabled.

8.8 Restricting access to audit logs Only authorized administrative and service personnel should have access to the following audit logs: • Application logs • Security logs • System logs

Follow these steps to restrict access to audit logs:
1. Log on to Windows as a user with administrative rights.
2. In Windows Explorer, navigate to the following folder: %systemroot%\System32\Winevt\Logs
3. Right-click [Application] and select [Properties].
4. In the dialog box that appears, click the [Security] tab.
5. Verify that Full control is granted to Administrators, SYSTEM, EventLog, and other appropriate user groups only.
6. Click [Advanced].
7. In the dialog box that appears, verify that the [Allow Inheritable Permissions from Parent to Propagate to this Object] check box is cleared.
8. Repeat steps 3 to 7 for the Security and System logs.

8.9 Configuring advanced audit policy settings
Audit logs may contain information about the system usage and the location of objects that could be used as a basis for an attack.
Follow these steps to configure advanced audit policy settings:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The policies related to security options are displayed.
4. Disable the following settings:
   • Audit: Audit the access of global system objects
   • Audit: Shut down system immediately if unable to log security audits
5. Close the Local Security Policy window.

8.10 Restricting access to removable media
The permission to format and eject removable media should be granted to appropriate administrative groups only.
Follow these steps to restrict access to removable media:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The policies related to security options are displayed.
4. Double-click [Devices: Allowed to format and eject removable media].
5. In the dialog box that appears, select an appropriate administrative user group and click [OK].
6. Close the Local Security Policy window.

8.11 Making the screen saver password protection immediate
Password protection for the screen saver should take effect immediately, without any grace period.
Follow these steps to apply immediate password protection for the screen saver:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4. Verify that the value "ScreenSaverGracePeriod" (REG_SZ) exists and is set to 0.
5. Close the Registry Editor.

8.12 Configuring the SNMP service settings
To reduce the attack surface of the SNMP interface, the SNMP service should be disabled. If you must enable the SNMP service, change the default community names so that they cannot be guessed by potential attackers.
Follow these steps to configure the SNMP service settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Services window.
3. Double-click [SNMP Service].
4. In the dialog box that appears, click the [Security] tab.
5. Verify that the default PUBLIC and PRIVATE community names are not used. If the default names are used, change the PUBLIC and PRIVATE community names.
6. Verify that [Accept SNMP packets from these hosts] is selected.
7. Close the Services window.
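The settings behind the SNMP Service "Security" tab live in the registry and can be checked without opening the dialog, which is useful when SNMP has to stay enabled on a host. The following Windows PowerShell script is an added example and is not part of this guide or of FAST/TOOLS; the key names and the rights encoding in $rights are those the Windows SNMP service uses. Note that SNMPv1/v2c community names are sent in clear text, so renaming them defeats guessing but not traffic capture.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): check the SNMP service against
# section 8.12. ValidCommunities holds name = community, data = rights;
# PermittedManagers holds numbered values = allowed hosts (empty = any host).
$svc = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if (-not $svc) { 'SNMP service is not installed: nothing to check.'; return }

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
$findings = New-Object System.Collections.Generic.List[string]

# Preferred state per the guide: disabled and stopped.
if ($svc.StartType -ne 'Disabled') { $findings.Add("start type is $($svc.StartType); the guide prefers Disabled") }
if ($svc.Status -eq 'Running')     { $findings.Add('service is running') }

# Community names: default names and write access are both findings.
$comm = Get-Item -Path "$base\ValidCommunities" -ErrorAction SilentlyContinue
$communities = if ($comm) { @($comm.GetValueNames()) } else { @() }
foreach ($name in $communities) {
    $r = $rights[[int]$comm.GetValue($name)]
    if ($name -in @('public', 'private'))      { $findings.Add("default community name '$name' still configured ($r)") }
    if ($r -in @('READ WRITE', 'READ CREATE')) { $findings.Add("community '$name' grants $r") }
}

# "Accept SNMP packets from these hosts" stores its list under PermittedManagers;
# no entries means packets are accepted from any host.
$mgr = Get-Item -Path "$base\PermittedManagers" -ErrorAction SilentlyContinue
$hosts = if ($mgr) { @($mgr.GetValueNames() | ForEach-Object { $mgr.GetValue($_) }) } else { @() }
if ($hosts.Count -eq 0 -and $svc.StartType -ne 'Disabled') {
    $findings.Add('PermittedManagers is empty: SNMP packets are accepted from any host')
}

[pscustomobject]@{
    StartType   = $svc.StartType
    Status      = $svc.Status
    Communities = ($communities -join ', ')
    Hosts       = ($hosts -join ', ')
    Findings    = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
} | Format-List
```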

8.13 Configuring SSL registry settings
Because of known vulnerabilities, the use of SSL 2.0 and SSL 3.0 is prohibited, and both must be disabled.
Follow these steps to disable SSL 2.0 and SSL 3.0:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
4. Verify that the SSL settings are configured as follows:

Table 8.13-1 SSL settings (all keys are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\)
  Key              Name      Type        Data
  SSL 2.0\Server   Enabled   REG_DWORD   0
  SSL 3.0\Server   Enabled   REG_DWORD   0
  SSL 2.0\Client   Enabled   REG_DWORD   0
  SSL 3.0\Client   Enabled   REG_DWORD   0

   Note: The SCHANNEL "Enabled" value is a REG_DWORD; a REG_SZ value of the same name is ignored by the provider.
5. Close the Registry Editor.

8.14 Configuring TLS registry settings
TLS 1.0 and TLS 1.1 must be disabled and TLS 1.2 must be enabled. A server that cannot use TLS 1.2 should be registered as an exception in the IT environment and isolated accordingly.
Follow these steps to configure the TLS registry settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
4. Verify that the TLS settings are configured as follows:

Table 8.14-1 TLS settings (all keys are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\)
  Key              Name      Type        Data
  TLS 1.0\Server   Enabled   REG_DWORD   0
  TLS 1.1\Server   Enabled   REG_DWORD   0
  TLS 1.2\Server   Enabled   REG_DWORD   1
  TLS 1.0\Client   Enabled   REG_DWORD   0
  TLS 1.1\Client   Enabled   REG_DWORD   0
  TLS 1.2\Client   Enabled   REG_DWORD   1

   Note: The SCHANNEL "Enabled" value is a REG_DWORD. The change takes effect after a reboot.
5. Close the Registry Editor.
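Sections 8.13 and 8.14 describe the same SCHANNEL keys, so one script can apply both tables and read them back. The following Windows PowerShell script is an added example and is not part of this guide or of FAST/TOOLS. Beyond the tables, it also sets DisabledByDefault (1 for a disabled protocol, 0 for TLS 1.2), which is Microsoft's published way to turn a protocol off for clients that would otherwise still offer it; both values are REG_DWORD, and the change takes effect after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): apply Tables 8.13-1 and 8.14-1
# to the SCHANNEL Protocols key and read the result back. Enabled and
# DisabledByDefault are REG_DWORD; disabled protocol = Enabled 0 + DisabledByDefault 1.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy = @{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Set-SchannelProtocol([string]$Name, [bool]$Enable) {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Name) $side
        $action = "Enabled=$([int]$Enable) DisabledByDefault=$([int](-not $Enable))"
        if ($PSCmdlet.ShouldProcess($key, $action)) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $key -Name Enabled           -Value ([int]$Enable)        -Type DWord
            Set-ItemProperty -LiteralPath $key -Name DisabledByDefault -Value ([int](-not $Enable)) -Type DWord
        }
    }
}

function Get-SchannelReport {
    foreach ($name in ($policy.Keys | Sort-Object)) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $protocols $name) $side
            $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            # A missing value means the OS default applies, which is not what the tables ask for.
            $enabled = if ($null -ne $p -and $null -ne $p.Enabled) { [int]$p.Enabled } else { 'default' }
            $dbd     = if ($null -ne $p -and $null -ne $p.DisabledByDefault) { [int]$p.DisabledByDefault } else { 'default' }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                # any non-zero DWORD (including 0xFFFFFFFF, read back as -1) means enabled
                Compliant         = if ($policy[$name]) { ($enabled -is [int]) -and ($enabled -ne 0) } else { $enabled -eq 0 }
            }
        }
    }
}

foreach ($name in $policy.Keys) { Set-SchannelProtocol -Name $name -Enable $policy[$name] }
Get-SchannelReport | Format-Table -AutoSize
Write-Host 'Reboot for SCHANNEL changes to take effect.'
```

Run with -WhatIf first to see the keys that would be written. Applications built on older .NET Framework versions choose their TLS version independently of these keys unless they are configured to follow the system defaults, so test the product's own connections after the reboot rather than relying on the registry report alone.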

8.15 Securing registry keys for programs that run during startup
Unauthorized users should not be able to modify the list of programs that run during startup.
Follow these steps to secure the registry keys for programs that run during startup:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. Verify that appropriate security settings (permissions) are configured for the following registry keys:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 4. Close the Registry Editor.

8.16 Securing AllowedPaths and AllowedExactPaths registry keys
The AllowedPaths and AllowedExactPaths registry keys control which parts of the registry can be read remotely through the Remote Registry service. If these keys are modified, additional registry keys become accessible remotely. Therefore, the permission to modify these keys should be granted to the appropriate administrative group only.
Follow these steps to secure the AllowedPaths and AllowedExactPaths registry keys:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\
4. Perform these steps for the AllowedPaths and AllowedExactPaths keys:
   a. Right-click the key and select [Permissions].
   b. Verify that Full Control is allowed for the Administrators user group.
   c. Review additional users and groups for appropriate access. (*1)
   d. Click [OK].
   e. On the right pane, right-click [Machine] and select [Modify].
   f. In the Edit Multi-String dialog box, set and verify the allowed paths. (*1)
5. Close the Registry Editor.
*1:
• The default Allowed Paths are as follows:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLAP Server
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ContentIndex
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\UserConfig
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SysmonLog
• The default Allowed Exact Paths are as follows:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Server Applications
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
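Sections 8.8, 8.15 and 8.16 all ask you to open a Security tab and confirm that only administrative identities can change an object. The script below is an added example and is not part of this guide or of FAST/TOOLS: it reads the ACLs of the three event log files, the startup Run keys and the winreg allow-list keys, lists every identity that holds write-class rights, flags those outside the administrative set the guide names (SYSTEM, Administrators, EventLog), warns where a log file still inherits permissions (8.8, step 7), and prints the current Machine allow lists for review (8.16). The $trusted list is the example's reading of the guide; extend it with your site's own administrative groups.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FAST/TOOLS guide): report write-class access on
# the objects of sections 8.8, 8.15 and 8.16. Report only; nothing is changed.

$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog', 'CREATOR OWNER')

$logFiles = 'Application', 'Security', 'System' |
    ForEach-Object { Join-Path "$env:SystemRoot\System32\Winevt\Logs" "$_.evtx" }

$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths'
)

# Rights that let a principal change the object, per provider.
$fileWrite = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$regWrite  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, TakeOwnership, ChangePermissions, FullControl'

function Get-WriteAccess([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $isRegistry = $Path -like 'HK*:*'
    $mask = if ($isRegistry) { $regWrite } else { $fileWrite }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        # compare numerically: generic-right bits do not print as enum names
        if (([int]$rights -band [int]$mask) -eq 0) { continue }
        [pscustomobject]@{
            Object     = $Path
            Identity   = $ace.IdentityReference.Value
            Rights     = $rights
            Inherited  = $ace.IsInherited
            Unexpected = ($ace.IdentityReference.Value -notin $trusted)
        }
    }
    if (-not $isRegistry -and -not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits permissions from its parent (8.8 step 7 wants inheritance cleared)"
    }
}

$report = foreach ($p in ($logFiles + $registryKeys)) {
    if (Test-Path -LiteralPath $p) { Get-WriteAccess $p } else { Write-Warning "missing: $p" }
}
'Identities with write-class access outside the trusted set:'
$report | Where-Object Unexpected | Format-Table Object, Identity, Rights, Inherited -AutoSize

# 8.16: the remote-registry allow lists themselves, for comparison with footnote *1.
foreach ($k in ($registryKeys | Where-Object { $_ -like '*winreg*' })) {
    "`n$k"
    (Get-ItemProperty -LiteralPath $k -Name Machine -ErrorAction SilentlyContinue).Machine
}
```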

8.17 Disabling "Everyone" group permissions for anonymous users
If anonymous users are granted the permissions of the "Everyone" group, they can access every resource that is allowed for "Everyone", which is a possible security threat.
Follow these steps to disable "Everyone" group permissions for anonymous users:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Network access: Let Everyone permissions apply to anonymous users] and select [Disabled].
5. Close the Local Security Policy window.

8.18 Removing unwanted network protocols
To reduce the network attack surface of a Server computer, unwanted applications, services, and network protocols should be removed.
Follow these steps to remove unwanted network protocols from the Server computer:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Network and Sharing Center].
3. On the navigation pane, select [Change adapter settings]. The Network Connections window appears, displaying the available network interfaces.
4. Right-click each network interface and select [Properties].
5. In the dialog box that appears, select the check boxes of the following items, if present, and click [Uninstall]:
   • AppleTalk
   • DLC
   • NetBEUI
   • NWLink
   A dialog box appears, asking if you want to uninstall the selected item.
6. Click [Yes]. The selected network protocols are uninstalled.
7. Close the Network Connections window.
Note: Windows 10 and Windows Server 2016 do not ship these legacy protocols. If none of them appears in the list, there is nothing to remove on that interface.

[Figure: Minimum session security for NTLM SSP based servers (Windows Server 2008/Windows 7)]

8.19 Deploying TCP/IP protocol settings
If TCP/IP is installed on a computer, the TCP/IP protocol settings must be deployed to enhance network security. However, this must be considered case by case, because policies or connection requirements may limit the settings that can be applied.
Follow these steps to deploy TCP/IP protocol settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
4. Verify that appropriate values are assigned for each parameter.
5. Close the Registry Editor.

8.20 Enabling safe DLL search order
A computer can be attacked by planting a malicious DLL where the system will find it first when an application loads a library by name. Safe DLL search mode searches the application folder and the system folders before the current working directory, so a DLL planted in the working directory is no longer picked up ahead of the legitimate copy.
Follow these steps to enable safe DLL search order:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
4. Configure the following value:
   Name: SafeDllSearchMode
   Type: DWORD
   Data: 1
5. Close the Registry Editor.

8.21 Using NTFS on all non-removable partitions
NTFS is the primary file system for recent versions of Windows and, unlike FAT, supports access control lists. NTFS should be used on all non-removable partitions. If there is a compelling business need to use non-NTFS partitions, access to such partitions must be local (not shared) or limited to appropriate administrative groups.
Follow these steps to convert a FAT partition to NTFS:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Command Prompt] and select [Run as Administrator]. The Command Prompt window appears.
3. Run the following command:
   convert <drive>: /FS:NTFS /V
   For example, the command to convert the "E" drive to NTFS is:
   convert E: /FS:NTFS /V

8.22 Enforcing password protection for third-party SMB Servers

SMB is a common method for remote file access. Ideally it should not be used in an OT environment; where it is used, password protection must be enforced. For centrally controlled domains, this control objective should be implemented within the Group Policy Object (GPO) of the domain. For member Servers that are not part of the domain, these settings should be implemented in the Local Computer Policy.

Follow these steps to enforce password protection for third-party SMB Servers:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local Security Policy]. The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security Options]. The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Microsoft network Client: Send unencrypted password to third party SMB Servers] and select [Disabled].
5. Close the Local Security Policy window.
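The registry values behind 8.19, 8.20 and 8.22 can be verified in one read-only pass instead of walking the Registry Editor and Local Security Policy by hand. The script below is an added example, not part of the Yokogawa guide; it assumes the three Tcpip\Parameters MSS values named in Appendix 1, SafeDllSearchMode under Session Manager, and EnablePlainTextPassword under LanmanWorkstation\Parameters (the value the "Send unencrypted password to third-party SMB servers" policy writes). Expected data comes from the guide where it states one (3 retransmissions, router discovery off, SafeDllSearchMode 1, policy Disabled) and is marked as assumed otherwise.

```powershell
# Added example (not Yokogawa code): audit the registry values behind
# sections 8.19 (Tcpip parameters), 8.20 (SafeDllSearchMode) and
# 8.22 (unencrypted SMB passwords). Read-only; run in an elevated
# PowerShell so every key is readable.

# Each check: key, value name, expected data, and why it matters.
# Expected data that the guide does not state explicitly is marked "assumed".
$Checks = @(
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name     = 'DisableIPSourceRouting'
       Expected = 2   # assumed: 2 = drop all source-routed packets (highest protection level)
       Why      = 'MSS: IP source routing protection (packet spoofing)' },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name     = 'PerformRouterDiscovery'
       Expected = 0   # 0 = IRDP disabled, as the guide requires
       Why      = 'MSS: IRDP router discovery (could lead to DoS)' },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name     = 'TcpMaxDataRetransmissions'
       Expected = 3   # 3 recommended by the guide (5 is the Windows default)
       Why      = 'MSS: retransmissions of unacknowledged data' },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name     = 'SafeDllSearchMode'
       Expected = 1   # 1 = safe DLL search order (section 8.20)
       Why      = 'Safe DLL search order' },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name     = 'EnablePlainTextPassword'
       Expected = 0   # 0 = "Send unencrypted password to third-party SMB servers" Disabled (8.22)
       Why      = 'Unencrypted SMB passwords' }
)
# Note: the IPv4 checks above have an IPv6 counterpart under
# Services\Tcpip6\Parameters on dual-stack hosts; add it to $Checks if IPv6 is in use.

function Test-RegistryBaseline {
    param([hashtable[]]$Baseline)
    foreach ($c in $Baseline) {
        # -ErrorAction SilentlyContinue makes a missing key or value come back as $null
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $status = 'DEVIATION'
        if ($null -eq $actual) { $status = 'MISSING' }
        elseif ($actual -eq $c.Expected) { $status = 'OK' }
        [pscustomobject]@{
            Status   = $status
            Value    = "$($c.Key)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $actual
            Why      = $c.Why
        }
    }
}

# MISSING is reported separately from a wrong value: for the Tcpip parameters a
# missing value means the Windows default applies, which for
# TcpMaxDataRetransmissions is 5 rather than the recommended 3.
$results = Test-RegistryBaseline -Baseline $Checks
$results | Format-Table -AutoSize

# Non-zero exit code when anything deviates, so the script can gate a
# commissioning checklist or a scheduled compliance run.
$bad = @($results | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) setting(s) do not match the baseline."
    exit 1
}
```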

8.23 Setting a unique password for each Administrator account

Using the same password across multiple systems and services is not recommended. The Administrator account should therefore have a unique password on each Server. Verify with the network administrator that administrator-level account passwords are unique across all managed Servers.

Follow these steps to set a unique password for each Administrator-level account:
1. Log on to Windows as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Computer Management]. The Computer Management window appears.
3. On the navigation pane, expand [System Tools] > [Local Users and Groups].
4. In the Name section, double-click [Users].
5. Right-click the [Administrator] user account and select [Set Password]. If a warning message is displayed, click [Proceed].
6. In the dialog box that appears, type a unique password in the New Password and Confirm Password boxes, and then click [OK].
7. Close the Computer Management window.

8.24 Setting up the advanced personal firewall

When you run the IT Security Tool, the inbound personal firewall rules are applied. In addition, you must define the outbound rules to prevent sensitive information from being sent from your computer.

Follow these steps to define the outbound rules for the Windows firewall:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Windows Firewall]. The Windows Firewall window appears.
3. On the left pane, select [Advanced settings]. The Windows Firewall with Advanced Security window appears.
4. On the left pane, right-click [Windows Firewall with Advanced Security] and select [Properties].
5. In the dialog box that appears, from the Outbound connections drop-down list, select [Block] on each of the following tabs:
   • Domain Profile
   • Private Profile
   • Public Profile
6. Click [OK].
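The same outbound default can be verified and applied from an elevated PowerShell with the NetSecurity cmdlets, which is easier to repeat across several Servers than the dialog above. This is an added example, not part of the Yokogawa guide; it assumes the built-in Domain, Private and Public profiles and exports the currently enabled outbound allow rules before switching the default to Block, because everything without an explicit allow rule stops working at that moment.

```powershell
# Added example (not Yokogawa code): verify, and optionally apply, the
# outbound default of section 8.24 on all three profiles with the
# NetSecurity cmdlets instead of the Windows Firewall with Advanced
# Security dialog. Run in an elevated PowerShell.
param(
    # Without -Apply the script only reports; with -Apply it sets Block.
    [switch]$Apply
)

$Profiles = 'Domain', 'Private', 'Public'

function Get-OutboundDefault {
    # One object per profile: name, enabled state and default outbound action.
    foreach ($p in Get-NetFirewallProfile -Name $Profiles) {
        [pscustomobject]@{
            Profile               = $p.Name
            Enabled               = $p.Enabled
            DefaultOutboundAction = $p.DefaultOutboundAction
        }
    }
}

Write-Host 'Current state:'
Get-OutboundDefault | Format-Table -AutoSize

$notBlocking = @(Get-OutboundDefault | Where-Object DefaultOutboundAction -ne 'Block')

if ($notBlocking.Count -eq 0) {
    Write-Host 'All profiles already block outbound connections by default.'
} elseif ($Apply) {
    # Blocking outbound by default breaks anything that has no explicit allow
    # rule. Record what is allowed out today so the allow list for FAST/TOOLS
    # services, DNS, time sync and the domain can be reconstructed if needed.
    $backup = Join-Path $env:TEMP ('outbound-rules-before-block-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
        Select-Object Name, DisplayName, Profile, Group |
        Export-Csv -Path $backup -NoTypeInformation
    Write-Host "Enabled outbound allow rules saved to $backup"

    Set-NetFirewallProfile -Name $Profiles -DefaultOutboundAction Block
    Write-Host 'Outbound default set to Block on Domain, Private and Public.'
    Get-OutboundDefault | Format-Table -AutoSize
} else {
    Write-Warning ('Profiles not blocking outbound by default: ' + ($notBlocking.Profile -join ', '))
    Write-Warning 'Re-run with -Apply to set Block on all three profiles.'
}
```

Test the resulting allow list on a non-production FAST/TOOLS computer first: with the default set to Block, an outbound rule is needed for every connection the Server initiates, including those toward the Domain Controller.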

Appendix 1. IT security setting items

This section describes the security setting items that are configured by using the IT Security Tool, their default values, and whether they can be modified.

Appendix 1.1 Security setting items in FAST/TOOLS computer

This section describes the security setting items that are configured by using the IT Security Tool, their default values, and whether they can be modified, for the following computers:
• SCADA Server
• Web HMI Server
• Web HMI Client
• Mobile Client

Security setting items for Standard model with Standalone management

The following table shows the security setting items for the Standard model with Standalone management.

Table Appendix 1.1-1 Standard Model - Standalone Management

Setting item | Default check box | Modification state
Creating local users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Disable 'Personal Firewall-[Allow unicast response]' | Clear | Editable
Disabling NetBIOS over TCP/IP | Clear | Editable
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
Applying the software restriction policies | Clear | Editable
User Rights Assignment-[Deny log on locally] | Selected | Fixed
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Fixed
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Selected | Editable
Security Options-[Microsoft network Server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Selected | Editable
Group Policy-[Configure registry policy processing] | Selected | Editable
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Event Viewer "Events.asp" links] | Selected | Editable
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Selected | Editable
Internet Communication settings-[Turn off printing over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Search Companion content file updates] | Selected | Editable
Internet Communication settings-[Turn off the "Publish to Web" task for files and folders] | Selected | Editable
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Selected | Fixed
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Selected | Fixed
Logon-[Do not display network selection UI] | Selected | Editable
Logon-[Do not enumerate connected users on domain-joined computers] | Selected | Editable
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Selected | Editable
Logon-[Turn off app notifications on the lock screen] | Selected | Editable
Mitigation Options-[Untrusted Font Blocking] | Selected | Editable
User Profiles-[Turn off the advertising ID] | Selected | Editable
App Privacy-[Let Windows apps access account information] | Selected | Editable
App Privacy-[Let Windows apps access call history] | Selected | Editable
App Privacy-[Let Windows apps access contacts] | Selected | Editable
App Privacy-[Let Windows apps access email] | Selected | Editable
App Privacy-[Let Windows apps access location] | Selected | Editable
App Privacy-[Let Windows apps access messaging] | Selected | Editable
App Privacy-[Let Windows apps access motion] | Selected | Editable
App Privacy-[Let Windows apps access the calendar] | Selected | Editable
App Privacy-[Let Windows apps access the camera] | Selected | Editable
App Privacy-[Let Windows apps access the microphone] | Selected | Editable
App Privacy-[Let Windows apps access trusted devices] | Selected | Editable
App Privacy-[Let Windows apps control radios] | Selected | Editable
App Privacy-[Let Windows apps sync with devices] | Selected | Editable
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Selected | Editable
AutoPlay Policies-[Turn off Autoplay] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Cloud Content-[Do not show Windows Tips] | Selected | Editable
Cloud Content-[Turn off Microsoft consumer experiences] | Selected | Editable
Data Collection and Preview Builds-[Allow Telemetry] | Selected | Editable
Data Collection and Preview Builds-[Disable pre-release features or settings] | Selected | Editable
Data Collection and Preview Builds-[Do not show feedback notifications] | Selected | Editable
Data Collection and Preview Builds-[Toggle user control over Insider builds] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
HomeGroup-[Prevent the computer from joining a homegroup] | Selected | Editable
OneDrive-[Prevent the usage of OneDrive for file storage] | Selected | Editable
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Selected | Editable
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Selected | Editable
Device and Resource Redirection-[Do not allow drive redirection] | Selected | Editable
Security-[Require secure RPC communication] | Selected | Editable
Security-[Require user authentication for remote connections by using Network Level Authentication] | Selected | Editable
Disable 'Search-[Allow Cortana]' | Selected | Editable
Software Protection Platform-[Turn off KMS Client Online AVS Validation] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Fixed
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable
Notifications-[Turn off toast notifications on the lock screen] | Selected | Editable

Security setting items for Standard model with Domain or Combination management

The following table shows the security setting items for the Standard model with Domain or Combination management.

Table Appendix 1.1-2 Standard Model - Domain/Combination Management

Setting item | Default check box | Modification state
Creating local users and groups | Selected | Fixed
Creating domain users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Disable 'Personal Firewall-[Allow unicast response]' | Clear | Editable
Disabling NetBIOS over TCP/IP | Selected | Fixed
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
Applying the software restriction policies | Clear | Editable
User Rights Assignment-[Deny log on locally] | Selected | Fixed
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Fixed
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Selected | Editable
Security Options-[Microsoft network Server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Selected | Editable
Group Policy-[Configure registry policy processing] | Selected | Editable
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Event Viewer "Events.asp" links] | Selected | Editable
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Selected | Editable
Internet Communication settings-[Turn off printing over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Search Companion content file updates] | Selected | Editable
Internet Communication settings-[Turn off the "Publish to Web" task for files and folders] | Selected | Editable
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Selected | Fixed
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Selected | Fixed
Logon-[Do not display network selection UI] | Selected | Editable
Logon-[Do not enumerate connected users on domain-joined computers] | Selected | Editable
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Selected | Editable
Logon-[Turn off app notifications on the lock screen] | Selected | Editable
Mitigation Options-[Untrusted Font Blocking] | Selected | Editable
User Profiles-[Turn off the advertising ID] | Selected | Editable
App Privacy-[Let Windows apps access account information] | Selected | Editable
App Privacy-[Let Windows apps access call history] | Selected | Editable
App Privacy-[Let Windows apps access contacts] | Selected | Editable
App Privacy-[Let Windows apps access email] | Selected | Editable
App Privacy-[Let Windows apps access location] | Selected | Editable
App Privacy-[Let Windows apps access messaging] | Selected | Editable
App Privacy-[Let Windows apps access motion] | Selected | Editable
App Privacy-[Let Windows apps access the calendar] | Selected | Editable
App Privacy-[Let Windows apps access the camera] | Selected | Editable
App Privacy-[Let Windows apps access the microphone] | Selected | Editable
App Privacy-[Let Windows apps access trusted devices] | Selected | Editable
App Privacy-[Let Windows apps control radios] | Selected | Editable
App Privacy-[Let Windows apps sync with devices] | Selected | Editable
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Selected | Editable
AutoPlay Policies-[Turn off Autoplay] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Cloud Content-[Do not show Windows Tips] | Selected | Editable
Cloud Content-[Turn off Microsoft consumer experiences] | Selected | Editable
Data Collection and Preview Builds-[Allow Telemetry] | Selected | Editable
Data Collection and Preview Builds-[Disable pre-release features or settings] | Selected | Editable
Data Collection and Preview Builds-[Do not show feedback notifications] | Selected | Editable
Data Collection and Preview Builds-[Toggle user control over Insider builds] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
HomeGroup-[Prevent the computer from joining a homegroup] | Selected | Editable
OneDrive-[Prevent the usage of OneDrive for file storage] | Selected | Editable
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Selected | Editable
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Selected | Editable
Device and Resource Redirection-[Do not allow drive redirection] | Selected | Editable
Security-[Require secure RPC communication] | Selected | Editable
Security-[Require user authentication for remote connections by using Network Level Authentication] | Selected | Editable
Disable 'Search-[Allow Cortana]' | Selected | Editable
Software Protection Platform-[Turn off KMS Client Online AVS Validation] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Fixed
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable
Notifications-[Turn off toast notifications on the lock screen] | Selected | Editable

Appendix 1.2 Security setting items in Domain Controller

This section describes the security setting items that are configured by using the IT Security Tool, their default values, and whether they can be modified, for the Domain Controller.

Security setting items for Standard model with Domain or Combination management

The following table shows the security setting items for the combination of the Standard model and Domain or Combination management.

Table Appendix 1.2-1 Domain Controller: Standard Model - Domain/Combination Management (1/3) Default check box Setting item Modification state Creating domain users and groups Selected Fixed Access control for files and folders Selected Editable Access Control for DCOM (OPC) objects Selected Fixed Personal firewall tuning Selected Fixed Disable 'Personal Firewall-[Allow unicast response]’ Selected Editable Disabling NetBIOS over TCP/IP Selected Editable Applying the StorageDevicePolicies function Clear Editable Disabling USB storage devices Clear Editable User Rights Assignment-[Access this computer from the network] Selected Editable User Rights Assignment-[Add workstations to domain] Selected Editable Security Options-[Audit: Force audit policy subcategory settings Selected Editable (Windows Vista or later) to override audit policy category settings] Security Options-[Devices: Prevent users from installing printer Selected Editable drivers] Security Options-[Devices: Restrict CD-ROM access to locally Selected Editable logged-on user only] Security Options-[Devices: Restrict floppy access to locally Selected Editable logged-on user only] Disable 'Security Options-[Domain Controller: Allow Server Selected Editable operators to schedule tasks]' Disable 'Security Options-[Domain Controller: Refuse machine Selected Editable account password changes]' Security Options-[Domain member: Require strong (Windows Selected Editable 2000 or later) session key] Security Options-[Interactive logon: Do not display last user name] Selected Editable Disable 'Security Options-[Interactive logon: Do not require Selected Editable CTRL+ALT+DEL]’ Security Options-[Interactive logon: Prompt user to change Selected Editable password before expiration] Security Options-[Microsoft network Server: Digitally sign Selected Editable communications (if Client agrees)] Security Options-[Microsoft network Server: Server SPN target Selected Editable name validation level] [MSS: 
(DisableIPSourceRouting) IP source routing protection Selected Editable level (protects against packet spoofing)] Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect Selected Editable and configure Default Gateway addresses (could lead to DoS)]

TI 50A01A10-04EN Sep. 18, 2019-00 App.1-10

Table Appendix 1.2-1 Domain Controller: Standard Model - Domain/Combination Management (2/3)

Default check box Setting item Modification state [MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is Selected Editable default)] Security Options-[Network access: Do not allow anonymous Selected Editable enumeration of SAM accounts] Security Options-[Network access: Do not allow anonymous Selected Editable enumeration of SAM accounts and shares] Security Options-[Network access: Do not allow storage of Selected Editable passwords and credentials for network authentication] Security Options-[Network security: Allow Local System to use Selected Editable computer identity for NTLM] Disable 'Security Options-[Network security: Allow Local System Selected Editable NULL session fallback]’ Security Options-[Network security: Force logoff when logon Selected Editable hours expire] Security Options-[Network security: LAN Manager authentication Selected Fixed level] Security Options-[Network security: Minimum session security for Selected Editable NTLM SSP based (including secure RPC) Clients] Security Options-[Network security: Minimum session security for Selected Editable NTLM SSP based (including secure RPC) Servers] Disable 'Security Options-[Shutdown: Allow system to be shut Selected Editable down without having to log on]' Security Options-[User Account Control: Admin Approval Mode for Selected Editable the Built'-in Administrator account] Security Options-[User Account Control: Behavior of the elevation Selected Editable prompt for administrators in Admin Approval Mode] Advanced Audit Policy Configuration-[Audit Credential Validation] Selected Editable Advanced Audit Policy Configuration-[Audit Computer Account Selected Editable Management] Advanced Audit Policy Configuration-[Audit Other Account Selected Editable Management Events] Advanced Audit Policy Configuration-[Audit Security Group Selected Editable Management] Advanced Audit Policy Configuration-[Audit User Account Selected Editable Management] Advanced 
Audit Policy Configuration-[Audit Process Creation] Selected Editable Advanced Audit Policy Configuration-[Audit RPC Events] Selected Editable Advanced Audit Policy Configuration-[Audit Directory Service Selected Editable Access] Advanced Audit Policy Configuration-[Audit Directory Service Selected Editable Changes] Advanced Audit Policy Configuration-[Audit Account Lockout] Selected Editable Advanced Audit Policy Configuration-[Audit Logoff] Selected Editable Advanced Audit Policy Configuration-[Audit Logon] Selected Editable Advanced Audit Policy Configuration-[Audit Other Logon/ Logoff Selected Editable Events] Advanced Audit Policy Configuration-[Audit Special Logon] Selected Editable Advanced Audit Policy Configuration-[Audit Application Selected Editable Generated]

TI 50A01A10-04EN Sep. 18, 2019-00 App.1-11

Table Appendix 1.2-1 Domain Controller: Standard Model - Domain/Combination Management (3/3)

Setting item | Default check box | Modification state
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit IPsec Driver] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
Logon-[Do not display network selection UI] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
Security-[Require secure RPC communication] | Selected | Editable
Store-[Turn off Automatic Download and Install of updates] | Selected | Editable
Store-[Turn off Automatic Download of updates on Win8 machines] | Selected | Editable
Store-[Turn off the offer to update to the latest version of Windows] | Selected | Editable
Store-[Turn off the Store application] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Editable
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable
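The advanced audit subcategories in the table above can be verified on a deployed computer without opening the policy editor. The following PowerShell script is an added example and is not part of this guide or of the IT Security Tool. It assumes an English-language Windows whose auditpol output uses the subcategory names shown in the table (auditpol itself spells one of them "MPSSVC Rule-Level Policy Change"), and it must be run from an elevated prompt.

```powershell
# Added example (not from the Yokogawa guide): report which of the advanced audit
# subcategories listed in the table above are not currently enabled on this host.
# Assumes an English-language Windows where "auditpol" prints the subcategory
# names used below; run from an elevated prompt.

$ExpectedSubcategories = @(
    'Removable Storage',
    'Audit Policy Change',
    'Authentication Policy Change',
    'Filtering Platform Policy Change',
    'MPSSVC Rule-Level Policy Change',
    'Other Policy Change Events',
    'Sensitive Privilege Use',
    'IPsec Driver',
    'Other System Events',
    'Security State Change',
    'Security System Extension',
    'System Integrity'
)

function Get-AuditSubcategoryState {
    # Parse "auditpol /get /category:*" into a hashtable of subcategory -> setting.
    # Subcategory lines are indented and separate the name from the setting
    # by two or more spaces; category and header lines are not indented.
    $state = @{}
    foreach ($line in (auditpol /get /category:*)) {
        if ($line -match '^\s+(\S.*?)\s{2,}(\S.*)$') {
            $state[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $state
}

function Test-FastToolsAuditPolicy {
    $state = Get-AuditSubcategoryState
    foreach ($name in $ExpectedSubcategories) {
        if (-not $state.ContainsKey($name)) {
            # Not reported at all: wrong OS language or unexpected auditpol output.
            [pscustomobject]@{ Subcategory = $name; Setting = '(not reported)'; Ok = $false }
        } else {
            [pscustomobject]@{
                Subcategory = $name
                Setting     = $state[$name]
                Ok          = ($state[$name] -ne 'No Auditing')
            }
        }
    }
}

# Rows with Ok = False come first so that gaps are visible at a glance.
Test-FastToolsAuditPolicy | Sort-Object Ok | Format-Table -AutoSize
```

A subcategory reported as "No Auditing", or not reported at all, is flagged with Ok = False; such rows should be compared with the state the IT Security Tool was expected to apply before the computer is put into operation.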

TI 50A01A10-04EN Sep. 18, 2019-00 App.2-1

Appendix 2. Additional information
This section provides additional information for configuring the IT security settings.

Appendix 2.1 Notes on security packs and security updates
FAST/TOOLS should be installed and tested on a defined patch level for the project. For example, if additional updates are required or critical fixes are released, Yokogawa must first validate the relevance of such fixes and test FAST/TOOLS on the patched system to check that its functionality is not adversely affected. Therefore, it is recommended to turn off the Windows automatic updates feature, because only approved fixes should be installed. Instructions on how to change these settings can be found on the Microsoft homepage.
Yokogawa maintains a list of security updates that have been tested and evaluated. Before applying Windows updates, you should obtain this list from YHQ or your nearest Yokogawa Center of excellence. Follow these steps to view the list of Windows updates on your computer:
1. In the Control Panel, select [Programs and Features].
2. On the navigation pane, select [View installed updates]. A list of updates is displayed.
3. Compare the displayed list of Windows updates with the list that you obtain from Yokogawa.
4. Add or remove the Windows updates accordingly.
Note: The above method is for standalone computers. Alternatively, it is also possible to configure the automatic Windows updates by using centralized servers (similar to centralized antivirus pattern updates).
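The comparison in steps 2 and 3 can be done from the command line instead of the Control Panel. The following PowerShell script is an added example, not part of this guide; the approved KB list it contains is a constructed placeholder and must be replaced with the list obtained from Yokogawa. The automatic-update check reads the Windows Update policy value NoAutoUpdate, which is the registry setting behind the "turn off automatic updates" policy.

```powershell
# Added example (not from the Yokogawa guide): compare the hotfixes installed on
# this computer with the list of updates approved by Yokogawa, and check whether
# automatic updates are switched off by policy. The approved list below is a
# constructed placeholder; replace it with the KB numbers obtained from Yokogawa.

$ApprovedUpdates = @('KB0000001', 'KB0000002')   # placeholder values, not real KB numbers

function Compare-InstalledUpdates {
    param([string[]]$Approved)
    # Get-HotFix reports the HotFixID (KB number) of each installed update.
    $installed   = Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object -Unique
    $approvedSet = $Approved | Sort-Object -Unique
    [pscustomobject]@{
        # Installed on this computer but not on the approved list: candidates for removal.
        NotApproved = @($installed | Where-Object { $approvedSet -notcontains $_ })
        # On the approved list but not installed: candidates for installation.
        Missing     = @($approvedSet | Where-Object { $installed -notcontains $_ })
    }
}

function Test-AutoUpdateDisabled {
    # Windows Update policy key; NoAutoUpdate = 1 means automatic updates are off.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $value = Get-ItemProperty -Path $key -Name NoAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.NoAutoUpdate -eq 1)
}

$result = Compare-InstalledUpdates -Approved $ApprovedUpdates
"Installed but not approved: $($result.NotApproved -join ', ')"
"Approved but not installed: $($result.Missing -join ', ')"
"Automatic updates disabled by policy: $(Test-AutoUpdateDisabled)"
```

Get-HotFix lists the updates recorded by the Windows installer (the same set shown under [View installed updates]); it does not show antivirus pattern updates or updates delivered by other means, so it complements rather than replaces the list obtained from Yokogawa.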

■ Antivirus software
It is recommended to install only the antivirus software verified by Yokogawa on the terminals connected to the FAST/TOOLS system and on the Domain Controller. Contact Yokogawa for information on applying the antivirus software. Updating the search engine or pattern file of the antivirus software may cause the computer to restart or lead to other unexpected issues. Therefore, you must check the behavior of the antivirus software update on a test computer before applying it on the FAST/TOOLS computer.

Appendix 2.2 User account management when security model is changed
The IT Security Tool creates the user group accounts for FAST/TOOLS based on the selected user management type. If you want to change the user management type, the existing user group accounts for FAST/TOOLS should be deleted or renamed. The following table describes how to manage the user group accounts when the user management type is changed to Standalone management.

Table Appendix 2.2-1 When user management type is changed to Standalone management
User account | From Domain management | From Combination management
FTS_OPERATOR | Add the user account | Rename from FTS_OPERATOR_LCL to FTS_OPERATOR
FTS_OPERATOR_LCL | - | -
FTS_ENGINEER | Add the user account | Rename from FTS_ENGINEER_LCL to FTS_ENGINEER
FTS_ENGINEER_LCL | - | -
FTS_MAINTENANCE | Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE | Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE
FTS_MAINTENANCE_LCL | - | -
FTS_OPC | Add the user account | Rename from FTS_OPC_LCL to FTS_OPC
FTS_OPC_LCL | - | -

The following table describes how to manage the user group accounts when the user management type is changed to Domain management.

Table Appendix 2.2-2 When user management type is changed to Domain management
User account | From Domain management | From Combination management
FTS_OPERATOR | Delete the user account | -
FTS_OPERATOR_LCL | - | Delete the user account
FTS_ENGINEER | Delete the user account | -
FTS_ENGINEER_LCL | - | Delete the user account
FTS_MAINTENANCE | Rename from FTS_MAINTENANCE to FTS_MAINTENANCE_LCL | -
FTS_MAINTENANCE_LCL | Use existing FTS_MAINTENANCE_LCL | Delete the user account
FTS_OPC | - | -
FTS_OPC_LCL | - | Delete the user account

The following table describes how to manage the user group accounts when the user management type is changed to Combination management.

Table Appendix 2.2-3 When user management type is changed to Combination management
User account | From Domain management | From Combination management
FTS_OPERATOR | Rename from FTS_OPERATOR to FTS_OPERATOR_LCL | -
FTS_OPERATOR_LCL | - | Add the user account
FTS_ENGINEER | Rename from FTS_ENGINEER to FTS_ENGINEER_LCL | -
FTS_ENGINEER_LCL | - | Add the user account
FTS_MAINTENANCE | Rename from FTS_MAINTENANCE to FTS_MAINTENANCE_LCL | -
FTS_MAINTENANCE_LCL | - | Use existing FTS_MAINTENANCE_LCL
FTS_OPC | Rename from FTS_OPC to FTS_OPC_LCL | -
FTS_OPC_LCL | - | Add the user account
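The renames in the "From Combination management" column of Table Appendix 2.2-1 (change to Standalone management) can be scripted so that each step is checked before anything is changed. The following PowerShell function is an added example and is not part of this guide or of the IT Security Tool. It assumes that the FTS_* entries are local groups (the guide calls them user group accounts) and that the Microsoft.PowerShell.LocalAccounts module shipped with Windows is available; the group names are the ones given in the table.

```powershell
# Added example (not from the Yokogawa guide): apply the "From Combination
# management" column of Table Appendix 2.2-1 by renaming the FTS_*_LCL local
# groups to their base names. Assumes the FTS_* entries are local groups and that
# Get-LocalGroup / Rename-LocalGroup are available. Supports -WhatIf.

function Rename-FtsGroupsToStandalone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Old name -> new name, taken from Table Appendix 2.2-1.
    $renames = @{
        'FTS_OPERATOR_LCL'    = 'FTS_OPERATOR'
        'FTS_ENGINEER_LCL'    = 'FTS_ENGINEER'
        'FTS_MAINTENANCE_LCL' = 'FTS_MAINTENANCE'
        'FTS_OPC_LCL'         = 'FTS_OPC'
    }

    foreach ($old in $renames.Keys) {
        $new    = $renames[$old]
        $source = Get-LocalGroup -Name $old -ErrorAction SilentlyContinue
        $target = Get-LocalGroup -Name $new -ErrorAction SilentlyContinue

        if (-not $source) {
            Write-Warning "$old does not exist; nothing to rename"
            continue
        }
        if ($target) {
            # Renaming onto an existing group would fail; leave it for manual
            # review rather than deleting anything automatically.
            Write-Warning "$new already exists; skipping $old"
            continue
        }
        if ($PSCmdlet.ShouldProcess($old, "Rename local group to $new")) {
            Rename-LocalGroup -Name $old -NewName $new
        }
    }
}

# Dry run first; remove -WhatIf to perform the renames.
Rename-FtsGroupsToStandalone -WhatIf
```

Renaming a local group keeps its SID, so file permissions and user-rights assignments that reference the group remain valid; deleting and recreating a group with the same name would not, which is why the table asks for a rename wherever both the old and the new name exist.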

Appendix 2.3 Tools for defining local policies
The following table describes the tools for defining local policies.

Table Appendix 2.3-1 Tools for defining local policies
Tool | Description
gpedit.msc | This is the Group Policy Object Editor. You can use this msc to define group policy objects.
secpol.msc | This is used for configuring local security settings. You can use this msc to define security settings only.

Appendix 2.4 Stopping Windows services before configuring IT security settings
The IT Security Tool accesses the FAST/TOOLS resources and changes the user rights of FAST/TOOLS user accounts. The following issues may occur when applying the IT security settings while FAST/TOOLS is in operation:
• The security settings may not be applied appropriately.
• Unexpected behavior of FAST/TOOLS operations.
Therefore, certain programs must be stopped before applying the IT security settings. The following table lists the programs that should be stopped before applying IT security settings.

Table Appendix 2.4-1 FAST/TOOLS programs
Order in which the program should be stopped | Program | Program type | Where used
1 | FAST/TOOLS service | Windows service | FAST/TOOLS Server
2 | Redundancy Guest Agent | Windows service | Computer Redundant platform
3 | BK SyncTime (*1) | Windows service | Vnet/IP driver
4 | BK Timerd (*1) | Windows service | Vnet/IP driver
5 | BK Vhfd (*1) | Windows service | Vnet/IP driver
6 | BK Vhfd_SM (*1) | Windows service | Vnet/IP driver
7 | BK VLmon (*1) | Windows service | Vnet/IP driver
8 | BK WDT (*1) | Windows service | Vnet/IP driver
*1: Applicable only when the Vnet/IP driver is installed.
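The stop order in Table Appendix 2.4-1 can be applied from PowerShell before the IT Security Tool is launched. The following function is an added example and is not part of this guide or of the IT Security Tool. It takes the program names in the table as service display names, which is an assumption; confirm the actual names on your system with Get-Service before relying on it. Vnet/IP driver services that are not installed are skipped, and a -WhatIf dry run shows what would be stopped.

```powershell
# Added example (not from the Yokogawa guide): stop the FAST/TOOLS-related
# services in the order given in Table Appendix 2.4-1. The entries are treated as
# service display names (assumption; check with Get-Service). Services that are
# not installed (for example the Vnet/IP driver services) are skipped.

function Stop-FastToolsServices {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Order matters: the FAST/TOOLS service first, then the redundancy agent,
    # then the Vnet/IP driver services.
    $ordered = @(
        'FAST/TOOLS service',
        'Redundancy Guest Agent',
        'BK SyncTime', 'BK Timerd', 'BK Vhfd', 'BK Vhfd_SM', 'BK VLmon', 'BK WDT'
    )

    foreach ($display in $ordered) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Verbose "$display is not installed; skipping"
            continue
        }
        if ($svc.Status -eq 'Stopped') {
            Write-Verbose "$display is already stopped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($display, 'Stop service')) {
            # -Force also stops dependent services; wait so the next service in
            # the list is not stopped while this one is still shutting down.
            Stop-Service -InputObject $svc -Force
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
            Write-Verbose "$display stopped"
        }
    }
}

# Dry run first, then the real stop:
Stop-FastToolsServices -WhatIf -Verbose
# Stop-FastToolsServices -Verbose
```

Stopping the services in sequence and waiting for each one to reach the Stopped state avoids the situation the guide warns about, where settings are applied while FAST/TOOLS resources are still in use.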

Appendix 2.5 Options for running the IT Security Tool
The following table describes the options for running the IT Security Tool.

Table Appendix 2.5-1 Options for running the IT Security Tool
Option | Applicable components | Remarks
FAST/TOOLS and IT Security Tool | FAST/TOOLS Server. Security settings can be applied on any FAST/TOOLS Server | • FAST/TOOLS and IT Security Tool are installed • Security settings can be applied after installing both packages
IT Security for multi-product environment | FAST/TOOLS Client. Security settings can be applied on Web HMI Client (Remote Connect) and Mobile Client (HTML5 Client) | • Only IT Security Tool is installed • Security settings can be applied after installing Remote Connect
Apply IT Security only | Security settings can be applied on Mobile Client (HTML5 Client) and Domain Controller | • IT Security Tool is not installed • IT Security Tool can be launched from the installation media and security settings can be applied

Note: When the software restriction policy is applied to FAST/TOOLS with IT security settings, right-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe] in the installation media and select [Run as administrator] to launch the IT Security Tool.

■ FAST/TOOLS and IT Security Tool
This option installs the FAST/TOOLS Server, the IT Security Tool, and the IT security definition file. The name of the IT security definition file is SERV. After installing both packages, the IT Security Tool is launched automatically.
Note: It is not possible to install the IT Security Tool only. If you select this option on a computer on which FAST/TOOLS is already installed, you must follow the update procedure.

■ IT Security for multi-product environment
This option installs the IT Security Tool and the IT security definition file. The name of the definition file set is CLNT1. After installing the IT Security Tool, it is launched automatically.
Note:
• If FAST/TOOLS Client is installed on a computer where other Yokogawa products are installed with IT security, select this option. Never select “Apply IT Security only”.
• This option can be selected regardless of whether Remote Connect is installed. If Remote Connect is installed after installing the IT Security Tool, you must apply the security settings again.

■ Apply IT Security only
This option is for Mobile Client and Domain Controller. It enables you to launch the IT Security Tool from the FAST/TOOLS installation media. The component (Client or Domain Controller) to which security is applied can be selected after launching the IT Security Tool.
Note: When this option is used to launch the IT Security Tool, all the security settings for FAST/TOOLS programs are changed. Therefore, it is recommended not to use this option in an environment where other products are installed.

Revision Information

Title: FAST/TOOLS Windows IT Security Guide Manual number : TI 50A01A10-04EN

Nov. 2019/2nd Edition
Introduction: Correction of “Introduction”.
3.1.3: Table 3.1.3-2, 3.1.3-3, 3.1.3-4, and 3.2-6: Correction of errors.

Sep. 2019/1st Edition/R10.04 or later Newly published

TI 50A01A10-02EN Nov. 29, 2019-00 Written by Yokogawa Electric Corporation

Published by Yokogawa Electric Corporation 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN

Subject to change without notice.