Cybersecurity Suite

HFCS 2101 (January 2021)

Hardening Compliance Engine (HCE)

User Guide

CS-HFCSE612en-2101A

January 2021

Disclaimer

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2021 - Honeywell International Sàrl

Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Other trademarks

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, or in a file named third_party_licenses on the media containing the product.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website: http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to: [email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate assistance with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

Send an email to [email protected].

or

Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.

About this Guide

This guide provides instructions for using Hardening Compliance Engine, the solution of the Cybersecurity Suite for hardening network assets.

Hardening is a process performed by a collection of tools, techniques, and best practices that allow reducing a system’s vulnerability. While the vulnerability of a system increases in direct proportion to the number of functions the system performs, hardening is aimed at reducing security risk by eliminating potential attack vectors and condensing the system’s attack surface.

Scope

This guide provides step-by-step instructions for collecting data on the VSE and for installing and using the Hardening Compliance solution.

Intended audience

This guide is intended for the following audience types:

● Honeywell Support personnel, who install and configure the Hardening Compliance Engine Software

● Honeywell or customer Support personnel who collect data in the VSE

● System administrators who use the Hardening Compliance Engine Software

● Executives who make decisions based on the data presented in the report generated by running the Hardening Compliance Engine Software

Prerequisite skills

For the installation and configuration of the Hardening Compliance Engine Software, the guide assumes knowledge of the product lines that can be hardened by using the engine. In addition, you need to be familiar with the Station product line.

Related documents

The following list identifies publications that may contain information relevant to the information in this document.

Document Name | Document Number

Cybersecurity Suite 2003 (March 2020) - VSE User Guide | CS-HFCS-601en-2003A

Cybersecurity Suite 2009 - Hardening Compliance User Guide | CS-HFCS-612en-2009A

Revision history

Revision | Supported Release | Date | Description

B | 2101 | January 2021 | This software is an upgrade-only release from release 2003

A | 2006 | June 2020 | First release as a service

A | 2003 | March 2020 | First release within HFCS (Cybersecurity Suite).

Contents

1 Security Considerations 12

1.1 Physical security 12

1.2 Secured zone 12

1.3 Limiting access 12

1.3.1 At the VSE level 12

1.3.2 At the directory or file level 13

1.4 Authorization measures 13

2 Terms and Definitions 14

3 Hardening Compliance Engine Overview 16

3.1 Hardening Compliance Engine architecture 16

3.2 Asset types supported for hardening calculation 18

4 Requirements 19

4.1 Requirements for data collection 19

4.2 Requirements for the Hardening Compliance Engine 20

5 Collecting the Configuration Data at the VSE 21

5.1 Collecting configuration data on Windows machines 22

5.1.1 OS information 24

5.1.2 Hardening compliance data 24

5.1.3 Saving the GPO information to a file 25

5.1.4 Saving the registry data 25

5.1.5 Tagging the Windows machine as an Experion component 25

5.2 Data collection on Cisco machines 26

5.2.1 Version and Cisco configuration data 26

5.2.2 Saving the configuration data to TXT files 26

6 Installing the Hardening Compliance solution 28

7 Upgrading the Hardening Compliance Solution 30

8 Using the Hardening Compliance Manager 33

8.1 Overview 33

8.2 Configuring Hardening Compliance Manager 34

8.3 Exporting and modifying benchmarks 35

8.4 Reimporting and applying benchmarks 36

9 Scheduling the Hardening Report Generation 39

10 Reviewing the Excel Report 43

10.1 Reviewing the Errors tab 44

11 Uninstalling the Hardening Compliance Manager 45

Appendices AT

Appendix A: Known Issues AU

A.1 Non-supported Rules AU

A.2 Configuration data collection not supported on non-English locale OS AU

A.3 GPO HTML report generated incorrectly AU

A.4 Uninstallation does not remove all traces of the current installation AV

Appendix B: Resolved Issues AW

B.1 Resolved Windows Issues AX

B.2 Resolved Cisco Issues BA

Appendix C: Installing Oracle 12.2 client BB

C.1 Oracle 12.2 Client win 32-bit - Base Install BB

List of Figures

Figure 3-1: Hardening Compliance Engine architecture 16

Figure 5-1: Custom Protocol Settings 23

Figure 5-2: OS information generated from a Windows machine 24

Figure 5-3: Hardening compliance information 24

Figure 5-4: Saving the GPO information to a file 25

Figure 5-5: Saving the registry file 25

Figure 5-6: Information collected from a Cisco machine 26

Figure 5-7: Saving configuration data 27

Figure 6-1: Pre-Installation Summary page 29

Figure 6-2: Install Complete page 29

Figure 7-1: Hardening Compliance upgrade installation Introduction 31

Figure 7-2: Hardening Pre-Installation Summary 31

Figure 7-3: Upgrading Hardening Compliance 32

Figure 8-1: Benchmark repository 34

Figure 8-2: Hardening Compliance Manager icon 34

Figure 8-3: Factory default benchmarks tab 35

Figure 8-4: Import File dialog box 36

Figure 8-5: Import File dialog box 37

Figure 8-6: Apply the benchmark to selected sites or all sites 37

Figure 8-7: Hardening Compliance Manager with customizations 38

Figure 9-1: Windows task scheduler 39

Figure 9-2: Create Basic Task command 40

Figure 9-3: Entering the task's name and description 40

Figure 9-4: Setting when the task starts 41

Figure 9-5: Details of weekly execution 41

Figure 9-6: Start a Program page 42

Figure 9-7: Last page of the Create Basic Task wizard 42

Figure 10-1: Policy value in a Windows machine 43

Figure 10-2: Errors tab in the Excel report 44


1 Security Considerations

This chapter outlines the security measures for the Hardening Compliance Engine.

1.1 Physical security

Caution: HFCS-Hardening Compliance Engine is a mission-critical component.

Take all necessary physical security measures to prevent attacks or disasters.

Ensure that the server where the product is installed is located in an approved physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

Hardening Compliance Engine contains sensitive information, the loss of which could have severe consequences. Therefore, there is a need to protect the sensitive information and prevent attacks against the product. To do that, the Hardening Compliance Engine software, as well as its related extensions, must be installed in an internally secured zone with strict access control lists and appropriate firewall/routing rules.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

The user management at the host running the VSE must follow the principles of need to know and least privilege: Only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: Only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their jobs.

Use the built-in file access audit logging on the OS to monitor unauthorized changes to sensitive files.

1.4 Authorization measures

You are strongly advised to implement the following security measures:

● Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created.

● Disable any default Administrator/Root user on the computer.

● Disable any default Guest user on the computer.

● Disable any unauthenticated access to the computer via shared directories, etc.

● Ensure that the OS is up to date with the latest security patches provided by the OS vendor.


2 Terms and Definitions

Note: The terms and definitions are listed in alphabetical order.

R

Remote Access Bridge (RAB) A Cybersecurity Suite component installed externally to the Security Center, which enables secure remote access between the Security Center and the VSE.

Remote Access Gateway (RAG) The Remote Access Gateway is part of the Cybersecurity Suite remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the database. For each request to access a remote site, the Remote Access Gateway establishes a secure connection to the Remote Access Bridge to enable a secure communication tunnel.

S

Security Center (SC) A Cybersecurity Suite component that is installed at the corporate data center. The Security Center is composed of various software components, which enable it to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites.


V

Virtual Security Engine (VSE) The Cybersecurity Suite component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.


3 Hardening Compliance Engine Overview

This chapter presents a brief introduction to the Honeywell Forge Cybersecurity - Hardening Compliance Engine.

3.1 Hardening Compliance Engine architecture

The architecture of the Honeywell Forge Cybersecurity - Hardening Compliance Engine is as shown below.

Figure 3-1: Hardening Compliance Engine architecture


The Hardening Engine calculation is as follows:

1. The VSE collects data from the assets (computers, servers and stations) that operate by using Windows Supplemental Product Line and Cisco Device Product Line, either as a standalone or installed on a Station Server.

2. The collected data is transferred on predefined intervals to the Security Center.

3. Upon request to generate a hardening report, the hardening engine sends a query to the Security Center database to retrieve the raw data. Reports can be either scheduled or generated instantly (on-demand). For details, see sections Scheduling reports and Generating on-demand (instant) reports.

Note: The frequency at which the engine retrieves information from the Security Center database is much less than the frequency at which the VSEs transfer data to the Security Center; for example, once a week vs. once a day.

■ The parameters relevant for identifying the device and the actual configuration and security settings that help in the collection of information, such as:

○ Vendor

○ Model

○ Version

○ Role, for example, Experion (EPKS) Server, EPKS Station, and domain controller.

Note: The Experion Server-Station Product Line is used for tagging Windows machines as Experion devices. This is taken into account when the Hardening Compliance Engine calculates the set of results required for hardening.


4. For each product, the Hardening Engine checks whether it meets the hardening requirements.

5. The engine performs a calculation on the collected data and creates an Excel report.

3.2 Asset types supported for hardening calculation

The following operating systems, as well as all their patches and updates, are supported by the hardening calculation:

● Cisco Firewall Appliances – versions 8-9.5

● Cisco Router – IOS version 12,15,16,3E

● Cisco Switch – IOS version 12,15,16,3E

● Domain Controller Server 2008

● Domain Controller Server 2012

● Domain Controller Server 2016

● Experion Server [ESV(Process), ESC(SCADA), eServer, ESVT]

● Experion Server 2008

● Experion Server 2016

● Experion Station (ES-F, ES-C, ES-CE or ES-T)

● Experion Station

● Experion Station

● Windows 7

● Windows 10

● Windows Server 2012

● Windows Server 2016


4 Requirements

This chapter specifies the requirements for using the Honeywell Forge Cybersecurity - Hardening Compliance Engine, as detailed in the following sections.

4.1 Requirements for data collection

Data collection requires the following:

● VSE version 7.1 and higher versions

● Honeywell Windows Supplemental version 2.20.1 and higher versions (PA)

● Honeywell Cisco Network Devices version 2.8.1 and higher versions (PA)

● Honeywell Server Station (PA) version 2.10.1

● SSH connectivity from the VSE to the network devices

● WMI connectivity with admin privileges from the VSE to the Windows devices

Note: If the WMI user provided under WMI credentials is a non-interactive user, you need to provide an additional user under the protocol settings of the Windows Supplemental product line.

● HTTP/HTTPS connectivity on port 8449 from the Windows devices from which data is collected to the VSE machine

● PowerShell 3.0 and above on target Windows machines
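A check that a site administrator can run on a target Windows machine before enabling collection, verifying the requirements listed above from the target's side (PowerShell version, WMI service and firewall rule group, local administrator membership of the collection account, and TCP 8449 to the VSE). This is an added example, not part of the guide; the VSE address and the account name are assumed values.

```powershell
# Added example (not Honeywell's code): checks the collection prerequisites on a
# target Windows machine. $VseAddress and $CollectionUser are assumed values.
# Needs PowerShell 3.0 itself (the guide's minimum) to run.
param(
    [string]$VseAddress     = "vse.example.local",   # assumed VSE host name or IP
    [string]$CollectionUser = "CORP\svc-hardening"   # assumed WMI collection account
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient is used instead of Test-NetConnection so the check also works on
    # Windows 7 / Server 2008 with PowerShell 3.0, which the guide lists as supported.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-LocalAdminMember {
    param([string]$Account)
    # Parse 'net localgroup' output: member lines sit between the dashed separator
    # and the closing status line (English locale only, as the guide requires).
    $members = net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    return [bool]($members | Where-Object { $_.Trim() -ieq $Account })
}

function Test-CollectionPrerequisites {
    param([string]$VseAddress, [string]$CollectionUser)
    # Inbound WMI from the VSE needs the built-in
    # 'Windows Management Instrumentation (WMI)' firewall rule group enabled.
    $fwRules = netsh advfirewall firewall show rule group="windows management instrumentation (wmi)" | Out-String
    [pscustomobject]@{
        PowerShell3OrLater = $PSVersionTable.PSVersion.Major -ge 3
        WmiServiceRunning  = (Get-Service -Name winmgmt).Status -eq 'Running'
        WmiFirewallRuleOn  = [bool]($fwRules -match 'Enabled:\s+Yes')
        CollectorIsAdmin   = Test-LocalAdminMember -Account $CollectionUser
        VsePort8449Open    = Test-TcpPort -HostName $VseAddress -Port 8449
    }
}

$result = Test-CollectionPrerequisites -VseAddress $VseAddress -CollectionUser $CollectionUser
$result | Format-List
$failed = $result.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object { $_.Name }
if ($failed) {
    Write-Warning ("Prerequisites not met, collection will fail: " + ($failed -join ', '))
}
```

The firewall check is a heuristic on netsh text output; the authoritative test is still a successful WMI query from the VSE with the collection credentials.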


4.2 Requirements for the Hardening Compliance Engine

Use of the Hardening Compliance Engine requires the following:

● The VSE is configured as specified in section Requirements for data collection and is connected to the Security Center for data transfer.

● Oracle client [Oracle Database 12c Release 2 Client (12.2.0.1.0).] is installed on the Hardening machine, and connection credentials are provided via the management interface. For details, see Appendix Installing Oracle 12.2 client.


5 Collecting the Configuration Data at the VSE

This chapter provides instructions for collecting the configuration data at the VSE, for both Cisco and Windows machines.

To enable the collection of the configuration data:

1. Ensure that the file lic.txt is located on the VSE machine under the ...NextNine\SiteServer\Files\FilesFromVendor folder. Creating this file allows the collection of the configuration data required for calculating the hardening compliance, from both Windows and Cisco machines.

2. Ensure that you have a user with the required privileges:

■ For Windows Machines:

A local administrator user with WMI access that allows collecting the GPO and registry data (namely, the policy that determines which rules apply from the domain controller).

■ For Cisco devices:

Privileges that allow executing show configuration commands over SSH access.

After these requirements are met, you can run the reports as detailed in the following sections:

● Collecting configuration data on Windows machines

● Data collection on Cisco machines


5.1 Collecting configuration data on Windows machines

The following configuration data must be collected daily on Windows machines:

● OS information - sent to the Security Center in raw form.

● Hardening compliance data - saves the GPO data (as an HTML file) and the registry data (as zip file). These data items are then automatically sent to the Security Center.

To enable the daily data collection, ensure that the execution profile Collect Daily for Hardening compliance data is activated.

When a hardening compliance report is being requested, both OS information and GPO data are retrieved from the Security Center database, in order to perform the hardening compliance calculation.

Successful generation of the Hardening Compliance report will only take place if the execution profiles mentioned above are run successfully and the data is transferred to the Security Center. If the runs encountered one or more errors, these errors will be displayed in the report.

Note: If the WMI user that was provided under WMI credentials is a non-interactive user, successful collection of the Hardening Compliance data requires the user performing the collection to be an interactive user defined in the Group Policies User.

Note: If in the Protocol Settings dialog box, under the WMI tab, the domain is only a period, the procedure to define the user as the group policies user must be followed to ensure the user is interactive.


To define the user as the Group Policies User:

1. In the VSE, go to Asset Profiles.

2. Select the asset for which you would like to make the changes.

3. Click the edit icon to get the Protocol Settings dialog box.

4. Select the Custom tab, as shown here.

Figure 5-1: Custom Protocol Settings

5. Go to row Group Policies-User.

6. In the Value column, enter the name of the interactive user who will collect the Hardening Compliance data.

Note: The name specified in the Value column must be identical with the name found under the WMI tab, in the User Name box.

7. Click Save.


5.1.1 OS information

Figure 5-2: OS information generated from a Windows machine

5.1.2 Hardening compliance data

Figure 5-3: Hardening compliance information


5.1.3 Saving the GPO information to a file

Figure 5-4: Saving the GPO information to a file

The GPO-related information is automatically sent to the Security Center as an HTML file. To save this file locally, click the link under the Value column.

5.1.4 Saving the registry data

Figure 5-5: Saving the registry file

The Registry-related information is automatically sent to the Security Center as a zip file. To save this file locally, click the link under the Value column.

5.1.5 Tagging the Windows machine as an Experion component

To enable the hardening compliance service to tag a Windows machine as a machine with an Experion component, ensure that the asset from which configuration data has been collected, and which has been associated with a Windows Supplemental asset profile, is also associated with a Honeywell Server Station asset profile. The model of the Honeywell Server Station asset profile should specify the exact of the Experion component.

5.2 Data collection on Cisco machines

When running the Collect Daily Profile report on Cisco machines, the Hardening solution will query the Security Center database for the most recent data collected from all sites. This data is used to calculate the report.

Cisco configuration data is saved as text files that are then automatically sent to the Security Center.

When a compliance report is being requested, both IOS information and Cisco configuration data are retrieved from the Security Center database, in order to perform the hardening compliance calculation.

5.2.1 Version and Cisco configuration data

Figure 5-6: Information collected from a Cisco machine

5.2.2 Saving the configuration data to TXT files

The configuration data is automatically sent to the Security Center as TXT files. To save these files locally, click each command.


Figure 5-7: Saving configuration data

Note: If one of the data items is not collected, the screen shows an error message and the entire compliance test for this device fails to start. This applies to both Cisco and Windows machines.


6 Installing the Hardening Compliance solution

Warning: If the Hardening Compliance Engine version 1.5.1 is installed on the target machine, ensure that you uninstall it before running this installation. Then re-install the Hardening Compliance Engine by using the new installation package provided.

The installation of the Hardening Compliance solution is performed by using a wizard.

To run the installation wizard:

1. Download and run the file Install_Hardening_Compliance_1_4_7.exe.

Note: While the screenshots in this guide refer to version 1.0.2, the actual version number can be different in the installation package.

2. Use the License Agreement page to accept the terms of the license agreement and click Next.

3. Use the Choose Install Folder page to select whether to leave the default path or browse to select another path.

The Pre-Installation Summary page displays your choices, as shown below.


Figure 6-1: Pre-Installation Summary page

4. Click Install to run the installation wizard. If the installation was successful, the Install Complete page shown below is displayed at the end of the process.

Figure 6-2: Install Complete page


7 Upgrading the Hardening Compliance Solution

Attention: Upgrading Hardening Compliance is only possible from version 1.3.3 and higher.

To upgrade the hardening compliance solution:

1. Download and run the file Install_Hardening_Compliance_1_4_7.exe.

2. Run the installation wizard by following the steps specified in section Installing the Hardening Compliance solution.

The wizard automatically recognizes the existing version and proceeds as an upgrade installation.


Figure 7-1: Hardening Compliance upgrade installation Introduction

Figure 7-2: Hardening Pre-Installation Summary


Figure 7-3: Upgrading Hardening Compliance

3. To reflect the change of the factory benchmarks, re-import the factory default benchmarks by following the procedure specified in section Configuring Hardening Compliance Manager.

Attention: The upgrade procedure creates an additional, identical shortcut to Hardening Compliance Manager. You need to manually remove one of the shortcuts from your desktop.


8 Using the Hardening Compliance Manager

The Hardening Compliance Manager is a standalone tool that allows importing, modifying, and re-applying benchmarks to each combination of vendor, asset type, OS version, and role; for example, an Experion Server operating on Windows 2016.

Note: The Hardening Compliance Manager retrieves its data from the Security Center database, and therefore must have access to this database.

The settings contained in the benchmarks.zip file are the initial Factory Default settings, which apply to all devices that share the same combination as mentioned above (vendor, type, version, and role).

You can export these settings to an external Excel file, modify these settings, and then re-import the modified file and apply the modified benchmarks to all or specific sites, as described in the following sections.

● Overview

● Configuring Hardening Compliance Manager

● Exporting and modifying benchmarks

● Reimporting and applying benchmarks

8.1 Overview

By default, the Hardening Compliance Manager is empty. Working with benchmarks requires you to import the definitions from the benchmarks.zip file, which resides in the following public repository: https://bitbucket.org/hce-honeywell/hardening-compliance-benchmarks/src/master/.

The following figure displays the benchmark repository after the import of the default benchmark.zip file.


Figure 8-1: Benchmark repository

8.2 Configuring Hardening Compliance Manager

To configure the Hardening Compliance Manager:

1. Click the Hardening Compliance Manager icon on the desktop.

Figure 8-2: Hardening Compliance Manager icon

Alternatively, go to the folder where the Hardening Compliance Manager was installed; by default, c:\program files\Hardening Compliance\UI.

2. Click the cog wheel icon on the upper right corner.

3. Use the Factory default benchmarks tab to drag or upload the benchmarks.zip file.


Figure 8-3: Factory default benchmarks tab

4. Use the Database client configuration tab to enter your IP and credentials for the Security Center database.

Warning: Ensure that you enter the correct credentials. After ten consecutive failed attempts to access the database your database will be locked. To unlock the database, contact Support.

The Hardening Compliance Manager user interface is displayed, populated with the list of benchmark files (Factory Default settings) and their sites.

8.3 Exporting and modifying benchmarks

This section provides instructions for modifying the settings of one or more rows. With the Hardening Compliance Manager user interface displayed with the list of benchmark files and their sites, perform the steps specified below.

Note: Each Excel file has an internal marker, which determines the targeted asset combination (type, vendor and so on). When modifying settings, ensure that you modify the Excel file that corresponds to your requested asset combination.


To export and import benchmarks:

1. Click the three dots icon at the end of the row.

2. Click Export benchmark.

3. Save the Excel file with the settings in a folder of your choice.

4. Use Excel to open the file.

5. Switch to the Policies tab.

6. Modify the settings, as required. The following figure displays the settings to be modified, including the policy name, the values, and the Active/Inactive state.

Figure 8-4: Import File dialog box

7. Click Import on the upper right.

8.4 Reimporting and applying benchmarks

To re-import and apply a customized benchmark:

1. Use the Import File dialog box to drag or upload the customized Excel file.

2. Click Next to proceed. Alternatively, to select another Excel file, click Reset file.


Figure 8-5: Import File dialog box

3. Select how to apply the modified benchmark:

■ Apply to all sites (System Default)

■ Apply only to one or more sites (Site-specific)

Figure 8-6: Apply the benchmark to selected sites or all sites

The Hardening Compliance Manager now displays a list of benchmarks, both customized and Factory Default.


Figure 8-7: Hardening Compliance Manager with customizations

Attention: For each asset type, you can revert at any time to the previously applied benchmark by clicking the three dots icon at the end of the row and selecting the option Restore benchmark.


9 Scheduling the Hardening Report Generation

Note: The Windows Supplemental product line collects data on a daily basis, by using the Collect Daily execution profile. This collection frequency should be considered when con- figuring the scheduling of the Hardening Compliance Engine.

To schedule the running of the Hardening Engine as a Windows task:

1. Open Windows Task Scheduler by using either of the following ways:

■ In the Run box (to the right of the Start button, or opened by pressing Windows + R), type taskschd.msc.

■ Go to > Administrative Tools > Task Scheduler.

Figure 9-1: Windows task scheduler

2. From the Actions pane on the right, click Create Basic Task….


Figure 9-2: Create Basic Task command

3. Use the wizard page Create Basic Task to enter the name and description of the task, as shown below.

Figure 9-3: Entering the task's name and description

4. Use the Trigger page to set the frequency at which the task will start.


Figure 9-4: Setting when the task starts

5. Based on the frequency you chose, use the next page to set the exact details of the run. The example below shows the details of a weekly execution.

Figure 9-5: Details of weekly execution

6. On the following page, Action, select the action Start a program.

7. Use the page Start a program to browse to the path:

C:\Program Files\HardeningCompliance\services\hardening-manager\requests, and select the file QueryHardeningManager.bat.


Figure 9-6: Start a Program page

Note: If the Hardening Engine is configured to run in HTTPS mode, select instead the batch file QueryHardeningManagerSecure.bat, which resides in the same location.

8. In the Finish page, review the summary of the newly created task and then click Finish to complete the creation process.

Figure 9-7: Last page of the Create Basic Task wizard
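The same task can be registered from PowerShell, which is easier to review and to repeat on several Application machines than the wizard. The script below is an added example, not part of the Honeywell guide or product. It assumes a dedicated service account (the gMSA name is a placeholder), that the daily collection has completed by 03:00, and it picks the HTTPS batch file named in the note above when -UseHttps is given.

```powershell
# Added example (not from the Honeywell guide): registers the chapter 9 task
# with PowerShell instead of the Create Basic Task wizard. Assumptions, to
# adjust for your site:
#   - $RunAs is a placeholder for a dedicated service account (shown as a
#     gMSA), not an interactive administrator account
#   - the "Collect Daily" collection has finished by 03:00, so the Monday
#     03:00 run reports on fresh data
#   - -UseHttps selects QueryHardeningManagerSecure.bat (the HTTPS-mode file
#     named in the guide); otherwise QueryHardeningManager.bat is used
param(
    [switch]$UseHttps,
    [string]$RunAs    = 'CONTOSO\svc-hce$',            # placeholder gMSA (assumption)
    [string]$TaskName = 'Hardening Compliance Report'
)

$requestsDir = 'C:\Program Files\HardeningCompliance\services\hardening-manager\requests'
$batchFile   = if ($UseHttps) { 'QueryHardeningManagerSecure.bat' } else { 'QueryHardeningManager.bat' }
$batchPath   = Join-Path $requestsDir $batchFile

# Fail early instead of registering a task that points at a file that is not
# there (for example, HTTP mode chosen while the engine runs in HTTPS mode).
if (-not (Test-Path -LiteralPath $batchPath)) {
    throw "Batch file not found: $batchPath"
}

# cmd.exe runs the batch file; the working directory is set because batch
# files commonly use paths relative to their own folder.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c `"$batchPath`"" `
    -WorkingDirectory $requestsDir

# Weekly trigger, as in the wizard example (Figure 9-5).
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 3am

# Run as the service account whether or not anyone is logged on. For a gMSA
# no password is stored; the account needs the "Log on as a batch job" right.
$principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Highest

# Bound the run time and do not start a second instance while one is running.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Runs the Hardening Compliance Engine report generation.' -Force | Out-Null

# Verify what was registered before relying on it.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```

Run the script from an elevated PowerShell on the Application machine (for example .\Register-HceTask.ps1 -UseHttps, a file name chosen here for illustration). If the account you use is denied the "Log on as a batch job" right by a hardening benchmark applied to the machine, the task is registered but never runs; check LastTaskResult after the first scheduled run.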


10 Reviewing the Excel Report

The Hardening Compliance Engine process creates an Excel report for each site that was collected from the Security Center database. The report is generated automatically and includes the Hardening Compliance results for all devices for which a Hardening Compliance check was performed. The Excel files are stored in C:\Program Files\HardeningCompliance\services\hardening-manager\generated_reports.

For each policy, the report compares the value retrieved from the asset with the expected value stated in the policy, as shown below. For example, in the two rows highlighted in the Windows version, the expected result is Disabled; in one case this was indeed the result, while in the other no data was available, so the policy status is Failed.

Figure 10-1: Policy value in a Windows machine

The policy value is shown in the format of the information collected from the machine:

● On Windows machines, by using GPResult and collection.

● On Cisco machines, by using show commands.
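The comparison the report performs, with the "no data" case reported as Failed rather than silently passing, is shown below as an added example. It is not code from the Honeywell guide or the product: the two Windows rules are titles from Appendix B, the registry locations used to read them are the standard Windows locations, the Cisco running-config is a constructed sample standing in for show command output, and the collection functions are illustrative because the engine's own GPResult and registry collection format is not documented here.

```powershell
# Added example (not code from the Honeywell guide or the product). It shows
# the comparison the report describes: the value collected from the asset
# against the expected value in the policy, with "no data" reported as Failed.
# Windows rules: titles from Appendix B; registry locations are the standard
# Windows ones but the collection is illustrative, not the engine's.
# Cisco: $sampleRunningConfig is a constructed sample, not a real device.

function Compare-PolicyValue {
    param(
        [string]$Policy,
        [string]$Expected,
        [AllowNull()][AllowEmptyString()][string]$Actual
    )
    if ([string]::IsNullOrWhiteSpace($Actual)) {
        $status = 'Failed'; $reason = 'no data collected'
    } elseif ($Actual -eq $Expected) {          # -eq on strings is case-insensitive
        $status = 'Passed'; $reason = 'value matches'
    } else {
        $status = 'Failed'; $reason = 'value differs'
    }
    [pscustomobject]@{ Policy = $Policy; Expected = $Expected; Actual = $Actual
                       Status = $status; Reason = $reason }
}

# Windows: read a DWORD and translate it to the rule's wording. A missing key
# or value returns $null, which Compare-PolicyValue turns into "no data".
function Get-RegistryPolicyState {
    param([string]$Path, [string]$Name, [hashtable]$Map)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = [int]$item.$Name
    if ($Map.ContainsKey($raw)) { return $Map[$raw] }
    return "$raw"                                  # unexpected value: report as-is
}

$windowsChecks = @(
    @{ Policy   = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'"
       Expected = 'Disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name     = 'UseLogonCredential'
       Map      = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy   = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
       Expected = 'Enabled'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'LocalAccountTokenFilterPolicy'
       Map      = @{ 0 = 'Enabled'; 1 = 'Disabled' } }   # 0 = restrictions applied
)

# Cisco: constructed sample output, not from a real device.
$sampleRunningConfig = @'
!
hostname sw-demo
no ip http server
ip http secure-server
no service config
no lldp run
!
'@

# A rule passes when the exact line is present. Empty show output is "no data".
function Test-CiscoLine {
    param([string]$Config, [string]$RequiredLine)
    if ([string]::IsNullOrWhiteSpace($Config)) { return $null }
    $hit = $Config -split "`r?`n" | Where-Object { $_.Trim() -eq $RequiredLine }
    if ($hit) { 'Present' } else { 'Absent' }
}

$ciscoRules = @('no ip http server', 'no ip http secure-server', 'no service config', 'no vstack')

$results = @(
    foreach ($c in $windowsChecks) {
        $actual = Get-RegistryPolicyState -Path $c.Path -Name $c.Name -Map $c.Map
        Compare-PolicyValue -Policy $c.Policy -Expected $c.Expected -Actual $actual
    }
    foreach ($r in $ciscoRules) {
        $actual = Test-CiscoLine -Config $sampleRunningConfig -RequiredLine $r
        Compare-PolicyValue -Policy "Set '$r'" -Expected 'Present' -Actual $actual
    }
    # The case from the text above: a policy for which nothing was collected.
    Compare-PolicyValue -Policy "(L1) Ensure 'Configure SMB v1 client' is set to 'Enabled: Bowser, MRxSmb20, NSI'" `
        -Expected 'Enabled: Bowser, MRxSmb20, NSI' -Actual $null
)

$results | Format-Table Status, Reason, Expected, Actual, Policy -AutoSize
```

In the sample configuration, 'no ip http server' passes, while 'no ip http secure-server' and 'no vstack' fail because the required line is absent (a textual check only; IOS does not display every default in the running-config). On a current Windows host the WDigest UseLogonCredential value is often not present at all, and the example reports that as Failed with the reason "no data collected", which is the behaviour the report shows for the second highlighted row.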


10.1 Reviewing the Errors tab

If one or more errors were encountered during the running of the Hardening Compliance Engine checks, these errors are displayed in the Errors tab.

Figure 10-2: Errors tab in the Excel report


11 Uninstalling the Hardening Compliance Manager

To uninstall the Hardening Compliance Manager:

1. Stop the Asset Management and Asset Management Watchdog services and close any files related to their operation.

2. In the installation folder, go to Hardening Compliance Support\InstallInfo\\Uninstall_HardeningCompliance.

3. Run the file Uninstall_HardeningCompliance.exe.

4. Manually delete all remaining files in the installation folder.

5. Reboot the machine.

Attention: The uninstallation procedure described above completely removes all Honeywell Asset Management products installed on the same machine, such as Active Asset Discovery and Patch Compliance Engine. However, to remove all traces of the current installation of Honeywell Asset Management, in case you want to install another version later on, you need to manually delete an XML file in the Program Files folder. For details about the deletion of this XML file and its possible implications, see Uninstallation does not remove all traces of the current installation.


Appendices

This user guide includes the following appendices:

● Known Issues

● Resolved Issues

● Installing Oracle 12.2 client


Appendix A: Known Issues

This appendix contains the following known issues:

● Non-supported Rules

● Configuration data collection not supported on non-English locale OS

● GPO HTML report generated incorrectly

● Uninstallation does not remove all traces of the current installation

A.1 Non-supported Rules

The rule types listed below are not supported by the Hardening Compliance solution:

● All User Configuration rules (rule index starts with 19)

● All BitLocker Drive Encryption rules for Windows 7 and Windows 10 benchmarks

Note: The BitLocker rules have index number 18.9.11 and can have the prefix BL.

A.2 Configuration data collection not supported on non-English locale OS

Because configuration settings are written in the same language as that of the OS locale, the collection of the configuration data cannot be performed on operating systems with a non-English locale.

A.3 GPO HTML report generated incorrectly

The GPO HTML report is not generated in the correct format for some Windows Server 2008 and Windows 7 machines. As a result, the Hardening calculation may not be supported for assets of type Windows Server 2008 32-bit and Windows 7 32-bit.

A.4 Uninstallation does not remove all traces of the current installation

The uninstallation procedure described in chapter Uninstalling the Hardening Compliance Manager completely removes all Honeywell Asset Management products installed on the same machine, such as Active Asset Discovery and Patch Compliance Engine. However, if you plan to install one or more Honeywell Asset Management products at a later stage, the installation will fail unless you delete the file .com.zerog.registry.xml, which contains information about the Cybersecurity Suite products installed on the machine.

Caution: If you have VSE installed on the same machine in which Hardening Compliance Manager is installed, deleting the .com.zerog.registry.xml will affect future VSE upgrades. In such a case, leave this file and contact Support if you want to install one or more Honeywell Asset Management products.

To remove all traces of the current installation of Honeywell Asset Man- agement products:

1. Go to C:\Program Files\Zero G Registry\.

2. Delete the file .com.zerog.registry.xml.


Appendix B: Resolved Issues

The resolved issues in this version are as specified in the table below.

Table B-1: Resolved issues

Issue: A partial collection of policy data from Windows machines resulted in an inconsistent compliance report.
Resolution: The policy data items are now also collected in the form of registry data. The compliance engine looks for the data gathered from the GPO report as before and, if the data is not found, also looks for the registry data. The benchmark files were updated to hold the condition rules for the registry values as well as the conditions for the current GPO data.

Issue: Windows rules that are complex rules (that is, consist of more than one condition) were still editable in the Excel file. Editing these rules in the Excel file affected only the first condition but not the rest.
Resolution: Complex rule conditions can no longer be edited in Excel.

Issue: Data collected from the registry and from privileges was not verified.
Resolution: When running compliance checks against registry and/or privilege rights, the collected data is verified to not be empty.

Issue: Several Windows rules were missing or not working properly.
Resolution: See Resolved Windows Issues.

Issue: Several Cisco rules were missing or not working properly.
Resolution: See Resolved Cisco Issues.

B.1 Resolved Windows Issues

The Windows issues resolved in this version are as specified in the table below.

Table B-2: Windows resolved issues

Resolution type: Fixed Windows rules

● (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'

● (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares'

● (L2) Ensure 'Set time limit for active but idle sessions' is set to 'Enabled: 15 minutes or less'

● (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'

● (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any commands'

● (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'

● (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'

● (L1) Ensure 'EMET 5.52' or higher is installed

● (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed

● (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only)

● (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')

● (L2) Ensure 'Let Windows apps *' is set to 'Enabled: Force Deny'

● (L1) Ensure 'Configure SMB v1 client' is set to 'Enabled: Bowser, MRxSmb20, NSI'

● (L1) Configure 'Allow log on through Remote Desktop Services'

● (L1) Configure 'Deny log on through Remote Desktop Services'

● (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'

● (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'

● (L1) Ensure 'Allow Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'

Resolution type: Added missing Windows rules

● (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' (Scored)

● (L1) Ensure 'Windows CardSpace (idsvc)' is set to 'Disabled' or 'Not Installed'

● (L1) Ensure 'WDigest Authentication' is set to 'Disabled'

● (L2) Ensure 'Configure Watson events' is set to 'Disabled'

● (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'

● (L2) Ensure 'Turn off Windows Location Provider' is set to 'Enabled'

● (L1) Ensure 'Deny log on as a batch job' to include 'Guests'

● (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'

● (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'

● (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'

● (L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'


B.2 Resolved Cisco Issues

The Cisco issues resolved in this version are as specified in the table below.

Table B-3: Cisco resolved issues

Resolution type: Added Cisco rules

● Set 'no service compress-config' (2.1.10)

● Set 'no ip http secure-server' (1.2.12)

● Set 'no service config' (2.1.9)

● Set 'no ip domain-lookup' (2.1.13)

● Set 'process cpu threshold' (2.5.3)

● Set 'no lldp run' (2.1.11)

● Set 'no ip gratuitous-arps' (2.1.14)

● Set 'memory free low-watermark IO' (2.5.2)

● Set 'no vstack' (2.1.12)

● Set 'no ip http server' (1.2.11)

● Set 'memory free low-watermark processor' (2.5.1)

● Shutdown unused interfaces (3.4.1) – for FW only


Appendix C: Installing Oracle 12.2 client

This appendix walks you through the installation of the Oracle Client.

Caution: Unless specified otherwise, the entire Oracle Client installation described in this section should be performed only on the Application machine.

C.1 Oracle 12.2 Client win 32-bit - Base Install

To perform the Oracle 12.2 Client win 32-bit base install:

1. Prepare the installer:

a. On the target application computer, create a folder anywhere, to be used for unzipping and running the Oracle installation packages.

Note: Ensure there are no spaces in the name of the path.

b. Unzip the following files into the newly created folder:

○ win32_12201_client

○ nn_ora12_2

c. Copy the following files from nn_ora12_2 to the sub-folder client 32 of the folder you have created:

○ nn_install_oracle12_2c_c.bat

○ nn_install_oracle12_2c_c.rsp

2. Run the installer:

a. Run the .bat file that you copied in step 1c as an administrator.


Wait several minutes until the installer appears, during which time a progress screen is displayed.

When the installer displays, it may be hidden behind the windows you have already opened. To verify the installer is indeed displayed, look for its icon at the .

Note: Unless specified otherwise, follow the installer steps with the default settings until the installation completes.

b. Review the summary and click Install.

c. When the installation completes, click Close in the Finish screen.

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203