
Technical Information
FAST/TOOLS R10.03 System Hardening, Windows 10, 2016
TI 50A01A30-01EN (Rev. 2.0)

Yokogawa Electric Corporation
2-9-32, Nakacho, Musashino-shi, Tokyo, 180-8750 Japan
TI 50A01A10-03EN
©Copyright Apr. 2018 (YK), 2nd Edition May 2018 (YK)

Introduction

Purpose
In order to protect systems from network related security vulnerabilities, it is important to harden the operating system on which the application is running. This document describes the hardening procedure to be followed for FAST/TOOLS R10.03 systems running Microsoft Windows operating systems.

Validity
This document is primarily intended for internal Yokogawa use when engineering projects that use FAST/TOOLS on Microsoft operating systems.

Definitions, Abbreviations and Acronyms
AV    : Antivirus software
DMZ   : Demilitarized Zone
GSC   : Global SCADA Center
SCADA : Supervisory Control And Data Acquisition

References
[1] AV11000 (Yokogawa standard antivirus software)
[2] ACCESS/FAST System Integrator's Manual, IM 50R07R00-01EN/R10.03
[3] EQUIPMENT/FAST System Integrator's Manual, IM 50L07L02-01EN/R10.03
[4] Integration with FAST/TOOLS, IM 32P56H20-01EN
[5] Exaquantum Engineering Guide Volume 2 – Network Configuration, IM 36J04A15-02E

All Rights Reserved Copyright © 2018, Yokogawa Electric Corporation
TI 50A01A10-03EN May 31, 2018-00

Symbol Marks
Throughout this Technical Information you will find several different types of symbols used to identify different sections of text. This section describes these icons.

WARNING Indicates precautions to avoid a danger that may lead to death or severe injury.

CAUTION Indicates precautions to avoid a danger that may lead to minor or moderate injury or property damage.

IMPORTANT Identifies important information required to understand the operations or functions.

TIP Identifies additional information.

SEE ALSO Identifies a source to be referred to.

Trademarks
• FAST/TOOLS is a trademark or registered trademark of Yokogawa Electric Corporation.
• All other company and product names mentioned in this manual are trademarks or registered trademarks of their respective companies.
• TM and ® marks are not used to indicate those trademarks or registered trademarks in this manual.


CONTENTS
1 General ...... 1-1
1.1 Targets of IT Security ...... 1-1
1.2 Security Measures ...... 1-3
1.3 Security measures upon the installation of Windows 10 ...... 1-4
2 Windows Firewall ...... 2-1
3 Disabled applications ...... 3-1
3.1 Disable bundled "modern" apps ...... 3-1
3.1.1 Remove bundled apps for a specific user ...... 3-1
3.1.2 Remove bundled apps for all user accounts ...... 3-1
3.1.3 Exceptions ...... 3-1
4 Service packs and security updates ...... 4-1
5 Antivirus ...... 5-1
6 User account considerations ...... 6-1
6.1 Access User Group Control ...... 6-6
6.2 Folder Access Permissions ...... 6-7
6.3 Web-HMI Client Deployment page modifications ...... 6-12
7 Disabling Unused Services ...... 7-1
8 IT Environment ...... 8-1
8.1 Hiding the Last Logon ID ...... 8-1
8.2 Applying the Audit Policy ...... 8-2
8.3 Changing the LAN Manager Level ...... 8-5
8.4 Applying the Password Policy ...... 8-9
8.5 Applying the Account Lockout Policy ...... 8-10
8.6 Restriction on AutoRun ...... 8-11
8.7 Disabling NetBIOS over TCP/IP ...... 8-12
8.8 Applying SysKey ...... 8-13
8.9 Interactive logon ...... 8-14
8.10 Disable ...... 8-14
8.11 Set user rights for certain system-wide base attributes ...... 8-15
8.12 Limit access to CD-ROM from network ...... 8-15
8.13 Limit user right assignments ...... 8-16


8.14 Enable "Do not allow enumeration of Security Accounts Manager (SAM) accounts" ...... 8-18
8.15 Guest account must be disabled ...... 8-18
8.16 The local administrator account must be renamed ...... 8-18
8.17 Auditing must be enabled for system events for success and failure ...... 8-19
8.18 Limit access to logs containing auditing information to appropriate support/administrative groups ...... 8-19
8.19 "Audit the access of global system objects" should not be enabled ...... 8-20
8.20 The system should not be shut down if the audit log becomes full ...... 8-20
8.21 It must not be possible to shut down the server without logging on ...... 8-21
8.22 The ability to format and eject removable media should be limited to appropriate administrative groups ...... 8-21
8.23 Make the screen saver password protection immediate ...... 8-22
8.24 If the SNMP service is installed on a server, the default PUBLIC and PRIVATE community names must be changed ...... 8-22
8.25 The use of SSL 2.0 or SSL 3.0 is prohibited ...... 8-23
8.26 TLS 1.0 and TLS 1.1 must be disabled and TLS 1.2 enabled ...... 8-23
8.27 Secure the registry to prevent modification to the list of programs that are run upon start up ...... 8-24
8.28 Write access to the registry's AllowedPaths and AllowedExactPaths must be limited to appropriate administrative group ...... 8-25
8.29 Permissions granted to the Everyone group must not apply to anonymous users ...... 8-26
8.30 Network protocols that are not required must be removed ...... 8-27
8.31 If TCP/IP is installed on a system, TCP/IP protocol settings must be deployed to enhance network security ...... 8-27
8.32 Enable safe DLL search order must be implemented ...... 8-28
8.33 NTFS should be used on all non-removable partitions ...... 8-28
8.34 "Interactive Logon: Prompt user to change password before expiration" parameter should be set to 14 days ...... 8-29
8.35 Disable "Microsoft network client: Send unencrypted password to third party SMB servers" ...... 8-30
8.36 Unique password for renamed Administrator account across all servers ...... 8-31
9 Collaboration with Other Programs ...... 9-1
9.1 STARDOM (HSE) ...... 9-1
9.2 ProSafe-RS (Vnet/IP) ...... 9-2
9.3 Matrikon OPC Server (OPC) ...... 9-3
9.4 Exaquantum (OPC) ...... 9-5


10 Appendix ...... 10-1
10.1 Activation of ICMP on Windows Firewall ...... 10-1
10.2 Configuration for OPC ...... 10-7
10.2.1 Local security policy ...... 10-7
10.2.2 DCOM configuration ...... 10-11
10.2.3 Personal Firewall exceptions ...... 10-20
10.3 Installed Services ...... 10-33
10.4 Legacy services ...... 10-43

1 General

1.1 Targets of IT Security

Environment
This document assumes that IT security is applied in the following environment.

Table Environment of IT security

Type                  Description
Applicable terminals  SCADA Server
                      Front-End Server
                      Web HMI Server
                      Web HMI Client (*2)
                      Web HMI Mobile Client (port no, enabling/disabling)
OS (*1)               Windows 10 Pro (64 bit)
                      Windows 10 Enterprise (64 bit)
                      Windows 10 Enterprise 2016 LTSB (64 bit)
                      Windows 10 IoT Enterprise 2016 LTSB (64 bit)
                      Professional SP1 (64 bit)
                      R2 (for RGS, Vnet/IP card requires)
                      R2 (64 bit)
                      (64 bit)
Package               FAST/TOOLS R10.03

*1: Refer to the General Specifications of FAST/TOOLS for more information about the supported OS service pack levels.
*2: Web HMI Client is not supported on the OS edition marked "(for RGS, Vnet/IP card requires)" above.


Threat
In this document, threats are classified as follows:
1. Attack over a network: threat of a negative impact on the system brought by an unauthorized person from the Business Network/DMZ/PCN via a network, which causes the leakage of critical data, unavailability of services, operation interruption, etc.
2. Direct attack by operating a terminal: threat of a negative impact on the system, or of critical data being taken out, by an unauthorized person operating a terminal.
3. Theft of critical data: threat that arises when a terminal or critical data is stolen and the data is analyzed.

Figure Target system configuration of IT security (F010101E.ai)
[Figure: Business Network at the top; DMZ with reverse proxy etc. and firewall; PCN containing the CSN and ASN with the Web HMI Server, Web HMI Client, SCADA Server and Front-End Server; Control Bus with the controllers. Threat 1 (attack over a network) is drawn coming from the Business Network through the DMZ; threats 2 (direct attack by operating a terminal) and 3 (theft of critical data) are drawn at the SCADA Server / Front-End Server.]

1.2 Security Measures
This document describes the steps that should be taken for hardening the Windows systems used in your project. The hardening process consists of the following steps:
1. Windows Firewall
2. Disabled applications
3. Service packs
4. Antivirus
5. Account considerations
6. Remote network access
7. Windows services
8. IT Environment settings
Note: This document is specifically about the operating system and network configuration of a Windows machine. It may be useful to read the Security White Paper first to get a broader idea of the security aspects associated with SCADA systems in general.
To cope with the threats listed in the previous section, 14 kinds of security measures realizable in the FAST/TOOLS environment are chosen. These measures are based on the security guides for the OS issued by Microsoft and on the security measures applied to a general business network environment, arranged so that they fit FAST/TOOLS. The customer's security policy decides which measures are taken.

Table Security measures

Security Type            Security Measure                                In this document (chapter)
Windows Firewall         Windows Firewall                                2
Disabled Applications    Disabled Applications                           3
Service Pack             Service Pack & Security Update                  4
AntiVirus                AntiVirus                                       5
User account             User account Considerations                     6
Windows Services         Stopping Windows Services                       7
IT Environment Settings  Hiding the Last Logon ID                        8
                         Applying the Audit Policy                       8
                         Changing the LAN Manager Authentication Level   8
                         Applying the Password Policy                    8
                         Applying the Account Lockout Policy             8
                         Restriction on Auto Run                         8
                         Disabling NetBIOS over TCP/IP                   8
                         Applying SysKey                                 8
                         HDD Password Function by BIOS (*1)              see *1

Target threat [1]: Attack over a network; [2]: Direct attack by operating a terminal; [3]: Theft of a terminal/critical data. The original table marks which measure addresses which of the three threats; those marks are not legible in this copy.

*1: Refer to the TI "IT Security Guide for System Products (Common Information)" (TI 30A15B30-01E).

1.3 Security measures upon the installation of Windows 10
The Long-Term Servicing Branch (LTSB) editions of Windows 10 and Windows Server 2016 should be used for projects. These editions provide the greatest control over upgrades and patching in a managed environment.
Before installing Windows, be aware that other editions of Windows 10 and Windows Server 2016 send a lot of information to third parties, for different purposes, for example:
• Commercial promotion
• Geographical services
• Connectivity
• Error resolving
When a system hosting a web client is connected to the internet, it is normally not desirable to send this information to third parties. The following information is shared by default when using the "express" installation of Windows:
• Personal speech and inking input
• Geographical location
• Browsing data
• Auto connect to (insecure) hotspots
• Full diagnostic and usage data (not limited to this)
• The bundled digital assistant (if present) is allowed to process your contacts
It is recommended to use the non-express (custom) installation method and to disable all of the above.
Remark: Even when the option "Send full diagnostic and usage data to Microsoft" is disabled, Windows still sends a reduced set of telemetry data. Only the Enterprise editions of Windows allow it to be switched off completely.

2 Windows Firewall
The Microsoft firewall must be activated (switched ON) on each system. All ports and application exceptions must be blocked except for those described in this section or any specifically required by project applications. The following exceptions are required for FAST/TOOLS (manual engineering is required). As some ports are configurable, make sure the correct ports are handled.

Table Firewall Port Exceptions

Port number   Protocol   Description                         When and where used
3389          TCP        Remote desktop connection           Only if remote desktop access is required for this machine. If it is required for particular users only, restrict access to those users.
8080 / 80     TCP        Web communication                   On Web-HMI Client and Web-HMI Server, HTML5 graphics.
8443 / 443    TCP        Secure communication                On Web-HMI Client and Web-HMI Server, HTML5 graphics.
17001         UDP        FAST/TOOLS DURM connection          On each machine with a DURM connection. Make an exception for the port number used for each DURM line; with a dual redundant network connection do this twice, once per line. When some FAST/TOOLS terminals (e.g. Web HMI server) are connected, more port exceptions are needed (20000-20499 are recommended).
17101         UDP        FAST/TOOLS DURM connection (send)   From R10.03 DURM also has a static send port. Make an exception for the send port number used for each DURM line; with a dual redundant network connection do this twice, once per line.
18002         UDP        SMDMON configuration program        FAST/TOOLS system logging collection. Port is fixed.

Note: Port 3389 is the Remote Desktop (RDP) port. VNC does not use it; if VNC is used instead of Remote Desktop, its own listening port (5900 by default) needs a separate, equally restricted exception.

Table Firewall Program Exceptions

Application           Description     When and where used
Echo request (ICMP)   Echo request    All machines. HAC, EQP (some), OPC Tunneller and INTTCPMON use this function. It is also useful for troubleshooting network configurations.

SEE ALSO 10.1 Activation of ICMP on Windows Firewall.


Additional exceptions are required when using:
• A redundant server configuration and the high-availability (HAC) software
• ODBC
• Alarm to email
• Windows domain
• NTP
• Antivirus
• OPC
• TCP/IP based equipment

HAC
The following ports should be defined as exceptions in the firewall when FAST/TOOLS runs with HAC (manual engineering is required).

Table Firewall Port Exceptions (HAC)

Port number     Protocol   Description                    When and where used
16000           UDP        GUI port for HAC               On the servers and all HMI machines, only when using a redundant server configuration and the HAC software.
16001           UDP        Logger port for HAC            Same as above.
16002           UDP        Mirror port for HAC            Same as above.
16003           UDP        Recovery port for HAC          Same as above.
16004           UDP        Watchdog for HAC               Same as above.
16005           UDP        HACWITM for setting items      Same as above.
16006           UDP        HACMIR for data                Same as above.
16010 - 16041   UDP        HAC server to HACW_HMI         In case multiple HACW_HMI windows are required on the same machine (e.g. to monitor various HAC systems).

Note:
• Port numbers 16000 - 16001 can be set in hac.sup and jhacProperties\application.properties
• Port numbers 16002 - 16006 can be set in hac.sup
• Port numbers 16010 - 16041 can be set in jhacProperties\application.properties

ODBC
The following port should be defined as an exception in the firewall when ODBC is used with FAST/TOOLS.

Table Firewall Port Exceptions (ODBC)

Port number   Protocol   Description    When and where used
1583          TCP        SimbaServer    Only on the server machine and only when using the ODBC interface of ACCESS/FAST.


Alarm to email
The following port should be defined as an exception in the firewall when Alarm to email is used.

Table Firewall Port Exceptions (Alarm to email)

Port number   Protocol   Description                                                     When and where used
25            TCP        Default alarm to email port. See alnsmtp.sup; changeable there.  Only when alarm to email is used, and only from the machine sending messages to the mail server.

Windows domain
The following ports should be defined as exceptions in the firewall when FAST/TOOLS operates in a Windows domain.

Table Firewall Port Exceptions (Windows domain)

Port number   Protocol   Description               Where used
53            TCP        DNS                       SCADA server and Web HMI client/server
88            TCP        Authentication            SCADA server and Web HMI client/server
389           TCP        LDAP                      SCADA server and Web HMI client/server
445           TCP        Direct Hosting            SCADA server and Web HMI client/server
3268          TCP        Global Catalogue          SCADA server and Web HMI client/server
3269          TCP        Global Catalogue SSL      SCADA server and Web HMI client/server
9389          TCP        SOAP                      For Web service
53            UDP        DNS                       SCADA server and Web HMI client/server
67            UDP        DHCP                      SCADA server and Web HMI client/server
88            UDP        Kerberos Authentication   SCADA server and Web HMI client/server
389           UDP        LDAP                      SCADA server and Web HMI client/server
445           UDP        SMB/CIFS/SMB2             SCADA server and Web HMI client/server
2535          UDP        MADCAP                    Web HMI client (for DHCP)

Note: WINS legacy authentication should not be used.

Time synchronization
The following port should be defined as an exception in the firewall when using the Windows time service. This setting is not required if you are using ecutl or the machine takes its time from Vnet/IP.

Table Firewall Port Exceptions (Time synchronization)

Port number   Protocol   Description   Where used
123           UDP        NTP/SNTP      SCADA server and Web HMI client/server

Note: NTP and SNTP use UDP port 123; a TCP exception on port 123 does not pass time synchronization traffic.

Antivirus
If you are using a virus scanner you may need to open the port used for automatic updates. It is advisable to use a managed machine (located in a DMZ) with an internet connection to download new pattern files and deploy them to the machines, rather than giving the machines a direct connection to the internet.


OPC
The following ports and applications should be defined as exceptions in the firewall when using OPC connections. These settings are not required if you are using the OPC DCOM tunneler, because the tunneler uses the DURM connection for this purpose. Since DCOM (OPC) communication requires many open ports, the OPC tunneler is recommended: it only requires the DURM ports to be opened.

Table Firewall Port Exceptions (OPC)

Port number   Protocol   Description                      Where used
135           TCP        RPC/DCOM                         OPC client and OPC server
139           TCP        NetBIOS Session Service          OPC client and OPC server
20500-20550   TCP        DCOM (these are customized)      OPC client and OPC server
137           UDP        NetBIOS Name Resolution          OPC client and OPC server
138           UDP        NetBIOS Datagram Service         OPC client and OPC server
4840          TCP        OPC-UA discovery port            OPC-UA server. Only needed if discovery is used; if the address and port of the server are already known, discovery is not required and the port can stay closed.
Definable     TCP        OPC-UA communication port        OPC-UA server; the port is defined by the user in the OPC-UA server.

Note: The scope of the ports should be changed to "Any". Exception ports must be defined one by one (20500, 20501, 20502, ...). Where the OPC peers have fixed addresses, limiting the scope of these rules to those addresses instead of "Any" reduces the exposure of the DCOM ports.

Table Firewall Program Exceptions (OPC)

Application                    Description                        Where used
OPC Server                     OPC server specific                OPC server
OPC Client                     OPC client specific                OPC client
Microsoft Management Console   %System32%\mmc.exe                 OPC client and OPC server
OPCEnum                        OPC server enumeration service     OPC server
Print and file sharing                                            OPC client and OPC server

SEE ALSO ACCESS/FAST System Integrators Manual IM50R07R00-01EN/R10.03


TCP/IP based equipment
The following ports should be defined as exceptions in the firewall for each type of TCP/IP based equipment.

Table Firewall Port Exceptions (TCP/IP based equipment)

Port number        Protocol   Description        Where used
44818              TCP        Rockwell CIP       line and station definition forms
44818              TCP        PLC5 via CIP       line and station definition forms
34260 and 34434    TCP        DAQ station        line and station definition forms
20000              TCP        DNP3               line and station definition forms
12289              TCP        FAM3               line and station definition forms
44818              TCP        Fisher ROC         line and station definition forms
2404               TCP        IEC 60870-5-104    line and station definition forms
102                TCP        IEC 61850          line and station definition forms
(*1)               TCP        MELSEC             (*1)
7075               TCP        MeTro              line and station definition forms
502                TCP        MODBUS             line and station definition forms
502                TCP        MODBUS SLAVE       See note.
(*2)               TCP        Siemens S7         (*2)
1090               TCP        Stardom FCX        line and station definition forms

Note: The MODBUS Slave port can be changed from the command line (EQPMDCSLVTCP).
*1: Refer to the EQUIPMENT/FAST System Integrator's Manual, chapter A.14.
*2: Refer to the EQUIPMENT/FAST System Integrator's Manual, chapter A.20.

Table Firewall Program Exceptions (TCP/IP based equipment, other equipment)

Application                      Description         Where used
Other TCP/IP based equipment     Protocol specific   SCADA server

SEE ALSO 9 Collaboration with Other Programs
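The exceptions from the tables in this chapter, created with the NetSecurity cmdlets instead of the Windows Firewall UI so that the rule set is reproducible and reviewable. This is an added example and not part of the Yokogawa TI or of FAST/TOOLS: the $PcnSubnet and $MaintenanceHosts addresses, the rule group name and the single DURM line are assumptions, and the DURM, HAC and SMDMON port numbers are the defaults quoted in the tables (read the project's .sup files for the configured values before running it).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Yokogawa TI. Creates the inbound exceptions of
# chapter 2 as a named rule group, scoped to the process-control subnet instead
# of "Any", with Remote Desktop limited to the maintenance hosts.
# Assumptions for this example: the subnet and host addresses below, one DURM
# line, and the default port numbers quoted in the tables.

$PcnSubnet        = '192.168.10.0/24'      # assumed PCN subnet; adjust per project
$MaintenanceHosts = @('192.168.10.250')    # assumed engineering workstation(s)
$Group            = 'FAST/TOOLS hardening' # rule group: lets the rules be listed/removed as a unit

# 1. Firewall on for every profile; inbound blocked unless a rule allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove the result of an earlier run so re-running gives exactly this rule set.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Port exceptions: display name, protocol, local port(s), permitted remote addresses.
$portRules = @(
    @{ Name = 'FAST/TOOLS DURM receive (line 1)'; Protocol = 'UDP'; Port = '17001';       Remote = $PcnSubnet }
    @{ Name = 'FAST/TOOLS DURM send (line 1)';    Protocol = 'UDP'; Port = '17101';       Remote = $PcnSubnet }
    @{ Name = 'FAST/TOOLS SMDMON logging';        Protocol = 'UDP'; Port = '18002';       Remote = $PcnSubnet }
    @{ Name = 'FAST/TOOLS Web HMI (HTTP)';        Protocol = 'TCP'; Port = '8080';        Remote = $PcnSubnet }
    @{ Name = 'FAST/TOOLS Web HMI (HTTPS)';       Protocol = 'TCP'; Port = '8443';        Remote = $PcnSubnet }
    # Remote Desktop only from the maintenance hosts, never from the whole network.
    @{ Name = 'Remote Desktop (maintenance)';     Protocol = 'TCP'; Port = '3389';        Remote = $MaintenanceHosts }
    # HAC ports: only on redundant servers and the HMI machines (see the HAC table).
    @{ Name = 'HAC GUI/logger/mirror/recovery/watchdog/WITM/MIR'; Protocol = 'UDP'; Port = '16000-16006'; Remote = $PcnSubnet }
    @{ Name = 'HAC server to HACW_HMI';           Protocol = 'UDP'; Port = '16010-16041'; Remote = $PcnSubnet }
)

foreach ($r in $portRules) {
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}

# 4. ICMP echo request (ping): used by HAC, INTTCPMON and for troubleshooting (program exceptions table).
New-NetFirewallRule -DisplayName 'ICMPv4 echo request' -Group $Group -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $PcnSubnet -Profile Any | Out-Null

# 5. Review what was opened and from where; this is the list to file with the project documentation.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $pf.Protocol
        LocalPort     = ($pf.LocalPort -join ',')
        RemoteAddress = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

For a dual redundant DURM network, add a second pair of entries with the line-2 port numbers from the .sup file. The review step at the end is the check worth keeping: any rule whose RemoteAddress column shows "Any" on a machine that is not supposed to accept traffic from everywhere is a finding.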

TI 50A01A10-02EN May 31, 2018-00 <3. Disabled applications> 3-1 3. Disabled applications The following applications should be disabled or uninstalled on all the systems if present: - Netmeeting (uninstalled) - (uninstalled) - (disabled) - (disabled) - (uninstalled) - All games (uninstalled) - (uninstalled) - Yahoo messenger (uninstalled) - Skype (uninstalled) - VOIP (uninstalled) - (uninstalled)

3.1 Disable bundled "modern" apps
Some versions of Windows (Windows 8.1, Windows 10 and others) are delivered with bundled apps. When a user first signs in, Windows installs those apps into the user account. Even when the apps are uninstalled from a user account, many of them return once the OS is updated, because they are copied again into the user account(s) from the system (provisioned) copy. It is recommended to remove all bundled apps (if present).

3.1.1 Remove bundled apps for a specific user
Start Windows PowerShell with administrator rights and enter the following command, with <username> replaced by the account to clean:
Get-AppxPackage -User <username> | Remove-AppxPackage

3.1.2 Remove bundled apps for all user accounts
Start Windows PowerShell with administrator rights and enter the following command:
Get-AppxPackage -AllUsers | Remove-AppxPackage
This command makes sure that the "modern" apps do not keep coming back to the user account(s).

3.1.3 Exceptions
Some apps cannot be removed with this method; when executing the above command(s) an error may be shown that the app cannot be uninstalled because it is part of Windows. Among the apps that are not removed are the Contact Support app, Photos, the Windows Feedback app and the Settings app. The Windows Store may be re-installed by Windows Update.
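The two one-liners above remove the packages that are already installed into accounts; the copies that Windows re-stages after an update live in the provisioned package store and need Remove-AppxProvisionedPackage as well. The script below is an added example, not part of the Yokogawa TI: it does both, keeps a small allow-list (an assumption for this example) and reports which packages Windows refused to remove, which is the exception list of 3.1.3 for the build at hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Yokogawa TI. Removes bundled "modern" apps for
# every account and de-provisions them so they are not re-staged for new accounts
# or after a feature update. $Keep is an assumption for this example.

$Keep = @(
    'Microsoft.WindowsStore'     # assumption: keep the Store where the site relies on it
    'Microsoft.Windows.Photos'   # listed in 3.1.3 as part of Windows anyway
)

$removed = @(); $kept = @(); $refused = @()

# Older Windows 10 builds have no -AllUsers switch on Remove-AppxPackage; then the
# removal applies to the current account only and must be repeated per account.
$allUsersSupported = (Get-Command Remove-AppxPackage).Parameters.ContainsKey('AllUsers')

# 1. Packages installed into user accounts (what 3.1.2 does, with error handling).
foreach ($pkg in Get-AppxPackage -AllUsers) {
    if ($pkg.NonRemovable -or ($Keep -contains $pkg.Name)) { $kept += $pkg.Name; continue }
    try {
        if ($allUsersSupported) {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
        } else {
            Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
        }
        $removed += $pkg.Name
    } catch {
        # Inbox apps that Windows refuses to uninstall ("part of Windows") land here.
        $refused += $pkg.Name
    }
}

# 2. Provisioned packages: the system copies that Windows installs into each new
#    account and restores after OS updates. Removing these stops the apps returning.
foreach ($prov in Get-AppxProvisionedPackage -Online) {
    if ($Keep -contains $prov.DisplayName) { continue }
    Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction SilentlyContinue | Out-Null
}

# 3. Report, so the result can be filed with the hardening record for this machine.
"Removed      : $(($removed | Sort-Object -Unique) -join ', ')"
"Kept         : $(($kept    | Sort-Object -Unique) -join ', ')"
"Refused by OS: $(($refused | Sort-Object -Unique) -join ', ')"
```

Run it once after installation and again after each approved OS update (chapter 4), and compare the "Refused by OS" line with the exceptions listed in 3.1.3; anything new there is an app the update added that cannot be removed and therefore needs to be covered by the firewall and the application control in place.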

4 Service packs and security updates
FAST/TOOLS should be installed and tested on a defined patch level for the project. If the customer later requires additional updates, or critical fixes are released, Yokogawa must first determine the relevance of each fix and test FAST/TOOLS on the patched system to check that functionality is not adversely affected. Therefore do not turn the Windows automatic updates feature on, since only approved fixes may be installed. Instructions on how to change these settings can be found on the Microsoft website.
Yokogawa maintains a list of security updates that have been tested and evaluated. After updating your system through Windows Update, obtain this list from YHQ or your nearest Yokogawa Center of Excellence.
- Open Add/Remove programs from the Control Panel.
- Check the option "Show updates".
- The updates are shown in numerical order. Scroll down the list in the Add/Remove programs dialog and find the last Windows update that is also included in the Yokogawa list.
- If there are more updates in the Yokogawa list that come after this one, install only the newer updates that come after it. Do not install older updates that come before it, since these changes may have been superseded by later Windows hotfixes.
Note: The above method updates each machine individually. Alternatively, updating can be configured through centralised servers (similar to centralised antivirus pattern updates): http://en.wikipedia.org/wiki/Windows_Server_Update_Services
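The two rules of this chapter as a script: pin automatic updates off through the policy key, then compare what Get-HotFix reports against the tested list instead of scrolling the Add/Remove programs dialog. This is an added example, not part of the Yokogawa TI; the KB numbers in $ApprovedUpdates are constructed placeholders, to be replaced by the list obtained from YHQ or the nearest Yokogawa centre.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Yokogawa TI. (1) Disables Windows automatic
# updates via the policy registry key, (2) compares installed hotfixes with the
# Yokogawa tested list. $ApprovedUpdates holds constructed placeholder values.

$ApprovedUpdates = @('KB4000001', 'KB4000002', 'KB4000003')   # constructed placeholders, not real approvals

function Disable-AutomaticUpdates {
    # Same effect as the group policy "Configure Automatic Updates: Disabled".
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }
    Set-ItemProperty -Path $au -Name 'NoAutoUpdate' -Value 1 -Type DWord
    # The service itself stays available (Manual) so approved fixes can still be
    # installed by hand or from a WSUS server; it just no longer acts on its own.
    Set-Service -Name wuauserv -StartupType Manual
    (Get-ItemProperty -Path $au -Name 'NoAutoUpdate').NoAutoUpdate -eq 1
}

function Test-ApprovedUpdateLevel {
    param([string[]]$Approved)
    # Get-HotFix reads the installed updates from the servicing store.
    $installed  = Get-HotFix | Sort-Object InstalledOn -Descending
    $unapproved = $installed | Where-Object { $Approved -notcontains $_.HotFixID }
    $missing    = $Approved  | Where-Object { $installed.HotFixID -notcontains $_ }
    [pscustomobject]@{
        InstalledCount = $installed.Count
        Unapproved     = @($unapproved.HotFixID)   # installed but not on the tested list: investigate before go-live
        Missing        = @($missing)               # on the list but not installed: install per the chapter 4 procedure
    }
}

if (Disable-AutomaticUpdates) { 'Automatic updates: disabled by policy' }
Test-ApprovedUpdateLevel -Approved $ApprovedUpdates | Format-List
```

"Unapproved" is the list to take up with Yokogawa: either those updates were tested under another name on the list, or they were installed outside the procedure. "Missing" follows the rule in the text: install only the updates newer than the last one already on the machine. Note that Get-HotFix does not show every kind of update (feature updates and some servicing stack updates are listed under "Installed Updates" only), so treat the comparison as a first check, not the final record.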

5 Antivirus
Antivirus software should be installed on all systems. The antivirus software recommended by YHQ is described in reference [1], though the customer may have standardized on other software. The antivirus should be configured with real-time scanning enabled. If the virus scanner permits exceptions, the following FAST/TOOLS directories should be configured as exceptions in the antivirus software:

c:\Users\Public\Yokogawa\tls\dat c:\Users\Public\Yokogawa\tls\sav c:\Users\Public\Yokogawa\tls\his

Note: Virus pattern updates should be downloaded via a separate machine. They should be applied either manually or through automatic updates from a controlled system, preferably from within a demilitarized zone in the network (DMZ), in order to prevent direct internet access.

6 User account considerations
The following tables show the recommended user group definitions and their authorizations.

Table User Groups

Name               Description
Administrators     This user group has no limitations for system administration. It is defined for the system custodian.
Maintenance        This user group performs system maintenance with the FAST/TOOLS maintenance tools: creates users, analyses the system log and maintains the datasets.
Engineers          This user group performs FAST/TOOLS engineering with the FAST/TOOLS engineering modules: designs alarm policies, reports and graphics.
Operators          This user group has normal USER privileges. The operator mimics run under this account.
Internal Process   For internal processes. These users' passwords should not expire.

Note: If the HMI station is configured to log on automatically with the Operators account, the USER/FAST software must be started as the OS shell. This automatically disables the Windows Explorer functions such as the task bar, the desktop and the Windows function keys. Other functions such as Lock computer, System Shutdown and Change password are also disabled for the Operators account. Be aware that the standard Windows automatic logon (AutoAdminLogon with DefaultPassword under the Winlogon key) stores the operator password in the registry in clear text; use a tool that stores it as an LSA secret, such as Sysinternals Autologon, and give the Operators account no rights beyond what the HMI needs.
Note: If you use remote access software such as VNC, make sure that access can only be obtained via the Administrators account and that it is used for maintenance purposes only.
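The local groups from the table, one account per group, the non-expiring password for the internal process account, and two checks that follow from the notes above (the operator account is a plain user; only Administrators can reach the machine over Remote Desktop). This is an added example for a workgroup machine, not part of the Yokogawa TI; the group names come from the table, the account names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Yokogawa TI. Creates the FAST/TOOLS local groups
# and accounts on a workgroup machine and verifies the privilege boundaries the
# notes above call for. Account names (ft-*) are assumptions for this example.

$groups = [ordered]@{
    'Maintenance'      = 'System maintenance with the FAST/TOOLS maintenance tools'
    'Engineers'        = 'FAST/TOOLS engineering modules'
    'Operators'        = 'Operator HMI, normal USER privileges'
    'Internal Process' = 'FAST/TOOLS internal processes, password does not expire'
}
# "Administrators" is the built-in group, so no group is created for it.
$accounts = @{
    'Maintenance'      = 'ft-maint'
    'Engineers'        = 'ft-eng'
    'Operators'        = 'ft-oper'
    'Internal Process' = 'ft-svc'
}

foreach ($g in $groups.Keys) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description $groups[$g] | Out-Null
    }
    $name = $accounts[$g]
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        # Passwords are typed in, never stored in the script or the hardening record.
        $pw = Read-Host -Prompt "Password for $name" -AsSecureString
        $params = @{ Name = $name; Password = $pw; Description = $groups[$g]; AccountNeverExpires = $true }
        if ($g -eq 'Internal Process') {
            $params['PasswordNeverExpires']     = $true   # table: these passwords should not expire
            $params['UserMayNotChangePassword'] = $true
        }
        New-LocalUser @params | Out-Null
    }
    # New-LocalUser does not add the account to any group: put it in its FAST/TOOLS group
    # and in the built-in Users group (needed for an interactive logon), nothing more.
    foreach ($target in @($g, 'Users')) {
        if (-not (Get-LocalGroupMember -Group $target -Member $name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $target -Member $name
        }
    }
}

# Check 1: the operator account must not be a local administrator.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -like "*\$($accounts['Operators'])") {
    Write-Warning "Operators account $($accounts['Operators']) is a member of Administrators"
}

# Check 2: remote access via Administrators only, so "Remote Desktop Users" stays empty.
$rdp = Get-LocalGroupMember -Group 'Remote Desktop Users'
if ($rdp) { Write-Warning "Remote Desktop Users is not empty: $($rdp.Name -join ', ')" }

# Record: expiry settings per account, for the hardening record of this machine.
Get-LocalUser | Where-Object { $accounts.Values -contains $_.Name } |
    Select-Object Name, Enabled, PasswordExpires, UserMayChangePassword | Format-Table -AutoSize
```

On a domain (6.1, domain control) the same groups are created once on the domain controller and the local groups are left out; the two checks still apply to each machine, since local Administrators and Remote Desktop Users membership is what decides who can manage it.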

Table Authentication (1/6) User Group Authentication Description [1] [2] [3] [4] ALARM_ACK_DELETE   ALARM_ACK_INSERT   Definition alarm acknowledgment types ALARM_ACK_MODIFY   ALARM_ACK_READ     ALARM_AOI_DELETE   ALARM_AOI_INSERT   Definition alarm area of interest ALARM_AOI_MODIFY   ALARM_AOI_READ     ALARM_ASA_DELETE   ALARM_ASA_INSERT   Definition alarm selection area ALARM_ASA_MODIFY   ALARM_ASA_READ     ALARM_CHRONO_READ Reading historical alarms via DSS     ALARM_CURRENT_ACK    Acting current alarms via DSS ALARM_CURRENT_READ     ALARM_DISPLAY_DELETE   ALARM_DISPLAY_INSERT   Definition alarm display ALARM_DISPLAY_MODIFY   ALARM_DISPLAY_READ     User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators

TI 50A01A10-03EN May 31, 2018-00 <6. User account considerations> 6-2

Table Authentication (2/6) User Group Authentication Description [1] [2] [3] [4] ALARM_FO_DELETE   ALARM_FO_INSERT   Definition alarm first out group ALARM_FO_MODIFY   ALARM_FO_READ     ALARM_FU_DELETE   ALARM_FU_INSERT   Definition alarm collections ALARM_FU_MODIFY   ALARM_FU_READ     ALARM_GROUP_DELETE   ALARM_GROUP_INSERT   Definition alarm groups ALARM_GROUP_MODIFY   ALARM_GROUP_READ     ALARM_NOT_DEST_DELETE   ALARM_NOT_DEST_INSERT   Definition alarm Notification destination ALARM_NOT_DEST_MODIFY   ALARM_NOT_DEST_READ     ALARM_NOT_USR_DELETE   ALARM_NOT_USR_INSERT   Definition alarm notification user ALARM_NOT_USR_MODIFY   ALARM_NOT_USR_READ     ARCHIVE_COMMANDS Performs archive operations    ARCHIVE_GROUPS_READ    Archive overview functions ARCHIVE_ACTIONS_READ    ARCHIVE_TAPES_READ Archive tape functions    AUDIT_EVENT_CLAS_MODIFY    Definition audit AUDIT_EVENT_CLAS_READ     AUDIT_SELGRP_DELETE    AUDIT_SELGRP_INSERT    Definition audit selection group AUDIT_SELGRP_MODIFY    AUDIT_SELGRP_READ     AUDIT_TRAIL_READ     Audit trail AUDIT_TRAIL_UPDATE    AUTH_ACTION_READ Reading authorization options    AUTH_GROUP_DELETE    AUTH_GROUP_INSERT    Definition authorisation group AUTH_GROUP_MODIFY    AUTH_GROUP_READ    CLASS_ATTR_VAL_MODIFY   Method class attribute CLASS_ATTR_VAL_READ     User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators

TI 50A01A10-03EN May 31, 2018-00 <6. User account considerations> 6-3

Table Authentication (3/6) User Group Authentication Description [1] [2] [3] [4] CLASS_DELETE   CLASS_INCLUDED_READ     CLASS_INSERT   Definition method class CLASS_MODIFY   CLASS_READ     CLASS_SIGNALS_READ     DISPLAY_DELETE   DISPLAY_INSERT   Viewing Edit module and Operator interface DISPLAY_MODIFY   DISPLAY_READ     DIS_GROUP_DELETE DIS_GROUP_INSERT N/A DIS_GROUP_MODIFY DIS_GROUP_READ EXECUTE_GENERAL_COMMANDS All none data set specific actions    FOLDER_DELETE    FOLDER_INSERT    Operation folders FOLDER_MODIFY    FOLDER_READ     HIS_GROUP_DELETE    HIS_GROUP_INSERT    Definition item storage group HIS_GROUP_MODIFY    HIS_GROUP_READ     HIS_GROUP_FORCE_ROLLOVER Force storage group rollover    HIS_UNITS_DELETE    HIS_UNITS_MODIFY Storage unit    HIS_UNITS_READ     INSTALL_BLOCK_UNBLOCK Change blocking of installation    INSTALL_DELETE    INSTALL_INSERT    Definition installation INSTALL_MODIFY    INSTALL_READ     ITEM_ACK_ALARM Acknowledge item alarm    ITEM_DELETE   ITEM_READ     Definition item ITEM_INSERT   ITEM_MODIFY   ITEM_HISTORY_INSERT   ITEM_HISTORY_MODIFY Operating historical data via DSS   ITEM_HISTORY_READ     User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators

TI 50A01A10-03EN May 31, 2018-00 <6. User account considerations> 6-4

Table Authentication (4/6) User Group Authentication Description [1] [2] [3] [4] ITEM_HIS_DELETE   ITEM_HIS_INSERT   Definition history storage group ITEM_HIS_MODIFY   ITEM_HIS_READ     ITEM_MODIFY_APPLICATION_ Modify item application flag   FLAG ITEM_MODIFY_BLOCKED_VALUE Modify item blocked value   ITEM_MODIFY_DEADBAND Modify item limits   ITEM_MODIFY_HISTORY Modify historical value item   ITEM_MODIFY_LIMIT_HIGH   ITEM_MODIFY_LIMIT_HIGH_HIGH   Modify item limits ITEM_MODIFY_LIMIT_LOW   ITEM_MODIFY_LIMIT_LOW_LOW   ITEM_MODIFY_QUALITY_CODE Modify item quality   ITEM_MODIFY_STATUS Modify item status   ITEM_MODIFY_STRING_VALUE Modify string item value   ITEM_MODIFY_VALUE Modify item value   ITEM_READ_ALARM_TYPE View item alarms   NODE_LOCAL_READ View definition local nodes     NODE_HOST_READ View definition host nodes     OBJECT_ATTR_VAL_MODIFY    Method object attribute OBJECT_ATTR_VAL_READ     OBJECT_DELETE   OBJECT_INSERT   Definition method object OBJECT_MODIFY   OBJECT_READ     OBJECT_SIGNALS_READ Reading properties of object     OPC_GROUP_DELETE   OPC_GROUP_INSERT   Definition OPC group OPC_GROUP_MODIFY   OPC_GROUP_READ    REPORT_CANCEL    REPORT_DELETE    REPORT_INSERT    Definition report REPORT_MODIFY    REPORT_PRINT    REPORT_READ     REPORT_DELETE_ANY_GEN_ Deleting generated report    REPORT REPORT_DELETE_GENERATED_ Delete generated report    REPORT User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators

TI 50A01A10-03EN May 31, 2018-00 <6. User account considerations> 6-5

Table Authentication (5/6) User Group Authentication Description [1] [2] [3] [4] REPORT_GENERATE_ADHOC Adhoc generation of report    REPORT_MAINTAIN_LOGBOOK Maintain logbook    REPORT_READ_GENERATED_ View generated report     REPORT SCAN_TYPE_DELETE   SCAN_TYPE_INSERT   Definition scan type SCAN_TYPE_MODIFY   SCAN_TYPE_READ     SEQUENCE_DELETE   SEQUENCE_INSERT   Definition sequence SEQUENCE_MODIFY   SEQUENCE_READ     STATION_DELETE   STATION_INSERT   Definition station STATION_MODIFY   STATION_READ     STATION_ON_OFF_SCAN Change scanning of station   STATUS_DELETE   STATUS_INSERT   Definition item status STATUS_MODIFY   STATUS_READ     SUB_ITEM_DELETE   SUB_ITEM_INSERT   Definition sub- item SUB_ITEM_MODIFY   SUB_ITEM_READ     SYMBOL_DELETE   SYMBOL_INSERT   Definition symbol SYMBOL_MODIFY   SYMBOL_READ     SYS_LOG_READ Reading syslog     SECTION_BLOCK_UNBLOCK Change blocking of section   SECTION_DELETE   SECTION_INSERT   Definition section SECTION_MODIFY   SECTION_READ     SCHEME_DELETE   SCHEME_INSERT   Definition Scheme SCHEME_MODIFY   SCHEME_READ     User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators


Table Authentication (6/6)

                                                                   User Group
Authentication                      Description                        [1] [2] [3] [4]
TRIGGER_GROUP_DELETE                Definition trigger group
TRIGGER_GROUP_INSERT
TRIGGER_GROUP_MODIFY
TRIGGER_GROUP_READ
UNIT_BLOCK_UNBLOCK                  Change blocking of unit
UNIT_DELETE                         Definition unit
UNIT_INSERT
UNIT_MODIFY
UNIT_READ
USER_DELETE                         Definition user
USER_INSERT
USER_MODIFY
USER_READ

User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators

6.1 Access User Group Control

The following two user/group control methods, which apply access control on an access user group basis, are available.

Table Access user group control

Control method   Configuration                                                 Operation                                                                                                                          Other
Workgroup        Register the accounts of the users in all the terminals.                                                                                                                                         Consists of FAST/TOOLS control terminals only.
Domain control   Register the accounts of the users on the domain server.      It allows administrators to manage resources efficiently. Consolidating the users reduces human errors, which can be a plus with respect to security.   Requires a Domain Controller to be established besides the FAST/TOOLS terminals.

6.2 Folder Access Permissions

Access to the folders of the installed package is controlled on an access user group basis (this requires manual engineering), so that falsification or destruction of installed modules can be prevented. The permission of each folder for each access user group is shown in the following table.

Table Folder access permissions (1/5)

                                                        Access User Group
Folder                                                  [1]  [2]  [3]  [4]  [5]
FAST/TOOLS (Common) (*1)                                F    F    F    RX   F
|---tls                                                 F    F    F    RX   F
| |---com                                               F    F    F    RX   F
| |---dat (*2)                                          F    F    F    RX   F
| |---doc                                               F    F    F    RX   F
| |---exe                                               F    F    F    RX   F
| | |---EZSocketPcRedistributableInstaller              F    F    F    RX   F
| |---his (*2)                                          F    F    F    RX   F
| | |---has                                             F    F    F    RX   F
| |---hlp                                               F    F    F    RX   F
| |---jre                                               F    F    F    RX   F
| | |---bin                                             F    F    F    RX   F
| | |---db                                              F    F    F    RX   F
| | | |---bin                                           F    F    F    RX   F
| | | |---lib                                           F    F    F    RX   F
| | |---include                                         F    F    F    RX   F
| | | |---win32                                         F    F    F    RX   F
| | | | |---bridge                                      F    F    F    RX   F
| | |---jre                                             F    F    F    RX   F
| | | |---bin                                           F    F    F    RX   F
| | | | |---dtplugin                                    F    F    F    RX   F
| | | | |---plugin2                                     F    F    F    RX   F
| | | | |---server                                      F    F    F    RX   F
| | | |---lib                                           F    F    F    RX   F
| | | | |---amd64                                       F    F    F    RX   F
| | | | |---applet                                      F    F    F    RX   F
| | | | |---cmm                                         F    F    F    RX   F
| | | | |---deploy                                      F    F    F    RX   F
| | | | |---ext                                         F    F    F    RX   F

Access User Groups [1]: Administrators [2]: Maintenance [3]: Engineers [4]: Operators [5]: Internal Process

Variation of access permissions
F: Full access control
RX: Right to read and execute, and display the overview of contents in the folder

*1: FAST/TOOLS (Common) is an installation folder name. (Default C:\Program Files\Yokogawa\FAST TOOLS and C:\Users\Public\Yokogawa)
*2: These are installed in the users folder. (Default C:\Users\Public\Yokogawa)


Table Folder access permissions (2/5)

                                                        Access User Group
Folder                                                  [1]  [2]  [3]  [4]  [5]
| | | | |---fonts                                       F    F    F    RX   F
| | | | |---images                                      F    F    F    RX   F
| | | | | |---cursors                                   F    F    F    RX   F
| | | |---jfr                                           F    F    F    RX   F
| | | |---management                                    F    F    F    RX   F
| | | |---security                                      F    F    F    RX   F
| | |---lib                                             F    F    F    RX   F
| | | |---missioncontrol                                F    F    F    RX   F
| | | | |---configuration                               F    F    F    RX   F
| | | | | |---org.eclipse.equinox.simpleconfigurator    F    F    F    RX   F
| | | | | |---org.eclipse.update                        F    F    F    RX   F
| | | | |---dropins                                     F    F    F    RX   F
| | | | |---features (and all below)                    F    F    F    RX   F
| | | | |---p2 (and all below)                          F    F    F    RX   F
| | | | |---plugins (and all below)                     F    F    F    RX   F
| | | |---visualvm (and all below)                      F    F    F    RX   F
| |---lst (*2)                                          F    F    F    RX   F
| | |---printing                                        F    F    F    RX   F
| |---sav (*2)                                          F    F    F    RX   F
| |---src                                               F    F    F    RX   F
| |---sup                                               F    F    F    RX   F
| |---tpl                                               F    F    F    RX   F
| |---wap (*2)                                          F    F    F    RX   F
| | |---admin                                           F    F    F    RX   F
| | |---apk                                             F    F    F    RX   F
| | |---authconfig                                      F    F    F    RX   F
| | |---cfg                                             F    F    F    RX   F
| | | |---chartGroups                                   F    F    F    RX   F
| | | |---charts                                        F    F    F    RX   F
| | | | |---dtschart                                    F    F    F    RX   F
| | | | |---SOEPebConfigurations                        F    F    F    RX   F
| | | | |---xychart                                     F    F    F    RX   F
| | | | | |---default                                   F    F    F    RX   F
| | | | | |---powerCurve                                F    F    F    RX   F
| | | | | |---windDistribution                          F    F    F    RX   F
| | | | | |---windRose                                  F    F    F    RX   F



Table Folder access permissions (3/5)

                                                        Access User Group
Folder                                                  [1]  [2]  [3]  [4]  [5]
| | | |---charWorkspaces                                F    F    F    RX   F
| | | |---colors                                        F    F    F    RX   F
| | | |---configurations                                F    F    F    RX   F
| | | | |---Enterprise                                  F    F    F    RX   F
| | | |---dialog                                        F    F    F    RX   F
| | | | |---dialogs                                     F    F    F    RX   F
| | | |---icons                                         F    F    F    RX   F
| | | |---jhacProperties                                F    F    F    RX   F
| | | |---keystore                                      F    F    F    RX   F
| | | |---memofields                                    F    F    F    RX   F
| | | |---operatorInterfaces                            F    F    F    RX   F
| | | | |---DEPLOY                                      F    F    F    RX   F
| | | | | |---components                                F    F    F    RX   F
| | | | | |---displays                                  F    F    F    RX   F
| | | | | |---layouts                                   F    F    F    RX   F
| | | | | |---locales                                   F    F    F    RX   F
| | | | | |---symbols                                   F    F    F    RX   F
| | | | | |---thresholds                                F    F    F    RX   F
| | | |---playback                                      F    F    F    RX   F
| | | |---plugins                                       F    F    F    RX   F
| | | | |---abcip                                       F    F    F    RX   F
| | | | |---abplc5                                      F    F    F    RX   F
| | | | |---acgateway                                   F    F    F    RX   F
| | | | |---bachmann                                    F    F    F    RX   F
| | | | |---bkhfbk8100                                  F    F    F    RX   F
| | | | |---bristolbck                                  F    F    F    RX   F
| | | | |---comli                                       F    F    F    RX   F
| | | | |---daqstation                                  F    F    F    RX   F
| | | | |---dnp3                                        F    F    F    RX   F
| | | | |---dts                                         F    F    F    RX   F
| | | | |---fam3                                        F    F    F    RX   F
| | | | |---fisherroc                                   F    F    F    RX   F
| | | | |---gefanuc                                     F    F    F    RX   F
| | | | |---hartrouter                                  F    F    F    RX   F
| | | | |---hexrepeater                                 F    F    F    RX   F
| | | | |---hosthost                                    F    F    F    RX   F
| | | | |---iec101                                      F    F    F    RX   F



Table Folder access permissions (4/5)

                                                        Access User Group
Folder                                                  [1]  [2]  [3]  [4]  [5]
| | | | |---iec102                                      F    F    F    RX   F
| | | | |---iec103                                      F    F    F    RX   F
| | | | |---iec104                                      F    F    F    RX   F
| | | | |---iec61850                                    F    F    F    RX   F
| | | | |---melsec                                      F    F    F    RX   F
| | | | |---metro                                       F    F    F    RX   F
| | | | |---modbus                                      F    F    F    RX   F
| | | | |---omronfins                                   F    F    F    RX   F
| | | | |---opcaec                                      F    F    F    RX   F
| | | | |---opcdac                                      F    F    F    RX   F
| | | | |---opcuac                                      F    F    F    RX   F
| | | | |---prosafecom                                  F    F    F    RX   F
| | | | |---prosafeplc                                  F    F    F    RX   F
| | | | |---sapis7                                      F    F    F    RX   F
| | | | |---search                                      F    F    F    RX   F
| | | | |---siemens3964                                 F    F    F    RX   F
| | | | |---stardomfcx                                  F    F    F    RX   F
| | | | |---STXBackmann                                 F    F    F    RX   F
| | | | |---tie8705                                     F    F    F    RX   F
| | | | |---vnet                                        F    F    F    RX   F
| | | |---preferences                                   F    F    F    RX   F
| | | |---properties                                    F    F    F    RX   F
| | | |---set                                           F    F    F    RX   F
| | | |---textures                                      F    F    F    RX   F
| | |---downloads                                       F    F    F    RX   F
| | | |---jreDownloadFiles                              F    F    F    RX   F
| | |---jws                                             F    F    F    RX   F
| | |---lib                                             F    F    F    RX   F
| | |---mobileoperator                                  F    F    F    RX   F
| | | |---operatorInterfaces                            F    F    F    RX   F
| | | |---src                                           F    F    F    RX   F
| | | | |---closure-library (and below)                 F    F    F    RX   F
| | | | |---fasttools                                   F    F    F    RX   F
| | | |---woff                                          F    F    F    RX   F
| | |---static                                          F    F    F    RX   F
| | |---webapps                                         F    F    F    RX   F
| | | |---auth                                          F    F    F    RX   F
| | | | |---jws                                         F    F    F    RX   F



Table Folder access permissions (5/5)

                                                        Access User Group
Folder                                                  [1]  [2]  [3]  [4]  [5]
| | | | |---mbl                                         F    F    F    RX   F
| | | | |---WEB-INF                                     F    F    F    RX   F
| | |---WEB-INF                                         F    F    F    RX   F

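The folder permission table above is applied by manual engineering, so it is worth having a way to verify it afterwards. The following PowerShell script is an added example and is not part of this TI or of the FAST/TOOLS package: it walks the installation folders and reports every ACE that deviates from the table (full control for Administrators, Maintenance and Engineers; read and execute only for Operators). It assumes that the access user groups exist as Windows groups with the names used in the table and that FAST/TOOLS is installed in the default folders given in note *1; the Internal Process group ([5]) is left out because the TI does not name the account behind it.

```powershell
# Added example, not part of the Yokogawa TI: audit NTFS permissions on the
# FAST/TOOLS installation folders against the "Folder access permissions" table.
# Assumptions (not from the TI): the access user groups exist as Windows groups
# named as in the table, and FAST/TOOLS is installed in its default folders.

$Roots = @('C:\Program Files\Yokogawa\FAST TOOLS', 'C:\Users\Public\Yokogawa')

# Expected rights per access user group, as in the table:
# F = full access control, RX = read and execute, list folder contents.
$Expected = @{
    'Administrators' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Maintenance'    = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Engineers'      = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Operators'      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

# Synchronize is present on every usable allow ACE and grants nothing by itself,
# so it is ignored when comparing granted bits with the table.
$Ignore = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-FastToolsFolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $seen = @{}
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # "BUILTIN\Administrators", "HOST\Operators": compare the name part only.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if (-not $Expected.ContainsKey($name)) { continue }
        $seen[$name] = $true
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
            $findings += "$Path : deny ACE for $name ($($ace.FileSystemRights))"
            continue
        }
        $want = [int]$Expected[$name]
        $have = [int]$ace.FileSystemRights
        # Bits granted beyond what the table allows, e.g. Write or Delete for Operators.
        # Inherited ACEs carrying generic rights show up as raw numbers here.
        $extra = $have -band -bnot ($want -bor $Ignore)
        if ($extra -ne 0) {
            $findings += "$Path : $name has extra rights $([System.Security.AccessControl.FileSystemRights]$extra)"
        }
    }
    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) {
            $findings += "$Path : no ACE for $name (table expects $($Expected[$name]))"
        }
    }
    return $findings
}

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Test-FastToolsFolderAcl -Path $root
    # The table applies F/RX to the whole tree, so every subfolder is checked.
    Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-FastToolsFolderAcl -Path $_.FullName }
}

if ($results) { $results | Sort-Object -Unique } else { 'No deviations from the folder permission table found.' }
```

Run it from an account that can read the ACLs of the whole tree (an administrator). A missing ACE for a group is reported as well as an excessive one, because a folder that lacks the Operators entry altogether is just as much a deviation from the table as one where Operators hold write access.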

6.3 Web-HMI Client Deployment page modifications

Users who connect to FAST/TOOLS via the Web interface use the page below to set up a connection. This Web-HMI Client page (default set-up shown below) can be modified.

Figure Web-HMI Client Deployment page (default set-up)

7. Disabling Unused Services

Windows provides a startup type for each system service. The possible values for this setting are:
• Automatic. The service starts automatically when the computer is restarted.
• Automatic (Delayed start). The service starts automatically when the computer is restarted, but its start is delayed until after higher-priority services and drivers have started.
• Manual. The service does not start until a program starts it or a user starts it explicitly.
• Disabled. The service cannot be started.
• Not Defined

Disabling unused Windows services reduces the attack surface available to an attacker from an unknown location. If there are vulnerabilities in Windows, user information in FAST/TOOLS may be stolen, or critical data in the system may be leaked, falsified or damaged; at worst, the attacker can obtain administrator privileges on the domain. The following table describes common services that should be disabled. For a full list of available services and their tasks, refer to the Microsoft website. Make sure to disable only services that are not required for operation and whose absence does not cause other services to malfunction.

Note: If you wish to configure DCOM for OPC, you must set the "Distributed Transaction Coordinator" service to Automatic. Otherwise it is not possible to run the DCOM configuration tool.

Table Disabling unused Windows Services (1/2)

Service                                    10   2016   Description
DHCP Client                                X    X      Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.
Error Reporting Service                    —    —      Allows error reporting for services and applications running in non-standard environments.
Windows Error Reporting Service            X    X      Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed.
Help and Support                           —    —      Enables Help and Support Centre to run on this computer.
IP Helper                                  X    X      Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy and Teredo) and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.
IPsec Policy Agent                         X    X      Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption) and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool " ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also, remote management of Windows Firewall is not available when this service is stopped.
IPSEC Services                             —    —      Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

X: Disable


Table Disabling unused Windows Services (2/2)

Service                                    10   2016   Description
Network DDE                                —    —      Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers.
Network DDE DSDM                           —    —      Manages Dynamic Data Exchange (DDE) network shares.
Offline Files                              X    X      The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state.
Plug and Play                              X    X      Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Remote Registry                            X    X      Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Shell Hardware Detection                   X    X      Provides notifications for hardware events.
Universal Plug and Play Device Host        X    X      Allows UPnP devices to be hosted on this computer. If this service is stopped, any hosted UPnP devices will stop functioning and no additional hosted devices can be added. If this service is disabled, any services that explicitly depend on it will fail to start.
WebClient                                  —    —      Enables Windows-based programs to create, access and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Windows Image Acquisition (WIA)            —    —      Provides image acquisition services for scanners and cameras.
WinHTTP Web Proxy Auto-Discovery Service   X    X      WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol.
Wireless Zero Configuration                —    —      Provides automatic configuration for the 802.11 adapters.

X: Disable
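The instruction above to disable only services that no other service needs is easy to get wrong when the table is applied by hand. The following PowerShell script is an added example, not part of this TI: for each service it first reports the startup type and any running services that depend on it, and only changes the startup type to Disabled when run with -Apply and when no running dependent was found. The service list is an assumption for illustration (a subset of the table, using the display names as printed there) and must be trimmed to what the project actually does not need; a name that does not exist on the host is reported rather than guessed.

```powershell
# Added example, not part of the Yokogawa TI: disable unused services from the
# "Disabling unused Windows Services" table after checking their dependents.
# Run in an elevated PowerShell. The candidate list is an assumption and is a
# subset of the table; adjust it per project.

$Candidates = @(
    'Remote Registry',
    'Universal Plug and Play Device Host',
    'Shell Hardware Detection',
    'Offline Files',
    'WinHTTP Web Proxy Auto-Discovery Service',
    'Windows Error Reporting Service'
)

function Get-ServiceDisableReport {
    param([string[]]$DisplayNames)
    foreach ($dn in $DisplayNames) {
        $svc = Get-Service -DisplayName $dn -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Display names differ between Windows versions; report, do not guess.
            [pscustomobject]@{ DisplayName = $dn; Name = $null; Status = 'not found'; StartType = $null; RunningDependents = $null }
            continue
        }
        # Services that would fail to start once this one is disabled.
        $dep = $svc.DependentServices | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty DisplayName
        [pscustomobject]@{
            DisplayName       = $svc.DisplayName
            Name              = $svc.Name
            Status            = $svc.Status
            StartType         = $svc.StartType
            RunningDependents = ($dep -join '; ')
        }
    }
}

function Disable-UnusedService {
    param([string[]]$DisplayNames, [switch]$Apply)
    foreach ($row in Get-ServiceDisableReport -DisplayNames $DisplayNames) {
        if (-not $row.Name) { continue }
        if ($row.RunningDependents) {
            # The TI asks not to break other services: leave these for manual review.
            Write-Warning "$($row.DisplayName): skipped, running dependents: $($row.RunningDependents)"
            continue
        }
        if ($Apply) {
            Stop-Service -Name $row.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $row.Name -StartupType Disabled
            Write-Host "$($row.DisplayName): startup type set to Disabled"
        } else {
            Write-Host "$($row.DisplayName): would be set to Disabled (run with -Apply)"
        }
    }
}

Get-ServiceDisableReport -DisplayNames $Candidates | Format-Table -AutoSize
Disable-UnusedService -DisplayNames $Candidates   # add -Apply to change the system
```

Keep the report output with the project documentation: it records the state before hardening and makes it possible to show later which service was disabled by the procedure and which was already off.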

8. IT Environment Settings

This section introduces the Windows security functions that run in the IT environment and are applicable to FAST/TOOLS. When adopting these security functions, consider the suitability of each one for FAST/TOOLS.

8.1 Hiding the Last Logon ID Hiding the last user name in the logon dialog prevents the active user name from being exposed in the system.

Setting Procedure
1. In [Control Panel], launch [Administrative Tools] - [Local Security Policy].
2. Select [Local Policies] - [Security Options] and set [Interactive logon: Do not display last user name] to [Enabled].

Figure Do not display last user name Properties

Note: You need to enter the user name when logging on.

8.2 Applying the Audit Policy

Applying an appropriate audit policy is recommended. The account logon status data and security-related events help you detect errors in the system at an early stage and trace the cause in case of an incident. Windows does not collect this audit data by default.

Setting Procedure
1. In [Control Panel], launch [Administrative Tools] - [Local Security Policy].
2. Select [Local Policies] - [Audit Policies] and then configure the setting.
3. Check and change the event acquisition size, if necessary (refer to Notes).

Figure Local Security Settings

Reference Values

Table Setting Values of Audit Policy

Policy                           Reference value
Audit account logon events       Success/Failure
Audit account management         Success/Failure
Audit object access              Failure
Audit system events              Success
Audit directory service access   Failure
Audit process tracking           No auditing
Audit policy change              Success
Audit logon events               Success/Failure
Audit privilege use              Failure

Note:
- Increasing the number of types of acquired events affects the system performance.
- The number of events occurring differs according to the system operation and the type of events acquired. Decide on an event acquisition size based on the operating condition of the system.


[Setting Event Acquisition Size]
1. In [Control Panel], launch [Administrative Tools] - [Event Viewer].

Figure Event Viewer

2. Right-click [Security], and select [Properties].

Background info notes:
• Inside gpedit.msc there is another location that allows administrators to specify an "advanced audit policy". Go to gpedit -> Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration. This advanced audit template allows administrators to configure 53 audit settings.
• The event acquisition size can also be configured from local policy. Go to gpedit -> Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service.

Figure Security Properties


3. On the [General] tab, in the [Maximum log size] text box in the [Log size] group box, enter the size to be set.
4. Under [When maximum log size is reached], select the overwrite option to be set.
5. Click [OK].
6. Right-click [Application] in [Event Viewer], select [Properties], configure [Log Size] in the same way, and then click [OK].
7. Right-click [System] in [Event Viewer], select [Properties], configure [Log Size] in the same way, and then click [OK].

Reference Values

Table Setting Values of Log Size

Log           Item                               Reference value
Security      Maximum log size                   81,920 KB
              When maximum log size is reached   Overwrite events as needed
Application   Maximum log size                   16,384 KB
              When maximum log size is reached   Overwrite events as needed
System        Maximum log size                   16,384 KB
              When maximum log size is reached   Overwrite events as needed
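The log sizes in the table are set per machine through Event Viewer, so on a system with several FAST/TOOLS terminals it is useful to check them from a script. The following PowerShell is an added example and not part of this TI: it compares the Security, Application and System logs with the reference values above and, when run with -Apply, sets them with Limit-EventLog. It uses the classic event log cmdlets, which exist in Windows PowerShell 5.1 (the version shipped with Windows Server 2016 and Windows 10), and needs an elevated prompt to change the Security log.

```powershell
# Added example, not part of the Yokogawa TI: check and set the event log sizes
# from "Setting Values of Log Size". Windows PowerShell 5.1, elevated prompt.

$Reference = @{
    'Security'    = 81920KB   # 81,920 KB in the table
    'Application' = 16384KB   # 16,384 KB
    'System'      = 16384KB   # 16,384 KB
}

function Get-LogSizeReport {
    foreach ($name in $Reference.Keys) {
        $log = Get-EventLog -List | Where-Object Log -eq $name
        $refKB = [int]($Reference[$name] / 1KB)
        [pscustomobject]@{
            Log         = $name
            CurrentKB   = $log.MaximumKilobytes
            ReferenceKB = $refKB
            Overflow    = $log.OverflowAction
            # A larger log than the reference is acceptable; a smaller one is not.
            Compliant   = ($log.MaximumKilobytes -ge $refKB) -and
                          ($log.OverflowAction -eq 'OverwriteAsNeeded')
        }
    }
}

function Set-LogSizeReference {
    param([switch]$Apply)
    foreach ($row in Get-LogSizeReport | Where-Object { -not $_.Compliant }) {
        if ($Apply) {
            # Limit-EventLog takes the size in bytes; the values above are multiples of 64 KB as Windows requires.
            Limit-EventLog -LogName $row.Log -MaximumSize $Reference[$row.Log] -OverflowAction OverwriteAsNeeded
            Write-Host "$($row.Log): set to $($row.ReferenceKB) KB, overwrite events as needed"
        } else {
            Write-Host "$($row.Log): would set $($row.ReferenceKB) KB, overwrite as needed (run with -Apply)"
        }
    }
}

Get-LogSizeReport | Format-Table -AutoSize
Set-LogSizeReference   # add -Apply to change the logs
```

The same check can be made with wevtutil gl Security from a command prompt; the cmdlet form is used here because it returns objects that can be compared directly with the reference values.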

8.3 Changing the LAN Manager Authentication Level

Windows provides three kinds of authentication methods (classified into two types) for backward compatibility. Only NTLM (*2) authentication should be used in the FAST/TOOLS environment, because the password processing (hash processing) of the LM (*1) authentication made for the Windows 9x series is very weak. By Windows default, both LM and NTLM authentication methods are available. Additionally, the settings for "Not storing the password data for the LM authentication", "Minimum session security for NTLM SSP based (including secure RPC) clients" and "Minimum session security for NTLM SSP based (including secure RPC) servers" should be configured together with this change.
*1: LAN Manager
*2: Windows NT LAN Manager

Setting Items
1. In [Control Panel], launch [Administrative Tools] - [Local Security Policy].
2. Select [Local Policies] - [Security Options], and then set [Network security: LAN Manager authentication level] to [Send NTLMv2 response only].

Figure LAN Manager authentication level Properties


3. Select [Local Policies] - [Security Options], and then set [Network security: Do not store LAN Manager hash value on next password change] to [Enabled].

Figure Do not store LAN Manager hash value Properties

4. Expand [Local Policies], click [Security Options], and then double-click [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients]. Check the [Require NTLMv2 session security] and [Require 128-bit encryption] check boxes.

Figure Minimum session security for NTLM SSP based clients (Windows Server 2008/Windows 7)


Figure Minimum session security for NTLM SSP based clients (Windows Server 2012/Windows 8)

5. Expand [Local Policies], click [Security Options], and then double-click [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers]. Check the [Require NTLMv2 session security] and [Require 128-bit encryption] check boxes.

Figure Minimum session security for NTLM SSP based servers (Windows Server 2016/Windows 10)


Figure Minimum session security for NTLM SSP based servers (Windows Server 2016/Windows 10)

Note:
- This setting disables the connection from / / Windows ME/Windows NT/ .
- The settings for [Minimum session security for NTLM SSP based (including secure RPC) clients] and [Minimum session security for NTLM SSP based (including secure RPC) servers] must be the same on all terminals.

8.4 Applying the Password Policy

The strength of user authentication depends greatly on the configured passwords. It is recommended to ensure a minimum level of security by applying the password policy.

Setting Procedure
1. In [Control Panel], launch [Administrative Tools] - [Local Security Policy].
2. Select [Account Policies] - [Password Policies] and configure the setting.

Figure Local Security Settings

Reference Values

Table Setting Values of Password Policy

Policy                                           Reference value
Minimum password length                          8 characters or more
Minimum password age                             1 day
Maximum password age                             42 days
Enforce password history                         24 passwords can be recorded (*1)
Password must meet complexity requirements       Enabled
Store all passwords using reversible encryption  Disabled

Note: Standalone servers have other recommended settings. Please refer to the Microsoft website.
*1: This setting requires 25 or more passwords.

8.5 Applying the Account Lockout Policy

This function is effective in protecting FAST/TOOLS against attacks such as online password cracking. However, because a lockout occurs, prompt logon may be impossible in an emergency. Note that in a domain environment, administrators can use "Fine-grained password policy" to define another set of password and account lockout settings.

Setting Procedure
1. In [Control Panel], launch [Administrative Tools] - [Local Security Policy].
2. Select [Account Policies] - [Account Lockout Policies] and configure the setting.

Figure Local Security Settings

Reference Values

Table Setting Values of Account Lockout Policy

Policy                                  Reference value
Account lockout threshold               10 invalid logon attempts
Reset account lockout counter after     15 minutes
Account lockout duration                15 minutes

8.6 Restriction on AutoRun

This operation prevents an illegal program from being launched from a medium such as a CD-ROM inserted into a drive. It is an especially effective measure for countering virus infections of a computer (USB worms) by means of USB flash drives.

Setting Procedure
1. Start the registry editor.
2. Add the "Explorer" key under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\].
3. Add the following item to the "Explorer" key you created.

Item        NoDriveTypeAutoRun
Type        REG_DWORD
Set value   0xFF (Restricts AutoRun on all drives)

Table Settings

Value          Meaning
0x01 or 0x80   Disables AutoRun on drives of unknown type
0x04           Disables AutoRun on removable drives
0x08           Disables AutoRun on fixed drives
0x10           Disables AutoRun on network drives
0x20           Disables AutoRun on CD-ROM drives
0x40           Disables AutoRun on RAM disks
0xFF           Disables AutoRun on all kinds of drives

Note: If you want to disable AutoRun for multiple drive types, you must add the corresponding hexadecimal values. For example, if you want to disable AutoRun for removable drives (0x04) and for CD-ROM drives (0x20), you must add 0x04 and 0x20. Therefore, in this example, you would set the value of the NoDriveTypeAutoRun entry to 0x24.
4. Restart Windows.
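The value in step 3 is a bit mask built from the rows of the Settings table, which is why the note says to add the values. The following PowerShell is an added example, not part of this TI: it builds NoDriveTypeAutoRun from a list of drive types, reproduces the worked case from the note (removable + CD-ROM = 0x24), and writes the recommended 0xFF value to the Explorer policy key under HKEY_CURRENT_USER as the procedure describes, reading it back so the result can be verified. The drive-type names in the hashtable are my own labels for the table rows.

```powershell
# Added example, not part of the Yokogawa TI: compose and apply NoDriveTypeAutoRun
# from the per-drive values in the "Settings" table.

$DriveBits = @{
    UnknownType = 0x01   # the table lists 0x01 or 0x80 for drives of unknown type
    Removable   = 0x04
    Fixed       = 0x08
    Network     = 0x10
    CdRom       = 0x20
    RamDisk     = 0x40
}

function Get-NoDriveTypeAutoRunValue {
    param([string[]]$DriveTypes)
    $value = 0
    foreach ($t in $DriveTypes) {
        if (-not $DriveBits.ContainsKey($t)) { throw "Unknown drive type '$t'" }
        # Each row is a distinct bit, so OR-ing gives the same result as the
        # addition in the TI note, and a type listed twice is not double-counted.
        $value = $value -bor $DriveBits[$t]
    }
    return $value
}

function Set-AutoRunRestriction {
    param([int]$Value = 0xFF, [switch]$Apply)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }   # step 2: create the Explorer key
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value $Value -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Key       = $key
        Requested = '0x{0:X2}' -f $Value
        Current   = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
    }
}

# Worked case from the TI note: removable (0x04) + CD-ROM (0x20) = 0x24.
'0x{0:X2}' -f (Get-NoDriveTypeAutoRunValue -DriveTypes 'Removable', 'CdRom')

# Recommended setting from the procedure: restrict AutoRun on all drive types.
Set-AutoRunRestriction -Value 0xFF   # add -Apply to write the value; restart Windows afterwards (step 4)
```

Because the procedure writes under HKEY_CURRENT_USER, the restriction applies to the user running the script; the group policy route in the alternative procedure below applies it machine-wide.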

Alternative Setting Procedure
From [Run], type gpedit.msc. Then go to Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies.

Note: Take note of the following points while restricting AutoRun.
- If AutoRun is not available for CD-ROM drives, the installation menu does not appear automatically even when the FAST/TOOLS software medium is inserted. Refer to FAST/TOOLS Installation Manual Windows IM50C03C00-01EN/R10.03 for information on how to install.
- To disable the AutoRun functionality in Windows Server 2008, you must have security update 950582 installed (security bulletin MS08-038).
- To disable the AutoRun functionality in Windows XP, you must have security update 950582, update 967715, or update 953252 installed.
- In a domain environment, these settings may be overwritten by the original settings of the domain controller according to its policies. In such a case, you need to modify the settings of the domain controller.

Further note that any USB device should be ‘anti-virus’ checked before usage on the actual system.

8.7 Disabling NetBIOS over TCP/IP

NetBIOS may allow an attacker to acquire the list of services running on the target machine, or the list of its users. Therefore, it is recommended to disable NetBIOS. For more information on NetBIOS, refer to IT Security Guide for System Products (Common Information) TI 30A15B30-01E.

Setting Procedure
1. Open the network connection property window.
2. Open the [Internet Protocol (TCP/IP) Properties] dialog box.
3. Click the [Advanced...] button.
4. Select the [WINS] tab.
5. Select [Disable NetBIOS over TCP/IP].
6. Click the [OK] button.

Figure Disabling NetBIOS over TCP/IP

Note:
- It is an absolute requirement that the computer name and the station name are the same.
- This setting disables the File Share connection from Windows 95/Windows 98/Windows ME/Windows NT.
- For domain management, register the domain controller information correctly in the DNS server collaborating with the domain controller.
- The computer name should be resolvable by name with DNS or the HOSTS file.
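The WINS tab setting above is stored per adapter, so a host with several interfaces has to be checked on each one. The following PowerShell is an added example, not part of this TI: it lists the NetBIOS over TCP/IP state of every IP-enabled adapter through the Win32_NetworkAdapterConfiguration CIM class and, when run with -Apply, calls that class's SetTcpipNetbios method with the value that corresponds to [Disable NetBIOS over TCP/IP]. Check the name resolution requirement from the note (Resolve-DnsName of the computer name, or the HOSTS file) before applying it.

```powershell
# Added example, not part of the Yokogawa TI: report and optionally disable
# NetBIOS over TCP/IP on all IP-enabled adapters. Elevated prompt required to apply.
# TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.

function Get-NetbiosReport {
    foreach ($cfg in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $state = switch ($cfg.TcpipNetbiosOptions) { 0 { 'Default' } 1 { 'Enabled' } 2 { 'Disabled' } default { "$_" } }
        [pscustomobject]@{
            Adapter   = $cfg.Description
            Index     = $cfg.InterfaceIndex
            IP        = ($cfg.IPAddress -join ', ')
            Netbios   = $state
            Compliant = ($cfg.TcpipNetbiosOptions -eq 2)
        }
    }
}

function Disable-NetbiosOverTcpip {
    param([switch]$Apply)
    foreach ($cfg in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        if ($cfg.TcpipNetbiosOptions -eq 2) { continue }   # already as required
        if ($Apply) {
            # Same setting as the WINS tab; ReturnValue 0 means success.
            $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            Write-Host "$($cfg.Description): SetTcpipNetbios returned $($r.ReturnValue)"
        } else {
            Write-Host "$($cfg.Description): would disable NetBIOS over TCP/IP (run with -Apply)"
        }
    }
}

Get-NetbiosReport | Format-Table -AutoSize
Disable-NetbiosOverTcpip   # add -Apply to change the adapters
```

Run the report again after the change; adapters that are added later (for example a new network card or VPN adapter) come up with the default setting and need the same treatment.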

8.8 Applying Syskey

This function, introduced in Windows NT 4.0 Service Pack 3 and later, protects confidential information contained in the host and serves as an effective measure against offline attacks. The confidential information includes the SAM data (password hash information on a local machine), Active Directory and the LSA secrets (password information stored by services or dial-up functions). The following three types of protective function are provided. Type 2 is recommended for FAST/TOOLS. This type requires the entry of a password each time a terminal starts up.

Protective Function
Type 1: Stores a Syskey key in the registry. (Default)
Type 2: Creates a Syskey key based on the startup password. (Recommended)
Type 3: Stores a Syskey key on a floppy disk and requires the disk upon startup.

Setting Procedure
Configure type 2 using the following steps:
1. Enter "Syskey" at the command prompt and press the Enter key.
2. Select [Encryption Enabled] and click the [Update] button.

Figure Securing the Account Database

3. Select [Password Startup], enter a password, and then click [OK] button.

Figure Startup Key

8.9 Interactive logon

The option that removes the CTRL+ALT+DEL requirement for interactive logon must be disabled. This means that the SAS (Secure Authentication Sequence) [Ctrl+Alt+Del] must be pressed to start a logon.

Setting Procedure
1. Open the Group Policy Object Editor focused on the local system (i.e. Local Computer Policy).
   - If the server is a member of a domain, the parameter should be applied at the container of that server.
   - If it is not a member of a domain, the parameter should be applied via the Local Computer Policy.
2. Navigate to the following subtree location: Security Settings\Local Policies\Security Options
3. Verify that the [Disabled] radio button is selected for the security option labelled "Interactive logon: Do not require CTRL+ALT+DEL".
4. Close the Group Policy Object Editor.

8.10 Disable recovery console

Automatic logon as a standard operating procedure is a known security risk and should not be used, especially with administrator privileges. In the known, limited environments where automated logon is unavoidable, strong passwords must still be used for these services and proper documentation must be kept.

Setting Procedure
1. Open the Group Policy Object Editor focused on the local system (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Double-click "Recovery Console: Allow automatic administrative logon".
4. Confirm that the setting is disabled.
5. Click OK.
6. Close the Group Policy Object Editor.
Note: Since Windows Server 2012 R2 the Start button has been replaced with the Metro interface button. Right-click the Metro interface button to access Run, or click it to get to the Admin Tools.

8.11 Set user rights for certain system-wide base attributes

Only appropriate administrative groups must be able to redefine certain base system-wide attributes such as COM ports, serial ports or printers.

Setting Procedure
Start, Run, MMC, and then add the Group Policy Object Editor: open File, Add/Remove Snap-in, and add the Group Policy Object Editor focused on the local computer.
1. Open the Group Policy Object Editor focused on the appropriate OU or the Local Computer Policy.
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3. Double-click the security option labelled "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)".
4. Verify that the "Define this policy" check box is selected and that the [Enabled] radio button is selected.
5. Click Cancel.
6. Close the Group Policy Object Editor.
Note: For Windows 10/Windows Server 2016 the Start button has been replaced with the Metro interface button. Right-click the Metro interface button to access "Run".

8.12 Limit access to CD-ROM from network

For centrally controlled domains, this control object should be implemented in a GPO for the domain. For member servers that are not part of a domain, these settings should be implemented in the Local Computer Policy.

Setting Procedure
Start, Run, MMC, and then add the Group Policy Object Editor: open File, Add/Remove Snap-in, and add the Group Policy Object Editor focused on the local computer.
1. Open the Group Policy Object Editor focused on the appropriate object.
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3. Verify that the [Enabled] radio button is selected for the security option labelled "Devices: Restrict CD-ROM access to locally logged-on user only".
4. Close the Group Policy Object Editor.
Note: For Windows 10/Windows Server 2016 the Start button has been replaced with the Metro interface button. Right-click the Metro interface button to access Run.
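Sections 8.1, 8.3 and 8.9 to 8.12 all end in a Local Security Policy "Security Options" entry, and each of those entries is backed by a registry value that Windows writes when the policy is applied. The following PowerShell is an added example, not part of this TI: it reads those registry values and compares them with the values the sections above ask for, giving one compliance report for all six settings. The registry locations and the numeric meanings (for instance LmCompatibilityLevel 3 = "Send NTLMv2 response only", and the NTLMv2 session security and 128-bit encryption flags in NTLMMinClientSec/NTLMMinServerSec) are the documented backing values of these policies, not something taken from the TI. The check is read-only on purpose: change the settings through the procedures above or a GPO, so that policy and registry stay in step.

```powershell
# Added example, not part of the Yokogawa TI: compare the registry values behind
# the Security Options of 8.1, 8.3 and 8.9-8.12 with the recommended settings.

$Checks = @(
    @{ Section='8.1';  Name='DontDisplayLastUserName'; Expect=1
       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Policy='Interactive logon: Do not display last user name (Enabled = 1)' }
    @{ Section='8.3';  Name='LmCompatibilityLevel'; Expect=3; AtLeast=$true
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Policy='LAN Manager authentication level (Send NTLMv2 response only = 3; 4 and 5 are stricter)' }
    @{ Section='8.3';  Name='NoLMHash'; Expect=1
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Policy='Do not store LAN Manager hash value on next password change (Enabled = 1)' }
    @{ Section='8.3';  Name='NTLMMinClientSec'; Expect=0x20080000; Mask=$true
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Policy='Minimum session security for NTLM SSP based clients (NTLMv2 0x00080000 + 128-bit 0x20000000)' }
    @{ Section='8.3';  Name='NTLMMinServerSec'; Expect=0x20080000; Mask=$true
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Policy='Minimum session security for NTLM SSP based servers (NTLMv2 0x00080000 + 128-bit 0x20000000)' }
    @{ Section='8.9';  Name='DisableCAD'; Expect=0
       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Policy='Interactive logon: Do not require CTRL+ALT+DEL (Disabled = 0)' }
    @{ Section='8.10'; Name='SecurityLevel'; Expect=0
       Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
       Policy='Recovery console: Allow automatic administrative logon (Disabled = 0)' }
    @{ Section='8.11'; Name='ProtectionMode'; Expect=1
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Policy='System objects: Strengthen default permissions of internal system objects (Enabled = 1)' }
    @{ Section='8.12'; Name='AllocateCDRoms'; Expect=1
       Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Policy='Devices: Restrict CD-ROM access to locally logged-on user only (Enabled = "1", stored as a string)' }
)

function Test-SecurityOption {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $ok = if ($null -eq $actual)  { $false }                                            # not set: OS default applies
          elseif ($Check.Mask)    { ([int]$actual -band $Check.Expect) -eq $Check.Expect } # both required flags present
          elseif ($Check.AtLeast) { [int]$actual -ge $Check.Expect }
          else                    { [int]$actual -eq $Check.Expect }
    [pscustomobject]@{
        Section   = $Check.Section
        Value     = $Check.Name
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Expected  = $Check.Expect
        Compliant = $ok
        Policy    = $Check.Policy
    }
}

$report = $Checks | ForEach-Object { Test-SecurityOption -Check $_ }
$report | Format-Table Section, Value, Actual, Expected, Compliant -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object { Write-Warning "$($_.Section): $($_.Policy)" }
```

"Not set" is reported as non-compliant even where the Windows default would satisfy the requirement, because a value that is not explicitly written cannot be distinguished from one that was never configured; the hardening procedures above write every value explicitly.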

8.13 Limit user right assignments

Perform the following steps to verify all user right assignment options described in this section:

Setting Procedure
1. Go to Start, Run, and enter MMC. Add the Group Policy Object Editor by selecting File, Add/Remove Snap-in, and add the Group Policy Object Editor. Focus the editor on the Local Computer.
2. Navigate to the following subtree location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3. Double-click each User Right.
4. Check the User Rights for each user.
5. Close the Group Policy Object Editor.

If Admin Tools are installed:
1. Go to Start, Admin Tools, Local Security Policy.
2. Navigate to the following subtree location: Security Settings\Local Policies\User Rights Assignment.
3. Double click on each User Right.
4. Check the User Rights for each user.
5. Close the Local Security Policy editor.
The following user right assignments should be checked:

• The User Right Assignment “access this computer from the network” must either be granted to no one, or to appropriate, managed service accounts and administrative groups only.
• The User Right Assignment “act as part of the operating system” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “back up files and directories” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “enable computer and user accounts to be trusted for delegation” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “impersonate a client after authentication” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “log on as a service” must either be granted to no one, or to appropriate, managed service accounts and administrative groups only.
• The User Right Assignment “perform volume maintenance tasks” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “restore files and directories” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.


• The User Right Assignment “synchronize directory service data” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “take ownership of files or other objects” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “adjust memory quotas for a process” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “change the system time” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “create a pagefile” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “create a token object” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “debug programs” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “force shutdown from a remote system” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “increase scheduling priority” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “lock pages in memory” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “modify firmware environment values” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “profile single process” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “profile system performance” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “replace a process level token” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “shut down the system” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
• The User Right Assignment “bypass traverse checking” must either be granted to no one or only to the “Allowed” users (including service accounts) or groups as defined in the project’s User Rights matrix.
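Checking each of these rights by hand in the editor does not scale across a fleet of servers. As an added example (not from the Yokogawa document), the following PowerShell script exports the local security policy with secedit.exe, resolves the SIDs it writes, and reports every holder of the rights listed above that is not on an allow list; the allow list shown is a constructed placeholder standing in for the project’s User Rights matrix.

```powershell
# Added example, not part of the Yokogawa document. Exports the local security
# policy with secedit.exe and reports which principals hold the user rights of
# section 8.13 without being on the allow list. Run from an elevated prompt.

# Privilege constants as written by secedit, mapped to the policy names above.
$RightsToCheck = @{
    'SeNetworkLogonRight'             = 'Access this computer from the network'
    'SeTcbPrivilege'                  = 'Act as part of the operating system'
    'SeBackupPrivilege'               = 'Back up files and directories'
    'SeEnableDelegationPrivilege'     = 'Enable computer and user accounts to be trusted for delegation'
    'SeImpersonatePrivilege'          = 'Impersonate a client after authentication'
    'SeServiceLogonRight'             = 'Log on as a service'
    'SeManageVolumePrivilege'         = 'Perform volume maintenance tasks'
    'SeRestorePrivilege'              = 'Restore files and directories'
    'SeSyncAgentPrivilege'            = 'Synchronize directory service data'
    'SeTakeOwnershipPrivilege'        = 'Take ownership of files or other objects'
    'SeIncreaseQuotaPrivilege'        = 'Adjust memory quotas for a process'
    'SeSystemtimePrivilege'           = 'Change the system time'
    'SeCreatePagefilePrivilege'       = 'Create a pagefile'
    'SeCreateTokenPrivilege'          = 'Create a token object'
    'SeDebugPrivilege'                = 'Debug programs'
    'SeRemoteShutdownPrivilege'       = 'Force shutdown from a remote system'
    'SeIncreaseBasePriorityPrivilege' = 'Increase scheduling priority'
    'SeLockMemoryPrivilege'           = 'Lock pages in memory'
    'SeSystemEnvironmentPrivilege'    = 'Modify firmware environment values'
    'SeProfileSingleProcessPrivilege' = 'Profile single process'
    'SeSystemProfilePrivilege'        = 'Profile system performance'
    'SeAssignPrimaryTokenPrivilege'   = 'Replace a process level token'
    'SeShutdownPrivilege'             = 'Shut down the system'
    'SeChangeNotifyPrivilege'         = 'Bypass traverse checking'
}

# Constructed placeholder allow list: replace with the project's User Rights matrix.
# A right that has no entry here may be granted to no one only.
$AllowedHolders = @{
    'SeNetworkLogonRight'     = @('BUILTIN\Administrators')
    'SeServiceLogonRight'     = @('NT SERVICE\ALL SERVICES')
    'SeShutdownPrivilege'     = @('BUILTIN\Administrators')
    'SeChangeNotifyPrivilege' = @('BUILTIN\Administrators', 'BUILTIN\Users',
                                  'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Convert-SidToName([string]$Sid) {
    # Translates S-1-5-... to DOMAIN\name; keeps the raw SID if it cannot be resolved.
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Export-LocalPrivilegeRights {
    # Returns a hashtable: privilege constant -> array of principals holding it.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        # secedit writes SIDs with a leading '*' and well-known names without it
        $holders = foreach ($p in $Matches[2].Split(',')) {
            $p = $p.Trim()
            if ($p.StartsWith('*')) { Convert-SidToName $p.Substring(1) } else { $p }
        }
        $rights[$name] = @($holders)
    }
    Remove-Item $cfg -Force
    return $rights
}

function Test-UserRightsAssignment {
    param([hashtable]$Current, [hashtable]$Allowed)
    # One finding per right that is held by a principal outside the allow list.
    # A right missing from the export is granted to no one, which is compliant.
    foreach ($name in ($RightsToCheck.Keys | Sort-Object)) {
        $unexpected = @($Current[$name]) | Where-Object { $_ -and ($Allowed[$name] -notcontains $_) }
        if ($unexpected) {
            [pscustomobject]@{
                Right             = $RightsToCheck[$name]
                Privilege         = $name
                UnexpectedHolders = ($unexpected -join '; ')
            }
        }
    }
}

$findings = Test-UserRightsAssignment -Current (Export-LocalPrivilegeRights) -Allowed $AllowedHolders
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'All checked user rights match the allow list.' }
```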

8.14 Enable “Do not allow enumeration of Security Accounts Manager (SAM) accounts”
The ability to discover information from a server can be used in conjunction with other data to launch attacks. The “Network access: Do not allow anonymous enumeration of SAM accounts” security option should be enabled.

Setting Procedure
• If Administrative Tools are enabled on the machine, go to Administrative Tools, Local Computer Policy.
• If the Administrative Tools are not enabled: Start, Run, MMC and then add Group Policy Object Editor. Open File, Add/Remove Snap-in, and add Group Policy Object Editor focused on the local computer.

1. Open the Group Policy Object Editor focused on the Local System (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Security Settings\Local Policies\Security Options.
3. Verify that the security option labelled “Network access: Do not allow anonymous enumeration of SAM accounts” is enabled.
4. Close the Group Policy Object Editor.

8.15 Guest account must be disabled
The Guest account must be disabled and the password set to be both long and complex. A long and complex password should be at least 15 characters and a mixture of lower/upper-case alphabetic characters, numeric characters, and special symbols.

Setting Procedure
Verify with the network administrator, and physically inspect, that the Guest account has been disabled.

8.16 The local administrator account must be renamed
Default system account names should be avoided since a pre-defined, known name could be used in conjunction with other information to perform an attack.

Setting Procedure
Verify that the local administrator account is renamed.

8.17 Auditing must be enabled for system events for success and failure
Being able to determine and correlate system events can be invaluable for system auditing and forensics in detecting abnormal behaviour.

Setting Procedure
1. Open the Group Policy Editor focused on the Local System (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. Double click on the audit option “Audit system events”.
4. Confirm that both the Success and the Failure check boxes are selected.
5. Click OK.
6. Close the Group Policy Editor.

8.18 Limit access to logs containing auditing information to appropriate support/administrative groups
Audit logs should only be visible to authorized administrative and service personnel.

Setting Procedure
1. Right click on the file in Explorer.
2. Choose Properties.
3. Select the Security tab.
4. Compare the current permissions to the recommendations.
5. Verify that the “Allow Inheritable Permissions from Parent to Propagate to this Object” checkbox has been deselected.
6. Repeat for all listed files.
7. Close Windows Explorer.
The following files must be secured:
%systemroot%\System32\Winevt\Logs\Application.evtx
%systemroot%\System32\Winevt\Logs\Security.evtx
%systemroot%\System32\Winevt\Logs\System.evtx
Permissions must be set as follows:
Allow Administrators, Full Control; EventLog, Full Control.
Acceptable, if present:
Allow System, Full Control
Allow appropriate support groups (e.g., Performance Monitoring, Audit, etc.) who have a business case to read these logs.

8.19 “Audit the access of global system objects” should not be enabled
Audit logs may contain information about the system usage and location of objects that could be used as a basis for an attack.

Setting Procedure
1. Open the Group Policy Object Editor focused on the appropriate object.
- If the server is a member of the domain, apply to the container of that server.
- If not a member of the domain, apply via the Local Computer Policy.
2. Navigate to the following subtree location: Security Settings\Local Policies\Security Options.
3. Verify that the Disabled checkbox for the security option labelled “Audit: Audit the access of global system objects” is selected.
4. Close the Group Policy Object Editor.

8.20 The system should not be shut down if the audit log becomes full
Generating events to fill the audit log could be used as a mechanism to force a shutdown and reduce system availability.

Setting Procedure
Verify that the “Audit: Shut down system immediately if unable to log security audits” security option has been disabled by performing the following steps:
1. Open the Group Policy Object Editor focused on the appropriate object.
- If the server is a member of the domain, the parameter should be applied at the container of that server.
- If not a member of the domain, the parameter should be applied via the Local Computer Policy.
2. Navigate to the following subtree location: Security Settings\Local Policies\Security Options.
3. Verify that the security option labelled “Audit: Shut down system immediately if unable to log security audits” is disabled.
4. Close the Group Policy Object Editor.

8.21 It must not be possible to shut down the server without logging on
System shutdown should be a controlled action, and allowing server shutdown without being a part of a controlled procedure can result in loss of system availability.

Setting Procedure
Start, Run, MMC and then add Group Policy Object Editor. Open File, Add/Remove Snap-in, and add Group Policy Object Editor focused on the local computer.
1. Open the Group Policy Object Editor focused on the appropriate object. If the server is a member of the domain, the parameter should be applied at the container of that server. If not a member of the domain, the parameter should be applied via the Local Computer Policy.
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Double click on the security option labelled “Shutdown: Allow system to be shut down without having to log on”.
4. Select the “Define this policy” check box.
5. Verify that the Disabled radio button is selected.
6. Click Cancel.
7. Close the Group Policy Object Editor.

8.22 The ability to format and eject removable media should be limited to appropriate administrative groups
Access to removable media should be limited to authorised personnel.

Setting Procedure
1. Open the Group Policy Editor focused on the Local System (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Double click on the security option labelled “Devices: Allowed to format and eject removable media”.
4. Confirm the appropriate administrative groups.
5. Click OK to confirm changes.
6. Close the Group Policy Editor.

8.23 Make the screen saver password protection immediate
In case a screensaver is used to lock the workstation after a period of inactivity, password protection should be applied immediately, without a grace period.

Setting Procedure
1. Click Start, Run.
2. Type Regedt32, then hit Enter.
3. Navigate to: HKLM\Software\Microsoft\Windows NT\CurrentVersion\\
4. Verify that the string value ScreenSaverGracePeriod exists and is set to zero (0).
5. Close Regedt32.

8.24 If the SNMP service is installed on a server, the default PUBLIC and PRIVATE community names must be changed
In order to reduce the potential attack surface of an SNMP interface, SNMP should either be disabled if it is not required by the project, or at least the default community names should be changed to reduce visibility from outside.

Setting Procedure
1. Open the Services snap-in.
2. Double click on the SNMP Service.
3. Select the Security tab.
4. Verify that the PUBLIC and PRIVATE community strings are not present.
5. Click Cancel.
To verify that SNMP is restricted to specific IP addresses, perform the following steps:
1. Verify that the radio button “Accept SNMP packets from these hosts” is selected.
2. Click Cancel.
3. Close the Services snap-in.
Note: If SNMP was not installed, the SNMP service will not show up in the Services snap-in at all.

8.25 The use of SSL 2.0 or SSL 3.0 is prohibited
Due to known vulnerabilities, the use of SSL 2.0 or SSL 3.0 is prohibited and both should be disabled.

Setting Procedure
Server:
SSL 2.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled = 0)
SSL 3.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled = 0)
Client:
SSL 2.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\Enabled = 0)
SSL 3.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client\Enabled = 0)

8.26 TLS 1.0 and TLS 1.1 must be disabled and TLS 1.2 enabled
TLS 1.0 and TLS 1.1 must be disabled and TLS 1.2 enabled. A server that cannot use TLS 1.2 should be registered as an exception in the IT environment and isolated appropriately.

Setting Procedure
Server:
TLS 1.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled = 0)
TLS 1.1 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled = 0)
Client:
TLS 1.0 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled = 0)
TLS 1.1 Disabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled = 0)
Client and Server:
TLS 1.2 Enabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled = 1)
TLS 1.2 Enabled (HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled = 1)

8.27 Secure the registry to prevent modification to the list of programs that are run upon start-up
Allowing users access to the list of programs allowed to run at start-up could be used as an attack vector to run malware.

Setting Procedure
Verify that appropriate security settings exist on the following registry keys:

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

8.28 Write access to the registry’s AllowedPaths and AllowedExactPaths must be limited to appropriate administrative groups
Allowing users access to the list of programs allowed to run at start-up could be used as an attack vector to run malware.

Setting Procedure
Limit write access to the allowed paths registry key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths) to the appropriate administrative groups by performing the following steps:
1. Click Start, Run.
2. Type regedt32.
3. Select the AllowedPaths key.
4. Choose the Security menu and select the Permissions option.
5. The following permissions should be set:
- ALLOW Administrators Full Control
- Review additional users and groups for appropriate access. (See Notes below.)
6. Click OK to confirm changes.
7. Open the Machine REG_MULTI_SZ (Multi-String) value.
8. Set/verify the AllowedPaths. (See Notes below for acceptable Allowed Paths.)
9. Repeat steps 3-8 for the AllowedExactPaths key.
10. Close Regedt32.
Note: Any additional user or group (local or domain) with Read access is acceptable. The following additional groups or users may have Full Control and are acceptable:
BUILTIN\Backup Operators (Full Control)
NT AUTHORITY\SYSTEM (Full Control)
What should not have any access: Everyone
The following are the default Allowed Paths:
- HKLM\System\CurrentControlSet\Control\Print\Printers
- HKLM\System\CurrentControlSet\Services\Eventlog
- HKLM\Software\Microsoft\OLAP Server
- HKLM\System\CurrentControlSet\Control\ContentIndex
- HKLM\System\CurrentControlSet\Control\Terminal Server
- HKLM\System\CurrentControlSet\Control\Terminal Server\UserConfig
- HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKLM\System\CurrentControlSet\Services\SysmonLog

The following are the default Allowed Exact Paths:
- HKLM\System\CurrentControlSet\Control\ProductOptions
- HKLM\System\CurrentControlSet\Control\Server Applications
- HKLM\Software\Microsoft\Windows NT\CurrentVersion
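Sections 8.18, 8.27 and 8.28 all come down to the same check: which principals can modify a protected object, and whether Everyone has any access at all. As an added example (not from the Yokogawa document), this PowerShell script reads the ACL of each event log file and registry key named in those sections and reports any entry that deviates; the allow lists are built only from the principals the sections name, so extend them with the project’s own support groups.

```powershell
# Added example, not part of the Yokogawa document. Lists access-control entries
# on the event log files (8.18), the Run/RunOnce keys (8.27) and the winreg
# AllowedPaths/AllowedExactPaths keys (8.28) and flags entries that give
# Everyone any access or give modify rights to a principal outside the allow
# list. Run from an elevated prompt (the Security log ACL is not readable otherwise).

$Targets = @(
    "$env:SystemRoot\System32\Winevt\Logs\Application.evtx"
    "$env:SystemRoot\System32\Winevt\Logs\Security.evtx"
    "$env:SystemRoot\System32\Winevt\Logs\System.evtx"
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths'
)

# Principals that may hold modify/full control, taken from sections 8.18 and 8.28.
# Read-only entries for additional support groups are accepted without being listed.
$FileWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\EventLog')
$KeyWriters  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Backup Operators')

# Rights bits that allow modification (FileSystemRights / RegistryRights values for
# write data, set value, create subkey, write attributes, delete, change permissions,
# take ownership) plus the GENERIC_ALL and GENERIC_WRITE bits seen on inherited entries.
$FileWriteMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$KeyWriteMask  = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-ProtectedObjectAcl {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Object = $path; Principal = ''; Finding = 'not found' }
            continue
        }
        $isKey   = $path -like 'HKLM:*'
        $writers = if ($isKey) { $KeyWriters } else { $FileWriters }
        $mask    = if ($isKey) { $KeyWriteMask } else { $FileWriteMask }
        $acl     = Get-Acl -LiteralPath $path
        # 8.18 step 5: inheritance from the parent folder must be switched off on the log files.
        if (-not $isKey -and -not $acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Object = $path; Principal = ''; Finding = 'inherits permissions from parent' }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
            $who    = $ace.IdentityReference.Value
            $rights = if ($isKey) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
            $label  = '0x{0:X}' -f $rights
            if ($who -eq 'Everyone') {
                [pscustomobject]@{ Object = $path; Principal = $who; Finding = "Everyone has access ($label)" }
            } elseif (($rights -band $mask) -ne 0 -and $writers -notcontains $who) {
                [pscustomobject]@{ Object = $path; Principal = $who; Finding = "can modify ($label)" }
            }
        }
    }
}

$findings = Test-ProtectedObjectAcl -Paths $Targets
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No deviations found.' }
```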

8.29 Permissions granted to the Everyone group must not apply to anonymous users
If anonymous users are granted “Everyone” group permissions, anonymous users can access all resources available to this group, which could be used as an attack vector.

Setting Procedure
For a member server, this control objective should be set at the domain level within the Group Policy Object for the Domain. Refer to the Domain Controller Security Standards for additional information.
To remove anonymous users from the Everyone group by using local security settings:
1. Click Start, point to Programs, point to Administrative Tools, and then click either Local Security Policy or Domain Security Policy (on domain controllers only).
2. Click Security Settings, expand Local Policies, and then click Security Options.
3. Right-click “Let Everyone permissions apply to anonymous users”, and then click Properties.
4. To prevent the inclusion of the Everyone security group SID in the anonymous user’s access token (the Windows XP default), click Disabled.
The Group Policy control “Network access: Let Everyone permissions apply to anonymous users” should remain disabled. This is equivalent to configuring the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
EveryoneIncludesAnonymous = 0 (REG_DWORD)

8.30 Network protocols that are not required must be removed
To reduce the potential attack surface of a server, any unused applications, services and network protocols should be removed.

Setting Procedure
Do not install the following network protocols when building a server:
- AppleTalk
- DLC
- NetBEUI
- NWLink
If any of these protocols has been installed, uninstall it by performing the following steps:
1. Right click on the “Network” desktop icon and select Properties (this will open the Network and Dial-up Connections control panel).
2. For Windows Server 2008: click on the “Manage Network Connections” link. For Windows Server 2008 R2: click on “Change adapter settings”.
3. Right click on each network interface and select Properties.
4. Highlight the desired protocols and select the Uninstall button.
5. Click Yes when prompted.
6. Repeat steps 2-4 for each network interface and each unnecessary protocol.
7. Close the Network Connections dialog box.

8.31 If TCP/IP is installed on a system, TCP/IP protocol settings must be deployed to enhance network security
TCP/IP protocol settings should be carefully considered to enhance network security. Since there may be policies or connection requirements that limit the types of settings to be applied, this must be considered on a case-by-case basis.

Setting Procedure
1. Click Start, Run.
2. Type Regedt32, then hit Enter.
3. Navigate to: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4. For each of the sub-keys in the control procedure above, ensure the proper type and value are assigned.
5. Close Regedt32.
6. Confirm that documentation exists and is updated for any changed settings.

8.32 Safe DLL search order must be enabled
It is possible to attack a system by placing malicious DLLs on it and then letting the system locate them through the default search paths. Safe DLL search mode prevents the system from trying to locate DLLs outside the installation folder and known system folders.

Setting Procedure
1. Click Start, Run.
2. Type Regedt32, then hit Enter.
3. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
4. If the SafeDllSearchMode DWORD value does not exist, create it.
5. Set it to one (1).
6. Close Regedt32.
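Sections 8.25, 8.26, 8.29 and 8.32 each prescribe a registry value, and checking them one by one in Regedt32 is where drift goes unnoticed. As an added example (not from the Yokogawa document), this PowerShell script audits all of those values as one baseline and, with an assumed -Fix switch of this example’s own, writes the prescribed value where it is missing or wrong.

```powershell
# Added example, not part of the Yokogawa document. Audits (and with -Fix sets)
# the registry values prescribed by sections 8.25, 8.26, 8.29 and 8.32. Keys,
# names and values are those listed in the document; the DWORD type is the
# type Windows uses for these values. SCHANNEL changes apply after a restart.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# One entry per required value: Key, Name, expected Value, registry Type.
$Baseline = @(
    # 8.25 / 8.26: SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 disabled for server and client
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            @{ Key = "$Schannel\$proto\$side"; Name = 'Enabled'; Value = 0; Type = 'DWord' }
        }
    }
    # 8.26: TLS 1.2 enabled for server and client
    foreach ($side in 'Server', 'Client') {
        @{ Key = "$Schannel\TLS 1.2\$side"; Name = 'Enabled'; Value = 1; Type = 'DWord' }
    }
    # 8.29: Everyone permissions must not apply to anonymous users
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'EveryoneIncludesAnonymous'; Value = 0; Type = 'DWord' }
    # 8.32: safe DLL search mode
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'SafeDllSearchMode'; Value = 1; Type = 'DWord' }
)

function Test-RegistryBaseline {
    param([array]$Items, [switch]$Fix)
    # Emits one row per baseline value. A missing value counts as non-compliant
    # because the document requires each value to be set explicitly.
    foreach ($item in $Items) {
        $actual = $null
        if (Test-Path -LiteralPath $item.Key) {
            $actual = (Get-ItemProperty -LiteralPath $item.Key -Name $item.Name `
                           -ErrorAction SilentlyContinue).($item.Name)
        }
        $ok = ($null -ne $actual) -and ([int]$actual -eq $item.Value)
        if (-not $ok -and $Fix) {
            # -Force on New-Item creates the intermediate protocol keys as needed
            if (-not (Test-Path -LiteralPath $item.Key)) { New-Item -Path $item.Key -Force | Out-Null }
            New-ItemProperty -LiteralPath $item.Key -Name $item.Name -Value $item.Value `
                             -PropertyType $item.Type -Force | Out-Null
            $actual = $item.Value
            $ok = $true
        }
        [pscustomobject]@{
            Key       = $item.Key -replace '^HKLM:\\', 'HKLM\'
            Name      = $item.Name
            Expected  = $item.Value
            Actual    = if ($null -eq $actual) { '<absent>' } else { $actual }
            Compliant = $ok
        }
    }
}

$report = Test-RegistryBaseline -Items $Baseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Baseline deviations found; re-run with -Fix from an elevated prompt to set the prescribed values.'
}
```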

8.33 NTFS should be used on all non-removable partitions
NTFS v3.1 is the latest NTFS release. Although additional features have been added to the file system, the core has been the same since Windows 2000, and it is sometimes referred to as NTFS 5 to correspond with the Windows operating system version 5 with which it was introduced.

Setting Procedure
NTFS 5 should be used on all non-removable partitions. If there is a compelling business need to use non-NTFS partitions, access to such partitions must be local (not shared) or limited to appropriate administrative groups. Upgrade all partitions to NTFS v3.1. This should be performed through the installation of Windows. To convert a FAT partition to NTFS, the following command can be entered (X: is the drive letter of the partition):

- convert X: /fs:ntfs /v

8.34 “Interactive Logon: Prompt user to change password before expiration” parameter should be set to 14 days
In an OT environment operator workstations are normally manned 24/7 and not subject to interactive login. For workstations that are not accessed 24/7, especially in IT domains, it is good practice to force the user to change their password at regular intervals. How often this happens should be decided according to the company security policy. The user should be given sufficient advance warning of this event to allow for absence and access to the system.

Setting Procedure
If Admin Tools are enabled on the machine, go to Admin Tools, Local Security Policy.
1. Navigate to the following subtree location: Security Settings\Local Policies\Security Options.
2. Confirm the security option labelled “Interactive Logon: Prompt user to change password before expiration” is set to 14 days.
3. Close Administrative Tools.
If the Admin Tools are not enabled: Start, Run, MMC and then add Group Policy Object Editor. Open File, Add/Remove Snap-in, and add Group Policy Object Editor focused on the local computer.
1. Open the Group Policy Editor focused on the Local System (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Confirm the security option labelled “Interactive Logon: Prompt user to change password before expiration” is set to 14 days.
4. Close the Group Policy Editor.

8.35 Disable “Microsoft network client: Send unencrypted password to third party SMB servers”
SMB is a common method for remote file access. Ideally this should not be used in an OT environment, but in case it is, password protection should be enforced.

Setting Procedure
For centrally controlled domains, this control objective should be implemented within a GPO for the domain. For member servers which are not part of a domain, these settings should be implemented in the Local Computer Policy.
If Admin Tools are enabled on the machine, go to Admin Tools, Local Security Policy.
1. Navigate to the following subtree location: Security Settings\Local Policies\Security Options.
2. Confirm the security option labelled “Microsoft network client: Send unencrypted password to third party SMB servers” is disabled.
3. Close Administrative Tools.
If the Admin Tools are not enabled: Start, Run, MMC and then add Group Policy Object Editor. Open File, Add/Remove Snap-in, and add Group Policy Object Editor focused on the local computer.
1. Open the Group Policy Editor focused on the Local System (i.e. Local Computer Policy).
2. Navigate to the following subtree location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Confirm the security option labelled “Microsoft network client: Send unencrypted password to third party SMB servers” is disabled.
4. Close the Group Policy Editor.

8.36 Unique password for renamed Administrator account across all servers
It is bad practice to use the same password across multiple systems and services. The Administrator account should therefore have a unique password on each server.

Setting Procedure
Verify with the network administrator that Administrator-level account passwords are unique across all managed servers. Change the password for the renamed Administrator account and any other Administrator-equivalent accounts by performing the following steps:
1. Start -> Programs -> Administrative Tools -> Server Manager.
2. Expand Configuration.
3. Expand the Local Users and Groups tree.
4. Select the Users folder.
5. Right click on the renamed Administrator account and select Set Password.
6. Enter the new, complex password in both the New Password and the Confirm Password fields.
7. Click OK to close.

9 Collaboration with Other Programs
This section describes the procedures required for linking FAST/TOOLS with the YOKOGAWA solution-based software packages. However, this description covers the procedures for currently released products. Please check the user’s manuals of the solution-based software packages for products released after this release of FAST/TOOLS. The descriptions in this section are written with the assumption that users are experienced in computer administration. Detailed procedures for add-ons to user creation and groups are not described.

9.1 STARDOM (HSE)

Network connection

Figure: SCADA server – STARDOM

FAST/TOOLS accesses the data in STARDOM FCN/FCJ over Ethernet (TCP/IP) through the HSE interface.

Setting Procedure
1. Define the personal firewall exceptions. Define the standard exceptions and the following exceptions. Refer to 3. Windows Firewall and 11.2.3 Personal firewall exceptions.

Table Firewall Port Exceptions
Port number  Protocol  Description  Where used
1090         TCP       HSE          SCADA server

Table Firewall Program Exceptions
Application  Description  Where used
EQPFCX       eqpfcx.exe   SCADA server

2. Configure EQUIPMENT/FAST. Define the TCP/IP line type and STARDOM-FCX equipment. Refer to EQUIPMENT/FAST System Integrator’s Manual IM50L07L02-21E.
3. Create I/O points on FAST/TOOLS.

9.2 ProSafe-RS (Vnet/IP)

Network connection


Figure: SCADA server – ProSafe-RS (SCS)

FAST/TOOLS accesses the data in the SCS via Vnet/IP.

Setting Procedure
1. Install the Vnet/IP card and driver. Refer to Integration with FAST/TOOLS IM 32P56H20-01EN.
2. Define the personal firewall exceptions. Define the standard exceptions and the following exceptions. Refer to 3. Windows Firewall and 11.2 Personal firewall exceptions.

Table Firewall Port Exceptions
Port number  Protocol  Description     Where used
5313         UDP                       SCADA server
9940         UDP       For Vnet/IP R9  SCADA server
6000         UDP       Open PIO        SCADA server

Table Firewall Program Exceptions
Application  Description  Where used
EQPVNET      eqpvnet.exe  SCADA server

3. Configure EQUIPMENT/FAST. Define the Vnet line type and ProSafe-RS equipment. Refer to EQUIPMENT/FAST System Integrator’s Manual IM 50L07L02-01EN/R9.03.
4. Create I/O points on FAST/TOOLS.

9.3 Matrikon OPC Server (OPC)

Network connection

Figure: SCADA server – Matrikon OPC server

FAST/TOOLS accesses the data in the OPC server over Ethernet (TCP/IP) through the OPC interface. The SCADA server is an OPC client in this system.

Setting Procedure
1. Install the Matrikon OPC client software on the SCADA server.
2. Define accounts. Define a user account to access both client and server machines. This account will be referred to as the OPC user account. For a domain the account only needs to be defined once, on the domain controller. For a workgroup, the same account needs to be defined twice: once on the client machine and once on the server machine. The following restrictions apply:
- A password must be defined (a blank password or the password “admin” is not allowed).
- The user name and password must be IDENTICAL on both machines.

- The OPC client (SCADA server) should run under the user account defined above.
- The OPC server must be launched under the user account defined above.
3. Configure the local security policy, DCOM and personal firewall exceptions. Refer to 11.2 Configuration for OPC for details. The following personal firewall exceptions must be defined.

Table Firewall Port Exceptions
Port number  Protocol  Description               Where used
135          TCP       RPC/DCOM                  OPC client and OPC server
139          TCP       NetBIOS Session Service   OPC client and OPC server
20500-20550  TCP       DCOM                      OPC client and OPC server
137          UDP       NetBIOS Name Resolution   OPC client and OPC server
138          UDP       NetBIOS Datagram Service  OPC client and OPC server
Note: The scope of the ports should be changed to “Any”.


Table Firewall Program Exceptions
Application                   Description             Where used
OPC Server                    opcsim.exe, UNWISE.exe  OPC server
OPC Client                    opxdac.exe              OPC client
Microsoft Management Console  %System32%\mmc.exe      OPC client and OPC server
OPCEnum                       OPC Emulation server    OPC server
Print and file sharing                                OPC client and OPC server

4. Configure EQUIPMENT/FAST. Define TCP/IP line type and OPC DA equipment.

Figure: Line Type and Station definitions for the OPC DA equipment
Note: The OPC server name is Matrikon.OPC.Simulation.

Refer to EQUIPMENT/FAST System Integrator’s Manual IM50L07L02-01EN/R9.03 for details.

5. Create I/O points on FAST/TOOLS.

9.4 Exaquantum (OPC)

Network connection

Figure: Exaquantum server – SCADA server

The Exaquantum server accesses the data in FAST/TOOLS over Ethernet (TCP/IP) through the OPC interface. The Exaquantum server is an OPC client, and the SCADA server is an OPC server in this system.

Setting Procedure
1. Install OPC client software (FAST/TOOLS OPC-DA Tunneler) on the Exaquantum server.
2. Define accounts. Create the “quantumuser” account on the SCADA server or domain controller. For a domain the account only needs to be defined once on the domain controller. For a workgroup, the same account needs to be defined on the Exaquantum server and on the SCADA server. The following restrictions apply:
- A password must be defined (a blank password or the password “admin” is not allowed).
- The user name and password must be IDENTICAL on both machines.
The “quantumuser” account on the Exaquantum server is created when Exaquantum is installed.
3. Configure local security policy, DCOM and personal firewall exceptions. Refer to 11.2 Configuration for OPC for details. The following personal firewall exceptions must be defined.

Table Firewall Port Exceptions
Port number | Protocol | Description | Where used
135 | TCP | RPC/DCOM | OPC client and OPC server
139 | TCP | NetBIOS Session Service | OPC client and OPC server
20500-20550 | TCP | DCOM | OPC client and OPC server
137 | UDP | NetBIOS Name Resolution | OPC client and OPC server
138 | UDP | NetBIOS Datagram Service | OPC client and OPC server
Note: The scope of the ports should be changed to “Any”.


Table Firewall Program Exceptions
Application | Description | Where used
OPC Server | opxdas12.exe | OPC server
OPC Client | Quantum.exe | OPC client
Microsoft Management Console | %System32%\mmc.exe | OPC client and OPC server
OPCEnum | OPC Emulation server | OPC server
Print and file sharing | | OPC client and OPC server
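As an added example (not part of the Yokogawa document), the following PowerShell creates the port and program exceptions from the firewall tables in 9.3 and 9.4 instead of clicking through the wizard in 10.2.3; the port rules are identical for both integrations, and the program entries shown are the Exaquantum ones (swap in opcsim.exe and opxdac.exe for the Matrikon case). The executable paths for opxdas12.exe, Quantum.exe and OPCEnum are assumptions and must be replaced with the actual installation locations; run it in an elevated PowerShell on the OPC server or OPC client.

```powershell
# Added example, not from the Yokogawa document. Creates the inbound Windows
# Firewall exceptions listed in the tables above for an OPC client/server pair.
# Run elevated. Executable paths marked "assumed path" must be adjusted.

$ErrorActionPreference = 'Stop'

# Port exceptions (identical for OPC client and OPC server). Remote scope "Any"
# as the table note requires; tighten -RemoteAddress to the peer's address
# where the network design allows it.
$portRules = @(
    @{ Name = 'OPC - RPC/DCOM 135/TCP';                 Protocol = 'TCP'; Port = '135' }
    @{ Name = 'OPC - NetBIOS Session Service 139/TCP';  Protocol = 'TCP'; Port = '139' }
    @{ Name = 'OPC - DCOM range 20500-20550/TCP';       Protocol = 'TCP'; Port = '20500-20550' }
    @{ Name = 'OPC - NetBIOS Name Resolution 137/UDP';  Protocol = 'UDP'; Port = '137' }
    @{ Name = 'OPC - NetBIOS Datagram Service 138/UDP'; Protocol = 'UDP'; Port = '138' }
)

# Program exceptions keyed by role, so only the rules for this machine are created.
$programRules = @{
    Server = @(
        @{ Name = 'OPC - FAST/TOOLS OPC server'; Path = 'C:\FAST_TOOLS\bin\opxdas12.exe' }     # assumed path
        @{ Name = 'OPC - OPCEnum';               Path = "$env:SystemRoot\System32\OpcEnum.exe" } # assumed path
    )
    Client = @(
        @{ Name = 'OPC - Exaquantum client';     Path = 'C:\Exaquantum\Quantum.exe' }           # assumed path
    )
    Both = @(
        @{ Name = 'OPC - Microsoft Management Console'; Path = "$env:SystemRoot\System32\mmc.exe" }
    )
}

function New-OpcFirewallRules {
    param([ValidateSet('Server', 'Client')][string]$Role)

    foreach ($r in $portRules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
                -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress Any -Profile Any | Out-Null
        }
    }
    foreach ($p in ($programRules[$Role] + $programRules['Both'])) {
        if (-not (Test-Path $p.Path)) {
            Write-Warning "$($p.Path) not found; adjust the assumed path"
            continue
        }
        if (-not (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Allow `
                -Program $p.Path -RemoteAddress Any -Profile Any | Out-Null
        }
    }
    # "Print and file sharing" is a built-in rule group: enable it instead of re-creating it.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

function Get-OpcFirewallRuleReport {
    # Lists what was opened, with port and address filters joined in, for review records.
    Get-NetFirewallRule -DisplayName 'OPC - *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

New-OpcFirewallRules -Role Server    # use -Role Client on the Exaquantum server
Get-OpcFirewallRuleReport | Format-Table -AutoSize
```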

4. Create items. Create items on the Exaquantum server to access the items on the SCADA server. The OPC flag must be enabled on the FAST/TOOLS items accessed by Exaquantum.

The OPC Server Type must be defined based on the existing OPC Server Type “FAST/TOOLS” on the Exaquantum server. The OPC-DA Server ProgID must be changed to that of the latest FAST/TOOLS OPC server.

Figure OPC Server Type Wizard

10 Appendix

10.1 Activation of ICMP on Windows Firewall
ICMP is used for network troubleshooting, so where ICMP traffic is to be allowed, the corresponding rules must be set to “enabled” in the Windows Firewall settings.

Windows 10 / Windows Server 2016
1. Log on as a user with administrative privileges and then launch [Control Panel] - [Administrative Tools].

Figure Administrative Tools

2. Double-click [Windows Firewall with Advanced Security].

Figure Windows Firewall with Advanced Security


3. Select [Inbound Rules] and then select the [Private] profile rule [File and Printer Sharing (Echo Request - ICMPv4-In)].

Figure Windows Firewall with Advanced Security

4. Tick the [Allow the connections] checkbox.

Figure File and Printer Sharing


5. Click the [Scope] tab.

Figure File and Printer Sharing

6. Confirm the ICMP response scope. If the destination is not in the local subnet, change the scope of [Remote IP Address] to an appropriate setting such as [Any IP Addresses], and click [OK].


Windows 10 / Windows Server 2016
1. Log on as a user with administrative privileges and then launch [Control Panel] - [Administrative Tools].

Figure Administrative Tools

2. Double-click [Windows Firewall with Advanced Security].

Figure Windows Firewall with Advanced Security


3. Select [Inbound Rules] and then select the [Private] profile rule [File and Printer Sharing (Echo Request - ICMPv4-In)].

Figure Windows Firewall with Advanced Security

4. Tick the [Allow the connections] checkbox.

Figure File and Printer Sharing


5. Click the [Scope] tab.

Figure File and Printer Sharing

6. Confirm the ICMP response scope. If the destination is not in the local subnet, change the scope of [Remote IP Address] to an appropriate setting such as [Any IP Addresses], and click [OK].
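The same change as steps 1 to 6 above, done from an elevated PowerShell prompt so it can be scripted and verified on many servers; this is an added example, not part of the Yokogawa document, and the profile and remote-address defaults are assumptions to adjust per site.

```powershell
# Added example, not from the Yokogawa document. Enables the built-in ICMPv4
# echo request rule for one profile and sets its remote scope, which is what
# steps 1-6 above do in the GUI. Run elevated.

function Enable-IcmpEchoRule {
    param(
        [ValidateSet('Domain', 'Private', 'Public')][string]$Profile = 'Private',
        # Keep 'LocalSubnet' unless the peer you need to ping is outside it;
        # 'Any' corresponds to the widest setting mentioned in step 6.
        [string]$RemoteAddress = 'LocalSubnet'
    )
    $displayName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

    # The rule exists once per profile set; select the one covering the requested profile.
    $rule = Get-NetFirewallRule -DisplayName $displayName |
        Where-Object { "$($_.Profile)" -match $Profile }
    if (-not $rule) { throw "Rule '$displayName' for profile $Profile not found" }

    $rule | Enable-NetFirewallRule
    $rule | Set-NetFirewallRule -RemoteAddress $RemoteAddress

    # Re-read the rule and return its state so the change can be verified and recorded.
    foreach ($r in $rule) {
        $now = Get-NetFirewallRule -Name $r.Name
        [pscustomobject]@{
            Rule          = $now.DisplayName
            Profile       = $now.Profile
            Enabled       = $now.Enabled
            RemoteAddress = ($now | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

Enable-IcmpEchoRule -Profile Private                       # answer pings from the local subnet only
# Enable-IcmpEchoRule -Profile Private -RemoteAddress Any  # peer is outside the local subnet
```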

10.2 Configuration for OPC
A common problem under Windows is that the client returns an “Access denied” error when connecting to an OPC server, even though the server appears in the remote server list. The following items must be configured to solve this problem:
- Local security policy
- DCOM configuration
- Personal firewall
This part describes these procedures.

10.2.1 Local security policy
1. The first security policy setting is to allow users to define remote objects. From the Start menu, activate Administrative Tools from the Control Panel and open Local Security Policy.

Figure Control Panel

Figure Administrative Tools


2. Select User Rights Assignment from the tree view. A list of policies will be displayed in the right-hand pane.
3. From the list of policies in the right-hand pane, select “Create permanent Shared Object”.

Figure Local Security Policy

4. Right-click and select Properties.

Figure Create permanent Shared Object


5. Fill in the name of the OPC user account.

Figure Create permanent Shared Object (Add Users or Groups)

The second policy setting is to allow applications to authenticate themselves as local users.
6. From the same Local Security Settings tree view, select Security Options. Scroll down until you see “Network Access: Sharing and security settings for local accounts”.

Figure Local Policies

7. Right click on this entry and select Properties.


8. Select “Classic - local users authenticate as themselves”.

Figure Network Access: Sharing and security settings for local accounts
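To check that both policy settings from 10.2.1 are actually in effect (for example after a Group Policy refresh), the following added PowerShell reads the user right back through secedit and the sharing model from its registry value; it is not part of the Yokogawa document, and the account name 'opcuser' is a placeholder for the site's OPC user account.

```powershell
# Added example, not from the Yokogawa document. Verifies the two Local Security
# Policy settings configured in 10.2.1 without opening the MMC. Run elevated.
# $OpcUser is the OPC user account defined earlier ('opcuser' below is a placeholder).

function Test-OpcLocalSecurityPolicy {
    param([Parameter(Mandatory)][string]$OpcUser)

    # 1. "Create permanent shared objects" = SeCreatePermanentPrivilege. Export only
    #    the user-rights area and pick that line.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeCreatePermanentPrivilege*' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    $holders = @()
    if ($line) {
        # secedit writes "*<SID>" entries; translate SIDs to account names where possible.
        $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
    }
    # Compare on the account part only, so both DOMAIN\user and user match.
    $hasRight = [bool]($holders | Where-Object { ($_ -split '\\')[-1] -eq $OpcUser })

    # 2. "Network access: Sharing and security model for local accounts" is stored in
    #    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest: 0 = Classic, 1 = Guest only.
    #    An absent value means the edition default (Classic on Pro/Server editions).
    $forceGuest = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                    -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest

    [pscustomobject]@{
        OpcUser                    = $OpcUser
        CreatePermanentSharedObjs  = $holders -join ', '
        OpcUserHasRight            = $hasRight
        SharingModel               = if ($forceGuest -eq 1) { 'Guest only' } else { 'Classic' }
        Compliant                  = $hasRight -and ($forceGuest -ne 1)
    }
}

Test-OpcLocalSecurityPolicy -OpcUser 'opcuser'   # placeholder account name
```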

10.2.2 DCOM configuration
A DCOM component is added by installing the OPC functions. By setting up access authority for every access group, each component is protected from impersonation, vandalism or theft via DCOM. This section involves using the DCOMCNFG utility to define the behavior of the distributed COM interface: the general computer behavior, the behavior for OPCEnum and the behavior for the OPC server. The following procedure describes how to define the general computer behavior and should be performed on both the client and server machines. Note that this allows access to any OPC server from any OPC client on the network.
1. Start DCOMCNFG from a command window.
2. First define the DCOM properties for the computer by double-clicking Component Services, double-clicking Computers, selecting My Computer, right-clicking and selecting Properties.

Figure My Computer Properties


3. In the Default Properties tab:
- Make sure “Enable Distributed COM on this computer” is checked.
- Set the “Default Authentication Level” to “Connect”.
- Set the “Default Impersonation Level” to “Identify”.

Figure Default Properties


4. In the COM Security tab:
- There are four buttons: “Edit Limits” and “Edit Defaults” for Access Permissions, and “Edit Limits” and “Edit Defaults” for Launch and Activation Permissions.
- In each of these dialogs add the users SYSTEM, INTERACTIVE, NETWORK, ANONYMOUS LOGON and the OPC user account.
- In each of the dialogs allow ALL permissions for ALL of the users defined above.

Figure COM Security


Figure Launch and Activation Permission, Access Permission


Setting the Restriction of Ports for DCOM
This procedure should be carried out on the OPC server and the OPC client.
5. On the Default Protocols tab, click Connection-oriented TCP/IP in the DCOM Protocols list box, and then click Properties.

Figure My Computer Properties (Default Protocols)

6. In the Properties for COM Internet Services dialog box, click Add.

Figure Properties for COM Internet Services


7. In the Port range text box, add a port range 20500-20550, and then click OK.

Figure Add Port Range

8. Leave the Port range assignment and the Default dynamic port allocation options set to Internet range.

Figure Properties for COM Internet Services
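DCOMCNFG stores the machine-wide settings from step 3 and steps 5 to 8 in the registry (HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Microsoft\Rpc\Internet), so they can be audited without the GUI. The following PowerShell is an added example, not part of the Yokogawa document, and reports each value against the settings the procedure above prescribes.

```powershell
# Added example, not from the Yokogawa document. Reads back the machine-wide
# DCOM settings configured in 10.2.2 (authentication/impersonation levels and
# the restricted port range) and flags deviations from the documented values.

function Test-OpcDcomMachineSettings {
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    # The Rpc\Internet key only exists once a port range has been defined.
    $rpc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue

    # Absent level values mean the DCOM built-in defaults, Connect (2) and
    # Identify (2), which is exactly what step 3 asks for.
    $authLevel = if ($null -ne $ole.LegacyAuthenticationLevel) { $ole.LegacyAuthenticationLevel } else { 2 }
    $impLevel  = if ($null -ne $ole.LegacyImpersonationLevel)  { $ole.LegacyImpersonationLevel }  else { 2 }

    $rows = @(
        @{ Setting = 'Enable Distributed COM on this computer'; Expected = 'Y';           Actual = "$($ole.EnableDCOM)" }
        @{ Setting = 'Default Authentication Level (2 = Connect)'; Expected = '2';        Actual = "$authLevel" }
        @{ Setting = 'Default Impersonation Level (2 = Identify)'; Expected = '2';        Actual = "$impLevel" }
        @{ Setting = 'DCOM port range (Ports)';                  Expected = '20500-20550'; Actual = ($rpc.Ports -join ',') }
        @{ Setting = 'Port range assignment = Internet range';    Expected = 'Y';          Actual = "$($rpc.PortsInternetAvailable)" }
        @{ Setting = 'Default dynamic port allocation = Internet'; Expected = 'Y';          Actual = "$($rpc.UseInternetPorts)" }
    )
    foreach ($r in $rows) {
        [pscustomobject]@{
            Setting   = $r.Setting
            Expected  = $r.Expected
            Actual    = $r.Actual
            Compliant = ($r.Actual -eq $r.Expected)
        }
    }
}

$result = Test-OpcDcomMachineSettings
$result | Format-Table -AutoSize
if ($result.Compliant -contains $false) { Write-Warning 'DCOM settings deviate from 10.2.2' }
```

The Rpc\Internet values take effect for newly started DCOM servers only, so the FAST/TOOLS OPC server must be restarted after the range is changed.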


The following steps apply only to the server machine and describe how to define the DCOM behaviour for OPCEnum and the OPC server.
9. In the DCOMCNFG window, open My Computer and then open DCOM Config. A list of DCOM applications will be displayed.

Figure DCOM Config


10. First find OPCEnum in the list, right-click and select Properties.
- In the General tab: set the Authentication Level to “Default”.
- In the Location tab: select “Run application on this computer”.
- In the Security tab: set Launch and Activation Permissions to “Use Default”, set Access Permissions to “Use Default”, and set Configuration Permissions to “Customize”.
- In the Identity tab: select “The system account”.

Figure OPCEnum Properties


11. Next find the OPC server in the list, right-click and select Properties.
- In the General tab: set the Authentication Level to “Connect”.
- In the Location tab: select “Run application on this computer”.
- In the Security tab: set Launch and Activation Permissions to “Use Default”, set Access Permissions to “Use Default”, and set Configuration Permissions to “Customize”.
- In the Identity tab: select “This user” and enter the user name and password of the OPC user account.

Figure FAST/TOOLS OPC DA server Properties

10.2.3 Personal Firewall exceptions
The Windows firewall is active by default on Windows XP SP2 and later Windows systems. For OPC connections the following applications should be defined as exceptions in the firewall:
- OPC server (OPC server machine only)
- OPC client (OPC client machine only)
- Microsoft Management Console (located in C:\Windows\System32\mmc.exe) (both client and server machines)
- OPCEnum (OPC server machine only)
- Print and file sharing
- DCOM TCP port 135

Windows 10
1. From the Start menu, activate Administrative Tools from the Control Panel and open Windows Firewall.

Figure Control Panel


2. Select Advanced settings.

Figure Windows Firewall

Figure Advanced settings


3. To add a rule, open Inbound Rules and then select ‘New Rule…’ to invoke the wizard.

Figure Add a New Rule

4. Adding a Program Rule
To add a program rule allowing DCOM connections to a particular program, follow the steps shown in Figure Type of rule (Program) to Figure Name and description of this rule.

Figure Type of rule (Program)


Figure Apply to a specific program

Figure Allow the connection


Figure When does this rule apply?

Figure Name and description of this rule


5. Adding a Port Rule
To add a port rule, choose the Port option and follow the steps from Figure Type of rule (Port) to Figure Apply to specific ports.

Figure Type of rule (Port)

Figure Apply to specific ports

The remaining steps are the same as for the Program rule.


6. Amending an existing Rule
Select an existing rule and double-click it, then edit it in the Properties box to amend it. From here additional definitions for the rule may be added, for example specifying which source computers the inbound rule applies to.

Figure DCOM Port-No Properties

Windows Server 2016
1. From the Start menu, activate Administrative Tools from the Control Panel and open Windows Firewall.

Figure Control Panel


2. Select Advanced settings.

Figure Windows Firewall

Figure Advanced settings


3. To add a rule, open Inbound Rules and then select ‘New Rule…’ to invoke the wizard.

Figure Add a New Rule

4. Adding a Program Rule
To add a program rule allowing DCOM connections to a particular program, follow the steps shown in Figure Type of rule (Program) to Figure Name and description of this rule.

Figure Type of rule (Program)


Figure Apply to a specific program

Figure Allow the connection


Figure When does this rule apply?

Figure Name and description of this rule


5. Adding a Port Rule
To add a port rule, choose the Port option and follow the steps from Figure Type of rule (Port) to Figure Apply to specific ports.

Figure Type of rule (Port)

Figure Apply to specific ports


The remaining steps are the same as for the Program rule.
6. Amending an existing Rule
Select an existing rule and double-click it, then edit it in the Properties box to amend it. From here additional definitions for the rule may be added, for example specifying which source computers the inbound rule applies to.

Figure DCOM Port-No Properties

10.3 Installed Services
The following table lists all installed services with the default versus the recommended setting.
Note: This table describes Windows 10 Professional services. Not all services described in the table may be running on the system, depending on hardware and software driver differences and the Windows edition being used.

Table Installed Services (1/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
ActiveX Installer (AxInstSV) | AxInstSV | Manual | Manual |
AllJoyn Router Service | AJRouter | Manual (Trigger Start) | Manual |
App Readiness | AppReadiness | Manual | Manual |
Application Host Helper Service ** | AppHostSvc | Not Installed | Not Installed | If installed (Automatic, Running)
Application Identity | AppIDSvc | Manual (Trigger Start) | Manual |
Application Information | Appinfo | Manual (Trigger Start, Running) | Manual |
Application Layer Gateway Service | ALG | Manual | Disabled * | Old functionality no longer needed.
Application Management | AppMgmt | Manual | Manual | Required for Group Policy software management
AppX Deployment Service (AppXSVC) | AppXSVC | Manual | Manual | Windows Store integration. Cannot be disabled via services.msc
ASP.NET State Service ** | aspnet_state | Not Installed | Not Installed | If installed: (Manual)
Auto Time Zone Updater | tzautoupdate | Disabled | Disabled |
Background Intelligent Transfer Service | BITS | Manual or Automatic (Delayed Start, Running) | Automatic (Delayed Start) | Manual or Automatic (Delayed Start, Running) depending on other optional services installed
Background Tasks Infrastructure Service | BrokerInfrastructure | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Base Filtering Engine | BFE | Automatic (Running) | Automatic | Do not disable due to Windows Firewall integration
BitLocker Drive Encryption Service | BDESVC | Manual (Trigger Start) | Manual | Do not disable if using storage encryption.
Block Level Backup Engine Service | Wbengine | Manual | Manual | Used by Windows Backup
Bluetooth Handsfree Service | BthHFSrv | Manual (Trigger Start) | Manual | Wireless headsets.
Bluetooth Support Service | Bthserv | Manual (Trigger Start) | Manual | Disable if no requirement for Bluetooth devices is desired.
BranchCache | PeerDistSvc | Manual | Disabled * | Used by Windows Update for download sharing.
Capability Access Manager Service | Camsvc | Manual | Manual | New
Certificate Propagation | CertPropSvc | Manual | Manual | Used with Smart Card login. No harm in keeping the default Manual mode.


Table Installed Services (2/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Claims to Windows Token Service ** | c2wts | Not Installed | Not Installed | If installed: (Manual)
Client for NFS | NfsClnt | Not Available | Disabled * | Network File System Client available in Education/Enterprise versions.
Client License Service (ClipSVC) | ClipSVC | Manual (Trigger Start) | Manual | Cannot be disabled via services.msc
CNG Key Isolation | KeyIso | Manual (Trigger Start, Running) | Manual | Do not disable.
COM+ Event System | EventSystem | Automatic (Running) | Automatic | Do not disable.
COM+ System Application | COMSysApp | Manual | Manual | Do not disable.
Computer Browser | Browser | Manual (Trigger Start) | Manual | Network discovery of systems on local network.
Connected Device Platform Service | CDPSvc | Automatic (Delayed Start, Trigger Start) | Automatic (Delayed Start) |
Connected Devices Platform User Service_????? | CDPUserSvc_????? | Automatic (Running) | Automatic |
Connected User Experiences and Telemetry | DiagTrack | Automatic (Running) | Automatic | Feedback and Diagnostics.
Contact Data_????? | PimIndexMaintenanceSvc_????? | Manual | Manual | Cannot be disabled via services.msc
CoreMessaging Registrar | CoreMessaging | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Credential Manager | VaultSvc | Manual | Manual | Do not disable.
Cryptographic Services | CryptSvc | Automatic (Running) | Automatic | Do not disable.
Data Sharing Service | DsSvc | Manual (Trigger Start) | Manual |
Data Usage | DusmSvc | Automatic (Running) | Automatic |
DCOM Server Process Launcher | DcomLaunch | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Delivery Optimization | DoSvc | Automatic (Delayed Start) | Automatic (Delayed Start) |
Device Association Service | DeviceAssociationService | Manual (Trigger Start) | Manual |
Device Install Service | DeviceInstall | Manual (Trigger Start) | Manual |
Device Management Enrollment Service | DmEnrollmentSvc | Manual | Manual |
Device Setup Manager | DsmSVC | Manual (Trigger Start) | Manual |
Devices Flow_????? | DevicesFlowUserSvc_????? | Manual | Manual | Cannot be disabled via services.msc
DevQuery Background Discovery Broker | DevQueryBroker | Manual (Trigger Start) | Manual |


Table Installed Services (3/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
DHCP Client | Dhcp | Automatic (Running) | Automatic | Do not disable.
Diagnostic Execution Service | Diagsvc | Manual | Manual | New.
Diagnostic Policy Service | DPS | Automatic (Running) | Automatic |
Diagnostic Service Host | WdiServiceHost | Manual (Running) | Manual |
Diagnostic System Host | WdiSystemHost | Manual | Manual |
Distributed Link Tracking Client | TrkWks | Automatic (Running) | Automatic |
Distributed Transaction Coordinator | MSDTC | Manual | Manual |
dmwappushsvc | dmwappushsvc | Manual (Trigger Start) | Disabled * |
DNS Client | Dnscache | Automatic (Trigger Start, Running) | Automatic | Do not disable.
Downloaded Maps Manager | MapsBroker | Automatic (Delayed Start) | Disabled * |
DS Role Server ** | DsRoleSvc | Not Installed | Not Installed | If installed: (Manual)
Embedded Mode | embeddedmode | Manual (Trigger Start) | Manual |
Encrypting File System (EFS) | EFS | Manual (Trigger Start) | Manual | Do not disable.
Enterprise App Management Service | EntAppSvc | Manual | Manual | Cannot be disabled via services.msc
Fax ** | Fax | Manual | Uninstalled * |
File History Service | Fhsvc | Manual (Trigger Start) | Manual | Used by Windows Backup.
Function Discovery Provider Host | fdPHost | Manual | Manual |
Function Discovery Resource Publication | FDResPub | Manual (Running) | Manual |
Geolocation Service | Lfsvc | Manual (Trigger Start, Running) | Disabled * |
GraphicsPerfSvc | GraphicsPerfSvc | Manual (Trigger Start) | Manual | New
Group Policy Client | Gpsvc | Automatic (Trigger Start) | Automatic | Cannot be disabled via services.msc
HomeGroup Listener | HomeGroupListener | Manual | Manual |
HomeGroup Provider | HomeGroupProvider | Manual (Trigger Start, Running) | Manual |
Host Network Service ** | Hns | Not Installed | Not Installed | If installed: (Manual)
Human Interface Device Service | Hidserv | Manual (Trigger Start) | Manual | Manufacturer function keys, generally on laptops, for volume, screen brightness, etc.
HV Host Service | HvHost | Manual (Trigger Start) | Disabled * |
Hyper-V Data Exchange Service | vmickvpexchange | Manual (Trigger Start) | Disabled * |


Table Installed Services (4/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Hyper-V Guest Service Interface | vmicguestinterface | Manual (Trigger Start) | Disabled * |
Hyper-V Host Compute Service ** | Vmcompute | Not Installed | Not Installed | If installed: (Manual, Trigger Start, Running)
Hyper-V PowerShell Direct Service | Vmicvmsession | Manual (Trigger Start) | Disabled * |
Hyper-V Remote Desktop Virtualization Service | Vmicrdv | Manual (Trigger Start) | Disabled * |
Hyper-V Time Synchronization Service | Vmictimesync | Manual (Trigger Start) | Disabled * |
Hyper-V Virtual Machine Management ** | Vmms | Not Installed (Automatic, Running) | Not Installed |
Hyper-V Volume Shadow Copy Requestor | Vmicvss | Manual (Trigger Start) | Disabled * |
IIS Admin Service ** | IISADMIN | Not Installed (Automatic, Running) | Not Installed | Do not install.
IKE and AuthIP IPsec Keying Modules | IKEEXT | Manual (Trigger Start) | Manual |
Infrared monitor service | Irmon | Manual | Disabled * | File transfer via infrared devices.
Interactive Services Detection | UI0Detect | Manual | Manual |
Internet Connection Sharing (ICS) | SharedAccess | Manual (Trigger Start) | Disabled * | Old service no longer needed.
IP Helper | Iphlpsvc | Automatic (Running) | Automatic | IPv6 translation.
KtmRm for Distributed Transaction Coordinator | KtmRm | Manual (Trigger Start) | Manual |
Link-Layer Topology Discovery Mapper | Lltdsvc | Manual | Manual |
Local Profile Assistant Service | Wlpasvc | Manual (Trigger Start) | Manual | New.
Local Session Manager | LSM | Automatic (Running) | Automatic | Cannot be disabled via services.msc
LPD Service ** | LPDSVC | Not Installed (Automatic, Running) | Not Installed |
LxssManager ** | LxssManager | Not Installed (Manual) | Not Installed |
Message Queuing ** | MSMQ | Not Installed (Automatic, Running) | Not Installed |
Message Queuing Triggers ** | MSMQTriggers | Not Installed (Automatic, Running) | Not Installed |
Messaging Service_????? | MessagingService_????? | Manual (Trigger Start) | Manual |


Table Installed Services (5/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Microsoft (R) Diagnostics Hub Standard Collector Service | diagnosticshub.standardcollector.service | Manual | Manual |
Microsoft Account Sign-in Assistant | Wlidsvc | Manual (Trigger Start) | Manual | Running if using an MS account to log in to the computer.
Microsoft App-V Client | AppVClient | Disabled | Disabled |
Microsoft iSCSI Initiator Service | MSiSCSI | Manual | Disabled * | Enable only if iSCSI device connectivity is required (for home user).
Microsoft Keyboard Filter ** | MsKeyboardFilter | Not Installed (Disabled) | Not Installed |
Microsoft Passport | NgcSvc | Manual (Trigger Start) | Manual | Cannot be disabled via services.msc
Microsoft Passport Container | NgcCtnrSvc | Manual (Trigger Start) | Manual | Cannot be disabled via services.msc
Microsoft Software Shadow Copy Provider | Swprv | Manual (Running at boot, then stops) | Manual | Used by Windows Backup.
Microsoft Storage Spaces SMP | Smphost | Manual | Manual | Probably OneDrive functionality.
SMS Router Service | SmsRouter | Manual (Trigger Start) | Disabled * |
MultiPoint Repair Service ** | WmsRepair | Not Installed (Automatic, Running) | Not Installed | Leave Not Installed.
MultiPoint Service ** | Wms | Not Installed (Automatic, Running) | Not Installed | Leave Not Installed.
Natural Authentication | NaturalAuthentication | Manual | Manual | Silly bio-metrics or face recognition login.
Net.Pipe Listener Adapter ** | NetPipeActivator | Not Installed (Automatic, Running) | Not Installed | Leave Not Installed.
Net.Tcp Listener Adapter ** | NetTcpActivator | Not Installed (Automatic, Running) | Not Installed | Leave Not Installed.
Net.Tcp Port Sharing Service ** | NetTcpPortSharing | Disabled (changed to Manual and Running if the previous 3 services are installed) | Uninstalled * | Leave Not Installed.
Netlogon | Netlogon | Manual | Manual | Used only with a domain controller environment.
Network Connected Devices Auto-Setup | NcdAutoSetup | Manual (Trigger Start, Running) | Manual |
Network Connection Broker | NcbService | Manual (Trigger Start, Running) | Manual |
Network Connections | Netman | Manual | Manual |
Network Connectivity Assistant | NcaSVC | Manual (Trigger Start) | Manual |
Network List Service | Netprofm | Manual (Running) | Manual |


Table Installed Services (6/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Network Location Awareness | NlaSvc | Automatic (Running) | Automatic |
Network Setup Service | NetSetupSvc | Manual (Trigger Start) | Manual |
Network Store Interface Service | Nsi | Automatic (Running) | Automatic |
Offline Files | CscService | Manual (Trigger Start) | Disabled * |
Payments and NFC/SE Manager | SEMgrSvc | Manual (Trigger Start) | Disabled * | Near Field Communication is a mobile phone technology. Not needed on desktops and tablets.
Peer Name Resolution Protocol | PNRPsvc | Manual | Manual |
Peer Networking Grouping | p2psvc | Manual | Manual |
Peer Networking Identity Manager | p2pimsvc | Manual | Manual |
Performance Counter DLL Host | PerfHost | Manual | Manual |
Performance Logs & Alerts | Pla | Manual | Manual |
Phone Service | PhoneSvc | Manual (Trigger Start) | Disabled * |
Plug and Play | PlugPlay | Manual (Running) | Manual | Do not disable.
PNRP Machine Name Publication Service | PNRPAutoReg | Manual | Manual |
Portable Device Enumerator Service | WPDBusEnum | Manual (Trigger Start) | Manual |
Power | Power | Automatic (Running) | Automatic |
Print Spooler | Spooler | Automatic (Running) | Automatic | Do not disable.
Printer Extensions and Notifications | PrintNotify | Manual | Manual |
Problem Reports and Solutions Control Panel Support | Wercplsupport | Manual | Manual |
Program Compatibility Assistant Service | PcaSvc | Automatic (Running) | Automatic |
Quality Windows Audio Video Experience | QWAVE | Manual | Manual |
Radio Management Service | RmSvc | Manual | Manual | Keep Manual for mobile devices; Disabled stops all wireless communication, including Bluetooth and WiFi.
Remote Access Auto Connection Manager | RasAuto | Manual | Manual |
Remote Access Connection Manager | RasMan | Manual | Manual |


Table Installed Services (7/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Remote Desktop Configuration | SessionEnv | Manual (maybe Running when using Remote Desktop) | Manual |
Remote Desktop Services | TermService | Manual (maybe Running when using Remote Desktop) | Manual |
Remote Procedure Call (RPC) | RpcSs | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Remote Procedure Call (RPC) Locator | RpcLocator | Manual | Disabled * | No function in Windows 10.
Remote Registry | RemoteRegistry | Disabled | Disabled |
Retail Demo Service | RetailDemo | Manual | Disabled * | Not disabled by default? Really?
RIP Listener ** | Iprip | Not Installed (Automatic, Running) | Not Installed | Leave Not Installed.
Routing and Remote Access | RemoteAccess | Disabled | Disabled |
RPC Endpoint Mapper | RpcEptMapper | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Secondary Logon | Seclogon | Manual | Manual |
Secure Socket Tunneling Protocol Service | SstpSvc | Manual | Manual | SSTP VPN capability.
Security Accounts Manager | SamSs | Automatic (Running) | Automatic |
Security Center | Wscsvc | Automatic (Delayed Start, Running) | Automatic (Delayed Start) |
Sensor Data Service | SensorDataService | Manual (Trigger Start) | Disabled * | Leave as default for laptops and tablets.
Sensor Monitoring Service | SensrSvc | Manual (Trigger Start) | Disabled * | Leave as default for laptops and tablets.
Server | LanmanServer | Automatic (Running) | Automatic |
Shared PC Account Manager | Shpamsvc | Disabled | Disabled |
Shell Hardware Detection | ShellHWDetection | Automatic (Running) | Automatic | Autoplay
Simple TCP/IP Services ** | Simptcp | Not Installed (Automatic, Running) | Not Installed | Keep Not Installed.
Smart Card | SCardSvr | Disabled | Disabled | Not needed if Smart Card login is not in use.
Smart Card Device Enumeration Service | ScDeviceEnum | Manual (Trigger Start) | Disabled * | Not needed if Smart Card login is not in use.
Smart Card Removal Policy | SCPolicySvc | Manual | Disabled * | Not needed if Smart Card login is not in use.
SNMP Service ** | SNMP | Not Installed (Automatic, Running) | Not Installed | Keep Not Installed.
SNMP Trap | SNMPTRAP | Manual | Disabled * |
Software Protection | Sppsvc | Automatic (Delayed Start, Trigger Start) | Automatic (Delayed Start) | Cannot be disabled via services.msc
Spatial Data Service | SharedRealitySvc | Manual | Manual | Virtual Reality data manager.


Table Installed Services (8/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
Spot Verifier | Svsvc | Manual (Trigger Start) | Manual |
State Repository Service | StateRepository | Manual (Running) | Manual | Cannot be disabled via services.msc
Still Image Acquisition Events | WiaRpc | Manual | Manual |
Storage Service | StorSvc | Manual (Trigger Start) | Manual | Required for Windows Store.
Storage Tiers Management Service | TieringEngine | Manual | Manual |
Superfetch | SysMain | Automatic (Running) | Automatic |
Sync Host_????? | OneSyncSvc_????? | Automatic (Delayed Start) | Automatic (Delayed Start) |
System Event Notification Service | SENS | Automatic (Running) | Automatic |
System Events Broker | SystemEventsBroker | Automatic (Trigger Start, Running) | Automatic | Cannot be disabled via services.msc
Task Scheduler | Schedule | Automatic (Running) | Automatic | Cannot be disabled via services.msc
TCP/IP NetBIOS Helper | Lmhosts | Manual (Trigger Start, Running) | Manual |
Telephony | TapiSrv | Manual | Manual |
Themes | Themes | Automatic (Running) | Automatic |
Tile Data model server | tiledatamodelsvc | Manual | Manual | Cannot be disabled via services.msc
Touch Keyboard and Handwriting Panel Service | TabletInputService | Manual (Trigger Start) | Disabled * | Keep in Manual for laptop touch screens and tablets.
Unified Write Filter Servicing Helper Service ** | UwfServcingSvc | Not Installed | Not Installed | Keep Not Installed. If installed: (Disabled)
Update Orchestrator Service for Windows Update | UsoSvc | Manual (Running) | Manual |
UPnP Device Host | Upnphost | Manual | Manual |
User Data Access_????? | UserDataSvc_????? | Manual (Running) | Manual | Cannot be disabled via services.msc
User Data Storage_????? | UnistoreSvc_????? | Manual (Running) | Manual | Cannot be disabled via services.msc
User Experience Virtualization Service | UevAgentService | Disabled | Disabled |
User Manager | UserManager | Automatic (Trigger Start, Running) | Automatic |
User Profile Service | ProfSvc | Automatic (Running) | Automatic |
Virtual Disk | Vds | Manual | Manual |
Volume Shadow Copy | VSS | Manual | Manual | Windows Backup.
W3C Logging Service ** | W3LOGSVC | Not Installed | Not Installed | Keep Not Installed. If installed: (Manual)


Table Installed Services (9/10)
Display name | Service name | Win 10 Pro Default | Recommended | Quick notes
WarpJITSvc | WarpJITSvc | Manual (Trigger Start) | Manual |
Web Account Manager | TokenBroker | Manual (Running) | Manual |
Web Management Service ** | WMSVC | Not Installed (Manual) | Not Installed |
WebClient | WebClient | Manual (Trigger Start) | Manual |
Wi-Fi Direct Services Connection Manager Service | WFDSConSvc | Manual (Trigger Start) | Disabled * | Connect to wireless display.
Windows Audio | AudioSrv | Automatic (Running) | Automatic | Do not disable.
Windows Audio Endpoint Builder | AudioEndpointBuilder | Automatic (Running) | Automatic | Do not disable.
Windows Backup | SDRSVC | Manual | Manual | Do not disable.
Windows Biometric Service | WbioSrvc | Manual (Trigger Start) | Manual |
Windows Camera Frame Server | FrameServer | Manual (Trigger Start) | Disabled * | Could be needed to capture webcam frames.
Windows Connect Now - Config Registrar | Wcncsvc | Manual | Manual |
Windows Connection Manager | Wcmsvc | Automatic (Trigger Start, Running) | Automatic |
Windows Defender Advanced Threat Protection Service | Sense | Manual | Manual |
Windows Defender Antivirus Network Inspection Service | WdNisSvc | Manual (Running) | Manual | Cannot be disabled via services.msc
Windows Defender Firewall | MpsSvc | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Windows Defender Security Center Service | SecurityHealthService | Automatic (Running) | Automatic | Cannot be disabled via services.msc
Windows Encryption Provider Host Service | WEPHOSTSVC | Manual (Trigger Start) | Manual |
Windows Error Reporting Service | WerSvc | Manual (Trigger Start) | Manual |
Windows Event Collector | Wecsvc | Manual | Manual |
Windows Event Log | EventLog | Automatic (Running) | Automatic |
Windows Font Cache Service | FontCache | Automatic (Running) | Automatic |
Windows Image Acquisition (WIA) | StiSvc | Manual | Manual |
Windows Insider Service | Wisvc | Manual | Disabled * | Disable if not beta testing new versions via the Insider program.
Windows Installer | Msiserver | Manual | Manual | Cannot be disabled via services.msc


Table Installed services (10/10)

| Display name | Service name | Win 10 Pro Default | Recommended | Quick notes |
|---|---|---|---|---|
| Windows License Manager Service | LicenseManager | Manual (Trigger Start) | Manual | Windows Store. |
| Windows Management Instrumentation | Winmgmt | Automatic (Running) | Automatic | |
| Windows Mobile Hotspot Service | icssvc | Manual (Trigger Start) | Disabled * | Mobile Network Connection (3G, 4G, LTE, Etc). Disable on devices without those options. |
| Windows Modules Installer | TrustedInstaller | Manual | Manual | |
| Windows Perception Service | spectrum | Manual (Trigger Start) | Manual | New Virtual Reality Service |
| Windows Presentation Foundation Font Cache 3.0.0.0 ** | FontCache3.0.0.0 | Not Installed (Manual) | Not Installed | |
| Windows Process Activation Service ** | WAS | Not Installed (Manual, Running) | Not Installed | |
| Windows Push Notifications System Service | WpnService | Automatic (Running) | Automatic | |
| Windows Push Notifications User Service_????? | WpnUserService_????? | Manual | Manual | Cannot be disabled via services.msc |
| Windows Remote Management (WS-Management) | WinRM | Manual | Disabled * | |
| Windows Search | WSearch | Automatic (Delayed Start, Running) | Automatic (Delayed Start) | |
| Windows Store Install Service | InstallService | Manual | Manual | New |
| Windows Update | wuauserv | Manual (Trigger Start) | Manual | Do not disable. |
| WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Manual (Running) | Manual | |
| Wired AutoConfig | dot3svc | Manual | Manual | |
| WLAN AutoConfig | WlanSvc | Automatic | Manual | Automatic with Wireless Card Installed. |
| WMI Performance Adapter | wmiApSrv | Manual | Manual | |
| Work Folders ** | workfolderssvc | Manual | Uninstalled * | |
| Workstation | LanmanWorkstation | Automatic (Running) | Automatic | |
| World Wide Web Publishing Service ** | W3SVC | Not Installed (Automatic, Running) | Not Installed | If installed: (Automatic, Running). Do not install. |
| WWAN AutoConfig | WwanSvc | Manual | Disabled * | Mobile Network Connection (3G, 4G, LTE, Etc). Disable on devices without those options. |
| Xbox Accessory Management Service | XboxGipSvc | Manual (Trigger Start) | Manual | |
| Xbox Game Monitoring | xbgm | Manual (Trigger Start) | Disabled * | For XBOX console PC to Console functions. |
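An added audit script, not part of the Yokogawa document, that compares a subset of the Recommended states from the two tables above with the service configuration actually present on a host. Service names are taken from the tables; treating a "Not Installed" recommendation as "no Win32_Service instance exists" is an assumption of this example.

```powershell
# Added audit example (not from the Yokogawa document): checks a subset of the
# services recommended above against their current start type on this host.
# Expected values come from the "Recommended" column; "NotInstalled" means the
# service object must be absent (assumption of this example).
$expected = @{
    'WFDSConSvc'  = 'Disabled'      # Wi-Fi Direct Services Connection Manager
    'FrameServer' = 'Disabled'      # Windows Camera Frame Server
    'wisvc'       = 'Disabled'      # Windows Insider Service
    'icssvc'      = 'Disabled'      # Windows Mobile Hotspot Service
    'WinRM'       = 'Disabled'      # Windows Remote Management (WS-Management)
    'WwanSvc'     = 'Disabled'      # WWAN AutoConfig
    'xbgm'        = 'Disabled'      # Xbox Game Monitoring
    'WlanSvc'     = 'Manual'        # WLAN AutoConfig
    'wuauserv'    = 'Manual'        # Windows Update (do not disable)
    'EventLog'    = 'Automatic'     # Windows Event Log
    'MpsSvc'      = 'Automatic'     # Windows Defender Firewall
    'W3SVC'       = 'NotInstalled'  # World Wide Web Publishing Service
    'WAS'         = 'NotInstalled'  # Windows Process Activation Service
    'WMSVC'       = 'NotInstalled'  # Web Management Service
}

$findings = foreach ($name in $expected.Keys) {
    # A missing service simply yields no instance (no error is thrown).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    # Win32_Service reports StartMode as Auto/Manual/Disabled; normalise it
    # to the wording used in the tables.
    $actual = if ($null -eq $svc) { 'NotInstalled' }
              elseif ($svc.StartMode -eq 'Auto') { 'Automatic' }
              else { $svc.StartMode }
    [pscustomobject]@{
        Service   = $name
        Expected  = $expected[$name]
        Actual    = $actual
        State     = if ($svc) { $svc.State } else { '-' }
        Compliant = ($actual -eq $expected[$name])
    }
}

# Non-compliant rows sort first so deviations are visible at a glance.
$findings | Sort-Object Compliant, Service | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or build job flag drift.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Trigger Start and Delayed Start qualifiers are not exposed by Win32_Service.StartMode, so the script only compares the base start type.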

10.4 Legacy services

For information purposes, the following table describes services found on legacy Windows systems. These are listed here in case projects are being upgraded and have to connect to legacy systems. It is recommended to disable these services unless explicitly required for project applications.

Table Installed Services (1/11)

| Display name | Service name | Win 10 Pro Default | Recommended | Quick notes |
|---|---|---|---|---|
| Active Directory Domain Services | | Not installed | Disabled | Only enabled/installed on Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 TP |
| Certificate Services | | Not installed | Disabled | May be enabled on Windows Server 2008, 2008 R2, 2012 R2 |
| DNS Server | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Microsoft FTP Service | | Not installed | Disabled | May be enabled on Windows Server 2008, 2008 R2, 2012 R2 |
| ICS (Internet Connection Sharing) | | Not installed | Disabled | May be enabled on Windows Server 2008, 2003, 2008 R2, 2012 R2 |
| | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Kerberos Key Distribution Service | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Routing and Remote Access service | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Simple TCP/IP Services | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Special Administration Console Helper | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Telnet Server | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Trivial FTP Daemon | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |
| Windows Internet Name Service (WINS) | | Not installed | Disabled | May be enabled on Windows Server 2003, 2008, 2008 R2, 2012 R2 |

Revision Information

Title: FAST/TOOLS R10.03 System Hardening Windows 10, Windows Server 2016 (Rev. 2.0)
Manual number: TI 50A01A10-03EN

May 2018/2nd Edition Clerical error correction

Apr. 2018/1st Edition Newly published

Written by Yokogawa Electric Corporation

Published by Yokogawa Electric Corporation 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN

Subject to change without notice.