
Foxboro Evo™

Process Automation System

Security Implementation
User's Guide for I/A Series
and Foxboro Evo
Workstations
with Windows 7 or Windows Server
2008 Operating Systems


B0700ET

Rev E
December 19, 2014
Invensys, Foxboro, Foxboro Evo, I/A Series, and InFusion are trademarks of Invensys Limited, its subsidiaries,
and affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2012–2014 Invensys Systems, Inc.
All rights reserved.

SOFTWARE LICENSE AND COPYRIGHT INFORMATION


Before using the Invensys Systems, Inc. supplied software supported by this documentation, you
should read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Invensys Systems, Inc. will no longer provide you
with support services and assumes no further responsibilities for your system or its
operation.
2. All software issued by Invensys Systems, Inc. and copies of the software that you are
specifically permitted to make, are protected in accordance with Federal copyright
laws. It is illegal to make copies of any software media provided to you by
Invensys Systems, Inc. for any purpose other than those purposes mentioned in the
software license.
Contents
Figures................................................................................................................................... vii

Tables..................................................................................................................................... ix

Preface.................................................................................................................................... xi
Revision Information ............................................................................................................... xi
Reference Documents .............................................................................................................. xi
Glossary of Terms .................................................................................................................. xiii

1. Overview of Security Enhancements.................................................................................. 1


Levels of Security ...................................................................................................................... 1
BIOS Settings ........................................................................................................................... 1
Foxboro-Supplied OS Images .................................................................................................... 2
Foxboro Software Installation .................................................................................................... 2
Third-Party Security Tools ........................................................................................................ 2
Services Available from Foxboro ................................................................................................ 3
Supported Platforms ................................................................................................................. 3
Foxboro Control Software or Foxboro Evo Control Software Considerations ........................... 4
Related Documentation ............................................................................................................ 4
Recommended Practices ............................................................................................................ 4

2. Platform Security............................................................................................................... 7
Physical Access .......................................................................................................................... 7
BIOS Settings ........................................................................................................................... 7
Foxboro-Supplied OS Images .................................................................................................... 9
How to Change OS Image Settings for Services ...................................................................... 31
Remote Desktop Services ........................................................................................................ 31
I/A Series/Control Core Services Startup and Logon Options ................................................. 31
Autologon Configurator ..................................................................................................... 32

3. Security Enhancements Installation and Configuration ................................................... 35


Platform Requirements ........................................................................................................... 35
Secondary Domain Controllers in an I/A Series or Foxboro Evo System ................................. 36
I/A Series Software or Control Core Services Installation ........................................................ 36

iii
B0700ET – Rev E Contents

Help and Support Feature ....................................................................................................... 38


Administrative Privileges ........................................................................................................ 38
Management of Software Ports ................................................................................................ 39
Active Directory Topics .......................................................................................................... 39
Active Directory Overview ................................................................................................. 39
Active Directory Structure .................................................................................................. 41
Organizational Units (OU) ........................................................................................... 41
Security Groups ............................................................................................................. 41
Group Policies and Group Policy Objects ..................................................................... 41
I/A Series or Control Core Services Specific Implementation of Active Directory ................... 42
Organizational Unit (OU) Structure .................................................................................. 43
Users and Security Groups ................................................................................................. 44
Group Policies .................................................................................................................... 45
Group Policy Naming Conventions .............................................................................. 48
Base-Level and Enhanced-Level Security Group Policies ................................................ 48
Base-Level Group Policy Descriptions ........................................................................... 48
Enhanced-Level Group Policy Descriptions ................................................................... 51
Configuring Group Policies ........................................................................................... 51
Group Policy Settings ............................................................................................................. 53
How to View Detailed Group Policy Settings ..................................................................... 53
How to Edit Group Policies ............................................................................................... 57
How to Document Group Policies ..................................................................................... 61
Group Policies for Microsoft Windows Event Logs ............................................................ 62
How to Display a Login Banner ......................................................................................... 64
Additional Security for FoxView Environments .................................................................. 71
Windows Server Backup Error ................................................................................................ 73
Troubleshooting Group Policy Issues ...................................................................................... 75
Group Policy Management Console ................................................................................... 76
Resultant Set of Policy Tool ............................................................................................... 76
Group Policy Results Tool ................................................................................................. 76
Managing User Accounts and Passwords ................................................................................. 76
Creating Domain User Accounts ........................................................................................ 77
Standard Password Complexity .......................................................................................... 85
Enhanced Password Complexity ......................................................................................... 87
Changing and Resetting Passwords ..................................................................................... 89
The “Administrator” User Account .................................................................................... 91
The “Guest” User Account ................................................................................................. 91
The “Fox” User Account .................................................................................................... 91
The “ia” User Account ....................................................................................................... 91
User Accounts with the Ability to Install Software ................................................................ 100
Backing Up Active Directory ................................................................................................ 100

4. Security Packages .......................................................................................................... 101


Overview ............................................................................................................................... 101


Virus Scanner and Anti-Spyware ........................................................................................... 101


ePolicy Orchestrator .............................................................................................................. 101
Host Intrusion Prevention ..................................................................................................... 102
Device Control ...................................................................................................................... 103
Integrity Control ................................................................................................................... 103
Software Services ................................................................................................................... 104

5. Software Updates .......................................................................................................... 105


Foxboro Software Fixes ......................................................................................................... 105
Microsoft Security Updates ................................................................................................... 105
McAfee Updates ................................................................................................................... 106

6. Station Assessment Tool................................................................................................ 107

Appendix A. Comparison of “Invensys Plant” GPOs ........................................................ 109

Index .................................................................................................................................. 117

Figures
2-1. Autologon Configurator .............................................................................................. 32
2-2. Sample Autologon Configuration ................................................................................ 32
3-1. I/A Series or Foxboro Evo System Network Topologies
with Active Directory (Simplified) .............................................................................. 40
3-2. Active Directory Structure ........................................................................................... 43
3-3. Group Policies Structure ............................................................................................. 47
3-4. Opening Administrative Tools .................................................................................... 54
3-5. Opening Group Policy Management .......................................................................... 55
3-6. Group Policy Management - Group Policy Objects .................................................... 56
3-7. Group Policy Management - Group Policy Object Details .......................................... 57
3-8. Selecting to Back Up a GPO ....................................................................................... 58
3-9. Back Up Group Policy Dialog Box ............................................................................. 59
3-10. Editing a GPO ............................................................................................................ 60
3-11. Group Policy Management Editor .............................................................................. 61
3-12. Save GPO Report Dialog Box ..................................................................................... 62
3-13. Event Log Group Policy Settings for Operating Systems Prior to Windows Vista ....... 63
3-14. Event Log Group Policy Settings for Operating Systems
Newer than Windows Vista ........................................................................................ 64
3-15. Group Policy Management - Invensys Enhanced Interactive Logon Banner ON ........ 65
3-16. Group Policy Management - Edit ............................................................................... 66
3-17. Group Policy Management - Message Text ................................................................. 67
3-18. Group Policy Management - Title Text ...................................................................... 68
3-19. Group Policy Management - Link an Existing GPO… ............................................... 69
3-20. Select GPO Dialog Box ............................................................................................... 70
3-21. Group Policy Management - Linked Group Policy Objects ........................................ 71
3-22. Delete Invensys FoxView Environments GPO ............................................................ 72
3-23. Backup Schedule Wizard ............................................................................................. 73
3-24. Windows Server Backup Error .................................................................................... 73
3-25. Group Policy Management Editor - Security Options ................................................. 74
3-26. Define This Policy Setting Checkbox .......................................................................... 75
3-27. Active Directory Users and Computers Tool ............................................................... 77
3-28. Active Directory Users and Computers Tool - Selecting User ..................................... 78
3-29. New Object - User Name ............................................................................................ 79
3-30. New Object - User Password ....................................................................................... 80
3-31. Selecting Operator1 Properties .................................................................................... 81
3-32. Operator1 Properties Dialog Box - Selecting “Member Of” Tab ................................. 82
3-33. Select Groups Dialog Box ........................................................................................... 83
3-34. Select Groups Dialog Box - Selecting Group Name .................................................... 83
3-35. Select Groups Dialog Box - Proceeding ....................................................................... 84
3-36. Select Groups Dialog Box - Group Domain Added ..................................................... 84
3-37. Editing the Default Domain Controllers Policy .......................................................... 86
3-38. Password Policy ........................................................................................................... 87
3-39. Selecting Password Complexity ................................................................................... 88
3-40. Password Complexity Properties Dialog Box ............................................................... 89

3-41. Resetting Password ...................................................................................................... 90


3-42. Reset Password Dialog Box ......................................................................................... 91
3-43. Active Directory Users and Computers - New User .................................................... 93
3-44. New Object - User ...................................................................................................... 94
3-45. New Object - User - Password .................................................................................... 95
3-46. Active Directory Users and Computers - Properties .................................................... 96
3-47. ia User Properties - Environment Tab ......................................................................... 97
3-48. ia User Properties - Sessions Tab ................................................................................. 98
3-49. ia User Properties - Member Of Tab ........................................................................... 99
4-1. ePO Installed on Foxboro Servers ............................................................................. 102

Tables
1-1. Foxboro Platforms Supporting Security Enhancements ................................................. 3
2-1. Example BIOS Settings for Security Enhancements on
P92 (Dell-Based) Workstation ...................................................................................... 8
2-2. Windows Services Configuration for Security Enhancements ...................................... 10
3-1. Windows Services Startup Configuration for Stations with Security Enhancements .... 37
3-2. Active Directory Container and Security Group Associations ...................................... 44
3-3. Security Group Members ............................................................................................ 45
3-4. Group Policy Section and Enabled/Disabled Status .................................................... 46
3-5. Default Links Between Group Policies and Active Directory Containers ..................... 51
3-6. Group Policy Filters for User Groups .......................................................................... 52
3-7. FoxView Environments Accessible to Security Group Members (Default) .................. 71
4-1. McAfee Services Startup Configuration for Stations with Security Enhancements ..... 104
A-1. Group Policy Settings for I/A Series Software v8.8 or Foxboro Evo Control Core Services
v9.0 or Later .............................................................................................................. 109

Preface
This document describes the implementation of security enhancements for I/A Series® software v8.8, or Foxboro Evo™ Control Core Services v9.0 or later. These features provide additional security to systems which include the I/A Series/Control Core Services or Foxboro® Control Software (FCS)/Foxboro Evo™ Control Software platforms and software discussed in this document.

NOTE
If a workstation has control software installed on it along with security enhanced I/A Series software v8.8, or Foxboro Evo™ Control Core Services v9.0 or later, the version of control software must be Foxboro Control Software v4.0 or later or Foxboro Evo Control Software (the Control Software) v5.0 or later.

Revision Information
For this release of this document (B0700ET, Rev. E), the following changes were made:
Global
♦ Updated title to include coverage for Foxboro Evo system.
Preface
♦ Updated initial paragraph.
♦ Updated “Reference Documents” section.

Reference Documents
The following documents provide additional and related information.
♦ Control Core Services v9.0 Software Installation Guide (B0700SP)
♦ Control Core Services v9.0 Release Notes (B0700SQ)
♦ I/A Series V8.8 Software Installation Guide (B0700SF)
♦ I/A Series® System V8.8 Release Notes (B0700SG)
♦ Station Assessment Tool (SAT) User’s Guide (B0700DZ)
♦ Optional McAfee® Security Products Installation and Configuration Guide (B0700EX)
♦ Symantec System Recovery 2011 Workstation Edition and Server Edition Guide for
I/A Series Workstations (B0700ES)
♦ McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation (B0700EQ)
♦ The MESH Control Network Architecture Guide (B0700AZ)
♦ The MESH Control Network Operation, and Switch Installation and Configuration
Guide (B0700CA)
♦ Security Guidelines For ISASecure™ Certified Products (B0700GH)

The following documents provide configuration information about the platforms which support
the security enhancements:
♦ Hardware and Software Specific Instructions Model P92*K Workstation (T3500)
(B0700DU)
♦ Hardware and Software Specific Instructions for Model P90*D (R710, Windows Server®
2003, Standard Edition Operating System) (B0700DV)
♦ Hardware and Software Specific Instructions for Model P91*G (T610, Windows Server®
2003, Standard Edition Operating System) (B0700DW)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
(B0700EF)
♦ Hardware and Software Specific Instructions for Model P90 Workstation (R710 Gen II)
(B0700EG)
♦ Hardware and Software Specific Instructions for Model P91 Workstation (T710 Gen II)
(B0700EH)
♦ Hardware and Software Specific Instructions for Model H92 (HP Z400) (B0700EM)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z400)
(Windows 7 Operating System) (B0700FF)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500) with
Windows 7 Operating System (B0700FJ)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
with Windows 7 Operating System (B0700FM)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z420
Windows XP Operating System) (B0700FR)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z420
Windows 7 Operating System) (B0700FS)
♦ Hardware and Software Specific Instructions for Model P90 (R710) with Windows
Server® 2008 Operating System (B0700FK)
♦ Hardware and Software Specific Instructions for Model P90 (R710 Gen II) with Windows
Server 2008 Operating System (B0700FN)
♦ Hardware and Software Instructions for Model H90 Workstation (HP DL380) with
Windows Server 2008 Operating System (B0700FG)
♦ Hardware and Software Specific Instructions for Model P91 (T610) with Windows
Server® 2008 Operating System (B0700FL)
♦ Hardware and Software Specific Instructions for Model P91 (T710 Gen II) with Windows Server 8 Operating System (B0700FP)
♦ Hardware and Software Instructions for Model H91 Workstation (HP ML350) with
Windows Server 2008 Operating System (B0700FH)
These documents are available on the Foxboro Evo Electronic Documentation media (K0174MA). The latest revisions of each document are also available through our Invensys Global Customer Support at https://support.ips.invensys.com.
Glossary of Terms
The following terminology, used throughout this user’s guide, relates to these security
enhancements.

Expression: Meaning

API: Application Programming Interface
ATS: Address Translation Station
Control Core Services: See “Foxboro Evo Control Core Services” below.
COTS: Commercial Off-the-Shelf
CP: Control Processor. The control processor performs any mix of integrated first-level automation functions such as continuous, sequential, or discrete logic functions.
FCP280: Field Control Processor 280
FCP270: Field Control Processor 270
FCS: (Obsolete) Foxboro Control Software (formerly known as InFusion). With v5.0, this term has been superseded by “Foxboro Evo Control Software”, defined below.
Foxboro Evo Control Core Services: Core software environment, formerly known as “I/A Series (Intelligent Automation Series) software”. A workstation which runs this software is known as a “Foxboro Evo Control Core Services workstation”.
Foxboro Evo Control Editors: Formerly known as “FCS Configuration Tools”, “InFusion Engineering Environment”, or “IEE”, these are the Control Software engineering and configuration tools built on the ArchestrA Integrated Development Environment (IDE).
Foxboro Evo Control Software: Formerly known as “Foxboro Control Software (FCS)” and “InFusion”, a suite of software built on the ArchestrA Integrated Development Environment (IDE) to operate with the Foxboro Evo Control Core Services.
Foxboro Evo Process Automation System: An overall term used to refer to a system which may include either, or both, Foxboro Evo Control Software and Foxboro Evo Control Core Services.
I/O: Input/Output
NERC: North American Electric Reliability Corporation
NIST: National Institute of Standards and Technology
OM: Object Manager: a proprietary Foxboro OS extension that supports data access to Foxboro Evo objects.
PDC: Primary Domain Controller
PRD: Product Requirements Document
The Control Software: See “Foxboro Evo Control Software” above.
Workstations: Stations that connect to bulk storage devices and optionally to information networks to allow bi-directional information flow. These processors perform computation-intensive functions as well as process file requests from tasks within themselves or from other stations. They also interface to an LCD monitor and the input devices associated with it. These may be alphanumeric keyboards, mice, trackballs, touchscreens, or up to two modular keyboards. Each processor manages the information on its CRT and exchanges data with other processor modules.
WSUS: Microsoft® Windows Server Update Services enable system administrators to deploy and manage the distribution of the latest Microsoft product updates to computers in their network that are running Microsoft operating systems.
ZCP270: Z-Format Control Processor 270

1. Overview of Security Enhancements
This chapter describes the security enhancements provided for systems with I/A Series software
v8.8 or Foxboro Evo Control Core Services v9.0 or later, which may also include Foxboro
Control Software v4.x or Foxboro Evo Control Software v5.0 or later.

Levels of Security
“Security” is a continuum of features and options that can vary from one environment to another, rather than being a simple black and white issue. There are many levels at which security can be approached, ranging from physical access to a building or a room to controlling what actions individual computer users have permission to perform. This concept is sometimes referred to as “security in layers” or “defense in depth.”
As evidenced in this document, Foxboro® has striven to provide you with multiple options for making your systems as secure as you decide they need to be. Since each site is different and may be covered by different regulatory agencies and standards, Foxboro allows you to make decisions about balancing the trade-offs regarding security compliance versus usability and production efficiency.
Foxboro implements default security settings that provide a good overall secure environment.
Since it is recognized that there is no “one size fits all” in the security arena, Foxboro provides
information about how to change those default settings should you find the need to do so.
The approach that Foxboro provides with regard to securing a system involves the following
levels:
♦ Computer BIOS settings
♦ Pre-configured OS images
♦ Features and pre-configured options provided by the Foxboro software
♦ Incorporation of globally-recognized third-party tools
♦ Additional service offerings from Foxboro Consulting
The following are high-level descriptions of each of these levels with pointers to the chapter that
provides more detailed information where appropriate.

BIOS Settings
It is possible to configure BIOS settings that render the workstation useless. For example, if all its
ports and drives are turned off, there is no way to install the I/A Series software or Foxboro Evo
Control Core Services (hereinafter referred to as the Control Core Services) on it. Therefore, the
BIOS settings are left open typically until all the software that is required to be installed is in
place, and then all features that are not needed are turned off. Once that is done, the ability to
change BIOS settings can be protected by configuring a BIOS password.

Foxboro provides the BIOS settings for each platform that it ships in a separate document. No
changes will be made to the BIOS settings for securing workstations. Foxboro will continue to
document the BIOS settings that are available and leave it to you to configure them as you want
to.
Refer to Chapter 2 “Platform Security” for more detailed information about BIOS settings.

Foxboro-Supplied OS Images
Foxboro ships each workstation with a pre-configured Operating System (OS) image. (In
addition to being installed on the hard drive, an OS restore image is provided on DVD-ROM
media.)
This image has some security features incorporated in it. For example, virus scanning and anti-spyware software is pre-installed in the image. Also, certain OS features are disabled. The intention is to disable features that are not needed for the successful installation and operation of Foxboro software, such as the I/A Series software or Control Core Services, and Foxboro Control Software (FCS) or Foxboro Evo Control Software (hereinafter referred to as the Control Software) packages.
Refer to Chapter 2 “Platform Security” for more detailed information about the OS Images provided by Foxboro.
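The pre-configured image leaves certain Windows services disabled, and the practical question for a site is whether a station still matches that baseline after patching, software installation, or a restore. The following is an added example written for this guide's readers; it is not part of B0700ET and not a Foxboro tool. It lists the services a hardened image is expected to keep disabled and reports any that have drifted to another startup mode or are running. The service names are placeholders (an assumption); substitute the list from the image's documented services configuration. It uses Get-WmiObject rather than Get-CimInstance so that it also runs on the PowerShell 2.0 shipped with Windows 7 and Windows Server 2008.

```powershell
# Added example (not from B0700ET): audit a station against the list of
# services that the hardened OS image is expected to leave disabled.
# PLACEHOLDER names below are assumptions; replace them with the real list
# from the image's services configuration table.
$ExpectedDisabled = @(
    'PLACEHOLDER_ServiceA',
    'PLACEHOLDER_ServiceB'
)

function Get-ServiceDrift {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ExpectedDisabled
    )
    # Win32_Service exposes StartMode (Auto, Manual, Disabled) and State
    # (Running, Stopped). Get-WmiObject is available on PowerShell 2.0.
    $installed = Get-WmiObject -Class Win32_Service

    foreach ($name in $ExpectedDisabled) {
        $svc = $installed | Where-Object { $_.Name -eq $name }
        if ($null -eq $svc) {
            # Not present on this station: nothing to disable, so no drift.
            New-Object PSObject -Property @{
                Service   = $name
                StartMode = '(not installed)'
                State     = '(n/a)'
                Drift     = $false
            }
            continue
        }
        # Drift means the service is either not set to Disabled or is
        # currently running despite the baseline.
        New-Object PSObject -Property @{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Drift     = (($svc.StartMode -ne 'Disabled') -or ($svc.State -eq 'Running'))
        }
    }
}

# Report only the services that no longer match the baseline.
Get-ServiceDrift -ExpectedDisabled $ExpectedDisabled |
    Where-Object { $_.Drift } |
    Select-Object Service, StartMode, State |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the station; an empty table means every listed service is still disabled and stopped. Services that the list names but the station does not have are reported as not installed rather than as drift, so the same list can be used across workstation and server platforms.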

Foxboro Software Installation


The Foxboro software installation includes additional security mechanisms, such as the following
examples:
♦ The Control Core Services or I/A Series Day 0 installation allows you to change user
accounts and passwords rather than having a fixed user account with a fixed password.
♦ A set of Group Policies which have been customized by Foxboro will be installed. The
intention of these policies is to reduce vulnerabilities of the workstation while ensur-
ing that Foxboro software will install and operate properly.
Refer to Chapter 3 “Security Enhancements Installation and Configuration” for more detailed
information about the security features incorporated by the Foxboro software installation.

Third-Party Security Tools


There are additional features that are being provided via third-party security tools. These include:
♦ Host intrusion prevention
♦ A powerful and configurable firewall
♦ Application blocking
♦ Hardware port (device) control
♦ Whitelisting.
Foxboro provides a separate, optional DVD and instructions for installing these tools, including
some default configuration options. (Refer to the release notes included with your version of
I/A Series or Control Core Services for the part number for the System McAfee® Products Media
Kit, which includes this DVD.) You will have the ability to customize these options as required
for your site requirements.
Foxboro supplies documentation to provide some basic guidelines for navigating these tools and
changing your settings.
Refer to Chapter 4 “Security Packages” for more detailed information about the security features
available with the additional third-party tools.

Services Available from Foxboro


In addition to the above security measures, you have the option of contracting with Foxboro to
provide security assessments and to assist in customizing the security solution at your site.
More information about Foxboro Security Services can be found at
http://iom.invensys.com/cybersecurity.

Supported Platforms
The security enhancements provided by Foxboro are supported on the Foxboro platforms listed in
Table 1-1.

Table 1-1. Foxboro Platforms Supporting Security Enhancements

Foxboro H-Code/P-Code | Type        | HP or Dell Model | Media Part Number            | Described in Foxboro Document(1)
H92                   | Workstation | HP Z420          | K0174KA(2) -OR- K0174KB(3)   | B0700FS (Windows 7); B0700FR (Windows XP)
H92                   | Workstation | HP Z400          | K0174HP                      | B0700FF (Windows 7); B0700EM (Windows XP)
P92*K                 | Workstation | T3500 Gen II     | K0174HE                      | B0700EF
P92*K                 | Workstation | T3500            | K0174HB                      | B0700DU
H91                   | Server      | HP ML350         | K0174HQ                      | B0700FH (Windows 7); B0700EP (Windows XP)
H90                   | Server      | HP DL380         | K0174HR                      | B0700FG (Windows 7); B0700EN (Windows XP)
P91                   | Server      | T710 Gen II      | K0174HF                      | B0700EH
P90                   | Server      | R710 Gen II      | K0174HF                      | B0700EG
P91*G                 | Server      | T610             | K0174HD                      | B0700DW
P90*D                 | Server      | R710             | K0174HD                      | B0700DV

1. Although the titles of some of these documents refer to older operating systems, Foxboro provides
OS restore images for these hardware platforms to support either Windows 7 Professional (for
workstation platforms) or Windows Server 2008 R2 (for server-class platforms).
2. Restore optical media (P/N K0174KA) – For use with Model H92 HP Z420 processors with
Windows XP with Service Pack 3 and I/A Series software v8.2 to v8.4.x.
3. Restore optical media (P/N K0174KB) – For use with Model H92 HP Z420 processors with
Windows XP with Service Pack 3 and I/A Series software v8.5-v8.8 or Control Core Services
v9.0 and later.

The documents listed in Table 1-1 are available through our Invensys Global Customer Support
at https://support.ips.invensys.com.

Foxboro Control Software or Foxboro Evo Control Software Considerations
There are special considerations when installing Foxboro Control Software (FCS) or the Control
Software on a workstation/server with I/A Series or Control Core Services that has been installed
with the security enhancements described in this document. If you plan to install FCS or the
Control Software on such workstations/servers, refer to the appropriate revision of Foxboro Evo
Control Software Installation Guide (B0750RA) and the latest set of release notes associated with
the FCS or the Control Software release version, available from Invensys Global Customer Support
at https://support.ips.invensys.com. (To determine which revision of B0750RA is appropriate for
installing your version of FCS or the Control Software, refer to “InFusion/FCS Installation
Instructions in Previous Revisions of B0750RA” in Foxboro Evo Control Software Installation Guide
(B0750RA, Rev. R).)

Related Documentation
Refer to “Reference Documents” on page xi for a list of documents which discuss the hardware
and software affected by these security enhancements.

Recommended Practices
Installing a system and making it secure can become quite complicated and requires careful
planning. The following is a recommended sequence for Foxboro systems:
1. Decide where the equipment is going to be located and make sure appropriate
physical access measures are put in place.
2. Create appropriate system drawings, including a network drawing showing computer
names (remember that the I/A Series/Control Core Services and FCS/the Control Software
assume a six-character letterbug for each station) and the specific roles that the
stations are going to provide, such as the Master Timekeeper (MTK), the CSA database
host, primary Active Directory domain controller, secondary Active Directory
domain controller, System Monitors, Data Historian, Remote Desktop Services, and
so forth.

NOTE
For security reasons, Remote Desktop Services should never be enabled on a
domain controller.

3. Use the System Definition utility or FCS Configuration Tools/Foxboro Evo Control
Editors to configure the I/A Series or Foxboro Evo system (including the servers that
will provide the role of Active Directory domain controller if they are on The Mesh
control network). Create the System Commit installation media.
4. Install the Primary Active Directory domain controller first using the I/A Series soft-
ware or Control Core Services installation media to perform a Day 0 installation. (It
will install the necessary OS components to provide the Active Directory role.) For
specific instructions, refer to I/A Series V8.8 Software Installation Guide (B0700SF) or
the appropriate Control Core Services v9.x Software Installation Guide.
5. Install the I/A Series software or Control Core Services on the other stations by first
joining the station to the Active Directory domain created in the previous step. This
process is performed as part of the Day 0 installation. For specific instructions, refer to
I/A Series V8.8 Software Installation Guide (B0700SF) or the appropriate Control Core
Services v9.x Software Installation Guide.
6. Configure or load your control blocks and custom displays.
7. Verify the system to make sure it is operating correctly from a process control system
perspective.
8. Make adjustments to the security settings as desired. (This might include making
manual changes to the BIOS settings, changing group policies, and/or turning on
Device Control features.)
9. Verify the system to ensure that the security adjustments are not interfering with the
proper operation of the system.
10. Continue to monitor logs, first for a period of time to ensure that all critical software
operations have been verified, and then periodically as a regular part of the normal
operating procedure.
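The following script is an added example for steps 9 and 10 of the sequence above; it is not part of B0700ET or of the Foxboro software. It checks the one rule the NOTE states (Remote Desktop must not be enabled on a domain controller) by reading the station's role from Win32_ComputerSystem.DomainRole and the fDenyTSConnections registry value, and it summarises the Windows event IDs a reviewer would watch after a hardening pass. The event ID selection and the 24-hour window are the example's own choices, not a Foxboro requirement.

```powershell
# Added example, not part of B0700ET: checks for steps 9 and 10 of the
# recommended sequence. Written for PowerShell 2.0 (Windows 7 / Windows
# Server 2008 R2); run from an elevated prompt on each station.

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server,
# 4 backup domain controller, 5 primary domain controller.
function Get-StationRole {
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { return 'DomainController' }
    if ($role -ge 2) { return 'Server' }
    return 'Workstation'
}

# Step 9 check: Remote Desktop Services must never be enabled on a domain
# controller. fDenyTSConnections = 1 means RDP connections are refused.
function Test-RemoteDesktopPolicy {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='TermService'"
    $result = New-Object PSObject -Property @{
        Role             = Get-StationRole
        RdpEnabled       = ($deny -eq 0)
        TermServiceStart = $svc.StartMode
        TermServiceState = $svc.State
        Compliant        = $true
    }
    if ($result.Role -eq 'DomainController' -and $result.RdpEnabled) {
        $result.Compliant = $false
        Write-Warning 'Remote Desktop is enabled on a domain controller; disable it before the station goes into service.'
    }
    return $result
}

# Step 10 check: summarise the events a reviewer looks at after a hardening
# pass. Security log: 4625 failed logon, 4719 audit policy changed,
# 4720 user account created. System log: 7040 service start type changed,
# 7045 new service installed.
function Get-HardeningEventSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Security'; Id = 4625, 4719, 4720; StartTime = $since },
        @{ LogName = 'System';   Id = 7040, 7045;       StartTime = $since }
    )
    foreach ($q in $queries) {
        # -ErrorAction SilentlyContinue: Get-WinEvent reports an error when no event matches
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        $events | Group-Object -Property Id | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            New-Object PSObject -Property @{
                Log    = $q.LogName
                Id     = [int]$_.Name
                Count  = $_.Count
                Latest = $latest.TimeCreated
            }
        }
    }
}

Test-RemoteDesktopPolicy | Format-List Role, RdpEnabled, TermServiceStart, TermServiceState, Compliant
Get-HardeningEventSummary -Hours 24 | Format-Table Log, Id, Count, Latest -AutoSize
```

Run it once immediately after step 8, then on the schedule your site uses for step 10; a non-zero count of 7040 or 7045 events on a station whose configuration is supposed to be frozen is worth investigating before anything else.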

2. Platform Security
This chapter describes the security enhancements provided specifically for I/A Series or Control
Core Services platforms (hardware).

Physical Access
Physical security of the plant control area is your responsibility. This can include guarded gates to
the site, security cameras, locks, badges, biometric devices, and so forth. Foxboro does not
provide this level of security.

BIOS Settings
Foxboro ships a document with each workstation or server platform that lists the BIOS settings
that are configured for each specific platform type. These are listed below:
♦ Hardware and Software Specific Instructions Model P92*K Workstation (T3500)
(B0700DU)
♦ Hardware and Software Specific Instructions for Model P90*D (R710, Windows Server®
2003, Standard Edition Operating System) (B0700DV)
♦ Hardware and Software Specific Instructions for Model P91*G (T610, Windows Server®
2003, Standard Edition Operating System) (B0700DW)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
(B0700EF)
♦ Hardware and Software Specific Instructions for Model P90 Workstation (R710 Gen II)
(B0700EG)
♦ Hardware and Software Specific Instructions for Model P91 Workstation (T710 Gen II)
(B0700EH)
♦ Hardware and Software Specific Instructions for Model H92 (HP Z400) (B0700EM)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z400)
(Windows 7 Operating System) (B0700FF)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500) with
Windows 7 Operating System (B0700FJ)
♦ Hardware and Software Specific Instructions for Model P92 Workstation (T3500 Gen II)
with Windows 7 Operating System (B0700FM)
♦ Hardware and Software Specific Instructions for Model P90 (R710) with Windows
Server® 2008 Operating System (B0700FK)
♦ Hardware and Software Specific Instructions for Model P90 (R710 Gen II) with Windows
Server 2008 Operating System (B0700FN)
♦ Hardware and Software Instructions for Model H90 Workstation (HP DL380) with
Windows Server 2008 Operating System (B0700FG)


♦ Hardware and Software Specific Instructions for Model P91 (T610) with Windows
Server® 2008 Operating System (B0700FL)
♦ Hardware and Software Specific Instructions for Model P91 (T710 Gen II) with Windows
Server 2008 Operating System (B0700FP)
♦ Hardware and Software Instructions for Model H91 Workstation (HP ML350) with
Windows Server 2008 Operating System (B0700FH)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z420
Windows XP Operating System) (B0700FR)
♦ Hardware and Software Specific Instructions for the Model H92 Workstation (HP Z420
Windows 7 Operating System) (B0700FS)

NOTE
Although the titles of these documents refer to older operating systems, Foxboro
provides OS restore images for these hardware platforms to support either
Windows 7 (for workstation platforms) or Windows Server 2008 R2 (for server-class
platforms).

These documents are available on the Foxboro Evo Electronic Documentation media
(K0174MA). The latest revisions of each document are also available through our Invensys
Global Customer Support at https://support.ips.invensys.com.
If you want to implement security by using features available in the BIOS, you can do so manu-
ally. Table 2-1 provides an example of BIOS settings that you may manually choose to set in order
to harden a workstation, such as disabling unnecessary boot options, closing all external ports,
and applying a BIOS password.

Table 2-1. Example BIOS Settings for Security Enhancements on P92 (Dell-Based) Workstation

BIOS Parameter on P92* Workstation     | Setting
System, Boot Sequence                  | Disable all boot devices except the internal hard drive.
Onboard Devices, USB Controller        | No Boot
Onboard Devices, Rear Quad USB         | Off
Onboard Devices, Front USB             | Off
Onboard Devices, LPT Port Mode         | Off (if no local printer)
Onboard Devices, Serial Port #1        | Off (if no local serial COM devices)
Onboard Devices, PS/2 Mouse Port       | Off
Security, Admin Password               | Set to a strong password that will be communicated to authorized users
Security, Password Changes             | Locked
Security, Chassis Intrusion            | On
Security, Execute Disable              | On
Power Management, AC Recovery          | Last
Power Management, Auto Power On        | Off
Power Management, Low Power Mode       | Off
Power Management, Remote Wake Up       | Off
POST Behavior, POST Hotkeys            | Setup

The documents listed above contain instructions about how to change the BIOS settings for each
specific platform.

Foxboro-Supplied OS Images
The OS images supplied by Foxboro for the supported platforms have been configured to incor-
porate security measures such as removing unnecessary software components and turning off ser-
vices that are not required for Foxboro software operation.
The following is a list of changes applied to the Windows® OS image to enhance security:
♦ Removed unused Windows OS components: [All Games], Media Player, Messenger,
MSN Explorer, Outlook Express
♦ Removed “Favorites” from Start menu
♦ Removed “My Pictures” from Start menu
♦ Removed “My Music” from the Start menu
♦ Removed “Set Program Access and Defaults” from Start menu
♦ Disabled unnecessary user accounts (Guest, HelpAssistant, Support_38*)
♦ Disabled anonymous access and LAN Manager (LM) password hash storage
♦ Disabled the Shared Documents folder
♦ Power button behavior set to: “When I press the power button, do nothing.”

NOTE
Be aware that if you press and hold the button (for about seven seconds), the station
will still shut down.

♦ Disabled unused services (See Table 2-2 below.)


Table 2-2 provides a list of services and indicates how they are configured.
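The following script is an added example and is not part of B0700ET or of the Foxboro OS image. It audits a station's service startup types against a subset of the Table 2-2 baseline (the service names and expected values are copied from the table; the subset, the role detection via Win32_ComputerSystem.DomainRole and the optional -Fix remediation are the example's own additions), so that step 9 of the Recommended Practices can be repeated after any change rather than checked by hand in services.msc.

```powershell
# Added example, not part of B0700ET: audit a station's service startup types
# against a subset of the Table 2-2 baseline and, with -Fix, apply it.
# Written for PowerShell 2.0 (Windows 7 / Windows Server 2008 R2); run from an
# elevated prompt. Without -Fix the script only reports.
param([switch]$Fix)

# Subset of Table 2-2: display name -> expected startup type per column.
# 'N/A' = the service does not apply to that platform. Extend from the table.
$Baseline = @{
    'Application Layer Gateway Service'       = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
    'Background Intelligent Transfer Service' = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
    'Base Filtering Engine'                   = @{ Win7 = 'Auto';     Server = 'Auto';     DC = 'Auto' }
    'BitLocker Drive Encryption Service'      = @{ Win7 = 'Disabled'; Server = 'N/A';      DC = 'N/A' }
    'Bluetooth Support Service'               = @{ Win7 = 'Disabled'; Server = 'N/A';      DC = 'N/A' }
    'Certificate Propagation'                 = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
    'Computer Browser'                        = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
    'Distributed Link Tracking Client'        = @{ Win7 = 'Auto';     Server = 'Auto';     DC = 'Disabled' }
    'DNS Client'                              = @{ Win7 = 'Auto';     Server = 'Auto';     DC = 'Auto' }
    'Fax'                                     = @{ Win7 = 'Disabled'; Server = 'N/A';      DC = 'N/A' }
    'Group Policy Client'                     = @{ Win7 = 'Auto';     Server = 'Auto';     DC = 'Auto' }
    'Human Interface Device Access'           = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
    'IKE and AuthIP IPsec Keying Modules'     = @{ Win7 = 'Auto';     Server = 'Auto';     DC = 'Auto' }
    'Internet Connection Sharing (ICS)'       = @{ Win7 = 'Disabled'; Server = 'Disabled'; DC = 'Disabled' }
}

# Table 2-2 wording -> Set-Service -StartupType values.
$StartupTypeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

# Win32_ComputerSystem.DomainRole: 0/1 workstation (Windows 7 column),
# 2/3 server (client server column), 4/5 domain controller (DC column).
function Get-BaselineColumn {
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { return 'DC' }
    if ($role -ge 2) { return 'Server' }
    return 'Win7'
}

function Test-ServiceBaseline {
    param([string]$Column, [switch]$Apply)
    foreach ($display in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$display][$Column]
        if ($expected -eq 'N/A') { continue }
        # Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled', matching the table's wording.
        $escaped = $display -replace "'", "''"
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$escaped'"
        if ($svc -eq $null) {
            # An absent service is only acceptable where the baseline wanted it Disabled anyway.
            New-Object PSObject -Property @{ Service = $display; Expected = $expected; Actual = '(not installed)'; State = ''; Compliant = ($expected -eq 'Disabled') }
            continue
        }
        $ok = ($svc.StartMode -eq $expected)
        if (-not $ok -and $Apply) {
            Set-Service -Name $svc.Name -StartupType $StartupTypeMap[$expected]
            if ($expected -eq 'Disabled' -and $svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force }
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
            $ok = ($svc.StartMode -eq $expected)
        }
        New-Object PSObject -Property @{ Service = $display; Expected = $expected; Actual = $svc.StartMode; State = $svc.State; Compliant = $ok }
    }
}

$column = Get-BaselineColumn
Write-Host "Auditing against the '$column' column of Table 2-2 (Fix = $Fix)"
$report = @(Test-ServiceBaseline -Column $column -Apply:$Fix)
$report | Format-Table Service, Expected, Actual, State, Compliant -AutoSize
$bad = @($report | Where-Object { -not $_.Compliant }).Count
Write-Host "$bad of $($report.Count) audited services deviate from the baseline."
```

Run it without -Fix first and review the deviations against the process control requirements of the station (step 9 of the Recommended Practices exists precisely because a Disabled service can be one the Control Software needs); only then re-run with -Fix, and re-run the report afterwards to confirm the change took effect.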

Table 2-2. Windows Services Configuration for Security Enhancements

Columns: Service display name | Startup type on Windows 7 | Startup type on Windows Server 2008 R2 client servers | Startup type on Windows Server 2008 R2 domain controllers. N/A means the service does not apply to that platform; a [Dell] or [HP] tag means the value applies only to that vendor's servers. Each service's description follows on the indented line.

Active Directory Web Services | N/A | N/A | Auto
    This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on this server.
Active Directory Domain Services | N/A | N/A | Auto
    AD DS Domain Controller service. If this service is stopped, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
ActiveX Installer (AxInstSV) | Manual | N/A | N/A
    Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls will behave according to default browser settings.
Adaptive Brightness | Manual | N/A | N/A
    Monitors ambient light sensors to detect changes in ambient light and adjust the display brightness. If this service is stopped or disabled, the display brightness will not adapt to lighting conditions.
Application Experience | Manual | Disabled | Disabled
    Processes application compatibility cache requests for applications as they are launched.
Application Host Helper Service | N/A | Manual | Manual
    Provides administrative services for IIS, for example configuration history and Application Pool account mapping.
Application Identity | Manual | Manual | Manual
    Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.
Application Information | Manual | Manual | Manual
    Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service | Disabled | Disabled | Disabled
    Provides support for 3rd party protocol plug-ins for Internet Connection Sharing.
Application Management | Manual | Manual | Manual
    Processes installation, removal, and enumeration requests for software deployed through Group Policy.
ASP.NET State Service | Manual | Manual | Manual
    Provides support for out-of-process session states for ASP.NET.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

Background Intelligent Transfer Service | Disabled | Disabled | Disabled
    Transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information.
Base Filtering Engine | Auto | Auto | Auto
    The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.
BitLocker Drive Encryption Service | Disabled | N/A | N/A
    BDESVC hosts the BitLocker Drive Encryption service. BitLocker Drive Encryption provides secure startup for the operating system, as well as full volume encryption for OS, fixed or removable volumes. This service allows BitLocker to prompt users for various actions related to their volumes when mounted, and unlocks volumes automatically without user interaction. Additionally, it stores recovery information to Active Directory, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service would prevent users from leveraging this functionality.
Block Level Backup Engine Service | Manual | Manual | Manual
    The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer.
Bluetooth Support Service | Disabled | N/A | N/A
    The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.
BranchCache | Manual | N/A | N/A
    This service caches network content from peers on the local subnet.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

Certificate Propagation | Disabled | Disabled | Disabled
    Copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver.
CNG Key Isolation | Manual | Manual | Manual
    The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
COM+ Event System | Manual | Auto | Auto
    Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications.
COM+ System Application | Manual | Manual | Manual
    Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly.
Computer Browser | Disabled | Disabled | Disabled
    Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained.
Credential Manager | Manual | Manual | Manual
    Provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services | Auto | Auto | Auto
    Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL; and Key Service, which helps enroll this computer for certificates.
DCOM Server Process Launcher | Auto | Auto | Auto
    The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Desktop Window Manager Session Manager | Auto | Auto | Auto
    Provides Desktop Window Manager startup and maintenance services.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

DFS Namespace | N/A | N/A | Auto
    Enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.
DFS Replication | N/A | N/A | Auto
    Enables you to synchronize folders on multiple servers across local or wide area network (WAN) network connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication.
DHCP Client | Auto | Auto | Auto
    Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. (Needed by FCS/the Control Software.)
Diagnostic Policy Service | Auto | Auto | Auto
    The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host | Manual | Manual | Manual
    The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.
Diagnostic System Host | Manual | Manual | Manual
    The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.
Disk Defragmenter | Manual | Manual | Manual
    Provides Disk Defragmentation Capabilities.
Distributed Link Tracking Client | Auto | Auto | Disabled
    Maintains links between NTFS files within a computer or across computers in a network. (Needed by FCS/the Control Software.)
Distributed Transaction Coordinator | Manual | Auto | Auto
    Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. (Needed by FCS/the Control Software.)

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

DNS Client | Auto | Auto | Auto
    The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered.
DNS Server | N/A | N/A | Auto
    Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur.
DSM SA Connection Service | N/A | Disabled [Dell], N/A [HP] | Disabled [Dell], N/A [HP]
    Provides access to systems management functions using an industry standard web browser. [Dell Servers]
DSM SA Data Manager | N/A | Auto [Dell], N/A [HP] | Auto [Dell], N/A [HP]
    Provides a common interface and object model to access management information about the operating system, devices, enclosures and management devices. If this service is stopped, several management features will not function properly. [Dell Servers] (Needed by Foxboro Server Manager.)
DSM SA Event Manager | N/A | Disabled [Dell], N/A [HP] | Disabled [Dell], N/A [HP]
    Provides OS and file event logging service for systems management and is also used by event log analyzers. If this service is stopped, event logging features will not function properly. [Dell Servers]
DSM SA Shared Services | N/A | Disabled [Dell], N/A [HP] | Disabled [Dell], N/A [HP]
    Provides infrastructure support for system management functions. [Dell Servers]
Encrypting File System (EFS) | Manual | Manual | Manual
    Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files.
Extensible Authentication Protocol | Manual | Manual | Manual
    The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.
Fax | Disabled | N/A | N/A
    Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

File Replication | N/A | N/A | Disabled
    Synchronizes folders with file servers that use File Replication Service (FRS) instead of the newer DFS Replication technology.
Function Discovery Provider Host | Manual | Manual | Manual
    The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery services for the Simple Services Discovery Protocol (SSDP) and Web Services – Discovery (WS-D) protocol. Stopping or disabling the FDPHOST service will disable network discovery for these protocols when using FD. When this service is unavailable, network services using FD and relying on these discovery protocols will be unable to find network devices or resources.
Function Discovery Resource Publication | Manual | Manual | Manual
    Publishes this computer and resources attached to this computer so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network.
GenericMount Helper Service | Manual | Manual | Manual
    Part of Symantec backup product (Backup Exec System Recovery 2010 and later, and Symantec System Recovery).
Group Policy Client | Auto | Auto | Auto
    The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.
Health Key and Certificate Management | Manual | Manual | Manual
    Provides X.509 certificate and key management services for the Network Access Protection Agent (NAPAgent). Enforcement technologies that use X.509 certificates may not function properly without this service.
HomeGroup Listener | Manual | N/A | N/A
    Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

HomeGroup Provider | Manual | N/A | N/A
    Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running.
HP Insight Event Notifier | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    HP Insight Event Notifier. [HP Servers]
HP Insight Foundation Agents | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    HP Insight Foundation Agents. [HP Servers]
HP Insight NIC Agents | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    HP Insight NIC Agents. [HP Servers]
HP Insight Server Agents | N/A | Auto [HP], N/A [Dell] | Auto [HP], N/A [Dell]
    HP Insight Server Agents. [HP Servers] (Needed by Foxboro Server Manager.)
HP Insight Storage Agents | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    HP Insight Storage Agents. [HP Servers]
HP ProLiant Health Monitor Service | N/A | Auto [HP], N/A [Dell] | Auto [HP], N/A [Dell]
    Monitors thermal events.
HP ProLiant Remote IML Service | N/A | Auto [HP], N/A [Dell] | Auto [HP], N/A [Dell]
    Provides support for the HP ProLiant Integrated Management Log Viewer.
HP ProLiant System Shutdown Service | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    Shuts down the system in the event of overheating or loss of cooling in response to commands from the HP ProLiant iLO 2 Management Controller driver. [HP Servers]
HP System Management Homepage | N/A | Disabled [HP], N/A [Dell] | Disabled [HP], N/A [Dell]
    The HP System Management Homepage allows an administrator to monitor the webapps on the system. [HP Servers]
Human Interface Device Access | Disabled | Disabled | Disabled
    Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function.

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)
(Service | Windows 7 | Server 2008 R2 client server | Server 2008 R2 domain controller)

IKE and AuthIP IPsec Keying Modules | Auto | Auto | Auto
    The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running.
Intel(R) Rapid Storage Technology | Auto | N/A | N/A
    Provides storage event notification and manages communication between the storage driver and user space applications.
Interactive Services Detection | Manual | Manual | Manual
    Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialogs will no longer function and there might not be access to interactive service dialogs. If this service is disabled, both notifications of and access to new interactive service dialogs will no longer function.
Internet Connection Sharing (ICS) | Disabled | Disabled | Disabled
    Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Intersite Messaging | N/A | N/A | Auto
    Enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services.
IP Helper | Auto | Auto | Auto
    Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer will not have the enhanced connectivity benefits that these technologies offer.

IPsec Policy Agent | Disabled | Disabled | Disabled | Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool "netsh ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also, remote management of Windows Firewall is not available when this service is stopped.
Kerberos Key Distribution Center | N/A | N/A | Auto | On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network.
KtmRm for Distributed Transaction Coordinator | Manual | Manual | Manual | Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). If it is not needed, it is recommended that this service remain stopped. If it is needed, both MSDTC and KTM will start this service automatically. If this service is disabled, any MSDTC transaction interacting with a Kernel Resource Manager will fail and any services that explicitly depend on it will fail to start.
Link-Layer Topology Discovery Mapper | Manual | Manual | Manual | Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. If this service is disabled, the Network Map will not function properly.
Matrox.Pdesk.ServicesHost | Auto | Auto | Auto | PowerDesk for earlier Matrox video cards (if installed).
Matrox.Pdesk3.ServicesHost | N/A | N/A | Auto | PowerDesk for Vista service control (if a Matrox video card is installed).
McAfee Framework Service | Auto | Auto | Auto | Shared component framework for McAfee products.
McAfee McShield | Auto | Auto | Auto | McAfee On-Access Scanner.
McAfee Task Manager | Auto | Auto | Auto | Allows scheduling of McAfee scanning and updating activities.
McAfee Validation Trust Protection Service | Auto | Auto | Auto | Provides validation trust protection services.
Microsoft .NET Framework NGEN v2.0.50727_X64 | Disabled | Disabled | Disabled | Microsoft .NET Framework NGEN.
Microsoft .NET Framework NGEN v2.0.50727_X86 | Disabled | Disabled | Disabled | Microsoft .NET Framework NGEN.
Microsoft .NET Framework NGEN v4.0.30319_X64 | Auto | Auto | Auto | Microsoft .NET Framework NGEN.
Microsoft .NET Framework NGEN v4.0.30319_X86 | Auto | Auto | Auto | Microsoft .NET Framework NGEN.
Microsoft Fibre Channel Platform Registration Service | N/A | Manual | Manual | Registers the platform with all available Fibre Channel fabrics, and maintains the registrations.
Microsoft iSCSI Initiator Service | Disabled | Disabled | Disabled | Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices. If this service is stopped, this computer will not be able to log in to or access iSCSI targets.
Microsoft Software Shadow Copy Provider | Manual | Manual | Manual | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed.
mr2kserv | N/A | N/A | Auto | Monitors plug-and-play RAID disk devices and is required by the Disk Management Service (on Dell servers).
Multimedia Class Scheduler | Auto | Auto | Auto | Enables relative prioritization of work based on system-wide task priorities. This is intended mainly for multimedia applications. If this service is stopped, individual tasks resort to their default priority. (Needed by audio volume control.)
Net.Msmq Listener Adapter | Disabled | Disabled | Disabled | Receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service.
Net.Pipe Listener Adapter | Disabled | Disabled | Disabled | Receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service.
Net.Tcp Listener Adapter | Disabled | Disabled | Disabled | Receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service.
Net.Tcp Port Sharing Service | Disabled | Disabled | Disabled | Provides the ability to share TCP ports over the net.tcp protocol.
Net Logon | Manual | Manual | Auto | Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records.
Network Access Protection Agent | Manual | Manual | Manual | The Network Access Protection (NAP) agent service collects and manages health information for client computers on a network. Information collected by the NAP agent is used to make sure that the client computer has the required software and settings. If a client computer is not compliant with health policy, it can be provided with restricted network access until its configuration is updated. Depending on the configuration of health policy, client computers might be automatically updated so that users quickly regain full network access without having to manually update their computer.
Network Connections | Manual | Manual | Manual | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network List Service | Manual | Manual | Manual | Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.
Network Location Awareness | Manual | Manual | Manual | Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable.
Network Store Interface Service | Auto | Auto | Auto | This service delivers network notifications (e.g., interface addition or deletion) to user mode clients. Stopping this service will cause loss of network connectivity.
NVIDIA Display Driver Service | Auto | Auto | N/A | Provides system and desktop level support to the NVIDIA display driver.
NVIDIA Stereoscopic 3D Driver Service | Auto | Auto | N/A | Provides system support for the NVIDIA Stereoscopic 3D driver.
NVIDIA WMI Provider | Auto | Auto | Auto | Allows WMI clients to query and monitor NVIDIA GPU parameters (if the NVIDIA video driver is installed).
Offline Files | Auto | Disabled | Disabled | The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state.
Parental Controls | Disabled | N/A | N/A | This service is a stub for the Windows Parental Controls functionality that existed in Vista. It is provided for backward compatibility only.
PDF Document Manager | Auto [HP] | N/A | N/A | Manages the PDF document production process. A primary task is to enable the routing of documents from the print spooler to the user. (Only on HP Windows 7 workstations.)
Peer Name Resolution Protocol | Disabled | N/A | N/A | Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). If disabled, some peer-to-peer and collaborative applications, such as Remote Assistance, may not function.
Peer Networking Grouping | Disabled | N/A | N/A | Enables multi-party communication using Peer-to-Peer Grouping. If disabled, some applications, such as HomeGroup, may not function.
Peer Networking Identity Manager | Disabled | N/A | N/A | Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. If disabled, the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services may not function, and some applications, such as HomeGroup and Remote Assistance, may not function correctly.
Performance Counter DLL Host | Manual | Manual | Manual | Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit processes will be able to query performance counters provided by 32-bit DLLs.
Performance Logs & Alerts | Disabled | Disabled | Disabled | Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected.
Plug and Play | Auto | Auto | Auto | Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
PnP-X IP Bus Enumerator | Manual | Disabled | Disabled | The PnP-X bus enumerator service manages the virtual network bus. It discovers network connected devices using the SSDP/WS-Discovery protocols and gives them presence in PnP. If this service is stopped or disabled, presence of NCD devices will not be maintained in PnP. All PnP-X based scenarios will stop functioning.
PNRP Machine Name Publication Service | Disabled | N/A | N/A | This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context 'p2p pnrp peer'.
Portable Device Enumerator Service | Disabled | Disabled | Disabled | Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices.
Power | Auto | Auto | Auto | Manages power policy and power policy notification delivery.
Print Spooler | Auto | Auto | Auto | Loads files to memory for later printing.
Problem Reports and Solutions Control Panel Support | Manual | Manual | Manual | This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel.
Program Compatibility Assistant Service | Auto | N/A | N/A | This service provides support for the Program Compatibility Assistant (PCA). PCA monitors programs installed and run by the user and detects known compatibility problems. If this service is stopped, PCA will not function properly.
Protected Storage | Disabled | Disabled | Auto | Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.
Quality Windows Audio Video Experience | Disabled | N/A | N/A | Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service (QoS) for AV applications. It provides mechanisms for admission control, run time monitoring and enforcement, application feedback, and traffic prioritization.
Remote Access Auto Connection Manager | Disabled | Disabled | Disabled | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager | Disabled | Disabled | Disabled | Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Configuration | Manual | Manual | Manual | The Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates.
Remote Desktop Licensing | N/A | Auto | N/A | Provides registered licenses for Remote Desktop Services clients. If this service is stopped, the server will be unable to issue Remote Desktop Services licenses to clients when they are requested.
Remote Desktop Services | Disabled | Disabled | Disabled | Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System Properties control panel item.
Remote Desktop Services UserMode Port Redirector | Manual | Manual | Manual | Allows the redirection of printers, drives, and ports for RDP connections.
Remote Procedure Call (RPC) | Auto | Auto | Auto | The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running.
Remote Procedure Call (RPC) Locator | Manual | Auto | Auto | In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and later versions of Windows, this service does not provide any functionality and is present for application compatibility.
Remote Registry | Auto | Auto | Auto | Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. (Needed by the Foxboro Station Assessment Tool.)
Resultant Set of Policy Provider | N/A | Manual | Manual | Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer in various situations and computes the Resultant Set of Policy settings.
Routing and Remote Access | Disabled | Disabled | Disabled | Offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper | Auto | Auto | Auto | Resolves RPC interface identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly.
Secondary Logon | Disabled | Disabled | Disabled | Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable.
Secure Socket Tunneling Protocol Service | Manual | Manual | Manual | Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to use SSTP to access remote servers.
Security Accounts Manager | Auto | Auto | Auto | The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Security Center | Disabled | N/A | N/A | The WSCSVC (Windows Security Center) service monitors and reports security health settings on the computer. The health settings include firewall (on/off), antivirus (on/off/out of date), antispyware (on/off/out of date), Windows Update (automatically/manually download and install updates), User Account Control (on/off), and Internet settings (recommended/not recommended). The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service. The Action Center (AC) UI uses the service to provide systray alerts and a graphical view of the security health states in the AC control panel. Network Access Protection (NAP) uses the service to report the security health states of clients to the NAP Network Policy Server to make network quarantine decisions. The service also has a public API that allows external consumers to programmatically retrieve the aggregated security health state of the system.
Server | Auto | Auto | Auto | Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable.
Shell Hardware Detection | Auto | Auto | Disabled | Provides notifications for AutoPlay hardware events.
Smart Card | Disabled | Disabled | Disabled | Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards.
Smart Card Removal Policy | Disabled | Disabled | Disabled | Allows the system to be configured to lock the user desktop upon smart card removal.
SNMP Service | N/A | Auto | Auto | Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. If this service is stopped, the computer will be unable to process SNMP requests.
SNMP Trap | Manual | Manual | Disabled | Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs running on this computer. If this service is stopped, SNMP-based programs on this computer will not receive SNMP trap messages.
Software Protection | Auto | Auto | Auto | Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a notification mode. It is strongly recommended that you not disable the Software Protection service.
Special Administration Console Helper | N/A | Manual | Manual | Allows administrators to remotely access a command prompt using Emergency Management Services.
SPP Notification Service | Manual | Manual | Manual | Provides Software Licensing activation and notification.
SSDP Discovery | Disabled | Disabled | Disabled | Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices will not be discovered.
Storage Service | Manual | N/A | N/A | Enforces group policy for storage devices.
Superfetch | Auto | N/A | N/A | Maintains and improves system performance over time.
Symantec SymSnap VSS Provider | Manual | Manual | Manual | Symantec SymSnap VSS Provider.
Symantec System Recovery | Auto | Auto | Auto | Provides backup and restore services, job scheduling, and event notification.
SymSnapService | Manual | Manual | Manual | Symantec Volume Snapshot Service.
System Event Notification Service | Auto | Auto | Auto | Monitors system events and notifies subscribers to COM+ Event System of these events.
Tablet PC Input Service | Disabled | Disabled | Disabled | Enables Tablet PC pen and ink functionality.
Task Scheduler | Auto | Auto | Auto | Enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times.
TCP/IP NetBIOS Helper | Auto | Auto | Auto | Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable.
Telephony | Manual | Manual | Manual | Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service.
Themes | Auto | Auto | Auto | Provides user experience theme management.
Thread Ordering Server | Manual | Manual | Manual | Provides ordered execution for a group of threads within a specific period of time.
TPM Base Services | Manual | Manual | Manual | Enables access to the Trusted Platform Module (TPM), which provides hardware-based cryptographic services to system components and applications. If this service is stopped or disabled, applications will be unable to use keys protected by the TPM.
UPnP Device Host | Manual | Disabled | Disabled | Allows UPnP devices to be hosted on this computer. If this service is stopped, any hosted UPnP devices will stop functioning and no additional hosted devices can be added.
User Profile Service | Auto | Auto | Auto | This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully log on or log off, applications may have problems getting to users' data, and components registered to receive profile event notifications will not receive them.
Virtual Disk | Manual | Manual | Manual | Provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy | Manual | Manual | Manual | Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail.
WebClient | Disabled | Disabled | Disabled | Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available.
WinDefend | Disabled | Disabled | Disabled | Microsoft Windows Defender (not used).
Windows Activation Technologies Service | Manual | N/A | N/A | Performs Windows 7 validation.
Windows Audio | Auto | Auto | Auto | Manages audio for Windows-based programs.
Windows Audio Endpoint Builder | Auto | Auto | Auto | Manages audio devices for the Windows Audio service.
Windows Backup | Disabled | N/A | N/A | Provides Windows Backup and Restore capabilities.
Windows Biometric Service | Disabled | N/A | N/A | The Windows Biometric Service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process.
Windows CardSpace | Manual | Manual | Disabled | Securely enables the creation, management, and disclosure of digital identities.
Windows Color System | Manual | Manual | Manual | The WcsPlugInService service hosts third-party Windows Color System color device model and gamut map model plug-in modules. These plug-in modules are vendor-specific extensions to the Windows Color System baseline color device and gamut map models. Stopping or disabling the WcsPlugInService service will disable this extensibility feature, and the Windows Color System will use its baseline model processing rather than the vendor's desired processing. This might result in inaccurate color rendering.
Windows Connect Now - Config Registrar | Disabled | N/A | N/A | WCNCSVC hosts the Windows Connect Now Configuration, which is Microsoft's implementation of the Wi-Fi Protected Setup (WPS) protocol. This is used to configure Wireless LAN settings for an Access Point (AP) or a Wi-Fi Device. The service is started programmatically as needed.
Windows Defender | Disabled | Disabled | Disabled | Microsoft Windows Defender (not used).
Windows Driver Foundation - User-mode Driver Framework | Manual | Manual | Manual | Manages user-mode driver host processes.
Windows Error Reporting Service | Manual | Manual | Manual | Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed.
Windows Event Collector | Manual | Manual | Manual | This service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.
Windows Event Log | Auto | Auto | Auto | This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.
Windows Firewall | Disabled | Disabled | Disabled | Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Windows Font Cache Service | Auto | Auto | Auto | Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance.
Windows Image Acquisition (WIA) | Disabled | Disabled | Disabled | Provides image acquisition services for scanners and cameras.
Windows Installer | Manual | Manual | Manual | Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package.
Windows Management Instrumentation | Auto | Auto | Auto | Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly.
Windows Modules Installer | Manual | Manual | Manual | Enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer.
Windows Presentation Foundation Font Cache 3.0.0.0 | Manual | Manual | Manual | Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications.
Windows Process Activation Service | N/A | Manual | Manual | The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications.
Windows Remote Management (WS-Management) | Disabled | Disabled | Disabled | The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM service needs to be configured with a listener using the winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.
Windows Search | Auto | N/A | N/A | Provides content indexing, property caching, and search results for files, e-mail, and other content.
Windows Time | Disabled | Disabled | Disabled | Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable.
Windows Update | Disabled | Disabled | Disabled | Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.

29
B0700ET – Rev E 2. Platform Security

Table 2-2. Windows Services Configuration for Security Enhancements (Continued)

Service Display Name | Startup Type on Windows 7 | Startup Type on Windows Server 2008 R2 Client Servers | Startup Type on Windows Server 2008 R2 Domain Controllers | Description
WinHTTP Web Proxy Auto-Discovery Service | Manual | Disabled | Disabled | WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol.
Wired AutoConfig | Manual | Manual | Manual | The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces. If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources. Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service.
WLAN AutoConfig | Manual | N/A | N/A | The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. It also contains the logic to turn your computer into a software access point so that other devices or computers can connect to your computer wirelessly using a WLAN adapter that can support this. Stopping or disabling the WLANSVC service will make all WLAN adapters on your computer inaccessible from the Windows networking UI. It is strongly recommended that you have the WLANSVC service running if your computer has a WLAN adapter.
WMI Performance Adapter | Disabled | Disabled | Disabled | Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated.
Workstation | Auto | Auto | Auto | Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable.
WWAN AutoConfig | Disabled | N/A | N/A | This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices.


How to Change OS Image Settings for Services


To change the startup type of a service, proceed as follows:
1. Log in using an account that has Administrative privileges.
2. Open the Control Panel from the Start menu.
3. Click Administrative Tools -> Services.
4. In the Services window, double-click the service you want to change.
5. In the Properties window that is displayed, click on the drop-down menu next to the
label “Startup type” and select the desired setting. Note that new settings will not
take effect until a reboot occurs. If a service is already started and you want to stop it,
you can attempt to stop it by clicking on the “Stop” button under the “Service
Status” label. Likewise, if a service is in Manual but in the stopped state, you can
attempt to start it using the “Start” button.
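As an added example that is not part of the Foxboro guide, the following PowerShell script checks a Windows 7 station's service startup types against the Windows 7 column of the Table 2-2 rows shown above and reports any drift, optionally re-applying the expected setting. The short service names used as keys are the standard Windows names for the table's display names; that mapping is my assumption. Run it from an administrative PowerShell prompt.

```powershell
# Added example, not from the Foxboro guide: audit this station's service
# startup types against the Windows 7 column of Table 2-2 and report drift.
# Uses Get-WmiObject so it also works on the PowerShell 2.0 that ships with
# Windows 7; Win32_Service.StartMode reports Auto, Manual or Disabled.
param(
    [switch]$Fix   # when set, re-apply the expected startup type to drifted services
)

# Expected startup types (Windows 7 column of the Table 2-2 rows on this page).
# Keys are the standard Windows short names for the table's display names;
# that name mapping is an assumption on my part. "N/A" rows are omitted.
$Expected = @{
    'FontCache3.0.0.0'    = 'Manual'    # Windows Presentation Foundation Font Cache 3.0.0.0
    'WinRM'               = 'Disabled'  # Windows Remote Management (WS-Management)
    'WSearch'             = 'Auto'      # Windows Search
    'W32Time'             = 'Disabled'  # Windows Time
    'wuauserv'            = 'Disabled'  # Windows Update
    'WinHttpAutoProxySvc' = 'Manual'    # WinHTTP Web Proxy Auto-Discovery Service
    'dot3svc'             = 'Manual'    # Wired AutoConfig
    'WlanSvc'             = 'Manual'    # WLAN AutoConfig
    'wmiApSrv'            = 'Disabled'  # WMI Performance Adapter
    'LanmanWorkstation'   = 'Auto'      # Workstation
    'WwanSvc'             = 'Disabled'  # WWAN AutoConfig
}

# Set-Service spells the same startup types differently from Win32_Service.
$SetServiceName = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

$drift = @()
foreach ($name in $Expected.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Warning "Service '$name' is not installed on this station; skipping."
        continue
    }
    if ($svc.StartMode -ne $Expected[$name]) {
        $drift += New-Object PSObject -Property @{
            Name     = $name
            Service  = $svc.DisplayName
            Expected = $Expected[$name]
            Actual   = $svc.StartMode
            State    = $svc.State   # Running/Stopped: spots a service set to Disabled but still running
        }
    }
}

if ($drift.Count -eq 0) {
    Write-Host "All audited services match Table 2-2 (Windows 7 column)."
    return
}
$drift | Format-Table Service, Expected, Actual, State -AutoSize

if ($Fix) {
    foreach ($d in $drift) {
        # As the procedure above notes, the new startup type takes effect at the
        # next reboot; a service that is currently running is not stopped here.
        Set-Service -Name $d.Name -StartupType $SetServiceName[$d.Expected]
        Write-Host "Set '$($d.Service)' startup type to $($d.Expected) (effective after reboot)."
    }
}
```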

Remote Desktop Services


The Terminal Services feature that was available in Windows Server 2003 has been renamed to
“Remote Desktop Services” for Windows Server 2008 R2 and Windows 7.
In accordance with good security practice, the “Remote Desktop Services” service is disabled on
workstations and servers. If you need remote access to these stations and are willing to accept any
resulting security risk, this service would need to be enabled. An organizational unit (OU) has
been created under the IA Computers OU for computers that need this service to be enabled.
Using the Active Directory Users and Computers tool, you can drag and drop a computer from
the IA Computers OU to the Remote Desktop Servers OU below it.
Note that this change will not take effect on that moved computer until one of these is true:
♦ The moved station is rebooted, or
♦ The next group policy update occurs (at the group policy refresh interval, typically
every 90 minutes), or
♦ A “gpupdate /force” command is executed in a command prompt on the moved
station.
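The drag-and-drop step above done from PowerShell, as an added example that is not part of the Foxboro guide: it moves one computer object from the IA Computers OU to the Remote Desktop Servers OU below it, and refuses to move anything that is not currently in IA Computers. It assumes the ActiveDirectory module (RSAT) is available and the account has rights to move computer objects; the OU names are the ones this guide describes.

```powershell
# Added example, not from the Foxboro guide: move a station into the Remote
# Desktop Servers OU so the Remote Desktop group policy applies to it.
# Requires the ActiveDirectory module (RSAT) and an account allowed to move
# computer objects. OU names follow this guide; no domain DN is hard-coded.
param(
    [Parameter(Mandatory=$true)][string]$ComputerName   # letterbug of the station to move
)
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName

# Locate the OUs by name rather than hard-coding a domain-specific DN.
$sourceOU = Get-ADOrganizationalUnit -Filter { Name -eq "IA Computers" }
if (-not $sourceOU) { throw "IA Computers OU not found in this domain." }
$targetOU = Get-ADOrganizationalUnit -Filter { Name -eq "Remote Desktop Servers" } |
    Where-Object { $_.DistinguishedName -like "*,$($sourceOU.DistinguishedName)" }
if (-not $targetOU) { throw "Remote Desktop Servers OU not found under $($sourceOU.DistinguishedName)." }

# Refuse to move anything that is not currently a direct member of IA Computers
# (a domain controller, for example, must never receive this policy).
$currentOU = ($computer.DistinguishedName -split ',', 2)[1]
if ($currentOU -ne $sourceOU.DistinguishedName) {
    throw "$ComputerName is in '$currentOU', not directly in the IA Computers OU; not moved."
}

Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU.DistinguishedName
Write-Host "$ComputerName moved to $($targetOU.DistinguishedName)."
Write-Host "The policy applies after a reboot, the next policy refresh (typically 90 minutes),"
Write-Host "or 'gpupdate /force' at a command prompt on $ComputerName itself. Because WinRM is"
Write-Host "disabled per Table 2-2, gpupdate cannot be pushed to the station remotely from here."
```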

I/A Series/Control Core Services Startup and Logon Options
The I/A Series software or Control Core Services continue to provide various options for configuring station reboot behavior, such as determining whether or not a logon is required. Even though it is not the most secure option, the ability to use the autologon feature instead of requiring users to log on by providing credentials is still provided. In addition, when the autologon option is selected, the user account that is to be used is configurable.
For detailed discussions of the I/A Series or Control Core Services startup, security, logon/logoff and shutdown options, refer to the release notes shipped with your version of I/A Series software or Control Core Services.


Autologon Configurator
The Autologon feature automates the logon process by storing a user-specified account and password in the registry database. While using this feature is more convenient than requiring users to log on manually, be aware that it can pose a security risk since access to the desktop is provided without requiring a user to provide appropriate credentials. This feature should only be used in areas that are secured by other means.
After selecting an Autologon startup option from the control panel applet and clicking OK, you are prompted for the logon credentials to use. A dialog box is displayed as shown in Figure 2-1:

Figure 2-1. Autologon Configurator

Enter the user account, domain name, and the password (in both fields) as shown in Figure 2-2.
When done, click OK.

Figure 2-2. Sample Autologon Configuration


NOTE
While entering the domain name, you must use the short name (for example,
IASERIES), not the long name (for example, iaseries.local).

NOTE
If you want to autologon to the local workstation (for example, if The Mesh control
network is not enabled), enter the workstation’s letterbug for the domain name.
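As an added example that is not part of the Foxboro guide, this PowerShell script reports whether Autologon is configured on the station it runs on, and checks the stored domain name against the two notes above. It assumes the Autologon Configurator writes the standard Windows Winlogon registry values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword); the guide only says the account and password are stored in the registry, so that mapping is my assumption.

```powershell
# Added example, not from the Foxboro guide: report whether Autologon is
# configured on this station and check the stored domain against the notes
# above. Assumes the Autologon Configurator uses the standard Winlogon
# registry values (AutoAdminLogon, DefaultUserName, DefaultDomainName,
# DefaultPassword); the guide does not name the values, so this is an assumption.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

$enabled = ($props.AutoAdminLogon -eq '1')
$report  = New-Object PSObject -Property @{
    Station           = $env:COMPUTERNAME
    AutologonEnabled  = $enabled
    Account           = $props.DefaultUserName
    Domain            = $props.DefaultDomainName
    # Record only whether a cleartext password is present, never its value.
    ClearTextPassword = [bool]$props.DefaultPassword
}
$report | Format-List Station, AutologonEnabled, Account, Domain, ClearTextPassword

if (-not $enabled) { return }

Write-Warning "Autologon is enabled: the desktop comes up without credentials; use only where the area is secured by other means."
if ($report.ClearTextPassword) {
    Write-Warning "DefaultPassword is stored in cleartext in the registry."
}
if ($props.DefaultDomainName -match '\.') {
    # First note above: the short name (for example IASERIES) is required, not iaseries.local.
    Write-Warning "Domain '$($props.DefaultDomainName)' looks like a long DNS name; the short name is required."
} elseif ($props.DefaultDomainName -eq $env:COMPUTERNAME) {
    # Second note above: the station's own letterbug means a local (non-domain) logon.
    Write-Host "Domain equals this station's letterbug: Autologon is to the local workstation."
}
```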

3. Security Enhancements Installation and Configuration
This chapter details the installation and configuration procedures for the security enhancements
provided for systems with I/A Series software v8.8 or Foxboro Evo Control Core Services v9.0 or
later, which may also include Foxboro Control Software v4.x or the Control Software v5.0 or
later.

Platform Requirements
The security enhancements incorporated in I/A Series software v8.8 or Foxboro Evo Control Core
Services v9.0 or later software releases are supported on the platforms listed in Table 1-1 “Foxboro
Platforms Supporting Security Enhancements” on page 3.
Note that the implementation of security for The Mesh control network (see footnote 1) involves having servers that provide the role of Microsoft® Active Directory Domain Controllers. There has to be at least one domain controller present to act as the “primary” domain controller, but the recommendation is to have a second server acting as a “secondary” domain controller to provide redundancy. The Active Directory structure is covered in a section later in this chapter.
As shown in Figure 3-1 on page 40, Active Directory domain controllers can be connected to The Mesh (referred to as “on-Mesh domain controllers”) or be installed on a separate network (referred to as “off-Mesh domain controllers”). Domain controllers that are directly connected to The Mesh are installed as Foxboro stations (see footnote 2) to make sure they operate properly on The Mesh network. As far as the Active Directory is concerned, a domain controller has one static IP address (which is required for an Active Directory domain controller). However, for an on-Mesh domain controller, The Mesh network’s intermediate driver provides redundant paths to the network (in a way that is transparent to the Active Directory software).
While an on-Mesh domain controller server is installed as an I/A Series or Control Core Services station, it must not be used to run I/A Series/Control Core Services or FCS/the Control Software applications. Whether on The Mesh or off-Mesh, Active Directory domain controllers are key resources since they provide user authentication for all the workstations in the domain and therefore should not be put at risk by running applications which could have a detrimental impact on the availability of their services. Likewise, Remote Desktop Services should never be enabled on a domain controller, so that the integrity of the domain cannot be compromised by a remote user.

1. The Mesh control network and its implementation of security from the switch’s perspective are discussed in The MESH Control Network Architecture Guide (B0700AZ) and in The MESH Control Network Operation, and Switch Installation and Configuration Guide (B0700CA). This document describes the implementation of security for servers and workstations which connect to The Mesh control network.
2. These domain controllers may only have the I/A Series software or Control Core Services on them, not Foxboro Control Software or the Control Software.


Secondary Domain Controllers in an I/A Series or Foxboro Evo System
Since domain controllers are considered a vital resource for Active Directory domains, it is a best practice to have a secondary domain controller (SDC) in addition to the primary domain controller (PDC). This provides redundancy and avoids the loss of functionality should the primary domain controller fail. For information about how to set up and manage secondary domain controllers, refer to I/A Series V8.8 Software Installation Guide (B0700SF) or the appropriate Control Core Services v9.x Software Installation Guide.

I/A Series Software or Control Core Services Installation
For information about how to install the I/A Series software or Control Core Services, refer to
I/A Series V8.8 Software Installation Guide (B0700SF) or the appropriate Control Core Services v9.x
Software Installation Guide.
Access to the various operations and features provided on a workstation with I/A Series or Control Core Services (such as access to the Task Manager, I/A Station Management Change Actions or the registry) is restricted in a number of ways, including via the:
♦ BIOS settings
♦ Configuration of the OS image (standard vs. security enhanced)
♦ “Group policies” (explained in more detail later in this chapter) - settings of operations allowed for members of specific user groups, such as the following (supplied by Foxboro):
♦ IA Plant Admins (the least restrictive policies)
♦ IA Plant Engineers
♦ IA Plant Operators
♦ IA Plant View Only (the strictest policies).
Appendix A “Comparison of “Invensys Plant” GPOs” contains a list of the policy settings for the above groups.
A complete list of group policies provided by Foxboro is provided later in this chapter.
In addition, the I/A Series or Control Core Services Day 0 installation configures the following at the computer level:
♦ Sets the global NIC settings
♦ Renames the Administrator account and creates a dummy Administrator account
♦ Pre-configures the services in Table 3-1.
Table 3-1 provides a list of services and how they are configured by the I/A Series software or Control Core Services installation. For the most part, these services could not be pre-configured on the OS image since they do not exist until the Foxboro software is installed.


Table 3-1. Windows Services Startup Configuration for Stations with Security Enhancements

Service Name | Startup Type on Windows 7 | Startup Type on Windows Server 2008 R2 Client Servers | Startup Type on Windows Server 2008 R2 Domain Controllers (On-MESH Only)(1) | Description
Fox Shared Memory | Auto | Auto | Auto | Manages shared memory for I/A Series or Control Core Services applications. If this service is disabled, I/A Series or Control Core Services applications will not function.
I/A Series Launcher | Auto | Auto | Auto | Manages the background processes required by I/A Series or Control Core Services. If this service is disabled, I/A Series or Control Core Services will not start.
I/A Series Notification | Auto | Auto | N/A | Reports system configuration changes performed by ADMC. If this service is disabled, configuration changes performed by ADMC will not be reported for the workstation.(2)
MessageManager - Calc and Filtering | Manual | Manual | N/A | Communicates with CPs. Receives device database information from CPs and forwards alarms to the Message Manager Device Server service for delivery to clients.(3)
MessageManager - Device Server | Manual | Manual | N/A | If Message Manager is configured as redundant, communicates with the Message Manager Redundancy Controller service on the partner station to determine active/passive roles.(3)
MessageManager - Internal Monitor | Auto | Auto | N/A | Controls the startup of all other Message Manager services. Reports Message Manager status via OM variables. Restarts other Message Manager services if issues are encountered.(3)
MessageManager - Packet Receiver | Manual | Manual | N/A | Communicates with alarm destination clients (CADs, historians, printers). Receives alarms and sends to clients.(3)
MessageManager - Redundancy Controller | Manual | Manual | N/A | Handles alarm re-prioritization. Consumer of configuration files created by the Message Manager configurator.
MKSAUTH | Manual | Manual | Manual | MKS password authentication service.
Network Time Protocol | Manual | Manual | Manual | Synchronizes computers over a network.
NuTCRACKER Service | Auto | Auto | Auto | MKS NuTCRACKER Service (used by I/A Series or Control Core Services infrastructure).
Open Text Exceed Display Controller | N/A | Manual | N/A | A helper service for Exceed providing Display Management.(2)
Open Text InetD | Auto | Auto | N/A | Open Text Internet Superservice.(2)
REDL Monitor | Auto | Auto | Auto | Monitors the Redundant Ethernet Data Link and reports cable faults to the System Monitor. If this service is disabled, cable faults will not be reported for this workstation.
System Manager Service | Auto | Auto | Auto | Provides system information to the System Manager client applications.(4)

1. I/A Series software or Control Core Services are not installed on off-Mesh Domain Controllers.
2. Not installed if the IASVCS package is un-assigned from the workstation.
3. Only installed if the AMSGM7 package is assigned to the workstation.
4. Only installed if the System Manager Server is installed.

Help and Support Feature


The Windows operating system provides a “Help and Support” feature normally accessible from
the Start menu. However, this information describes how to perform administrative tasks, which
may have an impact on security. Therefore, the “Help and Support” feature is turned off by
default.

Administrative Privileges
Administrative privileges are not required for normal I/A Series or Foxboro Evo system operation.
However, members of the IA Plant Admins security group are granted administrative privileges so
that they can perform important functions such as the ability to install software and change net-
work settings. The IA Plant Engineers, IA Plant Operators, and IA Plant View Only security
groups do not have this privilege, nor can they log in to the domain controllers.

NOTE
It is not possible to log on to a domain controller with a user account that is not a
member of the Administrators group.

If you wish to change this behavior, you may remove or add whichever user groups you wish to
the Administrators users group, provided you understand and are willing to accept the security
implications of doing so.


Management of Software Ports


Software ports are controlled by the firewall package discussed in Chapter 4 “Security Packages”.

Active Directory Topics


Active Directory Overview
An I/A Series or Foxboro Evo system with the security enhancements installed employs Microsoft Active Directory for several reasons. For example, the Active Directory:
♦ Makes it possible to manage computer user accounts and group policies from a central location.
♦ Provides authentication services.
♦ Is a time-tested stable technology.
♦ Is very scalable.
♦ Can work with many third-party software products designed for an Active Directory environment.
A central and vital component of an Active Directory environment is the Domain Controller (DC). There must be at least one present, but there can be any number of them. Only one Domain Controller can take on the role of the “primary” Domain Controller at a particular time. It is recommended that there be at least one additional “secondary” Domain Controller which can take over the primary role if the current primary Domain Controller experiences a failure. Only a server-class workstation running a server-class Microsoft operating system (such as Windows Server 2008 R2) can be a Domain Controller.
A simplified network topology of an I/A Series or Foxboro Evo system that uses Active Directory would typically appear as shown in Figure 3-1 (shown for networks on The Mesh and off-Mesh).


[Figure 3-1. I/A Series or Foxboro Evo System Network Topologies with Active Directory (Simplified). On-MESH Topology: Primary Domain Controller (Server) and Secondary Domain Controller (Server) attached to The MESH Control Network together with the Foxboro Evo or I/A Series Workstations, Servers and Control Processors. Off-MESH Topology: L4 Network; Firewall; L3 Network with the Off-MESH Domain Controller and a WSUS* (Optional ePO) Server; Firewall; L2.1 Network with AWs Hosting CPs and AW Operator Stations; L2 MESH Network with FCPs; L1 Network with FBMs.]
* WSUS = Microsoft’s Windows Server Update Services, and ePO = McAfee ePolicy Orchestrator

Figure 3-1. I/A Series or Foxboro Evo System Network Topologies with Active Directory (Simplified)


For the On-Mesh Topology in Figure 3-1, the Domain Controllers are connected directly to The Mesh network. To ensure proper operation on The Mesh, these servers must have I/A Series software or Control Core Services installed on them. Note that only workstations and servers participate in the Active Directory structure, not controllers or switches.

Active Directory Structure


The Active Directory technology was designed to work for small systems up to very large enterprise systems. Its structure allows for organizing computers and users into logical groupings at various hierarchical levels. At the lowest level are the individual workstations and users. These can be grouped into domains. Multiple domains can be grouped into a tree and multiple trees can belong to a forest (the highest level).

Organizational Units (OU)


There are also “Organizational Units” and “sites.” Organizational Units (OUs) allow you to set up logical divisions within a domain, similar to sub-domains. For example, if the domain consisted of an entire company, each department could have its own organizational unit. Sites allow you to set up groupings based on geographical location or, more specifically, nodes connected on the same LAN. Typically, different sites would be connected with WAN links.

Security Groups
The concept of “security groups” is also present in the Active Directory structure. (These were
simply referred to as “user groups” in earlier operating systems such as Windows NT.) Like an
OU, a security group can include users and workstations. However, there is a difference. OUs act
as containers of objects (such as users and workstations), whereas security groups are a collection
of attributes that can be assigned to an object. Using the analogy of a company for example, you
may have divided it up into OUs that represent departments. If you want to designate certain
people as having the ability to control (configure and maintain) each OU, the user accounts of
those designated people would belong to a security group that has the required permissions to
allow them to do the tasks required to control the OU.

NOTE
A user account can be in only one OU but can be a member of any number of security groups.

Group Policies and Group Policy Objects


You should understand the concepts of “group policies” and “group policy objects”. While it seems counterintuitive, group policies are not applied to groups or users. They are applied to OUs, domains, or sites. Group policies provide central administration of settings that can be applied to multiple users and workstations. For example, you can have a group policy that determines which users have permission to perform certain actions, such as shutting down a workstation or having access to the Task Manager.
Group policies are configured and deployed by building group policy objects (GPOs). GPOs are containers for a collection of settings (policies) that can be applied to users and machines throughout the network. The act of assigning a GPO to a domain, OU, or site is called linking. A GPO can be linked to multiple OUs and multiple GPOs can be assigned to a single OU.


Group policies can manage computer-specific settings, user-specific settings or both. Computer policies are applied at boot time. User policies take effect when a user logon occurs. Domain-based group policies (other than folder redirection and software installation) are not only applied at logon time, but also reapply themselves periodically to keep current with any changes. There is a refresh interval specific to Domain Controllers (typically every 5 minutes) and a different refresh interval for all other computers (typically 90 minutes). These refresh intervals can be controlled via group policy.
Group policies are processed in a hierarchical order: Local Security Policy first, then site-level policies, then domain-level policies, and then OU-level policies. Users and workstations that are both in a domain and an OU receive settings both from the domain-level policy and from the OU-level policy. If the same policy is configured at multiple levels, the behavior depends on how the policy is configured at the higher level. For example, it is possible to set a “No Override” option that prevents a policy from being overridden at a lower level. Otherwise, the lower-level policy (the last one applied) normally wins.

I/A Series or Control Core Services Specific Implementation of Active Directory
The I/A Series or Foxboro Evo system implementation of Active Directory uses a single domain for the entire control network with multiple organizational units (OUs) and group policies. During the I/A Series software or Control Core Services installation of a Domain Controller, it will automatically create the domain. (You may choose a name for your domain.)
Organizational unit structures, group policies and users and security groups are described below.


Organizational Unit (OU) Structure


For a new Day 0 installation (not a migration), the I/A Series software or Control Core Services
installation creates the OUs shown in Figure 3-2.

Figure 3-2. Active Directory Structure


Users and Security Groups


Table 3-2 shows the members of the Active Directory containers as configured by the I/A Series
software or Control Core Services installation. The members include security groups and user
accounts. Note that Table 3-2 shows the default names for these groups, such as “IAInstaller” and
“IAManager.” However, these names can be changed when performing the I/A Series software or
Control Core Services installation.

Table 3-2. Active Directory Container and Security Group Associations

Active Directory Container | Security Group
Accounts > Groups > Administration | Cert Publishers, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Admins, Group Policy Creator Owners, RAS and IAS Servers, Schema Admins
Accounts > Groups > IA Groups | Enable Screen Saver, Exceed_Users, IA FoxView Access, IA Installer, IA Plant Admins, IA Plant Engineers, IA Plant Operators, IA Plant View Only, IA System Access
Accounts > Groups > Remote | IA Remote Access
Accounts > Groups > Services | <empty>
Accounts > Groups > Standard | <empty>
Accounts > Users > Administrators | IAInstaller (U), IADomainAdmin (U), IAManager (U)
Accounts > Users > Console | <customer-created users>
Accounts > Users > Disabled Accounts | Guest
Accounts > Users > Remote | <customer-created users>
Accounts > Users > Services | <empty>
Accounts > Users > Standard | <customer-created users>


Table 3-3 lists the I/A Series or Control Core Services groups and users which are members of
each security group.

Table 3-3. Security Group Members

Security Group | Members(1)
BUILTIN\Administrators | IA Plant Admins
BUILTIN\Users | IADomainAdmin (U), IAInstaller (U)
Enable Screen Saver | IA Plant Admins, IA Plant Engineers
Exceed_Users | IA Plant Admins, IA Plant Engineers, IA Plant Operators, IA Plant View Only
IA FoxView Access | IA Plant Admins, IA Plant Engineers, IA Plant Operators, IA Plant View Only
IA Installer | IAInstaller (U)
IA Remote Access | <customer-created users>
IA System Access | IA Plant Admins, IA Plant Engineers, IA Plant Operators
IA Plant Admins | <customer-created users>
IA Plant Engineers | <customer-created users>
IA Plant Operators | <customer-created users>
IA Plant View Only | <customer-created users>

1. These are groups unless designated as a user account by “(U)”.

Group Policies
Group policies have two sections:
♦ Computer Configuration
♦ User Configuration
The Invensys Plant Admins, Plant Engineers, Plant Operators, and Plant View Only group policies have the User Configuration section enabled and the Computer Configuration section disabled.
Table 3-4 shows which of these sections are enabled or disabled by default for the group policies
shipped by Foxboro.


Table 3-4. Group Policy Section and Enabled/Disabled Status

Group Policy | Computer Configuration | User Configuration
Invensys Base Non-IA v1.0 | Enabled | Disabled
Invensys Base Policy v1.0 | Enabled | Disabled
Invensys Domain Controllers Policy v1.0 | Enabled | Disabled
Invensys Domain Policy v1.0 | Enabled | Disabled
Invensys Enhanced Interactive Logon Banner ON v1.0 | Enabled | Disabled
Invensys Enhanced Screen Saver Enabled Filtered v1.0 | Disabled | Enabled
Invensys FoxView Environments v1.0 | Enabled | Disabled
Invensys IA Computers v1.0 | Enabled | Disabled
Invensys IA Remote Desktop Servers v1.0 | Enabled | Disabled
Invensys IA Users Filtered v1.0 | Disabled | Enabled
Invensys Interactive Logon Banner OFF v1.0 | Enabled | Disabled
Invensys Plant Admins Filtered v1.0 | Disabled | Enabled
Invensys Plant Engineers Filtered v1.0 | Disabled | Enabled
Invensys Plant Operators Filtered v1.0 | Disabled | Enabled
Invensys Plant View Only Filtered v1.0 | Disabled | Enabled

The Computer Configuration settings include features such as password complexity and screensavers.
The User Configuration section allows different group policy settings to be applied based on the logged-on user, such as access to shutting down a station, access to the command prompt, and so forth.
When either the Computer Configuration or User Configuration section is disabled, the group policy settings in that section are not applied.
These group policies are organized as shown in Figure 3-3.


Figure 3-3. Group Policies Structure


Group Policy Naming Conventions


Group policies are assigned names based on the following conventions:
1. Foxboro-supplied group policies have “Invensys” at the beginning of their names.
2. All enhanced-level group policies have the word “Enhanced” in them.
3. All group policies have their version set to 1.0 for I/A Series software v8.8 or Control Core Services v9.0 or later.
4. Including “Filtered” in the name indicates that the group policy applies to specific users rather than to the default of all “Authenticated Users.”
5. If you create any custom group policies and you are unable to retain the above naming conventions, it is recommended that you prefix the new policy’s name with “CS” (to indicate a custom security policy), for example, “CS Domain Controllers Policy v1.0.” This will make it easier to keep track of which policies were shipped by Foxboro and which were customized after the initial software installation.
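As an added example that is not part of the Foxboro guide, the following PowerShell script audits the domain's group policy objects against Table 3-4 (which section of each shipped policy is enabled) and against the naming conventions above, and flags Filtered policies that still apply to Authenticated Users. It assumes the GroupPolicy module (installed with the Group Policy Management Console / RSAT) is available on a domain-joined station; the expected section status for each policy is transcribed from Table 3-4.

```powershell
# Added example, not from the Foxboro guide: audit the domain's GPOs against
# Table 3-4 and the naming conventions above. Requires the GroupPolicy module
# (Group Policy Management Console / RSAT) on a domain-joined station and an
# account allowed to read GPOs and their permissions.
Import-Module GroupPolicy

# Expected GpoStatus per Foxboro-supplied policy, transcribed from Table 3-4:
#   Computer section Enabled  + User section Disabled -> UserSettingsDisabled
#   Computer section Disabled + User section Enabled  -> ComputerSettingsDisabled
$Expected = @{
    'Invensys Base Non-IA v1.0'                            = 'UserSettingsDisabled'
    'Invensys Base Policy v1.0'                            = 'UserSettingsDisabled'
    'Invensys Domain Controllers Policy v1.0'              = 'UserSettingsDisabled'
    'Invensys Domain Policy v1.0'                          = 'UserSettingsDisabled'
    'Invensys Enhanced Interactive Logon Banner ON v1.0'   = 'UserSettingsDisabled'
    'Invensys Enhanced Screen Saver Enabled Filtered v1.0' = 'ComputerSettingsDisabled'
    'Invensys FoxView Environments v1.0'                   = 'UserSettingsDisabled'
    'Invensys IA Computers v1.0'                           = 'UserSettingsDisabled'
    'Invensys IA Remote Desktop Servers v1.0'              = 'UserSettingsDisabled'
    'Invensys IA Users Filtered v1.0'                      = 'ComputerSettingsDisabled'
    'Invensys Interactive Logon Banner OFF v1.0'           = 'UserSettingsDisabled'
    'Invensys Plant Admins Filtered v1.0'                  = 'ComputerSettingsDisabled'
    'Invensys Plant Engineers Filtered v1.0'               = 'ComputerSettingsDisabled'
    'Invensys Plant Operators Filtered v1.0'               = 'ComputerSettingsDisabled'
    'Invensys Plant View Only Filtered v1.0'               = 'ComputerSettingsDisabled'
}

$gpos     = Get-GPO -All
$findings = @()

foreach ($gpo in $gpos) {
    $name = $gpo.DisplayName
    if ($Expected.ContainsKey($name)) {
        # Shipped policy: its enabled/disabled sections must match Table 3-4.
        if ("$($gpo.GpoStatus)" -ne $Expected[$name]) {
            $findings += "Section status drift: '$name' is $($gpo.GpoStatus); Table 3-4 expects $($Expected[$name])."
        }
        # A "Filtered" policy targets specific users (convention 4), so the default
        # apply permission for Authenticated Users should no longer be present.
        if ($name -match 'Filtered') {
            $perm = Get-GPPermission -Name $name -TargetName 'Authenticated Users' `
                        -TargetType Group -ErrorAction SilentlyContinue
            if ($perm -and $perm.Permission -eq 'GpoApply') {
                $findings += "'$name' is marked Filtered but still applies to Authenticated Users."
            }
        }
    } elseif ($name -eq 'Default Domain Policy' -or $name -eq 'Default Domain Controllers Policy') {
        # Microsoft defaults that the Invensys Domain / Domain Controllers policies replace.
        continue
    } elseif ($name -like 'Invensys *') {
        $findings += "'$name' carries the Foxboro-reserved 'Invensys' prefix but is not a shipped policy."
    } elseif ($name -notlike 'CS *') {
        $findings += "Custom policy '$name' does not use the recommended 'CS' prefix (convention 5)."
    }
}

# Shipped policies that are absent. The two Enhanced-level policies are optional.
foreach ($name in $Expected.Keys) {
    if (-not ($gpos | Where-Object { $_.DisplayName -eq $name })) {
        $level = if ($name -match 'Enhanced') { 'optional enhanced-level' } else { 'base-level' }
        $findings += "Shipped $level policy '$name' not found in the domain."
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All GPOs match Table 3-4 and the naming conventions."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```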

Base-Level and Enhanced-Level Security Group Policies


As shown in Figure 3-3 and Table 3-4, the I/A Series or Control Core Services installation creates two sets of group policies. These policies are listed below.
♦ Base-level security group policies - provide the minimal level of security settings, which should be sufficient for the needs of most users:
♦ Invensys Base Non-IA v1.0
♦ Invensys Base Policy v1.0
♦ Invensys Domain Controllers Policy v1.0
♦ Invensys Domain Policy v1.0
♦ Invensys FoxView Environments v1.0
♦ Invensys IA Computers v1.0
♦ Invensys IA Remote Desktop Servers v1.0
♦ Invensys IA Users Filtered v1.0
♦ Invensys Interactive Logon Banner OFF v1.0
♦ Invensys Plant Admins Filtered v1.0
♦ Invensys Plant Engineers Filtered v1.0
♦ Invensys Plant Operators Filtered v1.0
♦ Invensys Plant View Only Filtered v1.0
♦ Enhanced-level security group policies - provide additional security settings that can optionally be installed for systems which require these enhanced settings:
♦ Invensys Enhanced Interactive Logon Banner ON v1.0
♦ Invensys Enhanced Screen Saver Enabled Filtered v1.0
These policies are described in the following subsections.

Base-Level Group Policy Descriptions


The base-level security group policies are described in detail below.


Invensys Base Non-IA v1.0


This is a sample group policy that can be used in place of the default Microsoft policy “Default
Domain” for non-I/A Series or non-Control Core Services workstations.
You may modify this group policy to meet the security requirements for non-I/A Series or non-
Control Core Services workstations.

Invensys Base Policy v1.0


This policy is linked at the base of the Invensys OU to provide group policy settings common to
the sub-containers hierarchically below the Invensys OU.

Invensys Domain Controllers Policy v1.0


This policy is used in place of the default Microsoft “Default Domain Controllers Policy”. This
policy applies additional security settings beyond Microsoft's default group policy.
This policy should not be modified. If changes are needed, create a new group policy.

Invensys Domain Policy v1.0


This policy is used in place of the default Microsoft policy “Default Domain”. This group policy
sets the defaults for the domain. It should be the only group policy used for controlling Password
Policy settings. It also includes:
♦ Account Policies settings
♦ Local Policies settings
This policy should not be modified. If other changes are needed, create a new group policy.

Invensys FoxView Environments v1.0


This policy provides a way to control FoxView environments based on the logged-on user's role.
Refer to Table 3-7 “FoxView Environments Accessible to Security Group Members (Default)” on
page 71.

Invensys IA Computers v1.0


This policy is used to set the computer policy settings for all workstations with I/A Series or Con-
trol Core Services on The Mesh (excluding domain controllers).
You should not modify this group policy, as it sets file permissions on workstations with I/A Series
or Control Core Services. Changing or modifying this group policy may cause I/A Series software
or Control Core Services issues or failures.

Invensys IA Remote Desktop Servers v1.0


This policy is used to enable remote sessions. It enables the “Remote Desktop Services” service
and sets the needed permissions to allow non-administrator users to remotely access workstations
with I/A Series software or Control Core Services running Windows Server 2008 R2.
This group policy is used in combination with OUs and security groups to configure remote
access:
♦ Workstations with I/A Series software or Control Core Services running Windows
Server 2008 R2 that will provide Remote Desktop Services (formerly called “Terminal
Services” in Windows Server 2003) should be moved to the “Remote Desktop
Servers” OU located under the “IA Computers” OU.


♦ Users requiring remote access should be added to the “IA Remote Access” security
group located under the Accounts > Groups > Remote OU.
You should not modify this group policy.

Invensys IA Users Filtered v1.0


This policy is used to set the user policy settings for all I/A Series or Control Core Services user
accounts.
You should not modify this group policy.

Invensys Interactive Logon Banner OFF v1.0


This policy is used to turn off the logon banner. (By default, the logon banner is turned off. How-
ever, if the Invensys Enhanced Interactive Logon Banner ON group policy has been applied at a
high-level in the domain and you want to turn it off at a lower-level OU, then this policy can be
applied to turn it off.)
This group policy is also applied to the Autologon Consoles OU since the banner text feature cannot
be used in conjunction with autologon, as it might delay the autologon function.
You should not modify this group policy.

Invensys Plant Admins Filtered v1.0


This policy is used to provide security settings for user accounts that are members of the IA Plant
Admins security group.
Since the IA Plant Admins security group is a member of the local Administrators group, it provides
access to more Windows features than IA Plant Engineers, e.g., access to registry editing tools.
You should not modify this group policy.

Invensys Plant Engineers Filtered v1.0


This policy is used to provide security settings for user accounts that are members of the IA Plant
Engineers security group. It provides access to Windows features such as: the desktop, My Computer
and the Start menu.
The IA Plant Engineers security group is not a member of the local Administrators group.
You should not modify this group policy.

Invensys Plant Operators Filtered v1.0


This policy is used to provide security settings for user accounts that are members of the IA Plant
Operators security group. It locks down the Windows environment.
You should not modify this group policy.

Invensys Plant View Only Filtered v1.0


This policy is used to provide security settings for user accounts that are members of the IA Plant
View Only security group. It locks down the Windows environment and does not allow changes
to the process being controlled.
You should not modify this group policy.
Appendix A “Comparison of “Invensys Plant” GPOs” shows a comparison of the Invensys Plant
Engineers/Maintenance/Operators group policies listed above.


Enhanced-Level Group Policy Descriptions


The enhanced-level security group policies are described in detail below.

Invensys Enhanced Interactive Logon Banner ON v1.0


This policy can be used by customers to turn on the logon banner. (By default, the logon banner
is turned off.) If you use this policy, you should modify it to provide the banner message text and
message title that are appropriate for your site. Refer to “How to Display a Login Banner” on
page 64.

Invensys Enhanced Screen Saver Enabled Filtered v1.0


This policy is used to turn on screensavers based on membership of a user in a security group. (By
default, screensavers are disabled.)
You should not modify this group policy.

Configuring Group Policies


Among the configuration options for group policies are the following:
♦ Linking operations - in which a group policy is attached (linked) to an Active Directory
container, such as an organizational unit. When there are multiple policies linked to
one container, the “inheritance order” of the links becomes important.
♦ Filtering operations - in which you can refine how group policies are applied based on
specific users or groups as opposed to only the container.
Both of these aspects can be viewed in the Group Policy Management Console tool included with
Windows Server 2008 R2.
Table 3-5 shows how the base-level group policies are linked to Active Directory containers by
default.

NOTE
The enhanced-level group policies are not linked by default as these policies are
optional. If you want to use these policies, it is recommended that you link them as
shown in Table 3-5.

Table 3-5. Default Links Between Group Policies and Active Directory Containers

Active Directory Container     Linked Group Policies (in order of top to bottom)(1)
<Top Level of Domain>          Invensys Domain Policy
<Top Level of Invensys OU>     Invensys Base Policy
Accounts                       Invensys Enhanced Screen Saver Enabled Filtered (optional)(2)
                               Invensys Plant Admins Filtered
                               Invensys Plant Engineers Filtered
                               Invensys Plant Operators Filtered
                               Invensys Plant View Only Filtered
                               Invensys IA Users Filtered
                               Invensys Domain Policy
Admin                          <Block Inheritance>
Autologon Consoles             Invensys Interactive Logon Banner OFF
                               Invensys FoxView Environments
                               Invensys IA Computers
                               Invensys Base Policy
Domain Controllers             Invensys Domain Controllers Policy
                               Invensys Domain Policy
IA Computers                   Invensys FoxView Environments
                               Invensys IA Computers GPO
                               Invensys Base Policy
Remote Desktop Servers         Invensys IA Remote Desktop Servers
                               Invensys FoxView Environments
                               Invensys IA Computers GPO
                               Invensys Base Policy
Non-IA Servers                 Invensys Base Non-IA
                               Invensys Base Policy
Non-IA Workstations            Invensys Base Non-IA
                               Invensys Base Policy

(1) As observed in the “Group Policy Inheritance” tab in GPMC. Group policies shown in italics are
inherited from an upper-level container rather than being explicitly linked to that container.
(2) Not linked by default. If you want to use this enhanced-level group policy, it is recommended
that you link this policy as shown in this table.

Table 3-6 shows how the user groups for each group policy are filtered by default.

Table 3-6. Group Policy Filters for User Groups

Group Policy                                            Filtering
Default Domain Controllers Policy                       <none>
Default Domain Policy                                   <none>
Invensys Base Non-IA v1.0                               Authenticated Users
Invensys Base Policy v1.0                               Authenticated Users
Invensys Domain Controllers Policy v1.0                 Authenticated Users
Invensys Domain Policy                                  Authenticated Users
Invensys Enhanced Interactive Logon Banner ON v1.0      Authenticated Users
Invensys Enhanced Screen Saver Enabled Filtered v1.0    Enable Screen Saver
Invensys FoxView Environments                           Authenticated Users
Invensys IA Computers v1.0                              Authenticated Users
Invensys IA Remote Desktop Servers v1.0                 Authenticated Users
Invensys IA Users Filtered v1.0                         IA Plant Admins
                                                        IA Plant Engineers
                                                        IA Plant Operators
                                                        IA Plant View Only
Invensys Interactive Logon Banner OFF v1.0              Authenticated Users
Invensys Plant Admins Filtered v1.0                     IA Plant Admins
Invensys Plant Engineers Filtered v1.0                  IA Plant Engineers
Invensys Plant Operators Filtered v1.0                  IA Plant Operators
Invensys Plant View Only Filtered v1.0                  IA Plant View Only
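The following PowerShell script is an added example and is not part of this guide or of the Foxboro software. It prints the link order of each container (the Group Policy Inheritance view behind Table 3-5) and compares the security filtering of the filtered GPOs with Table 3-6. It assumes the GroupPolicy and ActiveDirectory modules (on a domain controller or with RSAT), a domain administrator session, and the installer's default OU and group names.

```powershell
# Added example, not part of the Foxboro/Invensys guide. Reports GPO link
# order per container (Table 3-5 view) and checks security filtering against
# Table 3-6. Assumes GroupPolicy + ActiveDirectory modules, a domain admin
# session, and the installer default OU and group names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Expected "Apply group policy" trustees, taken from Table 3-6.
$expectedFilters = @{
    "Invensys Base Policy v1.0"               = @("Authenticated Users")
    "Invensys IA Computers v1.0"              = @("Authenticated Users")
    "Invensys IA Users Filtered v1.0"         = @("IA Plant Admins", "IA Plant Engineers",
                                                  "IA Plant Operators", "IA Plant View Only")
    "Invensys Plant Admins Filtered v1.0"     = @("IA Plant Admins")
    "Invensys Plant Engineers Filtered v1.0"  = @("IA Plant Engineers")
    "Invensys Plant Operators Filtered v1.0"  = @("IA Plant Operators")
    "Invensys Plant View Only Filtered v1.0"  = @("IA Plant View Only")
}

function Get-GpoApplyTrustees {
    param([string]$GpoName)
    # Get-GPPermissions is the Windows Server 2008 R2 cmdlet name; later
    # versions keep it as an alias of Get-GPPermission.
    Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq "GpoApply" -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
}

function Test-GpoFiltering {
    # Exact comparison: an extra trustee such as Authenticated Users on a
    # "Filtered" GPO would apply that role's settings (an operator lockdown,
    # or admin-level access) to every user who logs on.
    $problems = @()
    foreach ($gpoName in $expectedFilters.Keys) {
        $expected = $expectedFilters[$gpoName]
        $actual   = @(Get-GpoApplyTrustees -GpoName $gpoName)
        $missing  = @($expected | Where-Object { $actual -notcontains $_ })
        $extra    = @($actual   | Where-Object { $expected -notcontains $_ })
        if ($missing.Count) { $problems += "${gpoName}: Apply missing for $($missing -join ', ')" }
        if ($extra.Count)   { $problems += "${gpoName}: unexpected Apply for $($extra -join ', ')" }
    }
    return $problems
}

function Show-GpoLinkOrder {
    param([string]$TargetDn)
    $inh = Get-GPInheritance -Target $TargetDn
    Write-Host "$($inh.Path)  (Block Inheritance: $($inh.GpoInheritanceBlocked))"
    # Explicit links in link order, then the effective precedence list, which
    # also contains links inherited from containers above (Table 3-5 italics).
    foreach ($link in ($inh.GpoLinks | Sort-Object Order)) {
        Write-Host ("  linked    {0}: {1}  Enabled={2} Enforced={3}" -f $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced)
    }
    foreach ($link in $inh.InheritedGpoLinks) {
        Write-Host ("  effective {0}: {1}" -f $link.Order, $link.DisplayName)
    }
}

$domainDn   = (Get-ADDomain).DistinguishedName
$invensysOu = "OU=Invensys,$domainDn"    # assumption: installer-created OU name
# Domain Controllers plus the Invensys OU and every OU beneath it.
$containers = @("OU=Domain Controllers,$domainDn") +
    @(Get-ADOrganizationalUnit -SearchBase $invensysOu -Filter * |
        Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $containers) { Show-GpoLinkOrder -TargetDn $dn }

$result = @(Test-GpoFiltering)
if ($result.Count -eq 0) { Write-Host "Security filtering matches Table 3-6." }
else { $result | ForEach-Object { Write-Warning $_ } }
```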

Group Policy Settings


Information about how to view and configure the group policy settings as provided by Foxboro is
provided below.

How to View Detailed Group Policy Settings


The details of the group policies provided by Foxboro can be viewed on an installed system as
follows:
1. Log in to the domain controller with an account that has domain administrator
privileges.
2. Click the Start button and click Control Panel -> Administrative Tools, as
shown in Figure 3-4.


Figure 3-4. Opening Administrative Tools


3. Double-click Group Policy Management, as shown in Figure 3-5.

Figure 3-5. Opening Group Policy Management


4. In the Group Policy Management window, expand the nodes in the left pane. Expand
the Group Policy Objects node, as shown in Figure 3-6. This lists all the GPOs in the
domain.

Figure 3-6. Group Policy Management - Group Policy Objects


5. To see the detailed settings of a specific GPO, click on it in the left pane and select the
Settings tab in the right pane, as shown in Figure 3-7.

Figure 3-7. Group Policy Management - Group Policy Object Details

How to Edit Group Policies


The Active Directory environment offers several ways of editing policies using various tools. The
following procedure describes how to use the Group Policy Management Console that is included
with Windows Server 2008 R2.
Proceed as follows:
1. Log in to the domain controller with an account that has domain administrator
privileges.
2. Open the Group Policy Management console.
a. Click the Start button and click Control Panel -> Administrative Tools,
as shown in Figure 3-4 on page 54.
b. Double-click Group Policy Management, as shown in Figure 3-5 on page 55.
3. In the Group Policy Management console, expand the nodes in the left pane. Expand
the Group Policy Objects node.


4. Before editing a policy, it is recommended that you create a backup first. To create a
backup, right-click on the GPO and select Back Up..., as shown in Figure 3-8.

Figure 3-8. Selecting to Back Up a GPO


5. In the Back Up Group Policy Object dialog box, specify a location where to save the
GPO backup (and a description) and click Back Up as shown in Figure 3-9.

Figure 3-9. Back Up Group Policy Dialog Box


6. To edit a policy, right-click on the GPO in the left pane and select Edit.

Figure 3-10. Editing a GPO


7. The Group Policy Management Editor opens as shown in Figure 3-11. Expand the
nodes in the left pane and edit the settings in the right pane.

Figure 3-11. Group Policy Management Editor

8. To have the settings take effect, you can wait until the next group policy update or
type “gpupdate /force” in a command prompt on the station where you want the
changes to be applied immediately.
Be aware that for Computer Configuration changes to occur, you should reboot the
station.

How to Document Group Policies


You can save a report of a group policy as follows:
1. Log in to the domain controller with an account that has domain administrator
privileges.
2. Open the Group Policy Management console.
a. Click the Start button and click Control Panel -> Administrative Tools,
as shown in Figure 3-4 on page 54.
b. Double-click Group Policy Management, as shown in Figure 3-5 on page 55.
3. In the Group Policy Management console, expand the nodes in the left pane. Expand
the Group Policy Objects node.
4. Right-click on the GPO in the left pane and select Save Report….
5. In the Save GPO Report dialog box, shown in Figure 3-12, specify a location where
the report file is to be stored and click Save.


Figure 3-12. Save GPO Report Dialog Box

6. To view the report, navigate to that location and double-click the report file to view
the settings.

Group Policies for Microsoft Windows Event Logs


There are group policy settings provided by Microsoft that allow you to control attributes of the
Windows Event Logs, such as their location, maximum size, access rights, and retention settings.
These policy settings are important and should be given serious consideration. It is strongly
recommended that you read the following Microsoft articles:
♦ Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2
and Windows 7
http://technet.microsoft.com/en-us/library/hh125921(WS.10).aspx
♦ Threats and Countermeasures Guide: Event Log
http://technet.microsoft.com/en-us/library/hh125924(WS.10).aspx
♦ Recommended settings for event log sizes in Windows Server 2003, Windows XP,
Windows Server 2008 R2 and Windows Vista
http://support.microsoft.com/kb/957662/en-us
You could decide to set these policies at the domain level (so that they apply to all computers in
the domain) or at a specific OU level, such as the Invensys IA Computers GPO which will affect
only the computers in the IA Computers OU.


NOTE
First, it is recommended that you save a copy of the existing GPOs before making
any modifications. Also, you should change the name of the modified GPO to make
it distinguishable from the GPO which was provided by Invensys. For example,
replace “Invensys” with your company name and bump up the version level
included in the name of the GPO so that you can easily identify that it was modified.

There are two sets of Event Log group policy settings:
♦ one set provides support for operating systems older than Windows Vista (such as
Windows XP);
♦ the other set supports Windows Vista and later operating systems (such as Windows 7
and Server 2008 R2).
The older group policy settings are located in the left pane of the Group Policy Management
Editor window under:
Computer Configuration -> Policies -> Windows Settings -> Security Settings ->
Event Log

Figure 3-13. Event Log Group Policy Settings for Operating Systems Prior to Windows Vista


The newer group policy settings are located in the left pane of the Group Policy Management
Editor window under:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components ->
Event Log Service

Figure 3-14. Event Log Group Policy Settings for Operating Systems
Newer than Windows Vista

How to Display a Login Banner


The Microsoft Windows operating systems provide the ability to force a logon banner to be
displayed prior to presenting a user with a logon dialog. Normally, this banner would be used to
inform the potential user that this computer is to be used only by authorized personnel and to
display any usage policy restrictions.
By default, this feature is turned off on Foxboro workstations. However, this feature can be
enabled as described below. Note that this feature should not be used in conjunction with
“autologon” since the autologon will not be allowed to take place until the logon banner display is
dismissed. (This would defeat one of the purposes for using autologon.)
Foxboro provides an enhanced group policy object (GPO) to enable this feature named “Invensys
Enhanced Interactive Logon Banner ON.” This policy is installed on the system to make it
available to those who want this feature but it is not automatically used until the following procedure
is performed.
1. Log on to the domain controller with a domain administrator account.
2. Open the Group Policy Management tool. Click the Start button and then click
Control Panel -> Administrative Tools -> Group Policy Management.
3. Navigate to the Group Policy Objects node in the left pane and expand it.
4. Click on Invensys Enhanced Interactive Logon Banner ON and click on the
Settings tab in the right pane.
You will see that there are two settings that need to be configured for your site. One is
for the text that you want displayed and the other is for the title that appears above the
message.

Figure 3-15. Group Policy Management - Invensys Enhanced Interactive Logon Banner ON


5. Right-click on the Invensys Enhanced Interactive Logon Banner ON GPO
in the left pane and select Edit.

Figure 3-16. Group Policy Management - Edit

6. In the Group Policy Management Editor window, navigate in the left pane to
Computer Configuration -> Policies -> Windows Settings -> Security Settings ->
Local Policies and click on Security Options.


7. In the right pane, double-click on the “Interactive logon: Message text for users
attempting to log on” policy. Replace the text in the Security Policy Setting tab and
click OK.

Figure 3-17. Group Policy Management - Message Text


8. Likewise, double-click on the “Interactive logon: Message title for users attempting to
log on” policy. Replace the title text with your own and click OK.

Figure 3-18. Group Policy Management - Title Text

Now that the GPO has been configured with your specific message and title, it needs
to be linked in at the appropriate organizational unit. For example, to have the logon
banner appear on all the computers in the IA Computers OU, perform the following.
9. Open the Group Policy Management tool.


10. Right-click on the IA Computers OU. Select Link an Existing GPO…

Figure 3-19. Group Policy Management - Link an Existing GPO…


11. In the Select GPO dialog box, select Invensys Enhanced Interactive Logon
Banner ON and click OK.

Figure 3-20. Select GPO Dialog Box


12. When a GPO is linked to an OU, it is added at the bottom of the link order. The new
GPO needs to be moved up. Click on the IA Computers OU in the left pane. Select
the Linked Group Policy Objects tab in the right pane. Click Invensys
Enhanced Interactive Logon Banner ON and click on one of the up arrow icons
immediately to the left. The double-up arrow will place it at the top of the link order.

Figure 3-21. Group Policy Management - Linked Group Policy Objects

13. To have this policy go into effect, restart the computers that are members of the
IA Computers OU. When Ctrl + Alt + Del is pressed on those computers, the
logon banner will be displayed.

Additional Security for FoxView Environments


The FoxView application provides its own security through the use of password-protected
environments. While this implementation of security is still supported, this is now supplemented by a
group policy in Active Directory named Invensys FoxView Environments. This group policy
controls access to FoxView environments based on the logged on user account and the security
groups of which it is a member. For example, by default:

Table 3-7. FoxView Environments Accessible to Security Group Members (Default)

Members of these Security Groups    Can Access These FoxView Environments
IA Plant Admins                     Initial, Operator, Process_Eng, Softw_Eng, View_Only
IA Plant Engineers                  Initial, Operator, Process_Eng, Softw_Eng, View_Only
IA Plant Operators                  Initial, Operator, View_Only
IA Plant View Only                  Initial, View_Only

If you have custom environments that you want controlled by group policy, using the Group Policy
Management console, you should clone the Invensys FoxView Environments GPO and edit
your copy to include your environments. Remember to unlink the Foxboro-supplied GPO from
the IA Computers OU and link your clone in its place.
This new method of providing security for FoxView environments using a group policy requires
that if a user needs access to a more privileged environment, they must log off and log back on
with a user account that has access to those environments. This is an extra layer of protection
since the person logging on would need to know the credentials of a higher-privileged account.
For auditing purposes, it also provides a way to know when a higher-privileged user logs on since
the logon events are recorded in the Windows Event Log.
If you do not want to use this group policy to help secure the FoxView environments, unlink the
Invensys FoxView Environments GPO from the IA Computers OU.

Figure 3-22. Delete Invensys FoxView Environments GPO
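The following PowerShell script is an added example and is not part of this guide or of the Foxboro software. It carries out the clone-and-rename pattern from the NOTE in “Group Policies for Microsoft Windows Event Logs” together with the link swap described for the FoxView GPO above, using the Invensys IA Computers GPO as the one being customized. It assumes the GroupPolicy and ActiveDirectory modules and a domain administrator session; the company name, version string, backup folder and event log sizes are placeholders to replace for your site.

```powershell
# Added example, not part of the Foxboro/Invensys guide. Backs up the supplied
# GPO, clones it under a site name with a bumped version, puts the site-specific
# Event Log Service settings in the copy, and swaps the link on the IA Computers
# OU so the supplied GPO itself is never modified. Placeholders are marked.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$sourceGpo = "Invensys IA Computers v1.0"
$siteGpo   = "YourCompany IA Computers v1.1"       # placeholder: your company name
$targetOu  = "OU=IA Computers,OU=Invensys," + (Get-ADDomain).DistinguishedName

# 1. Back up the supplied GPO first (step 4 of "How to Edit Group Policies").
$backupDir = "C:\GPO-Backups"                      # placeholder path
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
Backup-GPO -Name $sourceGpo -Path $backupDir -Comment "Before site customization" | Out-Null

# 2. Clone it. -CopyAcl keeps the security filtering of Table 3-6 on the copy.
Copy-GPO -SourceName $sourceGpo -TargetName $siteGpo -CopyAcl | Out-Null

# 3. Site-specific settings in the copy: the "newer" Event Log Service policies
#    (Administrative Templates -> Windows Components -> Event Log Service) are
#    registry policy under this key. MaxSize is in kilobytes; Retention "0"
#    means overwrite events as needed. The sizes are placeholders for your site.
$eventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog"
$logSizes = @{ "Security" = 196608; "System" = 32768; "Application" = 32768 }
foreach ($log in $logSizes.GetEnumerator()) {
    Set-GPRegistryValue -Name $siteGpo -Key "$eventLogKey\$($log.Key)" `
        -ValueName "MaxSize" -Type DWord -Value $log.Value | Out-Null
    Set-GPRegistryValue -Name $siteGpo -Key "$eventLogKey\$($log.Key)" `
        -ValueName "Retention" -Type String -Value "0" | Out-Null
}

# 4. Swap the links: link the copy first so the OU is never without these
#    settings, remove the supplied GPO's link, then give the copy the link
#    order position the original had (Table 3-5).
$originalOrder = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $sourceGpo } | Select-Object -ExpandProperty Order
New-GPLink -Name $siteGpo -Target $targetOu -LinkEnabled Yes | Out-Null
Remove-GPLink -Name $sourceGpo -Target $targetOu | Out-Null
if ($originalOrder) { Set-GPLink -Name $siteGpo -Target $targetOu -Order $originalOrder | Out-Null }

# 5. Review what the copy carries and the resulting link order. As the guide
#    notes, Computer Configuration changes need a reboot of the workstations.
Get-GPRegistryValue -Name $siteGpo -Key "$eventLogKey\Security"
(Get-GPInheritance -Target $targetOu).GpoLinks | Select-Object Order, DisplayName, Enabled
```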


Windows Server Backup Error


The Microsoft Windows Server Backup utility allows you to immediately create a backup or to
schedule a backup. You can also specify where you want the backup files to be stored, as shown in
Figure 3-23:

Figure 3-23. Backup Schedule Wizard

If you specify the “Back up to a shared network folder” option and try to schedule a backup, the
following dialog may appear:

Figure 3-24. Windows Server Backup Error


If this message appears, it is due to a group policy setting that is preventing credentials from being
stored. For better security, this policy is set to Enabled. However, if you wish to use the schedule
feature of the Windows Server Backup utility and are willing to accept the less secure setting, the
following provides information about how to change that group policy setting.
Proceed as follows:
1. Log in to the domain controller with an account that has domain administrator
privileges.
2. Open the Group Policy Management console.
a. Click the Start button and click Control Panel -> Administrative Tools.
b. Double-click Group Policy Management.
3. In the Group Policy Management console, expand the nodes in the left pane. Expand
the Group Policy Objects node.
4. Before editing a policy, it is recommended that you create a backup first. To create a
backup, right-click on the GPO and select Back Up.... In the Back Up Group Policy
Object dialog box, specify a location where to save the GPO backup (and a
description) and click Back Up.
The GPO to edit depends on where you plan to be running the Windows Server
Backup utility, as follows:
♦ If backing up a domain controller, edit the Invensys Domain Controllers Policy.
♦ If backing up a client server, edit the Invensys Base Policy.
5. To edit the policy, right-click on the GPO in the left pane and select Edit.
6. The Group Policy Management Editor opens. Under the Computer Configuration
section in the left pane, expand the Policies node and navigate to:
Policies -> Windows Settings -> Security Settings -> Local Policies ->
Security Options

Figure 3-25. Group Policy Management Editor - Security Options


7. In the right pane, scroll down to the Network access: Do not allow storage
of passwords and credentials for network authentication setting and
double-click on it.
8. In the pop-up window, uncheck the Define this policy setting checkbox and
click OK.

Figure 3-26. Define This Policy Setting Checkbox

9. To have the settings take effect on the station where you want the changes to be
applied immediately, open a command prompt and type:
gpupdate /force
If you want the changes to occur on a client server, it is typically necessary to reboot
the client server to make sure it receives the Computer Configuration policy updates.
At this point, you should be able to schedule a backup to a network share in the Microsoft
Windows Server Backup utility, accessed as follows:
Start -> Control Panel -> Administrative Tools -> Windows Server Backup
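The following PowerShell script is an added example and is not part of this guide or of the Foxboro software. Run on a workstation after gpupdate /force and a reboot, it reads the registry values behind the Security Options used by the two procedures above (the logon banner, and the credential storage setting needed for scheduled backups) and reports whether they took effect. It changes nothing; the checks and their wording are my own.

```powershell
# Added example, not part of the Foxboro/Invensys guide. Workstation-side check
# of the effective Security Options set by the logon banner procedure and the
# Windows Server Backup procedure. Read-only; no policy is modified.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy never applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-InteractiveLogonBanner {
    # "Interactive logon: Message title/text for users attempting to log on"
    # are delivered as these two values.
    $sys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $caption = Get-RegValue -Path $sys -Name "LegalNoticeCaption"
    $text    = Get-RegValue -Path $sys -Name "LegalNoticeText"
    # Autologon lives in Winlogon; the guide says the banner must not be
    # combined with it because the banner blocks the automatic logon.
    $wl = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $autologon = ((Get-RegValue -Path $wl -Name "AutoAdminLogon") -eq "1")
    $bannerOn  = -not [string]::IsNullOrEmpty($text)
    New-Object PSObject -Property @{
        BannerEnabled = $bannerOn
        Title         = $caption
        Autologon     = $autologon
        Conflict      = ($bannerOn -and $autologon)
    }
}

function Test-StoredCredentialPolicy {
    # "Network access: Do not allow storage of passwords and credentials for
    # network authentication" is Lsa\DisableDomainCreds: 1 = Enabled (the
    # hardened default); 0 or absent = storage allowed, which is what the
    # backup procedure leaves behind when the policy is no longer defined.
    $lsa   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $value = Get-RegValue -Path $lsa -Name "DisableDomainCreds"
    New-Object PSObject -Property @{
        CredentialStorageBlocked = ($value -eq 1)
        RawValue                 = $value
    }
}

$banner = Test-InteractiveLogonBanner
$creds  = Test-StoredCredentialPolicy
$banner | Format-List
$creds  | Format-List
if ($banner.Conflict) {
    Write-Warning "Logon banner and autologon are both configured on this station; autologon will stall at the banner."
}
if (-not $creds.CredentialStorageBlocked) {
    Write-Warning "Stored network credentials are allowed on this station; expected only where scheduled backups were intentionally enabled."
}
```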

Troubleshooting Group Policy Issues


Group policy can be applied at multiple levels in an Active Directory environment. Policy settings
can come from GPOs linked at the domain level or linked at a specific OU or they can come from
local group policy settings. It is not normally obvious from where a particular policy setting is
being derived.
If there is an issue that appears to be related to the application of group policy settings, there are
several tools that can be helpful in identifying which settings are being applied and from where
they are derived. Several of these tools are described below. These tools normally require you to
log in using an account with administrative privileges.


TIP
If you are changing group policies, remember that they must be applied before they
take effect. Normally, this happens at the normal group policy refresh interval. A
way to force a group policy refresh to occur right away is to open a command
prompt window on the station on which you want the policy applied and type:
gpupdate /force
However, there are other options available with this command.
Typing “gpupdate /?” will list them.

Group Policy Management Console


The same tool that allows you to view and modify group policy settings also provides a useful
troubleshooting feature. When you open up the Group Policy Management Console, in the
bottom of the left pane is a node labeled “Group Policy Results.” Right-click on that node and select
the wizard. From there, you will be able to select the user account and computer for which you
want the results. When you complete the wizard, the results will appear in the right pane.
Check the Group Policy Objects section to see what GPOs were applied. Also, check the
Component Status section to make sure there were no issues related to the Security client side
extension. Finally, check the Settings tab.

Resultant Set of Policy Tool


This tool can be started simply by typing “rsop” in a command prompt window. It will perform
an analysis operation and then display the results in a new window. You can navigate to individual
policy settings and it will show from where that setting is being derived.
Also, if you right-click on the Computer Configuration node and select Properties, it will
display a window showing the GPOs that were applied in priority order. It also has an Error
Information tab that you should look at as well.

Group Policy Results Tool


This tool is run in a command prompt window. To see all the options, type: gpresult
A handy overview of which GPOs are being applied is obtained by typing: gpresult /R

Managing User Accounts and Passwords


One of the major features provided by the I/A Series or Control Core Services security
enhancements is to allow you to control the user-created accounts and passwords rather than using fixed
user accounts with fixed passwords. During the I/A Series software or Control Core Services
installation process, you are prompted with default account names but you can change them
either at installation time or later.
In addition to the default user accounts and security groups created as part of the installation, you
will be able to create any additional accounts and groups you require after the installation is
complete. For example, if you want each operator to have their own user account, the security
enhancements support this.
Another feature of the security enhancements is that all these user accounts and passwords are part
of the Active Directory so that they can be managed from one place. You must be logged on as a
domain administrator on the domain controllers. The “Active Directory Users and Computers”
tool is the main application used for managing accounts, security groups, and OUs. Group
policies are managed using the Group Policy Management Console as described in “How to Edit
Group Policies” on page 57.
The “Active Directory Users and Computers” tool can be accessed on the domain controller from
the Start menu as follows:
Start button -> Control Panel -> Administrative Tools -> Active Directory Users
and Computers
Figure 3-27 shows an example of the window displaying this tool.

Figure 3-27. Active Directory Users and Computers Tool

You should see the name of the domain near the top of the left pane. In the left pane, there
is a list of containers and organizational units that were previously created when Active Directory
and the I/A Series software or Control Core Services were installed. When you click on an item in
the left pane, more detailed information is displayed in the right pane.

Creating Domain User Accounts


When adding user accounts, it is important to ensure they are added to the appropriate OU and
security groups so that the correct security policies are applied to them. For example, if you are
adding a user account for an operator, configure it so that it is a member of the “IA Plant
Operators” security group. (This is the default name created during the I/A Series software or Control
Core Services installation.)
To create a new user account, proceed as follows:
1. Right-click on the appropriate OU (e.g., Standard, which is under Invensys ->
Accounts -> Users). Select New, and then User from the context menus.


Figure 3-28. Active Directory Users and Computers Tool - Selecting User


A wizard will appear and it will display the dialog boxes that you need to fill in to
create a new user.
2. Enter the name of the user and click Next. The following figures show how to add a
user named “Operator1”.

Figure 3-29. New Object - User Name


3. Enter a password that complies with the password policy for your site. Check the
boxes that apply. (Note that the domain administrator can reset passwords at any
time.) Click Next.

Figure 3-30. New Object - User Password

4. On the last page of the wizard, click Finish.


5. The user must be added to the appropriate security groups. In this case, Operator1
should be added to the IA Plant Operators group. Right-click on the user account in
the right pane and select Properties as shown in Figure 3-31:

Figure 3-31. Selecting Operator1 Properties


6. Select the Member Of tab. The account is already listed as a member of Domain Users,
which is the default primary group for every domain user; that membership grants nothing
plant-specific. Click Add.

Figure 3-32. Operator1 Properties Dialog Box - Selecting “Member Of” Tab


7. Click Advanced.

Figure 3-33. Select Groups Dialog Box

8. In the “Starts with” field, type the first part of the group name, such as IA Plant. Click
Find Now, select the group in the bottom panel, and then click OK.

Figure 3-34. Select Groups Dialog Box - Selecting Group Name


9. Click OK.

Figure 3-35. Select Groups Dialog Box - Proceeding

10. Click Apply and then click OK.

Figure 3-36. Select Groups Dialog Box - Group Domain Added


The user is now a member of the group you have selected.
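The same account-creation steps scripted in PowerShell, as an added example that is not part of this guide or of the Foxboro software. It assumes the ActiveDirectory module (installed with RSAT on Windows Server 2008 R2; it is not available on the original Windows Server 2008) and that the "Standard" OU and the "IA Plant Operators" group exist under the names the installation creates. The domain distinguished name is read from the domain rather than assumed.

```powershell
# Added example, not from the Foxboro guide: create a domain operator account in the
# Invensys -> Accounts -> Users -> Standard OU and add it to "IA Plant Operators".
# Requires the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName       # e.g. DC=plant,DC=local (read, not assumed)
$targetOU  = "OU=Standard,OU=Users,OU=Accounts,OU=Invensys,$domainDN"
$groupName = "IA Plant Operators"                   # default group name from the installation
$userName  = "Operator1"

# Refuse to continue if the OU or the group is missing: an account created elsewhere
# would not receive the "Invensys Plant" group policies it is supposed to get.
try   { $null  = Get-ADOrganizationalUnit -Identity $targetOU -ErrorAction Stop }
catch { throw "OU not found: $targetOU" }
try   { $group = Get-ADGroup -Identity $groupName -ErrorAction Stop }
catch { throw "Security group not found: $groupName" }

# Prompt for the initial password so it never sits in a script file.
$initialPassword = Read-Host -AsSecureString "Initial password for $userName"

New-ADUser -Name $userName -SamAccountName $userName -Path $targetOU `
           -AccountPassword $initialPassword -Enabled $true `
           -ChangePasswordAtLogon $true         # user must pick a new password at first logon

Add-ADGroupMember -Identity $group -Members $userName

# Verify the result: the account should be in Domain Users (its primary group)
# and in the selected plant group, and nowhere else.
$user   = Get-ADUser -Identity $userName -Properties MemberOf, PrimaryGroup
$groups = @((Get-ADGroup -Identity $user.PrimaryGroup).Name) +
          @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
if ($groups -notcontains $groupName) { throw "$userName was not added to $groupName" }
"{0} is a member of: {1}" -f $userName, ($groups -join ", ")
```

The final listing is the check worth keeping: an operator account that ends up in Domain Users only will log on but not get the operator policies, and one that ends up in more groups than intended has more rights than intended. On a domain controller without the ActiveDirectory module the same steps can be done with dsadd user and dsmod group, or through the dialogs shown above.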

Standard Password Complexity


Strong passwords reduce the probability that an attacker can guess a password, whether by
hand or with a cracking tool. What counts as "strong" varies from organization to organization.
The Microsoft complexity filter ("Passwords must meet complexity requirements") requires that a
password:
♦ Is at least six characters long.
♦ Contains at least three of the four character types: uppercase letters, lowercase letters,
numbers, and "special" (non-alphanumeric) characters. (The Windows filter actually counts
a fifth category, other Unicode letters, and requires three of five; for passwords written in
the Latin alphabet the two descriptions coincide.)
♦ Does not contain the user name.
Six characters is only the floor built into the filter. The separate "Minimum password length"
setting in the same Password Policy folder is what sets the real minimum and should be set to
your site's requirement; added length does more against guessing tools than character mix does.
Another term used in this context is “password complexity” which relates to these types of pass-
word attributes. One way to enforce password complexity is to use a group policy. The standard
Microsoft password policy is located under the Computer Configuration node:
Policies -> Windows Settings -> Security Settings -> Account Policies ->
Password Policy.
Note that account policies are associated with the domain, not with an OU. There is a “Default
Domain Policy” automatically created for the domain. There is also a “Default Domain Control-
lers Policy” for the domain controller. These are the generic GPOs created when Active Directory
is installed. These are not used by Foxboro. Instead, the following GPOs are created:
♦ Invensys Domain Policy
♦ Invensys Domain Controllers Policy
Passwords for domain user accounts are verified by the domain controllers, so the policy that
matters for them is the one the domain controllers apply to domain accounts. Be aware that
Active Directory takes the Account Policies for domain accounts from the highest-precedence
GPO linked at the domain root; Account Policies in a GPO linked only to the Domain Controllers
OU do not become the domain password policy. Check in the Group Policy Management console
where each Invensys GPO is linked, and after editing, confirm which settings are actually in
force with net accounts /domain at a command prompt (or Get-ADDefaultDomainPasswordPolicy
on Windows Server 2008 R2). If you have enabled the "Passwords Must Meet Complexity
Requirements" policy and it is not taking effect, refer to "Troubleshooting Group Policy
Issues" on page 75 for help.
Local user accounts on a station are governed by the Account Policies of the GPOs applied to
that station, so if you create local user accounts, the "Invensys Domain Policy" settings also
come into effect and may need the same changes.
To enforce that the standard password complexity must be met, use the tool setup described in
“How to Edit Group Policies” on page 57. Proceed as follows:
1. In the Group Policy Management console, locate the “Invensys Domain Controllers
Policy” group policy object in the left pane. Right-click on it and select Edit…. The
editor window will be displayed.


Figure 3-37. Editing the Default Domain Controllers Policy

2. In the Group Policy Object Editor, under the Computer Configuration node, navi-
gate to Policies -> Windows Settings -> Security Settings -> Account
Policies -> Password Policy.


Figure 3-38. Password Policy

3. One of the settings in the Password Policy folder is labeled “Passwords Must Meet
Complexity Requirements.” To set this policy, double-click it.
4. Check the “Define This Policy Setting” checkbox.
5. Click the Enabled radio button, click Apply and then click OK.

NOTE
You should also set the other policy settings in this folder (minimum length, history,
maximum and minimum age) to match your organization's requirements.

6. Make the same changes to the “Invensys Domain Policy” group policy object if you
want that policy to take effect for local user accounts as well as domain user accounts.
7. Close the group policy editor.

Enhanced Password Complexity


As mentioned above, the typical Microsoft definition of “strong” requires three of the four types
of characters. Some organizations may require all four types to be present in their passwords. If
this is the case for your organization, you must also turn on the enhanced password complexity
option provided by Foxboro.


1. In the Group Policy Management console, navigate to the “Invensys Domain Con-
trollers Policy” in the left pane. Right-click this policy and select Edit. The editor
window is displayed.
2. Navigate to the following node:
Computer Configuration -> Policies -> Administrative Templates ->
Classic Administrative Templates -> Invensys -> Security.
Click Security in the left pane, as shown in Figure 3-39.

Figure 3-39. Selecting Password Complexity

3. In the right pane, double-click on the Password Complexity setting. The Password
Complexity Properties dialog box appears, as shown in Figure 3-40.


Figure 3-40. Password Complexity Properties Dialog Box

4. Click the Enabled radio button.
5. Click Apply and OK.
6. Make the same changes to the “Invensys Domain Policy” group policy object if you
want that policy to take effect for local user accounts as well as domain user accounts.
7. Close the group policy editor.

Changing and Resetting Passwords


You can set up a policy to allow users to change their own passwords.
There will also be times when an administrator must reset a password, for example when a user
forgets their password or no longer works at your organization (in the latter case, disable the
account as well rather than only resetting it). To do this, proceed as follows:
1. Navigate to the user account, and right-click on it.


2. Select Reset Password… from the menu, as shown in Figure 3-41.

Figure 3-41. Resetting Password

The following dialog box will appear:


Figure 3-42. Reset Password Dialog Box

The administrator does not need to know the old password to set the new one. Check "User must
change password at next logon" in this dialog box so that the value the administrator typed
is only a temporary one, and use "Unlock the user's account" if the account was locked out by
failed attempts.
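A checker for the two complexity levels described in "Standard Password Complexity" and "Enhanced Password Complexity" (three of the four character types, or all four with the Foxboro enhanced option), used here to vet a new password before an administrator resets it as in "Changing and Resetting Passwords". This is an added example, not part of the guide or of Foxboro's software; the checker only mirrors the rules listed above and is advisory, since the domain controller enforces the real policy. The user name and the choice to require all four types are assumptions for the illustration.

```powershell
# Added example, not from the Foxboro guide: vet a candidate password against the
# complexity rules described above, show the effective domain policy, then reset.
Import-Module ActiveDirectory

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$UserName,
        [int]$MinimumLength = 6,        # floor enforced by the Windows filter; site policy is usually longer
        [switch]$RequireAllFourTypes    # the Foxboro "enhanced" option: all four types instead of three
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    # Windows ignores user names shorter than three characters for this test.
    if ($UserName.Length -ge 3 -and $Password.ToLower().Contains($UserName.ToLower())) {
        $reasons += "contains the user name"
    }
    $types = 0
    if ($Password -cmatch '[A-Z]')        { $types++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $types++ }   # lowercase
    if ($Password -match  '[0-9]')        { $types++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $types++ }   # "special" characters
    $needed = if ($RequireAllFourTypes) { 4 } else { 3 }
    if ($types -lt $needed) {
        $reasons += "uses $types of the 4 character types, needs $needed"
    }
    New-Object PSObject -Property @{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

# The policy the domain controllers actually enforce for domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Administrator reset (the "Reset Password..." dialog above, scripted).
$userName = "Operator1"                                     # assumed
$plain = Read-Host "New password for $userName"             # held in clear only long enough to check it
$check = Test-PasswordComplexity -Password $plain -UserName $userName -RequireAllFourTypes
if (-not $check.Compliant) {
    throw ("Password rejected: " + ($check.Reasons -join "; "))
}
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable -Name plain

Set-ADAccountPassword -Identity $userName -Reset -NewPassword $secure   # old password not needed
Set-ADUser -Identity $userName -ChangePasswordAtLogon $true             # user replaces the temporary value
Unlock-ADAccount -Identity $userName                                    # in case guessing locked it out
```

Whatever the local checker says, the final word is the policy the domain controller applies: Set-ADAccountPassword fails with a policy error if the new value does not satisfy it, and reading Get-ADDefaultDomainPasswordPolicy first tells you which settings those are, which is the quickest way to confirm that the GPO edits above took effect.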

The “Administrator” User Account


The built-in "Administrator" account is a prime target for attackers: if they gain access to it,
they can do virtually anything to your system. Windows does not allow the built-in account to be
deleted, but it can be disabled and renamed. A widely recommended practice is to rename the
"Administrator" account and to create a decoy account named "Administrator" that has no
administrative privileges. This is automated as part of the I/A Series software or Control
Core Services installation for the domain controller(s) and all the client stations. Initially,
the built-in account is renamed to "IAManager" and the decoy account is named "Administrator."
You can rename both of these accounts after the installation.
Renaming does not change the account's security identifier, which always ends in the well-known
relative ID 500, so anyone who can query the directory can still find the real account. Treat
the decoy as a tripwire rather than a control: nothing legitimate should ever log on as
"Administrator", so any logon attempt against that name is worth an alert.
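A check that the renaming actually happened and that the decoy holds no privileges, followed by a query for logon attempts against the decoy name. This is an added example, not part of the guide; it assumes the ActiveDirectory module and that it is run on the station whose Security log you want to inspect (failed-logon event 4625 is written on the machine where the logon was attempted). The list of groups treated as privileged is an assumption; extend it for your domain.

```powershell
# Added example, not from the Foxboro guide: verify the renamed built-in administrator
# and the decoy "Administrator" account, then look for attempts to use the decoy name.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The built-in administrator always has relative ID 500; renaming does not change that.
$real = Get-ADUser -Identity ("{0}-500" -f $domain.DomainSID.Value) -Properties MemberOf
"Built-in administrator (RID 500) is named: {0}" -f $real.SamAccountName

$decoy = Get-ADUser -Filter { SamAccountName -eq "Administrator" } -Properties MemberOf, Enabled
if ($decoy -eq $null) {
    Write-Warning "No account named Administrator exists; the decoy is missing"
} elseif ($decoy.SID.Value -eq $real.SID.Value) {
    throw "The account named Administrator IS the RID-500 account: it has not been renamed"
} else {
    # Groups the decoy must never belong to (assumed list; extend for your domain).
    $privileged = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                  "Account Operators", "Server Operators", "Backup Operators", "IA Plant Admins"
    $decoyGroups = @($decoy.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $bad = @($decoyGroups | Where-Object { $privileged -contains $_ })
    if ($bad.Count -gt 0) {
        throw ("Decoy Administrator is in privileged group(s): " + ($bad -join ", "))
    }
    "Decoy Administrator: enabled={0}, groups={1}" -f $decoy.Enabled, ($decoyGroups -join ", ")
}

# Nothing legitimate logs on as the decoy, so every failed logon with that name is a signal.
# Event 4625 fields: index 5 = target user name, 13 = workstation name, 19 = source address.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq 'Administrator' } |
    Select-Object TimeCreated,
                  @{ n = 'Workstation'; e = { $_.Properties[13].Value } },
                  @{ n = 'SourceIP';    e = { $_.Properties[19].Value } }
```

The lookup by SID at the top is also the demonstration of the limit of this practice: the rename hides the real account only from someone who cannot query the directory, which is why the decoy is most useful as a detection source.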

The “Guest” User Account


The "Guest" account is a risk: by default it has no password, so if it is enabled anyone who
can reach a station can log on with it. It is therefore recommended that the "Guest" account be
disabled. This is automated as part of the I/A Series software or Control Core Services
installation; confirm that it stayed disabled after any later administration of the station.

The “Fox” User Account


When performing an I/A Series or Control Core Services Day 0 installation with security
enhancements, the legacy “Fox” account is deleted. Since this has always been a fixed account with
a fixed password, its existence could present a security risk.

The “ia” User Account


In previous I/A Series software releases that did not have the security enhancements, an account
named “ia” was created by the I/A Series software installation. This account could be used to pro-
vide view-only instances of FoxView for remote viewing. Since having remote access to a system
can present security issues, this account is not created when installing an I/A Series or Foxboro
Evo system with security enhancements.


The following information is provided as a convenience if you wish to manually recreate that
functionality (formerly available under the “ia” user account). Note that restoring this functional-
ity only works under the following conditions:
♦ You have a server that has the Remote Desktop Services feature enabled. (The Remote
Desktop Services service must be turned on.)
♦ You have purchased and installed a sufficient number of Remote Desktop Client
Access Licenses.
♦ You have the FoxView software installed on the server providing Remote Desktop
Services.
♦ You have purchased a sufficient number of FoxView licenses.
When a remote user logs on with this account, the only application that is run is FoxView. This is
a view-only instance and most of the menu items are disabled by default. When you exit FoxView,
the remote session is automatically logged off.
To manually create a remote user with this functionality, perform the following procedure:
1. At the domain controller, invoke the Active Directory Users and Computer tool as
follows: Start button -> Control Panel -> Administrative Tools -> Active
Directory Users and Computers
2. Navigate to the Remote OU under Invensys -> Accounts -> Users OU.


3. Right-click on Remote and select New, then User.

Figure 3-43. Active Directory Users and Computers - New User


4. Fill in the name of the account. (It does not have to be “ia.”) Click Next.

Figure 3-44. New Object - User


5. Fill in the password fields using a password that is compliant with your site’s password
policy. (It is strongly recommended that you use a strong password.) Check the boxes
as appropriate. For example, if you do not want remote users to change the password,
you could check “User cannot change password.” (The domain administrator can
always reset the password.) When done, click Next.

Figure 3-45. New Object - User - Password

6. Click Finish.


7. In the Active Directory Users and Computers tool, right-click the account you created
and select Properties.

Figure 3-46. Active Directory Users and Computers - Properties


8. Select the Environment tab. Check the box next to Start the following program at
logon. In the Program file name field, type (assuming that the I/A Series software or
Control Core Services are installed on the D:\ drive):
D:\usr\fox\system32\startp /b D:\usr\fox\customer\config\ia_logon.cmd
In the Start in field, type: %TEMP%

Figure 3-47. ia User Properties - Environment Tab


9. Select the Sessions tab. Change the End a disconnected session drop-down
menu to 1 minute.

Figure 3-48. ia User Properties - Sessions Tab


10. Select the Member Of tab. Using the Add button, add the following groups:
♦ IA Plant View Only (or another group that has the functionality you want to
provide remotely)
♦ IA Remote Access

Figure 3-49. ia User Properties - Member Of Tab

11. After all the groups are added, click OK.
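The same remote-access account created with PowerShell, as an added example that is not part of this guide or of the Foxboro software. The ActiveDirectory module does not expose the Environment and Sessions tabs, so those values are written through the IADsTSUserEx properties of the user object via ADSI. The account name "iaview", the D: install drive, and the use of "IA Plant View Only" are assumptions taken from the text above; change them to fit your installation.

```powershell
# Added example, not from the Foxboro guide: create a view-only remote FoxView account
# in the Remote OU with the Environment, Sessions and Member Of settings described above.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$remoteOU = "OU=Remote,OU=Users,OU=Accounts,OU=Invensys,$domainDN"
$userName = "iaview"                 # assumed; the name does not have to be "ia"
$iaRoot   = "D:\usr\fox"             # assumed install drive, as in the guide's example
$password = Read-Host -AsSecureString "Password for $userName"

New-ADUser -Name $userName -SamAccountName $userName -Path $remoteOU `
           -AccountPassword $password -Enabled $true `
           -CannotChangePassword $true          # shared remote account: only an admin resets it

# Member Of tab: view-only functionality plus the remote-access group.
foreach ($groupName in "IA Plant View Only", "IA Remote Access") {
    Add-ADGroupMember -Identity $groupName -Members $userName
}

# Environment and Sessions tabs: Remote Desktop Services settings stored on the user
# object (IADsTSUserEx). MaxDisconnectionTime is in minutes.
$dn   = (Get-ADUser -Identity $userName).DistinguishedName
$user = [ADSI]"LDAP://$dn"
$user.InvokeSet("TerminalServicesInitialProgram",
                "$iaRoot\system32\startp /b $iaRoot\customer\config\ia_logon.cmd")
$user.InvokeSet("TerminalServicesWorkDirectory", "%TEMP%")
$user.InvokeSet("MaxDisconnectionTime", 1)
$user.SetInfo()

# Read back what was written before handing the account out.
"Initial program : " + $user.InvokeGet("TerminalServicesInitialProgram")
"Start in        : " + $user.InvokeGet("TerminalServicesWorkDirectory")
"End disconnected: " + $user.InvokeGet("MaxDisconnectionTime") + " minute(s)"
```

The initial-program setting is honoured only by Remote Desktop sessions. If the same account could log on at a console it would get an ordinary desktop, so check the user-rights assignments (Deny log on locally) that apply to the IA Remote Access group, and keep the account out of any group that grants more than viewing.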


User Accounts with the Ability to Install Software


In order to install software, certain privileges are required. As shipped, the IA Installer user
group and the IA Plant Admins user group have the necessary privileges. The IA Plant Operators and
IA Plant Engineers groups do not have these privileges. If you want to give a particular user
account the ability to install software, one method of doing so is to make the user a member of
either the IA Installer group or the IA Plant Admins group. Another option is to use the account
that was used to install the I/A Series software or Control Core Services originally. By default,
this user account is named IAInstaller (with no space, which makes it different from the IA
Installer group), but a different username could have been chosen by the person who performed the
installation.
Whichever method you choose, grant the membership only for the duration of the installation and
remove it afterwards; an operator or engineer account that keeps installer privileges defeats the
separation the groups are there to provide.

Backing Up Active Directory


Domain controllers are the servers that hold the Active Directory database. Microsoft recommends
that domain controllers not be backed up or restored with third-party disk-imaging software that
is not Active Directory-aware. Restoring a domain controller from an older image rolls its update
sequence numbers back; the other domain controllers do not notice, and changes made on the
restored controller silently stop replicating (a "USN rollback"). For the Active Directory-aware
method Microsoft recommends, refer to the I/A Series V8.8 Software Installation Guide (B0700SF)
or the appropriate Control Core Services v9.x Software Installation Guide.

4. Security Packages
This chapter discusses the security packages provided and affected by the security enhancements.

Overview
Foxboro incorporates globally-recognized third-party security packages to complement the secu-
rity features built into its products. These packages provide additional security features and facili-
tate the management of these features.
An I/A Series or Foxboro Evo system with the security enhancements installed supports the addi-
tion of the following packages from McAfee®:
♦ Virus Scanner Enterprise
♦ AntiSpyware Enterprise
♦ ePolicy Orchestrator
♦ Host Intrusion Prevention
♦ Device Control
♦ Integrity Control
The Virus Scanner and AntiSpyware packages are pre-installed as part of the Foxboro-supplied
OS images described in Chapter 2 “Platform Security”.
The other packages are available via a separate DVD. The installation instructions and more
detailed information about these packages are included in Optional McAfee® Security Products
Installation and Configuration Guide (B0700EX).

Virus Scanner and Anti-Spyware


When a workstation or server is purchased from Foxboro, these packages are configured to run
when the station is booted up.
Virus and anti-spyware signature files are regularly updated by McAfee. The process for updating
these files without using the ePolicy Orchestrator is documented in McAfee VirusScan® and Anti-
Spyware Enterprise 8.8i Installation (B0700EQ).

ePolicy Orchestrator
The ePolicy Orchestrator (ePO) provides a way to centrally monitor and manage the other
McAfee security products. While some tools do not require ePO, such as Virus Scanner and Anti-
Spyware, other tools do require it, such as Host Intrusion Prevention and Device Control. The
ePolicy Orchestrator offers many features that are beneficial even for the tools that do not require
ePO. For example, ePO can be used to keep virus signature (DAT) files up to date from a single
location.
The ePO provides a “console” application that can be used to install the other McAfee packages
on all the managed workstations and servers from one location. For example, in the case of


I/A Series or Foxboro Evo systems, these security packages can be managed from this ePO console
on all the workstations and servers on The Mesh that are in the Active Directory domain.
Not only can these packages be installed from ePO, but their policies and options can be managed
and distributed from the ePO console.
Another major benefit of ePO is the ability to monitor these packages from the ePO console. It is
possible to use predefined reports and dashboards or to create custom ones. Information about
how to do this is provided in Optional McAfee® Security Products Installation and Configuration
Guide (B0700EX).
The ePolicy Orchestrator can be installed on any server that has the bandwidth to handle it. In a
typical I/A Series or Control Core Services installation, it is expected to be installed on either the
Primary Domain Controller or a Secondary Domain Controller. Figure 4-1 depicts a topology
that has the domain controllers on The Mesh. Another option is to install ePO on a separate
server as shown in Figure 3-1 on page 40 for an off-Mesh topology.

[Figure 4-1 is a diagram: the Primary Domain Controller (Server) and the Secondary Domain
Controller (Server), with the note "ePO should be installed in one of these servers", attached to
The Mesh Control Network together with the Foxboro Evo or I/A Series Workstations, Servers and
Control Processors.]

Figure 4-1. ePO Installed on Foxboro Servers

Host Intrusion Prevention


Host Intrusion Prevention proactively blocks zero-day and known attacks with patented technol-
ogy. It protects against unauthorized viewing, copying, modifying, and deleting of information
and the compromising of system and network resources and applications that store and deliver
information.
The Host Intrusion Prevention (HIP) package provides features such as:
♦ A configurable firewall
♦ Application blocking
♦ Intrusion detection
The firewall controls which TCP and UDP ports may be reached. From the ePO console it is possible
to put the firewall into an "adaptive mode," in which it observes all the traffic and creates
corresponding rules to allow it. Foxboro has already done this to arrive at the default settings
that are installed when you install the HIP package from the Foxboro-supplied DVD. These default
settings allow the I/A Series/Control Core Services and FCS/the Control Software to run.
If you install additional software packages and they do not work, it is likely that the firewall
is blocking their traffic. Check the HIP activity log to verify this. If that is the problem, you
will need to create new policies, either manually or by using the adaptive mode. Manual rules
are preferable where you know the ports involved: adaptive mode allows whatever it sees,
including traffic you would not want to permit, which is why the caution below applies.

! CAUTION
The adaptive mode should only be used on a pilot network or a subnet that is
known to be safe. For example, the subnet should not be connected to the Internet,
the virus scanner should be up-to-date and running on all stations, and there should
not be any rogue devices plugged into the subnet.

Application blocking can be used to allow known applications to run (referred to as
"whitelisting") or to block specific applications (referred to as "blacklisting").
Intrusion detection will log a message when an unknown device is plugged into The Mesh.
More detailed information about the HIP package is provided in Optional McAfee® Security Prod-
ucts Installation and Configuration Guide (B0700EX).

Device Control
The Device Control feature is provided by installing the Data Loss Prevention package. This pro-
vides control over the access to hardware ports, such as the floppy drive, CD/DVD drive or USB
ports.
When this package is installed from the DVD provided by Foxboro, a number of device blocking
policies are provided. You can enable or disable these policies from the ePO console anytime after
this package is installed.
More detailed information about the Device Control package is provided in Optional McAfee®
Security Products Installation and Configuration Guide (B0700EX).

Integrity Control
The Integrity Control feature enables the ability to ensure that only approved software runs on
specific workstations with I/A Series software or Control Core Services without imposing addi-
tional operational overhead. This feature blocks unauthorized, vulnerable, or malicious applica-
tions that can compromise the integrity of critical systems.
This product also uses change control technology that can block unwanted, out-of-policy changes
before they occur. This level of protection is linked directly to policy: changes can be verified
against the change source or a time window. Details about every change are captured, including
the exact time of the change, who was logged into the machine at that time, what processes were
running, and whether the change was manual (and if so, who made it) or made by an authorized
program.
The Integrity Control product also maintains a dynamic whitelist of the “authorized code” on the
workstation with I/A Series software or Control Core Services, and prevents the workstation from


running any program or code outside the authorized set, and prevents any unauthorized changes
from being made.
Integrity Control is configured and managed for multiple computers using the ePolicy Orchestra-
tor (ePO) console.
More detailed information about the Integrity Control package is provided in Optional McAfee®
Security Products Installation and Configuration Guide (B0700EX).

Software Services
Table 4-1 provides an example of the McAfee services installed by these security packages and
their startup type.

Table 4-1. McAfee Services Startup Configuration for Stations with Security Enhancements

Service Name                                          Startup Type   Startup Type   Description
                                                      (Workstations) (Servers)
McAfee DLP Endpoint Service                           Automatic      Automatic      McAfee DLP Endpoint Service
McAfee DLP WCF Service                                -              Automatic      Allows the DLP Policy Manager and DLP Monitor to connect to the DLP Database.
McAfee Engine Service                                 -              Automatic      McAfee Engine Service
McAfee ePolicy Orchestrator 4.6.1 Application Server  -              Automatic      McAfee ePolicy Orchestrator 4.6.1 Application Server services.
McAfee ePolicy Orchestrator 4.6.1 Event Parser        -              Automatic      McAfee ePolicy Orchestrator 4.6.1 Event Parser service.
McAfee ePolicy Orchestrator 4.6.1 Server              -              Automatic      Apache/2.2.9 (Win32) mod_ssl/2.2.9 OpenSSL/0.9.8i
McAfee Firewall Core Service                          Automatic      Automatic      Provides firewall services to McAfee products
McAfee Framework Service                              Automatic      Automatic      Shared component framework for McAfee products
McAfee Host Intrusion Prevention Service              Automatic      Automatic      Host-based intrusion prevention component that blocks exploits and hacks in real time, including malicious buffer overflow code execution and privilege escalations.
McAfee McShield                                       Automatic      Automatic      McAfee OnAccess Scanner
McAfee Solidifier                                     Automatic                     McAfee Solidifier Service
McAfee Task Manager                                   Automatic      Automatic      Allows scheduling of McAfee scanning and updating activities.
McAfee Validation Trust Protection Service            Automatic      Automatic      Provides validation trust protection services

The version strings in the ePolicy Orchestrator 4.6.1 Server row (Apache/2.2.9, OpenSSL/0.9.8i)
are what that release reported when it was installed; both components receive fixes through
McAfee's ePO patches, so keep the ePO server at the patch level qualified by Foxboro (see
Chapter 5) rather than assuming the listed versions are current.

5. Software Updates
This chapter describes how updates to the software discussed in this document are handled.
These software updates can be related to Foxboro-produced software or third-party packages
shipped by Foxboro.
Software updates required for the security enhancements include the following:
♦ Foxboro software fixes (Foxboro Evo or I/A Series Quick Fixes, the Control Software
or FCS Quick Fixes and Service Packs)
♦ Microsoft security updates
♦ McAfee .DAT files
♦ McAfee software patches
There are other third-party packages employed by or shipped by Foxboro. However, updates for
those packages are only provided when they are incorporated in major or maintenance Foxboro
software releases.
The following sections describe how the above software packages are updated. You are encouraged
to periodically visit the Invensys Global Customer Support site at https://support.ips.invensys.com to
determine what updates are available.

Foxboro Software Fixes


Foxboro provides updates to the I/A Series software or Control Core Services in the form of Quick
Fixes and Release Updates. Updates to FCS or the Control Software are provided in the form of
Service Packs and Quick Fixes. These are defined below:
♦ Release Updates are employed periodically to encapsulate maintenance fixes or minor
enhancements. These could include updates to third-party software.
♦ Quick Fixes are employed when important fixes need to get to the field before the next
Release Update or major software release.
♦ FCS (or the Control Software) Service Packs are employed when the update is consid-
ered too large to be a Quick Fix.
Each of these has their own separate installation mechanisms.

Microsoft Security Updates


Microsoft releases security patches on a monthly basis. These patches are installed by Foxboro in
the Platform Qualification Lab. Notification is sent after the patches have been run in the Plat-
form Qualification Lab for up to 72 hours with no negative interaction with I/A Series/Control
Core Services or FCS/the Control Software.
In accordance with Microsoft’s policy, Foxboro cannot mirror Microsoft’s download site. Once a
Microsoft security update has been qualified by Foxboro and the corresponding links are updated
on the Invensys Global Customer Support website, you must acquire the security update directly
from Microsoft’s website.


McAfee Updates
McAfee releases updates to the VirusScan (and AntiSpyware) DAT files continuously, as frequently
as several times a day.
Since Foxboro is an OEM for specific McAfee products, Foxboro is obligated to provide the
updated DAT files to Foxboro customers. The details for obtaining and installing these patches
are described in McAfee VirusScan® and AntiSpyware Enterprise 8.8i Installation (B0700EQ).
McAfee releases patches to their software packages as necessary. McAfee software patches that are
relevant to the packages shipped by Foxboro will be downloaded and qualified by Foxboro and
then made available at Invensys Global Customer Support at https://support.ips.invensys.com. The
details for obtaining and installing these patches are described in Optional McAfee® Security Prod-
ucts Installation and Configuration Guide (B0700EX).

6. Station Assessment Tool
This chapter discusses the Station Assessment Tool, which allows you to audit the contents of a
workstation or server with I/A Series software/Control Core Services or Foxboro Control
Software/the Control Software.
An important part of securing a system is knowing what is installed on every station at any point
in time, and being able to track any changes made after that reference point. This information is
also very valuable for helping service personnel troubleshoot and diagnose problems. The Station
Assessment Tool (SAT) is designed to provide it. It is installed as part of the I/A Series software
or Control Core Services installation.
SAT allows administrative users and service personnel to collect, view, print, and compare infor-
mation about workstations and servers with I/A Series software/Control Core Services or FCS/the
Control Software on The Mesh network which are running a Microsoft Windows operating sys-
tem (such as Windows 7 or Windows Server 2008 R2). It can collect the information locally from
the station on which it is running or from any other remote station.
SAT supports two user interfaces: a command-line interface (CLI) and a graphical user interface
(GUI). The CLI provides an interface that can accept individual commands from a command line
or by running a script. Scripts will facilitate the ability to run unattended station assessments at
scheduled times. The GUI is designed to make it very easy to interactively obtain information
about any workstation or server with I/A Series software/Control Core Services or FCS/the Con-
trol Software.
You can just collect information about a station, which is referred to as performing an assessment.
You can also perform an audit which includes performing a new assessment, comparing it to a
reference assessment, and producing a report of the differences. A reference assessment can be a
baseline profile or a previous assessment that is saved as a station custom profile.
The types of information that can be collected include:
♦ the workstation name (a.k.a., the letterbug)
♦ the I/A Series software/Control Core Services or FCS/the Control Software release
version
♦ the list and running state of services
♦ list of installed I/A Series software/Control Core Services or FCS/the Control Soft-
ware Quick Fixes
♦ list of installed Windows OS Updates
♦ list of installed software packages
♦ list of installed third party patches (if this information is available in the “Add or
Remove Programs” applet)
♦ information about Active Directory.
The reports can be viewed on the screen in the GUI and/or sent to a printer.
More detailed information about this tool is contained in Station Assessment Tool (SAT) User’s
Guide (B0700DZ).
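A minimal stand-in for the assessment/audit cycle described above, added here as an illustration; it is not the SAT tool, does not read SAT profiles, and is not part of the guide. It snapshots the services of a station (name, startup type, running state) and the installed Windows updates, saves that as a baseline, and reports the differences on a later run. The expected-startup check uses the McAfee display names from Table 4-1 (workstation column). The file paths are assumptions, and the script uses Win32_Service, Get-HotFix and Export-Clixml so that it runs on the PowerShell 2.0 shipped with Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not the SAT tool: a minimal service/hotfix baseline and audit.

function Get-StationSnapshot {
    param([string]$ComputerName = ".")
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = 'Service'; Name = $_.Name; DisplayName = $_.DisplayName
                StartMode = $_.StartMode; State = $_.State
            }
        }
    $hotfixes = Get-HotFix -ComputerName $ComputerName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = 'Hotfix'; Name = $_.HotFixID; DisplayName = $_.Description
                StartMode = ''; State = 'Installed'
            }
        }
    @($services) + @($hotfixes) | Sort-Object Kind, Name
}

# Reference assessment: save the current state as the baseline to compare against later.
function Save-Baseline {
    param([string]$ComputerName = ".", [Parameter(Mandatory = $true)][string]$Path)
    Get-StationSnapshot -ComputerName $ComputerName | Export-Clixml -Path $Path
}

# Audit: new assessment compared with the saved baseline; returns only the differences.
function Compare-ToBaseline {
    param([Parameter(Mandatory = $true)][string]$Path, [string]$ComputerName = ".")
    $baseline = Import-Clixml -Path $Path
    $current  = Get-StationSnapshot -ComputerName $ComputerName
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Kind, Name, StartMode, State |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = $_.Kind; Name = $_.Name; StartMode = $_.StartMode; State = $_.State
                Where = $(if ($_.SideIndicator -eq '<=') { 'baseline only' } else { 'current only' })
            }
        }
}

# Expected McAfee services on a workstation, from Table 4-1 (Win32_Service reports "Auto").
$expectedOnWorkstation = @{
    'McAfee DLP Endpoint Service'                = 'Auto'
    'McAfee Firewall Core Service'               = 'Auto'
    'McAfee Framework Service'                   = 'Auto'
    'McAfee Host Intrusion Prevention Service'   = 'Auto'
    'McAfee McShield'                            = 'Auto'
    'McAfee Task Manager'                        = 'Auto'
    'McAfee Validation Trust Protection Service' = 'Auto'
}

function Test-ExpectedServices {
    param([hashtable]$Expected = $expectedOnWorkstation, [string]$ComputerName = ".")
    $snapshot = Get-StationSnapshot -ComputerName $ComputerName | Where-Object { $_.Kind -eq 'Service' }
    foreach ($display in $Expected.Keys) {
        $svc = $snapshot | Where-Object { $_.DisplayName -eq $display }
        if (-not $svc) { $result = 'MISSING' }
        elseif ($svc.StartMode -ne $Expected[$display]) { $result = "StartMode=$($svc.StartMode)" }
        elseif ($svc.State -ne 'Running') { $result = "State=$($svc.State)" }
        else { $result = 'OK' }
        New-Object PSObject -Property @{ Service = $display; Result = $result }
    }
}

# Usage (paths are assumptions):
#   Save-Baseline -Path C:\sat\AW0001-baseline.xml          # reference assessment
#   Compare-ToBaseline -Path C:\sat\AW0001-baseline.xml      # audit: what changed since
#   Test-ExpectedServices | Format-Table -AutoSize           # Table 4-1 check
```

Run the baseline immediately after the station is commissioned and the security packages are confirmed working; a later "current only" service or a McAfee service reported as Disabled or Stopped is exactly the kind of change the audit is meant to surface, and the report is small enough to schedule from Task Scheduler and file with the station records.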

Appendix A. Comparison of
“Invensys Plant” GPOs
This appendix provides a list of the group policy settings for the IA Plant Admins, IA Plant
Engineers, IA Plant Operators, and IA Plant View Only security groups.
The group policy settings provided by the “Invensys Plant” GPOs for the IA Plant Admins,
IA Plant Engineers, IA Plant Operators, and IA Plant View Only security groups are shown in
Table A-1.

Table A-1. Group Policy Settings for I/A Series Software v8.8 or Foxboro Evo Control Core Services
v9.0 or Later

Columns: Group Policy Setting | IA Plant View Only Group | IA Plant Operators Group |
IA Plant Engineers Group | IA Plant Admins Group
Computer Configuration (Disabled)
No settings defined.

User Configuration (Enabled)


Windows Settings
Security Settings
Public Key Policies/Certificate Services Client
- Auto-Enrollment Settings
Policy Setting Setting Setting Setting
Automatic certificate management Disabled Disabled Disabled Disabled
Show certificate expiration notifications Disabled Disabled Disabled Disabled

Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Control Panel
Policy Setting Setting
Prohibit access to the Control Panel Enabled Enabled
Control Panel/Personalization
Policy Setting
Enable screen saver Disabled Disabled
Password protect the screen saver Disabled Disabled
Screen saver timeout Disabled Disabled
Desktop
Policy Setting Setting
Do not add shares of recently opened documents to Network Locations  Enabled Enabled
Do not save settings at exit Enabled Enabled
Hide and disable all items on the desktop Enabled Enabled
Hide Internet Explorer icon on desktop Enabled Enabled

Hide Network Locations icon on desktop Enabled Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars  Enabled Enabled
Prohibit adjusting desktop toolbars  Enabled Enabled
Prohibit User from manually redirecting Profile Folders  Enabled Enabled
Remove Computer icon on the desktop  Enabled Enabled
Remove My Documents icon on the desktop  Enabled Enabled
Remove Properties from the Computer icon context menu  Enabled Enabled
Remove Properties from the Documents icon context menu  Enabled Enabled
Remove Properties from the Recycle Bin context menu  Enabled Enabled
Remove Recycle Bin icon from desktop Enabled Enabled
Remove the Desktop Cleanup Wizard Enabled Enabled
Invensys/Security
Policy Setting Setting Setting Setting
Inhibit Change Actions Enabled Enabled Disabled Disabled
Inhibit Change Actions Enabled Enabled
Network/Network Connections
Policy Setting
Ability to change properties of an all user remote access connection  Disabled Disabled
Ability to delete all user remote access connections  Disabled Disabled
Ability to Enable/Disable a LAN connection  Disabled Disabled
Ability to rename all user remote access connections  Disabled Disabled
Ability to rename LAN connections  Disabled Disabled
Ability to rename LAN connections or remote access connections available to all users  Disabled Disabled
Enable Windows 2000 Network Connections settings for Administrators  Disabled Disabled
Prohibit access to properties of a LAN connection  Enabled Enabled
Prohibit access to properties of components of a LAN connection  Enabled Enabled
Prohibit access to properties of components of a remote access connection  Enabled Enabled
Prohibit access to the Advanced Settings item on the Advanced menu  Enabled Enabled
Prohibit access to the New Connection Wizard  Enabled Enabled

Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled Enabled
Prohibit adding and removing components for a LAN or remote access connection Enabled Enabled
Prohibit changing properties of a private remote access connection Enabled Enabled
Prohibit connecting and disconnecting a remote access connection Enabled Enabled
Prohibit deletion of remote access connections Enabled Enabled
Prohibit Enabling/Disabling components of a LAN connection Enabled Enabled
Prohibit renaming private remote access connections Enabled Enabled
Prohibit TCP/IP advanced configuration Enabled Enabled
Prohibit viewing of status for an active connection Enabled Enabled
Turn off notifications when a connection has only limited or no connectivity Enabled Enabled
Shared Folders Enabled
Policy Setting Setting
Allow shared folders to be published Disabled Disabled
Start Menu and Taskbar
Policy Settings Settings Settings Settings
Add “Run in Separate Memory Space” check box to Run dialog box Enabled Enabled
Add Logoff to the Start Menu Enabled Enabled Enabled Enabled
Clear history of recently opened documents on exit Enabled Enabled
Do not display any custom toolbars in the taskbar Enabled Enabled
Do not keep history of recently opened documents Enabled Enabled
Do not use the search-based method when resolving shell shortcuts Enabled Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled Enabled
Force classic Start Menu Enabled Enabled
Gray unavailable Windows Installer programs Start Menu shortcuts Enabled Enabled
Hide the notification area Enabled Enabled
Lock the Taskbar Enabled Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled Enabled Enabled
Prevent grouping of taskbar items Enabled Enabled
Remove access to the context menus for the taskbar Enabled Enabled

Remove All Programs list from the Start menu Enabled Enabled
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands Enabled Enabled Disabled Disabled
Remove Balloon Tips on Start Menu items Enabled Enabled
Remove Clock from the system notification area Disabled Disabled
Remove common program groups from Start Menu Enabled Enabled
Remove Default Programs link from the Start menu Enabled Enabled
Remove Documents icon from Start Menu Enabled Enabled
Remove drag-and-drop and context menus on the Start Menu Enabled Enabled
Remove Favorites menu from Start Menu Enabled Enabled
Remove frequent programs list from the Start Menu Enabled Enabled
Remove Help menu from Start Menu Enabled Enabled
Remove links and access to Windows Update Enabled Enabled
Remove Logoff on the Start Menu Disabled Disabled
Remove Music icon from Start Menu Enabled Enabled
Remove Network Connections from Start Menu Enabled Enabled Enabled
Remove Network icon from Start Menu Enabled Enabled
Remove Pictures icon from Start Menu Enabled Enabled
Remove pinned programs list from the Start Menu Enabled Enabled
Remove programs on Settings menu Enabled Enabled
Remove Recent Items menu from Start Menu Enabled Enabled
Remove Run menu from Start Menu Enabled Enabled Disabled Disabled
Remove Search link from Start Menu Enabled Enabled
Remove the “Undock PC” button from the Start Menu Enabled Enabled
Remove user folder link from Start Menu Enabled Enabled Enabled
Remove user name from Start Menu Disabled Disabled Enabled Enabled
Remove user's folders from the Start Menu Enabled Enabled
Turn off notification area cleanup Enabled Enabled
Turn off personalized menus Enabled Enabled
Turn off user tracking Enabled Enabled
System
Policy Setting Setting Setting Setting

Do not display the Getting Started welcome screen at logon Enabled Enabled Enabled Enabled
Download missing COM components Disabled Disabled
Prevent access to registry editing tools Enabled Enabled Enabled Disabled
Disable regedit from running silently? Yes Yes Yes
Policy Setting Setting Setting Setting
Prevent access to the command prompt Enabled Enabled Disabled Disabled
Disable the command prompt script processing also? No No
Policy Setting
Restrict these programs from being launched from Help Disabled Disabled
Windows Automatic Updates Disabled Disabled
System/Ctrl+Alt+Del Options
Policy Setting Setting
Remove Change Password Enabled Enabled
Remove Lock Computer Enabled Enabled
Remove Logoff Disabled Disabled
Remove Task Manager Enabled Enabled
System/Driver Installation
Policy Setting
Turn off Windows Update device driver search prompt Enabled Enabled
Windows Components/AutoPlay Policies
Policy Setting Setting Setting Setting
Turn off Autoplay Enabled Enabled Enabled Disabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
Policy Setting Setting Setting
Event Viewer Disabled Disabled Enabled
Windows Components/NetMeeting
Policy Setting
Enable Automatic Configuration Disabled Disabled
Windows Components/Windows Explorer
Policy Setting Setting Setting Setting
Do not move deleted files to the Recycle Bin Enabled Enabled Enabled Enabled
Hide these specified drives in My Computer Enabled Enabled
Pick one of the following combinations Restrict all drives Restrict all drives
Policy Setting Setting Setting
Hides the Manage item on the Windows Explorer context menu Enabled Enabled Enabled

No Computers Near Me in Network Locations Enabled Enabled
No Entire Network in Network Locations Enabled Enabled
Prevent access to drives from My Computer Enabled Enabled
Pick one of the following combinations Restrict all drives Restrict all drives
Policy Setting Setting Setting
Remove “Map Network Drive” and “Disconnect Network Drive” Enabled Enabled
Remove CD Burning features Enabled Enabled
Remove DFS tab Enabled Enabled
Remove File menu from Windows Explorer Enabled Enabled
Remove Hardware tab Enabled Enabled
Remove Search button from Windows Explorer Enabled Enabled
Remove Security tab Enabled Enabled
Remove Shared Documents from My Computer Enabled Enabled
Remove UI to change keyboard navigation indicator setting Enabled Enabled
Remove UI to change menu animation setting Enabled Enabled
Remove Windows Explorer's default context menu Enabled
Removes the Folder Options menu item from the Tools menu Enabled Enabled
Turn off caching of thumbnail pictures Enabled Enabled
Turn off Windows+X hotkeys Enabled Enabled Enabled
Windows Components/Windows Messenger
Policy Setting Setting Setting Setting
Do not allow Windows Messenger to be run Enabled Enabled Enabled Enabled
Windows Components/Windows Update
Policy Setting Setting
Remove access to use all Windows Update features Enabled Enabled
Configure notifications
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting State State State State
Software\Policies\Microsoft\WindowsMovieMaker\MovieMaker 1 1 1 1

Policy Setting Setting Setting
Do not allow Windows Movie Maker to run Enabled Enabled Enabled
Windows Components/Windows Update
Policy Setting
Remove access to use all Windows Update features Enabled

Index
A
Active Directory 39
Active Directory container 44, 51
ATS xiii

B
BIOS 1, 7

C
Control stations xiii
CP. See also Control stations

D
domain administrator 77
Domain Controllers 39

E
ePO 101

F
FCP270 xiii
FCP280 xiii
Firewall 2
FoxView 71

H
Hardening 2

I
Invensys Global Customer Support xii, 4, 8, 105, 106

O
Object Manager. See also OM
OM xiii
Organizational Units (OU) 41

P
primary domain controller (PDC) 36

R
Reference documents xi
Remote Desktop Services 5, 35
Revision information xi

S
secondary domain controller (SDC) 36
strong password 8, 85

T
The MESH control network 35, 102

W
Workstations xiv

Z
ZCP270 xiv

Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
United States of America
http://www.invensys.com

Global Customer Support


Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424
Website: https://support.ips.invensys.com
