Technical Information

FAST/TOOLS
System Hardening Windows XP SP3/Windows 2003 SP1

TI 50A01A10-01EN
©Copyright May. 2009 (YK)
1st Edition May. 2009 (YK)

Introduction
■ About This Document
This manual describes System Hardening Windows XP SP3/ Windows 2003 SP1.

All Rights Reserved. Copyright © 2009, Yokogawa Electric Corporation TI 50A01A10-01EN May.12, 2009-00

CONTENTS
Introduction
1. Introduction
1.1 Purpose
1.2 Validity
1.3 Definitions, Abbreviations and Acronyms
1.4 References
2. General
3. Windows Firewall
4. Service packs and security updates
5. User account considerations
6. Antivirus
7. Installed services
Revision Information


1. Introduction
1.1 Purpose
In order to protect systems from network related security vulnerabilities, it is important to
harden the operating system on which the application is running. This document
describes the hardening procedure to be followed for FAST/TOOLS systems running
Microsoft operating systems.

1.2 Validity
This document is primarily intended for internal Yokogawa use when engineering
projects that use FAST/TOOLS on Microsoft operating systems.

1.3 Definitions, Abbreviations and Acronyms

YEF-SCE : Yokogawa System Center Europe B.V.
AV : Antivirus software.

1.4 References
1. McAfee VirusScan Enterprise version 8.7i, YHQ recommended antivirus software.
2. OPC Configuration White Paper, YEF-SCE procedure for setting up OPC
communications on Windows 2003 and Windows XP machines.


2. General
This document describes the steps that should be taken for hardening the Windows
systems used in your project. The hardening process consists of the following steps:

1. Windows Firewall
2. Disabled applications
3. Service packs
4. Account considerations
5. Antivirus
6. Remote network access
7. Installed services

TIP
This document is specifically related to operating system and network configuration for a Windows
machine. However, it may be useful to read the Security White Paper first to get a broader idea of the
security aspects associated with SCADA systems in general.


3. Windows Firewall
The Microsoft firewall must be activated on each system. All ports and application
exceptions must be blocked except for those described in this section or any specifically
required by project applications.
Exceptions are required when using:

• OPC
• ODBC
• A redundant server configuration and the high-availability (HAC) software
• Remote desktop services
• TCP/IP based equipment managers

The table below describes which ports should be configured as exceptions where
necessary.

| Port number | Protocol | Description | When and where used |
|---|---|---|---|
| 3389 | TCP | Remote desktop connection | Only if VNC is required for this machine. |
| 1099 | UDP | FAST/TOOLS DURM connection | On each machine with a DURM connection. Make exceptions for the port number used for each DURM line. For example, if you are using a dual redundant network connection, you must do this twice, once for each line. |
| 10101 | TCP | FAST/TOOLS DURR line 101 | Only on the server machines of a redundant server configuration, in case HAC is used. Only make exceptions for the number of lines you are using. For example, a dual network connection will only require lines 101 and 102. |
| 10102 | TCP | FAST/TOOLS DURR line 102 | As for line 101. |
| 10103 | TCP | FAST/TOOLS DURR line 103 | As for line 101. |
| 10104 | TCP | FAST/TOOLS DURR line 104 | As for line 101. |
| 11000 | UDP | HAC GUI commands | On the servers and all HMI machines, only when using a redundant server configuration and the HAC software. |
| 11001 | UDP | HAC logger | On the servers and all HMI machines, only when using a redundant server configuration and the HAC software. |
| 11004 | UDP | HAC watchdog | On the server machines, only when using a redundant server configuration and the HAC software. |
| 135 | TCP | DCOM | Only when the machine is used as OPC server or client. |
| 1538 | TCP | SimbaServer | Only on the server machine and only when using the ODBC interface of ACCESS/FAST. |

Allow incoming echo request is enabled. This allows network pings, which are useful for
troubleshooting network configurations.
When using TCP/IP based equipment managers, the eqp program should be configured as an
application exception in the firewall.
When using OPC connections, the following applications should be defined as
application exceptions in the firewall. These settings are not required if you are using the
OPC DCOM tunneler, because the tunneler uses the DURM connection for this purpose.

- OPC server (OPC server machine only)
- OPC client (OPC client machine only)
- Microsoft Management Console (located in C:\Windows\System32\mmc.exe) (both
client and server machines)
- OPCEnum (OPC server machine only)
- Print and file sharing (tick box)

If OPC is used or File and Printer Sharing is enabled, the scope of ports 139 and 145 TCP
and 137 and 138 UDP should be changed to “Any”.

TIP
- When using OPC, please refer to the OPC Configuration White Paper (ref[2]).
- If you are using a virus scanner then you may want to open the port for automatic updates. It is
advisable to use a managed machine with an internet connection to download new pattern files and
deploy them on the machines rather than having a direct connection to the internet.
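The port table and the application exception list above can be applied from a script instead of by hand. The following PowerShell script is an added example, not part of the Yokogawa document: it drives the `netsh firewall` context of Windows XP SP2+/Windows Server 2003 SP1, and the role switches, the SUBNET scope for the port exceptions and the OPC executable paths are assumptions of this script that must be matched to the machine being hardened.

```powershell
# Added example, not from the Yokogawa document: apply the firewall
# exceptions from the port table and application list above through the
# 'netsh firewall' context of Windows XP SP2+/Windows Server 2003 SP1.
# Assumptions: run from an elevated PowerShell session; the role switches
# below are invented for this script; OPC server/client executable paths
# (and OPCEnum on the OPC server machine) are project-specific placeholders.
param(
    [switch]$RemoteDesktop,          # port 3389, only where remote access is required
    [int[]]$DurmPorts = @(),         # DURM port per line actually used, e.g. 1099
    [int]$DurrLineCount = 0,         # DURR lines in use (0 when HAC is not used)
    [switch]$RedundantServer,        # server of a redundant (HAC) configuration
    [switch]$Hmi,                    # HMI station of a redundant configuration
    [switch]$Opc,                    # machine acts as OPC server or client
    [string[]]$OpcPrograms = @(),    # e.g. 'C:\Path\To\OpcServer.exe' (placeholder)
    [switch]$OdbcServer              # server using the ACCESS/FAST ODBC interface
)

# Positional form: netsh firewall add portopening <protocol> <port> <name> <mode> <scope>
# SUBNET limits the exception to the local subnet; this is an assumption of the
# script (the document states no scope for these ports). Use ALL if the peers
# of a DURM/DURR line sit on another subnet.
function Open-Port([string]$Protocol, [int]$Port, [string]$Name) {
    netsh firewall add portopening $Protocol $Port $Name ENABLE SUBNET
}
# Positional form: netsh firewall add allowedprogram <path> <name> <mode>
function Allow-Program([string]$Path, [string]$Name) {
    netsh firewall add allowedprogram $Path $Name ENABLE
}

# The firewall must be on before any exception means anything
netsh firewall set opmode ENABLE
# Allow incoming echo request (ICMP type 8) for network troubleshooting
netsh firewall set icmpsetting 8 ENABLE

if ($RemoteDesktop) { Open-Port TCP 3389 'Remote desktop connection' }

# One exception per DURM line; a dual redundant network needs two
foreach ($p in $DurmPorts) { Open-Port UDP $p "FAST/TOOLS DURM line port $p" }

if ($RedundantServer) {
    # DURR lines 101..104 map to TCP 10101..10104; open only the lines in use
    for ($i = 1; $i -le $DurrLineCount; $i++) {
        Open-Port TCP (10100 + $i) ("FAST/TOOLS DURR line {0}" -f (100 + $i))
    }
    Open-Port UDP 11004 'HAC watchdog'
}
if ($RedundantServer -or $Hmi) {
    Open-Port UDP 11000 'HAC GUI commands'
    Open-Port UDP 11001 'HAC logger'
}
if ($Opc) {
    Open-Port TCP 135 'DCOM'
    Allow-Program "$env:windir\System32\mmc.exe" 'Microsoft Management Console'
    foreach ($exe in $OpcPrograms) { Allow-Program $exe (Split-Path -Leaf $exe) }
    # File and Printer Sharing group with scope "Any" (ALL), as the text requires
    netsh firewall set service FILEANDPRINT ENABLE ALL
}
if ($OdbcServer) { Open-Port TCP 1538 'SimbaServer' }

# Print the resulting configuration for review against the table
netsh firewall show config
```

Run it with only the switches that apply to the machine's role; every exception it adds widens what the firewall accepts, so the final `show config` output should be compared line by line with the table.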

● Disabled applications
The following applications should be disabled or uninstalled on all the systems:

- Netmeeting (uninstalled)
- Windows Messenger (uninstalled)
- Windows Movie Maker (disabled)
- Windows Update (disabled)
- Windows Media Player (uninstalled)
- All games (uninstalled)
- Outlook express (uninstalled)
- MSN Explorer (uninstalled)


4. Service packs and security updates

Microsoft regularly releases operating system updates and security patches. As a result,
it is not practical to include a list of all updates that need to be installed on the project
machine. The practice for installing Windows updates is as follows:

- Connect the machine to the internet
- Visit http://www.update.microsoft.com using Internet Explorer
- Download the Windows Genuine Advantage program if requested to confirm the
authenticity of your Windows installation
- Install all latest fixes via the online update wizard

In addition to the latest operating system updates, Yokogawa maintains a list of security
updates that have been tested and evaluated (e.g. for Centum). After updating your
system through Windows updates, obtain this list from YHQ or your nearest Yokogawa
center of excellence.
- Open Add/Remove programs from the Control Panel
- Check the option “Show updates”
- The updates are shown in numerical order. Scroll down the list in the Add/Remove
programs dialog and find the last Windows update that is also included in the
Yokogawa list.
- If there are more updates in the Yokogawa list that come after this one then install
only the latest updates that come afterwards. Do not install older updates that come
before since these changes may have been overruled by Windows hot fixes.

TIP
FAST/TOOLS should be installed and tested on a defined patch level for the project. If, for example, the
customer feels the need for additional updates at a later date or critical fixes are released, then
Yokogawa must first determine the relevance of such a fix and test FAST/TOOLS on the patched
system to check that functionality is not adversely affected.


5. User account considerations

The following table shows the recommended user definitions.

| Name | Password | Description |
|---|---|---|
| Administrator | Xxx | System Administrator password. This user has no limitations for system administration. This user is defined for the system custodian. |
| FT | Xxx | The FT user has administrator rights and is only used to start up the FAST/TOOLS service. |
| FTUSER | Xxx | The FTUSER has normal USER privileges. The FAST/TOOLS configuration tools and operator mimics run under this account. |

TIP
- If the HMI station is configured to automatically log on with the FTUSER account, then the
USER/FAST software must be started as the OS shell. This automatically disables the Windows
Explorer functions such as the task bar, desktop and the Windows function keys. Other functions such as
Lock Computer, System Shutdown, Change Password and Task Manager are also disabled for the
FTUSER account.
- If you use remote access software such as VNC, then make sure that access can only be acquired
via the Administrator user account and that it is used for maintenance purposes only.


6. Antivirus
Antivirus software should be installed on all systems. The recommended antivirus
software used by YHQ is described in ref[1], though the customer may have
standardized on other software. The antivirus software should be configured so that
real-time scanning is enabled.
If the virus scanner permits exceptions, then the following FAST/TOOLS directories
should be configured as exceptions in the antivirus software:

C:\Program Files\Yokogawa\FAST TOOLS\TLS\DAT
C:\Program Files\Yokogawa\FAST TOOLS\TLS\SAV
C:\Program Files\Yokogawa\FAST TOOLS\TLS\HIS

TIP
Virus pattern updates should be downloaded via a separate machine. They should be applied either
manually or through automatic updates from a controlled system, preferably from within a demilitarized
zone in the network (DMZ), in order to prevent direct internet access.


7. Installed services
The following table lists the services that should be activated or disabled for both
server and HMI stations.

NB: If you wish to configure DCOM for OPC, then you must set the “Distributed
Transaction Coordinator” service to Automatic. Otherwise it is not possible to run the
DCOM configuration tool.
| Service | Description | Windows XP | Windows 2003 |
|---|---|---|---|
| .NET Runtime Optimization Service v2.0.50727_X86 | Microsoft .NET Framework NGEN | Disabled | N/A |
| Alerter | Notifies selected users and computers of administrative alerts. | Disabled | Disabled |
| APC PBE Agent | APC PowerChute Business Edition Agent. Only installed on a machine if directly connected to a UPS with a USB cable. Log On: administrator | Automatic | Automatic |
| APC PBE Server | APC PowerChute Business Edition Server. Only installed on a machine if directly connected to a UPS with a USB cable. Log On: administrator | Automatic | Automatic |
| Application Experience Lookup Service | Processes application compatibility lookup requests for applications as they are launched. | N/A | Automatic |
| Application Layer Gateway Service | Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall. | Manual | Manual |
| Application Management | Provides software installation services such as Assign, Publish, and Remove. | Manual | Manual |
| ASP.NET State Service | Provides support for out-of-process session states for ASP.NET. | Disabled | N/A |
| ATI Hotkey Poller | | N/A | Disabled |
| Automatic Updates | Enables the download and installation of critical Windows updates. | Disabled | Disabled |
| Background Intelligent Transfer Service | Transfers data between clients and servers in the background. | Manual | Manual |
| ClipBook | Enables ClipBook Viewer to store information and share it with remote computers. | Disabled | Disabled |
| COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. | Manual | Manual |
| COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. | Manual | Manual |
| Computer Browser | Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. | Disabled | Disabled |
| Cryptographic Services | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. | Automatic | Automatic |
| DCOM Server Process Launcher | Provides launch functionality for DCOM services. | Automatic | Automatic |
| DHCP Client | Manages network configuration by registering and updating IP addresses and DNS names. | Disabled | Disabled |
| Distributed File System | Integrates disparate file shares into a single, logical namespace and manages these logical volumes distributed across a local or wide area network. | N/A | Manual |
| Distributed Link Tracking Server | Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. | N/A | Automatic |
| Distributed Link Tracking Client | Maintains links between NTFS files within a computer or across computers in a network domain. | Disabled | Disabled |
| Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. | Disabled | Disabled |
| DNS Client | Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. | Automatic | Automatic |
| DVWebViews Service | | Manual | Manual |
| Error Reporting Service | Allows error reporting for services and applications running in non-standard environments. | Disabled | Disabled |
| Event Log | Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. | Automatic | Automatic |
| Fast User Switching Compatibility | Provides management for applications that require assistance in a multiple user environment. | Automatic | N/A |
| File Replication | Allows files to be automatically copied and maintained simultaneously on multiple servers. | N/A | Manual |
| Help and Support | Enables Help and Support Center to run on this computer. | Disabled | Disabled |
| HTTP SSL | This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). | Manual | Manual |
| Human Interface Device Access | Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. | Disabled | Disabled |
| IMAPI CD-Burning COM Service | Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). | Disabled | Disabled |
| Indexing Service | Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. | Disabled | Disabled |
| Intel NCS Netservice | Supports Intel(R) PROSet for Wired Connections. | N/A | Manual |
| Intersite Messaging | Enables messages to be exchanged between computers running Windows Server sites. | N/A | Disabled |
| IPSEC Services | Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. | Disabled | Disabled |
| Kerberos Key Distribution Center | On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. | N/A | Disabled |
| License Logging | Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. | N/A | Disabled |
| Logical Disk Manager | Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. | Manual | Manual |
| Logical Disk Manager Administrative Service | Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. | Manual | Manual |
| Messenger | Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. | Disabled | Disabled |
| MS Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. | Disabled | Disabled |
| Net Logon | Supports pass-through authentication of account logon events for computers in a domain. | Disabled | Disabled |
| NetMeeting Remote Desktop Sharing | Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. | Disabled | Disabled |
| Network Connections | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. | Automatic | Automatic |
| Network DDE | Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. | Disabled | Disabled |
| Network DDE DSDM | Manages Dynamic Data Exchange (DDE) network shares. | Disabled | Disabled |
| Network Location Awareness (NLA) | Collects and stores network configuration and location information, and notifies applications when this information changes. | Disabled | Disabled |
| Network Provisioning Service | Manages XML configuration files on a domain basis for automatic network provisioning. | Manual | Manual |
| NT LM Security Support Provider | Provides security to remote procedure call (RPC) programs that use transports other than named pipes. | Disabled | Disabled |
| OpcEnum | | Manual | Manual |
| Performance Logs and Alerts | Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. | Disabled | Disabled |
| Plug and Play | Enables a computer to recognize and adapt to hardware changes with little or no user input. | Automatic | Automatic |
| Portable Media Serial Number | Retrieves the serial number of any portable music player connected to your computer. | Disabled | Disabled |
| Print Spooler | Loads files to memory for later printing. | Automatic | Automatic |
| Protected Storage | Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. | Automatic | Automatic |
| QoS RSVP | Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. | Disabled | N/A |
| Remote Access Auto Connection Manager | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. | Disabled | Disabled |
| Remote Access Connection Manager | Creates a network connection. | Disabled | Disabled |
| Remote Desktop Help Session Manager | Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. | Disabled | Disabled |
| Remote Procedure Call (RPC) | Provides the endpoint mapper and other miscellaneous RPC services. | Automatic | Automatic |
| Remote Procedure Call (RPC) Locator | Manages the RPC name service database. | Manual | Manual |
| Remote Registry | Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. | Automatic | Automatic |
| Removable Storage | Used for managing removable media. | Manual | Manual |
| Resultant Set of Policy Provider | Enables a user to connect to a remote computer, access the Windows Management Instrumentation database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied. | N/A | Manual |
| Routing and Remote Access | Offers routing services to businesses in local area and wide area network environments. | Disabled | Disabled |
| Secondary Logon | Enables starting processes under alternate credentials. | Automatic | Automatic |
| Security Accounts Manager | Stores security information for local user accounts. | Automatic | Automatic |
| Security Center | Monitors system security settings and configurations. | Manual | N/A |
| Server | Supports file, print, and named-pipe sharing over the network for this computer. | Automatic | Automatic |
| Shell Hardware Detection | Provides notifications for AutoPlay hardware events. | Automatic | Automatic |
| Smart Card | Manages access to smart cards read by this computer. | Disabled | Disabled |
| Special Administration Console Helper | Allows administrators to remotely access a command prompt using Emergency Management Services. | N/A | Manual |
| SSDP Discovery Service | Enables discovery of UPnP devices on your home network. | Disabled | N/A |
| Start Fasttools | Log On: FT | Manual | Manual |
| System Event Notification | Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. | Automatic | Automatic |
| System Restore Service | Performs system restore functions. To stop the service, turn off System Restore from the System Restore tab in My Computer, Properties. | Disabled | N/A |
| Task Scheduler | Enables a user to configure and schedule automated tasks on this computer. | Automatic | Automatic |
| TCP/IP NetBIOS Helper | Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. | Automatic | Automatic |
| Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Disabled | Disabled |
| Telnet | Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. | Disabled | N/A |
| Terminal Services | Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. | Manual | Manual |
| Terminal Services Session Directory | Enables a user connection request to be routed to the appropriate terminal server in a cluster. | N/A | Disabled |
| Themes | Provides user experience theme management. | Disabled | Disabled |
| Uninterruptible Power Supply | Manages an uninterruptible power supply (UPS) connected to the computer. | Disabled | Disabled |
| Universal Plug and Play Device Host | Provides support to host Universal Plug and Play devices. | Disabled | N/A |
| Upload Manager | Manages synchronous and asynchronous file transfers between clients and servers on the network. | Disabled | N/A |
| Virtual Disk Service | Provides software volume and hardware volume management service. | N/A | Manual |
| Volume Shadow Copy | Manages and implements Volume Shadow Copies used for backup and other purposes. | Disabled | Disabled |
| WebClient | Enables Windows-based programs to create, access, and modify Internet-based files. | Disabled | Disabled |
| WinHTTP Web Proxy Auto-Discovery Service | Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol to enable an HTTP client to automatically discover a proxy configuration. | N/A | Manual |
| Windows Audio | Manages audio devices for Windows-based programs. | Automatic | Automatic |
| Windows Firewall/Internet Connection Sharing (ICS) | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | Automatic | Automatic |
| Windows Image Acquisition (WIA) | Provides image acquisition services for scanners and cameras. | Disabled | Disabled |
| Windows Installer | Installs, repairs and removes software according to instructions contained in .MSI files. | Manual | Manual |
| Windows Management Instrumentation | Provides a common interface and object model to access management information about operating system, devices, applications and services. | Automatic | Automatic |
| Windows Management Instrumentation Driver Extensions | Provides systems management information to and from drivers. | Manual | Manual |
| Windows Time | Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. | Disabled | Disabled |
| Windows User Mode Driver Framework | Enables Windows user mode drivers. | Automatic | Automatic |
| Wireless Zero Configuration | Provides automatic configuration for the 802.11 adapters. | Disabled | N/A |
| Wireless Configuration | Enables automatic configuration for IEEE 802.11 adapters. | N/A | Disabled |
| WMI Performance Adapter | Provides performance library information from WMI HiPerf providers. | Manual | Manual |
| Workstation | Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Very important service. | Automatic | Automatic |
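A baseline like the table above is only useful if the machine is checked against it after hardening and again after every update. The following PowerShell audit is an added example, not part of the Yokogawa document: it compares the local start type of each listed service with the table's XP or Windows 2003 column (chosen from the operating system's ProductType) and optionally remediates. It assumes PowerShell 2.0 on the hardened machine and encodes only a sample of the table's rows; `$Baseline` must be completed from the table for a full audit.

```powershell
# Added example, not from the Yokogawa document: audit the local service
# start types against the baseline in the table above and optionally fix them.
# Assumes PowerShell 2.0 (Windows Management Framework) on the hardened
# XP SP3 / 2003 SP1 machine, run from an elevated session. Only a sample of
# the table's rows is encoded here; complete $Baseline from the table.
param([switch]$Remediate)

# Baseline rows keyed by display name; 'N/A' means the service does not
# exist on that operating system. Values are copied from the table above.
$Baseline = @{
    'Alerter'                             = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Automatic Updates'                   = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Computer Browser'                    = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Cryptographic Services'              = @{ XP = 'Automatic'; W2K3 = 'Automatic' }
    'DCOM Server Process Launcher'        = @{ XP = 'Automatic'; W2K3 = 'Automatic' }
    'DHCP Client'                         = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    # Per the NB above: Automatic instead of Disabled when DCOM for OPC is configured
    'Distributed Transaction Coordinator' = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Messenger'                           = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Remote Registry'                     = @{ XP = 'Automatic'; W2K3 = 'Automatic' }
    'Telnet'                              = @{ XP = 'Disabled';  W2K3 = 'N/A'       }
    'Windows Time'                        = @{ XP = 'Disabled';  W2K3 = 'Disabled'  }
    'Workstation'                         = @{ XP = 'Automatic'; W2K3 = 'Automatic' }
}

# Pick the table column from the OS: ProductType 1 is a workstation (XP),
# 2 (domain controller) and 3 (server) are Windows Server 2003.
$os = Get-WmiObject Win32_OperatingSystem
$column = 'W2K3'
if ($os.ProductType -eq 1) { $column = 'XP' }

# Win32_Service reports StartMode as Auto/Manual/Disabled (Boot/System for
# drivers); map it onto the wording used in the table.
$modeNames = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

$deviations = 0
foreach ($name in ($Baseline.Keys | Sort-Object)) {
    $expected = $Baseline[$name][$column]
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if ($svc -eq $null) {
        # An absent service only matters when the table expects it to exist
        if ($expected -ne 'N/A') { Write-Output "MISSING  $name (baseline $expected)"; $deviations++ }
        continue
    }
    $actual = $modeNames[[string]$svc.StartMode]
    if ($actual -eq $expected) { Write-Output "OK       $name = $actual"; continue }

    Write-Output "DEVIATES $name is $actual, baseline $expected"
    $deviations++
    if ($Remediate -and $expected -ne 'N/A') {
        # Set-Service changes the start type only; a running service that the
        # baseline disables must also be stopped.
        Set-Service -Name $svc.Name -StartupType $expected
        if ($expected -eq 'Disabled' -and $svc.State -eq 'Running') {
            Stop-Service -Name $svc.Name -Force
        }
    }
}
Write-Output "$deviations deviation(s) from the baseline"
exit $deviations
```

The non-zero exit code makes the script usable as a pass/fail check after applying Windows updates, which can re-enable services such as Automatic Updates.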


Revision Information
Title : FAST/TOOLS System Hardening Windows XP SP3/Windows 2003 SP1
Manual No. : TI 50A01A10-01EN

May. 2009/1st Edition
Newly published

Written by Open System Department
Industrial Automation Systems Business Center
Yokogawa Electric Corporation
Published by Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, Japan

Subject to change without notice.