Workstation PCs located in the control room are highly exposed to attacks. Those PCs supporting EcoStruxure™ Control Expert or EcoStruxure™ Server Expert need to be hardened.

As these applications all run on the Windows OS, this chapter offers guidelines on how to harden a PC, focusing on security for Windows 10.

Hardening the Engineering Workstation

The following key features are used to help secure the workstation; each is described in its own section below.

This topic also includes references to several Windows 10 cybersecurity configuration guides.

Attack Surface Reduction

The attack surface of your networked system is the collection of areas where an intruder can attempt to add or extract data.

To help reduce the potential attack surface:

  • Disable all software applications, services, and communication ports that are not used.

  • Disable or restrict access to removable storage devices (for example, USB).

  • Use the workstation for only a single function (for example, install OPC UA Server Expert and Control Expert on different PCs).

Security Policy Configuration and Checking

Windows Security Policy can be set through Group Policy objects.

A Group Policy Object (GPO) is a set of configuration changes that can be applied to a PC workstation. For more information about the Local Group Policy Editor, refer to the security configuration guides from the Center for Internet Security (CIS) referenced below.

Domain GPOs can also be defined in Windows Active Directory.

Security configurations need to be checked regularly and automatically.
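As an added example (not part of the Schneider Electric documentation), the following PowerShell script performs a read-only check of several settings recommended later in this chapter. The registry paths are the ones the System Properties and Local Security Policy consoles write to; the expected values follow this chapter's own steps (RDP disabled, NTLMv2 only, no LM hash stored, no automatic logon, SMBv1 off, firewall enabled on all profiles).

```powershell
# Added example (not Schneider Electric code): a read-only check that reports
# whether several settings recommended in this chapter are in place.
# Run from an elevated PowerShell prompt; schedule it (for example as a
# scheduled task) so the configuration is checked regularly and automatically.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null    # key or value absent: the Windows default applies, reported as FAIL below
    }
}

function Test-WorkstationHardening {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Number of firewall profiles (Domain/Private/Public) that are not enabled
    $firewallOff   = @(Get-NetFirewallProfile | Where-Object { $_.Enabled.ToString() -ne 'True' }).Count
    # 1 if the SMB1Protocol optional feature is still enabled, 0 otherwise
    $smb1FeatureOn = [int]((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled')

    $checks = @(
        @{ Name = 'RDP connections denied';          Actual = Get-RegistryValueOrNull $ts 'fDenyTSConnections';          Expected = 1 }
        @{ Name = 'LM & NTLM refused (NTLMv2 only)'; Actual = Get-RegistryValueOrNull $lsa 'LmCompatibilityLevel';       Expected = 5 }
        @{ Name = 'LM hash not stored';              Actual = Get-RegistryValueOrNull $lsa 'NoLMHash';                   Expected = 1 }
        @{ Name = 'Automatic logon disabled';        Actual = [int](Get-RegistryValueOrNull $winlogon 'AutoAdminLogon'); Expected = 0 }
        @{ Name = 'SMBv1 server disabled';           Actual = [int](Get-SmbServerConfiguration).EnableSMB1Protocol;      Expected = 0 }
        @{ Name = 'SMBv1 feature not enabled';       Actual = $smb1FeatureOn;                                            Expected = 0 }
        @{ Name = 'Firewall enabled on all profiles'; Actual = $firewallOff;                                             Expected = 0 }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Status   = $(if ($null -ne $c.Actual -and $c.Actual -eq $c.Expected) { 'PASS' } else { 'FAIL' })
        }
    }
}

Test-WorkstationHardening | Format-Table -AutoSize
```

A FAIL with an empty Actual column means the value has never been set, so the Windows default is in effect. Forwarding the script's output to a central log collector turns the check into evidence that the configuration is verified on a schedule rather than only at installation time.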

User Account Management

  • Change Default Passwords:

    Before deploying any new asset, change all default passwords to values that meet the requirements for administrative-level accounts.

    Disable Windows automatic login.

    For a description of Windows account password settings, refer to the security configuration guides from the Center for Internet Security (CIS) referenced below.

  • Setup User Accounts:

    User accounts can be defined either locally (workgroup) on a standalone computer or through a Windows Active Directory domain controller, which centralizes the management of all users in a system.

    Follow these recommendations when setting up user accounts:

    • Use a standard individual user account (without Administrator privilege) to run the software applications that are configured to run as standalone applications (for example, Control Expert).

    • Use a local system account for the software applications that are configured to run as a Service (for example, OFS UA).

    • Use a dedicated Administrative account to install the software applications and to configure IPSec.

    • Set up a password manager to manage your passwords (for example, KeePass).

    • Disable all accounts that are not associated with a business purpose (for example, debug accounts). Refer to CIS control 16.8.

    • Automatically disable dormant accounts after a set period of inactivity. Refer to CIS control 16.9.

    • Automatically lock workstation sessions after a standard period of inactivity. Refer to CIS control 16.11.
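As an added example (not part of the Schneider Electric documentation), the following PowerShell script applies three of the account recommendations above on a standalone (workgroup) Windows 10 workstation: it disables automatic logon, disables local accounts that have been dormant for a set period, and locks the session after a period of inactivity. The 45-day and 15-minute thresholds and the exempt account list are assumptions chosen for illustration.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
$DormantDays    = 45                                   # assumed inactivity threshold (CIS 16.9)
$LockSeconds    = 900                                  # assumed 15-minute session lock (CIS 16.11)
$ExemptAccounts = @('Administrator', 'DefaultAccount', 'WDAGUtilityAccount')  # built-in accounts handled separately

function Disable-AutoLogon {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0' -Type String
    # A stored default password would make re-enabling autologon trivial; remove it if present
    Remove-ItemProperty -Path $key -Name DefaultPassword -ErrorAction SilentlyContinue
}

function Disable-DormantLocalAccounts {
    param([int]$Days, [string[]]$Exempt)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled -or $Exempt -contains $u.Name) { continue }
        if ($null -eq $u.LastLogon) {
            # Never logged on: report for manual review rather than disabling blindly
            [pscustomobject]@{ Account = $u.Name; LastLogon = $null; Action = 'Review (never logged on)' }
        } elseif ($u.LastLogon -lt $cutoff) {
            Disable-LocalUser -Name $u.Name
            [pscustomobject]@{ Account = $u.Name; LastLogon = $u.LastLogon; Action = 'Disabled' }
        }
    }
}

function Set-InactivityLock {
    param([int]$Seconds)
    # Same value as the "Interactive logon: Machine inactivity limit" security option
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

Disable-AutoLogon
Disable-DormantLocalAccounts -Days $DormantDays -Exempt $ExemptAccounts | Format-Table -AutoSize
Set-InactivityLock -Seconds $LockSeconds
```

On a domain-joined workstation the dormant-account and inactivity settings belong in a domain GPO and the account review runs against Active Directory instead of Get-LocalUser; the local script is the workgroup equivalent.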

Access Control Management

Access to all information stored on systems, whether through file system, network share, claims, application, or database access controls, needs to be controlled. These controls enforce the principle of least privilege: only authorized individuals can access information, and only the information they minimally require for their responsibilities.

Permissions are related to objects. Depending on the objects, permission can be implemented based on:

  • Windows Active Directory objects.

  • NTFS file access through discretionary access control lists (DACLs).

  • Shared folder permissions.

  • Remote Registry service (enable/disable).

Privileges are user rights that are not tied to an object but are instead machine-specific. They can be managed through Group Policy settings; for example, the “Removable storage access” settings in the Local Group Policy Editor can restrict access to USB storage devices (read or write).

Helping Secure Network Services

The best way to help secure a service is to uninstall or disable it. We recommend that you disable or uninstall all unnecessary services.

There are several ways to disable a service (Services tool, security template, Group Policy Object, PowerShell, SC.exe).

In addition, we recommend that you use Windows firewall with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
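As an added example (not part of the Schneider Electric documentation), the following PowerShell script disables a set of services from the command line and configures the Windows firewall with a default-deny inbound posture plus explicit allow rules. The service names and the allowed port are assumptions for illustration; derive the real lists from the services and ports your application actually uses.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
$UnneededServices = @('RemoteRegistry', 'SSDPSRV', 'upnphost', 'WMPNetworkSvc')  # assumed list
# Constructed allow-list: replace the placeholder port with what your application needs
$AllowedInbound = @(
    @{ Name = 'Example-App-TCP'; Protocol = 'TCP'; Port = 50000 }   # placeholder value
)

function Disable-UnneededService {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                     # not installed on this image
        if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled      # survives reboot; equivalent to sc.exe config start= disabled
        [pscustomobject]@{ Service = $n; StartType = (Get-Service -Name $n).StartType }
    }
}

function Set-DefaultDenyFirewall {
    param([hashtable[]]$Allow)
    # Enable all profiles, block inbound by default, and log dropped packets for later review
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -LogBlocked True
    foreach ($rule in $Allow) {
        if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Allow `
                -Protocol $rule.Protocol -LocalPort $rule.Port -Profile Any | Out-Null
        }
    }
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Disable-UnneededService -Names $UnneededServices | Format-Table -AutoSize
Set-DefaultDenyFirewall -Allow $AllowedInbound | Format-Table -AutoSize
```

Blocked-packet logging (written to the profile's log file) is what lets you discover a service the application silently depended on before users report a fault, so keep it on while the allow-list is being tuned.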

  • Firewall usage:

    The Windows firewall is needed for IPSec configuration on Windows 10. In recent versions of Windows operating systems, including Windows 10, the firewall is enabled by default. For more details on Windows Firewall settings, refer to the security configuration guides from the Center for Internet Security (CIS) referenced below.

  • Server Manager tool:

    Server Manager lets you view all the dependencies of a feature so you can determine if it is wise to remove it from a Windows Server.

    Server roles can be selected (for example, Web Server (IIS), DNS Server, and so forth).

    Server features can be selected (for example, BitLocker, .NET Framework, and so forth).

  • Internet Information Services (IIS) – Web Server Security:

    Use a minimal installation of the latest version.

    Configure IIS Access Control (TLS and user authentication).

    Enable logging and review the logs for signs of attack.

    More details on IIS settings are provided in the CIS benchmark document referenced below.

  • Disabling SMBv1:

    Server Message Block version 1 (SMBv1) is a protocol used for sharing services (such as printing, files, and communication) between PCs on a network. SMBv1 has known vulnerabilities that allow remote code execution on the host PC.

    We recommend that you disable SMBv1.

Disabling the Remote Desktop Protocol

Schneider Electric’s defense-in-depth approach recommendations include disabling remote desktop protocol (RDP) unless your application requires the RDP. The following steps describe how to disable the protocol:

Step 1: In Windows 10, disable RDP via Computer > System Properties > Advanced System Settings.

Step 2: On the Remote tab, deselect the Allow Remote Assistance Connections to this Computer check box.

Step 3: Select the Don’t Allow Connection to this Computer check box.

Disabling LANMAN and NTLM

We recommend that you disable both the Microsoft LAN Manager protocol (LANMAN) and its successor, NT LAN Manager (NTLM). Both protocols have vulnerabilities that make their use in control applications inadvisable.

The following steps describe how to disable LANMAN and NTLM in a Windows 10 system:

Step 1: In a command window, execute secpol.msc to open the Local Security Policy window.

Step 2: Open Security Settings > Local Policies > Security Options.

Step 3: Select Send NTLMv2 response only. Refuse LM & NTLM in the Network Security: LAN Manager authentication level field.

Step 4: Select the Network Security: Do not store LAN Manager hash value on next password change check box.

Step 5: In a command window, enter gpupdate to commit the changed security policy.
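As an added example (not part of the Schneider Electric documentation), the following PowerShell script applies the two Local Security Policy settings from the steps above by writing the registry values that the secpol.msc console sets, removes SMBv1 as recommended in the "Disabling SMBv1" section, and then refreshes policy. It assumes an elevated prompt; the SMBv1 feature removal takes effect after a restart.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-NtlmV2Only {
    # LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM" (step 3 above)
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # NoLMHash 1 = "Do not store LAN Manager hash value on next password change" enabled (step 4 above)
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
}

function Disable-Smb1 {
    # Server side: stop answering SMBv1 immediately
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: remove the SMB1Protocol optional feature (binaries are gone after restart)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Set-NtlmV2Only
Disable-Smb1
gpupdate /force | Out-Null          # step 5 above: commit the changed policy

# Read the values back so the change is confirmed, not assumed
Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel, NoLMHash |
    Select-Object LmCompatibilityLevel, NoLMHash
```

Note that NoLMHash only stops new LM hashes being stored: existing local accounts keep their LM hash until their password is next changed, so a password change for every local account should follow this script.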

Disabling Unused Network Interface Cards

We recommend that network interface cards not required by the application are disabled. For example, if your system has 2 cards and the application uses only one, verify that the other network card (Local Area Connection 2) is disabled.

To disable a network card in Windows 10:

Step 1: Open Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.

Step 2: Right-click the unused connection. Select Disable.

Configuring the Local Area Connection

Various Windows network settings provide enhanced security aligned with the defense-in-depth approach that Schneider Electric recommends.

In Windows 10 systems, access these settings by opening Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings > Local Area Connection (x).

This list is an example of the configuration changes you might make to your system on the Local Area Connection Properties screen:

  • Disable all IPv6 stacks on their respective network cards.

  • Deselect all Local Area Connection Properties items except for QoS Packet Scheduler and Internet Protocol Version 4.

  • Under the WINS tab of Advanced TCP/IP Settings, deselect the Enable LMHOSTS and Disable NetBIOS over TCP/IP check boxes.

  • Enable File and Print Sharing for Microsoft Network.

Schneider Electric’s defense-in-depth recommendations also include the following:

  • Define only static IPv4 addresses, subnet masks, and gateways.

  • Do not use DHCP or DNS in the control room.
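As an added example (not part of the Schneider Electric documentation), the following PowerShell script applies the adapter recommendations of the last two sections from the command line: it disables every adapter except the one the application uses, leaves only Internet Protocol Version 4, the QoS Packet Scheduler and File and Printer Sharing bound on that adapter (so IPv6 and the remaining items are off), turns off NetBIOS over TCP/IP and LMHOSTS lookup on the WINS tab, and replaces DHCP with a static IPv4 address and gateway. The adapter name and the addresses are constructed placeholders.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
$InUseAdapter = 'Ethernet'                              # placeholder: the adapter the application uses
$KeepBindings = @('ms_tcpip', 'ms_pacer', 'ms_server')  # IPv4, QoS Packet Scheduler, File and Printer Sharing
$StaticIP     = '192.0.2.10'                            # placeholder address (documentation range)
$PrefixLength = 24                                      # 255.255.255.0
$Gateway      = '192.0.2.1'                             # placeholder gateway

function Disable-UnusedAdapters {
    param([string]$Keep)
    Get-NetAdapter | Where-Object { $_.Name -ne $Keep -and $_.Status -ne 'Disabled' } |
        Disable-NetAdapter -Confirm:$false
}

function Set-MinimalBindings {
    param([string]$Adapter, [string[]]$Keep)
    # Every enabled binding not in $Keep (ms_tcpip6, ms_msclient, ms_lltdio, ...) is unchecked
    Get-NetAdapterBinding -Name $Adapter |
        Where-Object { $_.Enabled -and ($Keep -notcontains $_.ComponentID) } |
        ForEach-Object { Disable-NetAdapterBinding -Name $Adapter -ComponentID $_.ComponentID }
}

function Disable-NetbiosAndLmhosts {
    param([string]$Adapter)
    $idx = (Get-NetAdapter -Name $Adapter).ifIndex
    $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx"
    # TcpipNetbiosOptions 2 = "Disable NetBIOS over TCP/IP" on the WINS tab
    Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
    # EnableWINS is a machine-wide setting; this clears "Enable LMHOSTS lookup"
    Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
        -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null
}

function Set-StaticIPv4 {
    param([string]$Adapter, [string]$IP, [int]$Prefix, [string]$Gw)
    $idx = (Get-NetAdapter -Name $Adapter).ifIndex
    Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -Dhcp Disabled
    # Remove any DHCP-assigned address and default route before assigning the static one
    Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceIndex $idx -IPAddress $IP -PrefixLength $Prefix -DefaultGateway $Gw | Out-Null
}

Disable-UnusedAdapters -Keep $InUseAdapter
Set-MinimalBindings -Adapter $InUseAdapter -Keep $KeepBindings
Disable-NetbiosAndLmhosts -Adapter $InUseAdapter
Set-StaticIPv4 -Adapter $InUseAdapter -IP $StaticIP -Prefix $PrefixLength -Gw $Gateway
Get-NetIPConfiguration -InterfaceAlias $InUseAdapter    # show the resulting configuration
```

No DNS server is configured, in line with the recommendation not to use DHCP or DNS in the control room; if a host needs to resolve names, a static hosts file entry is the only mechanism left after LMHOSTS and NetBIOS are off.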

Enable or Install Antivirus Protection Tools

You can improve the system response against viruses and malicious code using the built-in tools in Windows 10. You can also install additional antivirus software if necessary.

Enterprise editions of Windows 10 include Windows Defender Advanced Threat Protection, a security platform that monitors endpoints, such as Windows 10 PCs, using behavioral sensors. Microsoft’s SmartScreen technology is another built-in feature that scans downloads and blocks access to websites and downloads that are known to be malicious.

More details on Windows Defender settings are provided in the Center for Internet Security (CIS) document referenced below, including:

  • Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis (CIS Control 8.2).

  • Configure Anti-Malware Scanning of Removable Media: USB (Refer to CIS Control 8.4).

  • Configure devices to not auto-run content from removable media: USB (Refer to CIS control 8.5).
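As an added example (not part of the Schneider Electric documentation), the following PowerShell script applies the three CIS items above with the Windows 10 built-in tools: it keeps Microsoft Defender's engine and signatures updated, enables scanning of removable drives, and stops AutoRun and AutoPlay from launching content on removable media. The 4-hour signature check interval is an assumption.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-DefenderBaseline {
    Set-MpPreference -DisableRealtimeMonitoring $false        # real-time protection on
    Set-MpPreference -DisableRemovableDriveScanning $false    # scan USB media during scans (CIS 8.4)
    Set-MpPreference -SignatureUpdateInterval 4               # check for signature updates every 4 hours (CIS 8.2); assumed value
    Update-MpSignature                                        # fetch the current engine and signatures now
}

function Disable-AutoRun {
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    # 0xFF = "Turn off AutoPlay" on all drive types (CIS 8.5)
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # 1 = "Do not execute any autorun commands" (default AutoRun behavior)
    Set-ItemProperty -Path $ExplorerPolicy -Name NoAutorun -Value 1 -Type DWord
}

function Get-AntiMalwareStatus {
    # Read back what actually applies, so the state can be recorded with the other checks
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection      = $s.RealTimeProtectionEnabled
        SignatureAgeDays        = $s.AntivirusSignatureAge
        SignatureLastUpdated    = $s.AntivirusSignatureLastUpdated
        RemovableDriveScanning  = -not (Get-MpPreference).DisableRemovableDriveScanning
        NoDriveTypeAutoRun      = (Get-ItemProperty -Path $ExplorerPolicy).NoDriveTypeAutoRun
    }
}

Set-DefenderBaseline
Disable-AutoRun
Get-AntiMalwareStatus | Format-List
```

A workstation without internet access cannot run Update-MpSignature directly; in that case the same command accepts an -UpdateSource parameter pointing at an internal update share, which is the usual arrangement for an isolated control network.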

Systematic Patch Management

Always install the latest stable version of security-related updates for the operating system, applications (including web browsers and e-mail clients), and drivers.

Enable auto update in Windows 10.

More details are provided in the Center for Internet Security (CIS) document referenced below.

Backup Management

Ensure that:

  • All system data is automatically backed up on a regular basis (Refer to CIS control 10.1).

  • The organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. (Refer to CIS control 10.2).

  • Backups are properly protected via physical security or encryption when they are stored, and also when they are moved across the network. This includes remote backups and cloud services. (Refer to CIS control 10.4).

  • All backups have at least one offline (i.e., not accessible via a network connection) backup destination (Refer to CIS control 10.5).

You can:

  • Use File History and other free tools in Windows 10 to create file backups.

  • Create a recovery drive to restore your system from an image backup.

  • Use a storage-sync-and-share service to put your backups in the cloud. These are easy to set up, especially popular ones such as OneDrive, Dropbox, or Google Drive.

More details on Windows File History and backup/restore settings are provided in the CIS document referenced below.

Confidentiality Management

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems can be used as stand-alone systems (disconnected from the network) by the business unit that needs to occasionally use them, or can be completely virtualized and powered off until needed (Refer to CIS control 13.2 in the CIS document referenced below).

Turn on disk encryption with BitLocker. More details on BitLocker settings are provided in the CIS document referenced below.

Audit Management

Ensure that local security logging has been configured on Windows hosts. For details on Audit Policy configuration, refer to the CIS Document referenced below.
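As an added example (not part of the Schneider Electric documentation), the following PowerShell script enables the core local security logging on a Windows 10 host with the built-in auditpol and wevtutil tools, records the full command line in process creation events, enlarges the Security log so events are not overwritten before review, and reads back the effective audit policy. The subcategory list and the 256 MB log size are assumptions; align them with the audit policy section of the CIS document.

```powershell
# Added example (not Schneider Electric code). Run from an elevated PowerShell prompt.
function Enable-CoreAuditPolicy {
    # Assumed subcategory selection: logons, account and policy changes,
    # process starts, removable storage and sensitive privilege use
    $subcategories = @(
        'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
        'User Account Management', 'Security Group Management',
        'Audit Policy Change', 'Authentication Policy Change',
        'Process Creation', 'Removable Storage', 'Sensitive Privilege Use'
    )
    foreach ($s in $subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    # Include the command line in event ID 4688 so a process start is attributable
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Set-SecurityLogRetention {
    param([int]$MaxSizeBytes = 256MB)    # assumed size; default is far smaller
    wevtutil set-log Security /maxsize:$MaxSizeBytes | Out-Null
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV; parse it so the policy can be filtered, compared or exported
    auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Enable-CoreAuditPolicy
Set-SecurityLogRetention
Get-EffectiveAuditPolicy | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } | Format-Table -AutoSize
```

Local logging only helps if someone reads it: the Security log on an isolated workstation should be collected to a central store (Windows Event Forwarding or your collector of choice) so that a compromise of the host cannot erase the record of how it happened.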

Windows 10 Cybersecurity Configuration Guides

To obtain a complete set of Windows 10 cybersecurity settings, it is highly recommended to use the Windows configuration guides referenced in this chapter: the CIS Benchmarks and the STIG (Windows 10 Security Technical Implementation Guide).

Both the CIS Benchmarks document and the STIG offer optional profiles. Your choice of profile depends on the criticality of the applications running on Windows.