1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 2
4 Definitions 3
5 Account & passwords Policies 5
6 Services and applications settings 10
7 Rights and Permission Policies 11
9 Hardening controls 14
10 Logs and Auditing 23
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the Windows Server 2012
Operating System configuration settings, which might require software /
hardware to ensure a “secure configuration” as per SAEP-99, the “Process Automation
Networks and Systems Security” procedure.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied to this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References
Saudi Aramco Engineering Procedures
Page 2 of 25
Document Responsibility: Plants Networks Standards Committee SABP-Z-084
Issue Date: 20 April 2016 Operating Systems Hardening
Next Planned Update: 3 May 2020 Guide – Windows Server 2012
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is needed. The initial step in protecting
systems and information is authentication, which establishes who is requesting access.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, monitoring (such as VMS and PMS) and diagnostic systems, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
5 Account & passwords Policies

Domain: Windows
Ref.: W12-AP-01, W12-AP-02, W12-AP-03, W12-AP-05, W12-AP-06
BIT: 12.0.a, 12.0.c
Target: Windows Server 2012
Mapping: SAEP-99 5.1.6.1.a-f
Action:
- Set minimal password age
- Set maximum password age
- Set password complexity
- Set password length
- Set password history
- Storing passwords using reversible encryption
State: Final
Version: 1.0
Created on: 02/02/16
RACI Matrix: R, A, C, I
Priority: HIGH
Pre-requisite:
Dependencies:
Domain: Windows
Ref.: W12-AP-09, W12-AP-10, W12-AP-11
BIT: 12.0.a
Target: Windows Server 2012
Mapping: SAEP-99 5.1.6.1.a-f
Dependencies:
Instruction:
1. Press Windows button + R to bring up the Run command window, type secpol.msc and press ENTER.
2. Click on “Security Settings”, then “Account Policies”, then “Account Lockout Policy”. Configure the following:
3. Account lockout duration is set to 1440 minutes (24 hours).
4. Account lockout threshold is set to 5 invalid logon attempts.
5. Reset account lockout counter after: not applicable.
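The account and lockout policies above are set through secpol.msc; the following PowerShell script is an added example (not part of SABP-Z-084) that checks the resulting local security policy on a Windows Server 2012 host by exporting it with secedit.exe and comparing the [System Access] section against the expected values. The lockout duration and threshold are the values given in this section; the password-policy numbers (minimum and maximum age, length, history) are placeholders, since the document names those settings without giving values here, and must be replaced with the site's own figures.

```powershell
# Added example, not part of SABP-Z-084. Run from an elevated PowerShell prompt
# on Windows Server 2012 (PowerShell 3.0 or later).

$expected = [ordered]@{
    LockoutDuration       = 1440   # minutes, from this section (24 hours)
    LockoutBadCount       = 5      # invalid logon attempts, from this section
    MinimumPasswordAge    = 1      # days   - ASSUMED value, not given on the page
    MaximumPasswordAge    = 90     # days   - ASSUMED value, not given on the page
    MinimumPasswordLength = 12     # chars  - ASSUMED value, not given on the page
    PasswordHistorySize   = 24     # passwords remembered - ASSUMED value
    PasswordComplexity    = 1      # 1 = complexity requirements enabled
    ClearTextPassword     = 0      # 0 = do not store passwords using reversible encryption
}

function Get-LocalSecurityPolicy {
    # secedit writes an INI-style file; only the [System Access] section is parsed here.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $cfg)) { throw "secedit export failed (is the prompt elevated?)" }
    try {
        $section = $null
        $policy  = @{}
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([System.Collections.IDictionary]$Expected = $expected)
    $actual = Get-LocalSecurityPolicy
    foreach ($name in $Expected.Keys) {
        $have = $actual[$name]
        # A missing key (e.g. LockoutDuration when the threshold is 0) is reported as non-compliant.
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $have
            Compliant = ($null -ne $have -and [int]$have -eq [int]$Expected[$name])
        }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
```

The script reads the effective local policy rather than the GUI state, so it also reveals a domain GPO overriding what was set in secpol.msc; when the Account lockout threshold is 0, Windows omits LockoutDuration from the export, which the check reports as non-compliant.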
Dependencies:
Instruction:
2. In the console tree, locate Local Users and Groups, and then click Users.
3. In the right pane, right-click Administrator, then select Rename.
4. Enter the new value:
• NEW ADMIN NAME (toor_123 for example)
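Renaming through the GUI leaves no easy way to confirm the change across many hosts, because the account keeps its well-known relative identifier (RID 500) whatever its name. The following PowerShell is an added example (not from SABP-Z-084) that locates the built-in Administrator by RID instead of by name, reports whether it has been renamed, and can perform the rename. It uses WMI (Win32_UserAccount) because the Rename-LocalUser cmdlet is not available on Windows Server 2012; the function names are this example's own.

```powershell
# Added example, not part of SABP-Z-084. Requires an elevated prompt for the rename.

function Get-BuiltinAdministrator {
    # LocalAccount=True restricts the query to this host; the SID ending in -500 is the built-in admin.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like '*-500' }
}

function Test-AdministratorRenamed {
    $admin = Get-BuiltinAdministrator
    [pscustomobject]@{
        CurrentName = $admin.Name
        SID         = $admin.SID
        Renamed     = ($admin.Name -ne 'Administrator')
    }
}

function Rename-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$NewName)
    $admin = Get-BuiltinAdministrator
    if ($admin.Name -eq $NewName) { return "built-in administrator is already named $NewName" }
    # Win32_UserAccount.Rename returns 0 on success; any other code is a Win32 error number.
    $rc = $admin.Rename($NewName).ReturnValue
    if ($rc -ne 0) { throw "Rename failed with return code $rc" }
    return "renamed $($admin.Name) to $NewName"
}

Test-AdministratorRenamed
# Rename-BuiltinAdministrator -NewName 'toor_123'   # placeholder name from this section
```

Because the RID does not change, auditing and monitoring should key on the SID suffix rather than the display name; the Renamed flag returned by Test-AdministratorRenamed is what a monthly compliance sweep would collect from each PAS host.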
Instruction:
1. Press Windows button + R to bring up the Run command window, type compmgmt.msc and press ENTER.
2. In the console tree, locate Services and Applications, and then click Services.
3. In the right pane, double-click SNMP Service, then select Properties.
4. Click the Security tab.
5. In the “Community name” text box, edit the public community and change it to a new community name that respects at least:
6. Click on the Security tab. If you have already closed the SNMP Service Properties window, re-open it.
7. Under the “Accepted community names” section, click the Add button.
8. Select the appropriate permission level for the community string in the “Community Rights” drop-down list to specify how the host processes SNMP requests from the selected community.
• Set permissions to READ ONLY
6 Services and applications settings

Domain: Windows
Ref.: W12-SA-17, W12-SA-18
BIT: 8.5
Target: Windows Server 2012
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable Simple Network Management Protocol (SNMP) Service and Trap Service
State: Final
Version: 1.0
Created on: 02/02/16
RACI Matrix: R, A, C, I
Priority: HIGH
Pre-requisite:
Dependencies:
Instruction:
1. Press Windows button + R to bring up the Run command window, type compmgmt.msc and press ENTER.
2. From the Computer Management window, click “Services and Applications”, then click “Services”.
3. Locate “SNMP Service”. Double-click it and set the value of the startup type to Manual.
4. Locate “SNMP Trap”. Double-click it and set the value of the startup type to Manual.
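The community-string steps and the service startup steps above both end in state that is easy to verify from the registry and the service control manager. The following PowerShell is an added example (not from SABP-Z-084) that audits both on a Windows Server 2012 host: it lists the community strings the Windows SNMP service keeps under its Parameters\ValidCommunities key, flags the default "public" community and any community granted more than READ ONLY, reports the startup type of the SNMP and SNMP Trap services, and offers a function to set both to Manual as the section requires. The registry path and rights codes are those used by the Windows SNMP service; the function names are this example's own.

```powershell
# Added example, not part of SABP-Z-084. Read-only audit functions work as a standard
# user; Set-SnmpServicesManual needs an elevated prompt.

$validCommunities = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'

# Community rights as stored by the Windows SNMP service (REG_DWORD data of each value).
$rightsName = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Get-SnmpCommunity {
    if (-not (Test-Path $validCommunities)) { return @() }
    $key = Get-Item -Path $validCommunities
    foreach ($name in $key.GetValueNames()) {
        $rights = [int]$key.GetValue($name)
        [pscustomobject]@{
            Community = $name
            Rights    = $rightsName[$rights]
            IsDefault = ($name -eq 'public')   # the default string the section tells you to change
            ReadOnly  = ($rights -le 4)        # NONE, NOTIFY or READ ONLY
        }
    }
}

function Get-SnmpServiceState {
    foreach ($svc in 'SNMP', 'SNMPTRAP') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { continue }   # SNMP feature not installed on this host
        # StartMode comes from WMI; Get-Service on PowerShell 3.0 has no StartType property.
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$svc'").StartMode
        [pscustomobject]@{ Service = $svc; Status = $s.Status; StartMode = $mode }
    }
}

function Test-SnmpHardening {
    $issues = @()
    foreach ($c in Get-SnmpCommunity) {
        if ($c.IsDefault)     { $issues += "default community '$($c.Community)' is still configured" }
        if (-not $c.ReadOnly) { $issues += "community '$($c.Community)' has $($c.Rights) rights, expected READ ONLY" }
    }
    foreach ($s in Get-SnmpServiceState) {
        if ($s.StartMode -eq 'Auto') { $issues += "$($s.Service) starts automatically, expected Manual" }
    }
    return $issues
}

function Set-SnmpServicesManual {
    foreach ($svc in 'SNMP', 'SNMPTRAP') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Set-Service -Name $svc -StartupType Manual
        }
    }
}

Get-SnmpCommunity    | Format-Table -AutoSize
Get-SnmpServiceState | Format-Table -AutoSize
Test-SnmpHardening
```

Test-SnmpHardening returns an empty list on a host that matches the section; anything it returns is a finding for the PAN administrator. Note that a community string with READ ONLY rights still reveals interface, routing and software inventory data to anyone who knows it, so on hosts where SNMP is not needed the Manual startup type (or removing the feature) is the stronger control.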
Instruction:
1. Log onto your Windows Server 2012, click on Server Manager, then click on Local Server; under the Properties screen you will see Remote Desktop currently Disabled.
2. Click on Disabled. The System Properties screen will appear. Select ‘Allow remote connections to this computer’ and leave the Recommended check-box checked.
9 Hardening controls

Domain: Windows
Ref.: W12-HC-66
BIT: 22.2.b
Target: Windows Server 2012
Mapping: SAEP-99 5.3.c
Instruction:
1. Log onto your Windows Server 2012, click on Server Manager, then click on Local Server and look under the Properties screen.
2. Click on Remote Desktop; the System Properties screen will appear.
Dependencies:
Instruction:
1. Log onto your Windows Server 2012, click on Server Manager, then click on Local Server and look under the Properties screen.
2. If you see Remote Desktop currently Disabled, quit the configuration.
3. If RDP is not disabled, click to open System Properties and check ‘Don’t allow remote connections to this computer’.
Dependencies:
Instruction:
1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. Check “Prevent McAfee Services from being stopped” if not enabled.
4. Click Apply and OK.
Instruction:
2. Go to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. Find the "PortNumber" value and notice its data of 00000D3D, hex for 3389. Modify the port number in hex and save the new value as
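The three Remote Desktop controls above (enable with the Recommended option, disable where not required, and change the listening port) all come down to a few registry values under the Terminal Server key. The following PowerShell is an added example (not from SABP-Z-084) that reads those values on a Windows Server 2012 host and compares them with the profile the host is supposed to have; the "Recommended" check-box in the System Properties dialog corresponds to the UserAuthentication value (Network Level Authentication), and fDenyTSConnections is the switch behind "Allow" / "Don't allow remote connections". The -RdpRequired parameter and the function names are this example's own.

```powershell
# Added example, not part of SABP-Z-084. Read-only; works without elevation.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"    # key named in the port-change step above

function Get-RdpState {
    $ts   = Get-ItemProperty -Path $tsKey
    $tcp  = Get-ItemProperty -Path $rdpTcp
    $port = [int]$tcp.PortNumber           # 0x00000D3D = 3389 unless it has been changed
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    # An enabled inbound allow rule for the configured port; the built-in Remote Desktop
    # rule only covers 3389, so a changed port needs its own rule.
    $rule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$port" }
    [pscustomobject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($tcp.UserAuthentication -eq 1)
        ConfiguredPort       = $port
        ListenerActive       = [bool]$listening
        FirewallRuleForPort  = [bool]$rule
    }
}

function Test-RdpPolicy {
    # $RdpRequired = $true for hosts that must be reachable over RDP, $false for all others.
    param([Parameter(Mandatory)][bool]$RdpRequired)
    $state  = Get-RdpState
    $issues = @()
    if ($RdpRequired) {
        if (-not $state.RemoteDesktopEnabled) { $issues += 'Remote Desktop is disabled on a host that requires it' }
        if (-not $state.NlaRequired)          { $issues += 'Network Level Authentication (Recommended option) is not enforced' }
        if (-not $state.ListenerActive)       { $issues += "nothing is listening on the configured port $($state.ConfiguredPort) (service restart needed after a port change)" }
        if (-not $state.FirewallRuleForPort)  { $issues += "no enabled inbound firewall rule allows TCP $($state.ConfiguredPort)" }
    } else {
        if ($state.RemoteDesktopEnabled) { $issues += 'Remote Desktop is enabled on a host that should have it disabled' }
        if ($state.ListenerActive)       { $issues += "RDP listener is still active on TCP $($state.ConfiguredPort)" }
    }
    return $issues
}

Get-RdpState
Test-RdpPolicy -RdpRequired $false
```

Two points the GUI steps do not make explicit: after PortNumber is changed the Remote Desktop Services service must be restarted before the new port is used, and the built-in "Remote Desktop" firewall rule keeps allowing only 3389, so the new port needs its own inbound rule (the FirewallRuleForPort check catches the common case where the port was changed but the rule was forgotten). Moving the port does not reduce what an attacker on the PAN can reach; the disable control (W12-HC) and NLA are the settings that actually limit exposure.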
Dependencies:
Proposal:
- Geo location: 3 characters referring to the City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  - PLC, DCS ...
  - WRK stands for workstation
  - SRV stands for server
  - PRT stands for printer
  - FW for Firewall, RT for Router and so on
- Incremental ID: 3 variables
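A naming convention is only useful for inventory matching and log correlation if it is enforced, so the following PowerShell is an added example (not from SABP-Z-084) that validates host names against the proposal above. The proposal gives field lengths but no separator, so this assumes the four fields are joined with hyphens (GEO-AREA-ROLE-NNN); the admin-area codes OIL and GAS are assumed, the geo codes and role codes are the ones listed in the proposal and would be replaced by the site's full lists. It also checks the 15-character NetBIOS name limit, which a 3-character role code reaches exactly.

```powershell
# Added example, not part of SABP-Z-084. Separator and code lists are assumptions.

$geoCodes   = 'URT', 'ABQ', 'DHR'                        # examples given in the proposal
$adminAreas = 'OIL', 'GAS'                               # ASSUMED 3-character codes for oil / gas plants
$roles      = 'PLC', 'DCS', 'WRK', 'SRV', 'PRT', 'FW', 'RT'   # roles listed in the proposal

function Test-PanHostName {
    param([Parameter(Mandatory)][string]$Name)
    $pattern  = '^(?<geo>[A-Z]{3})-(?<area>[A-Z]{3})-(?<role>[A-Z]{2,3})-(?<id>\d{3})$'
    $m        = [regex]::Match($Name, $pattern)
    $problems = @()
    if ($Name.Length -gt 15) { $problems += 'longer than the 15-character NetBIOS limit' }
    if (-not $m.Success) {
        $problems += 'does not match GEO-AREA-ROLE-NNN'
    } else {
        $geo = $m.Groups['geo'].Value; $area = $m.Groups['area'].Value; $role = $m.Groups['role'].Value
        if ($geoCodes   -notcontains $geo)  { $problems += "unknown geo location code '$geo'" }
        if ($adminAreas -notcontains $area) { $problems += "unknown admin area code '$area'" }
        if ($roles      -notcontains $role) { $problems += "unknown device role code '$role'" }
    }
    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample names (not taken from the document) to show the checks.
'URT-OIL-SRV-001', 'ABQ-GAS-PLC-017', 'server01', 'DHR-OIL-XYZ-002', 'URT-OIL-WRK-0001' |
    ForEach-Object { Test-PanHostName -Name $_ } | Format-Table -AutoSize

# Check this host: Test-PanHostName -Name $env:COMPUTERNAME
```

Run over the output of Get-ADComputer or an asset export, the Problems column gives the PAN administrator a list of hosts to rename; the same regular expression can be reused in the log-review procedure of section 10 to tag events whose computer name does not belong to the PAS inventory.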
10 Logs and Auditing

Dependencies:
Instruction:
1. Start Event Viewer (Control Panel / System and Maintenance / Administrative Tools).
2. On the Action menu, click Properties and, in Maximum log size (KB), use the spinner control to set the value below, then click OK:
   - Specify the Application maximum log file size (KB) as 16384 kilobytes
   - Specify the Security maximum log file size (KB) as 81920 kilobytes
   - Specify the System maximum log file size (KB) as 16384 kilobytes
Instruction:
2. On the Action menu, click Properties and, in Maximum log size (KB), use the spinner control to set the value you want, then click OK.
3. In the Enable Logging section of the General tab, select the option that corresponds to the retention policy you want to set: Do not overwrite events.
During monthly audit log reviews, move archived event logs stored at the log path shown above to external storage to maintain a one-year archive.
• Repeat this procedure for the following event logs:
  1. All PAS workstations and servers:
     1. System logs
     2. Application logs
     3. Security logs
  2. Windows AD servers or Domain Controllers:
     1. Directory Services
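The log size and retention steps above, repeated per log and per host through Event Viewer, map directly onto the Limit-EventLog cmdlet that ships with Windows Server 2012 (PowerShell 3.0). The following PowerShell is an added example (not from SABP-Z-084) that applies the sizes given in this section with the "Do not overwrite events" retention, verifies the result, and exports a log to a dated .evtx file for the monthly archive step. The Directory Service log is configured only on domain controllers; the document gives it no size, so the 16384 KB used for it is an assumption, as is the archive path D:\EventLogArchive. The function names are this example's own.

```powershell
# Added example, not part of SABP-Z-084. Run from an elevated prompt (the Security log
# cannot be modified otherwise).

$logSizesKB  = @{ 'Application' = 16384; 'System' = 16384; 'Security' = 81920 }   # from this section
$dcLogSizeKB = 16384   # ASSUMED: the section names the Directory Service log but gives no size

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
}

function Get-PanEventLogTargets {
    $targets = @{} + $logSizesKB
    if (Test-IsDomainController) { $targets['Directory Service'] = $dcLogSizeKB }   # Windows log name
    return $targets
}

function Set-PanEventLogPolicy {
    $targets = Get-PanEventLogTargets
    foreach ($name in $targets.Keys) {
        # -MaximumSize is in bytes and must be a multiple of 64 KB; 16384 KB and 81920 KB both are.
        Limit-EventLog -LogName $name -MaximumSize ($targets[$name] * 1KB) -OverflowAction DoNotOverwrite
    }
}

function Test-PanEventLogPolicy {
    $targets = Get-PanEventLogTargets
    $logs    = Get-EventLog -List
    foreach ($name in $targets.Keys) {
        $log = $logs | Where-Object { $_.Log -eq $name }
        [pscustomobject]@{
            Log            = $name
            MaxKB          = $log.MaximumKilobytes
            ExpectedKB     = $targets[$name]
            OverflowAction = "$($log.OverflowAction)"
            Compliant      = ($log.MaximumKilobytes -eq $targets[$name] -and
                              "$($log.OverflowAction)" -eq 'DoNotOverwrite')
        }
    }
}

function Export-PanEventLog {
    # Writes <host>-<log>-<date>.evtx with wevtutil for the monthly move to external storage.
    param([Parameter(Mandatory)][string]$LogName,
          [string]$ArchiveRoot = 'D:\EventLogArchive')   # ASSUMED archive location
    if (-not (Test-Path $ArchiveRoot)) { New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null }
    $file = Join-Path $ArchiveRoot ("{0}-{1}-{2:yyyyMMdd}.evtx" -f $env:COMPUTERNAME, ($LogName -replace ' ', ''), (Get-Date))
    & wevtutil.exe epl $LogName $file
    return $file
}

Set-PanEventLogPolicy
Test-PanEventLogPolicy | Format-Table -AutoSize
# Export-PanEventLog -LogName 'Security'
```

One consequence of "Do not overwrite events" that the procedure relies on the monthly review to handle: once a log reaches its maximum size Windows stops recording new events until the log is cleared, so the export should be followed by a clear (for example `wevtutil cl Security /bu:<backup file>`) and the Compliant column should be checked together with the current size of each log, not just its maximum.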