Professional Documents
Culture Documents
1 Introduction……………………............................ 2
2 Conflicts with Mandatory Standards................... 2
3 References......................................................... 2
4 Definitions........................................................... 3
5 Account & passwords Policies............................ 5
6 Services and applications settings.................... 11
7 Rights and Permission Policies......................... 12
8 Hardening controls............................................ 14
9 Logs and Auditing............................................. 21
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the Windows 2008
Operating System configurations settings, which might require software /
hardware to ensure “secure configuration” as per SAEP-99 “Process Automation
Networks and Systems Security” procedure.
This implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using “Performing Security
Compliance Assessment Manual”
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” to provide “comprehensive” compliance to SAEP-99 or any other
Saudi Aramco Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.
Page 2 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
IP - Internet Protocol
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. When humans have
assets that are worth to be protected, the authentication always exists. The initial
step in protecting systems and information is authentication that identifies who.
Page 3 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Page 4 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
W2K8-AP-01
W2K8-AP-02
Windows 12.0.a
Domain Ref. W2K8-AP-03 BIT
Server 2008 12.0.c
W2K8-AP-05
W2K8-AP-06
Target Windows Server 2008 SAEP-99 5.1.6.1.a-f
Mapping
Set mininal password age
Set maximum password age
Set password complexity
Action
Set password length
Set password history
Storing password using Reverse encryption
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Dependencies
1. Press Windows button + R to bring up the run command window, type
secpol.msc and press ENTER
Instruction
Page 5 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Automated task no
W2K8-AP-09
Windows
Domain Ref. W2K8-AP-10 BIT #12.0.a
Server 2008
W2K8-AP-11
Target Windows Server 2008 Mapping SAEP-99 5.1.6.1.a-f
Dependencies
1. Press Windows button + R to bring up the run command window and
type secpol.msc and press ENTER
2. Click on “Security Settings” then “Account Policy” then “Account
Lockout Policy”. Configure the following:
3. Account lockout duration is set to 1440 minutes.
4. Account lockout threshold is set to 5 invalid logon attempts.
5. Reset account not applicable
Instruction
Automated task no
Page 6 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-AP-14 BIT
Server 2008
Target Windows Server 2008 Mapping SAEP-99
Dependencies
2. In the console tree, e8and Local Users and Groups, and then click Users.
Instruction
Page 7 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-AP-16 BIT 8.6
Server 2008
Target Mapping SAEP-99 5.1.6.1.l
1. Press Windows button + R to bring up the run command window and type
compmgmt.msc and press ENTER
2. In the console tree, e8and Services and Applications, and then click
Services.
3. In the right pane, double-click SNMP Service then select Properties
Page 8 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
6. Click on Security tab. If you already close SNMP Service Properties window, re-open
it.
7. Under “Accepted community names” section, click Add button.
8. Select the appropriate permission level for the community string in the “Community
Rights” drop down list to specify how the host processes SNMP requests from the
selected community.
• Set permissions to READ ONLY
Page 9 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Automated task no
Page 10 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows W2K8-SA-17
Domain Ref. BIT 8.5
Server 2008 W2K8-SA-18
5.3.c
Target Windows Server 2008 Mapping SAEP-99 5.4.2.m
5.1.6.1.o
Disable Simple Network Management
Action
Protocol (SNMP) Service and Trap Service
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Dependencies
1. Press Windows button + R to bring up the run command window and type
compmgmt.msc and press ENTER
2. From the Computer Management window, click “Services and Applications”
then click “Services”.
3. Locate “SNMP Service”. Double click and set value of startup type to
manual
Instruction
4. Locate “SNMP Trap” service. Double click and set value of startup type to
manual
Page 11 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-RP-54 BIT
Server 2008
Target Mapping SAEP-99
Allow only authorized administrator to access
Action
RDP service
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority
A I
Pre requisite Users should be pre-defined into group “Remote Desktop Users”
Instruction
Page 12 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
5. Press Windows button + R to bring up the run command window and type
secpol.msc and press ENTER
Automated task no
Page 13 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
8 Hardening controls
Windows
Domain Ref. W2K8-HC-66 BIT 22.2.b
Server 2008
Target OS Versions Mapping SAEP-99 5.3.c
Instruction
Automated task
Page 14 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows 22.2.b
Domain Ref. W2K8-HC-67 BIT
Server 2008
Target Windows Server 2008 Mapping SAEP-99 5.3.c
Instruction
Automated task
Page 15 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-HC-68 BIT 16.3
Server 2008
Target Windows Server 2008 Mapping SAEP-99 5.3
Disable user access to Anti-Virus
Action
Management Settings
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Dependencies
1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. Check “Prevent McAfee Services from being stopped” if not enabled
4. Click Apply and OK.
Instruction
Automated task
Page 16 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-HC-69 BIT
Server 2008
Target Mapping SAEP-99
Change default Terminal Server TCP port
Action
3389
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority
A I
Applied to only Windows Server 2008
Pre requisite Computer should be restarted to reflect the changes
Client Side should be modified to connect to the new TCP port
Dependencies
1. Press Windows button + R to bring up the run command window and type
Regedt32.exe and press ENTER
2. Go to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-Tcp
Instruction
3. Find the "PortNumber" subkey and notice the value of 00000D3D, hex for (3389).
Modify the port number in Hex and save the new value as
Page 17 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Automated task no
Page 18 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-HC-72 BIT 8.3
Server 2008
Target OS Versions Mapping SAEP-99 n/a
Dependencies
1. Press Windows button + R to bring up the run command window and type
sysdm.cpl and press ENTER
Instruction
Page 19 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Proposal
- Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
- Admin Area : 3 characters referring to whether it is an Oil or Gas plant
- Device role : 2 or 3 characters indicating the device role
o PLC, DCS..
o WRK stands for workstation
o SRV stands for server
o PRT stands for printer
o FW for Firewall , RT for Router and so on
- Incremental ID : 3 variables
Ex : ABQ-WKS-005 : means Workstation 5 in Abqaiq plant
Automated task
Page 20 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Windows
Domain Ref. W2K8-LA-12 BIT 18.0.a
Server 2008
Target Windows Server 2008 Mapping SAEP-99 5.5.1.d.iv
Set maximum log size for Application,
Action
security and system events
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
1. Press Windows button + R to bring up the run command window and type
gpedit.msc and press ENTER
Instruction
3. Select Application folder and set the recommended logs size values as follow:
Page 21 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
Specify the Application maximum log file size (KB) to 16384 kilobytes
4. Select Security folder and set the recommended logs size values as follow:
Specify the Security maximum log file size (KB) to 81920 kilobyte
5. Select System folder and set the recommended logs size values as follow:
Specify the System maximum log file size (KB) to 16384 kilobytes
Windows 18.0.a
Domain Ref. W2K8-LA-13 BIT
Server 2008
Target Windows Server 2008 Mapping SAEP-99 5.5.1.d.iv
Set Log Retention for Application, Security
Action
and System
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Instruction 2. Browse to the left panel, click on Windows Logs then Application, now right click
on Application and select Properties.
Page 22 of 23
Document Responsibility: Plants Networks Standards Committee SABP-Z-063
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Server 2008
During Monthly audit log reviews, move archived event logs stored at the log path
shown above to external storage to maintain a one year archive
• Repeat this procedure for the following event logs:
1. All PAS workstations and servers
1. System logs
2. Application logs
3. Security logs
2. Windows AD server or Domain Controllers:
1. Directory Services.
Revision Summary
7 May 2015 New Saudi Aramco Best Practice.
Page 23 of 23