I-ISMS Implementation
Industrial Information Security Management System (IISMS)
Revision 1 (94)
PRIVATE
NP Factory, Ltd.
[Company Address]
Factory Floor
704-491-5840
Nathan Pocock
Manager Pocock
https://our.intranet/path/to/document.docx
Executive Summary
Provides high-level guidance on configuring Windows desktop computers for greater security against attack by local and remote users.
Revision History
Contents
1 Instructions
2 Overview
1.1 Documentation
1.2 Backups
5 Windows Features
6 User settings
7 Desktop preferences
8 Shared resources
The Windows operating system is a gigantic framework of services, components, and applications. Collectively, these capabilities present a significant attack surface. The best way to defend against attacks is to reduce the attack surface and then harden the services that we do want to use.
Talk to your IT dept. to see if they have existing policies that you can implement or use as a baseline for your own policies. This could save an immense amount of time.
IMPORTANT: This guide covers only a portion of the Windows capabilities that should be more tightly controlled.
More thorough hardening instructions can be found in the United States Department of Defense Windows 7 Security Technical Implementation Guide (STIG) (Department of Defense, 2016).
1.1 Documentation
If you do not have a system for tracking computer configuration changes, you can use the 06 - Computer Vulnerability and Risk Analysis.dotx template, with some minor modifications, to record the changes made to the computer.
1.2 Backups
Conduct a complete system backup before making ANY changes to the computer system.
At the end of the re-configuration process, conduct a thorough system test and then perform another backup.
Once complete, ensure that automatic system backups are configured and verified as running.
While the operating system is the focus of this paper, it is extremely important to ensure the BIOS is configured to:
Lastly, conduct a visual inspection of the computer and then disconnect and remove any unnecessary devices/components that may be attached.
Anti-virus, or endpoint protection, is a form of defense against known malware and attack signatures. Some generalized recommendations include:
Most modern security suites consist of anti-virus, firewall, and host intrusion detection and prevention. Be sure to review the documentation and enable all of those features.
A firewall is required, whether it is the Windows Firewall (see 05b - Guide to Windows Firewall Hardening.docx) or a firewall provided by a security suite (see Install anti-virus / endpoint-protection, above).
First, upgrade the O/S to the latest service pack and patches. This is extremely important.
Second, disable Windows Update to prevent unplanned reboots which could affect production:
Third, disable Windows Anytime Upgrade to prevent the automatic installation of next-generation operating systems:
1. Click START > RUN and then enter “REGEDIT” and press ENTER
2. When the registry editor opens, expand the HKEY_LOCAL_MACHINE node
3. Navigate to \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU\; if the “WAU” folder does not exist then right-click and create a new KEY called “WAU”
4. Locate the setting called “Disabled”; if it does not exist then create a new DWORD called “Disabled” and set the value to “1”.
Ensure that all connected hard drives are formatted with NTFS, a secure file system that lets you specify which users/groups can access files/folders and provides auditing to show which users accessed files/folders:
1. Check the file system of each drive: open Windows Explorer, right-click a drive, choose Properties, and look for the NTFS file system.
Disable any unused modems, network adapters, USB ports, printers, scanners, or any other type of device that is not required:
5 Windows Features
1.8 Disable file and print sharing
1. Right-click the “network” icon in the taskbar (beside the system clock) and choose “Open Network and Sharing Center”
2. For each network adapter displayed, do the following:
   a. Right-click on the adapter and then choose “Properties”
   c. Click OK to save and close the window.
Remove unnecessary protocols and bindings from the network adapter by:
1. Right-click the “network” icon in the taskbar (beside the system clock) and choose “Open Network and Sharing Center”
2. For each network adapter displayed, do the following:
   a. Right-click on the adapter and then choose “Properties”
   b. Deselect each protocol and component that is not necessary, for example:
   c. Click OK to save and close the window.
1. Click the START menu and then right-click on the Computer and choose Properties
2. Click the “Advanced system settings” option
3. Click the “Remote” tab
4. Clear the settings on-screen to disable remote assistance and remote desktop.
5. Click OK to save and close the window.
1. Click the START menu and then right-click on the Computer and choose Properties
2. Click the “Advanced system settings” option
3. Click the “Advanced” tab
4. Click “Settings” beside the “Performance” section
5. Click the “Data Execution Prevention” tab and ensure the “Turn on DEP” option is selected.
6. Click OK to save and close the window.
Auditing records computer activity, which can be essential for forensic investigations after a breach has occurred.
1. Click START > Control Panel > Administrative Tools > Local Security Policy
2. Navigate to Local Policies > Audit Policy
Windows contains a large number of tasks that are executed on a schedule. Many tasks pre-configured by Windows are not necessary and should be disabled. There may be other tasks that should be disabled too.
1. Click START > Control Panel > Administrative Tools > Task Scheduler
2. The left-side navigation tree shows a folder structure. Expand each layer and for each folder, do the following:
   a. Select a folder on the left and the list of tasks will be visible on the right
   b. For each task, you can open its properties to review it if you wish
   c. Right-click on the task and either (a) delete it, or (b) disable it.
Warning: newer operating systems contain a SIGNIFICANT number of scheduled tasks for spying on user activities and reporting metrics and usage to Microsoft; these should be deleted.
1. Click START > Control Panel > Administrative Tools > Services
2. For each service that is listed as “running”, verify whether it should be; if not, then disable it.
3. For each service that is listed with startup as “automatic”, verify whether it is needed; if not, then open its properties and change it to startup “manual” or “disabled”.
4. For each service that you know is critically important, such as a SCADA service, open its properties and click the “Recovery” tab
5. Configure the settings as appropriate
6. Click OK to save and close the window.
1. Click START > Control Panel > Administrative Tools > Services
2. Review the list of services and for each service that is identified as not necessary (such as peer networking, remote registry, search, etc.) you should do the following:
   a. Right-click on the service and choose “Properties”
   b. Set the startup mode to “Disabled” (preferred) or “Manual”
   c. Click “OK” to save and close the window.
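A read-only inventory to support the two service reviews above, as an added example that is not part of the original guide: it lists every service that is running or set to start automatically and marks the ones the guide names as unnecessary. The short names in `$reviewFirst` are this example's assumed mapping of the guide's "peer networking, remote registry, search" to Windows service names; confirm them on your own system.

```powershell
# Added example (not from the original guide). Read-only: changes no service.
# Uses WMI so it also runs on the PowerShell 2.0 shipped with Windows 7.

# Assumed mapping of the guide's "peer networking, remote registry, search"
# to Windows service short names; adjust for your system.
$reviewFirst = @('RemoteRegistry', 'WSearch', 'p2psvc', 'p2pimsvc', 'PNRPsvc')

$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' }

$report = foreach ($svc in $services) {
    $note = ''
    if ($reviewFirst -contains $svc.Name) {
        $note = 'Named in guide as unnecessary'
    } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
        # Can be normal (trigger-start) or a service that failed to start;
        # either way it deserves a look during the review.
        $note = 'Automatic but not running'
    }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        Display   = $svc.DisplayName
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName   # account the service runs as
        Note      = $note
    }
}

# Full list to a CSV that can be attached to the change record,
# with the flagged services sorted to the top.
$report |
    Sort-Object -Property @{ Expression = { $_.Note -eq '' } }, Name |
    Select-Object Name, Display, State, StartMode, Account, Note |
    Export-Csv -Path .\service-review.csv -NoTypeInformation

# Flagged services on screen.
$report | Where-Object { $_.Note } |
    Format-Table Name, State, StartMode, Note -AutoSize
```

Run it from an elevated PowerShell prompt before and after the review; comparing the two CSV files shows exactly which services were changed.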
6 User settings
1.17 Enable UAC
User Account Control is a feature that can prevent applications from conducting administrative tasks, even when used by an administrator, by forcing the user to acknowledge the request with an administrative login. This feature can prevent unauthorized or accidental changes to the system.
Force users to acknowledge that the computer is for official work operations and authorized personnel only:
1. Click START > Control Panel > Administrative Tools > Local Security Policy
If the computer currently boots straight to the desktop without requiring a user to log in, then automatic login is enabled and must be disabled as follows:
1. Click START > Run, and then enter the command “REGEDIT” and press enter
2. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Double-click value “AutoAdminLogon” and set the value to “0”.
Do not share user accounts, as shared accounts hinder investigations when a breach requires forensic analysis of the system. Create a user account per worker:
While in the user accounts window, review the administrative user accounts and prune them where necessary.
Avoid using accounts with administrative privileges. Use administrative accounts exclusively for administrative tasks.
Renaming administrator accounts that have a default name of “admin” or “administrator” can significantly reduce an attacker's chance of brute-force guessing login credentials, as follows:
1. Click START > Control Panel > Administrative Tools > Computer Management
2. Navigate to and select System Tools > Local Users and Groups > Users
3. Highlight the administrator account and then right-click and choose “Rename”; provide the new name and hit Enter.
While in the advanced user accounts window, prune the database to remove user accounts that should not be there.
While in the advanced user accounts window, prune the database to disable all guest accounts:
1. Click START > Control Panel > Administrative Tools > Local Security Policy
2. Navigate to and select Local Policies > Security Options
3. Double-click setting “Network access: Restrict anonymous access to Named Pipes and Shares” and set the value to “Enabled”
4. Click OK to save and close the dialog.
The best defense for the file system is to utilize the default Windows security behavior:
3. The most important folders to protect are: Program Files, Program Files (x86), Users, and Windows. For each of these, conduct the following:
   a. Right-click the folder and choose PROPERTIES
   b. Click the “Security” tab
   c. Click the “Edit” button
   d. Make sure CREATOR OWNER, SYSTEM, and Administrators have “Full control”
   e. Make sure Users have Read & execute, List folder contents, and Read.
   f. Click OK to save and close the dialog
   g. Now click the “Advanced” button for advanced security settings
   h. Click “Change Permissions…” button; this will open a more complex window
   i. Check the box “Replace all child object permissions with inheritable permissions from this object”
   j. Click OK to save and close the window
   Note: the change may require several minutes to complete
4. Repeat for the other folders.
Are some applications off-limits for some users? If so then you can remove them:
To slow down any attempt at brute-force guessing a password, we will instruct Windows to temporarily deactivate an account after so many failed attempts, in accordance with I-ISMS policy (see 01 - IISMS-CompanyPolicy.docx):
1. Click START > Control Panel > Administrative Tools > Local Security Policy
2. Navigate to and click on Account Policies > Account Lockout Policy
3. The settings in this screen are self-explanatory and should be set in accordance with the I-ISMS policy.
In this section you should define password and account policies in accordance with the I-ISMS policy (see 01 - IISMS-CompanyPolicy.docx) as follows:
1. Click START > Control Panel > Administrative Tools > Local Security Policy
2. Navigate to and select Account Policies > Password Policy; the settings will appear to the right
3. The settings are self-explanatory; configure them as appropriate.
If we do not want users to share resources from this computer, conduct the following:
1. Click START > Control Panel > Network and Sharing Center
7 Desktop preferences
1.27 Password protected screensaver
Prevent any media from automatically executing when a CD, USB stick, etc. is inserted:
1. Click START > Run, and then enter “REGEDIT” and press enter.
2. Navigate to and click on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
3. Double-click on setting “NoDriveTypeAutoRun” and set the value to “FF” and click OK to save and close the dialog.
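A read-only check of the three registry values this guide sets by hand (Windows Anytime Upgrade “Disabled”, “AutoAdminLogon”, and “NoDriveTypeAutoRun”), as an added example that is not part of the original guide. The paths, value names and expected data are taken from the steps above; the example assumes “NoDriveTypeAutoRun” is stored as a DWORD, so the hexadecimal “FF” entered in REGEDIT reads back as 255.

```powershell
# Added example (not from the original guide). Read-only: changes no value.
# Paths, value names and expected data are the ones given in the guide.
$checks = @(
    @{ Setting   = 'Windows Anytime Upgrade disabled'
       Path      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU'
       Value     = 'Disabled'
       Expected  = '1'
       MissingOk = $false },
    @{ Setting   = 'Automatic logon disabled'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value     = 'AutoAdminLogon'
       Expected  = '0'
       MissingOk = $true },    # an absent value means auto-logon is not configured
    @{ Setting   = 'AutoRun disabled for all drive types'
       Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
       Value     = 'NoDriveTypeAutoRun'
       Expected  = '255'       # hexadecimal FF; assumes the value is a DWORD
       MissingOk = $false }
)

$results = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item) {
        # String (REG_SZ) and DWORD data both compare cleanly as text.
        $actual = [string]$item.($c.Value)
        $ok     = ($actual -eq $c.Expected)
    } else {
        # Key or value does not exist.
        $actual = '(not set)'
        $ok     = $c.MissingOk
    }
    New-Object PSObject -Property @{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $actual
        Pass     = $ok
    }
}

$results | Select-Object Setting, Expected, Actual, Pass | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass }).Count
"$failed of $($checks.Count) settings differ from the guide."
```

On 64-bit Windows, run it from the 64-bit PowerShell console so the values read are the same ones REGEDIT shows.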
It is essential that all computers maintain a synchronized clock, both for accurate time-keeping and in case forensic analysis is needed after a breach.
Ask your IT dept. if a Network Time Server is available on the network and obtain its IP address.
Note: the perimeter firewall may require a rule to be added to permit NTP to pass through:
8 Shared resources
1.30 Disable any unnecessary folders and/or printers
Remove any shared resources that should not be shared. Ideally, no resources will be shared:
1. Click START > Control Panel > Administrative Tools > Computer Management
2. Navigate to and select Shared Folders > Shares
3. For each shared resource right-click on the shared resource and choose “Stop Sharing”.
If shared resources are required, then restrict access to the appropriate users only:
1. Click START > Control Panel > Administrative Tools > Computer Management
2. Navigate to and select Shared Folders > Shares
3. For each shared resource right-click on the shared resource and choose “Properties”
4. Click the “Share Permissions” tab and then modify the users/groups that have access to the resource
5. Click OK to save and close the window.
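To review the result of both procedures above in one pass, the following added example (not part of the original guide) lists every user-created share with its share permissions and marks entries that grant access to a broad group. The list of broad groups in `$broad` is this example's assumption and uses English group names.

```powershell
# Added example (not from the original guide). Read-only: changes no share.
# Uses WMI so it also runs on the PowerShell 2.0 shipped with Windows 7.

# Win32_Share.Type values of 0x80000000 and above are the administrative
# shares Windows creates itself (C$, ADMIN$, IPC$); they are skipped here.
$adminShareBit = 2147483648
# Broad groups whose presence on a share should be justified (assumed list).
$broad = @('Everyone', 'Authenticated Users', 'Users', 'ANONYMOUS LOGON')

function Get-ShareRight([uint32]$Mask) {
    switch ($Mask) {            # the three standard share-permission masks
        2032127 { 'Full Control' }
        1245631 { 'Change' }
        1179817 { 'Read' }
        default { 'Special (0x{0:X})' -f $Mask }
    }
}

function New-Row($Share, $Trustee, $Type, $Right, $Review) {
    New-Object PSObject -Property @{ Share = $Share.Name; Path = $Share.Path
        Trustee = $Trustee; Type = $Type; Right = $Right; Review = $Review }
}

$shares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -lt $adminShareBit }

$report = foreach ($share in $shares) {
    $name = $share.Name -replace "'", "\'"      # escape quotes for WQL
    $sec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$name'"
    $dacl = if ($sec) { $sec.GetSecurityDescriptor().Descriptor.DACL }
    if (-not $dacl) {
        # No readable ACL: treat as unrestricted until checked by hand.
        New-Row $share '(no ACL found)' '-' '-' $true
        continue
    }
    foreach ($ace in $dacl) {
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }
        $flag = ($type -eq 'Allow') -and ($broad -contains $ace.Trustee.Name)
        New-Row $share $ace.Trustee.Name $type (Get-ShareRight $ace.AccessMask) $flag
    }
}

$report | Sort-Object Share, Trustee |
    Format-Table Share, Path, Trustee, Type, Right, Review -AutoSize
```

An empty table means no user-created shares remain, which is the guide's ideal state; share permissions shown here apply in addition to the NTFS permissions on the shared folder.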
Permanent: a complete backup of the computer system that is then stored in a safe location. This type of backup is conducted annually or semi-annually in accordance with the I-ISMS policy (see 01 - IISMS-CompanyPolicy.docx)
Ongoing: automated backups that are scheduled to run frequently (weekly?) in accordance with the I-ISMS backup policy.
Attached backup drives should be physically secured to prevent any form of physical contact.
The use of the built-in Windows backup is effective when configured as follows:
With the backup configured, conduct the initial backup by clicking the “Back up now” button.
1. Click the START menu and then right-click on the Computer and choose Properties
2. Click the “Advanced system settings” option
3. Click the “System Protection” tab
4. Ensure that the Local Disk (C:) is protected. If it is not, then select it and then press the “Configure” button
5. Click “Turn on system protection”
6. Click OK to save and close the dialog; and again.
OPC Classic applications use the COM/DCOM framework for Client/Server connectivity. It can be difficult to configure this framework so that these applications connect and share data with one another successfully. Typically, software vendors provide DCOM instruction guides that remove all of the security safeguards that protect a system from attack. While this shotgun approach will enable applications to work with each other, the engineers will typically stop right there instead of going back and gradually increasing the security back to a safe state.
There are MANY DCOM tutorials online which you can use with the DCOMCNFG.EXE application. However, consider following a tutorial that can help you to achieve the following results:
1. Create a dedicated user account for a specific OPC application; that user has limited access rights to the file system (e.g., the application’s binaries and any directory where configurations are saved)
With this system in place, regardless of which user actually logs into the computer system, the dedicated user account will limit the capabilities of the application. If any vulnerabilities exist within the application, then the potential impacts on the system are severely restricted, particularly if there are remote control capabilities etc.