User’s Manual
STARDOM IT Security
IM 34P02Q93-01E
10th Edition
Introduction
This manual is a guide for implementing security in the STARDOM system from the viewpoint of
Information Technology (IT).
It explains security models and setting details of FCN/FCJ. Please read this manual to learn
about the details of security settings.
The intended readers of this manual are engineers who examine construction and operation of
the STARDOM system.
Media No. IM 34P02Q93-01E (DVD)
3rd Edition : Mar. 2014 (YK)
All Rights Reserved Copyright © 2012, Yokogawa Electric Corporation
IM 34P02Q93-01E
3rd Edition : Mar. 24, 2014-00
Safety Precautions
■ Safety, Protection, and Modification of the Product
• In order to protect the system controlled by the product as well as the product itself and ensure safe operation, observe the safety precautions described in this user’s manual. We assume no liability for safety if users fail to observe these precautions when operating the product.
• If this product is used in a manner not specified in this user’s manual, the protection provided by this product may be impaired.
• If any protection or safety circuit is required for the system controlled by the product or for the product itself, prepare it separately and install it outside the product.
• When replacing parts or consumables, be sure to use the ones approved by Yokogawa Electric Corporation (hereafter simply referred to as YOKOGAWA).
• Modification of the product is strictly prohibited.
• Do not use the product for any application not approved by YOKOGAWA.
• Do not use the accessories (power supply cord set, etc.) that came with the product for any other products.
■ Notes on Handling User’s Manuals
• Please hand over the user’s manuals to your end users so that they can keep the user’s manuals on hand for convenient reference.
• Please read the information thoroughly before using the product.
• The purpose of these user’s manuals is not to warrant that the product is well suited to any particular purpose but rather to describe the functional details of the product.
• YOKOGAWA reserves the right to make improvements in the user’s manuals and product at any time, without notice or obligation.
• If you have any questions, or you find mistakes or omissions in the user’s manuals, please contact our sales representative or your local distributor.
■ Warning and Disclaimer
The product is provided on an “as is” basis. YOKOGAWA shall have neither liability nor
responsibility to any person or entity with respect to any direct or indirect loss or damage arising
from using the product or any defect of the product that YOKOGAWA cannot predict in advance.
■ Notes on Software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the software’s merchantability or suitability for any particular purpose, except as specified in the terms of warranty.
• This product may be used on one machine only. If you need to use the product on another machine, you must purchase another product.
• It is strictly prohibited to reproduce the product except for the purpose of backup.
• Store the DVD-ROM (the original medium) in a safe place.
• It is strictly prohibited to perform any reverse-engineering operation, such as reverse compilation or reverse assembling, on the product.
• No part of the product may be transferred, converted or sublet for use by any third party without prior written consent from YOKOGAWA.
Documentation Conventions
■ Typographical Conventions
The following typographical conventions are used throughout the user’s manuals:
● Commonly used conventions throughout user’s manuals:
Character string to be entered:
The characters that must be entered are shown in monospace font as follows:
Example:
FIC100.SV=50.0
● Conventions used to show key or button operations:
Characters enclosed by brackets ([ ]):
Characters enclosed by brackets within any description on a key or button operation, indicate
either a key on the HIS (Human Interface Station) keyboard, a key on the operation keyboard, a
button name on a window, or an item displayed on a window.
Example:
To alter the function, press the [ESC] key.
● Conventions used in command syntax or program statements:
The following conventions are used within a command syntax or program statement format:
Characters enclosed by angle brackets (< >):
Indicate character strings that the user can specify freely according to certain guidelines.
Example:
#define <Identifier><Character string>
“...” Mark
Indicates that the previous command or argument may be repeated.
Example:
Imax (arg1, arg2, ...)
Characters enclosed by brackets ([ ]):
Indicate those character strings that can be omitted.
Example:
sysalarm format_string [output_value ...]
■ Symbol Marks
Throughout this user’s manual, you will find several different types of symbols are used to identify
different sections of text. This section describes these icons.
WARNING
Identifies instructions that must be observed in order to avoid physical injury and electric
shock or death of the operator.
CAUTION
Identifies instructions that must be observed in order to prevent the software or hardware
from being damaged or the system from becoming faulty.
IMPORTANT
Identifies important information required to understand operations or functions.
TIP
Identifies additional information.
SEE ALSO
Identifies a source to be referred to.
Clicking a reference displayed in green can call up its source, while clicking a reference
displayed in black cannot.
■ Drawing Conventions
Some drawings may be partially emphasized, simplified, or omitted, for the convenience of
description.
Some screen images depicted in the user’s manual may have different display positions or
character types (e.g., the upper / lower case). Also note that some of the images contained in this
user’s manual are display examples.
Copyright and Trademark Notices
■ All Rights Reserved
The copyright of the programs and online manuals contained in the DVD-ROM or CD-ROM shall
remain in Yokogawa.
You are allowed to print out the required pages of the online manuals for using the product,
however, you are not allowed to print out the entire document. You can purchase the printed
manual from Yokogawa.
Except as stated above, no part of the online manual may be reproduced, either in electronic
or written form, registered, recorded, transferred, sold or distributed (in any manner including
without limitation, in the forms of paper documents, electronic media, films or transmission via the
network).
■ Trademark Acknowledgments
• STARDOM is a trademark of YOKOGAWA Electric Corporation.
• CENTUM, Vnet/IP and PRM are registered trademarks of YOKOGAWA Electric Corporation.
• Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.
• Ethernet is a registered trademark of XEROX Corporation.
• Java is a registered trademark of Oracle Corporation and/or its affiliates.
• HART is a registered trademark of the HART Communication Foundation.
• All other company and product names mentioned in this user’s manual are trademarks or registered trademarks of their respective companies.
• We do not use the TM or ® mark to indicate those trademarks or registered trademarks in this user’s manual.
• We do not use logos and logo marks in this user's manual.
CONTENTS
Introduction ..... i
Safety Precautions ..... ii
Documentation Conventions ..... iv
Copyright and Trademark Notices ..... vii
1. Overview ..... 1-1
  1.1 Security Threats to be Handled ..... 1-2
  1.2 Security Measures ..... 1-3
  1.3 Operating Environment ..... 1-8
2. Security Models and User Management ..... 2-1
  2.1 Security Models ..... 2-2
  2.2 User/Group Management ..... 2-8
  2.3 Access Control ..... 2-10
3. Details of Security Measures ..... 3-1
  3.1 Access Control ..... 3-1
  3.2 Personal Firewall Tuning ..... 3-3
  3.3 Disabling NetBIOS over TCP/IP ..... 3-5
  3.4 Optimizing Windows Update Delivery ..... 3-6
  3.5 Group Policy Settings in IT Security Version 2.0 ..... 3-7
    3.5.1 Security Options ..... 3-8
    3.5.2 Applying the Software Restriction Policies ..... 3-10
    3.5.3 Advanced Audit Policy Configuration ..... 3-11
    3.5.4 Administrative Template ..... 3-13
    3.5.5 Applying the StorageDevicePolicies Function ..... 3-23
    3.5.6 Disabling USB Storage Devices ..... 3-24
    3.5.7 User Configuration - Administrative Template ..... 3-26
    3.5.8 Disabling Windows Defender ..... 3-27
    3.5.9 Disabling Shared experiences ..... 3-28
    3.5.10 Enabling SMB Signing ..... 3-29
    3.5.11 Prevent illegal dll from loading ..... 3-30
  3.6 Group Policy Settings in IT Security Version 1.0 ..... 3-31
    3.6.1 Hiding the Last Logon User Name ..... 3-32
    3.6.2 Applying the Software Restriction Policies ..... 3-33
    3.6.3 Applying AutoRun Restrictions ..... 3-34
    3.6.4 Applying the StorageDevicePolicies Function ..... 3-35
    3.6.5 Disabling USB Storage Devices ..... 3-36
    3.6.6 Changing the LAN Manager Authentication Level ..... 3-38
    3.6.7 Disabling Shared experiences ..... 3-39
    3.6.8 Enabling SMB Signing ..... 3-40
    3.6.9 Prevent illegal dll from loading ..... 3-41
4. Selection of Security Functions ..... 4-1
  4.1 VDS Environment Configurations ..... 4-2
  4.2 Domain Environment ..... 4-4
  4.3 Offline Engineering Environment ..... 4-5
5. IT Security Configuration Procedures ..... 5-1
  5.1 Configuration Procedure (if only engineering tools are used) ..... 5-2
    5.1.1 Deciding on System Configuration and Security Model ..... 5-3
    5.1.2 Configuring Environment before Installation (Configuring Windows environment) ..... 5-4
    5.1.3 Installation ..... 5-5
    5.1.4 IT Security Configuration (for Legacy Model or Standard Model) ..... 5-7
    5.1.5 Configuring User Accounts (for Standard Model only) ..... 5-10
  5.2 Configuration Procedure (if OPC Server is used) ..... 5-11
    5.2.1 Deciding on System Configuration and Security Model ..... 5-12
    5.2.2 Configuring Environment before Installation (Configuring Windows environment) ..... 5-13
    5.2.3 Installation ..... 5-14
    5.2.4 IT Security Configuration (for Legacy Model or Standard Model) ..... 5-17
    5.2.5 Configuring User Accounts (for Standard Model only) ..... 5-20
    5.2.6 Configuring OPC Server ..... 5-21
    5.2.7 Configuring Duplexed Network Function ..... 5-21
    5.2.8 Configuring OPC Clients ..... 5-22
    5.2.9 Testing OPC Server Connection ..... 5-24
  5.3 Configuration for Collaboration with Other Products ..... 5-26
    5.3.1 Collaboration with SIOS ..... 5-27
    5.3.2 Collaboration with PRM ..... 5-28
  5.4 Installing on the Same PC as Other Products ..... 5-29
    5.4.1 Installing on the Same PC as SIOS ..... 5-30
    5.4.2 Installing on the Same PC as PRM ..... 5-31
    5.4.3 Installing on the Same PC as VDS ..... 5-32
  5.5 IT Security Tool ..... 5-33
  5.6 Adding and Removing Software ..... 5-39
  5.7 Changing the Security Model ..... 5-40
  5.8 Removing IT Security Tool ..... 5-41
6. Utility Programs ..... 6-1
  6.1 StorageDeviceCTL ..... 6-2
  6.2 SdcsChangeOPCAccount ..... 6-4
7. Related Programs ..... 7-1
  7.1 Related Programs ..... 7-2
8. Troubleshooting ..... 8-1
  8.1 Error Occurs when Server Manager is Started ..... 8-2
  8.2 Cannot Manage User Accounts in the User Accounts Dialog Box of Control Panel ..... 8-4
  8.3 Installed Update Programs are Not Displayed in the Programs and Features Window of Control Panel ..... 8-5
  8.4 Cannot Install Microsoft Updates ..... 8-6
  8.5 Failing to install .NET Framework ..... 8-7
  8.6 Cannot Install the Logic Designer ..... 8-8
Revision Information ..... Rev-1
1. Overview
This manual is a guide for implementing security measures in the system and for operating it with those measures in place.
By operating the system with security measures implemented, the STARDOM system
is protected from existing security threats, as well as security threats anticipated in the
future.
Among the various security measures, IT security focuses on endpoint security in a PC
environment.
This manual describes how to configure the FCN/FCJ (RTU) to conform to overall IT security when connecting the FCN/FCJ (RTU) to CENTUM VP or PRM.
■ Security-related Terms Used in the Manual
The table below lists and explains terms related to security.
Table  Security-related Terms
Term | Explanation
IT security | Security measures considered based on a given IT environment, in order to protect the system and fight against current and future security threats including cyber terrorism.
IT environment | A Windows environment where the STARDOM system runs.
PCN | Abbreviation of Process Control Network. Network built for ICS (Industrial Control System) such as the STARDOM system.
Business Network | Intranets excluding PCNs.
DCOM | Abbreviation for Distributed Component Object Model, a distributed object technology specification defined by Microsoft, which enables communications, exchange of data and processing requests, etc. between software components known as COM objects via a network.
OPC | Abbreviation for Object Linking and Embedding (OLE) for Process Control, which is a standard interface supporting system development in measuring and control systems using Microsoft's COM/DCOM.
Personal firewall | Firewall operating on PCs and domain controllers, including firewalls other than the Windows standard firewall.
FCN/FCJ engineering tools | Engineering tools for STARDOM systems, including Logic Designer, FCN/FCJ Simulator, Resource Configurator and FCN/FCJ Duolet Application Development Kit.
Terminal | A generic term for devices connected to a network.
Domain server | A server that controls Windows domains.
Fortification | Reducing the vulnerability of PC terminals by using security functions of the operating system or other means.
1.1 Security Threats to be Handled
This section explains the security threats that the STARDOM system must handle.
■ Security Threats
Security threats that may harm the STARDOM system include the following:
• Attacks over network
Threats to the STARDOM system from people without any rights to the STARDOM system via networks such as intranets, as well as the resultant threats of leakage of important data of the STARDOM system.
• Direct attack to a system by operating on a PC
Threats from unauthorized individuals to the STARDOM system by directly operating an HIS or a PC installed with system builders to affect the system for the purpose of stealing important data.
• Theft of a PC or data
Threats where a PC installed with system builders is stolen or data are stolen from it for the purpose of analyzing the data.
Figure  Security Threats (diagram: a business network separated by a firewall from the process control network; on the process control network, the STARDOM FCN/FCJ OPC server and engineering environment; below it the control bus (Ethernet) with FCN/FCJ controllers, a PLC and field devices (AIO, DIO, FF, HART); the three threats are shown as attacks over the network, direct attack to a system by operating on a PC, and theft of a PC or data)
1.2 Security Measures
Security measures should be taken against security threats. Identify security measure
items required for the STARDOM system and, from among them, select the required security measures according to the level of security required.
■ Security Measures and Handled Threats
In order to fight against security threats, we took the security measures applied in the security guides that Microsoft issues for each OS and in general business network environments, and optimized them as a set of security measures for the product. Two IT security versions, 2.0 and 1.0, are available, and the ranges of security measures they provide differ. These two versions are described as follows.
• IT security version 2.0
This version was designed after reconsidering IT security version 1.0 and includes more security measures. It supports the Standard security model.
• IT security version 1.0
It supports the Standard security model.
(It does not support the Legacy security model as the security measures for FCN/FCJ revision R4.30 or later.)
IT security version 2.0 and IT security version 1.0 can coexist in the same project.
The following tables show the security measures and the threats that each measure handles for
each security version.
● Security Measures and Handled Threats in IT security version 2.0
Corresponding threats
[1]: Attacks over network
[2]: Direct attack to a system by operating on a PC
[3]: Theft of a PC or data
Table  Security Measures and Handled Threats - IT security version 2.0
Security measure | Threat handled ([1] [2] [3])
Password Policy-[Minimum password length] | X X
Password Policy-[Minimum password age] | X X
Password Policy-[Maximum password age] | X X
Password Policy-[Enforce password history] | X X
Disable ‘Password Policy-[Store passwords using reversible encryption]’ | X X
Password Policy-[Password must meet complexity requirements] | X X
Access Control for files and folders | X X
Access control for product registry | X X
Access Control for DCOM (OPC) objects | X X
Personal firewall tuning | X
Set ‘Personal Firewall-[Allow unicast response]’ to ‘No’ | X
Stopping unused Windows services | X
Account Lockout Policy-[Account lockout threshold] | X X
Account Lockout Policy-[Reset account lockout counter after] | X X
Account Lockout Policy-[Account lockout duration] | X X
Applying the StorageDevicePolicies function | X X
Disabling USB storage devices | X X
Disabling NetBIOS over TCP/IP | X
Applying the software restriction policies | X
User Rights Assignment-[Access this computer from the network] | X
User Rights Assignment-[Add workstations to domain] | X X X
User Rights Assignment-[Allow log on locally] | X
User Rights Assignment-[Deny log on locally] | X
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | X
Security Options-[Devices: Prevent users from installing printer drivers] | X X
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | X
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | X
Disable ‘Security Options-[Domain controller: Allow server operators to schedule tasks]’ | X
Disable ‘Security Options-[Domain controller: Refuse machine account password changes]’ | X
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | X
Set ‘Security Options-[Interactive logon: Display user information when the session is locked]’ to ‘Do not display user information’ | X
Security Options-[Interactive logon: Do not display last user name] | X
Disable ‘Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]’ | X
Security Options-[Interactive logon: Machine inactivity limit] | X
Security Options-[Interactive logon: Prompt user to change password before expiration] | X
Security Options-[Microsoft network server: Digitally sign communications (if client agrees)] | X
Security Options-[Microsoft network server: Server SPN target name validation level] | X
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | X
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | X
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | X
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | X
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | X
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | X
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | X
Disable ‘Security Options-[Network security: Allow LocalSystem NULL session fallback]’ | X
Security Options-[Network security: Force logoff when logon hours expire] | X
Security Options-[Network security: LAN Manager authentication level] | X
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients] | X
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers] | X
Disable ‘Security Options-[Shutdown: Allow system to be shut down without having to log on]’ | X
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | X
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | X
Advanced Audit Policy Configuration-[Audit Credential Validation] | X X
Advanced Audit Policy Configuration-[Audit Computer Account Management] | X X
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | X X
Advanced Audit Policy Configuration-[Audit Security Group Management] | X X
Advanced Audit Policy Configuration-[Audit User Account Management] | X X
Advanced Audit Policy Configuration-[Audit Process Creation] | X X
Advanced Audit Policy Configuration-[Audit Directory Service Access] | X X
Advanced Audit Policy Configuration-[Audit Directory Service Changes] | X X
Advanced Audit Policy Configuration-[Audit Account Lockout] | X X
Advanced Audit Policy Configuration-[Audit Logoff] | X X
Advanced Audit Policy Configuration-[Audit Logon] | X X
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | X X
Advanced Audit Policy Configuration-[Audit Special Logon] | X X
Advanced Audit Policy Configuration-[Audit Removable Storage] | X X
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | X X
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | X X
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | X X
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | X X
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | X X
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | X X
Advanced Audit Policy Configuration-[Audit IPsec Driver] | X
Advanced Audit Policy Configuration-[Audit Other System Events] | X X
Advanced Audit Policy Configuration-[Audit Security State Change] | X X
Advanced Audit Policy Configuration-[Audit Security System Extension] | X X
Advanced Audit Policy Configuration-[Audit System Integrity] | X X
Personalization-[Prevent enabling lock screen camera] | X
Personalization-[Prevent enabling lock screen slide show] | X
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | X
SCM-[Enable LSA Protection] | X X
SCM-[Lsass.exe audit mode] | X X
Group Policy-[Configure registry policy processing] | X X
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | X
Internet Communication settings-[Turn off Event Viewer “Events.asp” links] | X
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | X
Internet Communication settings-[Turn off printing over HTTP] | X
Internet Communication settings-[Turn off Search Companion content file updates] | X
Internet Communication settings-[Turn off the “Publish to Web” task for files and folders] | X
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | X
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | X
Logon-[Do not display network selection UI] | X
Logon-[Do not enumerate connected users on domain-joined computers] | X
Logon-[Do not process the legacy run list] | X
Logon-[Do not process the run once list] | X
Disable ‘Logon-[Enumerate local users on domain-joined computers]’ | X
Logon-[Turn off app notifications on the lock screen] | X
Mitigation Options-[Untrusted Font Blocking] | X X
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication] | X X
User Profiles-[Turn off the advertising ID] | X
App Privacy-[Let Windows apps access account information] | X
App Privacy-[Let Windows apps access call history] | X
App Privacy-[Let Windows apps access contacts] | X
App Privacy-[Let Windows apps access email] | X
App Privacy-[Let Windows apps access location] | X
App Privacy-[Let Windows apps access messaging] | X
App Privacy-[Let Windows apps access motion] | X
App Privacy-[Let Windows apps access the calendar] | X
App Privacy-[Let Windows apps access the camera] | X
App Privacy-[Let Windows apps access the microphone] | X
App Privacy-[Let Windows apps access trusted devices] | X
App Privacy-[Let Windows apps control radios] | X
App Privacy-[Let Windows apps sync with devices] | X
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | X
AutoPlay Policies-[Turn off Autoplay] | X
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | X
Data Collection and Preview Builds-[Allow Telemetry] | X
Data Collection and Preview Builds-[Do not show feedback notifications] | X
Event Log Service (Application)-[Specify the maximum log file size (KB)] | X X
Event Log Service (Security)-[Specify the maximum log file size (KB)] | X X
Event Log Service (System)-[Specify the maximum log file size (KB)] | X X
File Explorer-[Turn off heap termination on corruption] | X
HomeGroup-[Prevent the computer from joining a homegroup] | X
OneDrive-[Prevent the usage of OneDrive for file storage] | X
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | X
Remote Desktop Connection Client-[Do not allow passwords to be saved] | X
Device and Resource Redirection-[Do not allow drive redirection] | X
Security-[Always prompt for password upon connection] | X
Security-[Require secure RPC communication] | X
Security-[Require user authentication for remote connections by using Network Level Authentication] | X
Sync your settings-[Do not sync Apps] | X
Sync your settings-[Do not sync start settings] | X
Disable ‘Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]’ | X
Disable ‘Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]’ | X
Notifications-[Turn off toast notifications on the lock screen] | X
Disabling Built-in Administrator Account or Changing User Name | X X
HDD password function by BIOS | X
Disabling Shared experiences | X
Enabling SMB signing | X
Prevent illegal dll from loading | X
Corresponding threats:
[1]: Attacks over network
[2]: Direct attack to a system by operating on a PC
[3]: Theft of a PC or data

● Security Measures and Handled Threats in IT security version 1.0
Table Security Measures and Handled Threats - IT security version 1.0
Security type | Security measure | Threat handled ([1], [2], [3])
Access control
X
X
Personal firewall tuning
X
Stopping unused Windows services
X
Changing IT environment settings:
Changing Administrator user name
X
X
Hiding the last logon user name
X
X
Applying the software restriction policies
X
X
Applying AutoRun restrictions
X
Applying the StorageDevicePolicies function
X
X
Disabling USB storage devices
X
X
Disabling NetBIOS over TCP/IP
X
Changing the LAN Manager authentication level
X
Applying the password policy
X
X
Applying the audit policy
X
X
Applying the account lockout policy
X
X
HDD password function by BIOS
X
Disabling Shared experiences
X
Enabling SMB signing
X
Prevent illegal dll from loading
X
1.3 Operating Environment
■ System Overview Image
STARDOM IT Security assumes that the FCN/FCJ is integrated within a large system, say, as a
subsystem of CENTUM, with stringent security requirements.
This manual covers IT security for the FCN/FCJ engineering environment and the FCN/FCJ OPC
server. For information on IT security of other terminals, refer to the IT security guide of individual
products.
Figure Scope and System Overview Image of IT Security (diagram). The diagram shows: a Business Network (PRM server, domain controller, file server); firewalls; the Process Control Network (Ethernet) with the FCN/FCJ OPC Server, SIOS/UGS, the FCN/FCJ engineering environment, a field communication server, HIS and ENG stations; Vnet/IP and the Control Bus (Ethernet); FCN/FCJ, FCS and PLC controllers with their field devices (AIO, DIO, FF, HART). The scope of STARDOM IT Security covers the FCN/FCJ engineering environment and the FCN/FCJ OPC Server.
■ Operating Environment
The table below shows the operating environment of STARDOM IT Security.
Table Operating Environment of STARDOM IT Security
Terminals:
  FCN/FCJ engineering terminal: Terminal installed with FCN/FCJ engineering tools (Logic Designer, Resource Configurator, etc.)
  FCN/FCJ OPC Server terminal: Terminal installed with FCN/FCJ OPC Server
OS:
  OS for the FCN/FCJ engineering terminal:
  • Windows 10 (IoT) Enterprise LTSC 2021 (64 bit)
  • Windows 10 (IoT) Enterprise LTSC 2019 (64 bit)
  OS for the FCN/FCJ OPC Server terminal:
  • Windows 10 (IoT) Enterprise LTSC 2021 (64 bit)
  • Windows 10 (IoT) Enterprise LTSC 2019 (64 bit)
  • Windows Server 2022 Standard (64 bit)
  • Windows Server 2019 Standard (64 bit)
Software Packages:
  Software packages installed on the FCN/FCJ engineering terminal:
  • Logic Designer
  • FCN/FCJ Simulator
  • Resource Configurator
  • FCN/FCJ Duolet Application Development Kit
  Software packages installed on the FCN/FCJ OPC Server terminal:
  • FCN/FCJ OPC Server
  • FCN/FCJ Duplexed Network Package
Co-existence with other system products:
  The FCN/FCJ OPC Server and FCN/FCJ Duplexed Network Package can be installed on the same PC as the following products:
  • PRM
  • SIOS
  • VDS (*1)
*1: As VDS does not support IT Security, do not install IT Security if VDS/ASTMAC and OPC Server are to be installed on the same PC.
IMPORTANT
For OS installations older than April 2022, apply the April 2022 cumulative update.
■ Co-existence or Collaboration with Other Software
● Co-existence
This refers to an environment where the FCN/FCJ OPC Server runs on the same PC as other software.
The FCN/FCJ OPC Server can be installed on the same PC as VDS, PRM (Plant Resource Manager) and SIOS (System Integration OPC Station).
Note: The IT Security Tool cannot coexist with Microsoft Office C2R (Click-to-Run). To coexist, use the Microsoft Office MSI installer.
● Collaboration
This refers to an environment where the FCN/FCJ OPC Server and other software applications run on separate PCs, which are connected via a network.
Software | Environment | Specifications
PRM | Co-existence (*1)(*2) | R4.07
PRM | Collaboration | R3.02 or later
SIOS | Co-existence (*1)(*2) | CENTUM VP R6.04 or later for IT Security of the Standard model; same requirement as the collaborative environment for IT Security of the Legacy model
SIOS | Collaboration | CENTUM VP R5.01 or later
VDS | Co-existence (*3)(*4) | R9.10
*1: Configure IT Security so that OPC Server applies the same security model as PRM or SIOS. Application of a different security model is not allowed. Moreover, PRM or SIOS, if used with the Strengthened model, cannot be installed on the same PC as FCN/FCJ OPC Server.
*2: PRM or SIOS, if used with domain management, cannot be installed on the same PC as FCN/FCJ OPC Server.
*3: As VDS does not support IT Security, do not install IT Security if VDS and OPC Server are to be installed on the same PC.
*4: If using the Duplexed Network function, use the Duplexed Network function provided with VDS.
2. Security Models and User Management
Modifying the configuration of a PC to protect against various threats is known as fortification. This chapter describes fortification of a PC environment to protect against security threats.
Yokogawa system projects (CENTUM VP) provide three types of security models, the Legacy model, the Standard model, and the Strengthened model, according to the required security strength, in order to flexibly accommodate system configuration and operation. The required security measure items are incorporated in the respective security models.
IMPORTANT
• It is recommended to select the Standard model with STARDOM products. If the Legacy model is used, a problem occurs in Windows functions because the Default Authentication Level of DCOM will be None. For details, see "8. Troubleshooting."
• The Strengthened model is not available with STARDOM products.
2.1 Security Models
Fortification of a PC environment improves security but may also hamper system operation and functionality. To allow the implementation of appropriate security measures according to system configuration and operation, three types of security models are provided.
■ Security Models
The features of the security models are shown in the following table.
Table Features of Security Models
Legacy model: The Legacy model maintains compatibility with legacy products. It sets a lower DCOM authentication level and stops the Windows Firewall service. Select the Legacy model if the STARDOM product is to be installed on the same PC as other Yokogawa products using the Legacy model.
Standard model (Recommended): The Standard model enhances security while maintaining system operation compatibility. It performs access control by user authentication, raises the DCOM authentication level, enables the firewall and performs other configuration.
Strengthened model: The Strengthened model implements all security measures. Although it implements the most stringent security measures, it may affect system operation and thus should be introduced only after careful consideration.
Note: The Strengthened model is not available with STARDOM products. When using IT security version 2.0, the Legacy model cannot be used.
■ Security Models and Security Measures
● Security Models and Security Measures in IT security version 2.0
The following table shows the security measure items against security threats and their configuration in IT security version 2.0.
Table Security Measures in IT security version 2.0
Security measure | Standard model
Password Policy-[Minimum password length]
Password Policy-[Minimum password age]
Password Policy-[Maximum password age]
Password Policy-[Enforce password history]
Disable ‘Password Policy-[Store passwords using reversible encryption]’
Password Policy-[Password must meet complexity requirements]
Access Control for files and folders (*1)
X
Access control for product registry (*1)
X
Access Control for DCOM (OPC) objects (*1)
X
Personal firewall tuning (*2)
X
Set ‘Personal Firewall-[Allow unicast response]’ to ‘No’
X
Stopping unused Windows services (*2)
Account Lockout Policy-[Account lockout threshold]
Account Lockout Policy-[Reset account lockout counter after]
Account Lockout Policy-[Account lockout duration]
Disabling NetBIOS over TCP/IP
X
Applying the StorageDevicePolicies function
X
Disabling USB storage devices
X
Applying the software restriction policies
X
User Rights Assignment-[Access this computer from the network]
User Rights Assignment-[Add workstations to domain]
User Rights Assignment-[Allow log on locally]
User Rights Assignment-[Deny log on locally]
X
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings]
X
Security Options-[Devices: Prevent users from installing printer drivers]
X
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only]
X
Security Options-[Devices: Restrict floppy access to locally logged-on user only]
X
Disable ‘Security Options-[Domain controller: Allow server operators to schedule tasks]’
Disable ‘Security Options-[Domain controller: Refuse machine account password changes]’
Security Options-[Domain member: Require strong (Windows 2000 or later) session key]
X
Set ‘Security Options-[Interactive logon: Display user information when the session is locked]’ to ‘Do not display user information’
Security Options-[Interactive logon: Do not display last user name]
X
Disable ‘Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]’
X
Security Options-[Interactive logon: Machine inactivity limit]
Security Options-[Interactive logon: Prompt user to change password before expiration]
X
Security Options-[Microsoft network server: Digitally sign communications (if client agrees)]
X
Security Options-[Microsoft network server: Server SPN target name validation level]
X
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)]
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)]
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)]
X
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts]
X
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares]
X
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication]
X
Security Options-[Network security: Allow Local System to use computer identity for NTLM]
X
Disable ‘Security Options-[Network security: Allow LocalSystem NULL session fallback]’
X
X
X
Security Options-[Network security: Force logoff when logon hours expire]
Security Options-[Network security: LAN Manager authentication level]
X
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients]
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers]
X
X
Disable ‘Security Options-[Shutdown: Allow system to be shut down without having to log on]’
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account]
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] (*4)
X
X
X
Advanced Audit Policy Configuration-[Audit Credential Validation]
X
Advanced Audit Policy Configuration-[Audit Computer Account Management]
X
Advanced Audit Policy Configuration-[Audit Other Account Management Events]
X
Advanced Audit Policy Configuration-[Audit Security Group Management]
X
Advanced Audit Policy Configuration-[Audit User Account Management]
X
Advanced Audit Policy Configuration-[Audit Process Creation]
X
Advanced Audit Policy Configuration-[Audit Directory Service Access]
Advanced Audit Policy Configuration-[Audit Directory Service Changes]
Advanced Audit Policy Configuration-[Audit Account Lockout]
Advanced Audit Policy Configuration-[Audit Logoff]
Advanced Audit Policy Configuration-[Audit Logon]
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events]
X
Advanced Audit Policy Configuration-[Audit Special Logon]
X
Advanced Audit Policy Configuration-[Audit Removable Storage]
X
Advanced Audit Policy Configuration-[Audit Audit Policy Change]
X
Advanced Audit Policy Configuration-[Audit Authentication Policy Change]
X
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change]
X
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change]
X
Advanced Audit Policy Configuration-[Audit Other Policy Change Events]
X
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use]
X
Advanced Audit Policy Configuration-[Audit IPsec Driver]
Advanced Audit Policy Configuration-[Audit Other System Events]
X
Advanced Audit Policy Configuration-[Audit Security State Change]
XX
Advanced Audit Policy Configuration-[Audit Security System Extension]
X
Advanced Audit Policy Configuration-[Audit System Integrity]
X
Personalization-[Prevent enabling lock screen camera]
X
Personalization-[Prevent enabling lock screen slide show]
X
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services]
X
SCM-[Enable LSA Protection]
SCM-[Lsass.exe audit mode]
Group Policy-[Configure registry policy processing]
X
Internet Communication settings-[Turn off downloading of print drivers over HTTP]
X
Internet Communication settings-[Turn off Event Viewer “Events.asp” links]
X
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards]
X
Internet Communication settings-[Turn off printing over HTTP]
X
Internet Communication settings-[Turn off Search Companion content file updates]
X
Internet Communication settings-[Turn off the “Publish to Web” task for files and folders]
X
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program]
X
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program]
X
Logon-[Do not display network selection UI]
X
Logon-[Do not enumerate connected users on domain-joined computers]
X
Logon-[Do not process the legacy run list]
Logon-[Do not process the run once list]
Disable ‘Logon-[Enumerate local users on domain-joined computers]’
X
Logon-[Turn off app notifications on the lock screen]
X
Mitigation Options-[Untrusted Font Blocking]
X
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication]
User Profiles-[Turn off the advertising ID]
X
App Privacy-[Let Windows apps access account information]
X
App Privacy-[Let Windows apps access call history]
X
App Privacy-[Let Windows apps access contacts]
X
App Privacy-[Let Windows apps access email]
X
App Privacy-[Let Windows apps access location]
X
App Privacy-[Let Windows apps access messaging]
X
App Privacy-[Let Windows apps access motion]
X
App Privacy-[Let Windows apps access the calendar]
X
App Privacy-[Let Windows apps access the camera]
X
App Privacy-[Let Windows apps access the microphone]
X
App Privacy-[Let Windows apps access trusted devices]
X
App Privacy-[Let Windows apps control radios]
X
App Privacy-[Let Windows apps sync with devices]
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content]
X
AutoPlay Policies-[Turn off Autoplay]
X
AutoPlay Policies-[Disallow Autoplay for non-volume devices]
X
Data Collection and Preview Builds-[Allow Telemetry]
X
Data Collection and Preview Builds-[Do not show feedback notifications]
X
Event Log Service(Application)-[Specify the maximum log file size (KB)]
X
Event Log Service(Security)-[Specify the maximum log file size (KB)]
X
Event Log Service(System)-[Specify the maximum log file size (KB)]
X
File Explorer-[Turn off heap termination on corruption]
X
HomeGroup-[Prevent the computer from joining a homegroup]
X
OneDrive-[Prevent the usage of OneDrive for file storage]
X
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default)
X
Remote Desktop Connection Client-[Do not allow passwords to be saved]
X
Device and Resource Redirection-[Do not allow drive redirection]
X
X
Security-[Always prompt for password upon connection]
Security-[Require secure RPC communication]
X
Security-[Require user authentication for remote connections by using Network Level Authentication]
X
Sync your settings-[Do not sync Apps]
X
Sync your settings-[Do not sync start settings]
X
Disable ‘Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]’
Disable ‘Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]’
Notifications-[Turn off toast notifications on the lock screen]
X
X
X
Disabling Built-in Administrator Account or Changing User Name (*3)
HDD password function by BIOS (*3)
Disabling Shared experiences
X
Enabling SMB signing (*3)
X
Prevent illegal dll from loading (*5)
X
X: Supported security measure
*1: This security setting item is not affected by group policy.
*2: This setting can be controlled by group policy but can also be configured for each computer using the IT Security Tool.
*3: The IT Security Tool does not configure this setting. You must configure it manually.
*4: On Windows Server 2022 and Windows Server 2019, if “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” is set to “Prompt for consent on the secure desktop”, the UAC dialog is displayed when a shutdown or restart is performed from the Start menu (a change in the Windows specification).
*5: This is set by the installer.
SEE ALSO
• For details of security measures, see “3. Details of Security Measures.”
• A security configuration tool is available for security configuration of the Legacy model and Standard model. For details on the security configuration tool, see “5.5 IT Security Tool.”

● Security Models and Security Measures in IT security version 1.0
The following table shows the security measure items against security threats and their configuration in IT security version 1.0.
Table Security Measures in IT security version 1.0
Security type | Security measure | Legacy | Standard
Access control
file, registry, DCOM (*1)
X
Personal firewall tuning
X
Stopping unused Windows services
Disabling the built-in Administrator account or changing its user name
Hiding the last logon user name
X
Applying the software restriction policies
X
Applying AutoRun restrictions
Changing IT environment settings:
X
X
X
Applying the StorageDevicePolicies function
X
Disabling USB storage devices
X
Disabling NetBIOS over TCP/IP
X
Changing the LAN Manager authentication level
X
Applying the password policy
Applying the audit policy
Applying the account lockout policy
HDD password function by BIOS
Disabling Shared experiences
X
Enabling SMB signing (*2)
X
Prevent illegal dll from loading (*3)
X
X: Supported security measure
*1: When using FCN/FCJ OPC Server, configure access control of DCOM.
*3: This is set by the installer.
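The two tables above name the Standard-model settings but give no way to confirm them on a deployed terminal. The following PowerShell script is an added example and is not part of this manual or of the IT Security Tool. It reads the registry values behind a subset of the settings listed in the version 2.0 and version 1.0 tables and reports drift from the Standard model. The registry paths and expected values are taken from the Windows definitions of the named policies (an assumption: the tables name the items, not the values the tool writes), and the DCOM level uses the Standard-model value Connect stated in section 3.1.

```powershell
# Added example: not part of the STARDOM manual or the IT Security Tool.
# Reads the registry values behind a subset of the Standard-model settings
# and reports drift. Paths and expected values follow the Windows definitions
# of the named policies (assumption: the manual names the items, not the values).
#Requires -RunAsAdministrator

$Checks = @(
  @{ Name = 'Interactive logon: Do not display last user name'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
     Value = 'DontDisplayLastUserName'; Expected = 1 }
  @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL (disabled)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
     Value = 'DisableCAD'; Expected = 0 }
  @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
     Value = 'RestrictAnonymousSAM'; Expected = 1 }
  @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
     Value = 'RestrictAnonymous'; Expected = 1 }
  @{ Name = 'Network security: Allow LocalSystem NULL session fallback (disabled)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
     Value = 'allownullsessionfallback'; Expected = 0 }
  @{ Name = 'SCM: Enable LSA Protection'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
     Value = 'RunAsPPL'; Expected = 1 }
  @{ Name = 'Enabling SMB signing (server requires signing)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
     Value = 'RequireSecuritySignature'; Expected = 1 }
  @{ Name = 'DCOM default authentication level = Connect (Standard model)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Ole'
     Value = 'LegacyAuthenticationLevel'; Expected = 2; IfAbsent = 2 }  # absent = Windows default (Connect)
  @{ Name = 'AutoPlay Policies: Turn off Autoplay (all drives)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     Value = 'NoDriveTypeAutoRun'; Expected = 255 }
  @{ Name = 'Disabling USB storage devices (USBSTOR service disabled)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
     Value = 'Start'; Expected = 4 }
  @{ Name = 'StorageDevicePolicies: write-protect removable storage'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
     Value = 'WriteProtect'; Expected = 1 }
)

function Get-RegValue([string]$Path, [string]$Name) {
  try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
  catch { $null }   # key or value absent: treated as "not configured"
}

$Results = @(foreach ($c in $Checks) {
  $actual = Get-RegValue $c.Path $c.Value
  if ($null -eq $actual -and $c.ContainsKey('IfAbsent')) { $actual = $c.IfAbsent }
  $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
  $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
  [pscustomobject]@{ Setting = $c.Name; Expected = $c.Expected; Actual = $shown; Status = $status }
})

# The Standard model enables the firewall; the Legacy model stops it. Check every profile.
$Results += @(Get-NetFirewallProfile | ForEach-Object {
  $on = ($_.Enabled -eq 'True')
  [pscustomobject]@{ Setting = "Windows Firewall profile '$($_.Name)' enabled"
                     Expected = $true; Actual = $on; Status = if ($on) { 'OK' } else { 'DRIFT' } }
})

$Results | Format-Table -AutoSize
$drift = @($Results | Where-Object Status -eq 'DRIFT').Count
if ($drift -gt 0) { Write-Warning "$drift setting(s) deviate from the Standard model." }
else              { Write-Host 'All checked settings match the Standard model.' }
```

Run it on the engineering or OPC Server terminal after applying the Standard model with the IT Security Tool; any row reported as DRIFT is either a setting the tool does not configure (marked *3 in the table, such as SMB signing) or local change since the tool ran. Items whose values the tables do not name, such as the LAN Manager authentication level and the machine inactivity limit, are deliberately left out rather than guessed.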
2.2 User/Group Management
This section explains the relationship between user management of Windows and the STARDOM system. Access control is defined for each user group as explained in this section.
■ User Management of Windows
Windows provides two methods for managing users, namely, workgroup management and domain management.
A third user management method called combination management combines workgroup management and domain management.
Table User Management Methods
Workgroup (standalone) management
  Configuration: Configuration of STARDOM system only.
  Operation: Operated by registering user accounts in each and every PC used by system builders.
  Feature:
  • Simple configuration not requiring a domain controller.
  • Suited for small systems.
  • Since account management is required for each PC, all PCs must be updated during user account maintenance, so this method is not suited for large-scale systems.
  • Administrator rights to PCs and maintenance rights to STARDOM systems are inseparable.
Domain management
  Configuration: A domain server is required for non-STARDOM systems.
  Operation: Operated by registering user accounts on the domain controller.
  Feature:
  • Centralized management of users reduces human errors.
  • Administrator rights to PCs and maintenance rights to STARDOM systems are separable.
  • Suited for large-scale systems.
Combination management
  Configuration: A domain server is required for non-STARDOM systems.
  Operation: Operated the same way as domain management in normal operation, except that permissions and rights can be assigned for specific PCs.
  Feature:
  • Even if a domain controller is not available, uninterrupted operation is possible by managing accounts of each PC.
  • Administrator rights to PCs and maintenance rights to STARDOM systems are inseparable.
TIP
Combination management is used when operation similar to workgroup management is assumed in normal operation although the main user management is performed by domain management.
Specifically, it refers to the following case: in normal operation, user creation is centralized using domain management; however, it is desired that assignment of rights to users be enabled on certain PCs on the authority of the person in charge at a site.
■ User Management of STARDOM Products
The following two combinations of security model and Windows user management exist in STARDOM products:
• Type 1: Legacy Model - Workgroup Management
• Type 2: Standard Model - Workgroup Management
Table Security Model and User Management Method Combinations
Security model | User management of Windows | Type
Legacy model | Workgroup management | Type 1
Standard model | Workgroup management | Type 2
Standard model | Domain management | Not supported by STARDOM.
Standard model | Combination management | Not supported by STARDOM.
Strengthened model | Workgroup management | Not supported by STARDOM.
Strengthened model | Domain management | Not supported by STARDOM.
Strengthened model | Combination management | Not supported by STARDOM.
● Type 1: Legacy Model - Workgroup Management
No new user or new group is created.
Table Legacy Model - Workgroup Management
Group name | Created on | Administrator rights (*1) | Explanation
STM_MAINTENANCE | Local PC | No | This group is created at the time of installation.
*1: To have Administrator rights on a local PC means to belong to the Administrators group on the local PC.
● Type 2: Standard Model - Workgroup Management
Table Standard Model - Workgroup Management
Group name | Created on | Administrator rights (*1) | Explanation
STM_ENGINEER | Local PC | No | Users belonging to this group have rights to run STARDOM engineering tools, as well as browse and edit engineering data. Users not belonging to this group do not.
STM_MAINTENANCE | Local PC | Yes (Administrator rights on local PC) | Users belonging to this group have rights to install/uninstall software packages and perform security configuration (they have Windows Administrator rights).
STM_OPC | Local PC | No | Users belonging to this group have rights to connect to OPC Server.
*1: To have Administrator rights on a local PC means to belong to the Administrators group on the local PC.
2.3 Access Control
■ FCN/FCJ Engineering Environment
FCN/FCJ engineering tools perform access control as follows:
• Access control is performed for the Standard model but not for the Legacy model.
• Only users with engineering rights are permitted to run engineering tools.
• Only users with engineering rights are permitted to read and edit engineering data such as control applications.
• Only users with maintenance rights are permitted to install/uninstall software packages and perform security configuration.
• Maintenance rights and engineering rights are separate.
■ OPC Server Environment
For each role, users having the role are given access rights by adding them to the Windows user group designated for that role, as shown in the table below. The user groups are created automatically when the Standard model is selected using the IT Security Tool, but adding users to each group must be done manually by end users.
■ User Groups
User groups are created as described in the table below. Users requiring rights are added to the corresponding group and access control is performed. Users added to the STM_MAINTENANCE group are also added automatically to the Administrators group.
Table Standard Model/Strengthened Model - Standalone Management
Group name | Administrator rights | Explanation
STM_ENGINEER | No | This user group is created for using STARDOM engineering tools. (*1)
  Users of the group have rights to run the following software:
  ・Logic Designer
  ・FCN/FCJ Simulator
  ・Resource Configurator
  ・Duolet Application Development Kit
  ・OPC-related tools
  They also have read and write permissions to the default destination paths for saving (the installation path of each tool under C:\YOKOGAWA\FCN-FCJ\).
STM_MAINTENANCE | Yes | Users belonging to this group have rights to install/uninstall software packages and perform security configuration (they have Windows Administrator rights).
  In addition to STM_ENGINEER rights, they have the rights below:
  ・Changing settings which have an influence on the PC
  ・IT Security Tool
  ・FCN/FCJ Connection Configuration Tool
  ・StorageDeviceCTL
STM_OPC | No | Users belonging to this group have rights to connect to OPC Server only.
*1: Users not belonging to this group cannot run STARDOM engineering tools or browse and edit engineering data.
IMPORTANT
Do not use these user groups for other purposes not related to STARDOM products. These
groups may be renamed or deleted without prior notice in response to security model changes or
other reasons.
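Adding users to the STM_* groups is a manual step, and the relationship between STM_MAINTENANCE and the local Administrators group is the invariant that keeps maintenance rights separate from engineering rights. The following PowerShell script is an added example, not part of this manual or of the IT Security Tool. It assumes the Standard model with workgroup management, that the tool has already created the three groups, and uses hypothetical account names (eng01, eng02, maint01, opcclient). It assigns users to roles idempotently and then reports drift: STM_MAINTENANCE members missing from Administrators, and local Administrators who hold no STARDOM maintenance role.

```powershell
# Added example: not part of the STARDOM manual or the IT Security Tool.
# Assumes the Standard model (workgroup management) and that the IT Security
# Tool has already created the STM_* local groups. Account names are hypothetical.
#Requires -RunAsAdministrator

$Roles = [ordered]@{
  STM_ENGINEER    = @('eng01', 'eng02')   # run engineering tools, read/write engineering data
  STM_MAINTENANCE = @('maint01')          # install/uninstall packages, security configuration
  STM_OPC         = @('opcclient')        # connect to FCN/FCJ OPC Server only
}

function Get-MemberNames([string]$Group) {
  # Get-LocalGroupMember returns COMPUTER\account; keep only the account part.
  @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
      ForEach-Object { ($_.Name -split '\\')[-1] })
}

foreach ($group in $Roles.Keys) {
  if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    throw "Local group '$group' is missing: apply the Standard model with the IT Security Tool first."
  }
  $current = Get-MemberNames $group
  foreach ($user in $Roles[$group]) {
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
      Write-Warning "$user does not exist on this PC; skipping"
      continue
    }
    if ($current -notcontains $user) {
      Add-LocalGroupMember -Group $group -Member $user
      Write-Host "added $user to $group"
    }
  }
}

# Invariant from the manual: STM_MAINTENANCE members are also local Administrators,
# and maintenance rights are separate from engineering rights. Report any drift
# instead of silently repairing it, so that unexpected admin accounts get reviewed.
$admins = Get-MemberNames 'Administrators'
$maint  = Get-MemberNames 'STM_MAINTENANCE'
foreach ($m in $maint) {
  if ($admins -notcontains $m) { Write-Warning "$m is in STM_MAINTENANCE but not in Administrators" }
}
foreach ($a in $admins) {
  # 'Administrator' is the built-in account; it may have been renamed by the
  # "Changing Administrator user name" measure, so adjust this name accordingly.
  if ($a -ne 'Administrator' -and $maint -notcontains $a) {
    Write-Warning "$a holds local Administrator rights without a STM_MAINTENANCE role; review"
  }
}

# Summary of who holds which STARDOM role on this terminal
(@($Roles.Keys) + 'Administrators') | ForEach-Object {
  [pscustomobject]@{ Group = $_; Members = (Get-MemberNames $_) -join ', ' }
} | Format-Table -AutoSize
```

Run it from a STM_MAINTENANCE account (the only role allowed to change settings affecting the PC). Because the script only adds members and never removes them, an account that should lose a role still has to be removed by hand, which is the safer default on a control-system terminal.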
3. Details of Security Measures
This chapter explains individual security measures in detail.
3.1 Access Control
Access control protects against unauthorized access and against leakage, tampering, and destruction of important data in the STARDOM system, by minimizing the rights of individual user accounts.
The access control function of Windows is used for the rights to access files and registry keys, and the rights to execute various programs.
Access control is performed for each user group. Users have the access rights that are granted to the group they belong to.
■ DCOM (OPC) and User Groups
The COM security settings in an environment installed with FCN/FCJ OPC Server are described below.
● Settings for Standard Model
Default authentication level: Connect
COM security
User/Group
STM_OPC
Access
permissions
Launch and
activation
access
permissions
STM_
ENGINEER
STM_MAIN
TENANCE
STM_
PROCESS
L
R
Limits
L
L
R
Default
Limits
Everyone ANONYMOUS
LOGON
RA
RA
RA
RA
LL
LA
Default
The symbols in the table indicate the following access rights. An empty cell means no access right.
L: Local Access
LL: Local Launch
LA: Local Activation
R: Remote Access
RA: Remote Activation
Limits indicate the granted access rights.
● Settings for Legacy Model
Default authentication level: None
COM security
User/Group
Everyone
L
R
Limits
Access permissions
Default
L
R
Limits
LA
LL
RA
RL
Default
LA
LL
RA
RL
Launch and
activation access
permissions
ANONYMOUS LOGON
The symbols in the table indicate the following access rights. An empty cell means no access right.
L: Local Access
LL: Local Launch
LA: Local Activation
R: Remote Access
RL: Remote Launch
RA: Remote Activation
Limits indicate the granted access rights.
● Cautions
The default initial password is set for the user accounts “EXA” and “STM_PROCESS” prepared
in advance with this product. Be sure to change the password before operating. (Operation with
the initial password may increase the security risk.) Change the password on both the OPC
server PC and the OPC client PC.
To change the password of the user account, use the utility in “6.2 Utility Program”.
3.2 Personal Firewall Tuning
The personal firewall can be used to restrict connections from the network to the host PC so as to prevent attacks from unknown sources.
Set the required communication ports as exceptions so that the STARDOM functions can operate.
The exception settings of the personal firewall are classified into the following four types:
• FCN/FCJ Engineering Tool Related Exception Settings
• OPC Related Exception Settings
• Windows Related Exception Settings
• Allow unicast response (IT security version 2.0 only)
All connections not covered by the above settings are blocked by the firewall.
■ Settings for Standard Model
● FCN/FCJ Engineering Tool Related Exception Settings
The table below lists the ports used by FCN/FCJ engineering tools.
Table FCN/FCJ Engineering Tool Related Exception Settings
Executable file name | Port number | Package name | Path
SdcsResConf.exe | UDP:67 (BOOTP) | Resource Configurator | Installation path (Default: C:\YOKOGAWA\FCN-FCJ\ResConf)
SdcsPcWin32.exe | TCP:1090 (HSE), UDP:1090 (HSE), TCP:20547 (Logic Designer) | FCN/FCJ Simulator | Installation path (Default: C:\YOKOGAWA\FCN-FCJ\FCXSim)
Javaw.exe, Java.exe | UDP: automatic (DuoletMonitor) (*) | FCN/FCJ Duolet Application Development Kit | Installation path for JDK
SDNWLre.exe | UDP:1092 (diagnostic communication), TCP:34308 (communication to check status) | Duplexed Network Program for FCN/FCJ OPC Server | Installation path (Default: C:\YOKOGAWA\FCN-FCJ\LRE)
*: If using DuoletMonitor, one port is used for each destination controller.
● OPC Related Exception Settings
The table below lists the ports used by OPC Server.
Table OPC Related Exception Settings
Executable file name | Port number | Package name | Path
ZOPDA.exe, ZOPAE.exe, ZOPHDA.exe, ZOPConnectTest.exe, OPCENUM.exe | TCP:135 (DCOM), TCP:20501 to 20550 (DCOM) | FCN/FCJ OPC Server | Installation path (Default: C:\EXA\Program)
● Windows Related Exception Settings
The table below lists the Windows functions allowed through the firewall.
Table Windows Related Exception Settings
Function | Description
ICMP | ICMP is enabled to allow diagnosis using ping, etc.
RPC | Use of the Windows RPC function is allowed.
Note: If using Windows file and folder sharing, remote desktop and other functions, define the exception settings as required. Define exception settings for the SNTP Server port (UDP: 123) used in time synchronization as required.
TIP
Windows Firewall settings allow both Block and Allow rules to be defined for the same program. If both are present, the Block rule takes precedence.
IT Security settings do not change existing Windows Firewall settings. Therefore, a program that is blocked by an existing Windows Firewall rule remains blocked even if it is allowed by the IT Security settings.
You can check whether a program is blocked using [Control Panel]-[Windows Firewall]-[Advanced settings]. In the example shown below, Resource Configurator is blocked.
Figure An Example of Blocking by Firewall
● Allow unicast response (only IT security version 2.0)
In IT security version 2.0, the Allow unicast response option is set to “No.”
[Control Panel] - [System and Security] - [Windows Firewall] - [Detail] - [Windows Firewall Properties] - [Profile] tab - [Customize]
TIP
Applications that use multicasting or broadcasting cannot receive the response.
■ Settings for Legacy Model
Windows Firewall is disabled.

3.3 Disabling NetBIOS over TCP/IP
It is recommended to disable NetBIOS because attackers may be able to acquire a list of
services running on the target computer and a list of users by using NetBIOS.
■ Cautions
When disabling NetBIOS over TCP/IP, beware that:
• Applying this function will disallow file sharing connection from Windows 95, Windows 98, Windows ME, and Windows NT.
• The computer name must be resolvable by DNS or the HOSTS file.
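The second caution can be checked before the change is made. The following is an added example, not part of this manual or of the IT Security tool: it tests whether each peer name resolves by DNS or the HOSTS file without NetBIOS, then disables NetBIOS over TCP/IP on every IP-enabled adapter. The peer names are constructed placeholders.

```powershell
# Added example, not from the STARDOM manual or Yokogawa's IT Security tool.
# Step 1: confirm that the names this PC depends on still resolve once NetBIOS
# name resolution is gone (DNS or HOSTS file only, as the caution requires).
function Test-NameResolutionWithoutNetbios {
    param([string[]] $ComputerName)
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($name in $ComputerName) {
        # -DnsOnly bypasses LLMNR and NetBIOS, so a hit here means the name
        # will still resolve after NetBIOS over TCP/IP is disabled.
        $dns = Resolve-DnsName -Name $name -DnsOnly -ErrorAction SilentlyContinue
        # Uncommented HOSTS lines look like "<address> <name> [<alias>...]".
        $pattern = '^\s*[0-9a-fA-F.:]+\s+.*\b' + [regex]::Escape($name) + '\b'
        $inHosts = Select-String -Path $hostsPath -Pattern $pattern -Quiet
        [pscustomobject]@{
            Name                 = $name
            ResolvesViaDns       = [bool] $dns
            FoundInHosts         = [bool] $inHosts
            SafeToDisableNetbios = ([bool] $dns -or [bool] $inHosts)
        }
    }
}

# Step 2: disable NetBIOS over TCP/IP on all IP-enabled adapters (elevated shell).
function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = use the DHCP server setting, 1 = enable, 2 = disable.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32] 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required.
        [pscustomobject]@{ Adapter = $a.Description; ReturnValue = $r.ReturnValue }
    }
}

# Constructed peer names (placeholders for the controllers and PCs in your system).
$peers = 'fcn-01', 'stardom-opc', 'eng-station'
$check = Test-NameResolutionWithoutNetbios -ComputerName $peers
$check | Format-Table -AutoSize
if (@($check | Where-Object { -not $_.SafeToDisableNetbios }).Count -eq 0) {
    Disable-NetbiosOverTcpip
} else {
    Write-Warning 'Fix DNS or HOSTS entries for the names listed above before disabling NetBIOS.'
}
```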
3.4 Optimizing Windows Update Delivery
This function adds PCs on which the update program or application is already installed as download sources for Windows update programs and Windows Store applications, in addition to the conventional download destination. Because this can cause unexpected application of Windows update programs and reboots on PCs in the network, do not download from sources other than the conventional download destination.
■ Optimizing Delivery
● Settings
The following table shows the setting.

Table Optimizing Windows Update Delivery
Function | Description
Download | Enabled, HTTP only
3.5 Group Policy Settings in IT Security Version 2.0
This section describes the group policy settings in IT security version 2.0. There may be
cases where it is not possible to implement certain security functions depending on the
conditions of the individual systems. For this reason, examine whether implementation is
possible for each function before the implementation.
3.5.1 Security Options
Various security options are enabled or disabled.
● Setting
The following table shows the settings.

Table Security Options
Policy | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to overwrite audit policy category settings | Enabled
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Domain controller: Allow server operators to schedule tasks (*1) | Disabled
Domain controller: Refuse machine account password changes (*1) | Disabled
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Display user information when the session is locked | User display name, domain and user names
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Machine inactivity limit | Enabled, 900 seconds
Interactive logon: Prompt user to change password before expiration | Enabled, 14 days
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Server SPN target name validation level | Enabled, Accept if provided by client
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) | Disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled, Highest protection, source routing is completely disabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Enabled, 3
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Force logoff when logon hours expire (*1) | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: LAN Manager authentication level | Enabled, Send NTLMv2 response only
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)
Network security: Do not store LAN Manager hash value on next password change | Enabled
Shutdown: Allow system to be shut down without having to log on | Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Enabled, Prompt for consent on the secure desktop
*1: This setting is for domain controller only.
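Most of the options in the table above are stored as registry values, which makes drift from the table easy to check. The following is an added example, not part of this manual or of the IT Security tool; the registry locations are the standard Windows mappings of these policies (assumed, not taken from the manual), and the list covers a subset of the table, not all of it.

```powershell
# Added example, not from the STARDOM manual or Yokogawa's IT Security tool:
# compare the registry values behind the Security Options above with the
# values the table calls for and report any drift. Paths/names are the usual
# Windows mappings of these policies (assumed); "Not configured" means the
# value is absent, so the OS default applies.

$StardomSecurityOptions = @(
    @{ Policy = 'Audit: Force audit policy subcategory settings to overwrite category settings'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
    @{ Policy = 'Devices: Prevent users from installing printer drivers'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Name = 'AddPrinterDrivers'; Expected = 1 }
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RequireStrongKey'; Expected = 1 }
    @{ Policy = 'Interactive logon: Do not display last user name'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Expected = 1 }
    @{ Policy = 'Interactive logon: Do not require CTRL+ALT+DEL (Disabled)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCAD'; Expected = 0 }
    @{ Policy = 'Interactive logon: Machine inactivity limit (900 seconds)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'InactivityTimeoutSecs'; Expected = 900 }
    @{ Policy = 'Interactive logon: Prompt user to change password before expiration (14 days)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'PasswordExpiryWarning'; Expected = 14 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'EnableSecuritySignature'; Expected = 1 }
    @{ Policy = 'Microsoft network server: Server SPN target name validation level (Accept if provided by client)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SmbServerNameHardeningLevel'; Expected = 1 }
    @{ Policy = 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (Disabled)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'; Name = 'AutoReboot'; Expected = 0 }
    @{ Policy = 'MSS: (DisableIPSourceRouting) Highest protection'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Policy = 'MSS: (PerformRouterDiscovery) Disabled'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'PerformRouterDiscovery'; Expected = 0 }
    @{ Policy = 'MSS: (TcpMaxDataRetransmissions) 3'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'TcpMaxDataRetransmissions'; Expected = 3 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Expected = 1 }
    @{ Policy = 'Network access: Do not allow storage of passwords and credentials for network authentication'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableDomainCreds'; Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users (Disabled)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Policy = 'Network security: Allow LocalSystem NULL session fallback (Disabled)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'allownullsessionfallback'; Expected = 0 }
    @{ Policy = 'Network security: LAN Manager authentication level (Send NTLMv2 response only)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 3 }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP clients (NTLMv2 + 128-bit)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinClientSec'; Expected = 0x20080000 }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP servers (NTLMv2 + 128-bit)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinServerSec'; Expected = 0x20080000 }
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Expected = 1 }
    @{ Policy = 'Shutdown: Allow system to be shut down without having to log on (Disabled)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ShutdownWithoutLogon'; Expected = 0 }
    @{ Policy = 'UAC: Admin Approval Mode for the Built-in Administrator account'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'FilterAdministratorToken'; Expected = 1 }
    @{ Policy = 'UAC: Elevation prompt for administrators (Prompt for consent on the secure desktop)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
)

function Test-StardomSecurityOptions {
    param([object[]] $Expectations = $StardomSecurityOptions)
    foreach ($e in $Expectations) {
        # Get-ItemProperty throws when the key or value is missing; treat that as "Not configured".
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction Stop).($e.Name)
        } catch { }
        $shown = if ($null -eq $actual) { 'Not configured' } else { $actual }
        [pscustomobject]@{
            Policy    = $e.Policy
            Value     = "$($e.Key)\$($e.Name)"
            Expected  = $e.Expected
            Actual    = $shown
            Compliant = ($null -ne $actual) -and ([int64] $actual -eq [int64] $e.Expected)
        }
    }
}

# Only the drift is shown; an empty result means every checked option matches the table.
Test-StardomSecurityOptions | Where-Object { -not $_.Compliant } | Format-Table -AutoSize -Wrap
```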
● Cautions
• In Windows Server 2019, if [User Account Control: Administrator Approval Mode for Built-in Administrator Account] is "Enabled" and UAC is also "Enabled" (enabled by OS default), the time zone cannot be changed. Specifically, when you open the [Date and Time] screen of the control panel and click the [Change Time Zone] button, the following error dialog is displayed.
"Unable to continue. You do not have permission to perform this task. Please contact your computer administrator for help"
Also, even if you change the [Time Zone] drop-down list in the [Start Menu] - [Settings] - [Time and Language] screen, it will remain the same when you reopen it.
Workaround
Right-click Start Menu and search for “timedate.cpl” in Search. Right-click “timedate.cpl” displayed in the search results and run it as an administrator. You can change the time zone without any error on the displayed [Date and Time] screen.
3.5.2 Applying the Software Restriction Policies
The software restriction policies function restricts execution of programs in four ways.
In the STARDOM system, Restriction on path is applied to provide an environment where
only the specified programs can run. This prevents illegal execution of programs even if
harmful programs are copied in a temporary folder or other locations in the PC.
■ Types of Restrictions that can be Applied
• Restriction on path
• Restriction on hash
• Restriction on certificate
• Restriction on the Internet zone
■ Types of Restriction Supported by IT Security Tool
• Restriction on path: If this restriction is applied, other coexisting packages may not run.
• Restriction on certificate: If this restriction is applied, performance may be affected by certificate validation at startup.
■ Settings (Standard model)
The following paths are added to the restriction on path.
• Added paths (Default paths given below may vary with the installation path)
  C:\YOKOGAWA\FCN-FCJ\FCXSim
  C:\YOKOGAWA\FCN-FCJ\JavaDevelopKit
  C:\YOKOGAWA\FCN-FCJ\LogicDesigner
  C:\YOKOGAWA\FCN-FCJ\ResConf
  C:\YOKOGAWA\FCN-FCJ\LRE
  C:\ProgramData\Ade
The following rules are deleted.
• “lnk” and “mdb” are deleted from [Designated File Types Properties].
Precautions
The following exceptions to the restriction on path must be set by users.
• If using FCN/FCJ Duolet Development Kit, add the installation path (“C:\j2sdk1.4.2_xx” by default) of the JDK from Oracle as an exception to the restriction on path.
• Add installation paths of third-party software products not installed under “C:\Program Files” as exceptions to the restriction on path.
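The path rules and designated file types above live in the local Software Restriction Policies registry store, so their presence can be audited. The following is an added example, not part of this manual or of the IT Security tool; it assumes the standard Safer registry layout and reads only the local policy (domain-applied SRP is written to the same location on refresh). The same check applies to the identical settings in section 3.6.2.

```powershell
# Added example, not from the STARDOM manual or Yokogawa's IT Security tool:
# audit the local Software Restriction Policies against the Standard model
# settings above: default level Disallowed, the listed folders as Unrestricted
# path rules, and "lnk"/"mdb" absent from the designated file types.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ExpectedUnrestrictedPaths = @(
    'C:\YOKOGAWA\FCN-FCJ\FCXSim', 'C:\YOKOGAWA\FCN-FCJ\JavaDevelopKit',
    'C:\YOKOGAWA\FCN-FCJ\LogicDesigner', 'C:\YOKOGAWA\FCN-FCJ\ResConf',
    'C:\YOKOGAWA\FCN-FCJ\LRE', 'C:\ProgramData\Ade'
)
$ForbiddenFileTypes = @('lnk', 'mdb')

function Get-SrpPathRules {
    # Security levels are subkeys of CodeIdentifiers; each holds a Paths key
    # with one GUID-named subkey per rule whose ItemData is the path.
    $levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $SrpRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
            [pscustomobject]@{ Level = $levels[$level]; Path = $data; RuleId = $rule.PSChildName }
        }
    }
}

function Test-StardomSrpConfiguration {
    $props = Get-ItemProperty -Path $SrpRoot -ErrorAction SilentlyContinue
    $rules = @(Get-SrpPathRules)
    $unrestricted = @($rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path } |
                      ForEach-Object { $_.Path.TrimEnd('\') })
    $missing  = @($ExpectedUnrestrictedPaths | Where-Object { $unrestricted -notcontains $_ })
    $badTypes = @(@($props.ExecutableTypes) | Where-Object { $_ -and ($ForbiddenFileTypes -contains $_.ToLower()) })
    # A Disallowed rule underneath an expected Unrestricted folder overrides it for
    # that subtree; list such rules for review rather than silently passing them.
    $conflicts = @($rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path } | Where-Object {
        $p = $_.Path
        @($ExpectedUnrestrictedPaths | Where-Object { $p -like "$_*" }).Count -gt 0 })
    [pscustomobject]@{
        # DefaultLevel 0 = Disallowed: everything not matched by a rule is blocked.
        DefaultLevelIsDisallowed = ($null -ne $props -and $props.DefaultLevel -eq 0)
        MissingUnrestrictedPaths = $missing
        DesignatedTypesToRemove  = $badTypes
        ConflictingDisallowRules = $conflicts
        Compliant = ($null -ne $props -and $props.DefaultLevel -eq 0 -and
                     $missing.Count -eq 0 -and $badTypes.Count -eq 0 -and $conflicts.Count -eq 0)
    }
}

Test-StardomSrpConfiguration | Format-List
```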
3.5.3 Advanced Audit Policy Configuration
Collected account logon conditions and security-related events serve as data for detecting abnormal system conditions at an early stage and for tracing the causes of trouble when security problems occur. With IT security version 2.0, more detailed audit policy configuration is possible. Each setting item is described as follows.
■ Account Logon
The following table shows the setting.

Table Account Logon
Policy | Setting
Audit Credential Validation | Both the Success and Failure check boxes are selected.
■ Account Management
The following table shows the setting.

Table Account Management
Policy | Setting
Audit Computer Account Management | The Success check box is selected.
Audit Other Account Management Events | Both the Success and Failure check boxes are selected.
Audit Security Group Management | Both the Success and Failure check boxes are selected.
Audit User Account Management | Both the Success and Failure check boxes are selected.
■ Detailed Tracking
The following table shows the setting.

Table Detailed Tracking
Policy | Setting
Audit Process Creation | The Success check box is selected.
Audit RPC events | Both the Success and Failure check boxes are cleared. (*1)
■ Logon/Logoff
The following table shows the setting.

Table Logon/Logoff
Policy | Setting
Audit Account Lockout | The Success check box is selected.
Audit Logoff | The Success check box is selected.
Audit Logon | Both the Success and Failure check boxes are selected.
Audit Other Logon/Logoff Events | Both the Success and Failure check boxes are selected.
Audit Special Logon | The Success check box is selected.
■ Object Access
The following table shows the setting.

Table Object Access
Policy | Setting
Audit Application Generated | Both the Success and Failure check boxes are cleared. (*1)
Audit Removable Storage | Both the Success and Failure check boxes are selected.
*1: In the case of domain controller and file server, both the Success and Failure check boxes are selected.
■ Policy Change
The following table shows the setting.

Table Policy Change
Policy | Setting
Audit Policy Change | Both the Success and Failure check boxes are selected.
Audit Authentication Policy Change | Both the Success and Failure check boxes are selected.
Audit Filtering Platform Policy Change | Both the Success and Failure check boxes are selected.
Audit MPSSVC Rule-Level Policy Change | Both the Success and Failure check boxes are selected.
Audit Other Policy Change Events | Both the Success and Failure check boxes are selected.
■ Privilege Use
The following table shows the setting.

Table Privilege Use
Policy | Setting
Audit Sensitive Privilege Use | Both the Success and Failure check boxes are selected.
■ System
The following table shows the setting.

Table System
Policy | Setting
Audit Other System Events | Both the Success and Failure check boxes are selected.
Audit Security State Change | Both the Success and Failure check boxes are selected.
Audit Security System Extension | Both the Success and Failure check boxes are selected.
Audit System Integrity | Both the Success and Failure check boxes are selected.
3.5.4 Administrative Template
This section describes the group policy settings that are defined in the administrative
template.
■ Personalization (Control Panel)
● Setting
The following table shows the setting.

Table Personalization (Control Panel)
Policy | Setting
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
■ WLAN Settings (Network)
● Setting
The following table shows the setting.

Table WLAN Settings (Network)
Policy | Setting
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled
■ Audit Process Creation (System)
● Setting
The following table shows the setting.

Table Audit Process Creation (System)
Policy | Setting
Include command line in process creation events | Disabled
TIP
If this option is enabled, the command line information of each process will be recorded to the security event log in text format as part of the Audit Process Creation event 4688, “A new process has been created.”
■ Group Policy (System)
● Setting
The following table shows the setting.

Table Group Policy (System)
Policy | Setting
Configure registry policy processing | The check box of Process even if the Group Policy objects have not changed is selected.
■ Internet Communication Management (System)
● Setting
The following table shows the setting.

Table Internet Communication Management (System)
Policy | Setting
Turn off access to the Store | Enabled
Turn off downloading of print drivers over HTTP | Enabled
Turn off Event Viewer “Events.asp” links | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled
Turn off printing over HTTP | Enabled
Turn off Search Companion content file updates | Enabled
Turn off the “Publish to Web” task for files and folders | Enabled
Turn off the Windows Customer Experience Improvement Program | Enabled
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled
■ Logon (System)
● Setting
The following table shows the setting.

Table Logon (System)
Policy | Setting
Do not display network selection UI | Enabled
Do not enumerate connected users on domain-joined computers | Enabled
Do not process the legacy run list | Not configured
Do not process the run once list | Not configured
Enumerate local users on domain-joined computers | Disabled
Turn off app notifications on the lock screen | Enabled
● Cautions
• If “Do not process the legacy run list” is enabled, the executable program defined in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is ignored. In addition, the same setting item exists in the user configuration, but if you set both, this setting takes precedence.
• If “Do not process the run once list” is enabled, the executable program defined in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce is ignored. In addition, the same setting item exists in the user configuration, but if you set both, this setting takes precedence.
■ Mitigation Options (System)
● Setting
The following table shows the setting.

Table Mitigation Options (System)
Policy | Setting
Untrusted Font Blocking | Enabled, Block untrusted fonts and log events
● Cautions
If this setting is enabled, fonts that are not installed in %Windir%\Font (normally, C:\Windows\Font) cannot be used. For example, websites with embedded fonts may not be displayed correctly. In that case, install the fonts to be used in the above folder. You can install fonts by right-clicking the font and selecting [Install].
■ Power Management (System)
● Setting
The following table shows the setting.

Table Power Management (System)
Policy | Setting
Turn Off the Display (On Battery) | Not configured
Turn Off the Display (Plugged In) | Not configured
■ Remote Procedure Call (System)
● Setting
The following table shows the setting.

Table Remote Procedure Call (System)
Policy | Setting
Enable RPC Endpoint Mapper Client Authentication | - (Not applied)
■ User Profile (System)
● Setting
The following table shows the setting.

Table User Profile (System)
Policy | Setting
Turn off the advertising ID | Enabled
■ App Privacy (Windows Component)
● Setting
The following table shows the setting.

Table App Privacy (Windows Component)
Policy | Setting
Let Windows apps access account information | Enabled, Force Deny
Let Windows apps access call history | Enabled, Force Deny
Let Windows apps access contacts | Enabled, Force Deny
Let Windows apps access email | Enabled, Force Deny
Let Windows apps access location | Enabled, Force Deny
Let Windows apps access messaging | Enabled, Force Deny
Let Windows apps access motion | Enabled, Force Deny
Let Windows apps access the calendar | Enabled, Force Deny
Let Windows apps access the camera | Enabled, Force Deny
Let Windows apps access the microphone | Enabled, Force Deny
Let Windows apps access trusted devices | Enabled, Force Deny
Let Windows apps control radios | Enabled, Force Deny
Let Windows apps communicate with unpaired devices (for Windows 10 LTSC 2021, Windows 10 LTSC 2019, Windows Server 2022, Windows Server 2019) | Enabled, Force Deny
■ Runtime (Windows Component)
● Setting
The following table shows the setting.

Table Runtime (Windows Component)
Policy | Setting
Block launching Windows Store apps with Windows Runtime API access from hosted content | Enabled
● Cautions
This policy disables starting of Windows Store applications that are directly accessed by the Windows Runtime API from Web content.
■ AutoPlay Policies (Windows Component)
● Setting
The following table shows the setting.

Table AutoPlay Policies (Windows Component)
Policy | Setting
Turn off Autoplay | Enabled, All drives
Disallow Autoplay for non-volume devices | Enabled
● Cautions
If the AutoRun function for the drive is disabled, the installation menu does not start just by inserting the software medium of the product.
■ Cloud Content (Windows Component)
● Settings
The following table shows the setting.

Table Cloud Content (Windows Component)
Policy | Setting
Do not show Windows tips | Enabled
Turn off Microsoft consumer experiences | Enabled
■ Data Collection and Preview Builds (Windows Component)
● Settings
The following table shows the setting.

Table Data Collection and Preview Builds (Windows Component)
Policy | Setting
Allow Telemetry (for Windows Server 2019) / Allow diagnostic data (for Windows Server 2022) | Enabled, Diagnostic data off (not recommended)
Disable pre-release features or settings | Enabled, Disabled
Do not show feedback notifications | Enabled
Toggle user control over Insider builds | Disabled
TIP
The Disable Prerelease Features or Settings setting item does not appear in the Local Group Policy Editor in Windows 10 (IoT) Enterprise LTSC 2021/Windows 10 (IoT) Enterprise 2019 LTSC/Windows Server 2022/Windows Server 2019. You can confirm the application in the following registry entry.
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PreviewBuilds
Value: EnableConfigFlighting
Type: REG_DWORD
Value data: 0 (invalid), 1 (valid)
■ Event Log Service (Windows Component)
● Settings
The following table shows the setting.

Table Event Log Service (Windows Component)
Policy | Setting
Specify the maximum log file size (KB) | Enabled, 32768 KB
■ File Explorer (Windows Component)
● Settings
The following table shows the setting.

Table File Explorer (Windows Component)
Policy | Setting
Turn off heap termination on corruption | Disabled
■ HomeGroup (Windows Component)
● Settings
The following table shows the setting.

Table HomeGroup (Windows Component)
Policy | Setting
Prevent the computer from joining a homegroup | Enabled
■ OneDrive (Windows Component)
● Settings
The following table shows the setting.

Table OneDrive (Windows Component)
Policy | Setting
Prevent the usage of OneDrive for file storage | Enabled
Save documents to OneDrive by default (Save documents to the local PC by default) | Enabled
■ Remote Desktop Service (Windows Component)
● Settings
The following table shows the setting.

Table Remote Desktop Service (Windows Component)
Policy | Setting
[Remote Desktop Connection Client] \ Do not allow passwords to be saved | Enabled
[Remote Desktop Session Host] \ [Device and Resource Redirection] \ Do not allow drive redirection (*1) | Enabled
[Remote Desktop Session Host] \ [Security] \ Always prompt for password upon connection | Enabled
[Remote Desktop Session Host] \ [Security] \ Require secure RPC communication | Enabled
[Remote Desktop Session Host] \ [Security] \ Require user authentication for remote connections by using Network Level Authentication | Enabled
[Remote Desktop Session Host] \ [Session Time Limits] \ [Set time limit for active but idle Remote Desktop Services sessions] | Enabled, 1h
● Cautions
If “[Remote Desktop Session Host] \ [Session Time Limits] \ [Set time limit for active but idle Remote Desktop Services sessions]” is set, the connection will be disconnected if left connected for 1 hour without operation.
■ Search (Windows Component)
● Settings
The following table shows the setting.

Table Search (Windows Component)
Policy | Setting
Allow Cortana | Disabled
Don’t search the web or display web results in Search | Enabled
Don’t search the web or display web results in Search over metered connections | Enabled
■ Software Protection Platform (Windows Component)
● Settings
The following table shows the setting.

Table Software Protection Platform (Windows Component)
Policy | Setting
Turn off KMS Client Online AVS Validation | Enabled
■ Store (Windows Component)
● Settings
The following table shows the setting.

Table Store (Windows Component)
Policy | Setting
Turn off Automatic Download of updates on Win8 machines | Enabled
Turn off Automatic Download and Install of updates | Enabled
Turn off the offer to update to the latest version of Windows | Enabled
Turn off the Store application | Enabled
■ Sync Your Settings (Windows Component)
● Settings
The following table shows the setting.

Table Sync Your Settings (Windows Component)
Policy | Setting
Do not sync Apps | Enabled
Do not sync start settings | Enabled
■ Endpoint Protection (Windows Component)
● Settings
The following table shows the setting.

Table Endpoint Protection (Windows Component)
Policy | Setting
Turn off Endpoint Protection | Enabled
■ Windows Error Reporting (Windows Component)
● Settings
The following table shows the setting.

Table Windows Error Reporting (Windows Component)
Policy | Setting
Automatically send memory dumps for OS-generated error reports | Disabled
■ Windows Logon Options (Windows Component)
● Settings
The following table shows the setting.

Table Windows Logon Options (Windows Component)
Policy | Setting
Sign-in last interactive user automatically after a system-initiated restart | Disabled
3.5.5 Applying the StorageDevicePolicies Function
By using the StorageDevicePolicies function of Windows, you can set removable
storage media as read-only devices. You can use this function to prevent theft of data by
unauthorized users. You can use the StorageWriteEnable tools to temporarily grant write
permissions to users.
● Settings
The following table shows the setting.

Table Setting
Policy | Setting
Removable Disks: Deny write access | Enabled
3.5.6 Disabling USB Storage Devices
This function disables the use of USB storage devices such as USB memories. You can
use this function to prevent theft of data by unauthorized users.
You can use the StorageDeviceCTL to temporarily grant write permissions to users.
● Settings
The following table shows the setting.

Table Disabling USB Storage Devices
Policy | Setting
Floppy Drives: Deny execute access | Enabled
Floppy Drives: Deny read access | Enabled
Floppy Drives: Deny write access | Enabled
Removable Disks: Deny execute access | Enabled
Removable Disks: Deny read access | Enabled
Removable Disks: Deny write access | Enabled
WPD Devices: Deny read access | Enabled
WPD Devices: Deny write access | Enabled
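The write protection of section 3.5.5 and the per-class deny policies in the table above can be read back from the registry to confirm what is actually enforced on a PC. The following is an added example, not part of this manual or of the IT Security tool; it assumes the standard registry locations of the StorageDevicePolicies function and of the Removable Storage Access policy, and the class GUIDs are the ones that policy uses for Floppy Drives, Removable Disks and WPD Devices.

```powershell
# Added example, not from the STARDOM manual or Yokogawa's IT Security tool:
# report the removable-storage controls of sections 3.5.5 and 3.5.6 as they are
# configured on this PC (registry locations assumed to be the standard ones).

# Device class GUIDs used by the Removable Storage Access policy subkeys.
$RemovableClasses = @{
    '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}' = 'Floppy Drives'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD Devices'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD Devices'
}
$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$StoragePolicy = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RemovableStorageControls {
    # Section 3.5.5: WriteProtect = 1 makes removable disks read-only.
    $wp = (Get-ItemProperty -Path $StoragePolicy -ErrorAction SilentlyContinue).WriteProtect
    $wpShown = if ($null -eq $wp) { 'Not configured' } else { $wp }
    [pscustomobject]@{ Control = 'WriteProtect'; Class = 'StorageDevicePolicies'; Value = $wpShown; Enforced = ($wp -eq 1) }

    # Section 3.5.6: one subkey per class GUID, each with Deny_Read / Deny_Write / Deny_Execute.
    if (-not (Test-Path $PolicyRoot)) { return }
    foreach ($sub in Get-ChildItem -Path $PolicyRoot) {
        $guid  = $sub.PSChildName
        $label = if ($RemovableClasses.ContainsKey($guid)) { $RemovableClasses[$guid] } else { "Unknown class $guid" }
        $p = Get-ItemProperty -Path $sub.PSPath
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            $v = $p.$name
            $shown = if ($null -eq $v) { 'Not configured' } else { $v }
            [pscustomobject]@{ Control = $name; Class = $label; Value = $shown; Enforced = ($v -eq 1) }
        }
    }
}

function Test-UsbStorageDisabled {
    # Expected after applying 3.5.6: Removable Disks and Floppy Drives deny
    # read/write/execute, WPD Devices deny read/write (as in the table above).
    $controls = @(Get-RemovableStorageControls)
    $required = @(
        @{ Class = 'Removable Disks'; Control = 'Deny_Read' },  @{ Class = 'Removable Disks'; Control = 'Deny_Write' },
        @{ Class = 'Removable Disks'; Control = 'Deny_Execute' }, @{ Class = 'Floppy Drives'; Control = 'Deny_Read' },
        @{ Class = 'Floppy Drives'; Control = 'Deny_Write' },   @{ Class = 'Floppy Drives'; Control = 'Deny_Execute' },
        @{ Class = 'WPD Devices'; Control = 'Deny_Read' },      @{ Class = 'WPD Devices'; Control = 'Deny_Write' }
    )
    foreach ($r in $required) {
        # WPD has two GUID subkeys; either one being enforced satisfies the check.
        $hit = @($controls | Where-Object { $_.Class -eq $r.Class -and $_.Control -eq $r.Control -and $_.Enforced })
        [pscustomobject]@{ Class = $r.Class; Control = $r.Control; Enforced = ($hit.Count -gt 0) }
    }
}

Get-RemovableStorageControls | Format-Table -AutoSize
Test-UsbStorageDisabled | Where-Object { -not $_.Enforced } | Format-Table -AutoSize
```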
● Cautions
To prohibit data export using external storage media without applying this function, security measures such as covering the USB port with a lid are required.
If you apply this function, you may not be able to access volumes (partitions) other than the system volume and the internal drive. In this case, take the following actions.
Occurrence condition
A volume (partition) of an internal drive other than the system volume is recognized by Windows as a portable device.
Workaround
1. Open Device Manager. Expand the Portable Devices node and check for any devices other than the connected USB storage device. If the [Portable Device] node itself does not exist, or if the corresponding device does not exist in the node, the event does not occur.
2. If an applicable device exists, update the BIOS/UEFI.
3. If the update is not available, or if the event still occurs after the update, perform the following steps 3.1-3.2.
3.1 Enter “diskmgmt.msc” in [Run] from the Start menu to open the disk management screen (see the figure below). Right-click on the area surrounded by blue in the figure and select Properties. On the screen that appears, look for the Bus Number n display on the Location: line in the General tab and check the value of n.
If there is only one internal disk, or if all internal disks have the same Bus Number: Use that
value.
If you have multiple internal disks and different Bus Numbers: Use your IT security tools
to disable the USB storage device to see which drives are inaccessible and use the Bus
Number of the disk that contains them. For example, if the F: drive is disabled, open the
properties screen of the disk containing the F: drive to check.
3.2 Run cmd.exe as an administrator and run the following command: n is the value confirmed
above.
<System drive>:\Program Files (x86)\YOKOGAWA\IA\iPCS\Platform\SECURITY\
PROGRAM\TreatAsNonRemovableDisk.cmd n
3.3 Restart the PC after executing the command.
Recovery means
Same as workaround.
3.5.7 User Configuration - Administrative Template
n Notifications (Taskbar and Start Menu)
● Settings
The following table shows the setting.

Table Notifications (Taskbar and Start Menu)
Policy | Setting
Turn off toast notifications on the lock screen | Enabled
3.5.8 Disabling Windows Defender
Disable Windows Defender.
The name of Windows Defender displayed in Local Group Policy Editor varies depending
on the OS version and language. Please replace it as appropriate. OS version can be
checked on the System window calling from the Start menu.
The following table shows the Windows Defender name for each OS version.
Table OS version and Windows Defender name
OS | Name
1703 to 1909 | Windows Defender Antivirus
2004 or later | Microsoft Defender Antivirus
● Settings
The following table shows the setting.

Table Settings
Policy | Setting
Turn off Windows Defender | Enabled
3.5.9 Disabling Shared experiences
Shared experiences is a feature of Windows 10 Enterprise LTSC 2021 and Windows 10
Enterprise LTSC 2019.
There are two functions: sharing between devices that open applications on devices to
send and receive messages, and nearby sharing that shares files and web page URL
through Bluetooth or Wi-Fi.
● Settings
The following table shows the setting.

Table Settings
Policy | OS | Setting
Continue the experience on this device | Windows 10 Enterprise LTSC 2021, Windows 10 Enterprise LTSC 2019 | Disabled
3.5.10 Enabling SMB Signing
By enabling SMB signing, packets sent and received by SMB are digitally signed to
prevent tampering and destruction.
● Settings
The following table shows the setting.

Table Settings
Policy | Setting
Microsoft Network Server: Always digitally sign communications | Enabled
● Cautions
Note the following points when enabling SMB signing.
• Set only if all products or all product revisions support enabling SMB Signing.
• Set this item in the Local Group Policy Editor. Follow these steps to set it:
1. Sign in as an administrative user.
2. Start the Command Prompt.
3. Enter gpedit.msc. Local Group Policy Editor appears.
4. In the left pane, select [Computer Configuration] > [Windows Settings] > [Security Settings] > [Local Policies] > [Security Options].
5. Enable the setting value of the desired policy.
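Before enforcing signing as described above, it helps to know the current signing state and which clients are actually connecting to the PC's SMB server. The following is an added example, not part of this manual or of the IT Security tool; it uses the SmbShare cmdlets (Windows 8 / Server 2012 and later). The policy itself is still set in the Local Group Policy Editor as the steps above describe; the cmdlet shown changes the same live setting but a configured policy overrides it at the next policy refresh.

```powershell
# Added example, not from the STARDOM manual or Yokogawa's IT Security tool:
# report the SMB signing state of this PC and the clients currently connected to
# its SMB server, the inventory needed for the first caution above.

function Get-SmbSigningReport {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    # RequireSecuritySignature is the setting behind "Always digitally sign
    # communications"; EnableSecuritySignature is "... (if client agrees)".
    $sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
                  Select-Object ClientComputerName, ClientUserName, Dialect |
                  Sort-Object ClientComputerName, Dialect -Unique)
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        # Every client listed here must support signing before you enforce it;
        # the dialect tells you how old the connecting SMB implementation is.
        ConnectedClients      = $sessions
        ConnectedClientCount  = $sessions.Count
    }
}

function Enable-SmbServerSigning {
    # Live equivalent of the policy in the table above (elevated shell); the
    # Local Group Policy setting from the steps above takes precedence on refresh.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    (Get-SmbServerConfiguration).RequireSecuritySignature
}

$report = Get-SmbSigningReport
$report | Format-List ServerRequiresSigning, ServerEnablesSigning, ClientRequiresSigning, ConnectedClientCount
$report.ConnectedClients | Format-Table -AutoSize
```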
3.5.11 Prevent illegal dll from loading
Setting a value in the registry can mitigate attacks that load an illegal dll. This setting is configured automatically when the OPC server software is installed.
● Settings
The following table shows the setting.

Table Registry setting information
Item | Description | Setting
Registry entry | CWDIllegalInDllSearch | 2
Registry key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manage | -
3.6 Group Policy Settings in IT Security Version 1.0
Security functions of the IT environment (such as the Windows environment) can be
applied to STARDOM systems.
Depending on the conditions of each system, implementation of specific security
functions may be disallowed. For this reason, check whether implementation is allowed
before implementation of each function.
3.6.1 Hiding the Last Logon User Name
You can hide the last logon user name on the logon dialog box to prevent leakage of valid
user names in the system.
n Cautions
You must enter a user name on every logon attempt if you apply this security measure.
3.6.2 Applying the Software Restriction Policies
The software restriction policies function restricts execution of programs in four ways.
In the STARDOM system, Restriction on path is applied to provide an environment where
only the specified programs can run. This prevents illegal execution of programs even if
harmful programs are copied in a temporary folder or other locations in the PC.
n Types of Restrictions that can be Applied
•
Restriction on path
•
Restriction on hash
• Restriction on certificate
•
Restriction on the Internet zone
n Types of Restriction Supported by IT Security Tool
•
Restriction on path: If this restriction is applied, other coexisting packages may not run.
• Restriction on certificate: If this restriction is applied, performance may be affected by
certificate validation at startup.
n Settings (Standard model)
The following paths are added to the restriction on path.
•
Added paths (Default paths given below may vary with the installation path)
C:\YOKOGAWA\FCN-FCJ\FCXSim
C:\YOKOGAWA\FCN-FCJ\JavaDevelopKit
C:\YOKOGAWA\FCN-FCJ\LogicDesigner
C:\YOKOGAWA\FCN-FCJ\ResConf
C:\YOKOGAWA\FCN-FCJ\LRE
C:\ProgramData\Ade
Added paths will not be deleted even if the security model is changed from the Standard
Model to the Legacy Model.
The following rules are deleted.
• “lnk” and “mdb” are deleted from [Designated File Types Properties].
■ Precautions
The following exceptions to the restriction on path must be set by users.
• If using FCN/FCJ Duolet Development Kit, add the installation path (“C:\j2sdk1.4.2_xx” by default) of the JDK from Oracle as an exception to the restriction on path.
• Add installation paths of third-party software products not installed under “C:\Program Files” as exceptions to the restriction on path.
■ Settings (Legacy model)
Default settings are used.
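An added audit script (not part of this manual or of IT Security Tool) that reads back the restriction-on-path configuration described above for the Standard model: it checks that each listed path has an Unrestricted path rule, that “lnk” and “mdb” are no longer designated file types, and lists every other Unrestricted rule for review against the precautions. It assumes the policy is stored under the machine Safer\CodeIdentifiers key, that "only the specified programs can run" is implemented as DefaultLevel Disallowed, and that the default installation paths apply.

```powershell
# Added example: audit the Software Restriction Policies that section 3.6.2
# describes. Not Yokogawa code. Assumes the machine SRP key below and that
# "only the specified programs can run" is implemented as DefaultLevel=0
# (Disallowed) plus Unrestricted path rules.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Paths the manual lists as added to the restriction on path (default install paths).
$ExpectedPaths = @(
    'C:\YOKOGAWA\FCN-FCJ\FCXSim',
    'C:\YOKOGAWA\FCN-FCJ\JavaDevelopKit',
    'C:\YOKOGAWA\FCN-FCJ\LogicDesigner',
    'C:\YOKOGAWA\FCN-FCJ\ResConf',
    'C:\YOKOGAWA\FCN-FCJ\LRE',
    'C:\ProgramData\Ade'
)
# File types the manual says are removed from [Designated File Types].
$RemovedTypes = @('LNK', 'MDB')

# SRP security levels as stored in the registry (subkey name -> meaning).
$Levels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    # One object per path rule: its level, the expanded path (ItemData) and the rule GUID.
    foreach ($lvl in $Levels.Keys) {
        $pathsKey = Join-Path $SaferRoot "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
            [pscustomobject]@{
                Level = $Levels[$lvl]
                Path  = [Environment]::ExpandEnvironmentVariables([string]$data).TrimEnd('\')
                Rule  = $rule.PSChildName
            }
        }
    }
}

function Test-SrpConfiguration {
    # Returns a list of findings; an empty list means the settings match 3.6.2.
    $findings = @()
    if (-not (Test-Path $SaferRoot)) {
        return @('SRP policy key not present: restriction on path is not applied.')
    }
    $root = Get-ItemProperty -Path $SaferRoot
    if ($root.DefaultLevel -ne 0) {
        $findings += "DefaultLevel is $($root.DefaultLevel); expected 0 (Disallowed)."
    }
    $rules = @(Get-SrpPathRule)
    foreach ($expected in $ExpectedPaths) {
        $match = $rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -ieq $expected }
        if (-not $match) { $findings += "No Unrestricted path rule for $expected." }
    }
    $types = @($root.ExecutableTypes)
    foreach ($t in $RemovedTypes) {
        if ($types -icontains $t) { $findings += "Designated file type $t is still present." }
    }
    # Every other Unrestricted rule widens what may run; list it so it can be reviewed
    # against the precautions (Duolet JDK, third-party software outside Program Files).
    foreach ($r in $rules) {
        if ($r.Level -eq 'Unrestricted' -and $ExpectedPaths -inotcontains $r.Path) {
            $findings += "Review: Unrestricted rule $($r.Rule) allows $($r.Path)."
        }
    }
    return $findings
}

$result = @(Test-SrpConfiguration)
if ($result.Count -eq 0) { 'Restriction on path matches section 3.6.2.' } else { $result }
```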
3.6.3 Applying AutoRun Restrictions
This restriction prevents automatic execution of programs when a CD-ROM or other
medium is inserted into a drive or USB port. It is an effective measure against viruses
(USB worms) that infect computers via USB memory devices.
■ Settings
The AutoRun function is disabled for all drives.
■ Cautions
Beware that:
• The installation menu does not start when the software medium is inserted.
3.6.4 Applying the StorageDevicePolicies Function
By using the StorageDevicePolicies function of Windows, you can set removable
storage media as read-only devices. You can use this function to prevent theft of data by
unauthorized users. You can use the StorageWriteEnable tools to temporarily grant write
permissions to users.
3.6.5 Disabling USB Storage Devices
This function disables the use of USB storage devices such as USB memory devices. You can
use this function to prevent theft of data by unauthorized users.
You can use the StorageDeviceCTL to temporarily grant write permissions to users.
SEE ALSO: For details about StorageDeviceCTL, see “6.1. StorageDeviceCTL”.
● Cautions
To prohibit data export using external storage media without applying this function, security
measures such as covering the USB port with a lid are required.
If you apply this function, you may not be able to access volumes (partitions) other than the
system volume on the internal drive. In this case, take the following actions.
Occurrence condition
A volume (partition) on the internal drive other than the system volume is recognized by Windows as a
portable device.
Workaround
1. Open Device Manager. Expand the Portable Devices node and check for any devices other than the connected USB storage device. If the [Portable Devices] node itself does not exist, or if no corresponding device exists in the node, the event does not occur.
2. If such a device exists, update the BIOS/UEFI.
3. If no update is available, or if the event still occurs after the update, perform the following steps 3.1-3.2.
3.1 Enter “diskmgmt.msc” in [Run] from the Start menu to open the disk management screen (see the figure below). Right-click the area surrounded by blue in the figure and select Properties. On the screen that appears, look for the "Bus Number n" display on the Location: line in the General tab and check the value of n.
If there is only one internal disk, or if all internal disks have the same Bus Number: use that value.
If you have multiple internal disks with different Bus Numbers: use IT Security Tool to disable the USB storage device, see which drives become inaccessible, and use the Bus Number of the disk that contains them. For example, if the F: drive is disabled, open the properties screen of the disk containing the F: drive to check.
3.2 Run cmd.exe as an administrator and run the following command, where n is the value confirmed above:
<System drive>:\Program Files (x86)\YOKOGAWA\IA\iPCS\Platform\SECURITY\PROGRAM\TreatAsNonRemovableDisk.cmd n
3.3 Restart the PC after executing the command.
Recovery means: same as the workaround.
3.6.6 Changing the LAN Manager Authentication Level
Windows supports LM authentication, NTLM authentication and NTLMv2 authentication; the
older methods are retained for backward compatibility.
NTLMv2 authentication is recommended in STARDOM systems. LM authentication is not
recommended because the method it uses to hash the user’s password (the LM hash
algorithm) is very weak.
■ Settings
If this security measure is applied, the following settings are configured.
• For [Network security: LAN Manager authentication level], “Send NTLMv2 response only” is set.
• For [Network security: Do not store LAN Manager hash value on next password change], “Enabled” is set.
• For [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients], the [Require NTLMv2 session security] and [Require 128-bit encryption] check boxes are selected.
• For [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers], the [Require NTLMv2 session security] and [Require 128-bit encryption] check boxes are selected.
■ Cautions
When applying this measure, beware that:
• Connection from Windows 95, Windows 98, Windows ME, Windows NT, and Windows 2000 will fail.
• You must ensure that the settings of [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients] and [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers] are consistent on all PCs.
3.6.7 Disabling Shared experiences
Shared experiences is a feature of Windows 10 Enterprise LTSC 2021 and Windows 10
Enterprise LTSC 2019.
It consists of two functions: sharing across devices, which lets applications opened on one
device send and receive messages on another, and nearby sharing, which shares files and
web page URLs through Bluetooth or Wi-Fi.
● Settings
The following table shows the setting.
Table Settings
Policy                                   OS                                 Setting
Continue the experience on this device   Windows 10 Enterprise LTSC 2021    Disabled
                                         Windows 10 Enterprise LTSC 2019
<3.6 Group Policy Settings in IT Security Version 1.0>
3.6.8
3-40
Enabling SMB Signing
By enabling SMB signing, packets sent and received by SMB are digitally signed to
prevent tampering and destruction.
● Settings
The following table shows the setting.
Table Settings
Policy                                                           Setting
Microsoft Network Server: Always digitally sign communications   Enabled
● Cautions
Note the following points when enabling SMB signing.
• Set this only if all products, or all product revisions, support enabling SMB signing.
• Set this item in the Local Group Policy Editor. Follow these steps to set it:
1. Sign in as an administrative user.
2. Start the Command Prompt.
3. Enter gpedit.msc. The Local Group Policy Editor appears.
4. In the left pane, select [Computer Configuration] > [Windows Settings] > [Security Settings] > [Local Policies] > [Security Options].
5. Enable the setting value of the desired policy.
3.6.9 Preventing Illegal DLLs from Loading
Setting a value in the registry mitigates attacks that load an illegal DLL (the CWDIllegalInDllSearch
setting controls whether DLLs may be loaded from the current working directory). This setting is
configured automatically when the OPC server software is installed.
● Settings
The following table shows the setting.
Table Registry setting information
Item             Description                                                          Setting
Registry entry   CWDIllegalInDllSearch                                                2
Registry key     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manage   -
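An added check script (not part of this manual or of IT Security Tool) that reads back the registry values behind the settings in 3.6.1 and 3.6.3 to 3.6.9 and reports any that differ from what this section specifies. The registry locations are the standard Windows policy keys for these settings; mapping 3.6.5 to the USBSTOR service Start value and 3.6.7 to EnableCdp is an assumption, and the NTLM session-security values are the bit flags for [Require NTLMv2 session security] and [Require 128-bit encryption].

```powershell
# Added example: read back the registry values behind the section 3.6 group
# policy settings (3.6.1, 3.6.3-3.6.9) and compare them with the manual.
# Not Yokogawa code. The USBSTOR (3.6.5) and EnableCdp (3.6.7) locations are
# assumptions about how those settings are implemented.
$Checks = @(
    @{ Section = '3.6.1'; Setting = 'Hide last logon user name'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Section = '3.6.3'; Setting = 'AutoRun disabled for all drives'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Section = '3.6.4'; Setting = 'Removable storage write-protected (StorageDevicePolicies)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Expected = 1 },
    @{ Section = '3.6.5'; Setting = 'USB storage driver disabled (assumed: USBSTOR Start=4)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Expected = 4 },
    @{ Section = '3.6.6'; Setting = 'LAN Manager authentication level: Send NTLMv2 response only'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 3 },
    @{ Section = '3.6.6'; Setting = 'Do not store LAN Manager hash value on next password change'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1 },
    # 0x00080000 = Require NTLMv2 session security, 0x20000000 = Require 128-bit encryption.
    @{ Section = '3.6.6'; Setting = 'Minimum session security for NTLM SSP clients'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NtlmMinClientSec'; Expected = 0x20080000; Bitmask = $true },
    @{ Section = '3.6.6'; Setting = 'Minimum session security for NTLM SSP servers'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'NtlmMinServerSec'; Expected = 0x20080000; Bitmask = $true },
    @{ Section = '3.6.7'; Setting = 'Continue the experience on this device: Disabled (assumed: EnableCdp=0)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'EnableCdp'; Expected = 0 },
    @{ Section = '3.6.8'; Setting = 'Microsoft network server: Always digitally sign communications'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Section = '3.6.9'; Setting = 'CWDIllegalInDllSearch'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'CWDIllegalInDllSearch'; Expected = 2 }
)

function Get-PolicyCheckResult {
    # One result object per check; Status is OK, MISMATCH or NOT SET.
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Key) {
            $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Name) }
        }
        if ($null -eq $actual) { $status = 'NOT SET' }
        elseif ($c.Bitmask) { $status = if (($actual -band $c.Expected) -eq $c.Expected) { 'OK' } else { 'MISMATCH' } }
        else { $status = if ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' } }
        [pscustomobject]@{
            Section  = $c.Section
            Setting  = $c.Setting
            Expected = '0x{0:X}' -f [int64]$c.Expected
            Actual   = if ($null -eq $actual) { '' } else { '0x{0:X}' -f [int64]$actual }
            Status   = $status
        }
    }
}

$results = @(Get-PolicyCheckResult)
$results | Format-Table -AutoSize
$bad = @($results | Where-Object Status -ne 'OK')
'{0} of {1} settings differ from section 3.6.' -f $bad.Count, $results.Count
```

For the bitmask checks a value with additional flags set still passes, because the manual requires those two check boxes, not an exact value.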
4. Selection of Security Functions
There are three options for applying IT security functions to a PC terminal:
1. IT Security Version 2.0 Standard model
   Use this option if:
   a higher security level is required; or
   products running on the same PC use the IT Security Version 2.0 Standard model.
   Note: This version was designed after reconsidering IT Security Version 1.0 and includes more security measures.
2. IT Security Version 1.0 Standard model
   Use this option if:
   a higher security level is required; or
   products running on the same PC use the IT Security Version 1.0 Standard model.
3. IT Security Version 1.0 Legacy model
   Use this option if:
   products running on the same PC use the Legacy model; or
   a security level lower than the default level for the OS is required.
4. Not using the IT Security Tool
   Use this option if:
   prevailing OS settings are to be maintained; or
   products running on the same PC do not support IT Security Tool.
IMPORTANT
• If using FCN/FCJ OPC Server, you must select either the Standard model option or the Legacy model option.
• If the Legacy model is used, a problem occurs in a Windows function because the Default Authentication Level of DCOM will be None. For details, see "8 Troubleshooting."
4.1 VDS Environment Configurations
This section describes the fortification of a terminal installed with the FCN/FCJ
engineering environment for two different VDS environment configurations: the first
where the FCN/FCJ engineering environment is installed on the same PC as VDS, and the
second where it is installed on a different PC.
IT Security Tool can be used to improve the security of the FCN/FCJ engineering terminal
in the latter case.
■ If the FCN/FCJ engineering environment is on a different PC from VDS
IT Security Tool can be used to enhance security (using the Standard model).
[Figure 040101E.ai: the FCN/FCJ engineering environment PC (security model: standard; user management: standalone; configured automatically by IT Security Tool) and the VDS PCs on the Control Bus (Ethernet), connected to FCN/FCJ controllers, PLCs and field devices (AIO, DIO, FF, HART).]
Figure An Example of Implementation on a Different PC from the VDS Environment
■ FCN/FCJ engineering environment co-existing with VDS on the same PC
[Figure 040102E.ai: VDS co-existing with the FCN/FCJ engineering environment on one PC, so IT Security Tool cannot be used; this PC and the VDS PCs are on the Control Bus (Ethernet), connected to FCN/FCJ controllers, PLCs and field devices (AIO, DIO, FF, HART).]
Figure An Example of Implementation on the Same PC as the VDS Environment
Note: Do not use IT Security Tool as it is not supported by VDS.
SEE ALSO: For more information on co-existence of VDS and OPC Server, see "5.4.3. Installing on the Same PC as VDS."
4.2 Domain Environment
A domain environment refers to an environment where STARDOM products are used
within a large system, for instance, as a CENTUM subsystem. If STARDOM products are
to be used within the domain environment of CENTUM VP, select the Standard model and
workgroup management security options.
In a domain environment, the security model and user management basically need to be
standardized throughout the system. However, as STARDOM supports neither domain
management nor combination management, workgroup management is applied as an
exception to the STARDOM parts only.
STARDOM does not support user management using the domain linkage management
method.
[Figure 040201E.ai: a Business Network with PRM server, domain controller and file server, separated by firewalls from the Process Control Network (Ethernet) and Vnet/IP; on the control side, FCN/FCJ OPC Server, SIOS/UGS and the FCN/FCJ engineering environment (security model: standard; user management: standalone; configured automatically by IT Security Tool), a field communication server, and HIS and ENG stations; the Control Bus (Ethernet) connects FCN/FCJ controllers, FCS, PLCs and field devices (AIO, DIO, FF, HART).]
Figure An Example of Implementation within a Large System
4.3 Offline Engineering Environment
An offline engineering environment refers to an environment where FCN/FCJ engineering
data is created in an office and the created data is then brought to the field in an offline
manner.
Security in an offline engineering environment is not within the scope of this guide. Use IT
Security Tool in accordance with the security policies of the office environment.
[Figure 040301E.ai: on the office side, the FCN/FCJ engineering environment (with Logic Designer, Resource Configurator and other tools installed), a file server and a domain controller on the Business Network (Ethernet), following the security policy of the office; engineering data is transported offline to the factory side, where the FCN/FCJ engineering environment (security model: standard; user management: standalone; configured automatically by IT Security Tool) is on the Control Bus (Ethernet) with FCN/FCJ controllers, PLCs and field devices (AIO, DIO, FF, HART).]
Figure An Example of Implementation in an Offline Engineering Environment
5. IT Security Configuration Procedures
This chapter describes how to configure IT security according to how STARDOM
products are used.
● Sections 5.1 and 5.2
Sections 5.1 and 5.2 describe, respectively, the IT security configuration procedures if only FCN/FCJ engineering tools are used and if FCN/FCJ OPC Server is also used.
● Sections 5.3 and 5.4
Sections 5.3 and 5.4 describe, respectively, the IT security configuration procedures for a collaborative environment, where FCN/FCJ OPC Server runs on a different PC from other software and is connected to it via a network, and for a co-existing environment, where FCN/FCJ OPC Server runs on the same PC as other software.
● Section 5.5
This section describes IT Security Tool settings in detail.
● Sections 5.6, 5.7 and 5.8
These sections describe, respectively, procedures related to addition and removal of software, modification of the security model selection, and removal of IT Security Tool.
IMPORTANT
• If using FCN/FCJ OPC Server, you must select either the Standard model option or the Legacy model option.
• If the Legacy model is used, a problem occurs in a Windows function because the Default Authentication Level of DCOM will be None. For details, see “8 Troubleshooting.”
5.1 Configuration Procedure (if only engineering tools are used)
This section describes the workflow for installing the software packages on a new PC
and configuring IT security. This configuration procedure applies to users not using OPC
Server.
(1) Decide on system configuration and security model (see 5.1.1)
(2) Configure environment before installation (configure Windows environment) (see 5.1.2)
(3) Installation (see 5.1.3)
    (3-1) Install FCN/FCJ engineering tools
    (3-2) Install IT Security Tool
    (3-3) Register IT Security Configuration File
(4) IT security configuration (see 5.1.4)
(5) Configure user accounts (see 5.1.5)
Figure IT Security Configuration Workflow (if only engineering tools are used)
5.1.1 Deciding on System Configuration and Security Model
Consider and decide on the following items for implementation of security measures.
● IT Security Version
Select IT Security Version 1.0 or 2.0.
● Security Model
Select the Standard model (recommended) or the Legacy model.
(In IT Security Version 2.0, the Legacy model cannot be selected.)
● User Management
Select standalone management.
SEE ALSO: For details on security models and user management methods, see "2.1 Security Models" and "2.2 User/Group Management."
5.1.2 Configuring Environment before Installation (Configuring Windows environment)
Configure Windows environment as described below before software installation.
● Configuring Power Management Options
Configure power management options so that the PC is never put to sleep.
The actual procedure varies with the operating system used. See the following documents for details.
SEE ALSO: For details on power options configuration, see “2.1 Configuring Power Management Options” (Windows 10) or “3.1 Configuring Power Management Options” (Windows Server 2019) of "STARDOM FCN/FCJ Software Installation" (IM 34P02Q91-01E).
● Configuring Password Policy
For the Legacy model, disable the "Password must meet complexity requirements" setting.
1. From the desktop, select [Start]-[Windows System]-[Control Panel].
2. In the control panel, click [Administrative Tools].
3. In the Administrative Tools window, double-click [Local Security Policy].
4. In the left pane of the Local Security Policy window, click [Account Policies].
5. In the right pane, double-click [Password Policy].
6. From the Policy list displayed in the right pane, ensure that the "Password must meet complexity requirements" option is disabled.
If this option is enabled, perform the following steps:
a. Double-click [Password must meet complexity requirements].
b. Select [Disabled] in the displayed Properties dialog.
c. Click [OK].
TIP
・ Checking the time synchronization setting is not required.
5.1.3 Installation
Install the following two types of software.
● Installing FCN/FCJ engineering tools
Install Logic Designer, Resource Configurator and other software packages.
You must perform installation as a user belonging to the Administrators group.
SEE ALSO: For details on installation of FCN/FCJ engineering tools, see “1. Software” of "STARDOM FCN/FCJ Software Installation" (IM 34P02Q91-01E).
● Installing IT Security Tool
1. Terminate all software applications.
FCN/FCJ OPC Server and other services are stopped automatically at the time of security configuration.
TIP
・ Once you apply security settings, you will not be able to restore the PC to the same state before
configuration. For this reason, it is recommended that you do a full backup of the PC before performing
security configuration by creating a system image using commercially available backup software or
Windows functions.
2. Install IT Security Tool from the FCN/FCJ software media.
You must perform installation as a user belonging to the Administrators group. This user will be automatically added to the STM_MAINTENANCE group when you apply IT Security settings.
IMPORTANT
Never try to install the software after logging on as a user not belonging to the Administrators group. Otherwise, the software will not be installed normally.
3. If the following message is displayed, click [OK]. The PC will reboot.
4. After the PC reboots, log on as the same user.
The Yokogawa STARDOM Setup window is redisplayed automatically.
5. Click [OK] with the checkboxes for all product names selected.
6. Proceed by following the screen instructions.
7. When "Succeeded" is displayed in the Status column, click [Finish].
5.1.4 IT Security Configuration (for Legacy Model or Standard Model)
After installing the required software, run IT Security Tool to perform security
configuration for the installed software.
● Registering IT Security Configuration File
Registering STARDOM Products
Run "IT security configuration file registration” to register the security configuration file. The procedure is shown below using Resource Configurator as an example.
1. From the Windows Start button, select [YOKOGAWA FCN-FCJ] – [IT security Setting File Registration].
2. The IT security configuration file registration tool window is displayed. Click [OK].
3. The following message is displayed when registration is successful. Click [OK].
● Applying IT Security Settings
1. From the Windows Start menu, select [YOKOGAWA Security] – [IT Security Tool]. The IT Security Tool window is displayed.
2. Select [Setup]. The IT Security Settings window is displayed.
Figure Security Settings
Selecting Security Model and User Management
3. In the [Select IT security version] group, select [1.0] or [2.0].
4. In the [Select security model] group, select [Standard Model] (recommended) or [Legacy Model].
5. In the [Select user management] group, select [Standalone Management].
6. If you need to change the setting items, click [Details]. The Setting Items Selection window is displayed. Normally, there is no need to change the setting items.
TIP
・ If you have selected IT security version 2.0, only the Standard model can be selected as the security model.
・ If you have selected Legacy Model, user management need not be selected.
・ IT Security Tool provides three user management options but only the standalone management option can be used with STARDOM products.
Applying Settings
7. Click [Next]. The Setup Completed window is displayed.
8. Select the [Restart now] checkbox and click [Finish]. The PC reboots.
5.1.5 Configuring User Accounts (for Standard Model only)
If you have selected Standard Model as the security model, add each user to the group
granted with the appropriate rights.
1. Log on as a user belonging to the STM_MAINTENANCE group.
2. Add user accounts that need to perform FCN/FCJ engineering to the STM_ENGINEER user group.
3. Add user accounts that need to maintain the FCN/FCJ engineering PC to both the STM_MAINTENANCE and Administrators user groups.
4. Log off so that the settings are applied.
TIP
You must add users performing maintenance to both the STM_MAINTENANCE and Administrators user groups. Users who are added to only one of the two groups will not have sufficient access rights to perform maintenance.
5.2 Configuration Procedure (if OPC Server is used)
This section describes the workflow for installing FCN/FCJ OPC Server and configuring
IT security on a PC for the first time. This configuration procedure applies to OPC
Server users.
Follow the description given below to perform installation and configuration.
(1) Decide on system configuration and security model (see 5.2.1)
(2) Configure environment before installation (configure Windows environment) (see 5.2.2)
(3) Installation (see 5.2.3)
    (3-1) Install OPC Server
    (3-2) Install Duplexed Network Function
    (3-3) Install IT Security Tool
    (3-4) Register IT Security Configuration File
(4) IT security configuration (see 5.2.4)
(5) Configure user accounts (see 5.2.5)
(6) Configure OPC server (see 5.2.6)
(7) Configure Duplexed Network function (see 5.2.7)
(8) Configure OPC clients (see 5.2.8)
(9) Perform OPC server connection test (see 5.2.9)
Figure IT Security Configuration Workflow (if OPC Server is used)
5.2.1 Deciding on System Configuration and Security Model
Consider and decide on the following items for implementation of security measures.
● Network Configuration
Connecting OPC Server and Client
1. Decide whether the server and the client are to be installed on the same PC or on different PCs. If they are installed on different PCs, "(8) Configuring OPC Clients" is required.
Connecting to FCN/FCJ
2. Decide whether to use a duplexed network connection between FCN/FCJ and OPC Server. For a duplexed network connection, "(3-2) Installing Duplexed Network Function" and "(7) Configuring Duplexed Network Function" are required.
● IT Security Version
Select IT Security Version 1.0 or 2.0.
● Security Model
Select the Standard model (recommended) or the Legacy model.
● User Management
Select standalone management.
SEE ALSO
・ For details on network configuration, see "1.3. Operating Environment.”
・ For details on security models and user management methods, see "2.1. Security Models” and "2.2. User/Group Management.”
TIP
Although access control using domain management is not supported, OPC Server can be used on PCs participating in a domain.
5.2.2 Configuring Environment before Installation (Configuring Windows environment)
Configure Windows environment as described below before software installation.
● Configuring Power Management Options
Configure power management options so that the computer is never put to sleep.
The actual procedure varies with the operating system used. See the following documents for details.
SEE ALSO: For details on power management options configuration, see “2.1 Configuring Power Management Options” (Windows 10) or “3.1 Configuring Power Management Options” (Windows Server 2022/2019) of “STARDOM FCN/FCJ Software Installation” (IM 34P02Q91-01E).
● Configuring Password Policy
If applying the Legacy model for IT security, disable the “Password must meet complexity requirements” setting.
1. From the desktop, select [Start]-[Windows System]-[Control Panel].
2. In the control panel, click [Administrative Tools].
3. In the Administrative Tools window, double-click [Local Security Policy].
4. In the left pane of the Local Security Policy window, click [Account Policies].
5. In the right pane, double-click [Password Policy].
6. From the Policy list displayed in the right pane, ensure that the “Password must meet complexity requirements” option is disabled.
If this option is enabled, perform the following steps:
a. Double-click [Password must meet complexity requirements].
b. Select [Disabled] in the displayed Properties dialog.
c. Click [OK].
TIP
・ Checking the time synchronization setting is not required.
5.2.3 Installation
Install the following three types of software.
・ FCN/FCJ OPC Server for Windows
・ Duplexed Network Program for FCN/FCJ OPC Server
・ FCN/FCJ IT Security Tool
IMPORTANT
・ Additional licenses are required for installing the FCN/FCJ OPC Server for Windows and the
Duplexed Network Program for OPC Server software. You need to acquire these licenses
before installing these two applications.
The required licenses can be acquired by accessing Yokogawa's license management
system over the Internet using a Web browser.
・ If using the Plant Resource Manager (PRM) software, see “STARDOM Plant Resource
Manager” (IM 34P02Q52-01E).
・ Do not install the Duplexed Network Program for FCN/FCJ OPC Server on a PC installed
with VDS software as it will conflict with equivalent VDS functions.
SEE ALSO: For details on licenses, see "D1. Licenses" of "STARDOM FCN/FCJ Guide" (IM 34P02Q01-01E).
● Installing OPC Server
1. Log on as a user belonging to the Administrators group and insert the FCN/FCJ software media (DVD-ROM) into the DVD-ROM drive.
2. From the installation menu, select [Products]-[Install FCN/FCJ OPC Server for Windows].
3. Proceed by following the screen instructions.
● Installing the Duplexed Network Program
If using the Duplexed Network function, install the Duplexed Network Program from the FCN/FCJ software media after installing OPC Server.
1. From the installation menu, select [Products]-[Install Duplexed Network Program for FCN/FCJ OPC Server].
2. Proceed by following the screen instructions.
TIP
If the Duplexed Network function is installed before OPC Server, or if it is installed on its own at some later time, you need to set the security model again using IT Security Tool. Otherwise, IT security configuration for the Duplexed Network function will not be done.
● Installing IT Security Tool
Preparing for Installation
1. Terminate all software applications.
FCN/FCJ OPC Server and other services are stopped automatically at the time of security configuration.
TIP
・ Once you apply security settings, you will not be able to restore the PC to the same state before configuration. For this reason, it is recommended that you do a full backup of the PC before performing security configuration by creating a system image using commercially available backup software or Windows functions.
Installation
2. Install IT Security Tool from the FCN/FCJ software media.
You must perform installation as a user belonging to the Administrators group. This user will be automatically added to the STM_MAINTENANCE group when you apply IT Security settings.
IMPORTANT
Never try to install the software after logging on as a user not belonging to the Administrators group. Otherwise, the software will not be installed normally.
3. If the following message is displayed, click [OK]. The PC will reboot.
4. After the PC reboots, log on as the same user.
The Yokogawa STARDOM Setup window is redisplayed automatically.
5. Click [OK] with the checkboxes for all product names selected.
6. Proceed by following the screen instructions.
7. When “Succeeded” is displayed in the Status column, click [Finish].
5.2.4 IT Security Configuration (for Legacy Model or Standard Model)
After installing the required software, run IT Security Tool to perform security
configuration for the installed software.
● Registering IT Security Configuration File
Execute IT security configuration file registration to register the security configuration file. The procedure is shown below using FCN/FCJ OPC Server as an example.
1. From the Windows Start button, select [YOKOGAWA FCN-FCJ] – [IT security Setting File Registration].
2. The IT security configuration file registration tool window is displayed. Click [OK].
3. The following message is displayed when registration is successful. Click [OK].
● Applying IT Security Settings
1. From the Windows Start menu, select [YOKOGAWA Security] – [IT Security Tool]. The IT Security Tool window is displayed.
2. Select [Setup]. The IT Security Settings window is displayed.
Figure Security Settings
IM 34P02Q93-01E
7th Edition : Jun. 6, 2018-00
<5.2 Configuration Procedure (if OPC Server is used)>
5-19
Selecting Security Model and User Management
3.
In the [Select IT security version] group, select [1.0] or [2.0].
4.
In the [Select security model] group, select [Legacy Model] (recommended) or [Standard
Model].
5.
In the [Select user management] group, select [Standalone Management].
6.
If you need to change the setting items, click [Details].
The Setting Items Selection window is displayed.
Normally, there is no need to change the setting items.
TIP
・ If you have selected IT security version 2.0, only the Standard model can be selected as the security model.
・ If you have selected Legacy Model, user management need not be selected.
・ IT Security Tool provides three user management options but only standalone management can be used
with STARDOM products.
Applying Settings
7. Click [Next]. The Setup Completed window is displayed.
8. Select the [Restart now] checkbox and click [Finish]. The PC reboots.
5.2.5 Configuring User Accounts (for Standard Model only)
If you have selected Standard model as the security model, add users of each role to the
group granted with the appropriate rights.
1. Log on as a user belonging to the Administrators group.
2. Add user accounts that need to run the OPC client program (hereafter referred to as the OPC client user) to the STM_OPC user group on the OPC Server PC.
For a workgroup environment:
1) On the server PC, create a user having the same name and password as the OPC client user created on the client PC.
2) Add the OPC client user to the STM_OPC group on the OPC server PC.
For a domain environment:
This is the case where the OPC client user is a domain user.
1) Ensure that the OPC Server PC and the client PC are in the same domain.
2) Add the OPC client user to the STM_OPC group on the OPC Server PC.
When the server and client co-exist on the same PC:
Add the OPC client user to the STM_OPC group.
3. Add user accounts that need to perform FCN/FCJ engineering to the STM_ENGINEER user group.
4. Add user accounts that need to maintain OPC Server, as well as engineer and maintain the Duplexed Network function, to both the STM_MAINTENANCE and Administrators user groups.
5. Log off so that the settings can be applied.
SEE ALSO
For details on duplexed network settings, see "1.5. Installing FCN/FCJ OPC Server for Windows and Duplexed Network Program" of "STARDOM FCN/FCJ Software Installation" (IM 34P02Q91-01E).
5.2.6 Configuring OPC Server
Configure the OPC server for connection to the FCN/FCJ.
1. For the Standard model, log on as a user belonging to the STM_ENGINEER group or STM_MAINTENANCE group. For the Legacy model, you can log on as any user.
2. Define the node ID and IP address of the FCN/FCJ to be connected in the %installation path%\Config\fcxcnf.csv file.
3. After saving the changes made, reboot the PC. If you are configuring the Duplexed Network function next, you need not reboot the PC at this point.
Example
[Node]
FCX01, 192.168.0.1
TIP
・ A template for the setting in step 2 is provided in the fcxcnf.csv file as follows.
[Node]
;FCX01, XXX.XXX.X.X
To use it, delete the semicolon (';') character at the head of the node identifier line.
・ An item ID begins with the node identifier. For example: FCX01!Main.Flag1
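A check for the [Node] section, written as an added PowerShell example (not a Yokogawa tool): it skips the commented template line, flags malformed lines, invalid addresses and duplicate node IDs, and shows the item-ID prefix each node yields. The sample file content is constructed for the example, the two-field line layout is assumed from the example above, and the installation path is a placeholder.

```powershell
# Added example, not part of the Yokogawa manual: validate a fcxcnf.csv [Node]
# section before rebooting the OPC Server PC. The format follows the manual:
# a [Node] section, one "node ID, IP address" line per FCN/FCJ, ';' marking a
# commented-out template line, and item IDs prefixed "node!". The sample text
# below is constructed; the two-field layout is assumed from the manual's example.
$SampleFcxcnf = @'
[Node]
;FCX01, XXX.XXX.X.X
FCX01, 192.168.0.1
FCX02, 192.168.0.300
FCX01, 192.168.0.2
'@

function Test-FcxcnfNodes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $inNodeSection = $false
    $seen = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        # Section headers such as [Node]; only the [Node] section is validated here.
        if ($line -match '^\[(.+)\]$') { $inNodeSection = ($Matches[1] -eq 'Node'); continue }
        if (-not $inNodeSection) { continue }
        # A leading ';' is the template marker the manual describes: the server ignores
        # the line, so it must not be counted as a configured node.
        if ($line.StartsWith(';')) { continue }

        $parts = @($line -split ',' | ForEach-Object { $_.Trim() })
        $node  = $parts[0]
        $addr  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        $ip    = $null
        $status = if ($parts.Count -ne 2) { 'Malformed line' }
                  elseif (-not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) { 'Invalid IP address' }
                  elseif ($seen.ContainsKey($node)) { 'Duplicate node ID' }
                  else { 'OK' }
        $seen[$node] = $true

        [pscustomobject]@{
            Node         = $node
            Address      = $addr
            Status       = $status
            ItemIdPrefix = "$node!"   # e.g. FCX01!Main.Flag1 addresses Main.Flag1 on FCX01
        }
    }
}

# For the real file, replace the constructed sample with
# Get-Content '<installation path>\Config\fcxcnf.csv' (path placeholder).
Test-FcxcnfNodes -Lines ($SampleFcxcnf -split "`r?`n") | Format-Table -AutoSize
```

With the constructed sample, FCX01/192.168.0.1 is reported OK, FCX02 as an invalid address and the second FCX01 line as a duplicate node ID.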
5.2.7 Configuring Duplexed Network Function
Defining IP addresses
1. Log on as a user with Administrator rights. Define the three IP addresses (VIP, PIP-A and PIP-B) used for Duplexed Network in Windows network settings.
Configuring FCN/FCJ Connection
2. For the Legacy model, log on as a user with Administrator rights. For the Standard model, log on as a user of the STM_MAINTENANCE group.
3. Select [YOKOGAWA FCN-FCJ]-[FCN FCJ Connection Setting] from Windows Start menu to run the connection configuration tool and set up the VIP of FCN/FCJ. Check "Enable Redundant Network Service." and click the [OK] button.
4. Reboot the PC.
SEE ALSO
For details on duplexed network configuration, see the online help. Select [YOKOGAWA FCN-FCJ]-[Duplexed Network Help] from Windows Start button to run the online help.
5.2.8 Configuring OPC Clients
To connect to the OPC server from an OPC client connected to the network, you need to run a setup command on the client PC to configure the environment (installation of DLL and other files, registry registration and DCOM configuration) as required for connecting to the OPC server.
IMPORTANT
This configuration is not required if the OPC server and OPC client are installed on the same PC.
● Running Client Setup Command
1. Log on as a user with Administrator rights on the client PC.
2. Insert the FCN/FCJ software media (DVD-ROM) in the DVD-ROM drive. Run the \Pkg_OPCDAServer\ClientSetup\Setup.exe file.
3. Follow the screen instructions to perform installation and then reboot the PC.
● Creating User Account Required for Connection to Server (for Standard model)
1. Log on as a user with Administrator rights on the client PC.
2. Create the required user account on the client PC. To do so:
Insert the FCN/FCJ software media (DVD-ROM) into the DVD-ROM drive.
Run the "\Pkg_OPCDAServer\ClientSetup\CreateStardomOpcProcess.exe" file.
The STM_PROCESS user account is created.
3. Reboot the client PC.
TIP
The following DCOM authentications are performed when a connection is made to the OPC server.
・ Connection from a client to the server
DCOM authentication of the account running the client program is performed by the server.
See the "Users permitted to connect to server" column in the table below.
For the Standard model, users running client programs must be added to the STM_OPC group on the
server side.
・ Callback connection from the server to the client
DCOM authentication of the account running the server process is performed on the client PC.
The account given in the "User account running server process" column in the table below must be created
on the client PC.
Table: DCOM Authentications
Security model | User account running server process | Password | Users permitted to connect to server
Legacy Model | EXA | EXA | All users
Standard Model | STM_PROCESS | Confidential | Users belonging to STM_OPC group
● Configuring Windows Environment
A) If OPC server adopts the Legacy model and the client is a Yokogawa product:
No Windows environment configuration is required.
B) If OPC server adopts the Legacy model and the client is not a Yokogawa product:
If the security model of the OPC server is set to the Legacy model, perform the following configuration on the client PC running the non-Yokogawa product.
・Disable Windows Firewall
1. Open [Control Panel]-[Windows Firewall]-[Turn Windows Firewall on or off].
2. Turn off Windows Firewall.
・Modify DCOM configuration
1. Run the dcomcnfg.exe file. Open the Properties window of My Computer.
2. Set Default Authentication Level on the Default Properties tab screen to None.
3. Click the [Edit Default] button under Access Permissions on the COM Security tab screen. Grant local access and remote access permissions to Everyone.
4. Click the [Edit Limits] button under Access Permissions on the COM Security tab screen. Allow remote access by ANONYMOUS LOGON.
・Modify local security policy
1. Open [Control Panel]-[Administrative Tools]-[Local Security Policy].
2. Click [Local Policies]-[Security Options]. Enable "Network access: Let Everyone permissions apply to anonymous users."
C) If OPC server adopts the Standard model and the client is a Yokogawa product:
Configure user account
Add STM_PROCESS (the user for callback connection) to the group permitted to use OPC.
TIP
The table below lists the group permitted to use OPC for each product.
Table: Group permitted to use OPC
Product name | Group permitted to use OPC
Plant Resource Manager (PRM) | PRM_OPC
System Integration OPC Station (SIOS) | CTM_OPC
D) If OPC server adopts the Standard model and the client is not a Yokogawa product:
・Define Firewall exceptions
1. Open [Control Panel]-[Windows Firewall]-[Allow a program or feature through Windows Firewall].
2. Set required client applications and [File and Printer Sharing] as Firewall exceptions.
・DCOM Configuration
1. Run "dcomcnfg.exe". Open the Properties window of My Computer.
2. Click the [Edit Default] button under Access Permissions on the COM Security tab screen. Grant local access and remote access permissions to STM_PROCESS (user for callback connection).
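An added read-only audit, written here as a PowerShell example (not part of the manual or of IT Security Tool), that reports whether a PC is in the state described in 5.2.5 and 5.2.8: the STM_OPC, STM_ENGINEER and STM_MAINTENANCE groups and their members on a server PC, the STM_PROCESS callback account on a client PC, and the Legacy-model relaxations of procedure B (firewall off, DCOM default authentication None, Everyone or ANONYMOUS LOGON remote DCOM access, Everyone permissions applied to anonymous users). The STM_* names come from the manual; the registry locations and COM access-mask bits are standard Windows definitions that the page does not mention.

```powershell
# Added read-only audit example, not part of the Yokogawa manual. It reports the
# Windows state that 5.2.5 and 5.2.8 ask the administrator to set, so a PC can be
# compared with the security model chosen for the OPC server. "Weak" marks the
# relaxations of the Legacy-model third-party-client procedure (B).
# Assumptions: STM_* names are from the manual; the registry values and
# COM_RIGHTS_* bits are standard Windows definitions, not from the manual.
$Script:ComRightsExecuteRemote = 0x4          # COM_RIGHTS_EXECUTE_REMOTE
$Script:WatchedSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }

function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

# Decode a REG_BINARY DCOM permission value under HKLM\SOFTWARE\Microsoft\Ole
# (DefaultAccessPermission = "Edit Default", MachineAccessRestriction = "Edit
# Limits") and return the allow-ACEs granted to the watched principals.
function Get-DcomAllowAce([string]$ValueName) {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $raw = if ($ole) { $ole.$ValueName } else { $null }
    if (-not $raw) { return }                  # value absent: Windows built-in defaults apply
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($Script:WatchedSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $Script:WatchedSids[$sid]
                Remote    = (($ace.AccessMask -band $Script:ComRightsExecuteRemote) -ne 0)
            }
        }
    }
}

function Get-OpcSecurityAudit {
    [CmdletBinding()]
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server')
    $f = [System.Collections.Generic.List[object]]::new()

    if ($Role -eq 'Server') {
        # Standard model: IT Security Tool creates these groups and 5.2.5 populates them.
        foreach ($g in 'STM_OPC', 'STM_ENGINEER', 'STM_MAINTENANCE') {
            if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
                $f.Add((New-Finding "Group $g" 'Missing' 'Expected under the Standard model')); continue
            }
            $m = (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '
            $f.Add((New-Finding "Group $g" 'Present' "Members: $m"))
        }
    } else {
        # Client PC: the server process authenticates back to the client as STM_PROCESS (5.2.8 table).
        $u = Get-LocalUser -Name 'STM_PROCESS' -ErrorAction SilentlyContinue
        $f.Add((New-Finding 'User STM_PROCESS' $(if ($u) { 'Present' } else { 'Missing' }) 'Standard-model callback account'))
    }

    # Windows Firewall: a disabled profile matches procedure B.
    foreach ($p in Get-NetFirewallProfile) {
        $f.Add((New-Finding "Firewall profile $($p.Name)" $(if ($p.Enabled) { 'OK' } else { 'Weak' }) "Enabled=$($p.Enabled)"))
    }

    # DCOM default authentication level: 1 = None (procedure B), 2 = Connect (Windows default when absent).
    $lvl = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $lvl) { $lvl = 2 }
    $f.Add((New-Finding 'DCOM default authentication level' $(if ($lvl -le 1) { 'Weak' } else { 'OK' }) "LegacyAuthenticationLevel=$lvl"))

    # DCOM access permissions: Everyone remote under "Edit Default", ANONYMOUS LOGON remote under "Edit Limits".
    foreach ($a in Get-DcomAllowAce 'DefaultAccessPermission') {
        if ($a.Principal -eq 'Everyone' -and $a.Remote) { $f.Add((New-Finding 'DCOM default access permission' 'Weak' 'Everyone has remote access')) }
    }
    foreach ($a in Get-DcomAllowAce 'MachineAccessRestriction') {
        if ($a.Principal -eq 'ANONYMOUS LOGON' -and $a.Remote) { $f.Add((New-Finding 'DCOM access limits' 'Weak' 'ANONYMOUS LOGON has remote access')) }
    }

    # Local policy "Network access: Let Everyone permissions apply to anonymous users" (1 = enabled).
    $eia = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous
    $f.Add((New-Finding 'Everyone includes anonymous' $(if ($eia -eq 1) { 'Weak' } else { 'OK' }) "EveryoneIncludesAnonymous=$eia"))
    return $f
}

Get-OpcSecurityAudit -Role Server | Format-Table -AutoSize
```

Run with -Role Client on an OPC client PC; the "Weak" rows are expected on a third-party client configured for the Legacy model and should not appear on a Standard-model PC.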
5.2.9 Testing OPC Server Connection
Use the OPC Connection Test Tool to test the OPC server connection.
・For Standard model:
Log on as a user belonging to the STM_ENGINEER or STM_MAINTENANCE group.
The following configuration is required on the server PC for the user account running the OPC Connection Test Tool (hereafter referred to as the test user):
1) On the server PC, create a user having the same name and password as the test user created on the client PC.
2) Add the test user to the STM_OPC group on the OPC server PC.
・For Legacy model:
You can log on as any user.
● OPC DA Interface
1. Select [Start]-[Exaopc]-[OPC Connection Test Tool] from Windows Start button. The OPC Connection Test Tool window is displayed.
2. Click the ProgID tab. Select [DA] of the OPC Server group, and specify "Yokogawa.ExaopcDASTARDOMFCX" for [ProgID].
3. Click the [StartTest] button.
4. If the following message dialog is displayed, click [OK]. (You can ignore the message as it relates to a data file for Exaopc.)
5. Leave the ItemID field empty and click [OK]. The first item ID found by browsing is displayed. (If you know the Item ID, you may also enter the value before clicking [OK].)
6. Check all program steps and terminate the Tool. In particular, check for any error messages, which are displayed in red.
● OPC A&E Interface
Follow the same procedure described above for OPC DA Interface except that you should replace step 2 as follows:
2. Click the ProgID tab. Select [A&E] of the OPC Server group, and specify "Yokogawa.ExaopcAESTARDOMFCX" for [ProgID].
TIP
The OPC Connection Test Tool is also installed when you install FCN/FCJ OPC Server for Windows.
The OPC Connection Test Tool is installed on the client PC when you perform client setup.
5.3 Configuration for Collaboration with Other Products
This section describes the IT security configuration procedure for a collaborative
environment where FCN/FCJ OPC Server is installed on a different PC from other
products.
■ Collaboration with Other System Products
Apply the same security model for the OPC server and collaborative subsystems.
For user management, if the OPC server is installed within an environment using domain
management, define standalone management only for the PC installed with OPC Server.
■ Security Settings for the PC Installed with OPC Server
The table below lists combinations of collaborative products and the IT Security Settings for the
PC to be installed with OPC Server.
Table: Combinations for Collaborative Environment
Collaborative product (OPC client) | IT Security settings of PC installed with OPC server: Security model | User management
SIOS | Legacy model, Standard model | Standalone management
PRM | Legacy model, Standard model | Standalone management
Third-party products | Legacy model, Standard model (*1) | Standalone management
*1: If connecting with third-party products, there will be a mixture of security models (including Standard model and not defined) within the same system. Even if you follow the configuration procedures described here, some clients may fail to connect. If this happens, select the Legacy model for the OPC Server.
TIP
・ It is recommended to use the same security model throughout a system, as mixing different security models creates vulnerable parts.
・ If mixed security models are present, implement security measures for PCs not configured with the Standard model by splitting the network segment or other means.
・ The Standard model supports connection with YOKOGAWA products (PRM and SIOS).
5.3.1 Collaboration with SIOS
■ Configuration on SIOS side
Follow the procedure described in "5.2.8. Configuring OPC Clients."
■ Configuration on OPC Server side
● For Standard Model
Creating the CTM_PROCESS Account
1. Run the following program on the CENTUM VP software media.
DVD-ROM drive:\CENTUM\SECURITY\Yokogawa.IA.iPCS.Platform.Security.CreateCentumProcess.exe
2. Add CTM_PROCESS to the STM_OPC user group.
Creating CENTUM Launch Account
1. Create an account with the same name as the account running CENTUM.
2. Define the same password too.
3. Add the created account to the STM_OPC group.
4. Reboot the PC.
● For Legacy Model
No configuration is required.
■ Configuration on CENTUM side
If managing STARDOM alarms using CAMS for HIS running on HIS, create a user account on the HIS PC.
1. Insert the FCN/FCJ software media (DVD-ROM) into the DVD-ROM drive. Run "\Pkg_OPCDAServer\ClientSetup\CreateStardomOpcProcess.exe". The STM_PROCESS user account is created.
2. Reboot the HIS PC.
5.3.2 Collaboration with PRM
■ Configuration on PRM side
Follow the procedure described in "5.2.8. Configuring OPC Clients."
■ Configuration on OPC Server side
● For Standard Model:
Creating the PRM_PROCESS Account
1. Run the following program on the PRM software media.
DVD-ROM drive:\PRM\SecuritySettingUtility\CreateInternalUserAccount.exe
2. Add PRM_PROCESS to the STM_OPC group.
● For Legacy Model:
No configuration is required.
5.4 Installing on the Same PC as Other Products
This section describes the procedure for installing OPC Server on the same PC as PRM,
SIOS and VDS.
The table below shows the possible configuration combinations for installing OPC Server on the same PC as the above software products.
Co-existing product | IT security settings when using co-existing product: Security model | User management
SIOS | Legacy model, Standard model | Standalone management
PRM | Legacy model, Standard model | Standalone management
VDS | Not defined | Not defined
Third-party products | Legacy model | Standalone management
IMPORTANT
If installing OPC Server on the same PC as VDS, do not install IT Security Tool. Modify the security settings manually to match the operating environment of VDS. For details, see "5.4.3. Installing on the Same PC as VDS."
5.4.1 Installing on the Same PC as SIOS
This subsection describes the installation and configuration procedures for installing
SIOS and OPC Server on the same PC and connecting from SIOS to OPC Server.
■ Installation Procedure
1. Install SIOS.
2. If installation is successful, the IT Security Settings dialog is displayed. Click [Cancel] without changes.
3. Follow the procedures described in "5.2.2. Configuring Environment before Installation" to "5.2.7. Configuring Duplexed Network Function."
4. For the Standard model, add CTM_PROCESS to the STM_OPC group. (This is to allow connection from SIOS to OPC Server as described in "5.2.5. Configuring User Accounts.")
5. Create CENTUM launch account.
- Create an account with the same name as the account running CENTUM.
- Define the same password too.
- Add the created account to the STM_OPC group.
6. Reboot the SIOS PC.
7. Perform OPC server connection test.
■ Configuration on CENTUM Side
If managing STARDOM alarms using CAMS for HIS running on HIS, create the required user account on the HIS PC.
1. Insert the FCN/FCJ software media (DVD-ROM) into the DVD-ROM drive. Run "\Pkg_OPCDAServer\ClientSetup\CreateStardomOpcProcess.exe". The STM_PROCESS user account is created.
2. Reboot the HIS PC.
5.4.2 Installing on the Same PC as PRM
This subsection describes the installation and configuration procedures for installing
PRM and OPC Server on the same PC and connecting from PRM to OPC Server.
■ Installation Procedure
1. Install PRM.
2. If installation is successful, the IT Security Settings dialog is displayed. Click [Cancel] without changes.
3. Follow the procedures described in "5.2.2. Configuring Environment before Installation" to "5.2.7. Configuring Duplexed Network Function."
4. For the Standard model, add PRM_PROCESS to the STM_OPC group. (This is to allow connections from PRM to OPC Server as described in "5.2.5. Configuring User Accounts.")
5. Reboot the PRM PC.
6. Perform OPC server connection test.
TIP
Registry configuration by editing the "PRMInternalAccount.reg" file is not required.
■ Configuring OPC Clients
The configuration of OPC clients connecting to OPC Server co-existing with PRM on the same
PC is described here.
Follow the procedure described in Subsection 5.2.8, "Configuring OPC Clients" but with the
difference described below.
● Callback connection user
The table below shows the user account running the server process on the OPC Server co-existing with PRM on the same PC.
Security model | User account running server process | Password | Users permitted to connect to server
Legacy model | PRMUSER | PRMUSER | All users
Standard model | PRM_PROCESS | Confidential | Users belonging to the STM_OPC group
If using the Standard model, use the PRM internal user account creation tool (CreateInternalUserAccount.exe) to create the PRM internal user account "PRM_PROCESS" on the client PC.
TIP
For details on the PRM internal user account creation tool, see "Plant Resource Manager Installation" (IM 33Y05Q12-11E).
5.4.3 Installing on the Same PC as VDS
This subsection describes the procedure for installing VDS and OPC Server on the same
PC.
■ Conditions for Installing VDS and OPC Server on the Same PC
・ Do not install IT Security Tool.
(This is because VDS does not support IT Security Tool.)
・ If using the Duplexed Network Function, use the duplexed network function included in
VDS.
■ Installation Procedure
● If Installing OPC Server in an Environment Already Installed with VDS
1. Log on using the Administrator account. (Logging on using an account with Administrator rights is not sufficient.)
2. Stop the Duplexed Network service.
3. Install OPC Server.
4. Reconfigure DCOM of VDS.
TIP
Installing OPC Server overwrites the previous DCOM configuration, so it is necessary to redo the DCOM configuration for VDS.
IMPORTANT
・Do not install IT Security Tool.
・Do not install the Duplexed Network program for FCN/FCJ OPC server.
● If Performing a New Installation of VDS and OPC Server on a PC:
Install OPC Server first.
1. Install OPC Server.
2. Configure the environment of the OPC server.
3. Install VDS.
4. Configure the environment of VDS.
5.5 IT Security Tool
IT Security Tool is a common security configuration tool for all STARDOM system
products.
It allows security configuration of all installed STARDOM system products to be defined
and modified collectively.
As such, the same security model must be used for all products installed on the same PC.
■ Overview
IT Security Tool is stored on the FCN/FCJ installation media (DVD) and can be used for all FCN/FCJ engineering tools (Logic Designer, Resource Configurator, etc.).
The table below summarizes the functions of IT Security Tool.
Table: Summary of IT Security Tool functions
Function | Setting item | Description
Configuration | Selection and modification of security model | The following security model options are available: ・Standard model ・Legacy model. The Strengthened model cannot be selected for STARDOM. Co-existence with other systems configured with the Strengthened model on the same PC is not allowed.
Configuration | Selection of user management | You can select whether access rights of users shown in "User rights in Standard mode" are to be managed for standalone (workgroup) users or domain users.
■ IT Security Version 2.0 Setting Items and Default Settings
When you click the [Details] button on the IT Security Settings window, the following items can be selected.
● Settings for Standard Model
Setting item | Default check box state | Modification
Creating local users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access Control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Set 'Personal Firewall-[Allow unicast response]' to 'No' | Selected | Editable
Disabling NetBIOS over TCP/IP | Clear | Editable
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
Applying the software restriction policies | Clear | Editable
User Rights Assignment-[Access this computer from the network] | Clear | Editable
User Rights Assignment-[Deny log on locally] | Selected | Fixed
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Fixed
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Machine inactivity limit] | Clear | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network server: Digitally sign communications (if client agrees)] | Selected | Editable
Security Options-[Microsoft network server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Selected | Editable
Group Policy-[Configure registry policy processing] | Selected | Editable
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Event Viewer "Events.asp" links] | Selected | Editable
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Selected | Editable
Internet Communication settings-[Turn off printing over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Search Companion content file updates] | Selected | Editable
Internet Communication settings-[Turn off the "Publish to Web" task for files and folders] | Selected | Editable
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Selected | Fixed
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Selected | Fixed
Logon-[Do not display network selection UI] | Selected | Editable
Logon-[Do not enumerate connected users on domain-joined computers] | Selected | Editable
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Selected | Editable
Logon-[Turn off app notifications on the lock screen] | Selected | Editable
Mitigation Options-[Untrusted Font Blocking] | Selected | Editable
User Profiles-[Turn off the advertising ID] | Selected | Editable
App Privacy-[Let Windows apps access account information] | Selected | Editable
App Privacy-[Let Windows apps access call history] | Selected | Editable
App Privacy-[Let Windows apps access contacts] | Selected | Editable
App Privacy-[Let Windows apps access email] | Selected | Editable
App Privacy-[Let Windows apps access location] | Selected | Editable
App Privacy-[Let Windows apps access messaging] | Selected | Editable
App Privacy-[Let Windows apps access motion] | Selected | Editable
App Privacy-[Let Windows apps access the calendar] | Selected | Editable
App Privacy-[Let Windows apps access the camera] | Selected | Editable
App Privacy-[Let Windows apps access the microphone] | Selected | Editable
App Privacy-[Let Windows apps access trusted devices] | Selected | Editable
App Privacy-[Let Windows apps control radios] | Selected | Editable
App Privacy-[Let Windows apps sync with devices] | Selected | Editable
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Selected | Editable
AutoPlay Policies-[Turn off Autoplay] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Cloud Content-[Do not show Windows Tips] | Selected | Editable
Cloud Content-[Turn off Microsoft consumer experiences] | Selected | Editable
Data Collection and Preview Builds-[Allow Telemetry] | Selected | Editable
Data Collection and Preview Builds-[Disable pre-release features or settings] | Selected | Editable
Data Collection and Preview Builds-[Do not show feedback notifications] | Selected | Editable
Data Collection and Preview Builds-[Toggle user control over Insider builds] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
HomeGroup-[Prevent the computer from joining a homegroup] | Selected | Editable
OneDrive-[Prevent the usage of OneDrive for file storage] | Selected | Editable
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Selected | Editable
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Selected | Editable
Device and Resource Redirection-[Do not allow drive redirection] | Selected | Editable
Security-[Always prompt for password upon connection] | Clear | Editable
Security-[Require secure RPC communication] | Selected | Editable
Security-[Require user authentication for remote connections by using Network Level Authentication] | Selected | Editable
Session Time Limits-[Set time limit for active but idle Remote Desktop Services sessions] | Clear | Editable
Disable 'Search-[Allow Cortana]' | Selected | Editable
Software Protection Platform-[Turn off KMS Client Online AVS Validation] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Fixed
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable
Notifications-[Turn off toast notifications on the lock screen] | Selected | Editable
■ IT Security Version 1.0 Setting Items and Default Settings
When you click the [Details] button on the IT Security Settings window, the following items can be selected.
● Settings for Legacy Model
Setting item | Default check box state | Modification
Creating local users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Local security | Selected | Fixed
Changing IT environment settings - Hiding the last logon user name | Selected | Editable
Changing IT environment settings - Applying AutoRun restrictions | Selected | Editable
● Settings for Standard Model
Setting item | Default check box state | Modification
Creating local users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Local security | Selected | Fixed
Changing IT environment settings - Hiding the last logon user name | Selected | Editable
Changing IT environment settings - Applying the software restriction policies (Path) | Selected | Editable
Changing IT environment settings - Applying AutoRun restrictions | Selected | Editable
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Editable
Changing IT environment settings - Disabling USB storage devices | Clear | Editable
Changing IT environment settings - Disabling NetBIOS over TCP/IP | Clear | Editable
Changing IT environment settings - Changing the LAN Manager authentication level | Clear | Editable
TIP
You can modify these settings by clicking on the Description column in the IT Security Settings window.
5.6 Adding and Removing Software
n Adding Software
After installing the software, reconfigure security using IT Security Tool. In this way, IT security is reconfigured with the newly added software included.
1. Log on as a user of the Administrators group for the Legacy model or as a user of the STM_MAINTENANCE group for the Standard model.
2. Terminate all applications. The FCN/FCJ OPC Server and other services are stopped automatically at the time of security configuration.
3. Note down all the current IT security settings.
Reconfiguring IT Security and Registering Configuration File
4. Add or remove software as required.
5. Run "IT security configuration file registration" from the Windows start menu to register the IT security configuration file.
6. Apply IT security settings using IT Security Tool.
To restore any IT security settings, do so manually by referring to the note made in step 4 above.
TIP
IT security settings may be cleared by software addition or removal. To protect against such a possibility, you should note down all current IT security settings, including:
• the security model; and
• the selected setting items (if the default selections have been modified). To do so, click the [Details] button to open the Setting Items Selection window and note down the list of selected check boxes.
5.7 Changing the Security Model
n Procedure
1. Log on as a user of the Administrators group for the Legacy model or as a user of the STM_MAINTENANCE group for the Standard model.
2. Terminate all applications. The FCN/FCJ OPC Server and other services are stopped automatically at the time of security configuration.
3. Modify IT Security settings using IT Security Tool.
TIP
The following users and groups, which are created automatically at the time of security configuration, are not deleted even if you change the security model. Delete them manually if they are no longer required.
l User Created Automatically for Legacy Model
User: EXA (*1)
l Users Created Automatically for Standard Model
User: STM_PROCESS (*1)
Group: STM_OPC (*1), STM_ENGINEER, STM_MAINTENANCE
*1: The above users and groups are created automatically only if FCN/FCJ OPC Server is installed.
5.8 Removing IT Security Tool
n Procedure
To remove IT Security Tool, run the “\Pkg_ITSecurity\DeleteFCN-FCJ_ITSecurity.cmd” file on the
FCN/FCJ Software media as a user with Administrator rights.
IMPORTANT
Security settings are not restored even if you remove IT Security Tool. To restore security
settings, restore a full backup of the PC.
6. Utility Programs
This chapter describes the StorageDeviceCTL and SdcsChangeOPCAccount utility programs.
6.1 StorageDeviceCTL
n StorageDeviceCTL
This utility temporarily cancels the following disabling of storage devices.
• Disabling of write permissions set by applying the StorageDevicePolicies function
• Disabling set by applying “Disabling USB storage devices”
l Detailed Explanation
When you cannot write to storage devices due to application of the StorageDevicePolicies function or disabling of USB storage devices, you can execute StorageDeviceCTL to cancel the effect of these security measures temporarily. Writing to storage devices is enabled while StorageDeviceCTL is running.
Start this tool, insert a USB memory into the PC, and then perform the writing tasks. The STM_MAINTENANCE right is required to execute the tool.
Use this tool only on PCs for which the StorageDevicePolicies function or disabling of USB storage devices is set.
IMPORTANT
Be sure to make the PC recognize the storage device after starting this tool.
l Start Method
The tool is started with the procedure below.
1. Use Windows Explorer to open the following folder. If the program is on the C: drive, the location is:
C:\Program Files\Yokogawa\IA\iPCS\Platform\SECURITY\PROGRAM\
However, the location for Windows 7 and Windows Server 2008 R2 is:
C:\Program Files (x86)\Yokogawa\IA\iPCS\Platform\SECURITY\PROGRAM\
2. Double-click the following program file in the folder:
Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
The task is displayed only in the task bar immediately after startup.
Figure Task Bar
3. Plug a USB memory into a USB port of the PC.
4. Read/write the necessary data from/to the USB memory.
5. Remove the USB memory.
TIP
To remove a USB memory, right-click the [Safely Remove Hardware and Eject Media] icon in the task tray and select [Eject USB storage].
6. Click [StorageDeviceCTL] in the task bar and then click [WriteStop] to end the task.
Figure StorageDeviceCTL Dialog Box
SEE ALSO
For details of the StorageDevicePolicies function and disabling of USB storage devices, see:
3.4.5, “Applying the StorageDevicePolicies Function”
3.4.6, “Disabling USB Storage Devices”
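Because writing to storage devices stays enabled for as long as StorageDeviceCTL runs, a maintenance user will want to confirm, after clicking [WriteStop], that the tool has exited and that the restrictions are in force again. The following PowerShell check is an added example, not part of the manual or of StorageDeviceCTL; it assumes the Windows-standard locations for the two measures (the StorageDevicePolicies WriteProtect value and the USBSTOR driver start type), which the manual does not state.

```powershell
# Added example, not part of the Yokogawa manual or of StorageDeviceCTL itself:
# after [WriteStop], confirm that the tool has exited and that the two
# restrictions it temporarily cancels are in force again.
# Assumptions (Windows-standard locations, not stated in the manual):
#   - the StorageDevicePolicies function sets
#     HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect = 1
#   - "Disabling USB storage devices" sets the USBSTOR driver start type to 4
function Test-StorageDeviceRestriction {
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $usbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $wp  = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    $usb = (Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue).Start
    # Process name is the program file from the Start Method above, without ".exe".
    $ctl = Get-Process -Name 'Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        StorageDeviceCtlRunning = [bool]$ctl
        WriteProtectInForce     = ($wp -eq 1)
        UsbStorageDisabled      = ($usb -eq 4)
    }
}

$state = Test-StorageDeviceRestriction
$state
if ($state.StorageDeviceCtlRunning) {
    Write-Warning 'StorageDeviceCTL is still running: writing to storage devices remains enabled. Click [WriteStop].'
}
elseif (-not ($state.WriteProtectInForce -or $state.UsbStorageDisabled)) {
    Write-Warning 'Neither restriction is set on this PC; the manual says to use StorageDeviceCTL only where one of them applies.'
}
```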
6.2 SdcsChangeOPCAccount
n SdcsChangeOPCAccount
This tool is used to change the passwords for the operating accounts “EXA” and “STM_PROCESS” of the services used by STARDOM. FCN/FCJ OPC Server for Windows is a package that uses the EXA account and the STM_PROCESS account.
l Detailed Explanation
An EXA account is created when applying the conventional model of IT security, and an STM_PROCESS account is created when applying the standard model (V1.0, V2.0). These accounts are the operating accounts of the service programs used by STARDOM. Use this tool to change the passwords for these accounts.
l Password Change Procedure
Follow the steps below to change the account password.
First, use the functions of the OS to change the password of the account. After that, use this tool to re-register the operating account of the service used in STARDOM.
1. Sign in as a user with administrator privileges (belonging to the Administrators group).
Click the [Start] menu - [Windows System Tools] - [Control Panel] - [System and Security] - [Administrative Tools].
The “Administrative Tools” window opens.
2. Double-click [Computer Management].
The “Computer Management” window opens.
3. Right-click [System Tools] - [Local Users and Groups] - [Users] - [STM_PROCESS].
Click [Change Password] in the context menu.
4. The “Set Password for STM_PROCESS” dialog is displayed.
Click [Continue].
5. Enter the new password and click the [OK] button.
When “Password has been set” is displayed, click the [OK] button.
6. At the command prompt, move to the following folder. The following is an example for the C drive.
Example) C:\Program Files (x86)\Yokogawa\STARDOM\ITSecurity
7. At the command prompt, type the following command and press ENTER.
For conventional models:
SdcsChangeOPCAccountΔ/UΔEXAΔ/PΔ<Password>
For standard model (V1.0 or V2.0):
SdcsChangeOPCAccountΔ/UΔSTM_PROCESSΔ/PΔ<Password>
Note:
<Password>: Password changed on the user group screen
Δ: Space
8. Restart the PC.
TIP
- If you specify a non-existent account, or if you enter a password in the SdcsChangeOPCAccount command that is different from the new password you set in the “Set Password for STM_PROCESS” dialog, an error dialog is displayed. Check the command contents again.
- The EXA account and STM_PROCESS account are not deleted by the revision upgrade installation / version upgrade installation of this product. Reconfiguring IT security tools does not revert to the default password.
- After changing the password in this procedure, if you make security settings again with the IT security tool, the error dialog mentioned above is displayed during the security settings. Click the OK button to close the dialog and continue with the IT security settings. After that, reset the operating account according to step 6 and the subsequent steps.
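The first TIP item above describes the failure mode of this procedure: the password typed into the SdcsChangeOPCAccount command differs from the one set in the dialog. The following PowerShell script is an added example, not part of the manual or its tools, that sets both from a single value; it replaces the Computer Management steps 1 to 5 with Set-LocalUser and assumes the tool is SdcsChangeOPCAccount.exe in the folder from step 6 and returns a non-zero exit code on failure (neither is documented here).

```powershell
# Added example, not part of the Yokogawa manual or its tools: change the
# service account password and re-register it with SdcsChangeOPCAccount in
# one go, so the password passed to the tool can never differ from the one
# set in Windows. Run from an elevated PowerShell prompt, then restart the
# PC (step 8).
# Assumptions: the tool is SdcsChangeOPCAccount.exe in the folder from step 6
# and returns a non-zero exit code on failure (the manual documents neither).
param(
    [ValidateSet('Standard', 'Legacy')]
    [string]$Model = 'Standard'
)
$account = if ($Model -eq 'Standard') { 'STM_PROCESS' } else { 'EXA' }
$toolExe = 'C:\Program Files (x86)\Yokogawa\STARDOM\ITSecurity\SdcsChangeOPCAccount.exe'

if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    throw "Account '$account' does not exist here; check which security model is applied."
}
if (-not (Test-Path -Path $toolExe)) {
    throw "Tool not found: $toolExe"
}

# Read the new password once, without echoing it to the console.
$secure = Read-Host -Prompt "New password for $account" -AsSecureString

# Steps 1 to 5: set the Windows account password.
Set-LocalUser -Name $account -Password $secure

# Step 7: the tool takes the password in clear text on its command line.
# Note for defenders: command-line auditing (e.g. event 4688 with command
# line logging, or Sysmon event 1) records it, so treat those logs as
# sensitive. Keep the clear-text copy alive only for this call.
$plain = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    & $toolExe /U $account /P $plain
    if ($LASTEXITCODE -ne 0) {
        throw "SdcsChangeOPCAccount failed with exit code $LASTEXITCODE; check the command contents."
    }
}
finally {
    Remove-Variable -Name plain
}
Write-Host "Operating account $account re-registered. Restart the PC to complete the change."
```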
7. Related Programs
7.1 Related Programs
This section explains the following related programs.
• Windows security patches
• Antivirus software
n Windows Security Patches
It is recommended to promptly apply the tested security patches that Yokogawa has acknowledged as required for the STARDOM system. Prompt action is required to deal with zero-day attacks and with attacks that exploit a software vulnerability (security hole) immediately after its disclosure.
Moreover, when security patches and service packs are applied to the STARDOM system, the existing security settings (firewall settings and local security settings) may be changed. After applying security patches or service packs, make sure that the existing security settings are still in effect.
n Antivirus Software
It is recommended to install antivirus software tested by Yokogawa on the PCs and domain controllers within the STARDOM system before starting operation.
When the scan engine and pattern files of the antivirus software are updated, PC restarts and other operations may be affected unexpectedly. Exercise sufficient caution when updating antivirus software, for example by checking the operation beforehand on a PC set aside for testing.
8. Troubleshooting
This section describes the causes of and remedies for problems that may occur.
8.1 Error Occurs when Server Manager is Started
An error may occur when the server manager is started.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
You can avoid this problem with the following procedure. However, if you perform this procedure,
revert to the original setting after working with the server manager.
1. Open Control Panel.
2. Select [System and Security] - [Administrative Tools] - [Component Services].
The Component Services window appears.
3. Select [Console Root] - [Component Services] - [Computers] - [My Computer], then select [Properties] from the context menu.
The My Computer Properties dialog box appears.
Figure Component Services
4. From the Default Authentication Level drop-down list, select [Connect], and then click [OK].
Figure My Computer Properties
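The same None-to-Connect change, followed by a restart and a later revert, is the workaround in 8.1 and again in 8.4, 8.5 and 8.6. The following PowerShell functions are an added example, not part of the manual, for reading and switching that level from the command line; they assume that the Component Services dialog stores the setting in the Windows-standard value HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel (1 = None, 2 = Connect), which the manual does not state.

```powershell
# Added example, not part of the Yokogawa manual: scripted equivalent of the
# Component Services steps in 8.1 (also used by 8.4, 8.5 and 8.6).
# Assumption: the machine-wide DCOM Default Authentication Level is the
# Windows-standard DWORD HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
# (1 = None, 2 = Connect, ...); a missing value means the Windows default, Connect.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Levels = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-DcomDefaultAuthLevel {
    $v = (Get-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $v) { $v = 2 }   # value absent: Windows default is Connect
    [pscustomobject]@{ Value = [int]$v; Name = $Levels[[int]$v] }
}

function Set-DcomDefaultAuthLevel {
    # Only the two levels the manual switches between are accepted here.
    param([Parameter(Mandatory)][ValidateSet('None', 'Connect')][string]$Level)
    $value = if ($Level -eq 'None') { 1 } else { 2 }
    Set-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -Value $value -Type DWord
    # Takes effect after a restart (steps 2 and 5 of 8.4 to 8.6).
}

# Usage (elevated prompt): raise to Connect for the maintenance task, note the
# original level, and put it back afterwards as the manual requires.
$before = Get-DcomDefaultAuthLevel
"Current DCOM default authentication level: $($before.Name) ($($before.Value))"
if ($before.Name -eq 'None') {
    Set-DcomDefaultAuthLevel -Level 'Connect'
    "Set to Connect. Restart, run the task, then run Set-DcomDefaultAuthLevel -Level 'None' and restart again."
}
```

With None, DCOM performs no authentication at all, which is why the manual asks for the revert once the task is done; keep a record of the value returned by Get-DcomDefaultAuthLevel before changing it.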
8.2 Cannot Manage User Accounts in the User Accounts Dialog Box of Control Panel
You may not be able to create user accounts or perform other user account managing
operations in the User Accounts dialog box of Control Panel.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
Follow these steps to avoid this problem:
1. Open Control Panel.
2. Select [System and Security] - [Administrative Tools] - [Computer Management].
The Computer Management window appears.
3. In the left pane, select [Computer Management] > [System Tools] > [Local Users and Groups].
4. In the center pane, create a user or perform other operations.
8.3 Installed Update Programs are Not Displayed in the Programs and Features Window of Control Panel
Update programs installed on the computer may not be displayed in the Programs and
Features window of Control Panel.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
Follow these steps to avoid this problem:
1. Log on as an administrative user.
2. Open Command Prompt.
3. Run the following command.
wmic qfe list full
Information about the update programs installed on the computer is displayed.
4. In the center pane, create a user or perform other operations.
TIP
If you enter the command as follows, information about the installed update programs is output to a file in HTML format. This file is created in the folder where you run the command.
wmic qfe list full /format:htable > results.html
8.4 Cannot Install Microsoft Updates
Installation of Microsoft updates may fail with Error 80070543.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
You can avoid this problem with the following procedure.
1. Change the default authentication level of DCOM from [None] to [Connect].
2. Restart the computer.
3. Install the Microsoft updates.
4. Change the default authentication level of DCOM from [Connect] back to [None].
5. Restart the computer.
SEE ALSO
For more information about how to change the default authentication level of DCOM, refer to:
8.1, “Error Occurs when Server Manager is Started”
8.5 Failing to Install .NET Framework
An attempt to install .NET Framework may fail.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
You can avoid this problem with the following procedure.
1. Change the default authentication level of DCOM from [None] to [Connect].
2. Restart the computer.
3. Install the .NET Framework.
SEE ALSO
For more information about how to change the default authentication level of DCOM, refer to:
8.1, “Error Occurs when Server Manager is Started”
8.6 Cannot Install the Logic Designer
Installation of the Logic Designer may fail when installation of the Microsoft Visual C++ 2005 Redistributable fails with an error.
n Condition for Occurrence
The Default Authentication Level of DCOM is configured to None.
TIP
For example, the Default Authentication Level of DCOM is configured to None in the following cases:
• FCN/FCJ OPC Server for Windows is installed and IT security is not set.
• Security model is configured to Legacy model.
• The Default Authentication Level of DCOM is configured to None to enable communication with other computers.
n Workaround
You can avoid this problem with the following procedure.
1. Change the default authentication level of DCOM from [None] to [Connect].
2. Restart the computer.
3. Install the Logic Designer.
4. Change the default authentication level of DCOM from [Connect] back to [None].
5. Restart the computer.
SEE ALSO
For more information about how to change the default authentication level of DCOM, refer to:
8.1, “Error Occurs when Server Manager is Started”
Revision Information
l Title : STARDOM IT Security
l Manual No. : IM 34P02P93-01E
Jun. 2012/1st Edition/R3.20 or later
Newly published.
Mar. 2013/2nd Edition/R3.30 or later
Revised
Addition of an example of configuration for OPC server.
Mar. 2014/3rd Edition/R3.40 or later
Revised
• Support for Windows 7 64-bit.
• Windows XP was deleted.
Mar. 2015/4th Edition/R3.50 or later
Revised
• Errors are corrected.
Apr. 2016/5th Edition/R4.02 or later
Revised
• Support for R3.30.
May 2017/6th Edition/R4.10 or later
Revised
• Windows Server 2008 was deleted.
Jun. 2018/7th Edition/R4.20 or later
Revised
• Support for Windows 10.
Aug. 2021/8th Edition/R4.30 or later
Revised
• Support IT security version 2.0.
• Support for Windows Server 2016.
Jan. 2022/9th Edition/R4.31 or later
Revised
• Support for Windows 10 (IoT) Enterprise 2019 LTSC and Windows Server 2019.
Oct. 2024/10th Edition/R4.40 or later*
Revised
• Support for Windows 10 (IoT) Enterprise LTSC 2021 and Windows Server 2022.
* : Denotes the release number of the software corresponding to the contents of this user’s manual.
The revised contents are valid until the next edition is issued.
n For Questions and More Information
If you have any questions, you can send an E-mail to the following address.
E-mail:stardom_info@cs.jp.yokogawa.com
n Written by
Yokogawa Electric Corporation
n Published by Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN