Security Guide
IM 33K01C30-50E
4th Edition
Introduction
This manual is a guide for implementing security in the CENTUM VP system from the viewpoint
of Information Technology (IT).
It explains security models and setting details of CENTUM VP. Please read this manual to learn
about the details of security settings.
The intended readers of this manual are engineers who examine construction and operation of
the CENTUM VP system.
Media No. IM 33K01C30-50E (DVD) 4th Edition : Jun. 2012 (YK)
All Rights Reserved Copyright © 2011, Yokogawa Electric Corporation
Engineering
Engineering Reference Vol. 2: IM 33K03G22-50E
Engineering Reference Vol. 3: IM 33K03G23-50E
Consolidated Alarm Management Software Reference: IM 33K03H20-50E
Batch Management System Reference: IM 33K03J10-50E
Engineering Tutorial: IM 33K02E10-50E
APCS Reference: IM 33K15U10-50E
CENTUM Data Access Library Tutorial: IM 33K15P10-50E
FOUNDATION fieldbus Reference: IM 33K20T10-50E
FOUNDATION fieldbus Engineering Guide: IM 33K20T20-50E
Hardware
Peripherals: IM 33K50C10-50E
Field Control Stations: IM 33K50E40-50E
Input & Output Modules: IM 33K50G10-50E
Turbomachinery I/O Modules: IM 33K10U10-50E
Safety Precautions
• In order to protect the system controlled by the product as well as the product itself and
ensure safe operation, observe the safety precautions described in this user’s manual. We
assume no liability for safety if users fail to observe these precautions when operating the
product.
• Do not use the product for any application not approved by YOKOGAWA.
• Do not use the accessories (power supply cord set, etc.) that came with the product for any
other products.
• The following symbols are used in the product and user’s manual to indicate that there are
precautions for safety:
Indicates that caution is required for operation. This symbol is placed on the product to refer
the user to the user’s manual in order to protect the operator and the equipment. In the
Indicates an AC supply.
Indicates a DC supply.
Notes on Software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the
terms of warranty.
• This product may be used on one machine only. If you need to use the product on another
machine, you must purchase another product.
• It is strictly prohibited to reproduce the product except for the purpose of backup.
• Store the DVD-ROM (the original medium) in a safe place.
• It is strictly prohibited to perform any reverse-engineering operation, such as reverse
compilation or reverse assembling on the product.
• No part of the product may be transferred, converted or sublet for use by any third party,
without prior written consent from YOKOGAWA.
Documentation Conventions
The following typographical conventions are used throughout the user’s manuals:
The characters that must be entered are shown in monospace font as follows:
Example:
FIC100.SV=50.0
This symbol indicates the description for an item for which you should make a setting in the
product’s engineering window.
While operating an engineering window, the help information for the selected item can be
Example:
Characters enclosed by brackets within any description on a key or button operation, indicate
The following conventions are used within a command syntax or program statement format:
Indicate character strings that user can specify freely according to certain guidelines.
Example:
Indicate those character strings that can be selected from more than one option.
Example:
opeguide <format_character_string> [, <output_value> ...]
OG,<element number>
The following callouts are used in this manual: CAUTION, WARNING, IMPORTANT, TIP, SEE ALSO.
Clicking a reference displayed in green can call up its source, while clicking a reference
displayed in black cannot.
Drawing Conventions
description.
Some screen images depicted in the user’s manual may have different display positions or
character types (e.g., the upper / lower case). Also note that some of the images contained in this
user’s manual are display examples.
The copyright of the programs and online manuals contained in the DVD-ROM or CD-ROM shall
remain in Yokogawa.
You are allowed to print out the required pages of the online manuals for using the product,
however, you are not allowed to print out the entire document. You can purchase the printed
manual from Yokogawa.
Except as stated above, no part of the online manual may be reproduced, either in electronic
or written form, registered, recorded, transferred, sold or distributed (in any manner including
network).
• CENTUM, ProSafe, Vnet/IP, PRM, Exaopc and STARDOM are registered trademarks of
YOKOGAWA.
• All other company and product names mentioned in this user’s manual are trademarks or
registered trademarks of their respective companies.
• We do not use TM or ® mark to indicate those trademarks or registered trademarks in this
user’s manual.
• We do not use logos and logo marks in this user's manual.
CONTENTS
2. Security Models
2.2 User/Group Management
2.2.1 User Management Methods 2-5
2.2.2 CENTUM VP User Authentication Modes 2-6
2.2.3 Users/Groups with Respect to the Combination of User Management and Security Model 2-9
2.2.4 User Name and Password Policies 2-14
2.2.5 Special User 2-15
3. Details of Security Measures
3.1.1 Access Rights to File/Folder 3-3
3.1.3 DCOM (OPC) and User/Group 3-12
3.1.4 Local Security and User/Group 3-13
3.2 Personal Firewall Tuning
3.3 Stopping Unused Windows Services
3.4.1 Changing or Disabling the User Name of “Administrator” 3-19
3.4.3 Applying the Software Restriction Policies 3-21
3.4.4 Applying AutoRun Restrictions 3-23
3.4.5 Applying the StorageDevicePolicies Function 3-24
3.4.8 Changing the LAN Manager Authentication Level 3-27
3.4.9 Applying the Password Policies 3-28
3.4.10 Applying the Audit Policy 3-29
3.4.11 Applying the Account Lockout Policy 3-30
product.
Term | Explanation
IT security | Security measures considered based on the given IT environment, in order to protect the system and handle current and future security threats, including cyber terrorism.
User authentication mode | A function that prescribes the user management method of Windows users and of the users used in CENTUM VP. There are two modes: Windows authentication mode and CENTUM authentication mode.
CENTUM authentication mode | One of the user authentication modes. In this mode, the users used in CENTUM VP, as well as their access permissions, are managed independently in CENTUM VP.
Windows authentication mode | One of the user authentication modes. This mode links credentials of Windows
(term not recoverable) | A user sign on type that when Windows authentication mode is selected as the
dialog box.
Windows Type Single Sign On | A user sign on type that, when Windows authentication mode is selected as the user authentication mode, performs the user sign on in the Windows logon dialog box.
Kerberos authentication | The default authentication method of a Windows domain; it is used in a domain environment where server and client PCs are mixed, for single sign on. Once a user is authenticated, the authentication is valid for the entire system.
important data.
[Figure: security threats to the CENTUM VP system. 1. Attacks over the network (Intranet, Ethernet, control bus, FCS). 3. Theft of an HIS or a PC installed with system builders, or theft of data.]
following table shows the security measures and the security threats handled by them.
–: Not applicable
IMPORTANT
Please consult Yokogawa if IT security of the Strengthened model is required.
Security Models
The features of the security models are shown in the following table.
SEE
ALSO • For details of security measures, see the following:
3, “Details of Security Measures”
• A security setting tool is available for setting up the Legacy model and Standard model security settings; for more
information, see the following:
6.1, “IT Security Tool”
Management method | Configuration | Operation | Feature
Workgroup (standalone) management | CENTUM VP system only. | Operated by registering user accounts used in each of all the system builders. | Since account management is required for each PC, all PCs must be maintained at user account maintenance, making this method not suited for large-scale systems. It is not possible to separate administrator rights to PC and maintenance rights to CENTUM VP system.
Domain management | Construction of domain controller, in addition to CENTUM VP system, is required. | Operated by registering user accounts used to the domain controller. | Centralized management of users is possible, allowing less human errors. It is possible to separate administrator rights to PC and maintenance rights to CENTUM VP system.
Combination management | Construction of domain controller, in addition to CENTUM VP system, is required. | Operated the same way as for the domain management in normal operation. | Even if a domain controller is not available, continuous operation is possible by managing accounts of each PC. It is not possible to separate administrator rights to PC and maintenance rights to CENTUM VP system.
TIP
The combination management is used when operation similar to workgroup management is assumed in normal
operation although the main user management is performed by the domain management.
assignment of rights to users is enabled on certain PCs on the authority of the person in charge at a site.
The CENTUM VP users that need to be authenticated are the following group users.
Users who use the operation and monitoring function. These users are registered using the
Users and builders that manage the users are shown in the table below.
When Windows authentication mode is set, user authentication is performed when a user logs on
to Windows. When the user then tries to use the operation and monitoring functions or builders,
the authentication is performed internally with the Windows logon user name, allowing the user to
continue tasks without entering a user name and password again.
• When the Windows authentication mode is used, the user management method needs to
be standardized to either domain management (combination management) or workgroup
management.
[Figure: the information on the user authentication mode is set in the project on the PC installed with system builders and downloaded over the control bus.]
is required after the setting. The information of the downloaded user authentication mode
(CENTUM authentication mode or Windows authentication mode) is used as follows.
authentication mode is different from the current user authentication mode while the
operation and monitoring functions are running, a system alarm will occur. The user
authentication mode is the Windows authentication mode, a system alarm will occur. The
Single Sign On
is referred to as single sign on. There are the following two types of single sign on.
• Windows Type Single Sign On
If a user logs on from the Windows logon dialog box, this user automatically logs on to the
operation and monitoring console, i.e., the user enters user-in status of the Operation
and Monitoring Functions. On the user-in dialog box, you can switch user. When you set a
user to user-out status, the user who previously logged on to Windows returns to user-in
status.
When a PC is started, this function automatically makes the user log onto the Windows and
starts the operation and monitoring function as OFFUSER (default user). After automatic
TIP
In CENTUM authentication mode, anonymous user be used to sign on the operation and monitoring console due
is restricted for signing on so as to improve the operation traceability and securer operation.
In the case of ENG group users, the affected range of user authentication mode setting is each
[Figure: for ENG group users, the information on the user authentication mode is held in the engineers’ account file or the users’ account file.]
The user authentication modes are set using the Access Control Utilities.
user authentication.
TIP
No matter what security model is applied, CENTUM VP installer will create a CTM_MAINTENANCE group and
After running the IT Security Tool, the following users and user groups will be automatically
created.
User name | User/group | Created location | Explanation
CENTUM | User | Local PC Users | User created when the system is installed, in the same way as for CS 3000. Note that the default password is set to “Yokogawa1” and it is requested to
IMPORTANT
These user accounts should be used for running CENTUM products only.
IMPORTANT
• These user accounts should be used for running CENTUM products only.
• When changing security model, the group name may be changed or groups may be deleted
Up to 16 characters
TIP
case sensitive, but it is recommended to use capital letters.
Password
There are the following rules for passwords.
32 alpha-numeric characters.
The password of a Windows user used in Windows authentication mode can be
TIP
These users are authenticated on the PCs they use, in the Windows authentication
mode. These users are used in an emergency, for example when a domain controller is down while
the users of the PC are managed by domain management or combination management.
The special user accounts are not used under normal circumstances. Moreover, for standalone
management, there is no need to create these users.
A special user can be used on the User-in dialog box of the operation and monitoring functions,
• When the domain management is functioning and access to the domain controller is
unimpeded
Under this circumstance, an emergency user account is used even though the user
authentication processing on the domain is normally performed. Since it may weaken the security
OFFUSER
OFFUSER in the Windows authentication mode has the following characteristics.
authentication mode.
• It is created as a local user regardless of the domain or standalone management.
• The initial password contains 32 characters and is not disclosed (the password can be
VP system).
Security installed.
*2: %ProgramData% refers to the following folders. These examples are when the system drive is drive C.
*3: %windir% refers to the following folder. This example is when the system drive is drive C.
*5: This folder is only provided in Windows 7 and Windows Server 2008 R2.
[Table: access rights to files and folders for user/group [1] to [8] (see the key below). Most folder names were lost in extraction; the recoverable rows are the CENTUMVP folders (applicable to the sub-folders as well, except for the listed folders) with rights such as "F F F F F F – F" and "RX RX RX RX F RX – F", a data folder with "R R R R RWD R RW RWD", and under [Other] "Folders for CENTUM created by the option functions": F F F F F F – F.]
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: SYSTEM (Local System Account)
Types of access rights
F: Full access control
R: Read right and list display of folder details
RX: Read right, execution right, and list display of folder details
RW: Write right, read right, and list display of folder details
RWD: Write right, read right, delete right, and list display of folder details
–: Unauthorized
Name | Description
CENTUM Related | CENTUM related registries
DCOM Related | DCOM communication (OPC) related registries
Registry Keys
The table below shows the registry keys whose access can be controlled.
Name | Registry | Description
CENTUM Registry | [... YOKOGAWA] | Registry created at installation of CENTUM VP
CS3000 Registry | | Registry used by programs of CENTUM VP
CentumProductInfo Registry | | Registry in which product information of CENTUM VP is stored
(name not recoverable) Registry | [... SlaveDTM] |
Access permissions by user/group [1] to [9] (see the key below):
CENTUM Registry | – – – – – – – F F
CS3000 Registry | F F F F F F – R F
CentumProductInfo Registry | – – – – F – – F F
CENTUMVP Registry | – – – – F – – F F
CS3K Registry | F F F F F F F R F
(name not recoverable) | F F F F F F – R F
Exaopc Registry | F F F F F F F – F
EXA Registry | F F F F F F F – F
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
Types of access permissions
F: Full access control
R: Read right
–: Unauthorized
DCOM (OPC) related registry access permissions by user/group [1] to [10] (see the key below):
OpcEnum Registry | F F F F F F – – F R
OPC Alarms Registry | F F F F F F – – F R
(name not recoverable) | F F F F F F – – F R
(name not recoverable) | F F F F F F – – F R
CS DCOM Server Registry | F F F F F F – – F R
OPC Server Registry | F F F F F F – – F R
(name not recoverable) | F F F F F F – – F R
(name not recoverable) | F F F F F F – – F R
CSSEM Alarm & Events | F F F F F F – – F R
Automation Server Registry | F F F F F F – – F R
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
[10]: SERVICE
Types of access permissions
F: Full access control
R: Read right
–: Unauthorized
*2: Access permission is R for OFFUSER.
[Table: local security settings by user/group [1] to [10] (see the key below); the row names were lost in extraction, and each of the five rows reads: – F F – F – – – F]
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
[10]: SERVICE
Types of access permissions
F: Full access control
– : Unauthorized
Name | Description
CENTUM Related | Communication ports used by CENTUM related programs to communicate
DCOM Related | Communication ports used by programs using DCOM communication (including OPC communication)
File Sharing Related |
Windows Related |
CENTUM related ports
Port | Program | Function | Remarks
TCP:20109 | | Standard Operation and Monitoring Function | Required when CENTUM VP is communicating with CENTUM CS system
TCP:20171 | | Standard Operation and Monitoring Function | None
TCP:20110 | | Standard Operation and Monitoring Function | None
TCP:20183 | | Standard Operation and Monitoring Function | None
UDP:32301 | MnsServer.exe | Standard Operation and Monitoring Function | None
TCP:20111 | | Process Management Package | None
TCP:20174 | | Process Management Package | None
TCP:20177 | | Process Management Package | None
TCP:20178 | | Process Management Package | None
TCP:20179 | | Process Management Package | None
TCP:34205 | | FCS Simulator Package (Expanded Test Functions) | None
TCP:20101 | | Package | None
TCP:20102 | | Package | None
TCP:20105 | | Package | None
TCP:20184 | | APCS Control function | APCS/GSGW
TCP:1433 | sqlservr.exe (SQLServer) | SOE Server Package | SOE
UDP:34325 | | SOE Server Package | SOE
TCP:34333 | | SIOS | SIOS related
TCP:8819, TCP:8820, UDP:8819 | CAMSServer.exe | Consolidated Alarm Management Software | for CAMS
UDP:8820 | CAMSLogSvr.exe | Consolidated Alarm Management Software | for CAMS
TCP:38020, TCP:40112, TCP:40116, TCP:40117, TCP:38030 | Yokogawa.IA.iPCS.CENTUMVP.UGS.System.Service.exe and other Yokogawa.IA.iPCS.CENTUMVP. services (names truncated in source) | UGS | None
DCOM related ports
Port | Service name/Function name | Function | Remarks
TCP:135 | DCOM service | Programs using OPC communication | When OPC connection is used
(port not recoverable) | DCOM service | Programs using OPC communication | When OPC connection is used
File sharing related ports
TCP:139, UDP:137, UDP:138, TCP:445 | sharing of files and printers | None
Windows related ports
Service name/Function name | Server/Station
and registration to DNS, is required.
*1: This item may be ICMP, ICMPv4, or ICMPv6, depending on the OS.
Service | Comment | 2003 | Vista | 7 | 2008 | 2008 R2 (*1)
(service name not recoverable) | ... are not used within the CENTUM VP system. | Unused | Unused | Unused | Unused | Unused
Error Reporting Service | Not required within the CENTUM VP system. | Unused | – | – | – | –
(service name not recoverable) | Not required within the CENTUM VP system. | – | Unused | Unused | Unused | Unused
IPsec Policy Agent | Not required within the CENTUM VP system. | – | Unused | – | Unused | –
IPSEC Services | Not required within the CENTUM VP system. | Unused | – | – | – | –
Network DDE | Not required because DDE services via the network are not used. | Unused | – | – | – | –
Network DDE DSDM | Not required because DDE services via the network are not used. | Unused | – | – | – | –
(service name not recoverable) | Not required within the CENTUM VP system. | – | Unused | Unused | Unused | –
Remote Registry | Not required because the functions are not used and there are problems in terms of security. | Unused | Unused | – | Unused | –
... Detection | Not required because the functions are not used. | Unused | Unused | Unused | Unused | Unused
WebClient | Not required because the functions are not used. | Unused | Unused | – | – | –
Windows Error Reporting Service | Not required within the CENTUM VP system. | – | Unused | – | Unused | –
Wireless ... | Not required within the CENTUM VP system. | Unused | – | – | – | –
*1: Windows OS
Keep the following points in mind when changing the user name of “Administrator.”
• Create a user with administrator rights for normal maintenance.
name to be changed and the name of user with administrator rights to be created.
• Securely control users with administrator rights.
Restriction on path: If this restriction is applied, other coexisting packages may not run.
Settings
The restriction on path of CENTUM VP is added to the restriction on path.
• %ProgramFiles% (*2)
• %ProgramFiles(x86)% (*3) (for Windows 7 and Windows Server 2008 R2)
• %ProgramW6432% (*4) (for Windows 7 and Windows Server 2008 R2)
*2: %ProgramFiles% refers to the following folder. This example is when the system drive is drive C.
*3: %ProgramFiles(x86)% refers to the following folder. This example is when the system drive is drive C.
*4: %ProgramW6432% refers to the following folder. This example is when the system drive is drive C.
*5: %SystemRoot% refers to the following folder. This example is when the system drive is drive C.
*6: CENTUM VP installation folder refers to the following folder. This example is when the system drive is drive C.
IT Security Tool.
When you run an FCS simulator using the test function, you cannot enable the following functions
when software restriction policies are applied.
• Plant training system (Exatif)
• Off-site blocks, enhanced switch instrument blocks, and valve pattern monitors
Observe the following points when software restriction policies are applied.
• When you install CENTUM VP software or third party software from removable storage
media, log on to the PC as an administrative user and run the setup program by right-
clicking the program and choosing [Run as Administrator].
• When you run a program with an extension .bat, .cmd, or .vbs, start the command prompt
from the start menu by right-clicking the Command Prompt (cmd.exe) and choosing [Run as
Administrator]. Then, run the program from the command prompt window.
• Microsoft Excel, Microsoft SQL Server, OPC server used for GSGW or SIOS, and third party
software must be installed under %ProgramFiles% or %ProgramFiles(x86)%.
• Updating programs for display drivers may be installed immediately under the C drive.
When you update the driver, log on to the PC as an administrative user and run the updating
program by right-clicking the program and choosing [Run as Administrator].
• When you install an OPC client, log on to the PC as an administrative user and run the OPC
client setup program by right-clicking the program and choosing [Run as Administrator].
users.
Cautions
Please observe the following point.
• The installation menu does not start when the CENTUM VP software medium is inserted.
SEE
ALSO For details about the StorageDeviceCTL, see the following:
6.2, “Other Utility Programs”
Cautions
This function is not available with Windows Server 2003 and Windows Server 2003 R2.
If this function is applied to Windows Server 2008 R2, you cannot use StorageDeviceCTL to
temporarily cancel the effect of StorageDevicePolicies. To cancel, you need to clear the [Applying
the StorageDevicePolicies function] check box of the IT Security Tool’s detailed settings and run
the tool again. Note that, to disable taking out of data using removable storage media without
• For [Network security: LAN Manager authentication level], “Send NTLMv2 response only” is
set.
• For [Network security: Do not store LAN Manager hash value on next password change],
“Enabled” is set.
• For [Network security: Minimum session security for NTLM SSP based (including secure
RPC) clients], the [Require NTLMv2 session security] and [Require 128-bit encryption]
check boxes are selected.
• For [Network security: Minimum session security for NTLM SSP based (including secure
RPC) servers], the [Require NTLMv2 session security] and [Require 128-bit encryption]
check boxes are selected.
Cautions
Please observe the following points when applying this measure.
• It becomes impossible to connect from Windows 95, Windows 98, Windows ME, Windows
NT, and Windows 2000.
• You must ensure that the settings of [Network security: Minimum session security for
NTLM SSP based (including secure RPC) clients] and [Network security: Minimum session
security for NTLM SSP based (including secure RPC) servers] are consistent on all PCs.
Settings
The following table shows the settings.
Policy | Settings
Minimum password length | 12 characters or more
Change prohibition period of password | One day
Validity period of password | 90 days
Storage of password history | 24 passwords remembered (25 password types or more are required)
Password must meet complexity requirements | Enabled
Store password using reversible encryption for all users in the domain | Disabled
Cautions
If the password policies are made stricter, not only the load of password management on users
but also the load of operation administrators to manage user’s passwords increases.
Settings
The following table shows the settings.
Policy Settings
Audit account logon events Success, failure
Audit account management Success, failure
Failure
Audit system events Success, failure
Audit directory service access Success, failure
Audit process tracking Success
Audit policy change Success, failure
Audit logon events Success, failure
Audit privilege use Success, failure
Cautions
Please observe the following points.
• If the number of event types collected is increased, the system performance is affected.
• The number of generated events varies depending on the types of collected events and
system operations. Determine the event collection size appropriate for the system operation
conditions.
Policy Settings
Account lockout threshold 10 invalid logon attempts
Reset account lockout counter after 15 minutes
Account lockout duration 15 minutes
Cautions
If this policy is applied, you may not be able to log on in an emergency situation if a lockout occurs
as a result of hasty operation.
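The LAN Manager authentication level, password policy, audit policy and account lockout policy tables above can be verified on a PC by exporting its local security policy with `secedit /export /cfg <file>` and comparing the export with the guide's values. The following script is an added example and is not part of the Yokogawa manual or of the IT Security Tool: the INF section and key names are the standard ones secedit writes, the sample export is constructed and deliberately deviates in five places, and treating a setting stricter than the guide (for example NTLMv2 level 5 instead of 3) as compliant is this example's own choice.

```python
import configparser
import sys

# Baseline from the guide, expressed as the keys secedit writes to its INF export.
# [System Access]: minimum password length 12, change prohibition period 1 day,
# validity period 90 days, 24 passwords remembered, complexity enabled,
# reversible encryption disabled, lockout after 10 invalid attempts,
# 15-minute reset counter and 15-minute lockout duration.
BASELINE_SYSTEM_ACCESS = {
    "MinimumPasswordLength": 12,
    "MinimumPasswordAge": 1,
    "MaximumPasswordAge": 90,
    "PasswordHistorySize": 24,
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,
    "LockoutBadCount": 10,
    "ResetLockoutCount": 15,
    "LockoutDuration": 15,
}
# [Event Audit]: 1 = success, 2 = failure, 3 = success and failure.
BASELINE_EVENT_AUDIT = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditSystemEvents": 3,
    "AuditDSAccess": 3, "AuditProcessTracking": 1, "AuditPolicyChange": 3,
    "AuditLogonEvents": 3, "AuditPrivilegeUse": 3,
}
# [Registry Values]: LAN Manager settings. Level 3 = "Send NTLMv2 response only".
# 0x20080000 = "Require NTLMv2 session security" (0x80000) | "Require 128-bit encryption" (0x20000000).
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
NTLM_MIN_SEC = 0x20080000
BASELINE_REGISTRY = {
    LSA + "LmCompatibilityLevel": 3,
    LSA + "NoLMHash": 1,
    LSA + "MSV1_0\\NTLMMinClientSec": NTLM_MIN_SEC,
    LSA + "MSV1_0\\NTLMMinServerSec": NTLM_MIN_SEC,
}

# Constructed sample export (not taken from a real machine). It deviates from the
# baseline in five places: password length 8, no lockout, privilege use audited
# on failure only, LM level 2, and the server-side NTLM minimum lacks NTLMv2.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 1
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _parse(inf_text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; registry paths are compared as written
    cp.read_string(inf_text)
    return cp


def _int_or_none(cp, section, key):
    raw = cp.get(section, key, fallback=None)
    if raw is None:
        return None
    # [Registry Values] entries are "type,value" (4 = REG_DWORD); other sections are bare ints.
    return int(raw.rpartition(",")[2])


def check_export(inf_text):
    """Return (setting, expected, actual) for every setting weaker than the guide's baseline."""
    cp = _parse(inf_text)
    findings = []
    for key, want in BASELINE_SYSTEM_ACCESS.items():
        got = _int_or_none(cp, "System Access", key)
        if key in ("MaximumPasswordAge", "LockoutBadCount"):
            ok = got is not None and 0 < got <= want  # 0 / -1 mean "never expires" / "no lockout"
        elif key in ("PasswordComplexity", "ClearTextPassword"):
            ok = got == want
        else:
            ok = got is not None and got >= want
        if not ok:
            findings.append((key, want, got))
    for key, want in BASELINE_EVENT_AUDIT.items():
        got = _int_or_none(cp, "Event Audit", key)
        if got is None or (got & want) != want:  # auditing more than required is acceptable
            findings.append((key, want, got))
    for key, want in BASELINE_REGISTRY.items():
        got = _int_or_none(cp, "Registry Values", key)
        if key.endswith("LmCompatibilityLevel"):
            ok = got is not None and got >= want  # levels 4 and 5 are stricter than 3
        elif key.endswith("NoLMHash"):
            ok = got == want
        else:
            ok = got is not None and (got & want) == want  # both required flag bits must be set
        if not ok:
            findings.append((key, want, got))
    return findings


def is_compliant(inf_text):
    return not check_export(inf_text)


if __name__ == "__main__":
    # secedit writes its export as UTF-16; without a path the constructed sample is checked.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, want, got in check_export(text):
        print(f"NONCOMPLIANT {key}: expected {want}, found {got}")
```

Run it with the path of a `secedit /export /cfg` output to list every setting that is weaker than the guide; an empty result means the four tables are satisfied. Because the comparison is "at least as strict", a site that has tightened a value beyond the guide is not reported, while a value such as a lockout threshold of 0 (no lockout at all) is.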
Security Model
A security model needs to be selected from the following three types.
Legacy Model | Yokogawa products not supporting IT security and when sharing Windows users among multiple operators. This model can be selected upon your understanding that it is vulnerable to information leaks and attacks by worms and viruses.
Standard Model (Recommended) | A model that provides a minimum security set for the CENTUM VP system as well as the systems collaborating with the CENTUM VP system.
Strengthened Model | Select this model when a security level higher than the Standard model is required. Consult a Yokogawa agent when implementing this model.
Mode | Selection Criterion
CENTUM Authentication Mode | This mode performs the same authentication as the CENTUM systems prior to version R4.03. Select this mode when the Windows users and CENTUM users are authenticated separately.
Windows Authentication Mode | Select this mode when the Windows users, CENTUM operation and monitoring users
This mode is suitable for a system to which a higher level of security is applied.
When Windows authentication mode is selected, only one authentication is required before
Type | Description
Windows Type Single Sign On | account to log on.
example, permissions to manipulate Start Menu items) are retained to the privilege of
the user (OFFUSER) who automatically logged on to Windows. Moreover, if the OFFUSER logs off
Windows, you need to restart the PC to log on to Windows again.
The following table lists the precautions to be observed when setting security measures.
Security function
*2: .NET Framework 3.5 SP1 is included in the CENTUM VP install media.
[Table: required servers by system type; the row labels were lost in extraction. Recoverable cells:]
File Server | ... (standalone management) as IT security.
Domain controller | Not required
File Server | Standard model (domain/combination management) as IT security.
Domain controller | Construct anew (apply the Standard model (domain/combination management) as IT security).
Systems
File Server | Standard model (domain/combination management) as IT security.
File Server | ... system builders. IT security is not required.
Domain controller | Not required
When constructing a system prioritizing security, examine the security taking the operation fully
into consideration.
Screen Saver Function [On resume, password protected] option should be checked.
[Table: account management by operation form and convenience of operation; the rows were lost in extraction.]
Use of Accounts
If the common accounts are used, it is recommended to group accounts by rights of users and
prohibit operations on the CENTUM VP system by users without rights and to narrow down
user groups when tracing the trouble occurrence. It is considered that more usable trace data is
obtained compared to when common accounts are used among all users.
Password Management
Considering security, it is recommended to change passwords periodically. It is possible to
handle password cracking attacks by periodically changing passwords. If common accounts are
used, it is recommended to change passwords at the timing when members using the common
is prevented.
by users who used to have rights before and/or unexpected attacks from attackers. For example,
Password Management
Considering security, it is recommended to change passwords periodically. Periodically changing the user passwords limits the damage of password cracking, because a cracked password stops working at the next change.
System Audit
Auditing the system makes it possible to notice system abnormalities at an early stage, which leads to early discovery of signs of troubles and accidents. If any abnormalities are found, consult network administrators or experts to take appropriate measures.
When managing accounts by standalone management, the same user account must be created not only on all PCs used by users but also on the PCs on which system builders are installed. When changing passwords as well, the password of that account must be changed to the same new password on every PC in which the account is registered; a PC that is missed keeps accepting the old password.
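The password change described above has to reach every PC in one operation. The following script is an added example (it is not part of the CENTUM VP manual or Yokogawa's tools) that sets one new password for the same local account on a list of standalone PCs using the ADSI WinNT provider, which needs no extra modules on Windows XP/Server 2003 and later. The account name and the station names are placeholders.

```powershell
# Added example (not Yokogawa's code): set one new password for the same local
# account on every standalone PC, so that the copies of the account stay in step.
# Uses the ADSI WinNT provider, available on Windows XP/Server 2003 and later
# without extra modules. The account name and host names are placeholders.

$Account = 'CTM_ENGINEER01'                    # hypothetical local account name
$Hosts   = @('HIS0164', 'HIS0165', 'ENG0101')  # hypothetical station names

# Read the new password once so that every PC receives the identical value.
$secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Set-PasswordOnAllHosts {
    param([string[]]$Computers, [string]$User, [string]$Password)
    foreach ($pc in $Computers) {
        try {
            # Binds to the remote SAM over RPC with the caller's credentials; the caller
            # must be a local administrator on each PC and the PC must be reachable.
            $adsUser = [ADSI]"WinNT://$pc/$User,user"
            $adsUser.SetPassword($Password)
            New-Object PSObject -Property @{ Computer = $pc; Result = 'changed' }
        } catch {
            New-Object PSObject -Property @{ Computer = $pc; Result = "FAILED: $($_.Exception.Message)" }
        }
    }
}

$results = Set-PasswordOnAllHosts -Computers $Hosts -User $Account -Password $plain
$plain = $null   # drop the clear-text copy as soon as it has been used

# A FAILED row means that PC still has the old password: the copies of the account
# are now out of step and that PC must be fixed before users rely on the new value.
$results | Format-Table Computer, Result -AutoSize
```

Run it from an account that is a local administrator on every listed PC. Any row reported as FAILED must be followed up immediately, because that PC continues to accept the old password until it is changed there too.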
If the clock of the domain controller and the clock of a PC differ by 5 minutes or more (the default tolerance), authentication does not work properly in the domain environment. Pay attention to the time deviation between the domain controller and each PC, and keep every PC synchronized with the domain time source.
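To check the time deviation described above for all stations at once, the following added example (not Yokogawa's code) reads each PC's clock through WMI from one administrative PC and compares it with the domain controller's clock. The host names and the 5-minute limit are assumptions.

```powershell
# Added example (not Yokogawa's code): measure the clock offset of each station
# against the domain controller from one administrative PC and flag any offset at or
# above the 5-minute tolerance. Uses the Win32_OperatingSystem WMI class, which
# exists on every supported Windows version; host names are placeholders.

$DomainController = 'DC01'                              # hypothetical
$Stations         = @('HIS0164', 'HIS0165', 'ENG0101')  # hypothetical
$MaxSkewSeconds   = 300                                 # default tolerance: 5 minutes

function Get-RemoteClockUtc {
    param([string]$Computer)
    # LocalDateTime is a DMTF timestamp that carries the remote UTC offset, so the
    # converted value is comparable across PCs even if their time zones differ.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    [Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime).ToUniversalTime()
}

function Test-ClockSkew {
    param([string]$Reference, [string[]]$Computers, [int]$LimitSeconds)
    foreach ($pc in $Computers) {
        try {
            # Sample the reference immediately before each station to keep the
            # round-trip error well below the tolerance being checked.
            $ref  = Get-RemoteClockUtc -Computer $Reference
            $skew = (Get-RemoteClockUtc -Computer $pc) - $ref
            New-Object PSObject -Property @{
                Computer    = $pc
                SkewSeconds = [math]::Round($skew.TotalSeconds, 1)
                OK          = ([math]::Abs($skew.TotalSeconds) -lt $LimitSeconds)
            }
        } catch {
            # Unreachable PC: report it rather than silently skipping it.
            New-Object PSObject -Property @{ Computer = $pc; SkewSeconds = $null; OK = $false }
        }
    }
}

# OK = False means domain logon from that PC will fail until its clock is
# resynchronised (for example with "w32tm /resync" on that PC).
Test-ClockSkew -Reference $DomainController -Computers $Stations -LimitSeconds $MaxSkewSeconds |
    Format-Table Computer, SkewSeconds, OK -AutoSize
```

The WMI query needs remote administration rights on each station. A station reported with OK = False should be resynchronised before its users attempt a domain logon.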
CTM_MAINTENANCE Group
CTM_MAINTENANCE, the group for maintenance, has very powerful rights, including administrator rights. Treat the accounts belonging to CTM_MAINTENANCE as disabled accounts under normal operation and enable them only when they are needed. Moreover, setting a validity period (account expiry) for an account at the time it is enabled is also an effective security measure, because it closes the account again even if nobody remembers to disable it.
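The enable-with-expiry practice described above can be scripted so that it is done the same way every time. The following is an added example (not Yokogawa's code) for the domain form of the group, using the ActiveDirectory module (Windows Server 2008 R2 and later), with a net.exe variant for local accounts. The user names other than CTM_MAINTENANCE are placeholders.

```powershell
# Added example (not Yokogawa's code): keep the members of CTM_MAINTENANCE disabled
# during normal operation and enable one of them only for a bounded maintenance window.
# Domain accounts are handled with the ActiveDirectory module (Server 2008 R2+);
# local accounts with net.exe, which exists on every supported Windows version.
# User names below, other than the CTM_MAINTENANCE group itself, are placeholders.

$Group = 'CTM_MAINTENANCE'

function Get-MaintenanceAccounts {
    # Lists every member with its enabled state and expiry, for a before/after audit.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

function Open-MaintenanceWindow {
    param([string]$User, [int]$Hours = 8)
    # Enable the account and set an expiry so that a forgotten account closes by itself.
    $until = (Get-Date).AddHours($Hours)
    Enable-ADAccount -Identity $User
    Set-ADAccountExpiration -Identity $User -DateTime $until
    "{0} enabled until {1:u}" -f $User, $until
}

function Close-MaintenanceWindow {
    param([string]$User)
    Disable-ADAccount -Identity $User
    Clear-ADAccountExpiration -Identity $User   # leave no stale expiry behind
}

# Local (standalone) variant. net.exe expiry is date-granular and the date format
# follows the PC's locale, so the window closes at the end of the stated day.
function Disable-LocalMaintenanceAccount { param([string]$User) net user $User /active:no | Out-Null }
function Enable-LocalMaintenanceAccount {
    param([string]$User, [int]$Days = 1)
    $until = (Get-Date).AddDays($Days).ToString('d')
    net user $User /active:yes /expires:$until | Out-Null
}

# Usage (domain):
# Get-MaintenanceAccounts                            # expect Enabled = False for all members
# Open-MaintenanceWindow -User 'ctm_maint01' -Hours 4
# ... perform the maintenance ...
# Close-MaintenanceWindow -User 'ctm_maint01'
# Get-MaintenanceAccounts                            # confirm the account is disabled again
```

Run Get-MaintenanceAccounts as part of the regular system audit: every member of CTM_MAINTENANCE should show Enabled = False outside a maintenance window.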
Users who can use OPC can use the DCOM function from remote sites, so the number of such users should be kept to a minimum. Moreover, if the target users use only programs, removing their right to log on interactively is also an effective measure. After patches and service packs are applied, make sure that the existing security settings are still in effect.
Antivirus Software
It is recommended to install antivirus software tested by Yokogawa on the PCs and domain controllers within the CENTUM VP system before starting operation. Take precautions when introducing or updating antivirus software, such as checking its operation beforehand on a test-purpose PC.
SEE
ALSO For more information about how to use the IT Security Tool, see the following:
CENTUM VP Installation (IM 33K01C10-50E)
... devices: temporarily connected even if this setting is enabled.
... over TCP/IP
Changing the LAN Manager authentication level: Disables the authentication protocol (LAN Manager authentication) used for communicating with Windows software prior to Windows NT 4.0.
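The IT environment items listed above (LAN Manager authentication level, AutoRun restrictions, the StorageDevicePolicies function, NetBIOS over TCP/IP) correspond to standard Windows settings. The following added example (not Yokogawa's code and not the IT Security Tool) reports, and optionally enforces, those settings so that they can be verified after patches or service packs. The registry paths are the standard Windows locations; the target values are assumptions chosen to match what the items describe, not values taken from the manual.

```powershell
# Added example (not Yokogawa's code): check, and optionally enforce, the Windows
# settings behind the "Changing IT environment settings" items. Registry paths are
# the standard Windows ones; the "Want" values are assumptions: 5 = NTLMv2 only,
# refusing LM and NTLM (4 already refuses LM, which is what the item describes);
# 0xFF = AutoRun off on every drive type; WriteProtect 1 = removable disks read-only.

$Checks = @(
    @{ Name = 'LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Want = 5 }
    @{ Name = 'AutoRun restrictions'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoDriveTypeAutoRun'; Want = 0xFF }
    @{ Name = 'StorageDevicePolicies (write-protect removable disks)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Key  = 'WriteProtect'; Want = 1 }
)

function Test-EnvironmentSettings {
    param([switch]$Enforce)
    foreach ($c in $Checks) {
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        }
        $ok = ($current -ne $null) -and ([int]$current -eq $c.Want)
        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
            $current = $c.Want; $ok = $true
        }
        New-Object PSObject -Property @{ Setting = $c.Name; Current = $current; Wanted = $c.Want; OK = $ok }
    }
    # NetBIOS over TCP/IP is configured per adapter: TcpipNetbiosOptions 2 = disabled.
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $ok = ($nic.TcpipNetbiosOptions -eq 2)
        if (-not $ok -and $Enforce) { $ok = ($nic.SetTcpipNetbios(2).ReturnValue -eq 0) }
        New-Object PSObject -Property @{ Setting = "NetBIOS over TCP/IP ($($nic.Description))"
                                         Current = $nic.TcpipNetbiosOptions; Wanted = 2; OK = $ok }
    }
}

# Run as administrator. Report first; enforce only after confirming that nothing in
# the plant still depends on LM/NTLMv1 authentication or NetBIOS name resolution.
Test-EnvironmentSettings | Format-Table Setting, Current, Wanted, OK -AutoSize
# Test-EnvironmentSettings -Enforce
```

Use the report mode on every station after patches and service packs are applied; a row with OK = False shows a setting that the update has reset. Enforcing LmCompatibilityLevel 5 stops the PC from accepting LM and NTLMv1, so confirm first that older stations or third-party software do not still need them.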
IMPORTANT
After applying the software restriction policy with the IT Security Tool, you can lift the restriction for an individual program as follows:
• To start an installer on DVD media, right-click its icon and choose [Run as administrator].
• To run a program other than a CENTUM VP program (such as the installer of a graphics card driver), right-click its icon and choose [Run as administrator].
Do this only for programs whose origin you have verified: the program then runs with administrator rights and outside the restriction.
TIP
StorageDeviceCTL Utility cannot be used in Windows Server 2008 R2 environment. In Windows Server 2008 R2
SEE
ALSO • For more information about creating user or user group with IT Security Tool, refer to:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
• For more information about StorageDeviceCTL Utility, refer to:
6.2, “Other Utility Programs”
• For more information about notices regarding to applying software restriction policies, refer to:
3.4.3, “Applying the Software Restriction Policies”
For the selected model, you can specify with check boxes whether to apply each security measure item.
(Figure 060101E: IT Security Tool setting screen)
When you start the IT Security Tool, the check boxes show the settings that were applied last time if you have not changed the security model or user management type.
If you have changed the security model or user management type, the check boxes show the default settings of the selected security model.
Setting item | Default | Changeable | Remarks
Creating local users and groups | Selected | No | None
Access control for product folders | Selected | No | Adds Full access control to the Everyone group. For some tools' folders under the Windows folder, reverts to the access permissions of the parent folders.
Access control for product registry | Selected | No | Adds Full access control to the Everyone group.
Access control for DCOM (OPC) | Selected | No | Adds Full access control to the Everyone group.
 | Selected | No |
Local security | Selected | No | Grants access permissions to the Everyone group.
Changing IT environment settings | Selected | Yes | None
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating local users and groups | Selected | No
 | Selected | No
Access control for product registry | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - ... name | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Clear | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
Changing IT environment settings - Applying the software restriction policies (*1) | Clear | Yes
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating local users and groups (*1) | Selected | No
Creating domain users and groups (*2) | Selected | No
 | Selected | No
Access control for product registry | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - ... name | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Selected | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
Changing IT environment settings - Applying the software restriction policies (*3) | Clear | Yes
*1: CTM_OPC_LCL and CTM_MAINTENANCE are created in the local computer.
*2: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created in the domain controller computer.
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating local users and groups | Selected | No
Creating domain users and groups | Selected | No
 | Selected | No
Access control for product registry | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - ... name | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Selected | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
Changing IT environment settings - Applying the software restriction policies (*1) | Clear | Yes
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable | Remarks
Creating local users and groups | Selected | No | Creates the CTM_PROCESS user.
Access control for product folders | Selected | No | For some tools' folders under the Windows folder, reverts to the access permissions of the parent folders.
 | Selected | No | Adds Full access control to the Everyone group.
Local security | Selected | No | Grants access permissions to the Everyone group.
Setting item | Default | Changeable
Creating local users and groups | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Applying the audit policy | Selected | Yes
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Clear | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating local users and groups (*1) | Selected | No
Creating domain users and groups (*2) | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Applying the audit policy | Selected | Yes
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Selected | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
*1: CTM_OPC_LCL and CTM_MAINTENANCE are created in the local computer.
*2: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created in the domain controller computer.
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating local users and groups | Selected | No
Creating domain users and groups | Selected | No
 | Selected | No
 | Selected | No
Local security | Selected | No
Changing IT environment settings - Applying the audit policy | Selected | Yes
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Selected | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
Setting item | Default | Changeable
Creating domain users and groups (*1) | Selected | No
 | Selected | Yes
 | Selected | No
 | Selected | No
Changing IT environment settings - Applying the audit policy | Selected | Yes
Changing IT environment settings - Changing the LAN Manager authentication level | Selected | Yes
Changing IT environment settings - Applying AutoRun restrictions | Selected | Yes
Changing IT environment settings - ... over TCP/IP | Selected | Yes
Changing IT environment settings - Applying the StorageDevicePolicies function | Clear | Yes
Changing IT environment settings - ... devices | Clear | Yes
*1: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created in the domain controller computer.
TIP
When using IT Security Tool to create users and groups, only the domain user groups can be created.
SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
%ProgramData%\Yokogawa\IA\iPCS\Platform\Security\Log\Log.txt
TIP
%ProgramData% stands for the following path when the system drive is the C drive.
In Windows Server 2003 or Windows Server 2003 R2 environment:
In Windows Vista, Windows7, Windows Server 2008 or Windows Server 2008 R2 environment:
TIP
The security setting files are named according to the following convention:
<Product name>-<Installation type>_<Security model>_<User management type>.csf
TIP
Legacy model: CTM-FileServer_Legacy_Standalone.csf
Standard model and standalone user management type: CTM-FileServer_Standard_Standalone.csf
Standard model and domain user management type: CTM-FileServer_Standard_Domain.csf
Standard model and combined user management type: CTM-FileServer_Standard_Combination.csf
• StorageDeviceCTL
CreateCentumProcess
This utility creates the CTM_PROCESS user.
Detailed Explanation
This utility creates the CTM_PROCESS user with a predetermined password (not disclosed).
CreateCentumProcess.exe
Run without a password, this utility creates the CTM_PROCESS user. If CTM_PROCESS already exists, its password is reset to the predetermined password when the command is executed. When the password is reset, the logon passwords of the Windows services registered to run as CTM_PROCESS are reset as well.
When an arbitrary password is specified: if the CTM_PROCESS user does not exist, it is created with that password. If the user already exists, its password is changed to that password, and the logon passwords of the Windows services registered to run as CTM_PROCESS are changed as well.
IMPORTANT
When changing the password of CTM_PROCESS, change it on all stations so that every station uses the same password; a station left with the old password cannot authenticate to the others.
Detailed Explanation
When an administrative user runs the OFFUSEREnabler command, the password of OFFUSER is changed to "!centumvp123" and the OFFUSER account can then be used to log on to Windows. Because this password is printed in this manual, an OFFUSER account left in this state can be used by anyone with access to the console; run OFFUSERDisabler as soon as the work is finished.
To reset the password of the OFFUSER account to its initial password (not disclosed), run the OFFUSERDisabler command. If the Standard model or Strengthened model of security settings is applied on the PC, running the OFFUSEREnabler command requires the privilege of the CTM_MAINTENANCE group.
Yokogawa.IA.iPCS.Platform.Security.OFFUSEREnabler.exe
Detailed Explanation
When an administrative user runs the OFFUSERDisabler command, the password of OFFUSER is changed back to its initial password (not disclosed).
If the Standard model or Strengthened model of security settings is applied on the PC, running the OFFUSERDisabler command requires the privilege of the CTM_MAINTENANCE group.
Yokogawa.IA.iPCS.Platform.Security.OFFUSERDisabler.exe
Detailed Explanation
When you cannot write to storage devices because the StorageDevicePolicies function has been applied, this utility temporarily cancels the effect of that security measure. Writing to storage devices is enabled only while StorageDeviceCTL is running.
IMPORTANT
Windows Server 2008 R2, you cannot use this utility to cancel the disabling.
• When you start this utility on a PC running Windows Server 2008 which is not installed with
Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
The task is displayed only in the task bar immediately after the start.
(Figure 060201E: StorageDeviceCTL started, shown in the task bar)
TIP
For Windows Vista and Windows Server 2008, right-click the [Safely remove hardware] icon in the task tray and select [Safely remove hardware].
6. Click [StorageDeviceCTL] in the task bar and then [WriteStop] to end the task. Writing to storage devices is disabled again once the task has ended.
(Figure 060202E: [StorageDeviceCTL] window with the [Write stop] button)
SEE
ALSO
3.4.5, “Applying the StorageDevicePolicies Function”
* : Denotes the release number of the software corresponding to the contents of this user’s manual. The
revised contents are valid until the next edition is issued.
1.2 Descriptions on “
2.2.2 Description on “
2.2.3 Descriptions on CTM_ENGINEER_ADM, CTM_ENGINEER_ADM_LCL, CTM_MAINTENANCE and
CTM_MAINTENANCE_LCL administrative privileges are deleted.
2.2.3 Descriptions on OFFUSER, CTM_PROCESS, LIC_PROCESS are added.
2.2.3 Notice texts on changing security models are added.
2.2.4 Overall change
6.1 “ Find out the applied security model and user management type” is added.
Newly published.