
CENTUM VP

Security Guide

IM 33K01C30-50E

IM 33K01C30-50E
4th Edition

Introduction
This manual is a guide for implementing security in the CENTUM VP system from the viewpoint
of Information Technology (IT).
It explains security models and setting details of CENTUM VP. Please read this manual to learn
about the details of security settings.
The intended readers of this manual are engineers who examine construction and operation of
the CENTUM VP system.

Media No. IM 33K01C30-50E (DVD) 4th Edition : Jun. 2012 (YK) IM 33K01C30-50E 4th Edition : Jun.29,2012-00
All Rights Reserved Copyright © 2011, Yokogawa Electric Corporation

CENTUM VP Document Map

Installation
  CENTUM VP Installation: IM 33K01C10-50E
  Licence Management: IM 33K01C20-50E
  CENTUM VP Security Guide: IM 33K01C30-50E

Engineering
  Field Control Stations Reference: IM 33K03E10-50E
  Function Blocks Overview: IM 33K03E21-50E
  Function Blocks Reference Vol. 1: IM 33K03E22-50E
  Function Blocks Reference Vol. 2: IM 33K03E23-50E
  Function Blocks Reference Vol. 3: IM 33K03E24-50E
  Human Interface Stations Reference Vol. 1: IM 33K03F21-50E
  Human Interface Stations Reference Vol. 2: IM 33K03F22-50E
  Engineering Reference Vol. 1: IM 33K03G21-50E
  Engineering Reference Vol. 2: IM 33K03G22-50E
  Engineering Reference Vol. 3: IM 33K03G23-50E
  Consolidated Alarm Management Software Reference: IM 33K03H20-50E
  Batch Management System Reference: IM 33K03J10-50E
  SEBOL Reference: IM 33K03K10-50E
  Communication with Subsystems Using RIO: IM 33K03L10-50E
  Communication with Subsystems Using FIO: IM 33K03L20-50E
  Communication Devices Reference: IM 33K03M10-50E
  Optional Functions Reference: IM 33K03N10-50E
  Communication with PROFIBUS Systems: IM 33K03P10-50E
  Compliance with FDA: 21CFR Part 11: IM 33K03Q10-50E
  Generic Subsystem Gateway Reference: IM 33K03R10-50E
  System Integration OPC Station Reference: IM 33K03R20-50E
  Unified Gateway Station Reference: IM 33K03R30-50E
  Engineering Test Guide: IM 33K10A10-50E
  Vnet/IP: IM 33K10H20-50E
  Engineering Tutorial; APCS Reference; CENTUM Data Access Library Reference; FOUNDATION fieldbus Reference / Tutorial: IM 33K02E10-50E, IM 33K15U10-50E, IM 33K15P10-50E, IM 33K20T10-50E (titles and numbers as printed; the column pairing of these four is not legible in this copy)
  FOUNDATION fieldbus Engineering Guide: IM 33K20T20-50E

Operation and Monitoring
  HIS Operation: IM 33K02D10-50E
  Operating Messages: IM 33K02D20-50E

Hardware
  Peripherals: IM 33K50C10-50E
  Field Control Stations: IM 33K50E40-50E
  Input & Output Modules: IM 33K50G10-50E
  Turbomachinery I/O Modules: IM 33K10U10-50E
  Communication Devices: IM 33K50D10-50E
  Migrated-FCS(FIO): IM 33K55W10-50E




Safety Precautions

• In order to protect the system controlled by the product as well as the product itself and ensure safe operation, observe the safety precautions described in this user’s manual. We assume no liability for safety if users fail to observe these precautions when operating the product.
provided by this product may be impaired.
• If any protection or safety circuit is required for the system controlled by the product or for the product itself, prepare it separately and install it outside the product.
• When replacing parts or consumables, be sure to use the ones approved by Yokogawa Electric Corporation (hereafter simply referred to as YOKOGAWA).
• Do not use the product for any application not approved by YOKOGAWA.
• Do not use the accessories (power supply cord set, etc.) that came with the product for any other products.
• The following symbols are used in the product and user’s manual to indicate that there are precautions for safety:

Indicates that caution is required for operation. This symbol is placed on the product to refer the user to the user’s manual in order to protect the operator and the equipment. In the
including electrical shocks.

Indicates an AC supply.

Indicates a DC supply.

Indicates that the main switch is ON.

Indicates that the main switch is OFF.



Notes on Handling User’s Manuals
• Please hand over the user’s manuals to your end users so that they can keep the user’s manuals on hand for convenient reference.
• Please read the information thoroughly before using the product.
• The purpose of these user’s manuals is not to warrant that the product is well suited to any particular purpose but rather to describe the functional details of the product.
• YOKOGAWA reserves the right to make improvements in the user’s manuals and product at any time, without notice or obligation.
contact our sales representative or your local distributor.

Warning and Disclaimer

The product is provided on an “as is” basis. YOKOGAWA shall have neither liability nor responsibility to any person or entity with respect to any direct or indirect loss or damage arising from using the product or any defect of the product that YOKOGAWA cannot predict in advance.

Notes on Software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the
terms of warranty.
• This product may be used on one machine only. If you need to use the product on another machine, you must purchase another product.
• It is strictly prohibited to reproduce the product except for the purpose of backup.
• Store the DVD-ROM (the original medium) in a safe place.
• It is strictly prohibited to perform any reverse-engineering operation, such as reverse compilation or reverse assembling, on the product.
• No part of the product may be transferred, converted or sublet for use by any third party without prior written consent from YOKOGAWA.




Documentation Conventions

The following typographical conventions are used throughout the user’s manuals:

The characters that must be entered are shown in monospace font as follows:
Example:
FIC100.SV=50.0

This symbol indicates the description for an item for which you should make a setting in the
product’s engineering window.
While operating an engineering window, the help information for the selected item can be

Example:

Indicates a space between character strings that must be entered.


Example:

Indicates an option that can be omitted.


Example:




Characters enclosed by brackets within any description on a key or button operation, indicate

button name on a window, or an item displayed on a window.


Example:
To alter the function, press the [ESC] key.

The following conventions are used within a command syntax or program statement format:

Indicate character strings that user can specify freely according to certain guidelines.
Example:

Indicates that the previous command or argument may be repeated.


Example:
Imax (arg1, arg2, ...)

Indicate those character strings that can be omitted.


Example:
sysalarm format_string [output_value ...]

Indicate those character strings that can be selected from more than one option.
Example:
opeguide <format_character_string> [, <output_value> ...]
OG,<element number>




different sections of text. This section describes these icons.

CAUTION

shock or death of the operator.

WARNING

from being damaged or the system from becoming faulty.

IMPORTANT

TIP

SEE
ALSO

Clicking a reference displayed in green can call up its source, while clicking a reference
displayed in black cannot.

Drawing Conventions

description.
Some screen images depicted in the user’s manual may have different display positions or
character types (e.g., the upper / lower case). Also note that some of the images contained in this
user’s manual are display examples.




The copyright of the programs and online manuals contained in the DVD-ROM or CD-ROM shall
remain in Yokogawa.
You are allowed to print out the required pages of the online manuals for using the product,
however, you are not allowed to print out the entire document. You can purchase the printed
manual from Yokogawa.
Except as stated above, no part of the online manual may be reproduced, either in electronic
or written form, registered, recorded, transferred, sold or distributed (in any manner including

network).

• CENTUM, ProSafe, Vnet/IP, PRM, Exaopc and STARDOM are registered trademarks of YOKOGAWA.
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
• Adobe, Acrobat and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
• Ethernet is a registered trademark of XEROX Corporation.
• Java is a registered trademark of Sun Microsystems, Inc.
• MELSEC is a registered trademark of Mitsubishi Electric Corporation.
• Modicon and Modbus are registered trademarks of Schneider Electric SA.
• Memocon-SC is a registered trademark of Yaskawa Electric Corporation.
• PLC is a registered trademark of Rockwell Automation, Inc.
• SYSMAC is a registered trademark of OMRON Corporation.
• SIEMENS and SIMATIC are registered trademarks of Siemens Industrial Automation Ltd.
• FOUNDATION in FOUNDATION
• SmartPlant is a registered trademark of Intergraph Corporation.
• All other company and product names mentioned in this user’s manual are trademarks or registered trademarks of their respective companies.
• We do not use the TM or ® mark to indicate those trademarks or registered trademarks in this user’s manual.
• We do not use logos and logo marks in this user’s manual.



CENTUM VP
Security Guide

CONTENTS
2. Security Models
2.2 User/Group Management
2.2.1 User Management Methods ........ 2-5
2.2.2 CENTUM VP User Authentication Modes ........ 2-6
2.2.3 Users/Groups with Respect to the Combination of User Management and Security Model ........ 2-9
2.2.4 User Name and Password Policies ........ 2-14
2.2.5 Special User ........ 2-15
3. Details of Security Measures
3.1.1 Access Rights to File/Folder ........ 3-3
3.1.3 DCOM (OPC) and User/Group ........ 3-12
3.1.4 Local Security and User/Group ........ 3-13
3.2 Personal Firewall Tuning
3.3 Stopping Unused Windows Services
3.4.1 Changing or Disabling the User Name of “Administrator” ........ 3-19
3.4.3 Applying the Software Restriction Policies ........ 3-21
3.4.4 Applying AutoRun Restrictions ........ 3-23
3.4.5 Applying the StorageDevicePolicies Function ........ 3-24
3.4.8 Changing the LAN Manager Authentication Level ........ 3-27
3.4.9 Applying the Password Policies ........ 3-28
3.4.10 Applying the Audit Policy ........ 3-29
3.4.11 Applying the Account Lockout Policy ........ 3-30


5.1.1 Common Account Management ........ 5-3
5.1.2 Individual Account Management ........ 5-4
5.1.3 Common Precautions for Common Account Management/Individual Account Management ........ 5-5
6. Utility Programs for Security Settings



operation.

product.

The table below lists and explains terms related to security.

Term: IT security
Explanation: Security measures considered on the basis of the given IT environment, in order to protect the system and handle current and future security threats, including cyber terrorism.

Term: User authentication mode
Explanation: A function that prescribes the management method of Windows users and of the users used in CENTUM VP. There are two modes: Windows authentication mode and CENTUM authentication mode.

Term: CENTUM authentication mode
Explanation: One of the user authentication modes. In this mode, the users used in CENTUM VP, as well as their access permissions, are managed independently within CENTUM VP.

Term: Windows authentication mode
Explanation: One of the user authentication modes. This mode links credentials of Windows

Explanation: A user sign on type that, when Windows authentication mode is selected as the
dialog box.

Term: Windows Type Single Sign On
Explanation: A user sign on type that, when Windows authentication mode is selected as the user authentication mode, performs the user sign on from the Windows logon dialog box.

Term: Kerberos authentication
Explanation: The default authentication method of a Windows domain. It is used in a domain environment where server and client PCs are mixed, for single sign on. Once a user is authenticated, the authentication is valid for the entire system.



The security threats that may harm the CENTUM VP system are as follows:

1. Attacks over network
Threats to the CENTUM VP system from people without any rights to the CENTUM VP system via networks such as intranets, as well as the resultant threats of leakage of important data of the CENTUM VP system.

2. Direct attack to a system by operating on an HIS or on a PC installed with system builders
Threats from unauthorized individuals to the CENTUM VP system by directly operating an
important data.

3. Theft of an HIS or PC installed with system builders, or theft of data
for the purpose of analyzing the data.

Figure 010101E: the three threats shown on the system layout. The intranet connects through a firewall to the Ethernet, to which the HIS, the PC installed with system builders, and the domain controller/file server are attached; the control bus connects them to the FCSs. Threat 1 comes from the intranet, threat 2 is performed on an HIS or on a PC installed with system builders, and threat 3 is theft of an HIS, of a PC installed with system builders, or of data.



In order to handle security threats, we arranged security measures applied in security guides for

following table shows the security measures and the security threats handled by them.

Security measures (*1), by security type. (The marks showing which of the threats [1], [2] and [3] each measure handles are not legible in this copy; only the measure names are listed.)

Access control
Stopping unused Windows services
Changing IT environment settings:
  Changing Administrator user name
  Applying the software restriction policies
  Applying AutoRun restrictions
  Applying the StorageDevicePolicies function
  Changing the LAN Manager authentication level
  Applying the password policy
  Applying the audit policy
  Applying the account lockout policy

*1: [1]: Attacks over network
–: Not applicable



2. Security Models

IMPORTANT
Please consult Yokogawa if IT security of the Strengthened model is required.



provided.

Security Models
The features of the security models are shown in the following table.

Legacy model
This model does not strengthen security. Use this model when you connect the system with Yokogawa products that do not support security measures.

Standard model
This model places importance on operation of CENTUM VP systems and collaboration with other systems (Exaopc, ProSafe-RS, etc.) to guard against “attacks over network”
deployment of CENTUM VP systems, the risk of this threat is relatively low.

Strengthened model
This model takes all measures against any security threats. If all security measures are taken, operation and so on may be affected. Take measures according to the characteristics of each system for the non-mandatory items.



Security Models and Security Measures
The table below shows the relationship between each security model and the security measures it takes.

Security measure (*1)                               Legacy    Standard   Strengthened
Access control                                      –         Support    Support
Stopping unused Windows services                    –         –          Support
Changing IT environment settings:
  Changing Administrator user name                  –         –          Support
  Applying the software restriction policies        –         Support    Support
  Applying AutoRun restrictions                     Support   Support    Support
  Applying the StorageDevicePolicies function       –         Support    Support
  Changing the LAN Manager authentication level     –         Support    Support
  Applying the password policy                      –         –          Support
  Applying the audit policy                         –         –          Support
  Applying the account lockout policy               –         –          Support
*1: Support: Supports the security measure.
–: Does not support the security measure.

SEE ALSO
• For details of security measures, see the following:
  3, “Details of Security Measures”
• A security setting tool is available for setting up the legacy model and standard model security settings. For more information, see the following:
  6.1, “IT Security Tool”



2.2 User/Group Management



management and domain management.

Workgroup (standalone) management
  CENTUM VP system only.
  Operation: Operated by registering the user accounts used in each of all the system builders.
  Features:
  • Since account management is required for each PC, all PCs must be maintained whenever user accounts are maintained, making this method not suited for large-scale systems.
  • It is not possible to separate administrator rights to the PC from maintenance rights to the CENTUM VP system.

Domain management
  Construction of a domain controller, in addition to the CENTUM VP system, is required.
  Operation: Operated by registering the user accounts used on the domain controller.
  Features:
  • Centralized management of users is possible, allowing fewer human errors.
  • It is possible to separate administrator rights to the PC from maintenance rights to the CENTUM VP system.

Combination management
  Construction of a domain controller, in addition to the CENTUM VP system, is required.
  Operation: Operated in the same way as domain management in normal operation.
  Features:
  • Even if a domain controller is not available, continuous operation is possible by managing the accounts of each PC.
  • It is not possible to separate administrator rights to the PC from maintenance rights to the CENTUM VP system.

TIP
Combination management is used when operation similar to workgroup management is assumed in normal operation, although the main user management is performed by domain management.

assignment of rights to users is enabled on certain PCs on the authority of the person in charge at a site.



IMPORTANT
The Windows authentication mode is available only when the Standard security model or the Strengthened security model is applied.

The CENTUM VP users that need to be authenticated are the users of the following groups.

Users who use the operation and monitoring function. These users are registered using the

• ENG group users
A collective term for system engineers, recipe engineers, and report users who are registered at installation of the Access Control Package or the Access Administrator Package (FDA: 21 CFR Part 11 compliant).

Users and the builders that manage the users are shown in the table below.

• Users of the operation and monitoring function.
• ENG group user, system engineer (builder managing user: Engineers’ ... system engineers): engineers who perform engineering tasks in the System View and in the various builders started from the System View.
• ENG group user, recipe engineer (builder managing user: Engineers’ ENG group Registration user ... recipe engineers): engineers who use the recipe function.
• ENG group user, report user (builder managing user: Users’ Account ... users): users of the report function.

When Windows authentication mode is set, user authentication is performed when a user logs on to Windows. When the user then tries to use the operation and monitoring functions or the builders, the authentication is performed internally with the Windows logon user name, allowing the user to continue tasks without entering a user name and password again.

The user authentication mode can be applied to the following identities:



Do the following settings to unify user management and passwords among CENTUM VP systems.

• When the Windows authentication mode is used, the user management method needs to be standardized to either domain management (combination management) or workgroup management.

Figure 020201E: applying the user authentication mode. The information on the user authentication mode is held on the PC installed with system builders and delivered to each HIS by a project download over the control bus; the user authentication mode is applied when the HIS starts.

is required after the setting. The information of the downloaded user authentication mode (CENTUM authentication mode or Windows authentication mode) is used as follows.

authentication mode is different from the current user authentication mode while the operation and monitoring functions are running, a system alarm will occur. The user

authentication mode is the Windows authentication mode, a system alarm will occur. The

or revert to CENTUM authentication mode.



IMPORTANT

user cannot be used.

For gradually migrating the system from the CENTUM authentication mode to the Windows

Single Sign On

is referred to as single sign on. There are the following two types of single sign on.
• Windows Type Single Sign On
If a user logs on from the Windows logon dialog box, this user will automatically log on to the operation and monitoring console, i.e., the user becomes user-in status of the Operation and Monitoring Functions. On the user-in dialog box, you can switch the user. When you set a user to user-out status, the user who previously logged on to Windows becomes user-in status again.

When a PC is started, this function automatically makes the user log on to Windows and starts the operation and monitoring function as OFFUSER (default user). After automatic

TIP
In CENTUM authentication mode, an anonymous user can be used to sign on to the operation and monitoring console due
is restricted for signing on so as to improve operation traceability and make operation more secure.

In the case of ENG group users, the affected range of the user authentication mode setting is each

Figure 020202E: scope of the user authentication mode for ENG group users. The information on the user authentication mode is held in the engineers’ account file or users’ account file, which the PCs installed with system builders reference over the Ethernet.

The user authentication modes are set using the Access Control Utilities.

user authentication.



User Management and Security Model
management to create users and groups.

TIP
No matter what security model is applied, the CENTUM VP installer will create a CTM_MAINTENANCE group and

CTM_MAINTENANCE group should not be used.

Moreover, if the domain management type or combination management type is used for user management, the CTM_MAINTENANCE group in the domain should be used instead of the CTM_MAINTENANCE group on the local PC.

After running the IT Security Tool, the following users and user groups will be automatically created.

CENTUM (User, created on the local PC, right group: Users)
  User created when the system is installed, in the same way as for CS 3000. Note that the default password is set to “Yokogawa1” and it is requested to

CTM_PROCESS (User, created on the local PC, right group: Users)
  User for executing CENTUM VP processes (Windows services) that does not have Windows logon rights. The password of CTM_PROCESS is not disclosed.

LIC_PROCESS (User, created on the local PC, right group: Users)
  User for running license management processes (Windows services) that does not have Windows logon rights. The password of LIC_PROCESS is not disclosed. You must not change the password.

IMPORTANT
These user accounts should be used for running CENTUM products only.



management
After running the IT Security Tool, the following users and user groups will be automatically created.

CTM_OPERATOR (Group, created on the local PC, right group: Users (*1))
  Group of users for operators.

CTM_ENGINEER (Group, created on the local PC, right group: Users (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP.

CTM_ENGINEER_ADM (Group, created on the local PC, right group: Administrators (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP, with stronger rights than CTM_ENGINEER.

CTM_OPC (Group, created on the local PC, right group: Users (*1))
  Group of users for performing OPC communication with CENTUM VP.

CTM_MAINTENANCE (Group, created on the local PC, right group: Administrators (*1))
  Group of users who perform system installation and CENTUM VP maintenance.

OFFUSER (User, created on the local PC, right group: Users)
  User used to automatically log on with
  authentication mode. It has minimum rights for the Windows environment. The password of OFFUSER is not disclosed.

CTM_PROCESS (User, created on the local PC, right group: Users)
  User for performing processes of CENTUM VP (Windows services) that does not have Windows logon rights. The password of CTM_PROCESS is not disclosed.

LIC_PROCESS (User, created on the local PC, right group: Users)
  User for running license management processes (Windows services) that does not have Windows logon rights. The password of LIC_PROCESS is not disclosed. You must not change the password.

*1: You need to add the users who belong to the created group to the group shown in the Right group column.

IMPORTANT
• These user accounts should be used for running CENTUM products only.
• When changing the security model, the group name may be changed or groups may be deleted



After running the IT Security Tool, the following users and user groups will be automatically created.

CTM_OPERATOR (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users for operators.

CTM_ENGINEER (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP.

CTM_ENGINEER_ADM (Group, created on the domain controller, right group: Domain Admins (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP, with stronger rights than CTM_ENGINEER.

CTM_OPC (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users for performing OPC communication with CENTUM VP.

CTM_OPC_LCL (Group, created on the local PC, right group: Users (*1))
  Supplementary group for users not supporting domain management, such as users embedded in the EXA package, having the same rights as CTM_OPC. It is not used in normal operation.

CTM_MAINTENANCE (Group, created on the domain controller, right group: Domain Admins (*1))
  Group of users who perform system installation and CENTUM VP maintenance.

CTM_MAINTENANCE_LCL (Group, created on the local PC, right group: Administrators (*1))
  Emergency group used when the domain environment is abnormal, having the same rights as CTM_MAINTENANCE. It is not used in normal operation. After the installation of CENTUM VP is completed in the domain environment, the administrator user of each PC (local user) should be manually added to this local group.

OFFUSER (User, created on the local PC, right group: Users)
  User used to automatically log on with
  authentication mode. It has minimum rights for the Windows environment. The password of OFFUSER is not disclosed.

CTM_PROCESS (User, created on the local PC, right group: Users)
  User for performing processes of CENTUM VP (Windows services) that does not have Windows logon rights. The password of CTM_PROCESS is not disclosed.

LIC_PROCESS (User, created on the local PC, right group: Users)
  User for running license management processes (Windows services) that does not have Windows logon rights. The password of LIC_PROCESS is not disclosed. You must not change the password.

*1: You need to add the users who belong to the created group to the group shown in the Right group column.

IMPORTANT
• These user accounts should be used for running CENTUM products only.
• When changing the security model, the group name may be changed or groups may be deleted



Management
After running the IT Security Tool, the following users and user groups will be automatically created.

CTM_OPERATOR (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users for operators.

CTM_OPERATOR_LCL (Group, created on the local PC, right group: Users (*1))
  Group of users for operators, used on a PC of a workgroup.

CTM_ENGINEER (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP.

CTM_ENGINEER_LCL (Group, created on the local PC, right group: Users (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP, used on a PC of a workgroup.

CTM_ENGINEER_ADM (Group, created on the domain controller, right group: Domain Admins (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP, with stronger rights than CTM_ENGINEER.

CTM_ENGINEER_ADM_LCL (Group, created on the local PC, right group: Administrators (*1))
  Group of users who use the System View and so on for engineering of CENTUM VP, with stronger rights than CTM_ENGINEER, used on a PC of a workgroup.

CTM_OPC (Group, created on the domain controller, right group: Domain Users (*1))
  Group of users for performing OPC communication with CENTUM VP.

CTM_OPC_LCL (Group, created on the local PC, right group: Users (*1))
  Supplementary group for users not supporting domain management, such as users embedded in the EXA package, having the same rights as CTM_OPC. It is not used in normal operation.

CTM_MAINTENANCE (Group, created on the domain controller, right group: Domain Admins (*1))
  Group of users who perform system installation and CENTUM VP maintenance.

CTM_MAINTENANCE_LCL (Group, created on the local PC, right group: Administrators (*1))
  Emergency group used when the domain environment is abnormal, having the same rights as CTM_MAINTENANCE. It is not used in normal operation. After the installation of CENTUM VP is completed in the domain environment, the administrator user of each PC (local user) should be manually added to this local group.

*1: You need to add the users who belong to the created group to the group shown in the Right group column.



OFFUSER (User, created on the local PC, right group: Users)
  User used to automatically log on with
  authentication mode. It has minimum rights for the Windows environment. The password of OFFUSER is not disclosed.

CTM_PROCESS (User, created on the local PC, right group: Users)
  User for performing processes of CENTUM VP (Windows services) that does not have Windows logon rights. The password of CTM_PROCESS is not disclosed.

LIC_PROCESS (User, created on the local PC, right group: Users)
  User for running license management processes (Windows services) that does not have Windows logon rights. The password of LIC_PROCESS is not disclosed. You must not change the password.

IMPORTANT
• These user accounts should be used for running CENTUM products only.
• When changing the security model, the group name may be changed or groups may be deleted



User Name
The user name convention is as follows.
• Up to 16 characters
• Double-byte characters are invalid
• Capital letters only

Restriction
A period character cannot be put at the last place.

TIP
case sensitive, but it is recommended to use the capital letters.

Password
There are the following rules for passwords.
• 32 alpha-numeric characters.
• The password of a Windows user used in Windows authentication mode can be

Restriction
Restricted by password policies set in Windows

TIP



As a locally authenticated user, the following user name can be used:

User names starting with “_” (underscore)

These users are authenticated on the PCs they use, in the Windows authentication mode. They are used in an emergency, for example when a domain controller is down while the users of the PC are managed under the domain management or combination management type. The special user accounts are not used under normal circumstances. Moreover, for standalone management, there is no need to create these users.

A special user can be used on the User-in dialog box of the operation and monitoring functions,

• When the domain management is functioning and access to the domain controller is
unimpeded

Under this circumstance, an emergency user account is used even though the user
authentication processing on the domain is normally performed. Since it may weaken the security

OFFUSER
OFFUSER in the Windows authentication mode has the following characteristics.

authentication mode.
• It is created as a local user regardless of the domain or standalone management.
• The initial password contains 32 characters and is not disclosed (the password can be

VP system).



3. Details of Security Measures



Target Folders
The table below lists the main folders whose access is controlled.

Target folder Description


The folder in which CENTUM VP packages are installed.

License management programs are installed.


The folder in which license management programs are
Program installed.

SECURITY The folder in which IT Security Tool, etc. are installed.

The folder storing CENTUM VP programs, which is


installed under the Program Files folder.

The folder in which the log server, etc. are installed.

The folder in which license management data, etc. are


License installed.

Security installed.

The folder in which CENTUM VP logs etc. are created.

The folder in which online manuals’ management data etc.


are created.

The folder in which Windows maintenance tools are


installed. (*4)
The folder in which Windows maintenance tools are
installed. (*4)

installed with system builders.

location other than the default folder.


*1: %ProgramFiles% refers to the following folder. This example is when the system drive is drive C.

*2: %ProgramData% refers to the following folders. These examples are when the system drive is drive C.

*3: %windir% refers to the following folder. This example is when the system drive is drive C.

*5: This folder is only provided in Windows 7 and Windows Server 2008 R2.



Folder

F F F F F F – F
Applicable to the sub-folders as well.

CENTUMVP
RX RX RX RX F RX – F
Applicable to the sub-folders as well.
(Except for the following folders)

RX F F – F F – F

F F F F F F – F

R R R R RWD RWD R RWD


RX RX RX RX F RX – F
R R R R RWD RWD R RWD
R R R R RWD RWD R RWD

RX RX RX RX F RX – F
CENTUMVP
RX F F RX F F – F
RX F F RX F F – F
R R R R RWD R RW RWD
RX RX RX RX F RX – F
[Other]
Folders for CENTUM created by the option functions F F F F F F – F
F F F F F F – F
F F F F F F F F
– F F – F – – F
– F F – F – – F
– F F – F – – F
– F F – F – – F
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: SYSTEM (Local System Account)
Types of access rights
F: Full access control
R: Read right and list display of folder details
RX: Read right, execution right, and list display of folder details
RW: Write right, read right, and list display of folder details
RWD: Write right, read right, delete right, and list display of folder details
–: Unauthorized



Functions each user can use are restricted by setting the access right to each function (program)
of CENTUM for each user/group.
The table below shows the access rights to programs registered in the Start menu.

Items on Start Menu

Access Access (*4) – (*4) – –


– – – – Access – –
Access Control Utilities – – Access – Access – –
Access (*3) Access Access – Access – –
Graphic File Converter – Access Access – Access – –
Graphic Compatibility Check Tool – Access Access – Access – –
System View – Access Access – Access – –
– Access Access – Access – –
– Access Access – Access – –
– Access Access – Access – –
– Access Access – Access – –
Linked-Part List Window – Access Access – Access – –
Device Panel – Access Access – Access – –
Recipe View – Access Access – Access – –
Report Package – Access Access – Access – –
Logic Test Tool – Access Access – Access – –
Maintenance] - [Command Prompt] Access Access Access – Access – –
– Access Access – Access – –
[Maintenance] - [Logsave] Access Access Access – Access – –
– Access Access – Access – –
– Access Access – Access – –
– Access Access – Access – –
SEM OPC Interface Settings – Access Access – Access – –
– – Access – Access – –
SOE Database Property – Access Access – Access – –
SOE Database Restore – – Access – Access – –
SOE Server Monitoring Settings – Access Access – Access – –
Specify SOE Trigger – Access Access – Access – –
– Access Access – Access – –
SOE Viewer Access Access Access – Access – –
License Manager Access Access Access – Access – Access
IT Security Tool – – – – Access – –
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
Access: Permit access
–: Does not permit access
*2: Functions not started from the Start menu

*4: Can be started only by Administrator.



IMPORTANT
Administrative users belonging to the Administrators group, except for Administrator, cannot
start the operation and monitoring functions and test functions. This restriction applies to
administrative users who belong to the CTM_ENGINEER_ADM, CTM_ENGINEER_ADM_LCL,
CTM_MAINTENANCE, or CTM_MAINTENANCE_LCL group.



Registry Types
There are three types of access-controlled registries:

Name | Description
CENTUM Related | CENTUM related registries
DCOM Related | DCOM communication (OPC) related registries

Registry Keys
The table below shows the registry keys whose access can be controlled.

Name Description
Registry created at installation of
CENTUM Registry
YOKOGAWA] CENTUM VP
Registry used by programs of
CS3000 Registry
CENTUM VP
CentumProductInfo Registry in which product information
Registry of CENTUM VP is stored

CENTUMVP Registry Registry used by the installer

CS3K Registry Registry used by the installer

Registry related to control bus

Exaopc Registry Registry related to Exaopc

EXA Registry Registry related to Exa products



Name Registry Key Description

OpcEnum Registry DCOM related registry for OpcEnum

DCOM related registry for Yokogawa


OPC Alarms Registry

DCOM related registry for Yokogawa


Registry
CS DCOM Server DCOM related registry for Yokogawa
Registry CS DCOM Server
DCOM related registry for Yokogawa
OPC Server Registry

DCOM related registry for Yokogawa


Registry
DCOM related registry for Yokogawa
Registry
CSSEM Alarm & DCOM related registry for Yokogawa
Events Automation CSSEM Alarm & Events Automation
Server Registry Server
DCOM related registry for Yokogawa
Registry

Name Registry

SlaveDTM]



Access Permissions to Registries
The table below shows access permissions to registries.

Registry | [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8] | [9]
CENTUM Registry | – | – | – | – | – | – | – | F | F
CS3000 Registry | F | F | F | F | F | F | – | R | F
CentumProductInfo Registry | – | – | – | – | F | – | – | F | F
CENTUMVP Registry | – | – | – | – | F | – | – | F | F
CS3K Registry | F | F | F | F | F | F | F | R | F
Registry related to control bus | F | F | F | F | F | F | – | R | F
Exaopc Registry | F | F | F | F | F | F | F | – | F
EXA Registry | F | F | F | F | F | F | F | – | F
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
Types of access permissions
F: Full access control
R: Read right
–: Unauthorized

Registry | [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8] | [9] | [10]
OpcEnum Registry | F | F | F | F | F | F | – | – | F | R
OPC Alarms Registry | F | F | F | F | F | F | – | – | F | R
| F | F | F | F | F | F | – | – | F | R
| F | F | F | F | F | F | – | – | F | R
CS DCOM Server Registry | F | F | F | F | F | F | – | – | F | R
OPC Server Registry | F | F | F | F | F | F | – | – | F | R
| F | F | F | F | F | F | – | – | F | R
| F | F | F | F | F | F | – | – | F | R
CSSEM Alarm & Events Automation Server Registry | F | F | F | F | F | F | – | – | F | R
| F | F | F | F | F | F | – | – | F | R
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
[10]: SERVICE
Types of access permissions
F: Full access control
R: Read right
–: Unauthorized
*2: Access permission is R for OFFUSER.



Registry

– F F – F – – – F
– F F – F – – – F
– F F – F – – – F
– F F – F – – – F
– F F – F – – – F
*1: User/Group
[1]: CTM_OPERATOR/CTM_OPERATOR_LCL/OFFUSER
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: LIC_PROCESS
[8]: Everyone
[9]: SYSTEM
[10]: SERVICE
Types of access permissions
F: Full access control
– : Unauthorized



[1]: CTM_OPERATOR/CTM_OPERATOR_LCL
[2]: CTM_ENGINEER/CTM_ENGINEER_LCL
[3]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[4]: CTM_OPC/CTM_OPC_LCL
[5]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[6]: CTM_PROCESS
[7]: SYSTEM



Policies

Policy | [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8]
| Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Debug programs | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
| Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Log on as a service | No | No | No | No | No | No | Yes | Yes
Deny log on locally | Yes (*2) | No | No | No | No | No | Yes | Yes
*1 : User/Group
[1]: OFFUSER
[2]: CTM_OPERATOR/CTM_OPERATOR_LCL
[3]: CTM_ENGINEER/CTM_ENGINEER_LCL
[4]: CTM_ENGINEER_ADM/CTM_ENGINEER_ADM_LCL
[5]: CTM_OPC/CTM_OPC_LCL
[6]: CTM_MAINTENANCE/CTM_MAINTENANCE_LCL
[7]: CTM_PROCESS
[8]: LIC_PROCESS
Yes: Authorized
No: Unauthorized



3.2 Personal Firewall Tuning

Exception Setting Type

Set the required communication ports as exceptions so that the CENTUM VP functions can operate.

Name | Description
CENTUM Related | Communication ports used by CENTUM related programs to communicate
DCOM Related | Communication ports used by programs using DCOM communication (including OPC communication)
File Sharing Related |
Windows Related |

CENTUM Related Exceptional Settings

The table below lists CENTUM related exceptional settings.

Service name / Port No. | Function name | Remarks
TCP:20109 | Standard Operation and Monitoring Function | Required when CENTUM VP is communicating with a CENTUM CS system
TCP:20171 | Standard Operation and Monitoring Function | None
TCP:20110 | Standard Operation and Monitoring Function | None
TCP:20183 | Standard Operation and Monitoring Function | None
MnsServer.exe, UDP:32301 | Standard Operation and Monitoring Function | None
TCP:20111 | Process Management Package | None
TCP:20174 | Process Management Package | None
TCP:20177 | Process Management Package | None
TCP:20178 | Process Management Package | None
TCP:20179 | Process Management Package | None
TCP:34205 | Expanded Test Functions FCS Simulator Package | None
| Expanded Test Functions FCS Simulator Package | None



Service name / Port No. | Function name | Remarks
Remote desktop service, TCP:3389 | Server for Remote Operation and Monitoring Function | None
TCP:20181 | Package | Only required in one PC within the CENTUM VP system
TCP:20101 | Package | None
TCP:20102 | Package | None
TCP:20105 | Package | None
TCP:20184 | APCS Control function | APCS/GSGW
sqlservr.exe, TCP:1433 | SOE Server Package | SOE SQLServer
UDP:34325 | SOE Server Package | SOE
TCP:34333 | SIOS | SIOS related
CAMSServer.exe, TCP:8819, TCP:8820, UDP:8819 | Consolidated Alarm Management Software | for CAMS
CAMSLogSvr.exe, UDP:8820 | Consolidated Alarm Management Software | for CAMS
Yokogawa.IA.iPCS.CENTUMVP., TCP:34419 | Standard Operation and Monitoring Function | None
Yokogawa.IA.iPCS.Platform.License.LicenseManager.Service.exe, TCP:34417 | License Management Function | None
Yokogawa.IA.iPCS.CENTUMVP.UGS.Facade.Service.exe, TCP:38000 | UGS | None
Yokogawa.IA.iPCS.CENTUMVP.UGS.ENG.FileTransferServiceDispatcher.exe | UGS | None
Yokogawa.IA.iPCS.CENTUMVP., TCP:40111 | UGS | None
TCP:38020 | |
Yokogawa.IA.iPCS.CENTUMVP.UGS.System.Service.exe, TCP:40112 | UGS | None
TCP:40116 | |
Yokogawa.IA.iPCS.CENTUMVP., TCP:40117 | UGS | None
Yokogawa.IA.iPCS.CENTUMVP., TCP:38030 | UGS | None
durm_udp.exe, UDP:1099 | UGS | None
opxdas.exe, TCP:135 | UGS | None
eqpmdc.exe, TCP:502 | UGS | None
eqpfcx.exe, TCP:1090 | UGS | None
eqpabc.exe, TCP:44818 | UGS | None
IIS(FTP), TCP:38040 | UGS | For UGS redundancy
Yokogawa.IA.iPCS.CENTUMVP., TCP:34420 | Standard Operation and Monitoring Function | None



DCOM Related Exceptional Settings
The table below lists DCOM related exceptional settings.

Service name / Port No. | Function name | Remarks
DCOM service, TCP:135 | Programs using OPC communication | When OPC connection is used
DCOM service | Programs using OPC communication | When OPC connection is used

The table below lists File Sharing related exceptional settings.

Service name / Port No. | Function name | Remarks
TCP:139, UDP:137, UDP:138 | printers | None
TCP:445 | printers |
and registration to DNS, is required.

Windows Related Exceptional Settings

The table below lists Windows related exceptional settings.

Service name / Port No. | Server/Station
Enabling ICMP (*1), ICMP | Domain controller, File server, CENTUM VP station
Kerberos Authentication, TCP:88, UDP:88 | Domain controller
LDAP (Active Directory), TCP:389, UDP:389 | Domain controller
DNS, TCP:53, UDP:53 | Domain controller
Windows Time, UDP:123 | UGS

*1: This item may be ICMP, ICMPv4, or ICMPv6, depending on the OS.
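The exception settings above, as an added example that is not code from the manual or from the IT Security Tool: a script that registers inbound exceptions for a subset of the CENTUM related ports with "netsh advfirewall" (Windows Vista / Windows Server 2008 and later; Windows Server 2003 uses the older "netsh firewall" syntax). The "CTM-" rule names, the port subset, the RemoteIp scope (narrowed to the local subnet, which the manual does not require) and the English-text match for absent rules are our assumptions.

```powershell
# Added example, not code from the Yokogawa manual or the IT Security Tool.
# Run from an elevated PowerShell prompt on the CENTUM VP station.

# Constructed list: a subset of the CENTUM related ports in the tables above,
# with the function the manual assigns to each one.
$CentumPorts = @(
    @{ Protocol = 'TCP'; Port = 20109; Function = 'Standard Operation and Monitoring (CENTUM CS link)' },
    @{ Protocol = 'TCP'; Port = 20171; Function = 'Standard Operation and Monitoring' },
    @{ Protocol = 'TCP'; Port = 20110; Function = 'Standard Operation and Monitoring' },
    @{ Protocol = 'TCP'; Port = 20183; Function = 'Standard Operation and Monitoring' },
    @{ Protocol = 'UDP'; Port = 32301; Function = 'Standard Operation and Monitoring (MnsServer.exe)' },
    @{ Protocol = 'TCP'; Port = 20111; Function = 'Process Management Package' },
    @{ Protocol = 'TCP'; Port = 34417; Function = 'License Management Function' },
    @{ Protocol = 'TCP'; Port = 3389;  Function = 'Remote desktop service' }
)

function Test-CtmFirewallRule {
    param([string]$Name)
    # "show rule" prints "No rules match the specified criteria." when the rule is
    # absent (assumes an English-language OS for the text match).
    $out = netsh advfirewall firewall show rule name="$Name" | Out-String
    return ($out -notmatch 'No rules match')
}

function Add-CtmFirewallException {
    param(
        [hashtable]$Entry,
        # Scope assumed by this example: only the local subnet may reach the port.
        # Widen to the control-network ranges that actually need it, not to "any".
        [string]$RemoteIp = 'localsubnet'
    )
    $name = 'CTM-{0}-{1}' -f $Entry.Protocol, $Entry.Port
    if (Test-CtmFirewallRule -Name $name) {
        Write-Host "exists : $name"
        return
    }
    # Each argument is one array element so PowerShell quotes values with spaces.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$name", "description=$($Entry.Function)",
                   'dir=in', 'action=allow',
                   "protocol=$($Entry.Protocol)", "localport=$($Entry.Port)",
                   "remoteip=$RemoteIp", 'profile=domain,private')
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $name" }
    Write-Host "added  : $name ($($Entry.Function))"
}

foreach ($entry in $CentumPorts) { Add-CtmFirewallException -Entry $entry }
```

Re-running the script is safe: rules that already exist are reported and left untouched.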



3.3 Stopping Unused Windows Services

Unused Windows Services

The table below lists unused Windows services.

Service | Comment | 2003 | Vista | 7 | 2008 | 2008 R2
| are not used within the CENTUM VP system. | Unused | Unused | Unused | Unused | Unused
Error Reporting Service | Not required within the CENTUM VP system. | Unused | – | – | – | –
| Not required within the CENTUM VP system. | – | Unused | Unused | Unused | Unused
IPsec Policy Agent | Not required within the CENTUM VP system. | – | Unused | – | Unused | –
IPSEC Services | Not required within the CENTUM VP system. | Unused | – | – | – | –
Network DDE | Not required because DDE services via the network are not used. | Unused | – | – | – | –
Network DDE DSDM | Not required because DDE services via the network are not used. | Unused | – | – | – | –
| Not required within the CENTUM VP system. | – | Unused | Unused | Unused | –
Remote Registry | Not required because the functions are not used and there are problems in terms of security. | Unused | Unused | – | Unused | –
Detection | Not required because the functions are not used. | Unused | Unused | Unused | Unused | Unused
WebClient | Not required because the functions are not used. | Unused | Unused | – | – | –
Windows Error Reporting Service | Not required within the CENTUM VP system. | – | Unused | – | Unused | –
Wireless | Not required within the CENTUM VP system. | Unused | – | – | – | –
*1: Windows OS
2003: Windows Server 2003
Vista: Windows Vista
7: Windows 7
2008: Windows Server 2008
2008 R2: Windows Server 2008 R2
Unused: Services that can be stopped
–: Services that do not exist in the OS, or services required in the system
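Stopping the services in the table above, as an added example (not code from the manual or the IT Security Tool): the script looks each service up by the display name the manual uses, stops and disables it, and reports services the OS does not have, which is what the "–" cells mean. The display-name list is our selection of the rows whose names survive intact; run it from an elevated prompt.

```powershell
# Added example, not code from the Yokogawa manual or the IT Security Tool.

# Constructed list: display names of services the table marks "Unused".
$UnusedServiceDisplayNames = @(
    'Error Reporting Service',          # Windows Server 2003
    'IPsec Policy Agent',
    'IPSEC Services',                   # Windows Server 2003 name
    'Network DDE',
    'Network DDE DSDM',
    'Remote Registry',
    'WebClient',
    'Windows Error Reporting Service'
)

function Disable-UnusedService {
    param([string]$DisplayName)
    # Get-Service returns nothing when the display name does not exist on this OS.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { return "absent  : $DisplayName" }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops services that depend on this one.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    }
    # Disabled start type keeps the service from coming back at the next boot.
    Set-Service -Name $svc.Name -StartupType Disabled
    return "disabled: $DisplayName ($($svc.Name))"
}

function Get-UnusedServiceReport {
    # One line per service, so the result can be logged with the station's records.
    foreach ($name in $UnusedServiceDisplayNames) {
        Disable-UnusedService -DisplayName $name
    }
}

Get-UnusedServiceReport
```

Check the report against the OS column of the table: a service reported "absent" on an OS where the table says "Unused" means the display name differs on that build and should be looked up with Get-Service before disabling.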



Administrator is recommended.
• For Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2,

for Windows maintenance.

Keep the following points in mind when changing the user name of “Administrator.”
• Create a user with administrator rights for normal maintenance.

name to be changed and the name of user with administrator rights to be created.
• Securely control users with administrator rights.

Keep the following points in mind when disabling “Administrator.”


• Disable “Administrator” after creating a user with administrator rights.

name of user with administrator rights.


• Securely control users with administrator rights because they are required for operations.



Cautions
You must enter a user name on every logon attempt if you apply this security measure.



• Restriction on path
• Restriction on hash

• Restriction on the Internet zone

Restriction on path: If this restriction is applied, other coexisting packages may not run.

Settings
The restriction on path of CENTUM VP is added to the restriction on path.

• %ProgramFiles% (*2)
• %ProgramFiles(x86)% (*3) (for Windows 7 and Windows Server 2008 R2)
• %ProgramW6432% (*4) (for Windows 7 and Windows Server 2008 R2)

and Windows Server 2008 R2)


• %SystemRoot% (*5)
• CENTUM VP installation folder (*6)

The following rules are deleted.


• “lnk” and “mdb” are deleted from [Designated File Types Properties].
*1: %ALLUSERSPROFILE% refers to the following folder. This example is when the system drive is drive C.

*2: %ProgramFiles% refers to the following folder. This example is when the system drive is drive C.

*3: %ProgramFiles(x86)% refers to the following folder. This example is when the system drive is drive C.

*4: %ProgramW6432% refers to the following folder. This example is when the system drive is drive C.

*5: %SystemRoot% refers to the following folder. This example is when the system drive is drive C.

*6: CENTUM VP installation folder refers to the following folder. This example is when the system drive is drive C.



Cautions

IT Security Tool.

Restriction Policies are Applied


You cannot use the following tools when software restriction policies are applied:
• Fieldbus engineering tool
• Device management tool

When you run an FCS simulator using the test function, you cannot enable the following functions
when software restriction policies are applied.
• Plant training system (Exatif)
• Off-site blocks, enhanced switch instrument blocks, and valve pattern monitors

Observe the following points when software restriction policies are applied.
• When you install CENTUM VP software or third party software from removable storage
media, log on to the PC as an administrative user and run the setup program by right-
clicking the program and choosing [Run as Administrator].
• When you run a program with the extension .bat, .cmd, or .vbs, start the command prompt
from the Start menu by right-clicking Command Prompt (cmd.exe) and choosing [Run as
Administrator]. Then, run the program from the command prompt window.
• Microsoft Excel, Microsoft SQL Server, OPC server used for GSGW or SIOS, and third party
software must be installed under %ProgramFiles% or %ProgramFiles(x86)%.
• Updating programs for display drivers may be installed immediately under the C drive.
When you update the driver, log on to the PC as an administrative user and run the updating
program by right-clicking the program and choosing [Run as Administrator].

• When you install an OPC client, log on to the PC as an administrative user and run the OPC
client setup program by right-clicking the program and choosing [Run as Administrator].

users.

Precautions for Applying Software Restriction Policies


Observe the following points before you apply software restriction policies.
• Microsoft Excel, Microsoft SQL Server, OPC server used for GSGW or SIOS, user-created
ActiveX controls, and third party software must be installed in folders under the path that
is to be added as software restriction policies. If these items are already installed in other
folders, you need to reinstall them.
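The software restriction policy described above, as an added example that is not code from the manual or the IT Security Tool: a script that reads the policy in force from the local machine's registry and reports the default level, whether "lnk" and "mdb" are still among the designated file types, whether the folders listed under Settings have unrestricted path rules, and whether any unrestricted rule points at a folder ordinary users can write to. It assumes a default level of Disallowed (what a path-based allow list implies), and the required-path list and the user-writable-folder heuristic are ours.

```powershell
# Added example, not code from the Yokogawa manual or the IT Security Tool.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security levels used by software restriction policies.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    param([int]$Level = 262144)
    # Path rules live under <CodeIdentifiers>\<level>\Paths\<GUID>, one key per rule.
    $paths = "$SaferKey\$Level\Paths"
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem $paths | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Level       = $LevelNames[$Level]
            Path        = $p.ItemData
            Description = $p.Description
        }
    }
}

function Test-SrpConfiguration {
    param(
        # Assumed: folders from the Settings list that must be allowed.
        [string[]]$RequiredPaths = @('%ProgramFiles%', '%SystemRoot%'),
        # The section removes these two designated file types.
        [string[]]$RemovedTypes = @('LNK', 'MDB')
    )
    $findings = @()
    if (-not (Test-Path $SaferKey)) { return @('no software restriction policy configured') }
    $ci = Get-ItemProperty $SaferKey

    if ($null -eq $ci.DefaultLevel) {
        $findings += 'DefaultLevel is not set'
    } elseif ($LevelNames[[int]$ci.DefaultLevel] -ne 'Disallowed') {
        $findings += ('default level is {0}, expected Disallowed' -f $LevelNames[[int]$ci.DefaultLevel])
    }
    foreach ($t in $RemovedTypes) {
        if ($ci.ExecutableTypes -contains $t) { $findings += "designated file type $t is still present" }
    }

    $allowed = @(Get-SrpPathRules -Level 262144 | ForEach-Object { $_.Path })
    foreach ($req in $RequiredPaths) {
        if (-not ($allowed -contains $req)) { $findings += "no unrestricted rule for $req" }
    }
    # Heuristic (ours): an allow rule on a folder normal users can write to lets any
    # user bypass the policy by copying a program there.
    foreach ($p in $allowed) {
        if (-not $p) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        if ($expanded -match '(?i)\\Users\\|\\Temp\\|\\ProgramData\\') {
            $findings += "unrestricted rule on a user-writable path: $p"
        }
    }
    if ($findings.Count -eq 0) { return @('OK') }
    return $findings
}

Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
Test-SrpConfiguration
```

A finding for the CENTUM VP installation folder or a third-party folder is expected until that folder is added to RequiredPaths with the value actually configured on the station.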



Settings
The AutoRun function is disabled for all drives.

Cautions
Please observe the following point.
• The installation menu does not start when the CENTUM VP software medium is inserted.



temporarily grant write permissions to users.

SEE
ALSO For details about the StorageDeviceCTL, see the following:
6.2, “Other Utility Programs”

Cautions
This function is not available with Windows Server 2003 and Windows Server 2003 R2.
If this function is applied to Windows Server 2008 R2, you cannot use StorageDeviceCTL to
temporarily cancel the effect of StorageDevicePolicies. To cancel, you need to clear the [Applying
the StorageDevicePolicies function] check box of the IT Security Tool’s detailed settings and run
the tool again. Note that, to disable taking out of data using removable storage media without



permissions to users.

SEE
ALSO For details about the StorageDeviceCTL, see the following:
6.2, “Other Utility Programs”

Cautions
If this function is applied to Windows Server 2008 R2, you cannot use StorageDeviceCTL to

tool again. Note that, to disable taking out of data using removable storage media without using



Cautions

• It is necessary that the computer name and station name match.

Windows 95, Windows 98, Windows ME, and Windows NT.



Settings

• For [Network security: LAN Manager authentication level], “Send NTLMv2 response only” is
set.
• For [Network security: Do not store LAN Manager hash value on next password change],
“Enabled” is set.
• For [Network security: Minimum session security for NTLM SSP based (including secure
RPC) clients], the [Require NTLMv2 session security] and [Require 128-bit encryption]
check boxes are selected.
• For [Network security: Minimum session security for NTLM SSP based (including secure
RPC) servers], the [Require NTLMv2 session security] and [Require 128-bit encryption]
check boxes are selected.

Cautions
Please observe the following points when applying this measure.
• It becomes impossible to connect from Windows 95, Windows 98, Windows ME, Windows
NT, and Windows 2000.
• You must ensure that the settings of [Network security: Minimum session security for
NTLM SSP based (including secure RPC) clients] and [Network security: Minimum session
security for NTLM SSP based (including secure RPC) servers] are consistent on all PCs.



password policies.

Settings
The following table shows the settings.

Policy | Settings
Minimum password length | 12 characters or more
Change prohibition period of password | One day
Validity period of password | 90 days
Storage of password history | 24 passwords remembered (25 password types or more are required)
Password must meet complexity requirements | Enabled
Store password using reversible encryption for all users in the domain | Disabled

Cautions
If the password policies are made stricter, not only the load of password management on users but also the load on the operation administrators who manage users' passwords increases.



Collected account logon conditions and events related to security serve as data useful

Settings
The following table shows the settings.

Policy | Settings
Audit account logon events | Success, failure
Audit account management | Success, failure
| Failure
Audit system events | Success, failure
Audit directory service access | Success, failure
Audit process tracking | Success
Audit policy change | Success, failure
Audit logon events | Success, failure
Audit privilege use | Success, failure

Cautions
Please observe the following points.
• If the number of event types collected is increased, the system performance is affected.
• The number of generated events varies depending on the types of collected events and
system operations. Determine the event collection size appropriate for the system operation
conditions.



Settings
The following table shows the settings.

Policy | Settings
Account lockout threshold | 10 invalid logon attempts
Reset account lockout counter after | 15 minutes
Account lockout duration | 15 minutes

Cautions
If this policy is applied, you may not be able to log on in an emergency if a lockout occurs as a result of hasty operation.
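The network security options, password policy and account lockout policy above, as one added example that is not code from the manual or the IT Security Tool: a script that exports the effective local security policy with secedit, compares the [System Access] values with the tables, and reads the registry values behind the four [Network security] options (LmCompatibilityLevel 3 for "Send NTLMv2 response only", NoLMHash, and NtlmMinClientSec/NtlmMinServerSec with the NTLMv2 session security and 128-bit encryption bits). The temporary file path and the exact-match comparison are our assumptions; on a domain member the domain policy governs domain accounts, so check it there as well.

```powershell
# Added example, not code from the Yokogawa manual or the IT Security Tool.
# Run from an elevated prompt; secedit needs administrator rights to export.

$Expected = @{
    # [System Access] section of the secedit export: password and lockout policy
    MinimumPasswordLength = 12   # 12 characters or more
    MinimumPasswordAge    = 1    # change prohibition period: one day
    MaximumPasswordAge    = 90   # validity period: 90 days
    PasswordHistorySize   = 24   # 24 passwords remembered
    PasswordComplexity    = 1    # complexity requirements enabled
    ClearTextPassword     = 0    # reversible encryption disabled
    LockoutBadCount       = 10   # 10 invalid logon attempts
    ResetLockoutCount     = 15   # reset counter after 15 minutes
    LockoutDuration       = 15   # lockout duration 15 minutes
}

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$NtlmExpected = @(
    # "Send NTLMv2 response only"
    @{ Key = $Lsa; Name = 'LmCompatibilityLevel'; Value = 3 },
    # "Do not store LAN Manager hash value on next password change"
    @{ Key = $Lsa; Name = 'NoLMHash'; Value = 1 },
    # Require NTLMv2 session security (0x80000) + 128-bit encryption (0x20000000)
    @{ Key = "$Lsa\MSV1_0"; Name = 'NtlmMinClientSec'; Value = 0x20080000 },
    @{ Key = "$Lsa\MSV1_0"; Name = 'NtlmMinServerSec'; Value = 0x20080000 }
)

function Get-SystemAccessPolicy {
    param([string]$InfPath = (Join-Path $env:TEMP 'secpol-export.inf'))
    # secedit writes a Unicode (UTF-16) INF file.
    secedit /export /cfg $InfPath /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (run elevated)' }
    $section = $null
    $values = @{}
    foreach ($line in Get-Content $InfPath -Encoding Unicode) {
        if ($line -match '^\[(.+)\]') { $section = $matches[1]; continue }
        # Keep only numeric entries; names such as NewAdministratorName are strings.
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $InfPath -ErrorAction SilentlyContinue
    return $values
}

function Test-SecurityBaseline {
    $findings = @()
    $actual = Get-SystemAccessPolicy
    foreach ($name in $Expected.Keys) {
        if (-not $actual.ContainsKey($name)) { $findings += "$name not present in export"; continue }
        if ($actual[$name] -ne $Expected[$name]) {
            $findings += ('{0}: actual {1}, expected {2}' -f $name, $actual[$name], $Expected[$name])
        }
    }
    foreach ($e in $NtlmExpected) {
        $val = $null
        $prop = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        if ($prop) { $val = $prop.($e.Name) }
        if ($val -ne $e.Value) {
            $findings += ('{0}\{1}: actual {2}, expected 0x{3:X}' -f $e.Key, $e.Name, $val, $e.Value)
        }
    }
    if ($findings.Count -eq 0) { return @('OK: baseline matches') }
    return $findings
}

Test-SecurityBaseline
```

A missing LmCompatibilityLevel or NtlmMin*Sec value means the option has never been set on that station and the OS default applies, which the script reports as a finding.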

IM 33K01C30-50E 1st Edition : Sep.22,2011-00
Security Functions

Considerations on Determining Security Functions


The following items need to be considered according to the actual implementations.
These items should be determined before installing CENTUM VP.
• Security model
• Type of Windows user management
• User authentication mode

Security Model
A security model needs to be selected from the following three types.

Security Model | Selection Criterion
Legacy Model | Yokogawa products not supporting IT security and when sharing Windows users among multiple operators. This model can be selected upon your understanding that it is vulnerable to information leaks and to attacks by worms and viruses.
Standard Model (Recommended) | This is a model that provides a minimum security set for the CENTUM VP system as well as the systems collaborating with the CENTUM VP system.
Strengthened Model | Select this model when a security level higher than the Standard model is required. Consult a Yokogawa agent when implementing this model.

Type of Windows User Management

the following three types.

User Management | Selection Criterion
Workgroup (Standalone) Management | This type is suitable for relatively small-scale systems because the user accounts and passwords of all PCs of a system need to be kept consistent.
Domain Management | This type is suitable for systems in which centralized user management is implemented. When this type is selected, it is recommended to set up a new, dedicated domain controller when constructing the system.
Combination Management | This type is suitable for systems where user management is centralized but some users are allowed to be independently managed on local PCs.



Select a user authentication mode according to the operation conditions and security policies
from the following.

Mode | Selection Criterion
CENTUM Authentication Mode | This mode performs the same authentication as the CENTUM systems prior to version R4.03. Select this mode when the Windows users and CENTUM users are authenticated separately.
Windows Authentication Mode | Select this mode when the Windows users, CENTUM operation and monitoring users
This mode is suitable for systems to which a higher level of security is applied.

When Windows authentication mode is selected, only one authentication is required before

select the single sign on as follows:

Type
Windows Type Single
Sign On account to log on.

and logging on Windows.

On
example, permissions to manipulate Start Menu items) are retained at the privilege of
the user (OFFUSER) who automatically logged on to Windows.
Moreover, if OFFUSER logs off Windows, you need to restart the PC to log on to Windows
again.

The following table lists the precautions to be observed when setting security measures.

Security function | Precaution
Screen Saver Function | [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password | If the passwords of CTM_PROCESS/OFFUSER (*1) are changed, it is necessary to match the passwords on all PCs in which CTM_PROCESS/OFFUSER (*1) exist, regardless of the user management type.
Operation Keyboard User Switch Function | If access control for each user utilizing the Windows authentication mode as the user authentication mode is being examined, it is necessary to consider use of the operation keyboard user switch function upon understanding that it is not suited for access control of each user, because user rights can be upgraded temporarily.
Setting IT Security for File Server/Domain controller | servers and/or domain controllers. (*2)

*2: .NET Framework 3.5 SP1 is included in the CENTUM VP install media.



system

Security function | Recommended setting
Security model | Standard model
Windows user management | Standalone management
User authentication mode | Windows authentication mode
Software Restriction Policies | N/A
Screen Saver Function | [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password | Not required to change password
Operation Keyboard User Switch Function | Enable the user switch function
File Server | Standard model (standalone management) as IT security.
Domain controller | Not required

Security function | Recommended setting
Security model | Standard model
Windows user management | Standalone management
User authentication mode | Windows authentication mode
Software Restriction Policies | Apply
Screen Saver Function | [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password | Not required to change password
Operation Keyboard User Switch Function | Enable the user switch function
File Server | Standard model (standalone management)
Domain controller | Not required



System Only

Security function | Recommended setting
Security model | Standard model
Windows user management | Domain management
User authentication mode | Windows authentication mode
Software Restriction Policies | Apply
Screen Saver Function | [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password | Not required to change password
Operation Keyboard User Switch Function | Disable the user switch function
File Server | Standard model (domain/combination management) as IT security.
Domain controller | Construct anew (apply the Standard model (domain/combination management) as IT security).

Systems

Security function | Recommended setting
Security model | Standard model
Windows user management | Combination management
User authentication mode | Windows authentication mode
Software Restriction Policies | Apply
Screen Saver Function | [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password | Not required to change password
Operation Keyboard User Switch Function | Disable the user switch function
File Server | Standard model (domain/combination management) as IT security.
Domain controller | Reuse an existing server (apply the Standard model (domain/combination management) as IT security. Alternatively, conform to the security policies of the implemented users).



Security function                          Recommended setting
Security model                             Legacy model
Windows user management                    Standalone management
User authentication mode                   CENTUM authentication mode
Software Restriction Policies              N/A
Screen Saver Function                      [On resume, password protected] option should not be checked.
CTM_PROCESS/OFFUSER Password               Not required to change password
Operation Keyboard User Switch Function    Enable the user switch function
File Server                                ...system builders. IT security is not required.
Domain controller                          Not required

When building a system that prioritizes security, design the security settings with full
consideration of how the system will actually be operated.

Security function                          Recommended setting
Security model                             Strengthened model
Windows user management                    Domain management
User authentication mode                   Windows authentication mode
Software Restriction Policies              Apply
Screen Saver Function                      [On resume, password protected] option should be checked.
CTM_PROCESS/OFFUSER Password               Required to change password
Operation Keyboard User Switch Function    Disable the user switch function
File Server                                Strengthened model (domain/combination management)
Domain controller                          Construct anew (apply the Strengthened model (domain/combination
                                           management) as IT security).


IM 33K01C30-50E 1st Edition : Sep.22,2011-00
For account management of Windows, two types of management, common account

CENTUM user often used in conventional CENTUM VP systems.

Common Account Management and Individual Account Management

The table below shows the differences between common account management and
individual account management.

Common account management
  Operation form:            A single Windows account is shared by multiple users.
  Convenience of operation:  The same operability as conventional CENTUM VP systems.
  Security:                  Low (...disadvantageous).

Individual account management
  Operation form:            A single Windows account is assigned to a single user.
  Convenience of operation:  Low. Windows log off/log on is required at each personnel shift,
                             which is cumbersome compared to conventional operation.
  Security:                  Advantageous because access control of each user is possible.


environment fully into consideration.

Use of Accounts
If common accounts are used, it is recommended to group the accounts by the rights of their
users, to prohibit operations on the CENTUM VP system by users without rights, and to narrow
down the user groups that have to be examined when tracing how a problem occurred. This yields
more useful trace data than a single common account shared among all users.

Password Management
Considering security, it is recommended to change passwords periodically. Periodic changes
limit the time an attacker has to crack a password and the period in which a compromised
password remains usable. If common accounts are used, change the password whenever the set of
members using the common

is prevented.

Automatic Logon Function

If the automatic logon function is used, it is recommended to assign only accounts belonging to
the CTM_OPERATOR group to the users for whom automatic logon is applied. If an account belonging
to another user group is set, a person without rights to the CENTUM VP system could inadvertently
use the system builders or other engineering tools.


Account Maintenance
If a user's rights change, it is recommended to update the rights of the account promptly.

by users who previously had rights, and unexpected attacks from attackers. For example,

when personnel change, change the group to which that person belongs.

Password Management
Considering security, it is recommended to change passwords periodically. Periodic changes of
user passwords limit the time available to crack a password and the period in which a
compromised password remains usable.


Management/Individual Account Management
individual account management.

System Audit

system abnormalities at an early stage, which leads to early discovery of signs of trouble and
incidents. If any abnormality is found, consult the network administrators or security experts
to take appropriate measures.

Under standalone management, the same user account must be created not only on every PC the
user works at and on every PC on which the system builders are installed, on which

when changing passwords as well, the password of that account must be changed to the same new
password on every PC where the account is registered.

differ from each other by 5 minutes or more (the default tolerance), the authentication function
does not work properly in the domain environment. Keep an eye on the time deviation between the
domain controller and each PC.
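The following script is an added example, not part of this guide or of the IT Security Tool: it measures the clock offset between the PC it runs on and the domain controller using the built-in w32tm tool and reports when the offset approaches the tolerance described above. It assumes w32tm can reach the domain controller on UDP port 123 (the personal firewall must allow this) and that the 5-minute tolerance is the one in force; the 20 % warning threshold is this example's own choice.

```powershell
# Added example (not from the CENTUM VP Security Guide): check clock skew against the
# domain controller before it breaks Windows authentication.

function Get-ClockOffsetSeconds {
    # Average offset in seconds between this PC and $Computer, as measured by w32tm.
    # A positive value means this PC's clock is behind $Computer.
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$Samples = 5
    )
    # Each sample line looks like "10:15:02, +00.0012345s". A probe that failed looks
    # like "10:15:02, error: 0x800705B4" and is skipped by the regular expression.
    $output  = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw ("No time samples from {0}: {1}" -f $Computer, ($output -join ' '))
    }
    ($offsets | Measure-Object -Average).Average
}

function Test-DomainClockSkew {
    # Compares this PC with the domain controller that authenticated the current logon
    # ($env:LOGONSERVER, e.g. "\\DC01"); pass -DomainController to check another one.
    param(
        [string]$DomainController = "$env:LOGONSERVER".TrimStart('\'),
        [double]$ToleranceSeconds = 300,   # 5 minutes, the default tolerance named above
        [double]$WarnFraction     = 0.2    # assumed: warn once 20 % of the tolerance is used up
    )
    if (-not $DomainController) { throw 'Not logged on through a domain controller; give -DomainController.' }
    $offset = Get-ClockOffsetSeconds -Computer $DomainController
    $abs    = [math]::Abs($offset)
    $state  = if ($abs -ge $ToleranceSeconds)                 { 'FAIL: authentication will be refused' }
              elseif ($abs -ge $ToleranceSeconds * $WarnFraction) { 'WARN: resynchronize soon' }
              else                                            { 'OK' }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        DomainController = $DomainController
        OffsetSeconds    = [math]::Round($offset, 3)
        ToleranceSeconds = $ToleranceSeconds
        State            = $state
    }
}

Test-DomainClockSkew | Format-List
```

Run it on each PC after the domain controller has been set up and whenever authentication starts failing for no obvious reason. On a domain member, `w32tm /resync` forces the Windows Time service to correct the local clock from its configured time source.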

CTM_MAINTENANCE Group
CTM_MAINTENANCE, the group for maintenance work, has very powerful rights, including
administrator rights. Keep accounts belonging to CTM_MAINTENANCE disabled during normal
operation and enable them only when they are needed. Setting a validity period (account expiry)
on the account at the moment it is enabled is also an effective security measure, because the
account then disables itself again if the maintainer forgets to do so.

Users who can use OPC can use DCOM from remote computers, so it is recommended to minimize

Moreover, if the target users only run programs and never need to log on interactively, removing
their logon right is also an effective measure.

When creating a user belonging to CTM_ENGINEER_ADM, CTM_ENGINEER_ADM_LCL, CTM_MAINTENANCE, or
CTM_MAINTENANCE_LCL, the user must also be added to either the Administrators group or the
Domain Admins group.
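The following script is an added example, not part of this guide or of the IT Security Tool. It audits the CENTUM VP groups on a PC under standalone (local) user management against the rules above: members that are no longer on the site roster (Account Maintenance), CTM_MAINTENANCE accounts that are enabled without an expiry, and members of the administrative groups that are missing from Administrators. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Windows Server 2016 or later); the roster contents are a site-specific assumption. Under domain management the same checks apply to the domain groups through the ActiveDirectory module (Get-ADGroupMember, Get-ADUser) instead.

```powershell
# Added example (not from the CENTUM VP Security Guide): audit CTM_* group membership
# on a standalone-managed PC.
#Requires -RunAsAdministrator

# Groups named in this guide.
$centumGroups = 'CTM_OPERATOR', 'CTM_ENGINEER_ADM', 'CTM_ENGINEER_ADM_LCL',
                'CTM_MAINTENANCE', 'CTM_MAINTENANCE_LCL', 'CTM_OPC_LCL'
# Groups whose members must also be members of Administrators (see above).
$adminBacked  = 'CTM_ENGINEER_ADM', 'CTM_ENGINEER_ADM_LCL',
                'CTM_MAINTENANCE', 'CTM_MAINTENANCE_LCL'
# Assumed site roster: the accounts currently entitled to each group. Maintain it
# together with the personnel list so that stale memberships stand out.
$roster = @{
    'CTM_OPERATOR'    = @('operator1', 'operator2')
    'CTM_MAINTENANCE' = @('maint1')
}

function Get-CentumGroupFindings {
    # One row per member that violates a rule; nothing is returned when all is well.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name.Split('\')[-1].ToLowerInvariant() })
    foreach ($group in $centumGroups) {
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }
        foreach ($member in Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue) {
            $user  = $member.Name.Split('\')[-1]
            $key   = $user.ToLowerInvariant()
            $notes = New-Object System.Collections.Generic.List[string]

            # Account Maintenance: rights kept after a personnel change, or added unapproved.
            if ($roster.ContainsKey($group) -and ($roster[$group] -notcontains $key)) {
                $notes.Add('not on roster')
            }
            # Administrative CENTUM groups require Administrators membership as well.
            if ($adminBacked -contains $group -and $admins -notcontains $key) {
                $notes.Add('missing from Administrators')
            }
            # CTM_MAINTENANCE: disabled during normal operation, time-limited when enabled.
            if ($group -like 'CTM_MAINTENANCE*' -and $member.ObjectClass -eq 'User' -and
                "$($member.PrincipalSource)" -eq 'Local') {
                $u = Get-LocalUser -Name $user
                if ($u.Enabled)                            { $notes.Add('enabled outside a maintenance window') }
                if ($u.Enabled -and -not $u.AccountExpires) { $notes.Add('no account expiry set') }
            }
            if ($notes.Count) {
                [pscustomobject]@{ Group = $group; Member = $member.Name; Finding = ($notes -join '; ') }
            }
        }
    }
}

function Enable-MaintenanceAccount {
    # Enable a CTM_MAINTENANCE account for a bounded window, as recommended above.
    param([Parameter(Mandatory)][string]$Name, [int]$Hours = 8)
    Set-LocalUser -Name $Name -AccountExpires (Get-Date).AddHours($Hours)
    Enable-LocalUser -Name $Name
}

Get-CentumGroupFindings | Format-Table -AutoSize
```

Run the audit on every PC after each personnel change and at a fixed interval; because standalone management keeps a separate copy of each account on each PC, a finding on one station does not mean the others are clean.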


• Antivirus software

It is recommended to promptly apply the security patches that Yokogawa has tested and acknowledged as

required on the CENTUM VP system. Attacks that exploit a vulnerability (security hole)
immediately after its disclosure, so-called zero-day attacks, leave very little time to react,
so prompt action is required.
Moreover, when security patches and service packs are applied to the CENTUM VP system,

patches and service packs have been applied, make sure that the existing security settings are
still in effect.
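The following script is an added example, not part of this guide or of the IT Security Tool, for the last point above: it records the Windows settings behind the "Changing IT environment settings" items before a patch or service pack is applied and compares them afterwards, so that anything the update reset is visible. The registry locations are the standard Windows ones for these policies; mapping them to the IT Security Tool items is this example's assumption, and the "Expected" column is only a reminder of the hardened direction, not the value the tool itself writes.

```powershell
# Added example (not from the CENTUM VP Security Guide): baseline and re-check the
# IT environment settings around a Windows update.

$settingMap = @(
    @{ Item = 'Changing the LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'
       Expected = '3 or higher (NTLMv2 only, no LM responses)' }
    @{ Item = 'Hiding the last logged-on user name (assumed mapping)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'
       Expected = '1' }
    @{ Item = 'Applying AutoRun restrictions'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'
       Expected = '255 (0xFF: AutoRun disabled for all drive types)' }
    @{ Item = 'Applying the StorageDevicePolicies function'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'; Name = 'WriteProtect'
       Expected = '1 (removable storage is read-only)' }
)

function Get-CentumItSettings {
    # Current value of each mapped setting ($null when the key or value is absent, as on
    # Windows Server 2003 for StorageDevicePolicies), plus the audit policy text from
    # auditpol so that both can be compared.
    $rows = foreach ($s in $settingMap) {
        $v = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Item = $s.Item; Location = "$($s.Path)\$($s.Name)"; Value = $v; Expected = $s.Expected }
    }
    $audit = (& auditpol.exe /get /category:* /r 2>$null) -join "`n"
    @($rows) + [pscustomobject]@{ Item = 'Applying the audit policy'; Location = 'auditpol /get /category:*'
                                  Value = $audit; Expected = 'unchanged from baseline' }
}

function Save-CentumItBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-CentumItSettings | Export-Clixml -Path $Path
}

function Compare-CentumItBaseline {
    # Emits one row per setting whose value differs from the saved baseline.
    param([Parameter(Mandatory)][string]$Path)
    $before = Import-Clixml -Path $Path
    $after  = Get-CentumItSettings
    foreach ($b in $before) {
        $a = $after | Where-Object { $_.Item -eq $b.Item }
        if ("$($a.Value)" -ne "$($b.Value)") {
            [pscustomobject]@{ Item = $b.Item; Before = $b.Value; After = $a.Value; Expected = $b.Expected }
        }
    }
}

# Before the update (the baseline path is an assumption):
#   Save-CentumItBaseline -Path C:\Temp\itsecurity-baseline.xml
# After the update and the reboot it requires:
#   Compare-CentumItBaseline -Path C:\Temp\itsecurity-baseline.xml | Format-Table -AutoSize
```

Any row reported by Compare-CentumItBaseline should be restored with IT Security Tool rather than by editing the registry by hand, so that the tool's own record of the applied model stays accurate.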

Antivirus Software
It is recommended to install antivirus software that has been tested by Yokogawa on the PCs and
domain controllers within the CENTUM VP system before starting operation.

antivirus software, for example by checking its operation beforehand on a PC dedicated to testing.

6. Utility Programs for Security Settings


server and domain controller.

SEE
ALSO For more information about how to use the IT Security Tool, see the following:
CENTUM VP Installation (IM 33K01C10-50E)

Security Setting Items

The security items to be set by IT Security Tool are shown below.

Category                 Setting item                          Description
Access Control           Creation Local User and Groups        (description missing)
                         Creation Domain User and Groups       ...controller when users are managed in a domain
                                                               environment.
                         Access Control for ...and folders     ...folders, and on executing programs.
                         Access Control for product registry   Restrict permissions of each user or user group on
                                                               accessing Windows registry keys.
DCOM setting             Access Control for DCOM               Grant permissions to the users of the OPC user group
                                                               only, for starting and connecting DCOM.
Firewall                 Personal Firewall tuning              ...communication links only with recognized
                                                               destinations.
Local security policies  Local security                        Set the privileges required for running CENTUM VP.


Category                 Setting item                          Description
Changing IT              ...user name                          ...On to Windows] dialog box.
environment settings     Applying the Software Restriction     ...programs other than CENTUM VP applications may be
                         Policies                              restricted when this feature is enabled. Thus, further
                                                               setup may be required to grant permission to run those
                                                               programs. This is available in the Windows 7 and
                                                               Windows Server 2008 R2 environments only.
                         Applying AutoRun restrictions         Disable AutoRun on connecting an external device to the
                                                               PC.
                         Applying the StorageDevicePolicies    ...settings enabled. This is not available in the
                         function                              Windows Server 2003 environment. ...temporarily granted
                                                               even if the restriction is enabled.
                         ...devices                            ...temporarily connected even if this setting is
                                                               enabled.
                         ...over TCP/IP                        (description missing)
                         Changing the LAN Manager              Disable the authentication protocol used for
                         authentication level                  communicating with Windows software older than
                                                               Windows NT 4.0.

IMPORTANT
After applying the software restriction policy with IT Security Tool, you can lift the restriction
for an individual program as follows:
• To start an installer on DVD media, right-click its icon and then choose [Run as
administrator].
• To run a program other than the CENTUM VP programs (such as the installer of a graphics card
driver), right-click its icon and then choose [Run as administrator].

TIP
StorageDeviceCTL Utility cannot be used in the Windows Server 2008 R2 environment. In Windows Server 2008 R2

with IT Security Tool, the PC needs to be restarted

SEE
ALSO • For more information about creating user or user group with IT Security Tool, refer to:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”
• For more information about StorageDeviceCTL Utility, refer to:
6.2, “Other Utility Programs”
• For more information about notices regarding to applying software restriction policies, refer to:
3.4.3, “Applying the Software Restriction Policies”



IT Security Tool can provide the following security models.
• CENTUM VP Legacy Model
• CENTUM VP Standard Model - Standalone management
• CENTUM VP Standard Model - Domain Management
• CENTUM VP Standard Model - Combination Management
• File Server Legacy Model
• File Server Standard Model - Standalone management
• File Server Standard Model - Domain Management
• File Server Standard Model - Combination Management
• Domain Controller Standard Model - Domain/Combination Management

For the selected model, you can specify whether to apply the security measure items with check

items.


Figure Select Setting Items Dialog Box

Tool, the check boxes show the settings that were set last if you haven’t changed the security
model or user management type.
If you have changed the security model or user management type, the check boxes show the
default settings of the selected security model.



Setting Items for Legacy Model
The following table shows the available settings for the Legacy model.

Setting item                                                       Default   Changeable  Remarks
Creating local users and groups                                    Selected  No          None
...folders                                                         Selected  No          Adds Full access control to the Everyone
                                                                                         group. For some tools' folders under the
                                                                                         Windows folder, reverts to the access
                                                                                         permissions of the parent folders.
Access control for product registry                                Selected  No          Adds Full access control to the Everyone
                                                                                         group.
Access control for DCOM (OPC)                                      Selected  No          Adds Full access control to the Everyone
                                                                                         group.
(item name missing)                                                Selected  No
Local security                                                     Selected  No          Grants access permissions to the Everyone
                                                                                         group.
Changing IT environment settings - (item name missing)             Selected  Yes         None
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes         None

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The following table shows the available settings for the Standard model applying Standalone
management.

Setting item                                                       Default   Changeable
Creating local users and groups                                    Selected  No
(item name missing)                                                Selected  No
Access control for product registry                                Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - ...name                         Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Clear     Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes
Changing IT environment settings - Applying the software
  restriction policies (*1)                                        Clear     Yes

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The following table shows the available settings for the Standard model applying Domain
management.

Setting item                                                       Default   Changeable
Creating local users and groups (*1)                               Selected  No
Creating domain users and groups (*2)                              Selected  No
(item name missing)                                                Selected  No
Access control for product registry                                Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - ...name                         Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Selected  Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes
Changing IT environment settings - Applying the software
  restriction policies (*3)                                        Clear     Yes
*1: CTM_OPC_LCL and CTM_MAINTENANCE are created on the local computer.
*2: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created on the domain controller.

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The following table shows the available settings for the Standard model applying Combination
management.

Setting item                                                       Default   Changeable
Creating local users and groups                                    Selected  No
Creating domain users and groups                                   Selected  No
(item name missing)                                                Selected  No
Access control for product registry                                Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - ...name                         Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Selected  Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes
Changing IT environment settings - Applying the software
  restriction policies (*1)                                        Clear     Yes

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, "Users/Groups with Respect to the Combination of User Management and Security Model"

Setting item                                                       Default   Changeable  Remarks
Creating local users and groups                                    Selected  No          Creates the CTM_PROCESS user.
...folders                                                         Selected  No          For some tools' folders under the
                                                                                         Windows folder, reverts to the access
                                                                                         permissions of the parent folders.
(item name missing)                                                Selected  No          Adds Full access control to the Everyone
                                                                                         group.
Local security                                                     Selected  No          Grants access permissions to the Everyone
                                                                                         group.

Management
The following table shows the available settings for the Standard model applying Standalone

Setting item                                                       Default   Changeable
Creating local users and groups                                    Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Applying the audit policy       Selected  Yes
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Clear     Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The following table shows the available settings for the Standard model applying Domain

Setting item                                                       Default   Changeable
Creating local users and groups (*1)                               Selected  No
Creating domain users and groups (*2)                              Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Applying the audit policy       Selected  Yes
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Selected  Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes
*1: CTM_OPC_LCL and CTM_MAINTENANCE are created on the local computer.
*2: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created on the domain controller.

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

Management
The following table shows the available settings for the Standard model applying Combination

Setting item                                                       Default   Changeable
Creating local users and groups                                    Selected  No
Creating domain users and groups                                   Selected  No
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Local security                                                     Selected  No
Changing IT environment settings - Applying the audit policy       Selected  Yes
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Selected  Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The following table shows the available settings for the Standard model applying Domain or
Combination management on a domain controller.

Setting item                                                       Default   Changeable
Creating domain users and groups (*1)                              Selected  No
(item name missing)                                                Selected  Yes
(item name missing)                                                Selected  No
(item name missing)                                                Selected  No
Changing IT environment settings - Applying the audit policy       Selected  Yes
Changing IT environment settings - Changing the LAN Manager
  authentication level                                             Selected  Yes
Changing IT environment settings - Applying AutoRun restrictions   Selected  Yes
Changing IT environment settings - ...TCP/IP                       Selected  Yes
Changing IT environment settings - Applying the
  StorageDevicePolicies function                                   Clear     Yes
Changing IT environment settings - ...devices                      Clear     Yes
*1: The accounts and groups other than CTM_OPC_LCL and CTM_MAINTENANCE are created on the domain controller.

TIP
When using IT Security Tool to create users and groups on a domain controller, only the domain user groups can be created.

SEE
ALSO For details of the users and groups created, see the following:
2.2.3, “Users/Groups with Respect to the Combination of User Management and Security Model”

The procedure is as follows:
1. From the Start menu, choose [All Programs]-[YOKOGAWA Security]-[IT Security Tool].
The IT Security Tool starts.
2. Click the [Setup] button.
[IT Security Settings] is displayed.
3. On [IT Security Settings], the currently applied security model and user management type
are shown: the radio buttons corresponding to the applied options are selected.

The procedure is as follows:

%ProgramData%\Yokogawa\IA\iPCS\Platform\Security\Log\Log.txt

TIP
%ProgramData% stands for the following folder when the system drive is drive C.
In the Windows Server 2003 or Windows Server 2003 R2 environment:
C:\Documents and Settings\All Users\Application Data
In the Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 environment:
C:\ProgramData

latest time stamp should be used.


YYYY/MM/DD hh:mm:ss:<STN>:<USER> INFO File name(<path>\<name>.csf

TIP

conventions:
<Product name>-<Installation type>_<Security model>_<User management type>.csf

For example, for a file server:
Legacy model: CTM-FileServer_Legacy_Standalone.csf
Standard model, standalone user management: CTM-FileServer_Standard_Standalone.csf
Standard model, domain user management: CTM-FileServer_Standard_Domain.csf
Standard model, combination user management: CTM-FileServer_Standard_Combination.csf
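The following script is an added example, not part of this guide or of the IT Security Tool: it parses log lines in the format shown above, reads the security model and user management type out of the .csf file name using the naming convention, and returns the entry with the latest time stamp. The three log lines embedded in it are constructed for the example, and the folder in their <path> is an assumption; on a real station the default log path from this section is read instead.

```powershell
# Added example (not from the CENTUM VP Security Guide): find the last applied security
# model and user management type from the IT Security Tool log.

# Constructed sample log lines in the documented format
# YYYY/MM/DD hh:mm:ss:<STN>:<USER> INFO File name(<path>\<name>.csf
$sampleLog = @(
    '2011/10/03 09:12:44:FS0101:Administrator INFO File name(D:\Setting\CTM-FileServer_Legacy_Standalone.csf'
    '2012/06/29 10:15:02:FS0101:Administrator INFO File name(D:\Setting\CTM-FileServer_Standard_Domain.csf'
    '2012/06/29 10:15:03:FS0101:Administrator INFO Some other message'
)

function ConvertFrom-SecurityLogLine {
    # Parses one log line; returns $null for lines that are not "File name(...csf" entries.
    param([Parameter(Mandatory)][string]$Line)
    $linePattern = '^(?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):(?<stn>[^:]+):(?<user>\S+) INFO File name\((?<path>.+?\.csf)'
    if ($Line -notmatch $linePattern) { return $null }
    $ts, $stn, $user, $path = $Matches.ts, $Matches.stn, $Matches.user, $Matches.path   # copy before the next -match

    # <Product name>-<Installation type>_<Security model>_<User management type>.csf
    $file        = Split-Path -Leaf $path
    $namePattern = '^(?<product>[^-]+)-(?<install>[^_]+)_(?<model>[^_]+)_(?<mgmt>[^_]+)\.csf$'
    if ($file -notmatch $namePattern) { return $null }
    [pscustomobject]@{
        Time             = [datetime]::ParseExact($ts, 'yyyy/MM/dd HH:mm:ss', $null)
        Station          = $stn
        User             = $user
        Product          = $Matches.product
        InstallationType = $Matches.install
        SecurityModel    = $Matches.model
        UserManagement   = $Matches.mgmt
        SettingFile      = $path
    }
}

function Get-AppliedSecurityModel {
    # Latest entry from the log file (default path from this section) or from -Lines.
    param(
        [string]$LogPath = "$env:ProgramData\Yokogawa\IA\iPCS\Platform\Security\Log\Log.txt",
        [string[]]$Lines
    )
    if (-not $Lines) { $Lines = Get-Content -Path $LogPath }
    $Lines | ForEach-Object { ConvertFrom-SecurityLogLine -Line $_ } |
        Where-Object { $_ } | Sort-Object Time | Select-Object -Last 1
}

# Offline run on the constructed lines; omit -Lines to read the station's own log.
Get-AppliedSecurityModel -Lines $sampleLog | Format-List
```

Sorting by the parsed time stamp rather than by file order matters when the log has been appended to by several runs of the tool, which is exactly the case the note above about the latest time stamp addresses.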


• CreateCentumProcess

• StorageDeviceCTL

CreateCentumProcess
This utility creates the CTM_PROCESS user.

Detailed Explanation
This utility creates the CTM_PROCESS user with a predetermined password (not disclosed).

Log on using an administrative user account.

Insert the CENTUM VP software media into the drive and then run the following command in a
command prompt window.

CreateCentumProcess.exe

This utility creates a CTM_PROCESS user. If CTM_PROCESS already exists, its password is reset to
the predetermined password when the command is run. When the password is reset, the passwords of
the Windows services registered under the CTM_PROCESS user are reset as well.

If the CreateCentumProcess command is run with the -p parameter, an arbitrary password can be
set instead:

CreateCentumProcess.exe -p (arbitrary password)

If the CTM_PROCESS user does not exist, it is created with the given password. If the user
already exists, its password is changed to the given password, and the passwords of the Windows
services registered under the CTM_PROCESS user are changed as well. Note that a password given
with -p appears on the command line, so enter it with care and do not leave it in scripts or
batch files.

IMPORTANT
When changing the password of CTM_PROCESS, it is necessary to change the password on all the
stations so that every station uses the same password.


This utility changes the password of OFFUSER temporarily to "!centumvp123".

Detailed Explanation
When an administrative user runs the OFFUSEREnabler command, the password of OFFUSER is changed
to "!centumvp123" and the OFFUSER account can be used to log on to Windows. To reset the password
of the OFFUSER account to its initial password (not disclosed), run the OFFUSERDisabler command.
Because the temporary password is published in this manual, run OFFUSERDisabler as soon as the
work requiring OFFUSER is finished. If the Standard model or Strengthened model of security
settings is applied on the PC, running the OFFUSEREnabler command requires the privilege of the
CTM_MAINTENANCE group.

The program is started as follows.

1. Log on to the PC using an administrative user account.
2. Use Windows Explorer to open the following folder.
If the program is on drive C:, the location is:

Yokogawa.IA.iPCS.Platform.Security.OFFUSEREnabler.exe

This program resets the password of OFFUSER to its initial password.

Detailed Explanation
When an administrative user runs the OFFUSERDisabler command, the password of OFFUSER is
changed back to the initial password (not disclosed).
If the Standard model or Strengthened model of security settings is applied on the PC, running
the OFFUSERDisabler command requires the privilege of the CTM_MAINTENANCE group.

The program is started as follows.

1. Log on to the PC using an administrative user account.
2. Use Windows Explorer to open the following folder.
If the program is on drive C:, the location is:

Yokogawa.IA.iPCS.Platform.Security.OFFUSERDisabler.exe


StorageDeviceCTL
This utility temporarily cancels the following restrictions on storage devices.
• Disabling of write permissions set by applying the StorageDevicePolicies function

Detailed Explanation
When you cannot write to storage devices because the StorageDevicePolicies

the effect of these security measures temporarily. Writing to storage devices is enabled only
while StorageDeviceCTL is running.

MAINTENANCE right is required to execute the tool.

storage devices is set.

IMPORTANT

Windows Server 2008 R2, you cannot use this utility to cancel the restriction.
• When you start this utility on a PC running Windows Server 2008 on which

click [Close] in the dialog box.


The tool is started with the procedure below.
1. Use Windows Explorer to open the following folder.
If the program is on drive C:, the location is:

Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
Immediately after starting, the task is shown only in the task bar.


TIP

For Windows Vista and Windows Server 2008, right-click the [Safely remove hardware] icon from the task tray
and select [Safely remove hardware].

6. Click [StorageDeviceCTL] from the task bar and then [WriteStop] to end the task.
Figure StorageDeviceCTL Dialog Box (the dialog shows the [StorageDeviceCTL] title and the [Write stop] button)

SEE
ALSO
3.4.5, "Applying the StorageDevicePolicies Function"


Revision Information
Title : CENTUM VP Security Guide
Manual No. : IM 33K01C30-50E

* : Denotes the release number of the software corresponding to the contents of this user's manual. The
revised contents are valid until the next edition is issued.

1.2    Descriptions on "
2.2.2  Description on "
2.2.3  Descriptions on CTM_ENGINEER_ADM, CTM_ENGINEER_ADM_LCL, CTM_MAINTENANCE and
       CTM_MAINTENANCE_LCL administrative privileges are deleted.
2.2.3  Descriptions on OFFUSER, CTM_PROCESS, LIC_PROCESS are added.
2.2.3  Notice texts on changing security models are added.
2.2.4  Overall change
6.1    "Find out the applied security model and user management type" is added.
2.2.1  A text of IMPORTANT is added in "User Authentication Modes."
2.2.2  A text of TIP is added.
3.2    Firewall setting for UGS redundancy is added.
3.1.1  Descriptions about the WER folder are deleted.
Newly published.

For Questions and More Information


If you have any questions, you can send an E-mail to the following address.

Written by Yokogawa Electric Corporation


Published by Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN
