
Best Practice

SABP-Z-065 7 May 2015


Operating Systems Hardening Guide – Windows Vista
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction
2 Conflicts with Mandatory Standards
3 References
4 Definitions
5 Account & passwords Policies
6 Services and applications settings
7 Rights and Permission Policies
8 Hardening controls
9 Logs and Auditing

Previous Issue: New Next Planned Update: 7 May 2020


Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to the company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the Windows Vista
Operating System configuration settings, which might require software /
hardware to ensure “secure configuration” as per SAEP-99 “Process Automation
Networks and Systems Security” procedure.
The implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using the “Performing Security
Compliance Assessment Manual”.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” to provide “comprehensive” compliance to SAEP-99 or any other
Saudi Aramco Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.


Saudi Aramco References


Saudi Aramco Engineering Procedures
SAEP-99       Process Automation Networks and Systems Security
SAEP-302      Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement
Saudi Aramco Engineering Standards
SAES-Z-001    Process Control Systems
SAES-Z-010    Process Automation Networks
General Instruction
GI-0710.002   Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever people have
assets worth protecting, authentication exists. The initial step in protecting
systems and information is authentication, which identifies the party involved.


Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers,
firewalls, computers, etc.) interconnecting process control systems and providing
an interface to the corporate network.
PAN Administrator: The Process Automation Networks (PAN) Administrator
administers and performs system configuration and monitoring, coordinating
with the Process Control System Administrator, if different, as designated by
the plant management. The PAN Administrator
assumes the ownership of the IA&CS including the PAN Firewall and has the
function of granting, revoking, and tracking access privileges and
communications of users on ICS including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity based on testing for
a device or a user that is requesting access to systems using, for example, a
personal identification number (PIN) or password. The password authentication
scheme is the simplest and most common mechanism.
Server: A dedicated un-manned data provider.


5 Account & passwords Policies

Domain: Windows Vista
Ref.: WVI-AP-01, WVI-AP-02, WVI-AP-03, WVI-AP-05, WVI-AP-06
BIT: 12.0.a, 12.0.c
Target: Vista versions
Mapping: SAEP-99 5.1.6.1.a-f
Action:
• Set minimal password age
• Set maximum password age
• Set password complexity
• Set password length
• Set password history
• Storing password using reversible encryption
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “Administrative Tools.” In
Administrative Tools, select “Local Security Policy”.
2. Select “Account Policy” then “Password Policy” and configure the following
password parameter settings:
• Enforce password history is set to 3 passwords remembered.
• Maximum password age is set to 180 days


• Minimum password age is set to 0 days
• Minimum password length is set to at least 6 characters
• Password must meet complexity requirements is enabled
• Store using reversible encryption is set to Disabled

Automated task: no


Domain: Windows VISTA
Ref.: WVI-AP-09, WVI-AP-10, WVI-AP-11
BIT: #12.0.a
Target: VISTA versions
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set account Lockout duration and threshold
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “Administrative Tools.” In
Administrative Tools, select “Local Security Policy”.
2. Click on “Account Policy” then “Account Lockout Policy”. Configure the
following in this order:
3. Account lockout threshold is set to 5 invalid logon attempts.
4. Account lockout duration is set to 1440 minutes.
5. Reset account not applicable [cannot set to not applicable in VISTA]

Automated task: no


Domain: Windows VISTA
Ref.: WVI-AP-14
BIT:
Target: VISTA versions
Mapping: SAEP-99
Action: Rename Administrator Account
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority:
Pre requisite:
Dependencies:

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click on
“System and Maintenance” then select “Administrative Tools” and then click
Computer Management.
2. In the console tree, expand Local Users and Groups, and then click Users.
3. In the right pane, right-click Administrator then select Rename


4. Enter new value
• root_admin_2013

Automated task: yes
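
The password, lockout and administrator-rename settings above can also be read back from a secedit export rather than checked by hand in Local Security Policy. The PowerShell audit below is an added example, not part of SABP-Z-065: it assumes PowerShell 2.0 or later is installed on the Vista host, and the -Live switch, the function names and the sample export are constructed for illustration.

```powershell
# Added example, not part of SABP-Z-065. Works on PowerShell 2.0 and later.
# -Live exports the real local policy with secedit.exe (elevated prompt needed);
# without it the constructed sample below is audited, so the script runs anywhere.
param([switch]$Live)

# Expected values copied from the controls above; keys are secedit INF names.
$expected = @(
    @{ Key='PasswordHistorySize';   Op='eq'; Want=3;    Label='Enforce password history' },
    @{ Key='MaximumPasswordAge';    Op='eq'; Want=180;  Label='Maximum password age (days)' },
    @{ Key='MinimumPasswordAge';    Op='eq'; Want=0;    Label='Minimum password age (days)' },
    @{ Key='MinimumPasswordLength'; Op='ge'; Want=6;    Label='Minimum password length' },
    @{ Key='PasswordComplexity';    Op='eq'; Want=1;    Label='Password complexity' },
    @{ Key='ClearTextPassword';     Op='eq'; Want=0;    Label='Reversible encryption' },
    @{ Key='LockoutBadCount';       Op='eq'; Want=5;    Label='Account lockout threshold' },
    @{ Key='LockoutDuration';       Op='eq'; Want=1440; Label='Account lockout duration (minutes)' },
    @{ Key='NewAdministratorName';  Op='ne'; Want='Administrator'; Label='Administrator renamed' }
)

# Constructed sample of a secedit export (default-like values, not a real host).
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
'@ -split "`r?`n"

function ConvertFrom-SeceditInf([string[]]$Lines) {
    # Keep only name = value pairs from the [System Access] section.
    $policy = @{}; $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $name = $matches[1]; $value = $matches[2].Trim('"')
            if ($value -match '^-?\d+$') { $value = [int]$value }
            $policy[$name] = $value
        }
    }
    $policy
}

function Test-AccountPolicy([hashtable]$Policy) {
    foreach ($rule in $expected) {
        $have = $Policy[$rule.Key]
        if ($null -eq $have) {
            # secedit omits LockoutDuration while the lockout threshold is 0.
            $result = 'NOT SET'
        } else {
            switch ($rule.Op) {
                'eq' { $ok = ($have -eq $rule.Want) }
                'ge' { $ok = ($have -ge $rule.Want) }
                'ne' { $ok = ($have -ne $rule.Want) }
            }
            $result = if ($ok) { 'PASS' } else { 'FAIL' }
        }
        New-Object PSObject -Property @{
            Setting = $rule.Label; Rule = "$($rule.Op) $($rule.Want)"
            Actual = $have; Result = $result
        } | Select-Object Setting, Rule, Actual, Result
    }
}

if ($Live) {
    $tmp = [System.IO.Path]::GetTempFileName()
    secedit.exe /export /cfg $tmp /areas SECURITYPOLICY /quiet
    $lines = Get-Content $tmp
    Remove-Item $tmp
} else {
    $lines = $sample
}
Test-AccountPolicy (ConvertFrom-SeceditInf $lines) | Format-Table -AutoSize
```

A NOT SET result for the lockout duration means the lockout threshold is still 0, so fix the threshold first and re-run.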

Domain: Windows VISTA
Ref.: WVI-AP-16
BIT: 8.6
Target:
Mapping: SAEP-99 5.1.6.1.l
Action: Change SNMP default credentials
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: SNMP should be authorized and enabled. If SNMP is disabled skip this control
Dependencies:

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click on
“System and Maintenance” then select “Administrative Tools.” In
Administrative Tools, select “Services”


2. In the right pane, double-click SNMP Service.

3. Click the Traps tab.


4. In the “Community name” text box, edit the public community and change it to a new
community; if it does not exist, create a new community. The new name must satisfy, at
least:
• Minimum password length is set to at least 6 characters
• Password must meet complexity requirements

5. Click on the Security tab. If you have already closed the SNMP Service Properties
window, re-open it.


6. Under “Accepted community names” section, click Add button.
7. Select the appropriate permission level for the community string in the “Community
Rights” drop down list to specify how the host processes SNMP requests from the
selected community.
• Set permissions to READ ONLY

Automated task: no
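
The accepted communities and their rights set in the steps above are stored by the SNMP service as registry values, so the result can be audited without opening the service properties. The PowerShell check below is an added example, not part of SABP-Z-065: it assumes PowerShell 2.0 or later, reads "complexity" as the Windows three-of-four character class rule, and uses constructed sample communities when the SNMP key is absent.

```powershell
# Added example, not part of SABP-Z-065. Works on PowerShell 2.0 and later.
# The SNMP service keeps accepted communities as registry values under this key:
# value name = community string, DWORD data = rights.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
$rightsName = @{ 1='NONE'; 2='NOTIFY'; 4='READ ONLY'; 8='READ WRITE'; 16='READ CREATE' }

# Constructed sample, used only when the key is absent (SNMP not installed).
$sample = @{ 'public' = 4; 'plant1' = 8; 'Pan#Mon7tor' = 4 }

function Get-SnmpCommunities {
    if (-not (Test-Path $key)) {
        Write-Warning 'SNMP key not found; auditing the constructed sample instead.'
        return $sample
    }
    $reg = Get-Item $key
    $table = @{}
    foreach ($name in $reg.GetValueNames()) { $table[$name] = [int]$reg.GetValue($name) }
    $table
}

function Test-SnmpCommunity([string]$Name, [int]$Rights) {
    $issues = @()
    if (@('public', 'private') -contains $Name) { $issues += 'well-known default name' }
    if ($Name.Length -lt 6) { $issues += 'shorter than 6 characters' }
    # Assumption: "complexity" is read as the Windows password rule,
    # at least three of lower case, upper case, digit, symbol.
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '\d', '[^a-zA-Z\d]') {
        if ($Name -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3) { $issues += 'fewer than 3 character classes' }
    if ($Rights -ne 4) { $issues += 'rights are not READ ONLY' }
    $label = $rightsName[$Rights]
    if (-not $label) { $label = "unknown ($Rights)" }
    New-Object PSObject -Property @{
        Community = $Name; Rights = $label
        Result = $(if ($issues.Count) { 'FAIL' } else { 'PASS' })
        Issues = ($issues -join '; ')
    } | Select-Object Community, Rights, Result, Issues
}

$communities = Get-SnmpCommunities
foreach ($name in $communities.Keys) {
    Test-SnmpCommunity $name $communities[$name]
}
```

Community strings are credentials, so treat the output of this check as sensitive.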


6 Services and applications settings

Domain: Windows VISTA
Ref.: WVI-SA-13
BIT: 22.2.b
Target: VISTA versions
Mapping: SAEP-99 5.3.c
Action: Disable Remote Desktop Help Session Manager
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:

Instruction:
1. Click Start and then Control Panel. From the Control Panel, double click
“Administrative Tools” then double click “Services”.
2. Locate “Remote Access Connection Manager”. [There is also Remote
Access Auto Connection Manager.]
3. Double click it and set value of
• Startup type to manual


Automated task: yes


Domain: Windows VISTA
Ref.: WVI-SA-17, WVI-SA-18
BIT: 8.5
Target: VISTA Versions
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable Simple Network Management Protocol (SNMP) Service and Trap Service
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Click Start and then Control Panel. From the Control Panel, double click
“Administrative Tools” then double click “Services”.
2. Locate “SNMP Service” and “SNMP Trap”.
3. Double click one at a time and set value of startup type to manual


Automated task: yes


7 Rights and Permission Policies

Domain: Windows VISTA
Ref.: WVI-RP-53
BIT:
Target:
Mapping: SAEP-99
Action: Application, System and Security Logs: Restrict Guest Access
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority:
Pre requisite:
Dependencies: WVI-LA-12: Application/Security/System Logs: Maximum Event Log Size

Instruction:
1. Run Regedt32
2. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
3. Move to the subkey Application
4. On the right pane, select RestrictGuestAccess. If that value does not
exist, go to the Edit menu and select New - DWORD value. Enter a name of
RestrictGuestAccess. Click OK


OR

5. Double click RestrictGuestAccess and set to 1


6. Repeat steps 3, 4 and 5 for the Security and System sub-keys.

Automated task: N/A


Domain: Windows VISTA
Ref.: WVI-RP-54
BIT:
Target:
Mapping: SAEP-99
Action: Allow only authorized administrator to access RDP service
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority:
Pre requisite: Users should be pre-defined into group “Remote Desktop Users”
Dependencies: WVI-HC-70 : Set client connection 128-bit encryption level

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click on
“System and Maintenance” then select “System”
2. Click on Remote settings in the left panel
3. Enable “Allow users to connect remotely to this computer running any
version of remote desktop” or “running remote desktop with network
level authentication”?
4. Click "Select Users…" Then what do they do. If there are no users, they
should ignore, no?


5. Under Local Policies - User Rights Assignment, "Allow logon through Terminal
Services." And just next to it is "Administrators, Remote Desktop Users."


Automated task: no


8 Hardening controls

Domain: Windows VISTA
Ref.: WVI-HC-66
BIT: 22.2.b
Target: OS Versions
Mapping: SAEP-99 5.3.c
Action: Disable Remote Assistance
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:
• WVI-SA-13: Disable Remote Desktop Help Session Manager
• WVI-HC-67: Do not allow Remote Desktop services

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “System”
2. Click on Remote settings in the left panel
3. Ensure this option is not enabled by unchecking “Allow Remote
Assistance”

Automated task:


Domain: Windows VISTA
Ref.: WVI-HC-67
BIT: 22.2.b
Target: VISTA Versions
Mapping: SAEP-99 5.3.c
Action: Do not allow Remote Desktop services (RDP)
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: Hardening RDP protocol if enabled. Otherwise skip.
Dependencies:
• WVI-SA-12: Disable NetMeeting Remote Desktop Sharing
• WVI-SA-13: Disable Remote Desktop Help Session Manager
• WVI-HC-66: Disable Remote Assistance
• WVI-AP-14: Rename administrator account
• WVI-HC-69: Change default Terminal Server TCP port 3389

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click on
“System and Maintenance” then select “System”
2. Click on Remote settings in the left panel
3. Be sure to select the checkbox “Don’t allow connections to this computer”.
What? Didn’t we just add users?

Automated task:


Domain: Windows VISTA
Ref.: WVI-HC-68
BIT: 16.3
Target: VISTA Versions
Mapping: SAEP-99 5.3
Action: Disable user access to Anti-Virus Management Settings
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. Check “Prevent McAfee Services from being stopped” if not enabled
4. Click Apply and OK.

Automated task:


Domain: Windows VISTA
Ref.: WVI-HC-69
BIT:
Target:
Mapping: SAEP-99
Action: Change default Terminal Server TCP port 3389
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority:
Pre requisite:
• Applied to only Windows VISTA with Service Pack 3
• Computer should be restarted to reflect the changes
• Client Side should be modified to connect to the new TCP port
Dependencies:

Instruction:
1. Run Regedt32, Registry Editor Utility, and go to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp


2. Find the "PortNumber" value and notice its data of 00000D3D, hex for 3389.
Modify the port number in hex and save the new value as
• 0000344D which stands for 13389

Automated task: no
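
The remote-access controls WVI-HC-66, WVI-HC-67 and WVI-HC-69 above all end up as registry values, so their state, including the hex form of the port, can be read back in one pass. The PowerShell audit below is an added example, not part of SABP-Z-065: it assumes PowerShell 2.0 or later, and the -Live switch, function names and the two sample states are constructed for illustration.

```powershell
# Added example, not part of SABP-Z-065. Works on PowerShell 2.0 and later.
# -Live reads this host's registry; otherwise two constructed states are audited.
param([switch]$Live)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-RemoteAccessState {
    @{
        fAllowToGetHelp    = Get-RegValue $ra 'fAllowToGetHelp'
        fDenyTSConnections = Get-RegValue $ts 'fDenyTSConnections'
        PortNumber         = Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber'
    }
}

function New-Finding($Ref, $Check, $Detail, $Pass) {
    New-Object PSObject -Property @{
        Ref = $Ref; Check = $Check; Detail = $Detail
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
    } | Select-Object Ref, Check, Detail, Result
}

function Test-RemoteAccess([hashtable]$State) {
    # A missing value compares unequal and is reported as FAIL so it gets reviewed.
    New-Finding 'WVI-HC-66' 'Remote Assistance disabled' `
        "fAllowToGetHelp=$($State.fAllowToGetHelp)" ($State.fAllowToGetHelp -eq 0)

    $rdpOff = ($State.fDenyTSConnections -eq 1)
    New-Finding 'WVI-HC-67' 'Remote Desktop disabled' `
        "fDenyTSConnections=$($State.fDenyTSConnections)" $rdpOff

    if (-not $rdpOff) {
        # WVI-HC-69 only matters while the listener is enabled.
        $port = [int]$State.PortNumber
        $detail = 'PortNumber={0} (hex {0:X8})' -f $port
        New-Finding 'WVI-HC-69' 'RDP port changed to 13389' $detail ($port -eq 13389)
    }
}

if ($Live) {
    Test-RemoteAccess (Get-RemoteAccessState) | Format-Table -AutoSize
} else {
    # Constructed states: RDP enabled on the default port, then on the new port.
    $states = @(
        @{ fAllowToGetHelp = 1; fDenyTSConnections = 0; PortNumber = 3389 },
        @{ fAllowToGetHelp = 0; fDenyTSConnections = 0; PortNumber = 0x344D }
    )
    foreach ($s in $states) { Test-RemoteAccess $s | Format-Table -AutoSize }
}
```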


Domain: Windows VISTA
Ref.: WVI-HC-70
BIT:
Target:
Mapping: SAEP-99
Action: Set client connection 128-bit encryption level
State: Alpha    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority:
Pre requisite:
Dependencies: WVI-RP-54: Allow only authorized administrator/privileged users to access RDP service

Instruction: Should be updated

Automated task: no


Domain: Windows VISTA
Ref.: WVI-HC-72
BIT: 8.3
Target: OS Versions
Mapping: SAEP-99 n/a
Action: Configure the Host Name
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: Naming convention procedure should exist. Router/Switch should reflect the type and role.
Dependencies:

Instruction:
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “System”
2. Select Change Settings on the lower right corner
3. Select Change to provide a new name. Provide a new name abiding by the
following proposal.


Proposal
4. Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
5. Admin Area: 3 characters referring to whether it is an Oil or Gas plant
6. Device role: 2 or 3 characters indicating the device role
   a. PLC, DCS..
   b. WRK stands for workstation
   c. SRV stands for server
   d. PRT stands for printer
   e. FW for Firewall, RT for Router and so on
7. Incremental ID: 3 variables
Ex: ABQ-WKS-005 means Workstation 5 in Abqaiq plant

Automated task:


9 Logs and Auditing

Domain: Windows VISTA
Ref.: WVI-LA-12
BIT: 18.0.a
Target: VISTA Versions
Mapping: SAEP-99 5.5.1.d.iv
Action: Set maximum log size for Application, security and system events
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies: WVI-RP-53 : Restrict access to logs files

Instruction:
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Event Viewer.
2. Browse to the left panel, right-click on Windows Logs -> Application or
Applications and Services Logs then select Properties.
3. Set the recommended log size values as follows:
• Application event set to 16384 kilobytes


4. Repeat steps 2 & 3 for Security and System, with the following values:
• Security event set to 81920 kilobytes
• System event set to 16384 kilobytes
The maximum event log size cannot exceed 4 GB

Automated task: N/A


Domain: Windows VISTA
Ref.: WVI-LA-13
BIT: 18.0.a
Target: VISTA versions
Mapping: SAEP-99 5.5.1.d.iv
Action: Set Log Retention for Application, Security and System
State: Final    Version: 1.0    Created on: 10/29/13
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies: WVI-LA-12: Application/Security/System Logs: Maximum Event Log Size

Instruction:
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Event Viewer. Browse to the left panel, right-click on Application then select
Properties.
2. Check the options
• Do not overwrite events


During monthly audit log reviews, move archived event logs stored at the log path
shown above to external storage to maintain a one-year archive.
• Repeat this procedure for the following event logs:
  1. All PAS workstations and servers
     1. System logs
     2. Application logs
     3. Security logs
  2. Windows AD server or Domain Controllers:
     1. Directory Services.

Automated task: N/A
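
The three event-log controls in this guide (WVI-RP-53 guest restriction, WVI-LA-12 maximum size, WVI-LA-13 retention) are all stored under the same EventLog registry key, so one pass over the Application, Security and System subkeys can check them together. The PowerShell audit below is an added example, not part of SABP-Z-065: it assumes PowerShell 2.0 or later, treats a log larger than the recommended size as acceptable, and uses constructed sample values unless -Live is given.

```powershell
# Added example, not part of SABP-Z-065. Works on PowerShell 2.0 and later.
# -Live reads this host's registry; otherwise the constructed sample is audited.
param([switch]$Live)

$root  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$minKB = @{ Application = 16384; Security = 81920; System = 16384 }   # WVI-LA-12

# Constructed sample: MaxSize is stored in bytes, Retention -1 means never overwrite.
$sample = @{
    Application = @{ MaxSize = 20971520; Retention = 0;  RestrictGuestAccess = 1 }
    Security    = @{ MaxSize = 83886080; Retention = -1; RestrictGuestAccess = 1 }
    System      = @{ MaxSize = 16777216; Retention = -1; RestrictGuestAccess = $null }
}

function Get-LogSettings([string]$Log) {
    # Missing values come back as $null and fail the checks below.
    $p = Get-ItemProperty -Path "$root\$Log" -ErrorAction SilentlyContinue
    @{ MaxSize = $p.MaxSize; Retention = $p.Retention
       RestrictGuestAccess = $p.RestrictGuestAccess }
}

function Test-LogSettings([string]$Log, [hashtable]$S) {
    $sizeKB = [long]$S.MaxSize / 1KB
    # DWORD 0xFFFFFFFF surfaces as -1 or 4294967295 depending on the reader.
    $noOverwrite = ($S.Retention -eq -1) -or ($S.Retention -eq [uint32]::MaxValue)
    New-Object PSObject -Property @{
        Log             = $Log
        SizeKB          = $sizeKB
        # Assumption: a log larger than the recommended size still passes.
        SizeOK          = ($sizeKB -ge $minKB[$Log])           # WVI-LA-12
        DoNotOverwrite  = $noOverwrite                          # WVI-LA-13
        GuestRestricted = ($S.RestrictGuestAccess -eq 1)        # WVI-RP-53
    } | Select-Object Log, SizeKB, SizeOK, DoNotOverwrite, GuestRestricted
}

foreach ($log in 'Application', 'Security', 'System') {
    $settings = if ($Live) { Get-LogSettings $log } else { $sample[$log] }
    Test-LogSettings $log $settings
}
```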

Revision Summary
7 May 2015 New Saudi Aramco Best Practice.
