Professional Documents
Culture Documents
Sabp Z 065
Sabp Z 065
1 Introduction……………………............................ 2
2 Conflicts with Mandatory Standards................... 2
3 References......................................................... 2
4 Definitions........................................................... 3
5 Account & passwords Policies............................ 5
6 Services and applications settings.................... 13
7 Rights and Permission Policies......................... 16
8 Hardening controls............................................ 23
9 Logs and Auditing............................................. 31
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the Windows Vista
Operating System configurations settings, which might require software /
hardware to ensure “secure configuration” as per SAEP-99 “Process Automation
Networks and Systems Security” procedure.
This implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using “Performing Security
Compliance Assessment Manual”
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” to provide “comprehensive” compliance to SAEP-99 or any other
Saudi Aramco Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.
Page 2 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
IP - Internet Protocol
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. When humans have
assets that are worth to be protected, the authentication always exists. The initial
step in protecting systems and information is authentication that identifies who.
Page 3 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Page 4 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
WVI-AP-01
WVI-AP-02
12.0.a
Domain Windows Vista Ref. WVI-AP-03 BIT
12.0.c
WVI-AP-05
WVI-AP-06
Target Vista versions SAEP-99 5.1.6.1.a-f
Mapping
Set mininal password age
Set maximum password age
Set password complexity
Action
Set password length
Set password history
Storing password using Reverse encryption
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Dependencies
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “Administrative Tools.” In
administrative tools, select “Local Security Policy”
Instruction
Page 5 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Automated task no
Page 6 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
WVI-AP-09
Domain Windows VISTA Ref. WVI-AP-10 BIT #12.0.a
WVI-AP-11
Target VISTA versions Mapping SAEP-99 5.1.6.1.a-f
Dependencies
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “Administrative Tools” In
administrative tools, select “Local Security Policy”
2. Click on “Account Policy” then “Account Lockout Policy”. Configure the
following in this order:
3. Account lockout threshold is set to 5 invalid logon attempts.
4. Account lockout duration is set to 1440 minutes.
5. Reset account not applicable [cannot set to not applicable in VISTA]
Instruction
Automated task no
Page 7 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Dependencies
1. Click Start Menu then click Control Panel. From Control Panel, double click on
“System and Maintenance” then select “Administrative Tools” and then click
Computer Management.
Instruction
2. In the console tree, expand Local Users and Groups, and then click Users.
3. In the right pane, right-click Administrator then select Rename
Page 8 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
1. Click Start Menu then click Control Panel. From Control Panel, double click on
Instruction “System and Maintenance” then select “Administrative Tools.” In
administrative tools, select “Services”
Page 9 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Page 10 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
4. In the “Community name” text box, edit public community and change it to a new
community, if it does not exist create a new community. The change of name
respects, at least:
• Minimum password length is set to at least 6 characters
• Password must meet complexity requirements
5. Click on Security tab. If you already close SNMP Service Properties window, re-open
it.
Page 11 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Automated task no
Page 12 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
1. Click Start and then Control Panel. From the Control Panel, double click
“Administrative Tools” then double click “Services”.
Instruction
Page 13 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Page 14 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
WVI-SA-17
Domain Windows VISTA Ref. BIT 8.5
WVI-SA-18
5.3.c
Target VISTA Versions Mapping SAEP-99 5.4.2.m
5.1.6.1.o
Disable Simple Network Management
Action
Protocol (SNMP) Service and Trap Service
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority HIGH
A I
Pre requisite
Dependencies
1. Click Start and then Control Panel. From the Control Panel, double click
“Administrative Tools” then double click “Services”.
Instruction
3. Double click one at a time and set value of startup type to manual
Page 15 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Page 16 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Target SAEP-99
Mapping
Application, System and Security Logs:
Action
Restrict Guest Access
State Final Version 1.0 Created on 10/29/13
R C
RACI Matrix Priority
A I
Pre requisite
Instruction
Page 17 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
OR
Page 18 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
6. Repeat steps 3,4 and 5 for the Security and System sub-keys.
Page 19 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Instruction
Page 20 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
5. Under Local Policies - User Rights Assignment, "Allow logon through Terminal
Services." And just next to it is "Administrators, Remote Desktop Users."
Page 21 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Automated task no
Page 22 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
8 Hardening controls
Instruction
Automated task
Page 23 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Instruction
Automated task
Page 24 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Dependencies
1. Click Start, Programs, McAfee, VirusScan Console.
2. Double-click Access Protection.
3. Check “Prevent McAfee Services from being stopped” if not enabled
4. Click Apply and OK.
Instruction
Automated task
Page 25 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Instruction
Page 26 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
2. Find the "PortNumber" subkey and notice the value of 00000D3D, hex for (3389).
Modify the port number in Hex and save the new value as
Automated task no
Page 27 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Dependencies WVI-RP-54: Allow only authorized administrator/privileged users to access RDP service
Instruction
Should be updated
Automated task no
Page 28 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Dependencies
1. Click Start Menu then click Control Panel. From Control Panel, double click
on “System and Maintenance” then select “System”
2. Select Change Settings on the lower right corner
Instruction
3. Select Change to provide a new name. Provide a new name abiding to the
following proposal.
Page 29 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
Proposal
4. Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
5. Admin Area : 3 characters referring to whether it is an Oil or Gas plant
6. Device role : 2 or 3 characters indicating the device role
a. PLC, DCS..
b. WRK stands for workstation
c. SRV stands for server
d. PRT stands for printer
e. FW for Firewall , RT for Router and so on
7. Incremental ID : 3 variables
Ex : ABQ-WKS-005 : means Workstation 5 in Abqaiq plant
Automated task
Page 30 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Event Viewer.
2. Browse to the left panel, right-click on windows Logs -> Application or
Applications and Services logs then select Properties.
Instruction
Page 31 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
4. Repeat steps 2 & 3 for Security and System, with the following values:
• Security event set to 81920 kilobyte
• System event set to 16384 kilobytes
The maximum event log could not exceed 4GB
Page 32 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Event Viewer. Browse to the left panel, right-click on Application then select
Properties.
Instruction
Page 33 of 34
Document Responsibility: Plants Networks Standards Committee SABP-Z-065
Issue Date: 7 May 2015 Operating Systems Hardening
Next Planned Update: 7 May 2020 Guide – Windows Vista
During Monthly audit log reviews, move archived event logs stored at the log path
shown above to external storage to maintain a one year archive
• Repeat this procedure for the following event logs:
1. All PAS workstations and servers
1. System logs
2. Application logs
3. Security logs
2. Windows AD server or Domain Controllers:
1. Directory Services.
Revision Summary
7 May 2015 New Saudi Aramco Best Practice.
Page 34 of 34