
REMOTE SERVICING SUITE

Security Manual

Revision History

Revision  Date        Description
A         09/08/2021  First release of document.

Copyright Notice

This document contains Honeywell proprietary information.

Information contained herein is to be used solely for the purpose submitted, and no
part of this document or its contents shall be reproduced, published, or disclosed to
a third party without the express permission of Honeywell International.

While this information is presented in good faith and believed to be accurate,
Honeywell disclaims the implied warranties of merchantability and fitness for a
purpose and makes no express warranties except as may be stated in its written
agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential
damages. The information and specifications in this document are subject to
change without notice.

Copyright © 2021 Honeywell International Inc.

Doc-Version-A_RSS Security Manual 3


Table of Contents

1 ABOUT THIS DOCUMENT ........ 7
1.1 Introduction ........ 7
1.2 Intended Audience ........ 7
1.3 Scope ........ 7
1.4 Related Documents ........ 7
1.5 Assumptions and Prerequisites ........ 7
2 UPON RECEIVING THE GOODS ........ 8
3 INSTALLING REMOTE SERVICING SUITE ........ 9
3.1 General Instructions ........ 9
3.2 Wiring ........ 18
3.3 Securing Wiring ........ 18
3.4 Network ........ 19
3.4.1 Network Firewall Settings ........ 19
3.5 Encryption and Authentication ........ 20
4 CONFIGURATION ........ 21
4.1 Settings for TLS 1.2 Communication for RSS – DB Server ........ 21
4.1.1 Settings for TLS 1.2 reflected under the following registry key ........ 23
4.2 Update and Configure .NET Framework to support TLS 1.2 ........ 23
4.2.1 How to determine the .NET Framework version installed ........ 24
4.3 Configure for strong Cryptography ........ 24
4.4 Update Windows and WinHTTP ........ 25
4.5 SQL Server Settings and Importing Certificate ........ 26
4.6 Steps to import Self-signed certificate or Digi-certificate (Client & Server Machine) ........ 30
4.7 Steps to configure SQL Server ........ 34
4.8 SQL Server Driver recommended for TLS 1.2 (Client and Server Machines) ........ 37
4.9 Supported Operating System ........ 37
4.10 SQL Driver version (17.3) ........ 37
5 REFERENCES ........ 38
6 DAILY USE ........ 39
6.1 Monitoring the Remote Servicing Suite ........ 39
6.2 Other Parameters to Monitor ........ 39
6.3 Setting Up an Event Response Team ........ 39
6.4 Data Privacy ........ 39
7 MAINTENANCE ........ 40
7.1 Updating to Latest Software ........ 40
7.2 Installing security packages ........ 40
7.3 Security Recommendations for SQL Server ........ 41
8 UNINSTALLING REMOTE SERVICING SUITE ........ 42

1 About This Document

1.1 Introduction
This Security Manual provides information for optimizing the secure deployment and
operations of the Remote Servicing Suite.

1.2 Intended Audience


This document is primarily intended for the following stakeholders:

• Installers

• Security managers

• Site owners

• IT staff.

1.3 Scope
This document covers the following parameters of the Remote Servicing Suite:

• Client / Front shell

• Comm Server

• Event Monitor

1.4 Related Documents


• RSS Installer Manual.

1.5 Assumptions and Prerequisites


To assure optimal implementation, this document assumes a high degree of
technical knowledge and familiarity with the following concepts:

• Networking systems and concepts

• Security issues and concepts.

CAUTION: As you develop a security program for your security system, make sure to
protect all information from unauthorized access, either from within or outside
your company. Keep the information on your control system and process operations
safe from any individual or organization that may have harmful intentions.

Doc-Version-A_RSS Security Manual 7


2 Upon Receiving the Goods
Before installing any Remote Servicing Suite modules, ensure that the received
packaged goods are in good condition and that the seal has not been tampered with.

If you find any damage to the package or its seals, the product may have been
tampered with. This may compromise the integrity of the product: it may have been
changed from its specifications and may not work as expected.

CAUTION: Do not install or use damaged goods. If you continue to use damaged
goods, the risk is transferred to you.

Return any damaged goods to your supplier.


3 Installing Remote Servicing Suite

3.1 General Instructions


For TLS 1.2, install RSS in a network setup: Front Shell, Comm Server and Database
on different machines, or (Comm Server & Database) on a single machine and Front
Shell on another machine.

1. For Standalone installation - select the check boxes for all three modules (Front
Shell, Comm Server and Database) to install them on a single machine, as shown in
the screen below.

2. For Network installation - select the required check boxes accordingly: Front
Shell on one machine and (Comm Server & Database) on another, or all three (Front
Shell, Comm Server and Database) on separate machines.

3. Click Next. The Welcome screen is displayed.



4. Click Next. The License Agreement screen is displayed.

5. Read the license agreement and then click I accept the terms of the license
agreements option.

6. Click Next. The Customer Information screen is displayed.


7. Enter the username and Company name in the boxes provided.

8. Click Next. The Choose Destination Location screen is displayed.

9. Click Change to browse and select the folder where setup should install files.

10. Click Next. The Select Installation screen is displayed.



11. For RSS Standalone installation select all the options (Client, Event Monitor,
Communication Server and FrontShell).

12. Click Next. The Select Default Language screen is displayed.

13. Select the required language(s) and then click Next. The USB Driver screen is
displayed.
14. Read the instruction on the screen

15. Select the Honeywell USB Driver check box and verify the options you have
selected.

16. Click Next. The Information screen is displayed.



17. Verify the information provided on the screen and then click Next. The Ready to
install screen is displayed.

18. Click Install to begin the installation.

19. For TLS 1.2, enter SQL Server Machine Name you are connecting to in FQDN
(Fully Qualified Domain Name) format as shown below.

20. Click Next. The Edit Data screen is displayed.


21. Type the remote address and port of Communication Server.

22. Click Next. The Shortcuts screen is displayed.

23. Select the required check box for Desktop Shortcut and then click Next. The
Run applications screen is displayed.



24. Select the required applications to run after installation and then click Next.
The Force Encryption screen is displayed.

25. For TLS 1.2 support, select Use Force Encryption and click Next. The Encryption
Key screen is displayed.

26. Click the Use Generated Key option and then type the key.

27. Click Next. The Manager Password screen is displayed.

28. Type the manager password for the Front Shell user and then click Next.



29. Click Finish to complete the installation.

3.2 Wiring
The below image displays the Wiring diagram for Galaxy Control Panel.

3.3 Securing Wiring

The Remote Servicing Suite supports the below protocols:

Protocol  Medium  Description                                  Encrypted
RS-232    USB     RSS Comm Server and Galaxy Ethernet Module   No

RS232 serial interface cable (see the RS232 instruction guide for details).

NOTE: The maximum length of the RS232 serial interface cable is 15 meters.

3.4 Network

Protocol      Medium    Description                                        Encrypted
TLS 1.2       Internet  TLS 1.2 communication between Comm Server and      Yes
                        Database (MS SQL), Front Shell and Database
                        (MS SQL), and Panel App and Database (MS SQL)
SOAP          Internet  Communication between Front Shell and Comm Server  No
MDX Protocol  RS-232    Comm Server and Galaxy Ethernet Module             AES 128-bit encryption

CAUTION: The Remote Servicing Suite is not designed to be exposed to the internet
directly. Open only the ports required for communication (see 3.4.1) in the firewall
and block all others. Use a virtual private network when an application component
must be accessed remotely. This applies to the RSS Comm Server, RSS Front Shell and
SQL Server.

IPsec is recommended between the Comm Server and Front Shell machines when they
communicate over a private network.

When communicating with a Galaxy panel, use a virtual private network. Refer to the
Galaxy Ethernet Module security manual for more information.

The end user owns the risk if the Remote Servicing Suite is accessed via any
unprotected or untrusted network.

3.4.1 Network Firewall Settings

Set the following items in the network firewall to ensure network communication
to/from the Remote Servicing Suite and to limit access to the Galaxy control panel:

• Inbound allowed: Yes.

• Inbound denied: No.

• Outbound allowed: Yes.

Requirement                                  Permission  Protocol  Source                    Destination                          Port   Connection
RSS – Comm Server listening for Galaxy Panel ALLOW       TCP/IP    RSS installed machine IP  Panel IP                             10001  Inbound
RSS – Callback Mechanism from Panel          ALLOW       TCP/IP    Panel IP                  RSS machine IP configured at Panel   10001  Outbound
Event/Alarm Monitoring                       ALLOW       TCP/IP    Panel IP                  Configured at Panel                  10002  Outbound
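The following is an added example, not part of the Honeywell manual, showing how the rules in the table above can be applied on the RSS Comm Server host with Windows Defender Firewall so that only the panel's address can reach or be reached on TCP 10001/10002. The panel address 192.0.2.10 and the rule names are assumptions for illustration; the rules follow the Port and Connection columns of the table, and a default-deny inbound policy is set so that nothing outside the listed rules is admitted.

```powershell
# Added example (not Honeywell's code): firewall rules for the RSS Comm Server host
# derived from section 3.4.1. Panel IP and rule names are assumed values.
#Requires -RunAsAdministrator

$PanelIp = '192.0.2.10'   # assumed Galaxy panel address; replace with the real one

# Default-deny inbound on every profile so only explicit allow rules admit traffic.
# Make sure your management rules (e.g. RDP, SQL from the Front Shell) exist first.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Inbound: Comm Server listening for the Galaxy panel on TCP 10001,
# restricted to the panel's address instead of "any".
New-NetFirewallRule -DisplayName 'RSS Comm Server - panel inbound 10001' `
    -Direction Inbound -Protocol TCP -LocalPort 10001 `
    -RemoteAddress $PanelIp -Action Allow -Profile Domain, Private

# Outbound: callback to the panel on TCP 10001 and event/alarm monitoring on TCP 10002.
New-NetFirewallRule -DisplayName 'RSS - panel callback outbound 10001' `
    -Direction Outbound -Protocol TCP -RemotePort 10001 `
    -RemoteAddress $PanelIp -Action Allow -Profile Domain, Private
New-NetFirewallRule -DisplayName 'RSS - event/alarm monitoring outbound 10002' `
    -Direction Outbound -Protocol TCP -RemotePort 10002 `
    -RemoteAddress $PanelIp -Action Allow -Profile Domain, Private

# Verify: show each RSS rule with its remote-address and port filters, so a rule
# accidentally left at RemoteAddress=Any is visible at a glance.
Get-NetFirewallRule -DisplayName 'RSS*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Remote     = $addr.RemoteAddress
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        Enabled    = $_.Enabled
    }
} | Format-Table -AutoSize
```

The verification table is the part worth keeping in a runbook: the manual's caution in 3.4 only holds if the RSS ports are bound to the panel's address and the profile default is Block, and both are visible in that output.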

3.5 Encryption and Authentication

• The Communication Server always runs in the background and provides the
interface that allows the other applications to communicate with the Galaxy
panels.

• Communication Server to Database (MS SQL Server): fully authenticated and
encrypted using TLS 1.2, with both client and server certificate validation.

• Communication Server to Front Shell (SOAP): not encrypted with TLS 1.2. Protect
this link with IPsec or a VPN, as recommended in section 3.4.

• Communication Server to Ethernet Module (MDX protocol): encrypted (AES 128-bit,
see section 3.4).
4 Configuration

4.1 Settings for TLS 1.2 Communication for RSS – DB Server

• Supported SQL Server versions:

 SQL Server 2016

 SQL Server 2017

 SQL Server 2019

These versions support TLS 1.2 by default, and RSS currently supports TLS 1.2 with
them. Install one of these versions for RSS – DB Server TLS 1.2 communication.
Older versions need the update described in Microsoft KB3135244:

• https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

1. For RSS TLS 1.2 support, select the Use Force Encryption check box when
installing RSS.



2. To enable the TLS 1.2 settings at registry level, download and install the IIS
Crypto tool from the link below.
https://www.nartac.com/Products/IISCrypto/Download

For TLS 1.2 secure communication:

• Click the "Best Practices" button to apply the IIS Crypto best practices, as
shown in the IIS Crypto 3.2 GUI, on both the client and server machines.

• After enabling TLS 1.2, select the Reboot check box and then click Apply; the
computer restarts for the changes to take effect.
4.1.1 Settings for TLS1.2 reflected under the following registry key

4.2 Update and Configure .NET Framework to support TLS 1.2

Download and install the latest .NET Framework (4.7 or 4.8):

https://dotnet.microsoft.com/download/dotnet-framework/net48



4.2.1 How to determine .NET Framework version installed
https://docs.microsoft.com/en-us/troubleshoot/dotnet/framework/determine-
dotnet-versions-service-pack-levels

• Check the .Net Framework version under the following registry key as shown
below.

4.3 Configure for strong Cryptography

For 32-bit/64-bit applications running on a 32-bit/64-bit operating system, if the
keys exist under the following registry path, update the subkey values shown in the
figure below, or add them if they are missing. After changing the values, restart the
computer.

For 32-bit applications running on a 64-bit OS, update the following subkey values
as well. After changing the values, restart the computer.

4.4 Update windows and WinHTTP


Add or update the registry keys as below. If you change the value, restart the
computer.



For 64-bit machines

For 32-bit machines
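Sections 4.1.1, 4.2.1, 4.3 and 4.4 all come down to a handful of registry values whose screenshots are not reproduced here. The script below is an added example, not part of the Honeywell manual, that audits those values on a client or server machine and can optionally write them. The key paths and expected values are taken from the Microsoft TLS 1.2 guidance listed in section 5; it is an assumption that the manual's figures show the same keys. The .NET Release numbers used (460798 for 4.7, 528040 for 4.8) are Microsoft's published values.

```powershell
# Added example (not Honeywell's code): audit the TLS 1.2 registry settings
# behind sections 4.1.1, 4.2.1, 4.3 and 4.4. Key paths are from Microsoft's
# "enable TLS 1.2" guidance (assumed to match the manual's screenshots).
$Fix = $false   # set to $true and run elevated to create/correct failing DWORDs; reboot afterwards

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected, [switch]$NonZero)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    # IIS Crypto writes 0xffffffff for "Enabled" while Microsoft's guidance writes 1;
    # both mean enabled, so -NonZero accepts any non-zero value.
    $ok = $(if ($NonZero) { ($null -ne $actual) -and ($actual -ne 0) } else { $actual -eq $Expected })
    [pscustomobject]@{
        Key      = "$Path\$Name"
        Expected = $(if ($NonZero) { "$Expected (any non-zero)" } else { $Expected })
        Actual   = $(if ($null -eq $actual) { '<missing>' } else { $actual })
        Ok       = $ok
        FixValue = $Expected
    }
}

$checks = @()
$is64 = [Environment]::Is64BitOperatingSystem

# 4.1.1 Schannel: TLS 1.2 enabled and not disabled-by-default, client and server roles.
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    $checks += Test-RegValue "$sch\$role" 'Enabled' 1 -NonZero
    $checks += Test-RegValue "$sch\$role" 'DisabledByDefault' 0
}

# 4.2.1 .NET Framework 4.x version from the NDP Release value.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
$checks += [pscustomobject]@{
    Key = "$ndp\Release"; Expected = '>= 460798 (4.7); 528040 = 4.8'
    Actual = $(if ($null -eq $release) { '<missing>' } else { $release })
    Ok = ($release -ge 460798); FixValue = $null   # informational: install .NET, do not poke the key
}

# 4.3 Strong cryptography for .NET 4.x; the Wow6432Node hive covers 32-bit apps on 64-bit OS.
$netKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ($is64) { $netKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' }
foreach ($k in $netKeys) {
    $checks += Test-RegValue $k 'SchUseStrongCrypto' 1
    $checks += Test-RegValue $k 'SystemDefaultTlsVersions' 1
}

# 4.4 WinHTTP: DefaultSecureProtocols 0x800 = TLS 1.2 only
# (on Windows 7 / Server 2008 R2 this value is honoured only after update KB3140245).
$winHttp = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ($is64) { $winHttp += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' }
foreach ($k in $winHttp) { $checks += Test-RegValue $k 'DefaultSecureProtocols' 0x800 }

$checks | Format-Table Key, Expected, Actual, Ok -AutoSize

if ($Fix) {
    foreach ($c in ($checks | Where-Object { -not $_.Ok -and $null -ne $_.FixValue })) {
        $path = Split-Path -Path $c.Key -Parent
        $name = Split-Path -Path $c.Key -Leaf
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -Value $c.FixValue -PropertyType DWord -Force | Out-Null
    }
}
```

Run it once on each Front Shell, Comm Server and SQL Server machine after the IIS Crypto step; any row with Ok = False is a machine that will still negotiate, or silently fall back to, an older protocol from .NET or WinHTTP even though Schannel itself is configured.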

4.5 SQL Server Settings and Importing Certificate


Steps to export a self-signed certificate or Digi-certificate (Client & Server Machine):

1. Open the Certlm.msc console.

2. Right-click the Personal node and then navigate to All Tasks > Export, as shown
below. The Certificate Export Wizard is displayed.

3. Click Next.

4. Click the "Yes, export the private key" option and then click Next. The Export
File Format screen is displayed.

5. Click the "Personal Information Exchange - PKCS #12 (.PFX)" option and then
click Next.

6. Select the Password check box and enter a password when prompted.

7. Click Next.

8. Click Browse, choose the location, enter a file name and save the certificate.

9. Click Finish.

4.6 Steps to import Self-signed certificate or Digi-certificate (Client & Server Machine)

1. Open the Certlm.msc console.

2. Right-click the Personal node and then navigate to All Tasks > Import, as shown
below. The Certificate Import Wizard is displayed.

3. Follow the Certificate Import Wizard instructions to import the certificate with
the default options, entering the password when prompted.

4. Click Browse and select the certificate to import. The Private Key Protection
screen is displayed.

5. Enter the password and click Next. The Certificate Store screen is displayed.

6. Click Next. The Completing the Certificate Import Wizard screen is displayed.

7. Click Finish. A confirmation message box appears when the certificate is
imported successfully.

Follow the same steps to import the certificate under Trusted Root Certification
Authorities.
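The export and import wizards in 4.5 and 4.6 can be scripted, which also makes one point explicit that the wizards blur: the PFX with the private key belongs only on the SQL Server machine, while client machines (Front Shell, Comm Server) need just the public certificate in their Trusted Root store. The script below is an added example, not part of the Honeywell manual. Its assumptions are the SQL Server FQDN sqlsrv01.example.internal (it must be the same name clients enter at step 19 of 3.1), the export folder C:\certs, a default instance, and that a self-signed certificate is acceptable; for a CA-issued (Digi) certificate skip the New-SelfSignedCertificate step and import the supplied PFX.

```powershell
# Added example (not Honeywell's code): scripted equivalent of sections 4.5 and 4.6.
# Assumed values: FQDN, export folder, default instance MSSQLSERVER.
#Requires -RunAsAdministrator
$Fqdn   = 'sqlsrv01.example.internal'   # must match the name clients connect to
$OutDir = 'C:\certs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# --- SQL Server machine: create a server-authentication certificate in LocalMachine\My.
# The CAPI SChannel provider is used so SQL Server can open the key and so the
# key container path can be ACLed below. EKU 1.3.6.1.5.5.7.3.1 = Server Authentication.
$cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# Export with the private key (PKCS#12, password protected) as a server backup,
# and the public certificate only (.cer) for distribution to clients.
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\$Fqdn.pfx" -Password $pfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath "$OutDir\$Fqdn.cer" | Out-Null

# The SQL Server service account must be able to read the private key, or the
# certificate will not appear / load in Configuration Manager (section 4.7).
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'").StartName
$keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyFile"
icacls $keyPath /grant "$($svcAccount):R" | Out-Null

# --- Client machines (Front Shell / Comm Server): trust the server certificate.
# Copy only the .cer here; the PFX never leaves the server.
Import-Certificate -FilePath "$OutDir\$Fqdn.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# --- Server, when restoring or using a PFX issued elsewhere (section 4.6):
# Import-PfxCertificate -FilePath "$OutDir\$Fqdn.pfx" -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# Sanity check before touching SQL Server configuration: chain builds and name matches.
"Certificate $($cert.Thumbprint) for $Fqdn verifies: $($cert.Verify())"
```

If the certificate is issued by an internal or public CA instead, the client-side step is the same but the object imported into Trusted Root is the CA's certificate, not the server's. Either way, after 4.7 the client test in that section must fail on a machine where this import has not been done.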



4.7 Steps to configure SQL Server

1. Open the SQL Server Configuration Manager window.

2. Right-click Protocols for MSSQLSERVER and then select Properties. The
Protocols dialog box is displayed.

3. Under the Flags tab, select Yes from the Force Encryption drop-down.

4. Under the Certificate tab, select the certificate to use with SQL Server and
click Apply, then OK.

5. Restart the SQL Server service when prompted, as shown below.

The registry values shown below are updated automatically when the SQL Server
instance is configured with a certificate and Force Encryption = Yes.

After performing these configurations, launch the Comm Server and test the
connection both with and without the certificate imported on the client machine:
it must succeed only when the certificate is trusted. Repeat the same test for the
RSS Front Shell.
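The "with and without certificate" test above is the check that matters, and it is worth doing from a script rather than by watching the application, because Force Encryption on the server only guarantees that the session is encrypted: the server's identity is checked only when the client itself asks for encryption and refuses to trust an unvalidated certificate. The following is an added example, not part of the Honeywell manual, assuming the FQDN sqlsrv01.example.internal, the "Dimension" database named in section 8, Windows authentication and a default instance. Get-SqlForceEncryption reads the SuperSocketNetLib values the manual refers to on the server; Test-SqlTlsConnection is run from each client.

```powershell
# Added example (not Honeywell's code): verify the section 4.7 configuration on the
# server and prove from a client that the session is encrypted and validated.
# Assumed values: FQDN, database name, default instance.
$Fqdn = 'sqlsrv01.example.internal'

# --- Server side: values written by Configuration Manager when Force Encryption = Yes
#     and a certificate is selected (Certificate holds the thumbprint).
function Get-SqlForceEncryption {
    $instId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').MSSQLSERVER
    $p = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instId\MSSQLServer\SuperSocketNetLib"
    [pscustomobject]@{ Instance = $instId; ForceEncryption = $p.ForceEncryption; CertThumbprint = $p.Certificate }
}

# --- Client side (Front Shell / Comm Server machine).
function Test-SqlTlsConnection {
    param([string]$Server, [string]$Database = 'Dimension', [switch]$TrustServerCertificate)
    # Encrypt=True requests TLS; TrustServerCertificate=False makes the client build the
    # chain and match the host name against the certificate, so the FQDN must be used.
    # TrustServerCertificate=True still encrypts but accepts any certificate, i.e. it
    # gives no protection against a spoofed server: use it only to diagnose chain problems.
    $trust = $(if ($TrustServerCertificate) { 'True' } else { 'False' })
    $cs = "Server=$Server;Database=$Database;Integrated Security=True;" +
          "Encrypt=True;TrustServerCertificate=$trust;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{ Server = $Server; Encrypted = $r['encrypt_option']; Transport = $r['net_transport']; Error = $null }
    } catch {
        # Expected result of the "without certificate imported" test: an untrusted
        # issuer must make the connection fail rather than fall back to cleartext.
        [pscustomobject]@{ Server = $Server; Encrypted = 'n/a'; Transport = 'n/a'; Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

# On the server:
# Get-SqlForceEncryption
# On each client, before and after importing the root certificate (section 4.6):
Test-SqlTlsConnection -Server $Fqdn
```

Before the import the call returns an Error mentioning an untrusted certificate chain; after it, Encrypted = TRUE and Error empty. If the connection succeeds before the import, the client is either trusting the server certificate implicitly or connecting without Encrypt=True, and the RSS connection string should be reviewed.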
4.8 SQL Server Driver recommended for TLS 1.2 (Client and Server Machines)

SQL Version Compatibility (ODBC Driver 17 for SQL Server, driver version 17.3):

Azure SQL Database          Yes
Azure Synapse Analytics     Yes
Azure SQL Managed Instance  Yes
SQL Server 2019             Yes
SQL Server 2017             Yes
SQL Server 2016             Yes
SQL Server 2014             Yes
SQL Server 2012             Yes
SQL Server 2008 R2          Yes
SQL Server 2008             Yes
SQL Server 2005             -

4.9 Supported Operating System

ODBC Driver 17 for SQL Server, driver version 17.3:

Windows Server 2019         Yes
Windows Server 2016         Yes
Windows Server 2012 R2      Yes
Windows Server 2012         Yes
Windows Server 2008 R2      Yes
Windows 10                  Yes
Windows 8.1                 Yes
Windows 7                   Yes
Windows Vista SP2           -

4.10 SQL Driver version (17.3)

For more information, see:

System Requirements, Installation, and Driver Files - ODBC Driver for SQL Server |
Microsoft Docs

Version 17.3 download:

https://www.microsoft.com/en-US/download/details.aspx?id=57341



5 References

• https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client

• https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2

• https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net

• https://www.youtube.com/watch?v=KrPp-G_1aAk

• Enable Schannel event logging in Windows - Internet Information Services | Microsoft Docs

• Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Docs

• Common issues when enabling TLS 1.2 - Configuration Manager | Microsoft Docs

• Microsoft Security Advisory 2960358 | Microsoft Docs

• System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) - Windows security | Microsoft Docs

6 Daily Use

6.1 Monitoring the Remote Servicing Suite


To discover any unintended activities, it is recommended to perform a periodic audit
to make sure the Remote Servicing Suite is being used as configured and intended.
The Remote Servicing Suite Control Panels capture all user and system events
(tampers, access requests…):

• To view the full event log, including access events, use RSS.

6.2 Other Parameters to Monitor


Check the network firewall logs periodically for any unwanted or unusual events.

6.3 Setting Up an Event Response Team


An Event Response Team should be ready to handle any security breach as it occurs.
Their role is to identify the attack, prevent further damage, recover from the damage,
and capture evidence which could be used in prosecutions. In many instances the IT
department will already have such a team. Make them aware of all specific
requirements of the security system.

6.4 Data Privacy


Remote Servicing Suite is intended to provide information which will help a business
owner identify authorised users that have performed actions on the security system.
Within that scope the system will use a name label, ID number, and PIN which are
allocated to each authorised user.

As a customer, you have control and responsibility over the implementation of what,
if any, personal data can be utilized in the name label and PIN data elements. Please
ensure users are advised as to what information is processed and stored in each of
the data elements. This data is managed using the RSS interface, which has been
designed to comply with the GDPR.



7 Maintenance

7.1 Updating to Latest Software


Check for new releases of the Galaxy RSS Software and update your panels to use
the latest versions. This ensures the latest changes and security improvements are
installed.

7.2 Installing security packages:


Windows Operating System:

• Keep the Windows operating system updated with all security updates as a priority.

• Install the important security updates for Microsoft XML Core Services
vulnerabilities applicable to the operating system (this step is not required if the
Windows system is already up to date with security updates):

 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-061
 https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-043
 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-042
 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-002
 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-084
 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-033
 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069

SQL Server 2017:

• Install the following Microsoft security updates to mitigate risks in MS SQL
Server 2017:

 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1068
 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1636
 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0819

• Install all the latest service packs and cumulative updates available for SQL
Server to keep these risks mitigated.

7.3 Security Recommendations for SQL Server:

• Ensure the 'sa' login is disabled after installation is complete.

• Ensure single-function member servers are used (a dedicated server for SQL
Server).

• Ensure the 'Hide Instance' option is set to 'Yes' for the SQL Server instance.

• Disable unnecessary SQL Server protocols such as Shared Memory and Named Pipes
in network installation setups.

• The service account and/or service SID used by the MSSQLSERVER service for a
default instance, or the MSSQL$<InstanceName> service for a named instance,
should not be a member of the Windows Administrators group, either directly or
indirectly (via a group). This also means that the account known as LocalSystem
(aka NT AUTHORITY\SYSTEM) should not be used for the MSSQL service, as this
account has higher privileges than the SQL Server service requires.

• If using the auto restart feature, then the SQLAGENT service must be an
Administrator.

• Ensure the SQL Server Full-Text service account is not an Administrator: the
service account and/or service SID used by the MSSQLFDLauncher service for a
default instance, or the MSSQLFDLauncher$<InstanceName> service for a named
instance, should not be a member of the Windows Administrators group, either
directly or indirectly (via a group). This also means that LocalSystem (aka
NT AUTHORITY\SYSTEM) should not be used for the Full-Text service, as this account
has higher privileges than the service requires.
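Most of the items in 7.3 can be checked from the SQL Server host itself. The script below is an added example, not part of the Honeywell manual, that audits the Hide Instance flag, the Shared Memory and Named Pipes protocols, the MSSQLSERVER and MSSQLFDLauncher service accounts, and the 'sa' login. It assumes a default instance, the standard SuperSocketNetLib registry layout, and that it is run on the SQL Server host by an account with sysadmin rights; the 'sa' check reuses the validated TLS connection settings from section 4.7.

```powershell
# Added example (not Honeywell's code): audit of the section 7.3 recommendations.
# Assumed: default instance MSSQLSERVER, run on the SQL Server host with sysadmin rights.
$instId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').MSSQLSERVER
$ssnl   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instId\MSSQLServer\SuperSocketNetLib"
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [bool]$Ok, $Actual) {
    $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Actual = $Actual })
}

# Hide Instance and unnecessary protocols (Sm = Shared Memory, Np = Named Pipes).
$root = Get-ItemProperty $ssnl
Add-Finding 'HideInstance = 1' ($root.HideInstance -eq 1) $root.HideInstance
foreach ($proto in @{ Sm = 'Shared Memory'; Np = 'Named Pipes' }.GetEnumerator()) {
    $enabled = (Get-ItemProperty "$ssnl\$($proto.Key)").Enabled
    Add-Finding "$($proto.Value) disabled" ($enabled -eq 0) $enabled
}

# Service accounts: not LocalSystem and not a direct member of local Administrators.
# Nested (indirect) group membership is not resolved here; check it separately if
# the service account is a domain account placed in groups.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
foreach ($svcName in 'MSSQLSERVER', 'MSSQLFDLauncher') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { continue }   # Full-Text service is optional
    $acct = $svc.StartName
    $isSystem = $acct -in 'LocalSystem', 'NT AUTHORITY\SYSTEM'
    Add-Finding "$svcName not running as LocalSystem" (-not $isSystem) $acct
    Add-Finding "$svcName not in local Administrators" ($admins -notcontains $acct) $acct
}

# 'sa' disabled: ask the instance itself over a validated TLS connection
# (FQDN is used so the server certificate's DNS name matches).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$conn = New-Object System.Data.SqlClient.SqlConnection ("Server=$fqdn;Integrated Security=True;" +
        'Encrypt=True;TrustServerCertificate=False;Connect Timeout=10')
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # sid 0x01 is always the 'sa' login, even if it has been renamed.
    $cmd.CommandText = 'SELECT is_disabled FROM sys.server_principals WHERE sid = 0x01'
    $saDisabled = [bool]$cmd.ExecuteScalar()
    Add-Finding "'sa' login disabled" $saDisabled $saDisabled
} catch {
    Add-Finding "'sa' login disabled" $false "query failed: $($_.Exception.Message)"
} finally { $conn.Dispose() }

$findings | Format-Table -AutoSize
```

Any Ok = False row maps directly to one bullet in 7.3. Note that the Named Pipes and Shared Memory checks apply to network installations as the manual states; on a standalone installation where Front Shell, Comm Server and SQL Server share one machine, Shared Memory may legitimately remain enabled.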



8 Uninstalling Remote Servicing Suite
1. To uninstall Remote Servicing Suite, navigate to Control Panel > Programs and
Features, right-click Galaxy RS and select Uninstall.

2. Follow the on screen instructions to uninstall


3. Click Yes to completely remove RSS.

4. Select the required components to uninstall and then click Next.



5. Click Finish to complete uninstallation

The RSS database "Dimension" is not deleted when RSS is uninstalled. Follow the
steps below to delete the database manually. Take all precautionary steps (e.g. a
database backup) before deleting the database.

1. Launch SQL Server Management Studio and connect to the server by providing
credentials.

2. Expand Databases Node and Right Click Dimension Database. Click delete
from Sub Menu Item.
3. Check “Close Existing Connections” and click ok button to delete the
database.



Honeywell Security Group
Aston Fields Road
Whitehouse Industrial Estate
Runcorn
Cheshire
WA7 3DL
Tel: +44 (0)8448 000 235
Copyright © 2021 Honeywell International Inc.
www.security.honeywell.com
