Remote Servicing Suite Security Manual Version a (1)
Security Manual
Revision History
Copyright Notice
Information contained herein is to be used solely for the purpose submitted, and no
part of this document or its contents shall be reproduced, published, or disclosed to
a third party without the express permission of Honeywell International.
3.2 Wiring
4.6 Steps to import Self signed certificate or Digi-certificate (Client & Server Machine)
4.8 SQL Server Driver recommended for TLS1.2 (Client and Server Machines)
1.1 Introduction
This Security Manual provides information for optimizing the secure deployment and
operations of the Remote Servicing Suite.
• Installers
• Security managers
• Site owners
• IT staff.
1.3 Scope
This document covers the following parameters of the Remote Servicing Suite:
• Comm Server
• Event Monitor
CAUTION
As you develop a security program for your Security system, make sure to
protect all information from unauthorized access, either from within or
outside your company. Keep the information on your control system and
process operations safe from any individual or organization that may
have harmful intentions.
If you find any damage to the package or its seals, then the product may have been
tampered with. This may compromise the integrity of the product. The product may
have been changed from specs and it may not work as expected.
CAUTION
Do not install and use damaged goods. If you continue to use damaged
goods, the risk is transferred to you.
1. For Standalone installation - Select the check box for all three Modules Front
shell, Comm Server and Database installed in a single machine as shown in the
below screen.
2. For Network installation - Select the required check box accordingly Front shell,
(Comm Server & Database) in two different machines or all the three (Front
Shell, Comm Server and database) in separate machines.
5. Read the license agreement and then click I accept the terms of the license
agreements option.
9. Click Change to browse and select the folder where setup should install files.
13. Select the required language(s) and then click Next. The USB Driver screen is
displayed.
14. Read the instruction on the screen
15. Select the Honeywell USB Driver check box and verify the options you have
selected.
19. For TLS 1.2, enter SQL Server Machine Name you are connecting to in FQDN
(Fully Qualified Domain Name) format as shown below.
23. Select the required check box for Desktop Shortcut and then click Next. The
Run applications screen is displayed.
25. For TLS1.2 support, select the Use Force Encryption. Click Next, the Encryption
Key screen is displayed.
26. Click Use Generated Key option and then type the key.
28. Type the password and then click Next for Front shell user
3.2 Wiring
The below image displays the Wiring diagram for Galaxy Control Panel.
NOTE
3.4 Network
Protocol Medium Description Encrypted
TLS1.2 Internet TLS1.2 communication between Yes.
Comm Server and Database (MS
SQL)
Front Shell and Database (MS
SQL)
Panel App and Database (MS
SQL)
MDX Protocol RS-232 Comm Server and Galaxy AES 128-bit encryption
Ethernet Module
CAUTION
The Remote Servicing Suite is not designed to be exposed directly to the internet. Any ports
required for the communication must be blocked in the firewall. It is recommended to use a virtual
private network when it is required to access an application component remotely. This is applicable
to the RSS Comm Server, RSS Front Shell and SQL Server.
IPSEC is recommended between the Comm Server and Front Shell machines when these communicate
over a private network.
While communicating with the Galaxy panel, it is recommended to use a virtual private network.
Refer to the Galaxy Ethernet module security manual for more information.
The end user will own the risk if the Remote Servicing Suite is accessed via any unprotected or
untrusted network.
• Communication server with Front Shell is not encrypted using TLS1.2. HTTPS
with both client and server certificate validations.
Support TLS1.2 by default and currently RSS supports TLS1.2 with the above SQL Server
versions. Please install any one of the versions for RSS – DB Server TLS1.2
communication.
• https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe
1. For RSS TLS 1.2 support, select the Use Force Encryption check box to install
RSS.
• Click the “Best Practices” button to enable the IIS Crypto best practices as
shown in the IIS Crypto 3.2 GUI for both client and server machines.
• After enabling TLS1.2, select the Reboot check box and then click the Apply button,
which restarts the computer for the changes to take effect.
4.1.1 Settings for TLS1.2 reflected under the following registry key
https://dotnet.microsoft.com/download/dotnet-framework/net48
• Check the .Net Framework version under the following registry key as shown
below.
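The registry checks described above can be scripted. The following PowerShell is an added example, not part of the Honeywell manual; it assumes the standard Microsoft-documented SCHANNEL and .NET Framework registry locations (the manual's own screenshots of the keys are not reproduced on this page) and only reads values.

```powershell
# Added example, not from the manual. Read-only; run in an elevated PowerShell
# session on both the client and the server machine.
$proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$netFx = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = @()
foreach ($role in 'Client', 'Server') {
    $enabled = Get-RegValue "$proto\$role" 'Enabled'
    $off     = Get-RegValue "$proto\$role" 'DisabledByDefault'
    $state = if ($null -eq $enabled -and $null -eq $off) {
        'Not set (OS default applies)'
    } elseif ($enabled -and $off -eq 0) {
        'Explicitly enabled'            # Enabled non-zero, DisabledByDefault = 0
    } else {
        'Disabled or partially set'
    }
    $report += [pscustomobject]@{ Check = "SCHANNEL TLS 1.2 $role"; Result = $state }
}

# .NET Framework 4.x applications use the OS TLS defaults only when both
# values are 1, for the 64-bit and the 32-bit (WOW6432Node) runtime.
foreach ($key in $netFx) {
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $ok = (Get-RegValue $key $name) -eq 1
        $report += [pscustomobject]@{
            Check  = "$name ($key)"
            Result = if ($ok) { 'Set to 1' } else { 'Missing or not 1' }
        }
    }
}

# 528040 is the lowest Release value Microsoft documents for .NET Framework 4.8,
# the version behind the download link above.
$release = Get-RegValue $ndp 'Release'
$report += [pscustomobject]@{
    Check  = '.NET Framework 4.8 or later'
    Result = if ($release -ge 528040) { "Yes (Release=$release)" } else { "No (Release=$release)" }
}
$report | Format-Table -AutoSize -Wrap
```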
3. Click Next
7. Click Next.
8. Click the Browse button and then select the location to enter the name and to
save the certificate.
2. Right-click the Personal sub tree node and then navigate to All Tasks > Import
as shown below. The Certificate Export Wizard is displayed.
3. Follow the Certificate Import Wizard instructions to import the certificate with
default options and when prompted for password enter the password.
5. Enter the password and click Next. The Certificate store screen is displayed.
6. Click Next. The Completing the Certificate Import Wizard screen is displayed.
2. Right-click Protocols for MSSQLSERVER and then select the Properties sub menu
option. The Protocols dialog box is displayed.
3. Under the Flags tab, select Yes from the drop-down for Force Encryption.
4. Under the Certificate tab, select the certificate to configure with SQL Server and
click Apply and then OK.
After performing these configurations, launch Comm Server and test RSS with and
without certificate imported in client machine. Repeat the steps as performed for
RSS.
4.8 SQL Server Driver recommended for TLS1.2 (Client and Server
Machines)
SQL Version Compatibility
ODBC Driver 17 for SQL Server (Driver Version): 17.3

Target                        Supported
Azure SQL Database            Yes
Azure Synapse Analytics       Yes
Azure SQL Managed Instance    Yes
SQL Server 2019               Yes
SQL Server 2017               Yes
SQL Server 2016               Yes
SQL Server 2014               Yes
SQL Server 2012               Yes
SQL Server 2008 R2            Yes
SQL Server 2008               Yes
SQL Server 2005               -
System Requirements, Installation, and Driver Files - ODBC Driver for SQL Server | Microsoft Docs
https://www.microsoft.com/en-US/download/details.aspx?id=57341
• https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2
• https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net
• https://www.youtube.com/watch?v=KrPp-G_1aAk
• To view the full event log, including access events, use RSS.
As a customer, you have control and responsibility over the implementation of what,
if any, personal data can be utilized in the name label and PIN data elements. Please
ensure users are advised as to what information is processed and stored in each of
the data elements. This data is managed using the RSS interface, which has been
designed to comply with the GDPR.
• Keep the Windows operating system updated with all security updates as a
priority.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-061
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-043
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-042
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-002
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-084
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-033
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1068
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1636
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0819
• Install the latest service pack available for the SQL server to keep all the
risks mitigated.
• Ensure ‘Hide Instance’ option is set to ‘Yes’ for SQL server instance.
• The service account and/or service SID used by the MSSQLSERVER service
for a default instance or MSSQL$<InstanceName> service for a named
instance should not be a member of the Windows Administrator group either
directly or indirectly (via a group). This also means that the account known as
LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the
MSSQL service as this account has higher privileges than the SQL Server
service requires.
• If using the auto restart feature, then the SQLAGENT service must be an
Administrator.
Ensure the SQL Server's Full-Text Service Account is Not an Administrator: The
service account and/or service SID used by the MSSQLFDLauncher service for a
default instance or MSSQLFDLauncher$<InstanceName> service for a named
instance should not be a member of the Windows Administrator group either directly
or indirectly (via a group). This also means that the account known
as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the Full-Text
service as this account has higher privileges than the SQL Server service requires.
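The SQL Server settings above (Force Encryption, the bound certificate, Hide Instance, and the service accounts) can be audited together. This PowerShell is an added example, not Honeywell's or Microsoft's code; it assumes the standard SQL Server registry layout under HKLM and the service names given above, and it only reads configuration.

```powershell
# Added example, not from the manual. Read-only; run elevated on the SQL Server machine.
$sqlRoot   = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instances = Get-ItemProperty "$sqlRoot\Instance Names\SQL" -ErrorAction Stop
$psProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Direct members of the local Administrators group (well-known SID, so the
# lookup does not depend on the OS language). Nested membership is NOT
# expanded: review any member that is itself a group by hand.
$adminNames = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

$report = foreach ($p in $instances.PSObject.Properties) {
    if ($p.Name -in $psProps) { continue }          # provider metadata, not an instance
    # $p.Name is the instance name, $p.Value its registry ID (e.g. MSSQL15.MSSQLSERVER)
    $net = Get-ItemProperty "$sqlRoot\$($p.Value)\MSSQLServer\SuperSocketNetLib"

    # Database engine and Full-Text launcher service names, default vs. named instance
    $names = if ($p.Name -eq 'MSSQLSERVER') {
        'MSSQLSERVER', 'MSSQLFDLauncher'
    } else {
        ('MSSQL$' + $p.Name), ('MSSQLFDLauncher$' + $p.Name)
    }

    foreach ($n in $names) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$n'"
        if (-not $svc) { continue }                 # e.g. Full-Text not installed
        # Normalise ".\user" to "COMPUTER\user" so it compares with group members
        $acct = $svc.StartName -replace '^\.\\', "${env:COMPUTERNAME}\"
        [pscustomobject]@{
            Instance        = $p.Name
            Service         = $svc.Name
            Account         = $svc.StartName
            ForceEncryption = $net.ForceEncryption -eq 1
            CertificateSet  = [bool]$net.Certificate   # thumbprint chosen on the Certificate tab
            HideInstance    = $net.HideInstance -eq 1
            RunsAsSystem    = $acct -in 'LocalSystem', 'NT AUTHORITY\SYSTEM'
            DirectAdmin     = $adminNames -contains $acct
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A hardened instance shows ForceEncryption, CertificateSet and HideInstance as True, and RunsAsSystem and DirectAdmin as False, for every row.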
RSS database “Dimension” is not deleted after uninstalling RSS. Follow the steps to delete the database
manually. Please take all precautionary steps (Ex. Database Backup etc.) before deleting the database.
1. Launch SQL Server Management Studio and connect to the server by providing
credentials.
2. Expand the Databases node and right-click the Dimension database. Click Delete
from the sub menu.
3. Check “Close Existing Connections” and click the OK button to delete the
database.