
Technical Information

FAST/TOOLS Windows IT Security Guide
TI 50A01A10-04EN

©Copyright Sep. 2019 (YK)
1st Edition Sep. 2019 (YK)

Introduction
The FAST/TOOLS Windows Security Guide describes the detailed security settings when
implementing IT security on a computer with FAST/TOOLS R10.04. IT security protects
YOKOGAWA products from existing and future security threats.
This FAST/TOOLS Windows Security Guide consists of the following sections:
• Overview
• Security models and user management types
• Details of security measures
• Precautions on operations
• Working with the IT Security Tool
• Other utility programs
• Connecting other Yokogawa products
• Optional IT security settings

 Target audience
The intended readers of the FAST/TOOLS Windows Security Guide are FAST/TOOLS
engineers who want to strengthen the IT security for FAST/TOOLS R10.04 systems running
on Microsoft operating systems.

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00


1st Edition : Sep. 2019 (YK)
All Rights Reserved. Copyright © 2019, Yokogawa Electric Corporation

Safety precautions

 Safety, protection, and modification of the product

• To protect the system controlled by the product and the product itself and ensure safe
operation, observe the safety precautions described in this user's manual. Yokogawa
Electric Corporation (hereinafter referred to as YOKOGAWA) assumes no liability for
safety if users fail to observe the safety precautions and instructions when operating the
product.
• If this product is used in a manner not specified in this user's manual, the protection
provided by this product may be impaired.
• If any protection or safety circuit is required for the system controlled by the product or for
the product itself, install it externally.
• Be sure to confirm the specifications and required settings of the devices that are used in
combination with the product by referring to the instruction manual or other documents of
the devices.
• Use only spare parts that are approved by YOKOGAWA when replacing parts or
consumables of the product.
• Do not use the product and accessories of the product such as power cords on devices
that are not approved by YOKOGAWA. Do not use the product and its accessories for
other purposes.
• Modification of the product is strictly prohibited.
• The following symbols are used in the product and user's manual to indicate the
accompanying safety precautions:

Indicates that caution is required. This symbol for the Product indicates the possibility
of dangers such as electric shock on personnel and equipment, and also indicates that
the user must refer to the user's manuals for necessary actions. In the user's manuals,
this symbol is used together with a word "CAUTION" or "WARNING" at the locations
where precautions for avoiding dangers are described.
Indicates that caution is required for hot surfaces. Note that the devices with this
symbol become hot. The risk of burn injury or some damages exists if the devices are
touched or contacted.
Identifies a protective grounding terminal. Before using the product, ground the
terminal.
Identifies a functional grounding terminal. Before using the product, ground the
terminal.
Indicates an AC supply.
Indicates a DC supply.
Indicates that a component such as a power supply switch is turned ON.

Indicates that a component such as a power supply switch is turned OFF.

 Notes on handling user's manuals
• Hand over the user's manuals to your end users so that they can keep the user's manuals
on hand for reference.
• Read and understand the information in the user's manual thoroughly before using the
product.
• For the avoidance of any doubt, the purpose of these user's manuals is not to warrant
that the product is suitable for any particular purpose but to describe the functional details
of the product.
• YOKOGAWA reserves the right to make improvements in the user's manuals and product
at any time, without notice or obligation.
• Every effort has been made to ensure the accuracy of contents in the user's manuals.
However, should you have any questions or find any errors, contact our sales
representative or your local distributor. The user's manuals with unordered pages or
missing pages will be replaced.

 Warning and disclaimer


• The product is provided on an "as is" basis.
• YOKOGAWA shall have neither liability nor responsibility to any person or entity with
respect to any direct or indirect loss or damage arising from using the product or any
defect of the product that YOKOGAWA cannot predict in advance.

 Notes on software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the
software’s merchantability or suitability for any particular purpose, except as strictly
provided in the terms of warranty.
• The software may be used only on the specified computer. If you need to use the
software on another computer, you must purchase another software.
• It is strictly prohibited and an infringement of YOKOGAWA's Intellectual Property rights to
reproduce the software except for the purpose of backup.
• Store all the original media that comes with the product in a safe place.
• It is strictly prohibited and an infringement of YOKOGAWA's Intellectual Property rights to
reverse engineer, reverse compile, reverse assemble, or reduce the software to human-
readable form.
• No part of the software may be transferred, converted, or sublet for use by any third-party,
without prior written consent from YOKOGAWA, failing which any warranty statements
provided for the product and/or software shall be rendered void.


Documentation conventions
 Symbols

The following symbols identify various sections of text in this user's manual.

WARNING: Indicates precautions to avoid a danger that may lead to death or severe injury.

CAUTION: Indicates precautions to avoid a danger that may lead to minor or moderate injury or property damage.

IMPORTANT: Indicates important information required to understand operations or functions.

Indicates additional information.

Indicates referenced content.
In online manuals, you can view the referenced content by clicking the links that are in green text. However, this action does not apply to the links that are in black text.

 Typographical conventions
The following typographical conventions are used throughout the user's manuals.

 Commonly used conventions throughout user's manuals


• Character string to be entered
The characters that must be entered are shown in monospace font as follows:
Example:
FIC100.SV=50.0

 Conventions used to show key or button operations


• Characters enclosed by brackets ([ ])
In descriptions of key or button operations, words enclosed in brackets indicate a key on
the HIS (Human Interface Station) keyboard, a key on the operation keyboard, a button
name in a window, or an item in a box displayed in a window.
Example:
To alter the function, press the [ESC] key.

 Conventions used in command syntax or program statements
The following conventions are used within a command syntax or program statement format.
• Characters enclosed by angle brackets (< >)
Indicate character strings that the user can specify freely according to certain guidelines.
Example:
#define <Identifier><Character string>
• "..."
Indicates that the previous command or argument may be repeated.
Example:
Imax (arg1, arg2, ...)
• Characters enclosed by brackets ([ ])
Indicate those character strings that can be omitted.
Example:
sysalarm format_string[output_value ...]
• Characters enclosed by separators (| |)
Indicate those character strings that can be selected from more than one option.
Example:
opeguide <format_character_string> [, <output_value> ...]
OG,<element number>

 Drawing conventions
Some drawings may be partially emphasized, simplified, or omitted for the convenience of
description.
In the user's manual, the parts in some drawings may be placed in different positions or have
different font settings. Note that some of the images in user's manuals are display examples.


Copyright and trademark notices

 All rights reserved


The copyright of the programs and online manuals contained in the software media shall
remain with YOKOGAWA.
You are allowed to print the required pages of the online manuals for the purposes of using
and/or operating the product. However, you are not allowed to print or reproduce the entire
document. You can purchase the printed manual from YOKOGAWA.
Except as stated above, no part of the online manual may be reproduced, either in electronic
or written form, registered, recorded, transferred, sold, or distributed (in any manner including
without limitation, in the forms of paper documents, electronic media, films, or transmission
via the network). Any in-action and/or silence by YOKOGAWA with regard to any breach of
the above shall not be taken as any waiver of its rights whatsoever and YOKOGAWA
reserves all its rights until expressly waived by written notification and no other occasions.

 Trademark acknowledgments
• CENTUM, ProSafe, Vnet/IP, PRM, InsightSuite, STARDOM, Exaopc, Exapilot,
Exaquantum, Exasmoc, Exarqe, StoryVIEW, FAST/TOOLS, and FieldMate are the
registered trademarks or trademarks of Yokogawa Electric Corporation.
• The names of corporations, organizations, products and logos herein are either
registered trademarks or trademarks of Yokogawa Electric Corporation and their
respective holders.


FAST/TOOLS Windows IT Security Guide


CONTENTS
TI 50A01A10-04EN 1st Edition

1. Overview. .............................................................................................. 1-1


1.1 Security threats............................................................................................. 1-3
1.2 Security measures ........................................................................................ 1-4
1.3 Scope of IT security settings..................................................................... 1-10
1.4 Positioning of IT security settings ............................................................ 1-11
2. Security models and user management types .................................. 2-1
2.1 Security models. ........................................................................................... 2-2
2.2 Windows user and group management types ........................................... 2-9
2.2.1 Created users and groups ............................................................ 2-10
3. Details of security measures .............................................................. 3-1
3.1 Access Control. ............................................................................................ 3-2
3.1.1 Access Control for files and folders................................................ 3-3
3.1.2 Access Control for product registry ................................................ 3-8
3.1.3 Access Control for DCOM (OPC) objects ...................................... 3-9
3.2 Personal firewall tuning ............................................................................. 3-11
3.3 Stopping unused Windows services ........................................................ 3-16
3.4 OPC configuration ...................................................................................... 3-17
3.5 IT environment settings ............................................................................. 3-18
3.5.1 NetBIOS over TCP/IP .................................................................. 3-19
3.5.2 Hard disk password ...................................................................... 3-20
3.6 Group Policy settings ................................................................................ 3-21
3.6.1 Password policies ........................................................................ 3-22
3.6.2 Account lockout policies ............................................................... 3-23
3.6.3 Security Options. .......................................................................... 3-24
3.6.4 Software restriction policies ......................................................... 3-26
3.6.5 Advanced Audit Policy Configuration ........................................... 3-27
3.6.6 Administrative Templates .................................................................. 3-30
4. Precautions on operations.................................................................. 4-1
4.1 When running FAST/TOOLS Server ........................................................... 4-2
4.2 When running the FAST/TOOLS OPC Server ............................................ 4-3
4.3 When disabling NetBIOS over TCP/IP ........................................................ 4-4
4.4 When setting the display language ............................................................ 4-5

4.5 When changing the display language ........................................................ 4-6
4.6 When using Remote Desktop Connection (RDC) ...................................... 4-7
4.7 When using the Start menu on Windows 10 and Windows Server 2016 ............... 4-8
5. Working with the IT Security Tool .......................................................... 5-1
5.1 Configuring IT security settings ................................................................. 5-2
5.2 Saving IT security settings. ......................................................................... 5-6
5.3 Restoring IT security settings. .................................................................... 5-8
5.4 Changing the security setting file password (Encryption Key) ............. 5-10
5.5 Exporting and importing the IT security setting file ............................... 5-11
5.6 Viewing the summary of IT security settings .......................................... 5-13
5.7 Reapplying IT security settings ................................................................ 5-14
5.7.1 For FAST/TOOLS Server and Remote Connect. ......................... 5-15
5.7.2 For Mobile Client and Domain Controller ..................................... 5-16
5.8 Changing the FAST/TOOLS user account ............................................... 5-17
6. Other utility programs ......................................................................... 6-1
6.1 CreateFasttoolsProcess utility .................................................................... 6-2
6.2 StorageDeviceCTL utility. ............................................................................ 6-3
6.3 ITSecuritySettingItemExport utility............................................................. 6-4
7. Connecting YOKOGAWA products .................................................... 7-1
7.1 FAST/TOOLS and STARDOM ............................................................................ 7-2
7.1.1 Coexistence.................................................................................... 7-3
7.1.2 Collaboration .................................................................................. 7-4
7.2 FAST/TOOLS and ProSafe-RS..................................................................... 7-5
7.2.1 Collaboration .................................................................................. 7-6
7.3 FAST/TOOLS and Matrikon OPC Server .................................................... 7-7
7.3.1 Collaboration .................................................................................. 7-8
7.4 FAST/TOOLS and Exaquantum ................................................................. 7-10
7.4.1 Collaboration .................................................................................7-11
7.5 Coexistence with FAST/TOOLS Client and other products ................... 7-13
8. Optional IT security settings............................................................... 8-1
8.1 Security measures for Windows 10 and Windows Server 2016 .............. 8-2
8.2 Disabled Windows applications .................................................................. 8-3
8.3 Audit policies ................................................................................................ 8-5
8.3.1 Applying Audit Policy settings ........................................................ 8-6
8.3.2 Defining maximum event log size .................................................. 8-7
8.4 Disabling recovery console. ........................................................................ 8-8
8.5 Setting user rights for internal system objects ......................................... 8-9
8.6 Verifying user rights assignments. ........................................................... 8-10
8.7 Disabling the Guest account ..................................................................... 8-11
8.8 Restricting access to audit logs. .............................................................. 8-12
8.9 Configuring advanced audit policy settings ............................................ 8-13

8.10 Restricting access to removable media ................................................... 8-14
8.11 Making the screen saver password protection immediate. ................... 8-15
8.12 Configuring the SNMP service settings ................................................... 8-16
8.13 Configuring SSL registry settings ............................................................ 8-17
8.14 Configuring TLS registry settings ............................................................ 8-18
8.15 Securing registry keys for programs that run during startup................ 8-19
8.16 Securing AllowedPaths and AllowedExactPaths registry keys. ............ 8-20
8.17 Disabling "Everyone" group permissions for anonymous users.......... 8-22
8.18 Removing unwanted network protocols .................................................. 8-23
8.19 Deploying TCP/IP protocol settings ......................................................... 8-24
8.20 Enabling safe DLL search order. .............................................................. 8-25
8.21 Using NTFS on all non-removable partitions .......................................... 8-26
8.22 Enforcing password protection for third-party SMB Servers ................ 8-27
8.23 Setting unique password for each Administrator account .................... 8-28
8.24 Setting up advanced personal firewall ..................................................... 8-29


Appendix
Appendix 1. IT security setting items ................................................ App.1-1
Appendix 1.1 Security setting items in FAST/TOOLS computer....................App.1-2
Appendix 1.2 Security setting items in Domain Controller.......................... App.1-11
Appendix 2. Additional information....................................................App.2-1
Appendix 2.1 Notes on security packs and security updates........................App.2-2
Appendix 2.2 User account management when security model is changed ............ App.2-3
Appendix 2.3 Tools for defining local policies................................................ App.2-5
Appendix 2.4 Stopping Windows services before configuring IT security settings ... App.2-6
Appendix 2.5 Options for running the IT Security Tool.................................. App.2-7


1. Overview
To protect FAST/TOOLS systems from existing and future security threats, it is necessary to
implement IT security settings. The FAST/TOOLS Windows Security Guide describes the
detailed security settings for implementing the IT security in the system.

 Glossary
The following table describes the security-related terms and abbreviations that are used in
this manual.

Table 1-1 Glossary


Firewall: A firewall operating on computers and domain controllers, including firewalls other than the Windows firewall.
Business network: An intranet that does not include the PCN.
Reverse Proxy: A type of proxy server that retrieves resources on behalf of a client from one or more servers.
PCN: An abbreviation of Process Control Network, which is a network built for an ICS (Industrial Control System).
CSN: An abbreviation of Control Server Network, which is used by the SCADA system and connected devices.
ASN: An abbreviation of Asset Server Network, which is used for asset management.
DMZ: An abbreviation of De-Militarized Zone, which is an intermediate network isolated from both external and internal networks.
SCADA Server: SCADA is an abbreviation of Supervisory Control And Data Acquisition. The SCADA Server is the core processing unit of the system. Within a distributed configuration, it manages sets of data such as control objects (tags) and collects data from the attached equipment and from front-end servers in distributed or standalone configurations.
Front-end Server: A Front-end Server performs intensive pre-processing of large volumes of data from the attached equipment and sends the result to the SCADA Server. In addition, it can be used to implement certain local control and operations functions.
Web HMI Server: A Web HMI Server provides an operation and monitoring window (HMI) for Web HMI Clients to visualize the data or information that is collected and processed by SCADA Servers.
Web HMI Client: A Web HMI Client accesses a Web HMI Server to display process mimics, trends, alarms and events, and other operating data. Moreover, each Web HMI Client provides a fully functional application engineering environment for both database and display configuration. A Web HMI Client can run on the same computer as its Web HMI Server or on a different computer across LAN/WAN networks.
Coexistence: An arrangement in which FAST/TOOLS and another Yokogawa product are installed on the same computer.
Collaboration: An arrangement in which FAST/TOOLS and another Yokogawa product are installed on separate computers but communicate with each other over a network.
F/T: FAST/TOOLS
IT Security Tool: A tool for configuring IT security settings on Windows.
CORPORATION LEVEL: At the corporate level, all KPIs and other process data of all the business units are collected and aggregated to provide a holistic view of the performance of the enterprise and its operational groups down to process level in real time.
BUSINESS LEVEL: The business unit level is typically responsible for all areas within the business unit. The business unit contains a FAST/TOOLS Server node that exchanges KPIs and other process data with the area level systems. At the business unit level, users are expected to have access to data that can help in optimizing production of individual as well as inter-related assets.
AREA LEVEL: At the area level, it is possible to supervise and control all processes within a graphical area. It contains a FAST/TOOLS Server node that is connected to all DCS and/or SCADA systems at the process level. A typical application at this level is to control the total amount of production within the area and to determine production KPIs.
PROCESS LEVEL: At the process level, local DCS/SCADA/PLC systems or other automation control and monitoring equipment directly interact with the process. For example, on a typical gas production platform where process level systems are controlled by a DCS, process information is exchanged between the process level and the area level.


1.1 Security threats


The following security threats may harm a computer on which FAST/TOOLS is installed:
• Attacks over the network
Threats from people who do not have rights to access the FAST/TOOLS system but reach it through networks such as the intranet. Such attacks can result in the leakage of important data from the FAST/TOOLS system.
• Direct attack while operating a computer
Threats from unauthorized individuals who operate a computer directly, affecting the system and stealing important data.
• Theft of a computer
Threats that arise when a computer storing critical data of the FAST/TOOLS system is stolen.
The following figure shows the security threats that can harm a computer on which FAST/TOOLS is installed.

[Figure: network diagram showing the Business network behind a Reverse proxy and DMZ/Firewall, a hub connecting the CSN and ASN (Web HMI Server, Web HMI Client), a hub on the PCN (Front-end Server, SCADA Server), and a Control Bus with Controllers. Threats marked on the diagram: "Attack over a network" at the firewall, "Direct attack by operating a terminal" at the PCN servers, and "Theft of a computer stored with critical data".]

Figure 1.1-1 Security threats


1.2 Security measures


You must implement security measures to protect your computer and the FAST/TOOLS
system from security threats.
The security measures that you can apply are categorized into the following types:
• Access control
Restricts access to files, folders, registries, and programs.
• Personal firewall tuning
Controls communication among computers on your network.
• Stopping unused Windows services
Stops unused programs and services that are vulnerable to security threats.
• Changing IT environment settings
Enables additional Windows security measures for strict security.
• Applying group policy settings
Enables centralized management of security policies for computers connected to the
same domain.
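As an added example that is not part of this guide, the following read-only PowerShell audit reports whether a FAST/TOOLS computer currently holds several of the settings from Table 1.2-1 in their hardened state, so drift can be detected before and after the IT Security Tool is run. The registry locations are the standard Windows ones for those policies; the expected values are the usual hardened values and are assumptions where the guide does not state them (the guide itself gives only the value 3 for TcpMaxDataRetransmissions).

```powershell
# Added example: read-only audit of selected Table 1.2-1 settings.
# It changes nothing; it reads the registry and reports drift.
# Run in an elevated PowerShell on the FAST/TOOLS computer.

$checks = @(
    @{ Measure = 'SCM-[Enable LSA Protection]'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Expected = 1 },
    @{ Measure = 'SCM-[Lsass.exe audit mode]'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
       Name = 'AuditLevel'; Expected = 8 },
    @{ Measure = 'MSS: (DisableIPSourceRouting)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'DisableIPSourceRouting'; Expected = 2 },      # 2 = drop all source-routed packets (assumed hardened value)
    @{ Measure = 'Disable MSS: (PerformRouterDiscovery)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'PerformRouterDiscovery'; Expected = 0 },
    @{ Measure = 'MSS: (TcpMaxDataRetransmissions)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'TcpMaxDataRetransmissions'; Expected = 3 },   # 3 is the value the guide recommends
    @{ Measure = 'Disable USB storage devices'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Expected = 4 },                       # 4 = driver disabled
    @{ Measure = 'Apply the StorageDevicePolicies function'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Expected = 1 },
    @{ Measure = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Measure = 'Interactive logon: Do not display last user name'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Measure = 'Disable Shutdown: Allow system to be shut down without having to log on'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'ShutdownWithoutLogon'; Expected = 0 }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. the Windows default is in effect.
    try {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-NetBiosDisabled {
    # 'Disable NetBIOS over TCP/IP' is configured per interface: NetbiosOptions = 2
    # under every NetBT interface key. True only if every interface has it disabled.
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue
    if (-not $ifaces) { return $false }
    foreach ($i in $ifaces) {
        if ((Get-RegistryDword -Key $i.PSPath -Name 'NetbiosOptions') -ne 2) { return $false }
    }
    return $true
}

$results = @(foreach ($c in $checks) {
    $actual = Get-RegistryDword -Key $c.Key -Name $c.Name
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Measure = $c.Measure; Expected = $c.Expected; Actual = $shown; Status = $status }
})

$netbiosOff = Test-NetBiosDisabled
$results += [pscustomobject]@{
    Measure  = 'Disable NetBIOS over TCP/IP'
    Expected = 'NetbiosOptions = 2 on all interfaces'
    Actual   = if ($netbiosOff) { 'disabled' } else { 'enabled on some interface' }
    Status   = if ($netbiosOff) { 'OK' } else { 'DRIFT' }
}

$results | Format-Table -AutoSize
$drift = @($results | Where-Object Status -eq 'DRIFT').Count
Write-Host "$drift setting(s) differ from the hardened value."
exit $drift   # non-zero exit lets a scheduled task or monitoring agent flag drift
```

Settings applied through Group Policy are read here from their effective registry locations, so the audit reflects what is actually in force on the computer, not only what the domain intends.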

 Security measures and handled threats

The following table shows the security measures and the threats that each measure handles.

Table 1.2-1 Security measures and handled threats
Threats handled are listed per measure in the order: Network attacks / Direct system attacks / Computer and data theft.

Password Policy-[Minimum password length]: Yes / Yes / No
Password Policy-[Minimum password age]: Yes / Yes / No
Password Policy-[Maximum password age]: Yes / Yes / No
Password Policy-[Enforce password history]: Yes / Yes / No
Disable 'Password Policy-[Store passwords using reversible encryption]': Yes / Yes / No
Password Policy-[Password must meet complexity requirements]: Yes / Yes / No
Access Control for files and folders: Yes / Yes / No
Access Control for product registry: Yes / Yes / No
Access Control for DCOM (OPC) objects: Yes / Yes / No
Personal Firewall tuning: Yes / No / No
Disable 'Personal Firewall-[Allow unicast response]': Yes / No / No
Stopping unused Windows services: Yes / No / No
Account Lockout Policy-[Account lockout threshold]: Yes / Yes / No
Account Lockout Policy-[Reset account lockout counter after]: Yes / Yes / No
Account Lockout Policy-[Account lockout duration]: Yes / Yes / No
User Rights Assignment-[Allow log on locally]: No / Yes / No
User Rights Assignment-[Deny log on locally]: No / Yes / No
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings]: Yes / Yes / No
Security Options-[Devices: Prevent users from installing printer drivers]: No / Yes / No
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only]: Yes / No / No
Security Options-[Devices: Restrict floppy access to locally logged-on user only]: Yes / No / No
Security Options-[Domain member: Require strong (Windows 2000 or later) session key]: Yes / No / No
Security Options-[Set 'Security Options-[Interactive logon: Display user information when the session is locked]' to 'Do not display user information']: No / Yes / No
Security Options-[Interactive logon: Do not display last user name]: No / Yes / No
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]': No / Yes / No
Security Options-[Interactive logon: Prompt user to change password before expiration]: Yes / Yes / No
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)]: Yes / No / No
Security Options-[Microsoft network Server: Server SPN target name validation level]: Yes / No / No
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts]: Yes / No / No
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares]: Yes / No / No
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication]: Yes / No / No
Security Options-[Network security: Allow Local System to use computer identity for NTLM]: Yes / No / No
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]': Yes / No / No
Security Options-[Network security: LAN Manager authentication level]: Yes / No / No
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients]: Yes / No / No
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers]: Yes / No / No
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]': No / Yes / No
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account]: No / Yes / No
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode]: No / Yes / No
Advanced Audit Policy Configuration-[Audit Credential Validation]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Computer Account Management]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Other Account Management Events]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Security Group Management]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit User Account Management]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Process Creation]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Account Lockout]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Logoff]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Logon]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Special Logon]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Removable Storage]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Policy Change]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Authentication Policy Change]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Other Policy Change Events]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Other System Events]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Security State Change]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit Security System Extension]: Yes / Yes / No
Advanced Audit Policy Configuration-[Audit System Integrity]: Yes / Yes / No
Personalization-[Prevent enabling lock screen camera]: No / Yes / No
Personalization-[Prevent enabling lock screen slide show]: No / Yes / No
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services]: Yes / No / No
SCM-[Enable LSA Protection]: Yes / Yes / No
SCM-[Lsass.exe audit mode]: Yes / Yes / No
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)]: Yes / No / No
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)]: Yes / No / No
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)]: Yes / No / No
Apply the StorageDevicePolicies function: No / Yes / Yes
Disable USB storage devices: No / Yes / Yes
Apply the Software Restriction Policies: Yes / Yes / No
Disable NetBIOS over TCP/IP: Yes / No / No
Group Policy-[Configure registry policy processing]: Yes / Yes / No
Mitigation Options-[Untrusted Font Blocking]: Yes / Yes / No
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication]: Yes / Yes / No
User Profiles-[Turn off the advertising ID]: Yes / No / No
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content]: Yes / No / No
File Explorer-[Turn off heap termination on corruption]: No / Yes / No
HomeGroup-[Prevent the computer from joining a homegroup]: Yes / No / No
Remote Desktop Connection Client-[Do not allow passwords to be saved]: Yes / No / No
Device and Resource Redirection-[Do not allow drive redirection]: Yes / No / No
Security-[Require secure RPC communication]: Yes / No / No
Security-[Require user authentication for remote connections by using Network Level Authentication]: Yes / No / No
Sync your settings-[Do not sync Apps]: Yes / No / No
Sync your settings-[Do not sync start settings]: Yes / No / No
Disable 'Windows Error Reporting-[Automatically Yes No No
send memory dumps for OS-generated error
reports]'
Continues on the next page

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00


<1.2 Security measures > 1-8
Table 1.2-1 Security measures and handled threats (Table continued)
Security measure Threat handled
Network attacks Direct system Computer and
attacks data theft
Disable 'Windows Logon Options-[Sign-in last No Yes No
interactive user automatically after a system-
initiated re- start]'
Notifications-[Turn off toast notifications on the lock No Yes No
screen]
Disabling the built-in Administrator account or Yes Yes No
changing its user name
HDD password function by BIOS No No Yes
Internet Communication Settings-[Turn off Yes No No
downloading of print drivers over HTTP]
Internet Communication Settings-[Turn off Event Yes No No
Viewer Events.asp links]
Internet Communication Settings-[Turn off Internet Yes No No
download for Web publishing and online ordering
wizards]
Internet Communication Settings-[Turn off printing Yes No No
over HTTP]
Internet Communication Settings-[Turn off Search Yes No No
Companion content file updates]
Internet Communication Settings-[Turn off the Publish Yes No No
to Web task for files and folders]
Internet Communication Settings-[Turn off the Yes No No
Windows Customer Experience Improvement
Program]
Internet Communication Settings-[Turn off the Yes No No
Windows Messenger Customer Experience
Improvement Program]
Logon-[Do not display network selection UI] Yes Yes No
Logon-[Do not enumerate connected users on No Yes No
domain-joined computers]
Logon-[Do not process the legacy run list] No Yes No
Logon-[Do not process the run once list] No Yes No
Disable 'Logon-[Enumerate local users on domain- No Yes No
joined computers]'
Logon-[Turn off app notifications on the lock screen] No Yes No
App Privacy-[Let Windows apps access account Yes No No
information]
App Privacy-[Let Windows apps access call history] Yes No No
App Privacy-[Let Windows apps access contacts] Yes No No
App Privacy-[Let Windows apps access email] Yes No No
App Privacy-[Let Windows apps access location] Yes No No
App Privacy-[Let Windows apps access messaging] Yes No No
App Privacy-[Let Windows apps access motion] Yes No No
App Privacy-[Let Windows apps access the Yes No No
calendar]
App Privacy-[Let Windows apps access the camera] Yes No No
Continues on the next page

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00


<1.2 Security measures > 1-9
Table 1.2-1 Security measures and handled threats (Table continued)
Security measure Threat handled
Network attacks Direct system Computer and
attacks data theft
App Privacy-[Let Windows apps access the Yes No No
microphone]
App Privacy-[Let Windows apps access trusted Yes No No
devices]
App Privacy-[Let Windows apps control radios] Yes No No
App Privacy-[Let Windows apps sync with devices] Yes No No
AutoPlay Policies-[Turn off Autoplay] No Yes No
AutoPlay Policies-[Disallow Autoplay for non-volume No Yes No
devices]
Data Collection and Preview Builds-[Allow Telemetry] Yes No No
Data Collection and Preview Builds-[Do not show Yes No No
feedback notifications]
Event Log Service (Application)-[Specify the Yes Yes No
maximum log file size (KB)]
Event Log Service (Security)-[Specify the maximum Yes Yes No
log file size (KB)]
Event Log Service (System)-[Specify the maximum Yes Yes No
log file size (KB)]
OneDrive-[Prevent the usage of OneDrive for file Yes No No
storage]
OneDrive-[Save documents to OneDrive by default] Yes No No
(Save documents to the local PC by default)

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00



1.3 Scope of IT security settings


The following figure indicates the scope of IT security settings in each installation
environment.

Figure 1.3-1 Scope of IT security settings

NOTE
• Security settings for the BUSINESS LEVEL and CORPORATE LEVEL should follow the security policy of the
corresponding installation environment.
• IT security settings must be applied for the AREA LEVEL and PROCESS LEVEL.


1.4 Positioning of IT security settings


The R10.04 IT security settings consist of the R10.03 IT security settings together with the general and
optional IT security settings for FAST/TOOLS.
NOTE
The optional IT security settings for FAST/TOOLS can be applied to computers on which only FAST/TOOLS
Server/Client is installed.

The following figure shows the positioning of IT security settings.

Figure 1.4-1 Positioning of IT security settings (R10.04 IT security settings: IT security settings and
optional IT security settings for FAST/TOOLS, built on the R10.03 IT security settings)


2. Security models and user management types
This section describes the security models and the methods for managing users and groups.


2.1 Security models


The security models are categorized into the following types based on their security strength:
• Standard model
This model places importance on operation of the product and collaboration with other
systems (Exaopc, ProSafe-RS, and so on) to guard against "attacks over the network"
and "direct attack on a FAST/TOOLS terminal".
The Standard model does not guard against "physical theft of terminals or theft of data".
• Strengthened model
This model has a higher level of security than the Standard model against network
attacks, direct system attacks, and computer theft. However, this model may affect
normal computer operations because of the high level of protection. When applying this
model, ensure that the settings match your plant operation and security requirements.
NOTE
If you want to implement the Strengthened model, contact YOKOGAWA.

■ Security models and security measures


The following table shows the security measures that are supported by different security
models. It also shows whether the domain group policy settings are prioritized over local
settings for each security measure.

Table 2.1-1 Security models and security measures

Security measure | Standard model | Strengthened model | Group policies take priority
Password Policy-[Minimum password length] | Not applied | Applied | Yes
Password Policy-[Minimum password age] | Not applied | Applied | Yes
Password Policy-[Maximum password age] | Not applied | Applied | Yes
Password Policy-[Enforce password history] | Not applied | Applied | Yes
Disable 'Password Policy-[Store passwords using reversible encryption]' | Not applied | Applied | Yes
Password Policy-[Password must meet complexity requirements] | Not applied | Applied | Yes
Access Control for files and folders (*1) | Applied | Applied | No
Access Control for product registry (*1) | Applied | Applied | No
Access Control for DCOM (OPC) objects (*1) | Applied | Applied | No
Personal Firewall tuning (*2) | Applied | Applied | No
Disable 'Personal Firewall-[Allow unicast response]' | Applied | Applied | No
Stopping Unused Windows Services (*2) | Not applied | Applied | No
Account Lockout Policy-[Account lockout threshold] | Not applied | Applied | Yes
Account Lockout Policy-[Reset account lockout counter after] | Not applied | Applied | Yes
Account Lockout Policy-[Account lockout duration] | Not applied | Applied | Yes
Disabling NetBIOS over TCP/IP (*1) | Applied | Applied | No
Applying the StorageDevicePolicies function | Applied | Applied | Yes
Disabling USB storage devices | Applied | Applied | Yes
Applying the Software Restriction Policies | Applied | Applied | Yes
User Rights Assignment-[Access this computer from the network] (*3) | Applied | Applied | No
User Rights Assignment-[Add workstations to domain] (*3) | Applied | Applied | No
User Rights Assignment-[Allow log on locally] | Not applied | Applied | Yes
User Rights Assignment-[Deny log on locally] | Applied | Applied | Yes
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Applied | Applied | Yes
Security Options-[Devices: Prevent users from installing printer drivers] | Applied | Applied | Yes
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Applied | Applied | Yes
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Applied | Applied | Yes
Disable 'Security Options-[Domain Controller: Allow Server operators to schedule tasks]' (*3) | Applied | Applied | No
Disable 'Security Options-[Domain Controller: Refuse machine account password changes]' (*3) | Applied | Applied | No
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Applied | Applied | Yes
Set 'Security Options-[Interactive logon: Display user information when the session is locked]' to 'Do not display user information' | Not applied | Applied | Yes
Security Options-[Interactive logon: Do not display last user name] | Applied | Applied | Yes
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Applied | Applied | Yes
Security Options-[Interactive logon: Prompt user to change password before expiration] | Applied | Applied | Yes
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Applied | Applied | Yes
Security Options-[Microsoft network Server: Server SPN target name validation level] | Applied | Applied | Yes
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Applied | Applied | Yes
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Applied | Applied | Yes
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Applied | Applied | Yes
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Applied | Applied | Yes
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Applied | Applied | Yes
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Applied | Applied | Yes
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Applied | Applied | Yes
Disable 'Security Options-[Network security: Allow Local System NULL session fallback]' | Applied | Applied | Yes
Security Options-[Network security: LAN Manager authentication level] | Applied | Applied | Yes
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Applied | Applied | Yes
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Applied | Applied | Yes
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Applied | Applied | Yes
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Applied | Applied | Yes
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Credential Validation] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security Group Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit User Account Management] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Process Creation] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Directory Service Access] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Directory Service Changes] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Account Lockout] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Logoff] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Logon] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Special Logon] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Removable Storage] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit IPsec Driver] (*3) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Other System Events] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security State Change] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Security System Extension] | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit System Integrity] | Applied | Applied | Yes
Personalization-[Prevent enabling lock screen camera] | Applied | Applied | Yes
Personalization-[Prevent enabling lock screen slide show] | Applied | Applied | Yes
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Applied | Applied | Yes
SCM-[Enable LSA Protection] | Not applied | Applied | Yes
SCM-[Lsass.exe audit mode] | Not applied | Applied | Yes
Group Policy-[Configure registry policy processing] | Applied | Applied | Yes
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Applied | Applied | Yes
Internet Communication settings-[Turn off Event Viewer Events.asp links] | Applied | Applied | Yes
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Applied | Applied | Yes
Internet Communication settings-[Turn off printing over HTTP] | Applied | Applied | Yes
Internet Communication settings-[Turn off Search Companion content file updates] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Publish to Web task for files and folders] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Applied | Applied | Yes
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Applied | Applied | Yes
Logon-[Do not display network selection UI] | Applied | Applied | Yes
Logon-[Do not enumerate connected users on domain-joined computers] | Applied | Applied | Yes
Logon-[Do not process the legacy run list] | Not applied | Applied | Yes
Logon-[Do not process the run once list] | Not applied | Applied | Yes
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Applied | Applied | Yes
Logon-[Turn off app notifications on the lock screen] | Applied | Applied | Yes
Mitigation Options-[Untrusted Font Blocking] | Applied | Applied | Yes
Remote Procedure Call-[Enable RPC Endpoint Mapper Client Authentication] | Not applied | Applied | Yes
User Profiles-[Turn off the advertising ID] | Applied | Applied | Yes
App Privacy-[Let Windows apps access account information] | Applied | Applied | Yes
App Privacy-[Let Windows apps access call history] | Applied | Applied | Yes
App Privacy-[Let Windows apps access contacts] | Applied | Applied | Yes
App Privacy-[Let Windows apps access email] | Applied | Applied | Yes
App Privacy-[Let Windows apps access location] | Applied | Applied | Yes
App Privacy-[Let Windows apps access messaging] | Applied | Applied | Yes
App Privacy-[Let Windows apps access motion] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the calendar] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the camera] | Applied | Applied | Yes
App Privacy-[Let Windows apps access the microphone] | Applied | Applied | Yes
App Privacy-[Let Windows apps access trusted devices] | Applied | Applied | Yes
App Privacy-[Let Windows apps control radios] | Applied | Applied | Yes
App Privacy-[Let Windows apps sync with devices] | Applied | Applied | Yes
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Applied | Applied | Yes
AutoPlay Policies-[Turn off Autoplay] | Applied | Applied | Yes
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Applied | Applied | Yes
Data Collection and Preview Builds-[Allow Telemetry] | Applied | Applied | Yes
Data Collection and Preview Builds-[Do not show feedback notifications] | Applied | Applied | Yes
Event Log Service (Application)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
Event Log Service (Security)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
Event Log Service (System)-[Specify the maximum log file size (KB)] | Applied | Applied | Yes
File Explorer-[Turn off heap termination on corruption] | Applied | Applied | Yes
HomeGroup-[Prevent the computer from joining a homegroup] | Applied | Applied | Yes
OneDrive-[Prevent the usage of OneDrive for file storage] | Applied | Applied | Yes
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Applied | Applied | Yes
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Applied | Applied | Yes
Device and Resource Redirection-[Do not allow drive redirection] | Applied | Applied | Yes
Security-[Require secure RPC communication] | Applied | Applied | Yes
Security-[Require user authentication for remote connections by using Network Level Authentication] | Applied | Applied | Yes
Sync your settings-[Do not sync Apps] | Applied | Applied | Yes
Sync your settings-[Do not sync start settings] | Applied | Applied | Yes
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Applied | Applied | Yes
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Applied | Applied | Yes
Notifications-[Turn off toast notifications on the lock screen] | Applied | Applied | Yes
Disabling the built-in Administrator account or changing its user name | Not applied | Applied (*4) | Yes
HDD password function by BIOS | Not applied | Applied (*4) | No
User Rights Assignment-[Log on as a batch job] (*5) | Applied | Applied | Yes
User Rights Assignment-[Log on as a service] (*5) | Applied | Applied | Yes
[MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)] (*5) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit RPC Events] (*5) | Applied | Applied | Yes
Advanced Audit Policy Configuration-[Audit Application Generated] (*5) | Applied | Applied | Yes
Audit Process Creation-[Include command line in process creation events] (*5) | Applied | Applied | Yes
Internet Communication settings-[Turn off access to the Store] (*5) | Applied | Applied | Yes
Video and Display Settings-[Turn Off the Display (On Battery)] (*5) | Applied | Applied | Yes
Video and Display Settings-[Turn Off the Display (Plugged In)] (*5) | Applied | Applied | Yes
Cloud Content-[Do not show Windows Tips] (*5) | Applied | Applied | Yes
Cloud Content-[Turn off Microsoft consumer experiences] (*5) | Applied | Applied | Yes
Data Collection and Preview Builds-[Disable pre-release features or settings] (*5) | Applied | Applied | Yes
Data Collection and Preview Builds-[Toggle user control over Insider builds] (*5) | Applied | Applied | Yes
Disable 'Search-[Allow Cortana]' (*5) | Applied | Applied | Yes
Search-[Don't search the web or display web results in Search] (*5) | Applied | Applied | Yes
Search-[Don't search the web or display web results in Search over metered connections] (*5) | Applied | Applied | Yes
Software Protection Platform-[Turn off KMS Client Online AVS Validation] (*5) | Applied | Applied | Yes
Store-[Turn off Automatic Download and Install of updates] (*5) | Applied | Applied | Yes
Store-[Turn off Automatic Download of updates on Win8 machines] (*5) | Applied | Applied | Yes
Store-[Turn off the offer to update to the latest version of Windows] (*5) | Applied | Applied | Yes
Store-[Turn off the Store application] (*5) | Applied | Applied | Yes
Windows Defender-[Turn off Windows Defender] (*5) | Applied | Applied | Yes
*1: This setting is not controlled by group policies.
*2: This setting can be controlled by group policies but can also be configured for each computer by using the IT Security Tool.
*3: This setting is for Domain Controllers.
*4: This setting is not available in the IT Security Tool. You must configure it manually.
*5: This setting is used to match the product specification rather than to be used as a security measure.
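Because the audit subcategories in Table 2.1-1 are applied in both models and group policies take priority over local settings, the effective state is what matters. The following PowerShell script is an added example, not part of the Yokogawa guide or the IT Security Tool; it reads the effective policy with the Windows auditpol tool and reports the listed subcategories (Domain Controller items marked *3 excluded) that are still at "No Auditing". The subcategory names and the assumption that the script runs elevated under Windows PowerShell 5.1 or later are the only inputs.

```powershell
# Added example (not from the Yokogawa guide): compare the effective audit policy of this
# computer against the Advanced Audit Policy subcategories listed in Table 2.1-1.
# Assumes an elevated Windows PowerShell 5.1+ session; uses only auditpol.exe's CSV output.

# Subcategory names exactly as they appear in Table 2.1-1 (Domain Controller items (*3) omitted).
$RequiredSubcategories = @(
    'Credential Validation', 'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management', 'Process Creation',
    'Account Lockout', 'Logoff', 'Logon', 'Other Logon/Logoff Events', 'Special Logon',
    'Removable Storage', 'Audit Policy Change', 'Authentication Policy Change',
    'Filtering Platform Policy Change', 'MPSSVC Rule-Level Policy Change',
    'Other Policy Change Events', 'Sensitive Privilege Use', 'Other System Events',
    'Security State Change', 'Security System Extension', 'System Integrity'
)

function Get-EffectiveAuditPolicy {
    # "auditpol /get /category:* /r" emits CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting. The effective
    # value already reflects any domain group policy, which is what Table 2.1-1 says wins.
    $lines = auditpol /get /category:* /r | Where-Object { $_ -match '\S' }  # drop blank lines
    return $lines | ConvertFrom-Csv
}

function Test-AuditSubcategories {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string[]] $Required
    )
    foreach ($name in $Required) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        if ($null -eq $row) {
            $setting = 'NOT FOUND'   # unexpected name or unsupported on this OS build
        } else {
            $setting = $row.'Inclusion Setting'   # e.g. "Success and Failure", "No Auditing"
        }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = ($setting -ne 'No Auditing' -and $setting -ne 'NOT FOUND')
        }
    }
}

$result  = Test-AuditSubcategories -Policy (Get-EffectiveAuditPolicy) -Required $RequiredSubcategories
$result | Format-Table -AutoSize
$missing = @($result | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} subcategories are not audited: {1}" -f $missing.Count, ($missing.Subcategory -join ', '))
}
```

The guide does not specify Success or Failure auditing per subcategory, so the script only flags subcategories with no auditing at all; tighten the Compliant test to the values your site policy requires.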


2.2 Windows user and group management types
Windows provides two methods of managing users: Standalone management and Domain
management. It also supports a user management method called Combination management
that combines Standalone management and Domain management.
The following table describes the user and group management types in Windows.

Table 2.2-1 User and group management types

Standalone management
  Operation: Operated by registering user accounts on the computers.
  Features:
  • Suitable for systems that do not require centralized user management.
  • Not suitable for large-scale systems because user accounts must be maintained separately on each computer.
  • Administrative rights for using the computer and maintenance rights to the product cannot be granted separately.

Domain management
  Operation: Operated by registering user accounts on the Domain Controller.
  Features:
  • Suitable for systems that require centralized user management.
  • Administrative rights for using the computer and maintenance rights to the product can be granted separately.

Combination management (*1) (*2)
  Operation: Operated the same way as Domain management in normal operations.
  Features:
  • Suitable for systems that require centralized user management with the flexibility to let certain users manage their local computers.
  • Administrative rights for using the computer and maintenance rights to the product cannot be granted separately.

*1: With Combination management, users are usually managed by Domain management. When required, users can be managed by Standalone management. For example, in normal operation, user creation is centralized at an administrative section by using Domain management. However, the person in charge at the site can grant the required rights to users for accessing certain computers.
*2: If Domain management is applied for user management and the number of previous logons to cache (the setting used when the Domain Controller is unavailable) is specified as 0, the Combination management type applies.


2.2.1 Created users and groups


After running the IT Security Tool, Windows users and groups are automatically created for
the following combinations of security models and user management types:
• Type 1: Standard or Strengthened model - Standalone management
• Type 2: Standard or Strengthened model - Domain management
• Type 3: Standard or Strengthened model - Combination management
NOTE
All the user accounts that use FAST/TOOLS features must belong to the Administrators group on the FAST/
TOOLS Server. In addition, the user accounts must belong to the groups described in this section according
to their roles respectively.

■ Type 1: Standard or Strengthened model - Standalone management


The following table describes the users and groups for the Standard or Strengthened model
that applies Standalone management.

Table 2.2.1-1 Type 1: Standard or Strengthened model - Standalone management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Users; Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Users; Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Users; Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_OPC | Group | Local computer | Users; Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users; Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.
*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.

NOTE
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be
modified without confirmation.


■ Type 2: Standard or Strengthened model - Domain management


The following table describes the users and groups for the Standard or Strengthened model
that applies Domain management.

Table 2.2.1-2 Type 2: Standard or Strengthened model - Domain management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Domain users; Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Domain users; Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Domain users; Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_MAINTENANCE_LCL | Group | Local computer | Administrators | Supplementary group of users with the same rights as FTS_MAINTENANCE. This group is not used in normal operations but only in emergency situations when the domain environment is abnormal. You must manually add the user accounts that belong to this group to the Administrators group on each computer.
FTS_OPC | Group | Local computer | Users; Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users; Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.
*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.

NOTE
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be
modified without confirmation.

■ Type 3: Standard or Strengthened model - Combination management
The following table describes the users and groups for the Standard or Strengthened model
that applies Combination management.
Table 2.2.1-3 Type 3: Standard or Strengthened model - Combination management users and groups

User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Domain Controller | Domain users; Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_OPERATOR_LCL | Group | Local computer | Users; Administrators (*1) | Supplementary group of users with the same rights as FTS_OPERATOR. (*2)
FTS_ENGINEER | Group | Domain Controller | Domain users; Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_ENGINEER_LCL | Group | Local computer | Users; Administrators (*1) | Supplementary group of users with the same rights as FTS_ENGINEER. (*2)
FTS_MAINTENANCE | Group | Domain Controller | Domain users; Domain administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_MAINTENANCE_LCL | Group | Local computer | Administrators | Supplementary group of users with the same rights as FTS_MAINTENANCE. (*2)
FTS_OPC | Group | Domain Controller | Domain users; Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_OPC_LCL | Group | Local computer | Users; Administrators (*1) | Supplementary group of users with the same rights as FTS_OPC. (*2)
FTS_PROCESS | User | Local computer | Users; Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*3) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.
*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This group is not used in normal operations but only in emergency situations when the domain environment is abnormal. You must manually add the user accounts that belong to this group to the Administrators group on each computer.
*3: This user account is created only on a dual-redundant platform.

NOTE
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be
modified without confirmation.


3. Details of security measures


This section describes the details of the security measures that can be applied on your
computer.


3.1 Access Control


The Windows Access Control function controls permissions for files, folders, registry keys,
and programs. You can use this function to prevent unauthorized access, leakage, tampering,
and destruction of important data in the product.
Access Control is performed separately for each user group. User accounts inherit the
permissions that are granted to the user group to which they belong.


3.1.1 Access Control for files and folders


You can control permissions for files and folders to prevent unauthorized access to the data
and program files in the system.

 Target folders
The following table describes the target folders with controlled access.

Table 3.1.1-1 Target folders

Target folder | Description
<F/T program folder> | The top folder in which the FAST/TOOLS program files are installed. This folder is specified during installation. The default folder is <ProgramFile32>\Yokogawa\FAST TOOLS.
<F/T data folder> | The top folder in which the FAST/TOOLS data files are saved. User data such as graphic files or historian data is saved in this folder. The default folder is <Public>\Yokogawa.
<ProgramFile32>\Yokogawa\IA\iPCS\Platform\SECURITY | The folder in which utility programs such as IT Security Tool are installed.
<ProgramFile32>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Tool | The folder in which the PRC Management Tool is installed.
<ProgramFile32>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which programs related to PRC are installed on 32-bit operating systems.
<ProgramFile64>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which programs related to PRC are installed on 64-bit operating systems.
<ProgramData>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | The folder in which configuration data related to PRC is saved.
<OS drive>:\<VNET> | The folders in which Vnet/IP interface package related files and data are stored.
<ProgramData>\Yokogawa\IA\iPCS\Platform\Security | The folder in which IT security setting files are saved.

 Permissions for files and folders

The following table describes the permissions that each user group needs to access FAST/
TOOLS files and folders.

Table 3.1.1-2 Permissions for files and folders

Folder | [1] | [2] | [3] | [4] | [5] | [6] | [7]
<F/T Program Folder> | RX | F | F | F | F | - | F
├ tls (and its subfolders com, exe, hlp, inc, jre, lib, qld, src, sup, tpl, upg) | RX | F | F | F | F | - | F
├ jsp | RX | F | F | F | F | - | F
├ utility | - | F | F | F | - | - | F
├ uninst.exe | - | - | F | F | - | - | F
<F/T Data Folder> | RX | F | F | F | F | - | F
├ tls | RX | F | F | F | F | - | F
│├ dat, doc, his | RWDX | F | F | F | F | - | F
│├ log | RW | F | F | F | F | - | F
│└ lst, pki, sav, wap | RWDX | F | F | F | F | - | F
├ utility | - | F | F | F | - | - | F
<Excel Add-in Program Folder> (*1) | RX | RX | F | RX | - | - | F
<Public>\Yokogawa\FASTTOOLS Excel Add-in\ | RWDX | RWDX | F | RWDX | - | - | F
├ log | RW | F | F | F | F | - | F
<ProgramFiles32>\Yokogawa\IA\iPCS\Platform\Security | RX | RX | F | F | RX | RX | F
<ProgramFiles32>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Tool | (*2) | (*2) | (*2) | (*2) | (*2) | (*2) | (*2)
<ProgramFiles32>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | - | - | RWDP | RWDP | - | - | RWDX
<ProgramFiles64>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | - | - | RWDP | RWDP | - | - | RWD
<ProgramData>\Yokogawa\IA\iPCS\Products\Platform | R | R | RWD | RWD | - | - | RWD
<ProgramData>\Yokogawa\IA\iPCS\Platform\SECURITY | RX | RX | F | F | RX | RX | F
<ProgramData>\Yokogawa\IA\iPCS\Platform\PC-Redundancy\Agent | R | R | RWDP | RWDP | - | - | RWD

*1: • For 32-bit Microsoft Excel: <ProgramFile32>\Yokogawa\FASTTOOLS Excel Add-in
    • For 64-bit Microsoft Excel: <ProgramFile64>\Yokogawa\FASTTOOLS Excel Add-in
*2: It follows the access permission of the <ProgramFiles32> folder.

Legend:
User or group
[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL
[4] : FTS_OPC or FTS_OPC_LCL
[5] : FTS_PROCESS
[6] : RDC_PROCESS
[7] : Local system account (a local Windows system account)

Permission Types
F: Full access control
R: Read and view folder contents
X: Read and execute
W: Write
D: Delete
P: Permission to set and change access permission for files and registry
- : No permission

 Permissions for programs


The following table describes the permissions that each user group needs to run FAST/
TOOLS programs.
NOTE
If you start a FAST/TOOLS program from the Start menu without having the permission to run programs, an
error message appears, indicating that Windows cannot access the specified device, path, or file because
you may not have the appropriate permission.

Table 3.1.1-3 Permissions for FAST/TOOLS programs

Program | Started from the Start menu | [1] | [2] | [3]
Alarm System Performance Analysis (*1) | Yes | Allowed | Allowed | Allowed
Edit Module (Enterprise) | Yes | Not allowed | Allowed | Allowed
Edit Module | Yes | Not allowed | Allowed | Allowed
Engineering Module | Yes | Not allowed | Allowed | Allowed
FASTTOOLS Documentation | Yes | Allowed | Allowed | Allowed
Item search | Yes | Not allowed | Allowed | Allowed
Licence Authorization Wizard (*1) | Yes | Not allowed | Allowed | Allowed
Licence Request Wizard (*1) | Yes | Not allowed | Allowed | Allowed
Message-Log (*1) | Yes | Allowed | Allowed | Allowed
Operator Interface | Yes | Allowed | Allowed | Allowed
Performance Monitor (*1) | Yes | Not allowed | Allowed | Allowed
Playback Viewer (*1) | Yes | Not allowed | Allowed | Allowed
Setup File Editor (*1) | Yes | Not allowed | Allowed | Allowed
Remote Connect Setting (*2) | Yes | Allowed | Allowed | Allowed
Start FAST TOOLS (*1) | Yes | Allowed | Allowed | Allowed
Stop FAST TOOLS (*1) | Yes | Allowed | Allowed | Allowed
IT Security Tool | Yes | Not allowed | Not allowed | Allowed
Redundancy Management Tool | Yes | (*3) | (*3) | (*3)

*1: It is only displayed in the FAST/TOOLS Server.
*2: It is only displayed in the FAST/TOOLS remote computer.
*3: It follows the access permission for the <Program Files (x86)> folder and is executable.

Legend:
[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL

 Permissions for Windows system commands


The permissions to run the following Windows programs are granted to users with local
administrative rights or domain administrative rights.
NOTE
Windows programs are saved in the <OS drive>:\Windows\System32 folder.

• ARP.EXE
• finger.exe
• ftp.exe
• HOSTNAME.EXE
• ipconfig.exe
• nbtstat.exe
• NETSTAT.EXE
• nslookup.exe
• PATHPING.EXE
• PING.EXE
• rcp.exe
• rexec.exe
• ROUTE.EXE
• rsh.exe
• tftp.exe
• TRACERT.EXE
• bootcfg.exe
• net.exe
• net1.exe
• netsh.exe
• telnet.exe



3.1.2 Access Control for product registry


You can control permissions for the product-related registry keys to prevent unauthorized
access to these keys.

 Permissions for registry key


The access to the registry key of the installed FAST/TOOLS package is controlled on a
user- group basis.
The following table describes the permissions that each user group needs to access the
registry key.

Table 3.1.2-1 Permissions for FAST/TOOLS-related registry key

Registry name | [1] | [2] | [3] | [4] | [5] | [6] | [7]
VHFD Registry (*1) | F | F | F | F | F | F | R

*1: The VHFD registry key is [HKLM\SOFTWARE\YOKOGAWA\VHFD]

Legend:
User or group
[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL
[4] : FTS_OPC or FTS_OPC_LCL
[5] : FTS_PROCESS
[6] : RDC_PROCESS
[7] : Local system account (a local Windows system account)

Permission Types
F : Full access control
R : Read
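The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It reads back the access control lists that sections 3.1.1 and 3.1.2 describe (Tables 3.1.1-2 and 3.1.2-1) for a few protected locations and reports which entries the FAST/TOOLS groups hold, flagging any broad group (Everyone, Users, Authenticated Users) that holds more than read access. The default folder locations and the local (non-domain) group names are assumptions taken from Tables 3.1.1-1 and 2.2.1-3; adjust `$Targets` and `$Groups` for your site.

```powershell
# Added example, not part of the Yokogawa guide: list the access rules that the FAST/TOOLS
# groups of Tables 3.1.1-2 and 3.1.2-1 hold on a few protected paths, and flag broad groups
# (Everyone, Users, Authenticated Users) that hold more than read access.
# Assumptions: default install/data folders from Table 3.1.1-1 and the local (non-domain)
# group names; adjust $Targets and $Groups for your site.

$Groups = 'FTS_OPERATOR', 'FTS_ENGINEER', 'FTS_MAINTENANCE', 'FTS_OPC', 'FTS_PROCESS', 'RDC_PROCESS'
$Broad  = 'Everyone', 'Users', 'Authenticated Users'

# Folders and registry keys to inspect; Get-Acl handles both through the HKLM: drive
$Targets = @(
    "${env:ProgramFiles(x86)}\Yokogawa\FAST TOOLS"     # <F/T Program Folder>, default location
    "$env:PUBLIC\Yokogawa"                              # <F/T Data Folder>, default location
    'HKLM:\SOFTWARE\YOKOGAWA\VHFD'                      # VHFD registry key, Table 3.1.2-1
)

function Get-FtsAccessReport {
    param([string[]]$Path, [string[]]$Group, [string[]]$BroadGroup)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Identity = '(path not found)'; Rights = ''; Type = ''; Inherited = ''; Finding = '' }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # IdentityReference reads "MACHINE\Group" or "DOMAIN\Group"; compare on the short name
            $short = ($ace.IdentityReference.Value -split '\\')[-1]
            if (($Group -notcontains $short) -and ($BroadGroup -notcontains $short)) { continue }
            # FileSystemRights on folders/files, RegistryRights on keys
            if ($ace.PSObject.Properties['FileSystemRights']) { $rights = $ace.FileSystemRights } else { $rights = $ace.RegistryRights }
            $finding = ''
            if ($BroadGroup -contains $short -and $ace.AccessControlType -eq 'Allow' -and
                "$rights" -match 'Write|Modify|FullControl|Delete|SetValue|CreateSubKey') {
                $finding = 'broad group has write access'
            }
            [pscustomobject]@{
                Path = $p; Identity = $ace.IdentityReference.Value; Rights = "$rights"
                Type = $ace.AccessControlType; Inherited = $ace.IsInherited; Finding = $finding
            }
        }
    }
}

Get-FtsAccessReport -Path $Targets -Group $Groups -BroadGroup $Broad | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the FAST/TOOLS Server after applying a security model. Rows with a non-empty Finding column indicate a location where a group outside the FAST/TOOLS scheme can alter program or data files, which defeats the purpose of the table above.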


3.1.3 Access Control for DCOM (OPC) objects


Distributed Component Object Model (DCOM) enables software components referred to as
COM objects to communicate over a network and exchange data and processing requests.
You can configure the DCOM authentication level, port allocation, and permissions to protect
the product from unauthorized access of data.
By default, this setting item is selected for all security models and you cannot modify this
selection.
The following table describes the DCOM (OPC) object settings that are configured on your
computer when this setting item is applied.

Table 3.1.3-1 DCOM (OPC) object settings

Setting | Value
Enable Distributed COM on this computer | Selected
Default Authentication Level | Connect
Default Impersonation Level | Identify

NOTE
Access permissions, and Launch and Activation permissions are granted to the following users/groups:
• FTS_OPC
• FTS_PROCESS
• ANONYMOUS LOGON
• SYSTEM
• INTERACTIVE
• NETWORK

 Permission for DCOM Servers


The following DCOM Servers are used by FAST/TOOLS:
• OPC Enum
• FAST/TOOLS OPC DA Server
• FAST/TOOLS OPC AE Server

 Access Control for OPC Enum Server


The following table describes the Access Control for OPC Enum Server.

Table 3.1.3-2 Access Control for OPC Enum Server

Setting | Value
General/Authentication Level | Default
Location | Connect
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | The system account (services only)


 Access Control for FAST/TOOLS OPC DA Server


The following table describes the Access Control for FAST/TOOLS OPC DA Server.

Table 3.1.3-3 Access Control for FAST/TOOLS OPC DA Server

Setting | Value
General/Authentication Level | Default
Location | Connect
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | This user (FTS_PROCESS)

 Access Control for FAST/TOOLS OPC AE Server


The following table describes the Access Control for FAST/TOOLS OPC AE Server.

Table 3.1.3-4 Access Control for FAST/TOOLS OPC AE Server

Setting | Value
General/Authentication Level | Default
Location | Connect
Security/Access | Use default
Security/Launch and Activation | Use default
Security/Configuration | Customize
Identity | This user (FTS_PROCESS)


3.2 Personal firewall tuning


The personal firewall restricts communication among computers on your network and
prevents attacks from unknown areas. Therefore, the Windows firewall must be turned on.
All ports and programs must be blocked except for those that are required by the
FAST/TOOLS system.

 Firewall port exceptions

The following table describes the ports that should be added to the exception list for personal
firewall tuning.

Table 3.2-1 Firewall port exceptions

Program or service | Port | When and where used
Remote desktop connection | TCP: 3389 | Only if VNC is required for this machine. If VNC is required for particular users, restrict access to those users only.
Web communication | TCP: 8080/80 | On Web-HMI Client and Web-HMI Server for rendering HTML5 graphics
Secure communication | TCP: 8443/443 | On Web-HMI Client and Web-HMI Server for rendering HTML5 graphics
FAST/TOOLS DURM connection | UDP: 17001, 17101 | On each machine with a DURM connection. Make exceptions for the port number used for each DURM line. For example, if you are using a dual redundant network connection, you must do this twice, once for each line. When you connect a FAST/TOOLS terminal such as Web HMI Server, additional port exceptions are required. (Recommended ports: 20000-20499)
SMDMON configuration | UDP: 18002 | FAST/TOOLS system logging collection program

NOTE
Additional exceptions are required when using the following programs or services:
• A redundant Server configuration and high-availability (HAC) software
• ODBC
• Alarm to e-mail
• Windows domain
• NTP
• Antivirus
• OPC
• TCP/IP based equipment

 HAC firewall exceptions
The following table describes the programs that should be defined as exceptions in the
firewall when FAST/TOOLS works on HAC (manual engineering is required).
Table 3.2-2 HAC firewall port exceptions

Program or service | Port | When and where used
GUI port for HAC | UDP: 16000 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
Logger port for HAC | UDP: 16001 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
Mirror port for HAC | UDP: 16002 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
Recovery port for HAC | UDP: 16003 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
Watchdog for HAC | UDP: 16004 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
HACWITM for setting items | UDP: 16005 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
HACMIR for data | UDP: 16006 | On the Servers and all HMI machines, only when using a redundant Server configuration and the HAC software
HAC Server to HACW_HMI | UDP: 16010-16041 | If multiple HACW_HMI windows are required on the same machine

NOTE
• Ports 16000-16001 can be set from hac.sup and jhacProperties\application.properties.
• Ports 16002-16006 can be set from hac.sup.
• Ports 16010-16041 can be set from jhacProperties\application.properties.

 ODBC
The following table describes the program that should be defined as an exception in the firewall
when FAST/TOOLS works on ODBC (manual engineering is required).

Table 3.2-3 ODBC firewall port exceptions

Program or service | Port | When and where used
SimbaServer | TCP: 1583 | Only on the Server machine and only when using the ODBC interface of ACCESS/FAST

 Alarm to e-mail
The following table describes the program that should be defined as an exception in the firewall
when Alarm to e-mail is used.

Table 3.2-4 Alarm to e-mail firewall port exceptions

Program or service | Port | When and where used
SMTP | TCP: 25 | Only used when alarm to e-mail is used and only from the machine sending messages to the e-mail Server


 Windows domain
The following table describes the programs that should be defined as exceptions in the
firewall when FAST/TOOLS runs in a Windows domain.

Table 3.2-5 Windows domain firewall port exceptions

Program or service | Port | When and where used
DNS | TCP: 53, UDP: 53 | SCADA Server and Web HMI Client/Server
Kerberos Authentication | TCP: 88, UDP: 88 | SCADA Server and Web HMI Client/Server
LDAP | TCP: 389, UDP: 389 | SCADA Server and Web HMI Client/Server
Direct Hosting | TCP: 445 | SCADA Server and Web HMI Client/Server
Global Catalogue | TCP: 3268 | SCADA Server and Web HMI Client/Server
Global Catalogue SSL | TCP: 3269 | SCADA Server and Web HMI Client/Server
DHCP | UDP: 67 | SCADA Server and Web HMI Client/Server
Network Discovery | UDP: 137, 138, 1900, 3702, and 5355; TCP: 2869, 5357, and 5358 | SCADA Server and Web HMI Client/Server
MADCAP | UDP: 2535 | Web HMI Client (for DHCP)
SOAP | TCP: 9389 | Active Directory Web service

 Time synchronization
The following table describes the program that should be defined as an exception in the firewall
when using the Windows time service.

Table 3.2-6 Time synchronization firewall port exceptions

Program or service | Port | When and where used
NTP/SNTP | TCP: 123 | SCADA Server and Web HMI Client/Server

NOTE
You need not configure this setting if you use ecutl or Vnet/IP.

 OPC
The following table describes the programs that should be added to the exception list when
using OPC connections.

Table 3.2-7 OPC firewall port exceptions

Program or service | Port | When and where used
RPC/DCOM | TCP: 135 | OPC Client and OPC Server
NetBIOS Session Service | TCP: 139 | OPC Client and OPC Server
DCOM (*1) | TCP: 20500-20550 | OPC Client and OPC Server
NetBIOS Name Resolution | UDP: 137 | OPC Client and OPC Server
NetBIOS Datagram Service | UDP: 138 | OPC Client and OPC Server
OPC-UA Discovery Port | UDP: 4840 | OPC-UA Server
OPC-UA Communication Port | Customizable | OPC-UA Server

*1: This can be customized.


 Vnet equipment
The following table describes the program that should be defined as an exception in the firewall
when using Vnet equipment.

Table 3.2-8 Vnet equipment firewall port exceptions

Program or service | Port | When and where used
odeq.exe | TCP: 44818 | SCADA Server or RGS Server

 TCP/IP based equipment


The following table describes the programs that should be added to the exception list for each
TCP/IP based equipment.

Table 3.2-9 TCP/IP based equipment firewall port exceptions

Program or service | Port | When and where used
Rockwell CIP | TCP: 44818 | Line and station definition forms
PLC5 via CIP | TCP: 44818 | Line and station definition forms
DAQ station | TCP: 34260 and 34434 | Line and station definition forms
DNP3 | TCP: 20000 | Line and station definition forms
FAM3 | TCP: 12289 | Line and station definition forms
Fisher ROC | TCP: 44818 | Line and station definition forms
IEC 60870-5-104 | TCP: 2404 | Line and station definition forms
IEC 61850 | TCP: 102 | Line and station definition forms
MELSEC | (*1) | (*1)
MeTro | TCP: 7075 | Line and station definition forms
MODBUS | TCP: 502 | Line and station definition forms
MODBUS SLAVE | (*2) |
Siemens S7 | (*1) | (*1)
Stardom FCX | TCP: 1090 | Line and station definition forms

*1: Refer to System Integrator's Manual EQUIPMENT/FAST
*2: The port for MODBUS SLAVE can be changed by using Command Prompt. ( EQPMDCSLVTCP)


 PRC
The following table describes the programs that should be added to the exception list when
using the PRC platform.
Table 3.2-10 PRC firewall port exceptions

Program or service | Port | When and where used
Relay Server (*1) | TCP: 34486 | PRC platform
Mirrored Disk Server (*1) | TCP: 34480 and 34483 | PRC platform
Virtualization and Equalization Server (*1) | TCP: 34484 | PRC platform
Maintenance Server | TCP: 34485 | PRC platform
DELL Open Manage Server Administrator | UDP: 1311 | PRC platform

*1: Used to access data from a computer through a paired computer.

 Internet Control Message Protocol (ICMP) settings

ICMP is a Windows service that uses IP addresses to send messages among computers in a
network.
When the Standard model is applied and the firewall is turned on, the File and Printer Sharing
(Echo Request - ICMPv4-IN) ICMP setting is allowed to go through the firewall.
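The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It turns the core exceptions of Table 3.2-1 into named inbound Windows Firewall rules that are scoped to the addresses that need them, keeps the firewall enabled with a block-by-default inbound policy as the opening paragraph of 3.2 requires, and then lists everything that is open so the result can be compared with the tables of this section. The `$Peers` subnet is a constructed placeholder; the remote desktop port is left out on purpose because the table only adds it when required.

```powershell
# Added example, not part of the Yokogawa guide: create the inbound exceptions of Table 3.2-1
# as named Windows Firewall rules, scoped to the hosts that need them. $Peers is a constructed
# example subnet; replace it with your control-network range. Run with -WhatIf first.

$Peers = '192.0.2.0/24'      # constructed example; use your SCADA/HMI network

# Port exceptions from Table 3.2-1. The DURM entry is repeated once per DURM line, as the
# table requires; remote desktop (TCP 3389) is deliberately omitted because it is only
# added when required, and then only for specific users.
$Rules = @(
    @{ Name = 'FAST/TOOLS Web-HMI (HTTP)';   Protocol = 'TCP'; Port = 8080, 80  }
    @{ Name = 'FAST/TOOLS Web-HMI (HTTPS)';  Protocol = 'TCP'; Port = 8443, 443 }
    @{ Name = 'FAST/TOOLS DURM line 1';      Protocol = 'UDP'; Port = 17001     }
    @{ Name = 'FAST/TOOLS DURM line 2';      Protocol = 'UDP'; Port = 17101     }
    @{ Name = 'FAST/TOOLS SMDMON';           Protocol = 'UDP'; Port = 18002     }
)

function Set-FtsFirewallExceptions {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable[]]$Rule, [string[]]$RemoteAddress)
    foreach ($r in $Rule) {
        $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if ($existing) { Write-Verbose "rule '$($r.Name)' already exists, skipping"; continue }
        $what = "create inbound $($r.Protocol) rule for port(s) $($r.Port -join ',')"
        if ($PSCmdlet.ShouldProcess($r.Name, $what)) {
            New-NetFirewallRule -DisplayName $r.Name -Group 'FAST/TOOLS' -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteAddress `
                -Action Allow -Profile Domain, Private | Out-Null
        }
    }
}

# The firewall must be on for every profile, blocking inbound traffic unless a rule allows it
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

Set-FtsFirewallExceptions -Rule $Rules -RemoteAddress $Peers -Verbose -WhatIf   # dry run
# Set-FtsFirewallExceptions -Rule $Rules -RemoteAddress $Peers -Verbose        # apply

# Review what is open afterwards: every enabled inbound allow rule with its ports
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',') }
    } | Sort-Object Rule | Format-Table -AutoSize
```

The per-feature tables (HAC, ODBC, domain, OPC, equipment, PRC) follow the same pattern: add a hashtable per row to `$Rules`, keeping the `-RemoteAddress` scope as narrow as the "When and where used" column allows, for example only the OPC Client addresses for the OPC rows.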


3.3 Stopping unused Windows services


Unused Windows services are vulnerable to attacks from unknown areas. You can stop these
unnecessary services to reinforce security on your computer and the system.

 Unused Windows services


The unused Windows services are as follows:
• Delivery Optimization
• DHCP Client
• Diagnostic Policy Service
• Connected User Experience and Telemetry
• dmwappushsvc
• Downloaded Maps Manager
• IP Helper
• IPsec Policy Agent
• Offline Files
• Plug and Play
• Program Compatibility Assistant Service
• Remote Registry
• Shell Hardware Detection
• WebClient
• Windows Error Reporting Service
• Windows Push Notifications System Service
• WinHTTP Web Proxy Auto-Discovery Service
NOTE
Depending on the operating system, some services may not be available.
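The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It sets the services listed above to Disabled and stops them, matching each entry against the Windows display name first and the service name second, so that a service that does not exist on a given operating system (the case the NOTE describes) is reported instead of raising an error. Two names differ from the list above for matching purposes: "Connected User Experiences and Telemetry" is the display name Windows uses, and the pattern "dmwappush*" covers both the early display name dmwappushsvc and the service name dmwappushservice. Disabling DHCP Client assumes the computer uses a static address.

```powershell
# Added example, not part of the Yokogawa guide: set the unused services of section 3.3 to
# Disabled and stop them. Entries match the display name first, then the service name, so
# an entry absent on this OS (see the NOTE) is reported rather than treated as an error.
# Disabling DHCP Client assumes a static address.

$Unused = @(
    'Delivery Optimization', 'DHCP Client', 'Diagnostic Policy Service',
    'Connected User Experiences and Telemetry',   # display name as Windows spells it
    'dmwappush*',                                 # dmwappushsvc / dmwappushservice
    'Downloaded Maps Manager', 'IP Helper', 'IPsec Policy Agent', 'Offline Files',
    'Plug and Play', 'Program Compatibility Assistant Service', 'Remote Registry',
    'Shell Hardware Detection', 'WebClient', 'Windows Error Reporting Service',
    'Windows Push Notifications System Service', 'WinHTTP Web Proxy Auto-Discovery Service'
)

function Disable-UnusedService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Service)
    foreach ($entry in $Service) {
        $found = @(Get-Service -DisplayName $entry -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) { $found = @(Get-Service -Name $entry -ErrorAction SilentlyContinue) }
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Entry = $entry; Name = '-'; Result = 'not present on this OS' }
            continue
        }
        foreach ($s in $found) {
            if (-not $PSCmdlet.ShouldProcess($s.Name, 'set StartupType=Disabled and stop')) { continue }
            try {
                Set-Service -Name $s.Name -StartupType Disabled -ErrorAction Stop
                if ($s.Status -eq 'Running') { Stop-Service -Name $s.Name -Force -ErrorAction Stop }
                $after  = Get-Service -Name $s.Name
                $result = "$($after.StartType) / $($after.Status)"
            } catch {
                # some services (for example Plug and Play) refuse to stop; report instead of aborting
                $result = "failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Entry = $entry; Name = $s.Name; Result = $result }
        }
    }
}

Disable-UnusedService -Service $Unused -WhatIf                      # dry run: shows what would change
# Disable-UnusedService -Service $Unused | Format-Table -AutoSize    # apply (run as administrator)
```

Running the function a second time is the check: every row should read "Disabled / Stopped" or "not present on this OS".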


3.4 OPC configuration


The following settings must be configured to connect to the OPC Server:

 Local security policy


The following table describes the local security policy that must be defined for OPC
configuration.

Table 3.4-1 Local security policy for OPC configuration

Policy | Standalone management | Domain management
Create permanent Shared Object | FTS_OPC; FTS_PROCESS | Local/FTS_PROCESS; Local/FTS_OPC_LCL; Domain/FTS_OPC_LCS
Network Access: Sharing and security settings for local Accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves

 DCOM protocols
DCOM communicates over Remote Procedure Call (RPC) ports that are assigned dynamically. This
setting restricts the range of ports that RPC assigns to incoming DCOM communication.
The following table describes the DCOM port range settings for OPC configuration.

Table 3.4-2 DCOM protocols for OPC configuration

Setting | Port
TCP/IP Port Ranges | 2500-20550

NOTE
In addition to the above settings, you must also define DCOM settings and personal firewall exceptions.
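The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It reads back, from the registry, the machine-wide DCOM settings of Table 3.1.3-1, the RPC port range of Table 3.4-2 and the identity under which the OPC DCOM servers of Tables 3.1.3-2 to 3.1.3-4 run, and compares the first two with expected values. The registry locations (HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Microsoft\Rpc\Internet) are the ones Windows uses for these settings; the default expected port range is an assumption taken from the DCOM firewall exception in Table 3.2-7, so pass the range your site actually configured.

```powershell
# Added example, not part of the Yokogawa guide: read back the machine-wide DCOM settings of
# Table 3.1.3-1, the RPC dynamic port range of Table 3.4-2 and the identity of the OPC DCOM
# servers (Tables 3.1.3-2 to 3.1.3-4). The default $ExpectedPorts is an assumption taken from
# the DCOM firewall exception in Table 3.2-7; pass the range your site configured.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # $null when the key or value is absent; for the Ole values that means "Windows default"
    try { return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { return $null }
}

function Test-FtsDcomSettings {
    param([string]$ExpectedPorts = '20500-20550')
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    # DCOM authentication and impersonation level codes as stored in the registry
    $authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
    $impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

    $auth = Get-RegValue $ole 'LegacyAuthenticationLevel'
    $imp  = Get-RegValue $ole 'LegacyImpersonationLevel'
    $authText = '(not set, Windows default)'; if ($null -ne $auth) { $authText = $authNames[[int]$auth] }
    $impText  = '(not set, Windows default)'; if ($null -ne $imp)  { $impText  = $impNames[[int]$imp] }
    $ports = @(Get-RegValue $rpc 'Ports') -join ','   # REG_MULTI_SZ of ranges

    $rows = @(
        @{ Setting = 'Enable Distributed COM on this computer'; Expected = 'Y';            Actual = Get-RegValue $ole 'EnableDCOM' }
        @{ Setting = 'Default Authentication Level';            Expected = 'Connect';      Actual = $authText }
        @{ Setting = 'Default Impersonation Level';             Expected = 'Identify';     Actual = $impText }
        @{ Setting = 'RPC TCP/IP port range (Ports)';           Expected = $ExpectedPorts; Actual = $ports }
        @{ Setting = 'PortsInternetAvailable';                  Expected = 'Y';            Actual = Get-RegValue $rpc 'PortsInternetAvailable' }
        @{ Setting = 'UseInternetPorts';                        Expected = 'Y';            Actual = Get-RegValue $rpc 'UseInternetPorts' }
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Setting = $r.Setting; Expected = $r.Expected; Actual = $r.Actual; OK = ("$($r.Actual)" -eq "$($r.Expected)") }
    }
}

function Get-OpcDcomServerIdentity {
    # AppID keys whose description mentions OPC. RunAs absent means "launching user"; a
    # LocalService value means the server runs inside that Windows service (OPC Enum).
    foreach ($k in Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID') {
        $p = Get-ItemProperty -Path $k.PSPath
        $desc = "$($p.'(default)')"
        if ($desc -notmatch 'OPC') { continue }
        $identity = '(launching user)'
        if ($p.RunAs) { $identity = $p.RunAs } elseif ($p.LocalService) { $identity = "service '$($p.LocalService)' account" }
        [pscustomobject]@{ AppID = $k.PSChildName; Description = $desc; Identity = $identity }
    }
}

Test-FtsDcomSettings | Format-Table -AutoSize
Get-OpcDcomServerIdentity | Format-Table -AutoSize
```

The identity report should show the OPC DA and AE servers running as FTS_PROCESS, as Tables 3.1.3-3 and 3.1.3-4 specify; an OPC server that silently runs as the interactive or launching user is the usual sign that the DCOM configuration was not applied.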


3.5 IT environment settings


This section describes the Windows security functions that are applicable to the FAST/TOOLS
system.
There are cases where it is not possible to implement certain security functions depending on
the conditions of each system. Therefore, before implementing the security functions, analyze
whether it is possible to implement the security function to the FAST/TOOLS system.


3.5.1 NetBIOS over TCP/IP


You can disable NetBIOS over TCP/IP to prevent attackers from obtaining a list of network
users and services that are running on a computer on your network.
NOTE
The computer name must be resolved by the DNS or HOSTS file.
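The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It disables NetBIOS over TCP/IP on every IP-enabled adapter through the WMI method Win32_NetworkAdapterConfiguration.SetTcpipNetbios (option 2 = disable) and then checks the requirement in the NOTE above: that the computer name still resolves, using DNS only.

```powershell
# Added example, not part of the Yokogawa guide: disable NetBIOS over TCP/IP on every
# IP-enabled adapter (WMI SetTcpipNetbios, 2 = disabled) and confirm the computer name
# still resolves through DNS, which the NOTE above requires.

function Disable-NetbiosOverTcpip {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
        if ($a.TcpipNetbiosOptions -eq 2) {
            [pscustomobject]@{ Adapter = $a.Description; Result = 'already disabled' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($a.Description, 'disable NetBIOS over TCP/IP')) {
            $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            # ReturnValue 0 = success, 1 = success but a reboot is required
            [pscustomobject]@{ Adapter = $a.Description; Result = "SetTcpipNetbios returned $($r.ReturnValue)" }
        }
    }
}

function Test-DnsNameResolution {
    param([string]$Name = $env:COMPUTERNAME)
    # -DnsOnly prevents a fallback to LLMNR/NetBIOS that would hide a missing DNS record
    try {
        $records = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop | Where-Object IPAddress
        [pscustomobject]@{ Name = $Name; Resolved = $true; Addresses = ($records.IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Name = $Name; Resolved = $false; Addresses = $_.Exception.Message }
    }
}

Disable-NetbiosOverTcpip -WhatIf        # dry run; remove -WhatIf to apply (run as administrator)
Test-DnsNameResolution                   # should report Resolved = True before you disable NetBIOS
```

Run the resolution check before disabling NetBIOS: if the name only resolved through NetBIOS broadcasts, disabling it will break name-based connections until a DNS record or HOSTS entry is in place.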


3.5.2 Hard disk password


A password can be used to protect access to hard disk data using Advanced Technology
Attachment (ATA) commands. Without the password, access to the hard disk is restricted. You
cannot access the hard disk even if you remove it and connect it to another computer. This
prevents leakage of important data even if the computer is stolen.
If this function is enabled, you need to provide the hard disk password every time you start
the computer. Losing the password makes it impossible to access the hard disk data. Contact
your computer vendor if this function is available and ask them on how to enable this function.


3.6 Group Policy settings


Group Policy settings are configured to control and maintain security policies collectively in a
domain environment. The settings enable centralized management of the security settings for
the computers that are connected to the same domain.
NOTE
In a domain environment, Group Policy settings take precedence over the settings that are configured locally.


3.6.1 Password policies


You can apply the password policies when creating passwords to ensure that user
authentication is secure.
The following table describes the details of the password policies.

Table 3.6.1-1 Password policies

Policy | Setting
Minimum password length | 12 characters
Minimum password age | 1 day
Validity period of password | 70 days
Enforce password history | 2 passwords
Password must meet complexity requirements | Enabled
Store password using reversible encryption | Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Account Policies] > [Password Policy]
NOTE
If you apply password policies, the effort required for managing passwords increases for both users and
operation administrators.


3.6.2 Account lockout policies


You can apply the account lockout policies to disable user accounts when incorrect passwords
are entered a specific number of times. This policy protects the system from
unauthorized attacks such as online cracking and direct system attacks.
The following table describes the details of the account lockout policies.

Table 3.6.2-1 Account lockout policies

Policy | Setting
Account lockout threshold | 10 invalid logon attempts
Reset account lockout counter after (*1) | 15 minutes
Account lockout duration | 15 minutes

*1: If you fail to log on repeatedly, logging on to that user account will be disabled until the time set for "Reset account lockout counter after" elapses.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Account Policies] > [Account Lockout Policy]
NOTE
When the account lockout policies are applied, you may not be able to log on if a lockout occurs due to
unintended actions or operations.
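The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It exports the effective account policy with the Windows secedit tool and compares the [System Access] values against Tables 3.6.1-1 and 3.6.2-1, so that drift from the documented password and lockout settings shows up as a row with OK = False. The INF key names are the standard secedit names for these policies; the export requires an elevated prompt.

```powershell
# Added example, not part of the Yokogawa guide: export the effective account policy with
# secedit and compare its [System Access] section with Tables 3.6.1-1 and 3.6.2-1.
# Ages are in days and lockout times in minutes, as in the tables. Run as administrator.

$Expected = [ordered]@{
    MinimumPasswordLength = 12    # Minimum password length: 12 characters
    MinimumPasswordAge    = 1     # Minimum password age: 1 day
    MaximumPasswordAge    = 70    # Validity period of password: 70 days
    PasswordHistorySize   = 2     # Enforce password history: 2 passwords
    PasswordComplexity    = 1     # Password must meet complexity requirements: Enabled
    ClearTextPassword     = 0     # Store password using reversible encryption: Disabled
    LockoutBadCount       = 10    # Account lockout threshold: 10 invalid logon attempts
    ResetLockoutCount     = 15    # Reset account lockout counter after: 15 minutes
    LockoutDuration       = 15    # Account lockout duration: 15 minutes
}

function Get-SystemAccessPolicy {
    # Returns the [System Access] section of a secedit export as a hashtable (name -> value)
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
        $result = @{}
        $inSection = $false
        # secedit writes the INF as UTF-16
        foreach ($line in Get-Content -Path $tmp -Encoding Unicode) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $result[$Matches[1]] = $Matches[2] }
        }
        return $result
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue   # the export contains policy detail; do not leave it behind
    }
}

function Compare-AccountPolicy {
    param([hashtable]$Actual, [System.Collections.IDictionary]$Expected)
    foreach ($k in $Expected.Keys) {
        $a = $Actual[$k]
        $shown = '(not set)'; if ($null -ne $a) { $shown = $a }
        [pscustomobject]@{
            Policy   = $k
            Expected = $Expected[$k]
            Actual   = $shown
            OK       = ("$a" -eq "$($Expected[$k])")
        }
    }
}

Compare-AccountPolicy -Actual (Get-SystemAccessPolicy) -Expected $Expected | Format-Table -AutoSize
```

In a domain, the values that secedit exports on a member computer are the ones the domain policy imposes (see the NOTE in 3.6), so running this on each FAST/TOOLS computer also confirms that Group Policy reached it.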


3.6.3 Security Options


The following table shows the security settings that are enabled or disabled.

Table 3.6.3-1 Settings

Policy | Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Devices: Prevent users from installing printer drivers | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Domain Controller: Allow Server operators to schedule tasks (*1) | Disabled
Domain Controller: Refuse machine account password changes (*1) | Disabled
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Display user information when the session is locked | User display name, domain and user names
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Prompt user to change password before expiration | Enabled, 14 days
Microsoft network Server: Digitally sign communications (if Client agrees) | Enabled
Microsoft network Server: Server SPN target name validation level | Enabled, Accept if provided by Client
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) | Disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled, Highest protection, source routing is completely disabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Enabled, 3
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Force logoff when logon hours expire (*1) | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: LAN Manager authentication level | Enabled, Send NTLMv2 response only
Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)
Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers | Enabled; Require NTLMv2 session security and Require 128-bit encryption (both check boxes are selected)
Shutdown: Allow system to be shut down without having to log on | Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Enabled, Prompt for consent on the secure desktop

*1: This setting is for Domain Controllers only.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Local Policies] > [Security Options]
NOTE
On Windows Server 2008 or later, the four setting items beginning with “MSS:” that are set as Security
Options do not appear in the Local Group Policy Management Editor. However, you can use the gpresult
command to check if they are applied.
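The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. Besides gpresult, the Security Options of Table 3.6.3-1 can be verified directly through the registry values that back them, which is the only way to see the four "MSS:" items on systems where the policy editor hides them. The script checks the subset of the table whose registry mapping is unambiguous (key, value name and expected value are the documented Windows mappings; entries with a text choice, such as the locked-session display setting, are left out).

```powershell
# Added example, not part of the Yokogawa guide: verify a subset of the Security Options of
# Table 3.6.3-1 through their backing registry values, including the four "MSS:" settings
# that the Local Group Policy editor does not show. Only unambiguous DWORD mappings are listed.

$Checks = @(
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'SCENoApplyLegacyAuditPolicy';  Expect = 1;          Option = 'Audit: Force audit policy subcategory settings' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RestrictAnonymousSAM';         Expect = 1;          Option = 'Network access: Do not allow anonymous enumeration of SAM accounts' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'RestrictAnonymous';            Expect = 1;          Option = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'DisableDomainCreds';           Expect = 1;          Option = 'Network access: Do not allow storage of passwords and credentials' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'UseMachineId';                 Expect = 1;          Option = 'Network security: Allow Local System to use computer identity for NTLM' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'LmCompatibilityLevel';         Expect = 3;          Option = 'Network security: LAN Manager authentication level (Send NTLMv2 response only)' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                  Name = 'allownullsessionfallback';     Expect = 0;          Option = 'Network security: Allow LocalSystem NULL session fallback (Disabled)' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                  Name = 'NTLMMinClientSec';             Expect = 0x20080000; Option = 'Network security: Minimum session security for NTLM SSP Clients' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                  Name = 'NTLMMinServerSec';             Expect = 0x20080000; Option = 'Network security: Minimum session security for NTLM SSP Servers' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';        Name = 'RequireStrongKey';             Expect = 1;          Option = 'Domain member: Require strong session key' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';    Name = 'EnableSecuritySignature';      Expect = 1;          Option = 'Microsoft network Server: Digitally sign communications (if Client agrees)' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';    Name = 'SmbServerNameHardeningLevel';  Expect = 1;          Option = 'Microsoft network Server: SPN target name validation level (Accept if provided by Client)' }
    @{ Key = 'SYSTEM\CurrentControlSet\Control\CrashControl';                Name = 'AutoReboot';                   Expect = 0;          Option = 'MSS: (AutoReboot) Disabled' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';           Name = 'DisableIPSourceRouting';       Expect = 2;          Option = 'MSS: (DisableIPSourceRouting) Highest protection' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';           Name = 'PerformRouterDiscovery';       Expect = 0;          Option = 'MSS: (PerformRouterDiscovery) Disabled' }
    @{ Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';           Name = 'TcpMaxDataRetransmissions';    Expect = 3;          Option = 'MSS: (TcpMaxDataRetransmissions) 3' }
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DontDisplayLastUserName';      Expect = 1;          Option = 'Interactive logon: Do not display last user name' }
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableCAD';                   Expect = 0;          Option = 'Interactive logon: Do not require CTRL+ALT+DEL (Disabled)' }
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'FilterAdministratorToken';     Expect = 1;          Option = 'User Account Control: Admin Approval Mode for the Built-in Administrator account' }
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'ConsentPromptBehaviorAdmin';   Expect = 2;          Option = 'User Account Control: Prompt for consent on the secure desktop' }
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'ShutdownWithoutLogon';         Expect = 0;          Option = 'Shutdown: Allow system to be shut down without having to log on (Disabled)' }
    @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Name = 'PasswordExpiryWarning';        Expect = 14;         Option = 'Interactive logon: Prompt user to change password before expiration (14 days)' }
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    try { return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { return $null }
}

function Test-SecurityOptions {
    param([hashtable[]]$Check)
    foreach ($c in $Check) {
        $actual = Get-RegValue "HKLM:\$($c.Key)" $c.Name
        $shown = '(not set)'; if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Option   = $c.Option
            Value    = "$($c.Key)\$($c.Name)"
            Expected = $c.Expect
            Actual   = $shown
            OK       = ($null -ne $actual -and [int64]$actual -eq [int64]$c.Expect)
        }
    }
}

Test-SecurityOptions -Check $Checks | Sort-Object OK | Format-Table Option, Expected, Actual, OK -AutoSize
```

A "(not set)" result is not necessarily a failure: for some of these values Windows applies the expected behaviour by default when the value is absent, so compare such rows with the gpresult output mentioned in the NOTE before treating them as drift.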


3.6.4 Software restriction policies


The software restriction policies prevent harmful programs from being executed even if they
are copied to a temporary directory. By applying the rules of path restriction, unverified
programs can be prevented from being executed.
The following table describes the details of the software restriction policies.

Table 3.6.4-1 Software restriction policies

Policy | Setting
Security Levels | Disallowed
Designated File Types | The following file types are removed: *.lnk, *.mdb
Additional Rules | The software restriction policies prevent the use of programs that are not located on recognized paths. The following paths are recognized:
 | • %ALLUSERSPROFILE%\Templates
 | • %ALLUSERSPROFILE%\Microsoft\Windows\Templates
 | • %ProgramFiles%
 | • %ProgramFiles(x86)% (*1)
 | • %ProgramW6432% (*1)
 | • %ProgramFiles%YOKOGAWA\iPCS\Platform\Security\PROGRAM
 | • %ProgramFiles(x86)%YOKOGAWA\iPCS\Platform\Security\PROGRAM (*1)
 | • %SystemRoot%
 | • %localappdata%\Microsoft\OneDrive\*\FileSyncConfig.exe (*2)
 | • <F/T Program Folder>

*1: Applicable to Windows 7, Windows 10, Windows Server 2012 R2, and Windows Server 2016
*2: Applicable to Windows 10 only

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Software Restriction Policies]
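The following PowerShell script is an added example, not part of this guide or of the FAST/TOOLS product. It reads the applied software restriction policy from the registry location Windows uses for it (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), reports the default security level and designated file types, and lists every path rule with its level, so the list of recognized paths in Table 3.6.4-1 can be verified. It also flags Unrestricted rules rooted in user-writable locations, since a rule like the OneDrive entry is only as strong as the exact pattern it uses.

```powershell
# Added example, not part of the Yokogawa guide: read the software restriction policy of
# Table 3.6.4-1 back from the registry. DefaultLevel 0 = Disallowed; path rules are stored
# under the level key (262144 = Unrestricted) whose rights they grant.

$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# roots a standard user can write to; an Unrestricted rule under one of these weakens the policy
$UserWritable = '^%(TEMP|TMP|USERPROFILE|APPDATA|LOCALAPPDATA|PUBLIC)%'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    try { return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { return $null }
}

function Get-SoftwareRestrictionPolicy {
    if (-not (Test-Path -Path $Safer)) {
        return [pscustomobject]@{ DefaultLevel = '(no policy defined)'; ExecutableTypes = ''; Rules = @() }
    }
    $lvl = Get-RegValue $Safer 'DefaultLevel'
    $default = '(not set)'; if ($null -ne $lvl) { $default = $Levels[[int]$lvl] }

    $rules = foreach ($levelKey in Get-ChildItem -Path $Safer) {
        $n = $levelKey.PSChildName -as [int]          # level keys are numeric; skip anything else
        if ($null -eq $n) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath   # ItemData holds the path pattern
            $finding = ''
            if ($n -eq 262144 -and "$($p.ItemData)" -match $UserWritable) { $finding = 'Unrestricted rule under a user-writable root' }
            [pscustomobject]@{ Level = $Levels[$n]; Path = $p.ItemData; Description = $p.Description; Finding = $finding }
        }
    }
    [pscustomobject]@{
        DefaultLevel    = $default
        ExecutableTypes = (@(Get-RegValue $Safer 'ExecutableTypes') -join ' ')   # REG_MULTI_SZ of extensions
        Rules           = @($rules)
    }
}

$srp = Get-SoftwareRestrictionPolicy
"Default security level: $($srp.DefaultLevel)"
"Designated file types:  $($srp.ExecutableTypes)"
$srp.Rules | Sort-Object Level, Path | Format-Table Level, Path, Finding -AutoSize
```

With the policy of Table 3.6.4-1 applied, the default level should read Disallowed, LNK and MDB should be absent from the designated file types, and the Unrestricted rules should match the recognized paths of the table and nothing else.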


3.6.5 Advanced Audit Policy Configuration


Collected account logon conditions and security-related events are useful data for detecting
abnormal system conditions at an early stage and for tracing the causes of security-related
problems.
Detailed audit policies can be configured for each setting item.

 Account Logon
The following table shows the setting.

Table 3.6.5-1 Setting

Policy | Setting
Audit Credential Validation | Both the Success and Failure check boxes are selected.

 Account Management
The following table shows the setting.

Table 3.6.5-2 Setting

Policy | Setting
Audit Computer Account Management | The Success check box is selected.
Audit Other Account Management Events | Both the Success and Failure check boxes are selected.
Audit Security Group Management | Both the Success and Failure check boxes are selected.
Audit User Account Management | Both the Success and Failure check boxes are selected.

 Detailed Tracking
The following table shows the setting.

Table 3.6.5-3 Setting

Policy | Setting
Audit Process Creation | The Success check box is selected.
Audit RPC events (*1) | Both the Success and Failure check boxes are cleared.

*1: Performed by Domain Controllers only.

 DS Access
The following table shows the setting.

Table 3.6.5-4 Setting
Policy                           Setting
Audit Directory Service Access   Success and Failure
Audit Directory Service Changes  Success and Failure

NOTE
These settings are applicable for Domain Controllers only.

 Logon/Logoff
The following table shows the setting.

Table 3.6.5-5 Setting
Policy                           Setting
Audit Account Lockout            Success
Audit Logoff                     Success
Audit Logon                      Success and Failure
Audit Other Logon/Logoff Events  Success and Failure
Audit Special Logon              Success

 Object Access
The following table shows the setting.

Table 3.6.5-6 Setting
Policy                            Setting
Audit Application Generated (*1)  Success and Failure
Audit Removable Storage           Success and Failure

*1: Applicable to Domain Controllers and File Servers.

 Policy Change
The following table shows the setting.

Table 3.6.5-7 Setting
Policy                                  Setting
Audit Policy Change                     Success and Failure
Audit Authentication Policy Change      Success and Failure
Audit Filtering Platform Policy Change  Success and Failure
Audit MPSSVC Rule-Level Policy Change   Success and Failure
Audit Other Policy Change Events        Success and Failure

 Privilege Use
The following table shows the setting.

Table 3.6.5-8 Setting
Policy                         Setting
Audit Sensitive Privilege Use  Success and Failure

 System
The following table shows the setting.

Table 3.6.5-9 Setting
Policy                           Setting
Audit Other System Events        Success and Failure
Audit Security State Change      Success and Failure
Audit Security System Extension  Success and Failure
Audit System Integrity           Success and Failure
Audit IPsec Driver (*1)          Success and Failure

*1: Applicable to Domain Controllers only.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Advanced Audit Policy Configuration] > [System Audit Policies - Local
Group Policy Object]
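As an added example that is not part of this guide, the following PowerShell compares the audit policy that is actually in effect with the subcategory settings in Tables 3.6.5-1 to 3.6.5-9. It uses the CSV output of auditpol.exe (the "Inclusion Setting" column takes the values "Success and Failure", "Success", "Failure", or "No Auditing") and the subcategory names as auditpol reports them. The scope flags reflect the table footnotes: items marked DC or DCFS are only checked when you ask for them. Run it from an elevated prompt.

```powershell
# Added example, not from the guide: compare the effective audit policy with the
# subcategory settings in Tables 3.6.5-1 to 3.6.5-9. Requires administrative rights.
# Scope: All  = every FAST/TOOLS computer
#        DC   = Domain Controllers only
#        DCFS = Domain Controllers and File Servers (per the table footnotes)
$ExpectedAudit = @(
    @{ Sub = 'Credential Validation';            Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Computer Account Management';      Want = 'Success';             Scope = 'All' }
    @{ Sub = 'Other Account Management Events';  Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Security Group Management';        Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'User Account Management';          Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Process Creation';                 Want = 'Success';             Scope = 'All' }
    @{ Sub = 'RPC Events';                       Want = 'No Auditing';         Scope = 'DC' }
    @{ Sub = 'Directory Service Access';         Want = 'Success and Failure'; Scope = 'DC' }
    @{ Sub = 'Directory Service Changes';        Want = 'Success and Failure'; Scope = 'DC' }
    @{ Sub = 'Account Lockout';                  Want = 'Success';             Scope = 'All' }
    @{ Sub = 'Logoff';                           Want = 'Success';             Scope = 'All' }
    @{ Sub = 'Logon';                            Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Other Logon/Logoff Events';        Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Special Logon';                    Want = 'Success';             Scope = 'All' }
    @{ Sub = 'Application Generated';            Want = 'Success and Failure'; Scope = 'DCFS' }
    @{ Sub = 'Removable Storage';                Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Audit Policy Change';              Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Authentication Policy Change';     Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Filtering Platform Policy Change'; Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'MPSSVC Rule-Level Policy Change';  Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Other Policy Change Events';       Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Sensitive Privilege Use';          Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Other System Events';              Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Security State Change';            Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'Security System Extension';        Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'System Integrity';                 Want = 'Success and Failure'; Scope = 'All' }
    @{ Sub = 'IPsec Driver';                     Want = 'Success and Failure'; Scope = 'DC' }
)

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = auditpol /get /subcategory:"$Subcategory" /r 2>$null |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv | Select-Object -First 1
    if ($row) { $row.'Inclusion Setting' } else { '(unknown)' }
}

function Test-AuditPolicy {
    param([string[]]$Scope = @('All'))   # use @('All','DC') on a Domain Controller
    foreach ($e in $ExpectedAudit) {
        if ($e.Scope -notin $Scope) { continue }
        $actual = Get-AuditSetting -Subcategory $e.Sub
        [pscustomobject]@{
            Subcategory = $e.Sub
            Expected    = $e.Want
            Actual      = $actual
            Compliant   = ($actual -eq $e.Want)
        }
    }
}

$report = Test-AuditPolicy -Scope 'All'
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Compliant })
"Non-compliant subcategories: $($bad.Count)"
```

auditpol shows the effective policy, whatever its source. If a domain GPO also configures advanced audit policy it overrides the Local Group Policy described here, so correct any discrepancy at the policy that wins rather than with auditpol /set, which the next policy refresh would undo.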


3.6.6 Administrative Templates


This section describes the administrative settings that are defined to strengthen the IT
security.

 Personalization (Control Panel)
The following table shows the setting.

Table 3.6.6-1 Setting
Policy                                   Setting
Prevent enabling lock screen camera      Enabled
Prevent enabling lock screen slide show  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Control Panel] > [Personalization]

 WLAN Settings (Network)
The following table shows the setting.

Table 3.6.6-2 Setting
Policy                                                                                                                                     Setting
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services  Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Network] > [WLAN Services] > [WLAN Settings]

 Audit Process Creation (System)
The following table shows the setting.

Table 3.6.6-3 Setting
Policy                                           Setting
Include command line in process creation events  Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Audit Process Creation]
NOTE
If this option is enabled, the command line of every new process is recorded in plain text in the Security event
log as part of the Audit Process Creation event 4688, "A new process has been created." Anyone who can read the
Security log can then recover any secret that was passed as a command-line argument. For example, if you set a
password by using the CreateFASTTOOLSProcess tool, the password specified as an
argument is recorded in the event log.
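As an added example that is not part of this guide, the following PowerShell shows what this setting exposes. It reads the policy's registry value and, where command-line logging is on, scans recent event 4688 entries in the Security log for arguments that look like credentials, redacting them before display. The regular expressions are a starting point only; the CreateFASTTOOLSProcess syntax is not documented here, so the sample command line at the end is constructed, not a real invocation. Reading the Security log requires administrative rights.

```powershell
# Added example, not from the guide: show what "Include command line in process
# creation events" exposes. Reads the policy value and, if command-line logging is on,
# scans recent 4688 events in the Security log for arguments that look like secrets.
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-CommandLineAuditState {
    $v = (Get-ItemProperty -Path $AuditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    if ($v -eq 1) { 'Enabled' } else { 'Disabled' }   # absent value = policy not configured = off
}

# Argument shapes that commonly carry a credential. Extend with the switches of your own
# tools; the CreateFASTTOOLSProcess syntax is not documented here, so the sample is made up.
$SecretPatterns = @(
    '(?i)(^|\s)(/|--?)p(ass(word)?|wd)?[:= ]\S+',   # -p x, /password:x, --pwd=x
    '(?i)password\s*[:=]\s*\S+'                     # password=x inside a connection string
)

function Test-CommandLineForSecret {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $SecretPatterns) {
        if ($CommandLine -match $p) {
            return [pscustomobject]@{
                Leaks    = $true
                Pattern  = $p
                Redacted = [regex]::Replace($CommandLine, $p, ' <redacted>')
            }
        }
    }
    [pscustomobject]@{ Leaks = $false; Pattern = $null; Redacted = $CommandLine }
}

function Find-SecretsIn4688 {
    param([int]$MaxEvents = 1000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['CommandLine']) { continue }   # logging off, or event predates enabling it
        $r = Test-CommandLineForSecret -CommandLine $data['CommandLine']
        if ($r.Leaks) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Process     = $data['NewProcessName']
                CommandLine = $r.Redacted
            }
        }
    }
}

"Command line logging: $(Get-CommandLineAuditState)"
# Constructed sample; the real tool's argument syntax may differ.
Test-CommandLineForSecret 'CreateFASTTOOLSProcess.exe -user FTS_PROCESS -password Secret123'
Find-SecretsIn4688 | Format-Table -AutoSize
```

Command-line logging is valuable for detection, but on a computer where passwords are set from the command line it turns the Security log, and every backup and forwarded copy of it, into a credential store. Keep the setting Disabled here unless those copies are protected to the same standard as the credentials themselves.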


 Group Policy (System)
The following table shows the setting.

Table 3.6.6-4 Setting
Policy                                Setting
Configure registry policy processing  Enabled; the "Process even if the Group Policy objects have not changed" check box is selected

With this check box selected, registry-based policy values are reapplied at every policy refresh
even if a user or program has changed them locally in the meantime.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Group Policy]

 Internet Communication Management (System)
The following table shows the setting.

Table 3.6.6-5 Setting
Policy                                                                     Setting
Turn off access to the Store                                               Enabled
Turn off downloading of print drivers over HTTP                            Enabled
Turn off Event Viewer Events.asp links                                     Enabled
Turn off Internet download for Web publishing and online ordering wizards  Enabled
Turn off printing over HTTP                                                Enabled
Turn off Search Companion content file updates                             Enabled
Turn off the Publish to Web task for files and folders                     Enabled
Turn off the Windows Customer Experience Improvement Program               Enabled
Turn off the Windows Messenger Customer Experience Improvement Program     Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Internet Communication Management] > [Internet Communication
Settings]

 Logon (System)
The following table shows the setting.

Table 3.6.6-6 Setting
Policy                                                    Setting
Do not display network selection UI                       Enabled
Do not enumerate connected users on domain joined computers  Enabled
Enumerate local users on domain-joined computers          Disabled
Turn off app notifications on the lock screen             Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Logon]


 Mitigation Options (System)
The following table shows the setting.

Table 3.6.6-7 Setting
Policy                   Setting
Untrusted Font Blocking  Enabled: Block untrusted fonts and log events

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Mitigation Options]
NOTE
If this setting is enabled, fonts that are not installed in %Windir%\Fonts (typically, C:\Windows\Fonts) cannot be
used, because a font loaded from any other location (for example, one embedded in a document or a web page) is
treated as untrusted and blocked. If an application needs such a font, install it in the above folder. You can
install a font by right-clicking the font file and selecting [Install].

 Power Management (System)
The following table shows the setting.

Table 3.6.6-8 Setting
Policy                             Setting
Turn Off the Display (On Battery)  Enabled: 0 seconds (the display is never turned off)
Turn Off the Display (Plugged In)  Enabled: 0 seconds (the display is never turned off)

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Power Management] > [Video and Display Settings]

 Remote Procedure Call (System)
The following table shows the setting.

Table 3.6.6-9 Setting
Policy                                           Setting
Enable RPC Endpoint Mapper Client Authentication  Not configured

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Remote Procedure Call]


 User Profiles (System)
The following table shows the setting.

Table 3.6.6-10 Setting
Policy                       Setting
Turn off the advertising ID  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [User Profiles]

 App Privacy (Windows Component)
The following table shows the setting. Each policy is Enabled with the default for all apps set
to "Force Deny".

Table 3.6.6-11 Setting
Policy                                       Setting
Let Windows apps access account information  Enabled: Force Deny
Let Windows apps access call history         Enabled: Force Deny
Let Windows apps access contacts             Enabled: Force Deny
Let Windows apps access email                Enabled: Force Deny
Let Windows apps access location             Enabled: Force Deny
Let Windows apps access messaging            Enabled: Force Deny
Let Windows apps access motion               Enabled: Force Deny
Let Windows apps access the calendar         Enabled: Force Deny
Let Windows apps access the camera           Enabled: Force Deny
Let Windows apps access the microphone       Enabled: Force Deny
Let Windows apps access trusted devices      Enabled: Force Deny
Let Windows apps control radios              Enabled: Force Deny
Let Windows apps sync with devices           Enabled: Force Deny

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [App Privacy]


 App Runtime (Windows Component)
The following table shows the setting.

Table 3.6.6-12 Setting
Policy                                                                                         Setting
Block launching Windows Store apps with Windows Runtime API access from hosted content         Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [App runtime]
NOTE
This policy prevents Windows Store apps from being started from web content that has direct access to the
Windows Runtime API.

 AutoPlay Policies (Windows Component)
These policies prevent automatic execution of programs from external media. This setting is
effective as a measure against malware that infects computers through USB memory devices
(USB worms).
The following table shows the setting.

Table 3.6.6-13 Setting
Policy                                    Setting
Turn off Autoplay                         Enabled: All drives
Disallow Autoplay for non-volume devices  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [AutoPlay Policies]

 Cloud Content (Windows Component)
The following table shows the setting.

Table 3.6.6-14 Setting
Policy                                   Setting
Do not show Windows tips                 Enabled
Turn off Microsoft consumer experiences  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Cloud Content]


 Data Collection and Preview Builds (Windows Component)
The following table shows the setting.

Table 3.6.6-15 Setting
Policy                                    Setting
Allow Telemetry                           Enabled: 0 - Security [Enterprise Only]
Disable pre-release features or settings  Disabled
Do not show feedback notifications        Enabled
Toggle user control over Insider builds   Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Data Collection and Preview Builds]
NOTE
• Telemetry level 0 (Security) is honored only on Enterprise, Education, and Server editions; other editions
treat it as level 1 (Basic).
• The behaviour in which Windows authentication dialog boxes appear only after you press [Ctrl] + [Alt] + [Del]
is not controlled by these settings; it is governed by the Security Option "Interactive logon: Do not require
CTRL+ALT+DEL".

 Event Log Service (Windows Component)
The following table shows the setting. It is applied to each of the Application, Security, and
System logs.

Table 3.6.6-16 Setting
Policy                                  Setting
Specify the maximum log file size (KB)  Enabled: 32768 KB

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Event Log Service] > [Application], [Security], and
[System]
NOTE
With Success and Failure auditing enabled for the subcategories in section 3.6.5, a 32 MB Security log can fill
within days on a busy server, after which the oldest events are overwritten. Forward events to a central log
collector or archive the log regularly so that evidence is not lost before an incident is investigated.

 File Explorer (Windows Component)
The following table shows the setting.

Table 3.6.6-17 Setting
Policy                                   Setting
Turn off heap termination on corruption  Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [File Explorer]

 HomeGroup (Windows Component)
The following table shows the setting.

Table 3.6.6-18 Setting
Policy                                         Setting
Prevent the computer from joining a homegroup  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [HomeGroup]


 OneDrive (Windows Component)
The following table shows the setting.

Table 3.6.6-19 Setting
Policy                                                                             Setting
Prevent the usage of OneDrive for file storage                                     Enabled
Save documents to OneDrive by default (Save documents to the local PC by default)  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [OneDrive / SkyDrive]

 Remote Desktop Services (Windows Component)
The following table shows the settings.

Table 3.6.6-20 Settings
Policy                                                                                                                              Setting
[Remote Desktop Connection Client] \ Do not allow passwords to be saved                                                              Enabled
[Remote Desktop Session Host] \ [Device and Resource Redirection] \ Do not allow drive redirection                                   Enabled
[Remote Desktop Session Host] \ [Security] \ Require secure RPC communication                                                        Enabled
[Remote Desktop Session Host] \ [Security] \ Require user authentication for remote connections by using Network Level Authentication  Enabled

Network Level Authentication makes the client authenticate before a session is created on the
host, so an unauthenticated client never reaches the Windows logon screen.

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Remote Desktop Services]

 Search (Windows Component)
The following table shows the setting.

Table 3.6.6-21 Setting
Policy                                                                     Setting
Allow Cortana                                                              Disabled
Don't search the web or display web results in Search                      Enabled
Don't search the web or display web results in Search over metered connections  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Search]


 Software Protection Platform (Windows Component)
The following table shows the setting.

Table 3.6.6-22 Setting
Policy                                     Setting
Turn off KMS Client Online AVS Validation  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Software Protection Platform]

 Store (Windows Component)
The following table shows the setting.

Table 3.6.6-23 Setting
Policy                                                         Setting
Turn off Automatic Download of updates on Win8 machines        Enabled
Turn off Automatic Download and Install of updates             Enabled
Turn off the offer to update to the latest version of Windows  Enabled
Turn off the Store application                                 Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Store]

 Sync Your Settings (Windows Component)
The following table shows the setting.

Table 3.6.6-24 Setting
Policy                      Setting
Do not sync Apps            Enabled
Do not sync start settings  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Sync your settings] > [Sync your settings]

 Windows Defender (Windows Component)
The following table shows the setting.

Table 3.6.6-25 Setting
Policy                     Setting
Turn off Windows Defender  Enabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Defender]


 Windows Error Reporting (Windows Component)
The following table shows the setting.

Table 3.6.6-26 Setting
Policy                                                        Setting
Automatically send memory dumps for OS-generated error reports  Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Error Reporting]

 Windows Logon Options (Windows Component)
The following table shows the setting.

Table 3.6.6-27 Setting
Policy                                                                    Setting
Sign-in last interactive user automatically after a system-initiated restart  Disabled

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Logon Options] > [Windows Logon
Options]

 User Configuration
The following table shows the setting for the Taskbar menu.

Table 3.6.6-28 Setting
Policy                                         Setting
Turn off toast notifications on the lock screen  Enabled

Setup location: [User Configuration] > [Administrative Templates] > [Start Menu and Taskbar]
> [Notifications]

 Windows Update Delivery Optimization
The Windows Update Delivery Optimization feature lets a computer obtain Windows updates and
Windows Store applications not only from Microsoft servers but also from other computers on the
same network or on the Internet, and serve them to other computers in turn. To strengthen IT
security, restrict it so that the computer neither downloads from nor uploads to other
computers.
The following table shows the setting.

Table 3.6.6-29 Setting
Policy         Setting
Download Mode  Enabled: HTTP only (no peer-to-peer transfer)

Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Delivery Optimization]
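Most of the Administrative Template settings in this section are written to well-known registry values when the local policy is applied. As an added example that is not part of this guide, the following PowerShell reads those values for a selection of the settings above (AutoPlay, telemetry, the Security log size, the Remote Desktop Services settings, command-line logging, automatic sign-in after restart, Delivery Optimization, and OneDrive) and reports whether each matches the configuration the guide specifies. The value names and locations come from the Windows ADMX definitions, not from this guide; only settings whose mapping is well known are included.

```powershell
# Added example, not from the guide: verify a selection of the section 3.6.6 settings by
# reading the registry values that the corresponding ADMX policies write.
$PolicyChecks = @(
    @{ Name = 'Turn off Autoplay (All drives)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Name = 'Disallow Autoplay for non-volume devices'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoAutoplayfNonVolume'; Want = 1 }
    @{ Name = 'Allow Telemetry = 0 (Security)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Value = 'AllowTelemetry'; Want = 0 }
    @{ Name = 'Security log maximum size 32768 KB'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'; Value = 'MaxSize'; Want = 32768 }
    @{ Name = 'RDP client: Do not allow passwords to be saved'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Value = 'DisablePasswordSaving'; Want = 1 }
    @{ Name = 'RDP host: Do not allow drive redirection'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Value = 'fDisableCdm'; Want = 1 }
    @{ Name = 'RDP host: Require secure RPC communication'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Value = 'fEncryptRPCTraffic'; Want = 1 }
    @{ Name = 'RDP host: Require Network Level Authentication'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Value = 'UserAuthentication'; Want = 1 }
    @{ Name = 'Include command line in process creation events = Disabled'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Value = 'ProcessCreationIncludeCmdLine_Enabled'; Want = 0; AbsentOk = $true }
    @{ Name = 'Sign-in last interactive user automatically = Disabled'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableAutomaticRestartSignOn'; Want = 1 }
    @{ Name = 'Delivery Optimization Download Mode = HTTP only'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'; Value = 'DODownloadMode'; Want = 0 }
    @{ Name = 'Prevent the usage of OneDrive for file storage'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'; Value = 'DisableFileSyncNGSC'; Want = 1 }
)

function Test-PolicyRegistry {
    foreach ($c in $PolicyChecks) {
        $actual = $null
        if (Test-Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Value)
        }
        $absent = ($null -eq $actual)
        # A missing value means the policy is Not Configured. For a "Disabled" policy whose off
        # state is also the OS default (AbsentOk), that is acceptable; otherwise it is a finding.
        $ok = if ($absent) { [bool]$c.AbsentOk } else { [int]$actual -eq $c.Want }
        [pscustomobject]@{
            Policy    = $c.Name
            Expected  = $c.Want
            Actual    = if ($absent) { '(not set)' } else { $actual }
            Compliant = $ok
        }
    }
}

$report = Test-PolicyRegistry
$report | Format-Table -AutoSize -Wrap
"Findings: $(@($report | Where-Object { -not $_.Compliant }).Count)"
```

Correct any finding through gpedit.msc (or the IT Security Tool) rather than by writing the registry value directly: a value set by hand is not recorded in the local registry.pol, so it will not be reapplied and cannot be audited as policy.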


4. Precautions on operations
This section describes the precautions to observe when you apply security settings.


4.1 When running FAST/TOOLS Server

The FAST/TOOLS Server can be started only by using a dedicated user account
(FTS_PROCESS). If you want to run the Server by using another user account, add the user
account to the Administrators user group.
After the IT Security Tool is applied, add the user account to one of the following user groups:
• FTS_MAINTENANCE
• FTS_ENGINEER
• FTS_OPC


4.2 When running the FAST/TOOLS OPC Server

The FAST/TOOLS OPC Server can be started only by using a dedicated user account
(FTS_PROCESS). If you want to run the Server by using another user account, add the user
account to the user group that has the permission to run the Server.
After the IT Security Tool is applied, add the user account to one of the following user groups:
• FTS_MAINTENANCE
• FTS_ENGINEER
• FTS_OPC
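As an added example that is not part of this guide, the following PowerShell supports sections 4.1 and 4.2: it lists the services that run under the dedicated FTS_PROCESS account (the service names are discovered, not hard-coded), reports whether an alternative account holds the group membership these sections require, and adds it to one of the FTS groups when asked. The group and account names are the guide's; svc_fasttools is a placeholder for your alternative account. The *-LocalGroup* cmdlets need Windows 10 / Windows Server 2016 (or Windows Management Framework 5.1) and an elevated prompt.

```powershell
# Added example, not from the guide: check the service account and group membership that
# sections 4.1 and 4.2 call for. Run from an elevated PowerShell.
$FtsGroups = 'FTS_MAINTENANCE', 'FTS_ENGINEER', 'FTS_OPC'

function Get-AccountName {
    param([string]$Principal)
    # Normalise ".\user", "DOMAIN\user" and "user@domain" to "user"
    ((($Principal -split '\\')[-1]) -split '@')[0]
}

function Get-ServicesRunningAs {
    param([Parameter(Mandatory)][string]$Account)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and (Get-AccountName $_.StartName) -ieq $Account } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

function Test-FtsAccountMembership {
    param([Parameter(Mandatory)][string]$Account)
    foreach ($g in $FtsGroups + 'Administrators') {
        $exists = [bool](Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)
        $member = $false
        if ($exists) {
            # -ErrorAction covers members whose SID can no longer be resolved
            $member = [bool](Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                Where-Object { (Get-AccountName $_.Name) -ieq $Account })
        }
        [pscustomobject]@{ Account = $Account; Group = $g; GroupExists = $exists; IsMember = $member }
    }
}

function Grant-FtsGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,
        [ValidateSet('FTS_MAINTENANCE', 'FTS_ENGINEER', 'FTS_OPC')][string]$Group = 'FTS_OPC'
    )
    if ($PSCmdlet.ShouldProcess($Account, "Add to local group $Group")) {
        Add-LocalGroupMember -Group $Group -Member $Account
    }
}

# Usage
Get-ServicesRunningAs -Account 'FTS_PROCESS' | Format-Table -AutoSize

$alt = 'svc_fasttools'   # placeholder for the alternative account you intend to run the Server as
$m = Test-FtsAccountMembership -Account $alt
$m | Format-Table -AutoSize
if (-not ($m | Where-Object { $_.Group -in $FtsGroups -and $_.IsMember })) {
    Write-Warning "$alt is in none of $($FtsGroups -join ', '); grant one after the IT Security Tool has been applied."
}
Grant-FtsGroup -Account $alt -Group 'FTS_OPC' -WhatIf   # drop -WhatIf to apply
```

The FTS groups do not exist until the IT Security Tool has been applied, which is why the membership report shows a GroupExists column; a missing group on a freshly installed computer is expected, not a fault.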


4.3 When disabling NetBIOS over TCP/IP


NetBIOS over TCP/IP can be disabled by using the IT Security Tool. If the Domain
management type or Combination management type for user management is selected,
NetBIOS over TCP/IP is disabled by default.
If NetBIOS over TCP/IP is disabled, the OPC Server node is not displayed automatically. To
specify the connection destination Server node, you must manually enter the host address of
the OPC Server to which you want to connect.
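As an added example that is not part of this guide, the following PowerShell shows the NetBIOS over TCP/IP state of every IP-enabled adapter, disables it in the same way the IT Security Tool does (through the Win32_NetworkAdapterConfiguration method SetTcpipNetbios), and checks that the OPC Server host name still resolves through DNS once NetBIOS name resolution is no longer available. The host name opc-server-01 is a placeholder. Resolve-DnsName needs Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not from the guide: inspect and disable NetBIOS over TCP/IP, then verify
# that the OPC Server name can still be resolved without it.
# TcpipNetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled.
$NetbiosState = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbiosState {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter = $_.Description
                IPv4    = ($_.IPAddress | Where-Object { $_ -notmatch ':' }) -join ','
                NetBIOS = $NetbiosState[[int]$_.TcpipNetbiosOptions]
            }
        }
}

function Disable-Netbios {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Description, 'Disable NetB IOS over TCP/IP'.Replace(' IOS', 'IOS'))) {
                $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                        -Arguments @{ TcpipNetbiosOptions = 2 }
                # ReturnValue 0 = done, 1 = done but a reboot is required; anything else is an error code
                [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
            }
        }
}

function Test-OpcServerResolution {
    param([Parameter(Mandatory)][string]$HostName)
    # Without NetBIOS, only DNS (or the hosts file) can turn a name into the address you
    # have to type into the OPC client; verify it before relying on the name.
    try {
        $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop
        [pscustomobject]@{ Host = $HostName; Resolves = $true;  Address = ($a.IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Host = $HostName; Resolves = $false; Address = $null }
    }
}

Get-NetbiosState | Format-Table -AutoSize
Disable-Netbios -WhatIf                              # drop -WhatIf to apply
Test-OpcServerResolution -HostName 'opc-server-01'   # placeholder host name
```

Disabling NetBIOS also closes UDP 137/138 and TCP 139 on the adapter, which removes the name-spoofing and legacy SMB exposure those ports carry; the price is that anything still relying on NetBIOS name resolution, the OPC Server browse list among it, must be addressed by DNS name or IP address instead.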


4.4 When setting the display language


When setting the display language on your computer, ensure that the same language is
specified for "Display language" and "Format". Otherwise, the displayed texts may contain
different languages.


4.5 When changing the display language


If you run the IT Security Tool after changing the language settings to or from Japanese, a
warning message may appear.
If the following warning message appears, check the settings of each item and reconfigure as
necessary.

Figure 4.5-1 Select Setting Item dialog box (English)

Figure 4.5-2 Select Setting Item dialog box (Japanese)


4.6 When using Remote Desktop Connection (RDC)

After applying IT security settings, Remote Desktop Connection (RDC) to the FAST/TOOLS
Server may fail. This happens when the operating system patch levels of the FAST/TOOLS
Server and of the computer running the Remote Desktop client differ. To resolve the issue,
apply the latest patches on both computers.


4.7 When using the Start menu on Windows 10 and Windows Server 2016

When a user who does not have permission to access the FAST/TOOLS programs expands
the FAST/TOOLS folder from the Start menu, the program icons are not displayed.
Even after the user has been granted access to the FAST/TOOLS programs, the program icons
may still not be displayed. In such cases, follow these steps to restore the program icons on
the Start menu:
1. From the Start menu, right-click [Command Prompt] and select [Run as Administrator].
The Command Prompt window appears.
2. Navigate to the folder whose icons you want to restore.

Table 4.7-1 Start menu folders
Product                    Folder
FAST/TOOLS Server          C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FAST TOOL
FAST/TOOLS Remote Connect  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FAST TOOL Remote Connect

3. Run the following command:

>COPY /B * +,,

This command rewrites the modification time of every file in the current folder without
changing its contents. The Start menu picks up the updated timestamps and displays the
program icons in the folder again.
4. Repeat steps 1-3 to restore the icons for YOKOGAWA Security, YOKOGAWA
Redundancy, and other folders as necessary.
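As an added example that is not part of this guide, the following PowerShell performs steps 1 to 4 above in one go: it updates the last-write time of every file in the listed Start menu folders, which is what "COPY /B * +,," does, and reports what it touched. The folder names for YOKOGAWA Security and YOKOGAWA Redundancy are assumed from the Start menu entries named in step 4 and may differ on your installation. Run it from an elevated PowerShell.

```powershell
# Added example, not from the guide: PowerShell equivalent of the Start menu icon repair.
# "COPY /B * +,," rewrites each file's last-write time; this does the same for every file in
# the listed Start menu folders. Requires administrative rights (the folders are under ProgramData).
$StartMenuPrograms = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
# The last two folder names are assumed from the Start menu entries mentioned in step 4.
$StartMenuFolders  = 'FAST TOOL', 'FAST TOOL Remote Connect', 'YOKOGAWA Security', 'YOKOGAWA Redundancy'

function Repair-StartMenuIcons {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Folder = $StartMenuFolders)
    $now = Get-Date
    foreach ($name in $Folder) {
        $path = Join-Path $StartMenuPrograms $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not installed, skipping: $path"
            continue
        }
        $files = @(Get-ChildItem -LiteralPath $path -Recurse -File)
        if ($PSCmdlet.ShouldProcess($path, "Update last-write time of $($files.Count) file(s)")) {
            foreach ($f in $files) { $f.LastWriteTime = $now }
            (Get-Item -LiteralPath $path).LastWriteTime = $now
        }
        [pscustomobject]@{ Folder = $path; FilesTouched = $files.Count }
    }
}

Repair-StartMenuIcons -WhatIf   # preview; drop -WhatIf to apply
```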


5. Working with the IT Security Tool


The IT Security Tool is a security configuration tool developed for YOKOGAWA system
products. You must use this tool to implement security measures on computers installed with
the product.
By using the IT Security Tool, you can protect computers from security threats by selecting
security models and user management types. The tool automatically applies the security
settings on the computers based on your selection.
The following table describes the IT Security Tool functions.

Table 5-1 IT Security Tool functions
Function                          Description
Setup                             Configures security settings, such as the security model and user management type
Save                              Saves the security settings of the local computer
Restore                           Restores the saved security settings to a computer
Change Password (Encryption Key)  Changes the password of a saved security setting file
Import or Export                  Imports and exports the saved security setting file
Information                       Displays the summary of the configured security settings

NOTE
The default display of the IT Security Tool differs depending on whether the tool is used during a new
installation or an upgrade.

 Supported security configuration types


The IT Security Tool supports the following security configuration types:
• Standard model - Standalone management
• Standard model - Domain management
• Standard model - Combination management


5.1 Configuring IT security settings


You can configure security settings as the last step of installing the product software, or at any
time after installation.
NOTE
If multiple YOKOGAWA products are installed on the same computer, you can apply only the IT security
version that is supported by all products.

Follow these steps to configure IT security settings:


1. Start the IT Security Tool from the product installer or the Start menu.
Start menu location: [YOKOGAWA Security] > [IT Security Tool]
If you started the tool from the product installer, skip the next step. Otherwise, proceed to
the next step.
NOTE
If the User Account Control dialog box appears, asking if you want to allow the program to run, click
[Yes].

2. Click [Setup].
The IT Security Settings page appears.


Figure 5.1-1 IT Security Settings page

NOTE
If IT security is already applied, the previously applied settings are selected by default.

3. In the Select user management section, select a user management type.


NOTE
If you are logged on to a computer that is not a member of a domain and you selected [Domain
Management] or [Combination Management], a message box appears, indicating that your selection is
not valid because you are using a standalone computer.

4. If you want to view or modify the detailed settings, perform these steps:
a. Click [Details].
The Select Setting Items page appears, indicating the security setting items. Default
setting items appear in gray rows, and the check boxes cannot be cleared.
b. Select the check boxes next to the setting items that you want to apply, and clear the
check boxes of the setting items that you want to remove.

NOTE
You can click Recommend to restore the selection of setting items to the default.

c. Click [Next].
The Confirm Setting Information page appears, enabling you to review your
selections.
NOTE
• If you made any changes to the selection of setting items, a dialog box appears, indicating the
change and asking if you want to continue. Click [Yes] to continue or [No] to return to the Select
Setting Items page.
• We recommend that you use the default selection of setting items.

5. Click [Next] to apply the security settings.


The Applying Security Settings page appears, indicating the progress of the configuration
process. After the process is complete, the Setup Completed page appears.
NOTE
If the Program Compatibility Assistant dialog box appears, click [Cancel].

6. Click [Finish].
7. Restart the computer for the settings to take effect.

 Running the IT Security Tool from the installation media


This section describes how to run the IT Security Tool for a Mobile Client or a Domain
Controller. Follow these steps to run the IT Security Tool from the installation media:
1. Log on as a user with administrative rights.
2. If you want to run the IT Security Tool for Mobile Client and Domain Controller, perform
these steps:
a. Create the FTS_MAINTENANCE user account manually.
b. Add the logged on user account to FTS_MAINTENANCE.
c. Log off and log on again.
3. Insert the FAST/TOOLS installation media into the DVD drive.
4. Navigate to the following folder:
<DVD drive>:\Windows\FASTTOOLS
5. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe].
For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
6. In the dialog box that appears, select one of the following options as necessary:
• FAST/TOOLS and IT Security Tool
Select this option to install FAST/TOOLS Server and run the IT Security Tool
• IT Security for multi-product environment
Select this option to run the IT Security Tool for FAST/TOOLS Remote Connect
• Apply IT Security only
Select this option to run the IT Security Tool for Mobile Client and Domain Controller

SEE
ALSO For more information about the options for running the IT Security Tool, refer to:
Appendix 2.5, “Options for running the IT Security Tool” on page App.2-7


5.2 Saving IT security settings


You can save the IT security settings on a local computer by using the IT Security Tool. The
saved IT security settings can be restored on the local computer by using the Restore
function of the IT Security Tool.
Follow these steps to save the current IT security settings:
1. Start the IT Security Tool from the Start menu.
2. Click [Save].
The Specify destination page appears.
3. Click the [...] button next to the Destination box, and navigate to the folder where you want
to save the file.
The Save As window appears.
4. In the File name box, enter a file name.
5. Click [Save].
6. In the Distinguished Name box, type a name for the file.
7. In the Support Product box, type a description for the YOKOGAWA system products.
8. From the Support OS list, select one or more operating systems.
NOTE
In the Support Product box and Support OS list, you can provide any information about the security set-
tings that you are saving. This information is for your own reference.

9. In the File Version box, type a version for the file.


10. Click [Next].
The Type default account password page appears.
11. Type the default account password that you want to set for the Windows user accounts
on the computer.
NOTE
The default account password serves as the initial password for all Windows user accounts that are created
when the settings are restored. Because it is only an initial password, the user is prompted to change it at the
next logon. If a Windows user account already exists on the computer where the security settings are restored,
its existing password is kept and the default account password is ignored. The default account password must
meet the password policy of your organization.

12. Click [Next].


The Type password (Encryption Key) page appears.
13. In the Type password (Encryption Key) and Retype password (Encryption Key) boxes,
type a password for the file.
NOTE
• The Encryption Key is the password for the security setting file. You need to provide the correct
Encryption Key to restore the saved security settings on a computer.
• The Encryption Key must meet the following criteria:
• It must be more than one character.
• It can consist of alphanumeric characters and these characters: ` ~ ! @ # $ % ^ & * ( ) _ + - =
{ } | \ : " ; ' < > ? , . /
• It cannot consist of full-width characters.
• The tool enforces only the minimum length above. Because the file protected by the Encryption Key
contains the default account password, choose a long key and handle it with the same care as that
password.

14. Click [Next].
The Saving Security Settings page appears, displaying the progress of the save process.
After the process is complete, the Save completed page appears and the HED and CSF
files are created.
NOTE
The security settings are saved in HED and CSF file formats. These files must always exist in the same
location and their file names must always be the same.


5.3 Restoring IT security settings


You can restore the saved security settings on a computer by using the IT Security Tool.

IMPORTANT
• Ensure that the computer on which you are restoring the security settings has the same
configuration as the computer on which you saved the security settings.
• Before you restore the security settings, you must perform the following actions:
• Install the same product version and packages.
• If the product coexisted with other YOKOGAWA system products on the computer
where you saved the security settings, install the same versions and packages of
these system products.
• If you want to restore the Standard model with Domain or Combination management,
connect the computer to the domain.
• Set the same security model and user management type by using the IT Security
Tool.
• Obtain the default account password and Encryption Key.
• Store the pair of HED and CSF files in the same location. These files store the
security setting configuration and they must always have the same file name.

Follow these steps to restore the saved IT security settings:


1. Start the IT Security Tool from the Start menu.
2. Click [Restore].
The Select Security Setting File page appears.
3. At the right of the Setting File box, click the [.] button.
The Select File window appears.
4. Navigate to the folder in which the HED file that you want to restore is saved, and select
the HED file.
5. Click [Open].
6. In the dialog box that appears, type the Encryption Key.
7. Click [OK].
The file loads and its properties appear in the Description of Setting File pane.
8. Click [Next].
The Confirm Setting Information page appears, indicating the security settings that are
included in the file.
9. Review the security settings and click [Next].
The Applying Security Settings page appears, displaying the progress of the restore
process. After the process is complete, the Setup Completed page appears.
10. Click [Finish].
11. Restart the computer for the settings to take effect.
After restoring the security settings, the Windows user accounts that are saved in the security
settings file are created if they do not exist. Upon initial logon by using any of these Windows
users accounts, you need to use the Default account password, and replace it with a new
password. However, if these Windows user accounts exist, the existing passwords will be
used.

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00


5.4 Changing the security setting file password (Encryption Key)
The Encryption Key is the password that protects the security settings saved in the HED and
CSF files. The two files must always be kept in the same location. You can change the
Encryption Key of the security setting files used by the IT Security Tool.
Follow these steps to change the Encryption Key:
1. Start the IT Security Tool from the Start menu.
2. Click [Change Password (Encryption Key)].
The Specify backup file of security page appears.
3. On the Apply Changes to pane, select any of the following options:
• [Single File] to change the Encryption Key for one security setting file
• [Multiple File] to change the Encryption Key for multiple security setting files
4. Next to the Source box, click the […] button.
5. Perform any of the following steps, depending on the number of files that you want to
change:
• For a single file
In the Open dialog box that appears, navigate to the location of the HED file, and
then select [Open].
• For multiple files
In the Browse For Folder dialog box that appears, navigate to the folder where the
HED files are saved, select the folder, and then click [OK].
6. Next to the Destination box, click the […] button.
The Browse For Folder dialog box appears.
7. Navigate to the folder where you want to save the changed HED files, select the folder,
and then click [OK].
8. Click [Next].
The Change Password (Encryption Key) page appears.
9. In the Type old password (Encryption Key) box, type the current Encryption Key.
10. In the Type new password (Encryption Key) and Retype new password (Encryption Key)
boxes, type the new Encryption Key.
11. Click [Next].
12. Click [Finish].

5.5 Exporting and importing the IT security setting file
The IT Security Tool saves the currently applied security settings in the IT security setting file.
You can export and import this file to apply the selection state of the IT security settings on a
different operating system version.
NOTE
The settings are dependent on the operating system. Therefore, the settings cannot be restored on a different
operating system version by using the "Restore" function of the IT Security Tool. You must use the "Import or
Export" function if you want to apply the same settings on a different operating system version.

■ Exporting the IT security setting file


Follow these steps to export the IT security setting file:
1. Start the IT Security Tool from the Start menu.
2. Click [Import or Export].
The Export or Import the Selection State of Setting Items dialog box appears.
3. Select [Export].
The following default export destination file name appears automatically in the text box for
the file name entry:
<OS drive>:\ProgramData\Yokogawa\IA\iPCS\Platform\Security\Config\DisplaySelectInfo.xml
4. Leave the default file name as is, or change it as necessary.
5. Click [Execute].
The IT Security Tool starts exporting the IT security setting file. If you specify an existing
file, it will be overwritten.
The following information is written to the specified file:
• Security model
• User management type
• IT security version
• State of check box selections made in the Select Setting Items page of the tool

■ Importing the IT security setting file


Follow these steps to import the IT security setting file:
1. Start the IT Security Tool from the Start menu.
2. Click [Import or Export].
The Export or Import the Selection State of Setting Items dialog box appears.
3. Select [Import].
4. Specify the IT security setting file that you want to import.
5. Click [Execute].

6. In the IT Security Tool dialog box, click [Setup].
The imported IT security settings are applied.
NOTE
Alternatively, you can also import the selection state of IT security settings by clicking [Setup] in the IT
Security Tool dialog box, and then clicking [Import] on the IT Security Settings page.

5.6 Viewing the summary of IT security settings
You can view the basic information related to IT security settings by using the IT Security Tool.
Follow these steps to view the summary of IT security settings:
1. Start the IT Security Tool from the Start menu.
2. Click [Information].
The Current setting information dialog box appears, displaying the basic information
about the currently applied IT security settings in the following categories:
• IT Security Tool information
Displays the version, copyright, and issuer of the IT Security Tool
• Basic information
Displays the security model, user management type, and IT security version set by
the IT Security Tool
• Security setting conditions
Displays the status of IT security settings for all YOKOGAWA products that are
installed on the computer under the following categories:
• IT security setting completed
Displays the products for which IT security settings are applied
• Install completed
Displays the products for which IT security settings are not applied

5.7 Reapplying IT security settings


This section describes how to reapply the IT security settings.
NOTE
You need not restore the IT security settings to their initial status before reapplying the IT security settings.

5.7.1 For FAST/TOOLS Server and Remote Connect


Follow these steps to reapply IT security settings for FAST/TOOLS Server and Remote
Connect:
1. From the Start menu, select [YOKOGAWA Security] > [IT Security Tool].
2. Click [Setup].
3. Apply the IT security settings as necessary.

5.7.2 For Mobile Client and Domain Controller


You can reapply the IT security settings in any of the following scenarios:
• When the target components selected in the IT security settings remain the same
• When the target components selected in the IT security settings are different

■ When the target components selected in the IT security settings remain the same
Follow these steps to reapply the IT security settings when the target components selected in
the IT security settings remain the same:
1. Log on as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive.
3. Navigate to the following folder:
<DVD drive>:\Windows\FASTTOOLS
4. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe].
For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
5. In the window that appears, select [Apply IT Security only].
The IT Security Settings page appears.
6. Apply the IT security settings as necessary.

■ When the target components selected in the IT security settings are different
Follow these steps to reapply the IT security settings when the target components selected in
the IT security settings are different:
1. Log on as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive.
3. From the Start menu, right-click [Command Prompt] and select [Run as Administrator].
The Command Prompt window appears.
4. Run [PrepareReconstruction.cmd], which is available in the following folder:
<DVD drive>:\Windows\FASTTOOLS\ITSecurity
NOTE
If software restriction policies are set, run the IT Security Tool as an Administrator.

5. Navigate to the following folder:


<DVD drive>:\Windows\FASTTOOLS
6. Double-click [fasttools-Rxx.yy-rzzzz-ITSecurity.exe].
For example, fasttools-R10.04-SP1-r6697-ITSecurity.exe.
7. In the window that appears, select [Apply IT Security only].
The IT Security Settings page appears.
8. Apply the IT security settings as necessary.

5.8 Changing the FAST/TOOLS user account


This section describes how to change the FAST/TOOLS user account in the following
scenarios:
• When IT security settings are not applied
• When IT security settings are applied in the standalone environment
• When IT security settings are applied in the domain or combination environment
NOTE
By default, FTS_PROCESS is configured as the logon account of the FAST/TOOLS Service and of the
FAST/TOOLS OPC Servers.

■ When IT security settings are not applied


Follow these steps to change the FAST/TOOLS user account in an environment where IT
security settings are not applied:
1. Create a user account.
The user account can be a local user account or domain user account.
2. Assign the created user account to the Administrators group on the computer on which
FAST/TOOLS is installed.
3. Assign the created user account to the RDC_GA_CLIENT group on the computer on
which FAST/TOOLS is installed when a dual-redundant platform is used.
4. Set the created user account as the user account for using the FAST/TOOLS Service by
performing these steps:
a. In the Control Panel, select [Administrative Tools] > [Services].
b. Right-click [FAST/TOOLS Service] and select [Properties].
c. In the dialog box that appears, click the [Log On] tab.
d. Click [Browse] to select the created user account and set the password as necessary.
e. Click [OK].
5. Set the created user account as the user account for using the FAST/TOOLS OPC Server
by performing these steps:
a. In the Control Panel, select [Component Services].
The Component Services window appears.
b. On the navigation pane, select [Component Services] > [Computers] > [My Computer] >
[DCOM Config].
c. Right-click [FAST/TOOLS OPC AE Server] and select [Properties].
d. In the dialog box that appears, click the [Identity] tab.
e. Select [This user], click [Browse] to select the created user account, and type its password.
f. Click [OK].
g. Repeat steps c. to f. for [FAST/TOOLS OPC DA Server].

NOTE
• When IT security settings are applied in the standalone environment, assign the created user
account to the local FTS_OPC user group on the computer where FAST/TOOLS is installed.
• When IT security settings are applied in the domain or combination environment, assign the created
user account to the FTS_OPC user group of the domain on the Domain Controller. If a local user
account must be used, assign the created user account to the local FTS_OPC_LCL user group.
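The steps above end without a check that the change really took hold on all three consumers of the account. The following script is an added example for this guide (it is not YOKOGAWA code and not part of the IT Security Tool): it confirms that the FAST/TOOLS Service and both FAST/TOOLS OPC DCOM servers run under the chosen account and that the account holds the group memberships listed in this section. The account name FTS_SVC is a placeholder; FTS_OPC versus FTS_OPC_LCL follows the NOTE above, and the service and DCOM application names are matched on the display names used in this section.

```powershell
# Added example (not from the FAST/TOOLS guide): verify the account change of section 5.8.
# Run in an elevated Windows PowerShell on the FAST/TOOLS computer. Assumptions:
# 'FTS_SVC' is a placeholder for the account you created; pass -OpcGroup FTS_OPC_LCL for a
# local account in a domain/combination environment, -DualRedundant on an RDC platform.

param(
    [string] $Account  = 'FTS_SVC',     # placeholder
    [string] $OpcGroup = 'FTS_OPC',     # FTS_OPC (standalone) or FTS_OPC_LCL (local account in a domain)
    [switch] $DualRedundant
)

function Test-FastToolsServiceAccount {
    param([string]$Account, [string]$OpcGroup, [bool]$DualRedundant)
    $findings = New-Object System.Collections.Generic.List[string]
    $pattern  = [regex]::Escape($Account) + '$'      # matches 'DOMAIN\name', '.\name' and 'name'

    # 1. Service logon identity (Win32_Service.StartName is the account on the "Log On" tab)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'FAST/TOOLS Service%'"
    if (-not $svc) { $findings.Add('FAST/TOOLS Service not found') }
    foreach ($s in $svc) {
        if ($s.StartName -notmatch $pattern) {
            $findings.Add("Service '$($s.DisplayName)' logs on as '$($s.StartName)', expected '$Account'")
        }
    }

    # 2. DCOM identity of the OPC servers. RunAsUser mirrors "This user" on the Identity tab;
    #    an empty value means "The launching user", i.e. the change was not applied.
    $apps = Get-CimInstance Win32_DCOMApplication -Filter "Name LIKE 'FAST/TOOLS OPC%Server%'"
    if (-not $apps) { $findings.Add('No FAST/TOOLS OPC DCOM applications found') }
    foreach ($a in $apps) {
        $cfg = Get-CimInstance Win32_DCOMApplicationSetting -Filter "AppID='$($a.AppID)'"
        if ($cfg.RunAsUser -notmatch $pattern) {
            $findings.Add("DCOM '$($a.Name)' identity is '$($cfg.RunAsUser)', expected '$Account'")
        }
    }

    # 3. Local group memberships required by this section
    $groups = @('Administrators', $OpcGroup)
    if ($DualRedundant) { $groups += 'RDC_GA_CLIENT' }
    foreach ($g in $groups) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if (-not ($members | Where-Object { $_.Name -match $pattern })) {
            $findings.Add("'$Account' is not a member of local group '$g'")
        }
    }
    return ,$findings
}

$result = Test-FastToolsServiceAccount -Account $Account -OpcGroup $OpcGroup -DualRedundant $DualRedundant
if ($result.Count -eq 0) { 'OK: service logon, DCOM identity and group memberships match' }
else { $result | ForEach-Object { "CHECK: $_" } }
```

An empty RunAsUser on either OPC server is the usual symptom of having edited the wrong tab in Component Services; the service check catches a password typed wrongly in the Services snap-in only once the service has been restarted, so restart it before trusting a clean result.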

6. Other utility programs


The following utility programs are provided as supporting tools to the IT Security Tool:
• CreateFasttoolsProcess
Use this utility to create the FTS_PROCESS user account and to change its password
• StorageDeviceCTL
Use this utility to temporarily use removable storage devices to write or update data
• ITSecuritySettingItemExport
Use this utility to export the applied IT security settings to a file

6.1 CreateFasttoolsProcess utility


You can use this utility to create the FTS_PROCESS user account on computers installed
with Yokogawa products that collaborate with FAST/TOOLS. Moreover, this tool enables you
to change the password of an existing FTS_PROCESS user account.

■ Running the CreateFasttoolsProcess utility


Follow these steps to create internal user accounts of FAST/TOOLS on computers installed
with other products:
1. Log on to Windows as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the
following folder:
<DVD drive>:\Windows\FASTTOOLS\ITSecurity
3. Double-click [Yokogawa.IA.iPCS.Platform.Security.CreateFasttoolsProcess.exe].
A dialog box appears, asking if you want to create the internal user account (FTS_PROCESS).
4. Click [Yes].
The internal user account (FTS_PROCESS) is created.

■ Changing the internal user account password


Follow these steps to change the password of the internal user account:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Command Prompt] and select [Run as Administrator].
The Command Prompt window appears.
3. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the
following folder:
<DVD drive>:\Windows\FASTTOOLS\ITSecurity
4. Run the following command:
Yokogawa.IA.iPCS.Platform.Security.CreateFasttoolsProcess.exe -p
<password>
The FTS_PROCESS user account is created with the specified password. If the user account
already exists, its password is updated to the one specified in the command.

6.2 StorageDeviceCTL utility


You can use this utility to temporarily write to or update data on removable storage devices
on a computer where the StorageDevicePolicies function is enabled or access to USB storage
devices is disabled. While it runs, the utility does the following:
• Disables the StorageDevicePolicies function
• Enables access to USB storage devices
NOTE
To run the StorageDeviceCTL utility, you must be a member of any of the following Windows user groups:
• FTS_MAINTENANCE
• FTS_MAINTENANCE_LCL

■ Running the StorageDeviceCTL utility

Follow these steps to temporarily grant the write permission for removable storage devices:
1. Log on to Windows as a user with administrative rights.
2. In Windows, run the following program file to start the StorageDeviceCTL utility:
<OS drive>:\Program Files (x86)\YOKOGAWA\IA\iPCS\Platform\Security\PROGRAM\Yo
kogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
NOTE
If the User Account Control dialog box appears, asking if you want to allow the program to run, click
[Yes].

The StorageDeviceCTL utility appears on the task bar, indicating that the write permission
is granted.
3. Insert a removable storage device into the computer.
4. Write or update data on the storage device.
5. After you finish writing or updating data, properly remove the storage device.
6. From the task bar, click [StorageDeviceCTL].
7. In the StorageDeviceCTL message box, click [Write Stop] to close the utility.
The write permission for removable storage devices is removed. Do not leave the utility
running once the work is finished: until [Write Stop] is clicked, any removable device
connected to the computer is writable.
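Because the utility relaxes two independent controls and restores them only when [Write Stop] is clicked, it is worth recording the state before and after a maintenance session. The script below is an added example for this guide, not YOKOGAWA code and not part of the StorageDeviceCTL utility. It assumes that the two controls the guide names correspond to the standard Windows removable-storage write-protection policy and the USB mass-storage driver start value; the guide itself does not state which values the utility changes.

```powershell
# Added example (not part of the guide or of the StorageDeviceCTL utility): report whether
# removable-storage write protection and USB storage access are enforced right now, so you
# can confirm the state before starting StorageDeviceCTL and again after clicking
# [Write Stop]. Assumption: the two controls the guide names correspond to the standard
# Windows settings read below; the guide does not state which values the utility changes.

function Get-RemovableStorageState {
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    $usbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # WriteProtect = 1 blocks writes to removable disks (the "StorageDevicePolicies function")
    $writeProtect = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    # USBSTOR Start = 4 keeps the USB mass-storage driver from loading; 3 = load on demand
    $usbStart = (Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue).Start
    # Removable drives currently mounted (DriveType 2)
    $removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object DeviceID)

    [pscustomobject]@{
        Time               = Get-Date -Format 's'
        WriteProtectActive = ($writeProtect -eq 1)
        UsbStorageDisabled = ($usbStart -eq 4)
        RemovableDrives    = ($removable -join ', ')
        CtlRunning         = [bool](Get-Process -Name '*StorageDeviceCTL*' -ErrorAction SilentlyContinue)
    }
}

$state = Get-RemovableStorageState
$state | Format-List
# Writable removable storage without the utility running means the hardening was not restored.
if (-not $state.WriteProtectActive -and -not $state.UsbStorageDisabled -and -not $state.CtlRunning) {
    Write-Warning 'Removable storage is writable and StorageDeviceCTL is not running: re-apply the IT security settings.'
}
```

Run it once before step 2 (expect WriteProtectActive or UsbStorageDisabled to be True) and once after step 7 (expect the same), and keep both outputs with the maintenance record.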

6.3 ITSecuritySettingItemExport utility


You can use this utility to export the security model, user management type, and security
settings that are applied by the IT Security Tool to an external file. If the exported file is
imported by using the IT Security Tool on another computer, each security setting that was
selected in the IT Security Tool is reproduced in that environment.

■ Running the ITSecuritySettingItemExport utility

Follow these steps to run the ITSecuritySettingItemExport utility:


1. Log on to Windows as a user with administrative rights.
2. Insert the FAST/TOOLS installation media into the DVD drive and navigate to the
following folder:
<DVD drive>:\Windows\FASTTOOLS\ITSecurity
3. Double-click [Yokogawa.IA.iPCS.Platform.Security.ITSecuritySettingItemExport.exe].
A dialog box appears, indicating that the IT security settings are exported to a folder.
4. Click [OK].
NOTE
• This utility is available only on computers where a YOKOGAWA system product is installed. It is not
available on a file server or domain controller, where security configuration is performed by using
the IT Security Tool without installing product software.
• The account used to run this utility must belong to the maintenance group of the product.
• The folder and file that are exported by this utility have a fixed name. If they exist on the computer
already, the file will be overwritten.

7. Connecting YOKOGAWA products


FAST/TOOLS can be connected with other YOKOGAWA products in one of the following
ways:
• Coexistence
When FAST/TOOLS and the other product are installed on the same computer
• Collaboration
When FAST/TOOLS and the other product are installed on separate computers but they
communicate with each other over a network
NOTE
• Ensure that the security model and the user management type of the products that you are connecting
to are the same.
• If the Strengthened model is applied to the products that you want to connect, contact YOKOGAWA.
• For more information, refer to the user’s manual of the product that you want to connect with FAST/
TOOLS.

7.1 FAST/TOOLS and STARDOM


This section describes the security settings that are required to connect FAST/TOOLS with
STARDOM.

7.1.1 Coexistence
The following figure shows the network structure of coexistence with FAST/TOOLS and
STARDOM FCN/FCJ systems.

Figure 7.1.1-1 Network connection (figure not reproduced): the FCN/FCJ engineering environment
with FAST/TOOLS is connected over the Control Bus (Ethernet) to FCN/FCJ controllers and a PLC.

■ Connecting FAST/TOOLS and STARDOM

The IT security settings should be configured manually on the computer where STARDOM
and FAST/TOOLS systems are installed.

7.1.2 Collaboration
The FAST/TOOLS system accesses data from STARDOM FCN/FCJ through Ethernet
(TCP/IP) by using the HSE interface.
The following figure shows the network connection between FAST/TOOLS and STARDOM
(HSE).

Figure 7.1.2-1 Network connection (figure not reproduced): the SCADA Server is connected over
the Control Bus (Ethernet) to the FCN/FCJ.

■ Connecting FAST/TOOLS and STARDOM

Follow these steps to configure the collaboration settings for FAST/TOOLS and STARDOM
FCN/FCJ:
1. Create a user account that has the following privileges:
• Copy project data to FAST/TOOLS system
• Convert copied project data
• Send converted data to FAST/TOOLS system
2. Define personal firewall exceptions.

Table 7.1.2-1 Firewall program exceptions

Application | Description | Where used
EQPFCX      | eqpfcx.exe  | SCADA Server

Table 7.1.2-2 Firewall port exceptions

Program | Port      | Where used
HSE     | TCP: 1090 | SCADA Server

3. Configure EQUIPMENT/FAST.
4. Define TCP/IP line type and STARDOM-FCX equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM50L07L02-21E) for more
information.
5. Create I/O points on the FAST/TOOLS computer.

7.2 FAST/TOOLS and ProSafe-RS


This section describes the security settings that are required to connect FAST/TOOLS with
ProSafe-RS.

7.2.1 Collaboration
The FAST/TOOLS system accesses data from ProSafe-RS SCS through Vnet/IP.
The following figure shows the network connection between FAST/TOOLS and ProSafe-RS
SCS.

Figure 7.2.1-1 Network connection (figure not reproduced): the SCADA Server is connected over
Vnet/IP to the SCS.

■ Connecting FAST/TOOLS and ProSafe-RS

Follow these steps to connect FAST/TOOLS and ProSafe-RS systems:


1. Install Vnet/IP card and driver.
Refer to Integration with FAST/TOOLS IM (32P56H20-01EN) for more information.
2. Define personal firewall exceptions.

Table 7.2.1-1 Firewall program exceptions

Application | Description | Where used
EQPVNET     | eqpvnet.exe | SCADA Server, Front-end Server, RGS Server

Table 7.2.1-2 Firewall port exceptions

Program or application | Port            | Where used
Vnet/IP                | UDP: 9940, 5313 | SCADA Server, Front-end Server
Open PIO               | UDP: 6000       | RGS Server

3. Configure EQUIPMENT/FAST.
4. Define Vnet/IP line type and ProSafe-RS equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM 50L07L02-01EN/R9.03) for
more information.
5. Create I/O points on the FAST/TOOLS computer.

7.3 FAST/TOOLS and Matrikon OPC Server


This section describes the security settings that are required to connect FAST/TOOLS with
Matrikon OPC Server.

7.3.1 Collaboration
The FAST/TOOLS system accesses data from the Matrikon OPC Server through Ethernet
(TCP/IP) by using the OPC interface. The SCADA Server is used as the OPC Client for
receiving data from the Matrikon OPC Server.
The following figure shows the network connection between FAST/TOOLS and Matrikon OPC
Server.

Figure 7.3.1-1 Network connection (figure not reproduced): the SCADA Server (OPC Client) is
connected over Ethernet (TCP/IP) to the Matrikon OPC Server.

■ Connecting FAST/TOOLS and Matrikon OPC Server

Follow these steps to connect FAST/TOOLS and Matrikon OPC Server:


1. Install Matrikon OPC Client software on the SCADA Server.
2. Define the OPC user account used on both the Client and the Server machine. On the OPC
Server and on the SCADA Server, create the FTS_PROCESS user account.
In a domain, the account is defined only once, on the Domain Controller.
In a workgroup, the same account must be defined separately on the Client machine and on
the Server machine.
NOTE
The following restrictions apply:
• A password must be defined. (A blank password or a trivial password such as "admin" is not allowed.)
• The user name and password must be identical on both machines.
• The OPC Client (SCADA Server) and the OPC Server must use the same user account.

3. Define personal firewall exceptions.

Table 7.3.1-1 Firewall program exceptions

Application                  | Description                          | Where used
OPC Server                   | opxdas12.exe, opcism.exe, UNWISE.exe | OPC Server
OPC Client                   | opxdac.exe                           | OPC Client
Microsoft Management Console | %System32%\mmc.exe                   | OPC Client and OPC Server
OPCEnum                      | OPC server enumeration service       | OPC Server

Table 7.3.1-2 Firewall port exceptions (where used: SCADA Server, Front-end Server, RGS Server,
OPC Server and OPC Client)

Program or application   | Port (*1)
RPC/DCOM                 | TCP: 135
NetBIOS Session Service  | TCP: 139
DCOM                     | TCP: 20500-20550
NetBIOS Name Resolution  | UDP: 137
NetBIOS Datagram Service | UDP: 138
*1: The scope of the ports should be changed to "Any".

NOTE
You can use the IT Security Tool to configure the firewall exceptions.

4. Configure EQUIPMENT/FAST.
5. Define TCP/IP line type and OPC DA equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM 50L07L02-01EN/R9.03) for
more information.
6. Create I/O points on the FAST/TOOLS computer.

7.4 FAST/TOOLS and Exaquantum


This section describes the security settings that are required to connect FAST/TOOLS with
Exaquantum.

7.4.1 Collaboration
The FAST/TOOLS system accesses data from Exaquantum Server through Ethernet (TCP/IP)
by using the OPC interface. The Exaquantum Server is used as the OPC Client for receiving
data and the SCADA Server is used as the OPC Server.
The following figure shows the network connection between FAST/TOOLS and Exaquantum
Server.

Figure 7.4.1-1 Network connection (figure not reproduced): the Exaquantum Server (OPC Client) is
connected over Ethernet (TCP/IP) to the SCADA Server (OPC Server).

■ Connecting FAST/TOOLS and Exaquantum


Follow these steps to connect FAST/TOOLS and Exaquantum:
1. Install the OPC Client software (FAST/TOOLS OPC-DA Tunneler) on the Exaquantum
Server.
2. Create user accounts on both the computers as follows:
• Standalone management type
a. Create QTM_PROCESS and FTS_PROCESS user accounts on Exaquantum
and FAST/TOOLS computers.
b. Add QTM_PROCESS to FTS_OPC on the FAST/TOOLS computer to use the
DCOM function of FAST/TOOLS.
c. Add FTS_PROCESS to QTM_OPC on the Exaquantum computer to use the
DCOM function of Exaquantum.
• Domain management type
a. Create QTM_PROCESS and FTS_PROCESS user accounts on Exaquantum
and FAST/TOOLS computers.
b. Add QTM_PROCESS to FTS_OPC_LCL on the FAST/TOOLS computer to use
the DCOM function of FAST/TOOLS.
c. Add FTS_PROCESS to QTM_OPC_LCL on the Exaquantum computer to use
the DCOM function of Exaquantum.

3. Define personal firewall exceptions.

Table 7.4.1-1 Firewall program exceptions

Application                  | Description                    | Where used
OPC Server                   | opxdas12.exe                   | OPC Server
OPC Client                   | Quantum.exe                    | OPC Client
Microsoft Management Console | %System32%\mmc.exe             | OPC Client and OPC Server
OPCEnum                      | OPC server enumeration service | OPC Server

Table 7.4.1-2 Firewall port exceptions (where used: OPC Client and OPC Server)

Program or application   | Port (*1)
RPC/DCOM                 | TCP: 135
NetBIOS Session Service  | TCP: 139
DCOM                     | TCP: 20500-20550
NetBIOS Name Resolution  | UDP: 137
NetBIOS Datagram Service | UDP: 138
*1: The scope of the ports should be changed to "Any".

NOTE
You can use the IT Security Tool to configure the firewall exceptions.

4. Create items on the Exaquantum Server to access the FAST/TOOLS items on the SCADA Server.
NOTE
• The OPC flag must be enabled for the FAST/TOOLS items to be accessed by Exaquantum.
• The OPC Server Type must be defined on the Exaquantum Server.
• The OPC-DA Server ProgID must be changed to the name of the latest FAST/TOOLS OPC Server.
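The firewall exceptions in Tables 7.1.2-1/2, 7.2.1-1/2, 7.3.1-1/2 and 7.4.1-1/2 are all of the same two shapes (a program rule or a protocol/port rule), so one script can create them and, for the OPC cases, verify the condition that makes the TCP 20500-20550 rule meaningful. The following is an added example written for this guide; it is not YOKOGAWA code and does not replace the IT Security Tool. The executable paths are placeholders, because the tables give file names only; the remote-address scope defaults to "Any" as the tables state, but can be narrowed to the peer hosts where the network design allows it.

```powershell
# Added example (not from the guide): create the inbound Windows Firewall exceptions from
# Tables 7.1.2-1/2, 7.2.1-1/2, 7.3.1-1/2 and 7.4.1-1/2 with PowerShell, and check that the
# DCOM port range used by the OPC rules is actually configured. Run elevated on each computer,
# passing only the groups of rules that apply to its role. Assumptions: $FastToolsBin and
# $OpcBin are placeholder paths (the guide lists file names only); $PeerAddress is the list
# of peer hosts for the remote-address scope (the guide's tables use "Any").

param(
    [ValidateSet('STARDOM','ProSafeRS','OPC')] [string[]] $Groups = @('STARDOM','ProSafeRS','OPC'),
    [string]   $FastToolsBin = 'C:\FASTTOOLS\bin',     # placeholder
    [string]   $OpcBin       = 'C:\FASTTOOLS\opc',     # placeholder
    [string[]] $PeerAddress  = @('Any')
)

# One hashtable per table row; Program rules match an executable, the others a protocol/port.
$catalog = @{
    STARDOM = @(
        @{ Name = 'FAST/TOOLS EQPFCX (HSE)';  Program  = "$FastToolsBin\eqpfcx.exe" }
        @{ Name = 'FAST/TOOLS HSE port';      Protocol = 'TCP'; Port = '1090' }
    )
    ProSafeRS = @(
        @{ Name = 'FAST/TOOLS EQPVNET (Vnet/IP)'; Program  = "$FastToolsBin\eqpvnet.exe" }
        @{ Name = 'FAST/TOOLS Vnet/IP ports';     Protocol = 'UDP'; Port = '9940','5313' }
        @{ Name = 'FAST/TOOLS Open PIO (RGS)';    Protocol = 'UDP'; Port = '6000' }
    )
    OPC = @(
        @{ Name = 'OPC DA server opxdas12.exe';   Program  = "$OpcBin\opxdas12.exe" }
        @{ Name = 'OPC DA client opxdac.exe';     Program  = "$OpcBin\opxdac.exe" }
        @{ Name = 'OPC MMC';                      Program  = "$env:SystemRoot\System32\mmc.exe" }
        @{ Name = 'OPC RPC endpoint mapper';      Protocol = 'TCP'; Port = '135' }
        @{ Name = 'OPC NetBIOS session';          Protocol = 'TCP'; Port = '139' }
        @{ Name = 'OPC DCOM port range';          Protocol = 'TCP'; Port = '20500-20550' }
        @{ Name = 'OPC NetBIOS name/datagram';    Protocol = 'UDP'; Port = '137','138' }
    )
}

function Add-FastToolsFirewallRule {
    param([hashtable]$Rule, [string[]]$Remote)
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) { return }   # idempotent
    $common = @{ DisplayName = $Rule.Name; Direction = 'Inbound'; Action = 'Allow'
                 Profile = 'Domain','Private'; RemoteAddress = $Remote }
    if ($Rule.Program) { New-NetFirewallRule @common -Program $Rule.Program | Out-Null }
    else               { New-NetFirewallRule @common -Protocol $Rule.Protocol -LocalPort $Rule.Port | Out-Null }
}

foreach ($g in $Groups) { foreach ($r in $catalog[$g]) { Add-FastToolsFirewallRule -Rule $r -Remote $PeerAddress } }

# The TCP 20500-20550 exception is only useful if DCOM allocates from that range; otherwise
# DCOM uses ephemeral ports and the rule never matches. dcomcnfg (My Computer > Default
# Protocols > Properties) stores the range here:
if ($Groups -contains 'OPC') {
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    if (-not $rpc -or $rpc.Ports -notcontains '20500-20550' -or $rpc.UseInternetPorts -ne 'Y') {
        Write-Warning 'DCOM port range 20500-20550 is not configured; set it in dcomcnfg (Default Protocols) before relying on this rule.'
    }
}
Get-NetFirewallRule -DisplayName 'FAST/TOOLS*','OPC *' | Format-Table DisplayName, Enabled, Profile, Direction -AutoSize
```

On a SCADA Server that talks to STARDOM only, run it with -Groups STARDOM so that no OPC or Vnet/IP ports are opened on a host that does not need them; the "Any" scope in the tables is the upper bound, not the recommended value.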

7.5 Coexistence with FAST/TOOLS Client and other products
The Web HMI Client and FAST/TOOLS Mobile Client can coexist with other Yokogawa
products.
You can configure the IT security settings in one of the following ways:
• Running the IT Security Tool from the product installer
This is the most common method for running the IT Security Tool. The IT security settings
must be configured by using this method if the FAST/TOOLS Client is installed on a
computer where a Yokogawa product is already installed.
This method is also used for applying IT security settings in the FAST/TOOLS Server.
• Running the IT Security Tool from the installation media
The IT security settings can be configured by using this method if the FAST/TOOLS
Client and other Yokogawa products are installed on separate computers.
• Configuring the IT security settings manually
The IT security settings can be configured manually if the FAST/TOOLS Client is installed
on a computer at CORPORATE LEVEL or BUSINESS LEVEL.

8. Optional IT security settings


This section describes the optional IT security settings that you can configure to further
strengthen your computer.

8.1 Security measures for Windows 10 and Windows Server 2016
When Windows 10 or Windows Server 2016 is installed with the default settings, the following
information is shared with Microsoft or with third parties:
• Personal speech data
• Inking and typing input
• Geographical location
• Browsing data
• Automatic connection to (insecure) hotspots
• Full diagnostic and usage data (not limited to the basic level)
• Skype is allowed to process your contacts (if bundled)
It is recommended to use the Long-Term Servicing Branch (LTSB, since renamed Long-Term
Servicing Channel, LTSC) edition of Windows 10, or Windows Server 2016, and to disable the
sharing of the information listed above.
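The items above are individual Windows settings, and on a process-control computer they should be set machine-wide rather than per user so that a new operator profile does not re-enable them. The script below is an added example for this guide, not YOKOGAWA code. It writes the policy registry values that the corresponding Group Policy settings use for the diagnostic level, location, inking/typing personalization and online speech, and Wi-Fi Sense auto-connect, and then reports compliance. Browsing data and Skype contact access have no single machine policy and are left to the application settings.

```powershell
# Added example (not from the guide): turn off the data-sharing features listed in
# section 8.1 through the machine-wide policy values that the corresponding Group Policy
# settings write, then report the state. Run in an elevated Windows PowerShell.
# AllowTelemetry = 0 ("Security") is honoured on Enterprise, Education and Server
# editions; Pro treats it as Basic. Wi-Fi Sense auto-connect was removed from Windows 10
# in 1803, so that value is harmless on newer builds.

$privacyPolicy = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';     Name = 'AllowTelemetry';                 Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'; Name = 'DisableLocation';                Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';       Name = 'AllowInputPersonalization';      Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';       Name = 'RestrictImplicitInkCollection';  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';       Name = 'RestrictImplicitTextCollection'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config';    Name = 'AutoConnectAllowedOEM';          Value = 0 }
)

function Set-PrivacyPolicy {
    param([hashtable[]]$Policy)
    foreach ($p in $Policy) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

function Test-PrivacyPolicy {
    param([hashtable[]]$Policy)
    foreach ($p in $Policy) {
        $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{ Setting = $p.Name; Expected = $p.Value; Current = $current; Compliant = ($current -eq $p.Value) }
    }
}

Set-PrivacyPolicy  -Policy $privacyPolicy
Test-PrivacyPolicy -Policy $privacyPolicy | Format-Table -AutoSize
```

Run Test-PrivacyPolicy alone on a computer that is domain-joined before applying anything: if a domain Group Policy already defines these values, the local write is overwritten at the next policy refresh and the change belongs in the GPO instead.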

8.2 Disabled Windows applications


The following applications should be disabled or uninstalled from your computer:
• NetMeeting (uninstalled)
• Windows Messenger (uninstalled)
• Windows Movie Maker (disabled)
• Windows Update (disabled)
• Windows Media Player (uninstalled)
• All games (uninstalled)
• Outlook Express (uninstalled)
• Yahoo Messenger (uninstalled)
• Skype (uninstalled)
• VoIP software (uninstalled)
• Groove Music (uninstalled)
Disabling Windows Update also stops the automatic delivery of security patches. Security patches
must then be applied to the computer through a controlled patch process instead.

■ Removing bundled apps for a specific user

Some versions of Windows 8, Windows 8.1, and Windows 10 are delivered with a number of
bundled apps. When a user first signs in, Windows installs those apps into the user profile.
Even after the apps are uninstalled from the profile, many of them are downloaded again
automatically after a Windows update. It is recommended to remove all the available bundled
apps from your computer.
Follow these steps to remove the bundled apps from your computer:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Windows PowerShell] and select [Run as Administrator].
The Windows PowerShell window appears. (The commands below are PowerShell cmdlets; they
do not run in a Command Prompt window.)
3. Run one of the following commands:
• To remove the bundled apps for a specific user
Get-AppxPackage -User <Username> | Remove-AppxPackage
• To remove the bundled apps for all users
Get-AppxPackage -AllUsers | Remove-AppxPackage
The bundled apps are removed from the computer.

NOTE
The following apps are not removed:
• Contact Support
• Cortana
• Photos
• Microsoft Edge
• Windows Feedback
• Settings

• Windows Store (May be reinstalled after a Windows update)
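The two commands above remove the installed copies only; the copies that Windows keeps provisioned in the image are what reinstall the apps for each new user and after updates, which is why the NOTE lists apps that come back. The following script is an added example for this guide (not YOKOGAWA code): it removes both the installed and the provisioned copies for everything outside a keep list, skipping the packages Windows marks as non-removable. The keep list is an assumption for an HMI computer; adjust it to your site.

```powershell
# Added example (not from the guide): remove the bundled Store apps for every user profile
# and also their provisioned copies, which are what Windows reinstalls for new users and
# after updates. Needs Windows 10 1709 or later for Remove-AppxPackage -AllUsers; run in
# an elevated Windows PowerShell. The keep list below is an assumption, not from the guide.

function Remove-BundledApps {
    param([string[]]$Keep)
    $removed = New-Object System.Collections.Generic.List[string]

    # Installed copies in every profile. NonRemovable marks system apps that cannot be removed.
    foreach ($pkg in Get-AppxPackage -AllUsers | Where-Object { -not $_.NonRemovable -and $_.Name -notin $Keep }) {
        try {
            Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
            $removed.Add($pkg.Name)
        } catch {
            Write-Warning "Could not remove $($pkg.Name): $($_.Exception.Message)"
        }
    }

    # Provisioned copies: staged in the image and installed at every first sign-in
    foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -notin $Keep }) {
        Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
        $removed.Add("$($prov.DisplayName) (provisioned)")
    }
    return ,$removed
}

# Keep list (assumed): the Store for later app servicing, plus Photos and Calculator for operators
$keep = 'Microsoft.WindowsStore', 'Microsoft.Windows.Photos', 'Microsoft.WindowsCalculator'
Remove-BundledApps -Keep $keep | Sort-Object -Unique
```

Run Get-AppxProvisionedPackage -Online again after the next feature update: a feature update re-provisions the in-box apps of the new build, so the removal has to be repeated as part of the update procedure.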

8.3 Audit policies


You can apply audit policies to record account logon conditions and security events. This
recorded data is useful for detecting abnormal system conditions at an early stage and for
checking the causes of security problems.

IMPORTANT
You must observe the following precautions if you want to apply audit policies:
• The system performance is affected if you increase the number of recorded event types.
• You must determine the event record size that is appropriate for the system operation
conditions. The number of generated events varies depending on the types of recorded
events and system operations.

The following table describes the details of events that can be recorded by applying audit
policies.

Table 8.3-1 Audit policies

Option                         | Setting
Audit account logon events     | Success, Failure
Audit account management       | Success, Failure
Audit object access            | Failure
Audit system events            | Success
Audit directory service access | Failure
Audit process tracking         | No auditing
Audit policy change            | Success
Audit logon events             | Success, Failure
Audit privilege use            | Failure

8.3.1 Applying Audit Policy settings


Follow these steps to apply the Audit Policy settings:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Audit Policy].
The security setting for each Audit Policy is displayed.
4. Apply the Audit Policy settings as necessary.
5. Close the Local Security Policy window.

8.3.2 Defining maximum event log size


To prevent data loss, you need to specify the maximum size for the following event logs:
• Security
• Application
• System
Follow these steps to define the maximum event log size:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Event
Viewer].
The Event Viewer window appears.
3. On the navigation pane, under Event Viewer, select [Windows Logs].
4. Under Windows Logs, right-click the log (Security, Application, or System) and select
[Properties].
5. In the dialog box that appears, specify the settings as follows:

Table 8.3.2-1 Settings

Item                             | Security  | Application | System
Maximum log size (KB) (*1)       | 81,920 KB | 16,384 KB   | 16,384 KB
When maximum log size is reached | Overwrite events as needed (all three logs)
*1: This is the recommended log size considering standard usage. You can determine the appropriate log size based on the
operation frequency, engineering data size, and HDD capacity of your computer.
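Sections 8.3.1 and 8.3.2 are repeated on every FAST/TOOLS computer, so it is worth having them as a script that also prints the resulting state for the change record. The following is an added example for this guide, not YOKOGAWA code: it applies Table 8.3-1 with auditpol.exe and Table 8.3.2-1 with wevtutil.exe, and then reads both back. The mapping from the table's option names to the nine legacy audit categories is standard Windows naming, noted in the comments where the two differ.

```powershell
# Added example (not from the guide): apply Table 8.3-1 and Table 8.3.2-1 from the command
# line with auditpol.exe and wevtutil.exe, then print the resulting state so it can be filed
# with the change record. Run in an elevated Windows PowerShell.

# Table 8.3-1 mapped to the nine legacy audit categories that auditpol.exe accepts.
$auditPolicy = @(
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }
    @{ Category = 'Account Management'; Success = $true;  Failure = $true  }
    @{ Category = 'Object Access';      Success = $false; Failure = $true  }
    @{ Category = 'System';             Success = $true;  Failure = $false }
    @{ Category = 'DS Access';          Success = $false; Failure = $true  }   # "directory service access"
    @{ Category = 'Detailed Tracking';  Success = $false; Failure = $false }   # "process tracking": no auditing
    @{ Category = 'Policy Change';      Success = $true;  Failure = $false }
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }   # "logon events"
    @{ Category = 'Privilege Use';      Success = $false; Failure = $true  }
)

function Set-AuditPolicyFromTable {
    param([hashtable[]]$Rows)
    foreach ($r in $Rows) {
        $s = if ($r.Success) { 'enable' } else { 'disable' }
        $f = if ($r.Failure) { 'enable' } else { 'disable' }
        & auditpol.exe /set "/category:$($r.Category)" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$($r.Category)'" }
    }
}

# Table 8.3.2-1: size in bytes; retention=false is "Overwrite events as needed" (circular log)
$logSizes = @{ Security = 81920KB; Application = 16384KB; System = 16384KB }

function Set-EventLogLimits {
    param([hashtable]$Sizes)
    foreach ($log in $Sizes.Keys) {
        & wevtutil.exe set-log $log "/maxsize:$($Sizes[$log])" '/retention:false'
        if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil failed for log '$log'" }
    }
}

Set-AuditPolicyFromTable -Rows $auditPolicy
Set-EventLogLimits -Sizes $logSizes

# Verification: category settings as auditpol sees them, log limits as Event Viewer shows them
& auditpol.exe /get '/category:*'
Get-WinEvent -ListLog Security, Application, System | Format-Table LogName, MaximumSizeInBytes, LogMode -AutoSize
```

Setting a category with auditpol.exe sets every subcategory under it, which is the same effect the Local Security Policy snap-in has. If the computer receives an Advanced Audit Policy Configuration from a domain GPO, that policy wins at the next refresh, so keep the table in the GPO rather than on the local machine in that case. LogMode must read Circular for all three logs; Retain or AutoBackup means data loss or disk growth once the limit is hit.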


8.4 Disabling recovery console


Automatic logon as a standard operating procedure is a known security risk, especially with
Administrator privileges. Therefore, automatic administrative logon must be disabled.
NOTE
In known limited environments where automated login is unavoidable, strong passwords must be used for
these services and proper documentation must be maintained.

Follow these steps to disable automatic administrative logon:


1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Recovery Console: Allow automatic
administrative logon] and select [Disabled].
5. Close the Local Security Policy window.


8.5 Setting user rights for internal system objects

Only appropriate administrative groups should be able to configure settings such as COM
ports, serial ports, or printers.
Follow these steps to set user rights for internal system objects:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [System Objects: Strengthen default
permissions of internal system objects (e.g. Symbolic links)] and select [Enabled].
5. Close the Local Security Policy window.


8.6 Verifying user rights assignments


Each of these operations should be permitted only to the users or groups specified below. It is
recommended to verify that the user rights assignment is configured appropriately.
Follow these steps to verify the user rights assignment:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [User Rights
Assignment].
The user rights assignment for each policy is displayed.
4. Verify that the user rights are assigned as follows:

Table 8.6-1 User rights assignments

User right (Policy) | Security setting
Act as part of the operating system | None
Adjust memory quotas for a process | None
Back up files and directories | FTS_MAINTENANCE
Bypass traverse checking | None
Change the system time | FTS_MAINTENANCE
Create a page file | None
Create a token object | None
Enable computer and user accounts to be trusted for delegation | FTS_MAINTENANCE
Force shutdown from a remote system | None
Impersonate a Client after authentication | FTS_MAINTENANCE
Increase scheduling priority | None
Lock pages in memory | None
Modify firmware environment values | FTS_MAINTENANCE
Perform volume maintenance tasks | FTS_MAINTENANCE
Profile single process | None
Profile system performance | None
Replace a process level token | None
Restore files and directories | FTS_MAINTENANCE
Shut down the system | FTS_MAINTENANCE
Synchronize directory service data | None
Take ownership of files or other objects | FTS_MAINTENANCE

5. Close the Local Security Policy window.
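The following Windows PowerShell script is an added example, not part of this guide: it exports the local user rights assignment with secedit.exe and lists the current holders of every right in Table 8.6-1 next to the guide's expected setting. The mapping from policy display name to privilege constant is standard Windows and is an assumption of this example, as are the function names; run it elevated.

```powershell
# Added example (not from the Yokogawa guide): report the holders of the user
# rights in Table 8.6-1. Rights the guide assigns to FTS_MAINTENANCE are
# checked for that group; rights listed as None are shown for manual review.
$Expected = [ordered]@{
    'SeTcbPrivilege'                  = @('Act as part of the operating system', 'None')
    'SeIncreaseQuotaPrivilege'        = @('Adjust memory quotas for a process', 'None')
    'SeBackupPrivilege'               = @('Back up files and directories', 'FTS_MAINTENANCE')
    'SeChangeNotifyPrivilege'         = @('Bypass traverse checking', 'None')
    'SeSystemtimePrivilege'           = @('Change the system time', 'FTS_MAINTENANCE')
    'SeCreatePagefilePrivilege'       = @('Create a page file', 'None')
    'SeCreateTokenPrivilege'          = @('Create a token object', 'None')
    'SeEnableDelegationPrivilege'     = @('Enable computer and user accounts to be trusted for delegation', 'FTS_MAINTENANCE')
    'SeRemoteShutdownPrivilege'       = @('Force shutdown from a remote system', 'None')
    'SeImpersonatePrivilege'          = @('Impersonate a Client after authentication', 'FTS_MAINTENANCE')
    'SeIncreaseBasePriorityPrivilege' = @('Increase scheduling priority', 'None')
    'SeLockMemoryPrivilege'           = @('Lock pages in memory', 'None')
    'SeSystemEnvironmentPrivilege'    = @('Modify firmware environment values', 'FTS_MAINTENANCE')
    'SeManageVolumePrivilege'         = @('Perform volume maintenance tasks', 'FTS_MAINTENANCE')
    'SeProfileSingleProcessPrivilege' = @('Profile single process', 'None')
    'SeSystemProfilePrivilege'        = @('Profile system performance', 'None')
    'SeAssignPrimaryTokenPrivilege'   = @('Replace a process level token', 'None')
    'SeRestorePrivilege'              = @('Restore files and directories', 'FTS_MAINTENANCE')
    'SeShutdownPrivilege'             = @('Shut down the system', 'FTS_MAINTENANCE')
    'SeSyncAgentPrivilege'            = @('Synchronize directory service data', 'None')
    'SeTakeOwnershipPrivilege'        = @('Take ownership of files or other objects', 'FTS_MAINTENANCE')
}

function Get-PrivilegeHolders {
    # secedit writes INI lines such as:  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    # Privileges that nobody holds are simply absent from the export.
    $inf = Join-Path $env:TEMP 'fts-user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $holders = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
            $priv  = $Matches[1]
            $names = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    # Entries are SIDs prefixed with '*'; translate to account names where possible.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry.Substring(1) }
                } else { $entry }
            }
            $holders[$priv] = @($names)
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $holders
}

function Test-FtsUserRights {
    $holders = Get-PrivilegeHolders
    foreach ($priv in $Expected.Keys) {
        $policy, $expected = $Expected[$priv]
        $current = if ($holders.ContainsKey($priv)) { $holders[$priv] } else { @() }
        $status = if ($expected -eq 'FTS_MAINTENANCE') {
            if ($current -match 'FTS_MAINTENANCE$') { 'OK' } else { 'MISSING FTS_MAINTENANCE' }
        } else { 'REVIEW' }
        [pscustomobject]@{
            Policy   = $policy
            Expected = $expected
            Current  = ($current -join ', ')
            Status   = $status
        }
    }
}

Test-FtsUserRights | Format-Table -AutoSize -Wrap
```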


8.7 Disabling the Guest account


The Guest account must be disabled and the password must be both long and complex. The
password should have at least 15 characters and should contain lowercase and uppercase
alphanumeric characters and special symbols.
Contact the network administrator and verify if the Guest account is disabled.


8.8 Restricting access to audit logs


Only authorized administrative and service personnel should have access to the following
audit logs:
• Application logs
• Security logs
• System logs
Follow these steps to restrict access to audit logs:
1. Log on to Windows as a user with administrative rights.
2. In Windows Explorer, navigate to the following folder:
%systemroot%\System32\Winevt\Logs
3. Right-click [Application] and select [Properties].
4. In the dialog box that appears, click the [Security] tab.
5. Verify that Full control is granted to Administrators, SYSTEM, EventLog, and other
appropriate user groups.
6. Click [Advanced].
7. In the dialog box that appears, verify that the [Allow Inheritable Permissions from Parent
to Propagate to this Object] check box is cleared.
8. Repeat steps 3 to 7 for Security and System logs.
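As an added example that is not part of this guide, the following Windows PowerShell script reads the ACL of each log file and reports the two conditions of steps 5 and 7: Full control for Administrators, SYSTEM and EventLog, and inheritance from the parent folder cleared. The function name is this example's own; run it elevated.

```powershell
# Added example (not from the Yokogawa guide): check the ACL of the Application,
# Security and System log files against steps 5 and 7 of section 8.8.
$LogDir      = Join-Path $env:SystemRoot 'System32\Winevt\Logs'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# Identities named in step 5, spelled the way Get-Acl reports them.
$Required    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\EventLog')

function Test-FtsLogAcl {
    param([Parameter(Mandatory)][string]$LogName)
    $acl = Get-Acl -Path (Join-Path $LogDir "$LogName.evtx")

    # Identities whose Allow rule carries every right contained in FullControl.
    $fullHolders = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $FullControl) -eq $FullControl } |
        ForEach-Object { $_.IdentityReference.Value })

    $missing = @($Required | Where-Object { $fullHolders -notcontains $_ })

    # "Other appropriate user groups" (step 5) is a site decision, so every
    # identity beyond the three required ones is listed for review.
    $others = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $Required -notcontains $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        Log                 = $LogName
        InheritanceDisabled = $acl.AreAccessRulesProtected   # step 7
        MissingFullControl  = ($missing -join ', ')
        OtherIdentities     = ($others -join ', ')
        Compliant           = ($acl.AreAccessRulesProtected -and $missing.Count -eq 0)
    }
}

'Application', 'Security', 'System' |
    ForEach-Object { Test-FtsLogAcl -LogName $_ } |
    Format-Table -AutoSize -Wrap
```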


8.9 Configuring advanced audit policy settings

Audit logs may contain information about the system usage and location of objects that could
be used as a basis for an attack.
Follow these steps to configure advanced audit policy settings:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The policies related to security options are displayed.
4. Disable the following settings:
• Audit: Audit the access of global system objects
• Audit: Shut down system immediately if unable to log security audits
5. Close the Local Security Policy window.


8.10 Restricting access to removable media


The permission to format and eject removable media should be granted to appropriate
administrative groups only.
Follow these steps to restrict access to removable media:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The policies related to security options are displayed.
4. Double-click [Devices: Allowed to format and eject removable media].
5. In the dialog box that appears, select an appropriate administrative user group and click
[OK].
6. Close the Local Security Policy window.


8.11 Making the screen saver password protection immediate

The password protection for the screen saver should be applied immediately without any
grace period.
Follow these steps to apply immediate password protection for the screen saver:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4. Verify that the subkey "ScreenSaverGracePeriod" exists and its value is set to 0.
5. Close the Registry Editor.


8.12 Configuring the SNMP service settings


To reduce potential attacks on the SNMP interface, the SNMP service should be disabled. If
you must enable the SNMP service, change the default community names to hide them from
potential attackers.
Follow these steps to configure the SNMP service settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Services window.
3. Double-click [SNMP Service].
4. In the dialog box that appears, click the [Security] tab.
5. Verify that the default PUBLIC and PRIVATE community names are not used.
If the default names are used, change the PUBLIC and PRIVATE community names.
6. Verify that [Accept SNMP packets from these hosts] is selected.
7. Close the Services window.


8.13 Configuring SSL registry settings


Due to known vulnerabilities, the use of SSL 2.0 or SSL 3.0 is prohibited and should be
disabled.
Follow these steps to disable SSL 2.0 or SSL 3.0:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
4. Verify that the SSL settings are configured as follows:

Table 8.13-1 SSL settings

Key | Name | Type | Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client | Enabled | REG_SZ | 0

5. Close the Registry Editor.


8.14 Configuring TLS registry settings


TLS 1.0 and TLS 1.1 must be disabled and TLS 1.2 must be enabled. A server that cannot
use TLS 1.2 should be registered as an exception in the IT environment and isolated
accordingly.
Follow these steps to configure the TLS registry settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
4. Verify that the TLS settings are configured as follows:

Table 8.14-1 TLS settings

Key | Name | Type | Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | Enabled | REG_SZ | 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client | Enabled | REG_SZ | 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Enabled | REG_SZ | 1

5. Close the Registry Editor.
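As an added example that is not part of this guide, the following Windows PowerShell script verifies the SCHANNEL values of both Table 8.13-1 (section 8.13) and Table 8.14-1 (this section) in one pass, so that the Registry Editor steps of the two sections can be checked together. The function name is this example's own; run it elevated.

```powershell
# Added example (not from the Yokogawa guide): verify the Enabled value under
# each SCHANNEL protocol key listed in Tables 8.13-1 and 8.14-1.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected 'Enabled' data per protocol, identical for the Server and Client
# subkeys, as given in the two tables.
$Expected = [ordered]@{
    'SSL 2.0' = '0'
    'SSL 3.0' = '0'
    'TLS 1.0' = '0'
    'TLS 1.1' = '0'
    'TLS 1.2' = '1'
}

function Test-FtsSchannel {
    foreach ($protocol in $Expected.Keys) {
        foreach ($side in 'Server', 'Client') {
            $key  = Join-Path $Base "$protocol\$side"
            $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
            # A missing key or value means the operating-system default applies,
            # which is not the explicit setting the tables call for, so it is
            # reported as non-compliant. The tables list the type as REG_SZ; the
            # data is compared as text so an existing REG_DWORD 0/1 also passes.
            $current = if ($null -ne $item) { [string]$item.Enabled } else { '<not set>' }
            [pscustomobject]@{
                Protocol  = $protocol
                Side      = $side
                Expected  = $Expected[$protocol]
                Current   = $current
                Compliant = ($current -eq $Expected[$protocol])
            }
        }
    }
}

Test-FtsSchannel | Format-Table -AutoSize
```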


8.15 Securing registry keys for programs that run during startup

Unauthorized users should not have access to the list of programs that run during startup.
Follow these steps to secure the registry keys for programs that run during startup:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. Verify that appropriate security settings are configured for the following registry keys:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
4. Close the Registry Editor.


8.16 Securing AllowedPaths and AllowedExactPaths registry keys

The AllowedPaths and AllowedExactPaths registry keys control which registry paths can be
accessed remotely. If these keys are modified, additional registry keys can be accessed remotely.
Therefore, the permission to modify these keys should be granted to the appropriate administrative
group only.
Follow these steps to secure the AllowedPaths and AllowedExactPaths registry keys:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\
4. Perform these steps for the AllowedPaths and AllowedExactPaths folders:
a. Right-click the folder and select [Permissions].
b. Verify that Full Control is allowed for the Administrators user group.
c. Review additional users and groups for appropriate access. (*1)
d. Click [OK].
e. On the right pane, right-click [Machine] and select [Modify].
f. In the Edit Multi-String dialog box, set and verify the allowed paths. (*1)
5. Close the Registry Editor.
*1:
• The default Allowed Paths are as follows:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLAP Server
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ContentIndex
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\UserConfig
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SysmonLog
• The default Allowed Exact Paths are as follows:
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Server Applications
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion


8.17 Disabling "Everyone" group permissions for anonymous users

If anonymous users are granted "Everyone" group permissions, they can access all the
resources that are allowed for the "Everyone" group, which could be a possible security threat.
Follow these steps to disable "Everyone" group permissions for anonymous users:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Network access: Let Everyone permissions
apply to anonymous users] and select [Disabled].
5. Close the Local Security Policy window.


8.18 Removing unwanted network protocols


To reduce potential network attacks on a Server computer, unwanted applications, services,
and network protocols should be removed.
Follow these steps to remove unwanted network protocols from the Server computer:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Network and Sharing Center].
3. On the navigation pane, select [Change adapter settings].
The Network Connections window appears, displaying the available network interfaces.
4. Right-click each network interface and select [Properties].
5. In the dialog box that appears, select the following check boxes and click [Uninstall].
• AppleTalk
• DLC
• NetBEUI
• NWLink
A dialog box appears, asking if you want to uninstall the selected item.
6. Click [Yes].
The selected network protocols are uninstalled.
7. Close the Network Connections window.


8.19 Deploying TCP/IP protocol settings


If TCP/IP is installed on a computer, the TCP/IP protocol settings must be deployed to
enhance network security. However, this must be considered on a case-by-case basis
because there could be policies or connection requirements that limit the types of settings to
be applied.
Follow these steps to deploy TCP/IP protocol settings:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
4. Verify that appropriate values are assigned for each parameter.
5. Close the Registry Editor.


8.20 Enabling safe DLL search order


It is possible to attack a computer by installing malicious DLLs to a system and then allowing
the system to locate them by using default search paths. Safe DLL search prevents the system
from locating DLLs outside the installation folder and known system folders.
Follow these steps to enable safe DLL search order:
1. Log on to your computer as a user with administrative rights.
2. Open the Registry Editor of your computer.
3. On the navigation pane, navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\
4. Configure the following settings:
Name: SafeDllSearchMode
Type: DWORD
Data: 1
5. Close the Registry Editor.


8.21 Using NTFS on all non-removable partitions

NTFS is the primary file system for recent versions of Windows. This file system has more
features than FAT. NTFS should be used on all non-removable partitions. If there is a
compelling business need to use non-NTFS partitions, access to such partitions must be local
(not shared) or limited to appropriate administrative groups.
Follow these steps to convert a FAT partition to NTFS:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Command Prompt] and select [Run as Administrator].
The Command Prompt window appears.
3. Run the following command:
convert <partition name>: /fs:ntfs /v
For example, the command to use NTFS for the "E" drive is: convert E: /fs:ntfs /v


8.22 Enforcing password protection for third-party SMB Servers

SMB is a common method for remote file access. Ideally this should not be applied in an OT
environment. However, password protection must be enforced in case it is applied.
For centrally controlled domains, this control objective should be implemented within the
Group Policy Object (GPO) of the domain.
For member Servers that are not a part of the domain, these settings should be implemented
in the Local Computer Policy.
Follow these steps to enforce password protection for third-party SMB Servers:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Local
Security Policy].
The Local Security Policy window appears.
3. On the navigation pane, under Security Settings, select [Local Policies] > [Security
Options].
The security setting for each Security Option is displayed.
4. From the list of security settings, double-click [Microsoft network Client: Send
unencrypted password to third party SMB Servers] and select [Disabled].
5. Close the Local Security Policy window.


8.23 Setting unique password for each Administrator account

It is not recommended to use the same password across multiple systems and services. The
Administrator account should therefore have a unique password on each Server.
Verify with the network administrator that account passwords at administrator level are unique
across all managed Servers.
Follow these steps to set a unique password for each Administrator-level account:
1. Log on to Windows as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Administrative Tools] > [Computer
Management].
The Computer Management window appears.
3. On the navigation pane, expand [System Tools] > [Local Users and Groups].
4. In the Name section, double-click [Users].
5. Right-click the [Administrator] user account and select [Set Password].
If a warning message is displayed, click [Proceed].
6. In the dialog box that appears, type a unique password in the New Password and
Confirm Password boxes respectively, and then click [OK].
7. Close the Computer Management window.


8.24 Setting up advanced personal firewall


When you run the IT Security Tool, the inbound personal firewall rules are applied. In addition,
you must define the outbound rules to prevent sending sensitive information from your
computer.
Follow these steps to define the outbound rules for the Windows firewall:
1. Log on to your computer as a user with administrative rights.
2. In the Small icons view of the Control Panel, select [Windows Firewall].
The Windows Firewall window appears.
3. On the left pane, select [Advanced settings].
The Windows Firewall with Advanced Security window appears.
4. On the left pane, right-click [Windows Firewall with Advanced Security] and select
[Properties].
5. In the dialog box that appears, from the Outbound connections drop-down list, select
[Block] for each of the following tabs:
• Domain Profile
• Private Profile
• Public Profile
6. Click [OK].


Appendix 1. IT security setting items


This section describes the security setting items that are configured by using the IT Security
Tool, their default values, and whether they can be modified.


Appendix 1.1 Security setting items in FAST/TOOLS computer

This section describes the security setting items that are configured by using the IT Security
Tool, their default values, and whether they can be modified for the following computers:
• SCADA Server
• Web HMI Server
• Front-end Server
• Web HMI Client
• Mobile Client

■ Security setting items for Standard model with Standalone management


The following table shows the security setting items for the Standard model with Standalone
management.

Table Appendix 1.1-1 Standard Model - Standalone Management

Setting item | Default check box state | Modification
Creating local users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Disable 'Personal Firewall-[Allow unicast response]' | Clear | Editable
Disabling NetBIOS over TCP/IP | Clear | Editable
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
Applying the software restriction policies | Clear | Editable
User Rights Assignment-[Deny log on locally] | Selected | Fixed
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Fixed
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Selected | Editable
Security Options-[Microsoft network Server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Selected | Editable
Group Policy-[Configure registry policy processing] | Selected | Editable
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Event Viewer "Events.asp" links] | Selected | Editable
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Selected | Editable
Internet Communication settings-[Turn off printing over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Search Companion content file updates] | Selected | Editable
Internet Communication settings-[Turn off the "Publish to Web" task for files and folders] | Selected | Editable
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Selected | Fixed
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Selected | Fixed
Logon-[Do not display network selection UI] | Selected | Editable
Logon-[Do not enumerate connected users on domain-joined computers] | Selected | Editable
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Selected | Editable
Logon-[Turn off app notifications on the lock screen] | Selected | Editable
Mitigation Options-[Untrusted Font Blocking] | Selected | Editable
User Profiles-[Turn off the advertising ID] | Selected | Editable
App Privacy-[Let Windows apps access account information] | Selected | Editable
App Privacy-[Let Windows apps access call history] | Selected | Editable
App Privacy-[Let Windows apps access contacts] | Selected | Editable
App Privacy-[Let Windows apps access email] | Selected | Editable
App Privacy-[Let Windows apps access location] | Selected | Editable
App Privacy-[Let Windows apps access messaging] | Selected | Editable
App Privacy-[Let Windows apps access motion] | Selected | Editable
App Privacy-[Let Windows apps access the calendar] | Selected | Editable
App Privacy-[Let Windows apps access the camera] | Selected | Editable
App Privacy-[Let Windows apps access the microphone] | Selected | Editable
App Privacy-[Let Windows apps access trusted devices] | Selected | Editable
App Privacy-[Let Windows apps control radios] | Selected | Editable
App Privacy-[Let Windows apps sync with devices] | Selected | Editable
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Selected | Editable
AutoPlay Policies-[Turn off Autoplay] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Cloud Content-[Do not show Windows Tips] | Selected | Editable
Cloud Content-[Turn off Microsoft consumer experiences] | Selected | Editable
Data Collection and Preview Builds-[Allow Telemetry] | Selected | Editable
Data Collection and Preview Builds-[Disable pre-release features or settings] | Selected | Editable
Data Collection and Preview Builds-[Do not show feedback notifications] | Selected | Editable
Data Collection and Preview Builds-[Toggle user control over Insider builds] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
HomeGroup-[Prevent the computer from joining a homegroup] | Selected | Editable
OneDrive-[Prevent the usage of OneDrive for file storage] | Selected | Editable
OneDrive-[Save documents to OneDrive by default](Save documents to the local PC by default) | Selected | Editable
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Selected | Editable
Device and Resource Redirection-[Do not allow drive redirection] | Selected | Editable
Continues on the next page

TI 50A01A10-04EN 1st Edition : Sep. 18,2019-00


<Appendix 1.1 Security setting items in FAST/TOOLS computer > App.1-6
Table Appendix 1.1-1 Standard Model - Standalone Management (Table continued)
Default check box
Setting item Modification
state
Security-[Require secure RPC communication] Selected Editable
Security-[Require user authentication for remote connections by Selected Editable
using Network Level Authentication]
Disable ‘Search-[Allow Cortana]’ Selected Editable
Software Protection Platform-[Turn off KMS Client Online AVS Selected Editable
Validation]
Sync your settings-[Do not sync Apps] Selected Editable
Sync your settings-[Do not sync start settings] Selected Editable
Disable 'Windows Error Reporting-[Automatically send memory Selected Fixed
dumps for OS-generated error reports]'
Disable 'Windows Logon Options-[Sign'-in last interactive user Selected Editable
automatically after a system'-initiated restart]'
Notifications-[Turn off toast notifications on the lock screen] Selected Editable

 Security setting items for Standard model with Domain or Combination management

The following table shows the security setting items for the Standard model with Domain or
Combination management.

Table Appendix 1.1-2 Standard Model - Domain/Combination Management


Setting item | Default check box state | Modification
Creating local users and groups | Selected | Fixed
Creating domain users and groups | Selected | Fixed
Access control for files and folders | Selected | Fixed
Access control for product registry | Selected | Fixed
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Disable 'Personal Firewall-[Allow unicast response]' | Clear | Editable
Disabling NetBIOS over TCP/IP | Selected | Fixed
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
Applying the software restriction policies | Clear | Editable
User Rights Assignment-[Deny log on locally] | Selected | Fixed
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Fixed
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Selected | Editable
Security Options-[Microsoft network Server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
WLAN Settings-[Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services] | Selected | Editable
Group Policy-[Configure registry policy processing] | Selected | Editable
Internet Communication settings-[Turn off downloading of print drivers over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Event Viewer "Events.asp" links] | Selected | Editable
Internet Communication settings-[Turn off Internet download for Web publishing and online ordering wizards] | Selected | Editable
Internet Communication settings-[Turn off printing over HTTP] | Selected | Editable
Internet Communication settings-[Turn off Search Companion content file updates] | Selected | Editable
Internet Communication settings-[Turn off the "Publish to Web" task for files and folders] | Selected | Editable
Internet Communication settings-[Turn off the Windows Customer Experience Improvement Program] | Selected | Fixed
Internet Communication settings-[Turn off the Windows Messenger Customer Experience Improvement Program] | Selected | Fixed
Logon-[Do not display network selection UI] | Selected | Editable
Logon-[Do not enumerate connected users on domain-joined computers] | Selected | Editable
Disable 'Logon-[Enumerate local users on domain-joined computers]' | Selected | Editable
Logon-[Turn off app notifications on the lock screen] | Selected | Editable
Mitigation Options-[Untrusted Font Blocking] | Selected | Editable
User Profiles-[Turn off the advertising ID] | Selected | Editable
App Privacy-[Let Windows apps access account information] | Selected | Editable
App Privacy-[Let Windows apps access call history] | Selected | Editable
App Privacy-[Let Windows apps access contacts] | Selected | Editable
App Privacy-[Let Windows apps access email] | Selected | Editable
App Privacy-[Let Windows apps access location] | Selected | Editable
App Privacy-[Let Windows apps access messaging] | Selected | Editable
App Privacy-[Let Windows apps access motion] | Selected | Editable
App Privacy-[Let Windows apps access the calendar] | Selected | Editable
App Privacy-[Let Windows apps access the camera] | Selected | Editable
App Privacy-[Let Windows apps access the microphone] | Selected | Editable
App Privacy-[Let Windows apps access trusted devices] | Selected | Editable
App Privacy-[Let Windows apps control radios] | Selected | Editable
App Privacy-[Let Windows apps sync with devices] | Selected | Editable
App runtime-[Block launching Windows Store apps with Windows Runtime API access from hosted content] | Selected | Editable
AutoPlay Policies-[Turn off Autoplay] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Cloud Content-[Do not show Windows Tips] | Selected | Editable
Cloud Content-[Turn off Microsoft consumer experiences] | Selected | Editable
Data Collection and Preview Builds-[Allow Telemetry] | Selected | Editable
Data Collection and Preview Builds-[Disable pre-release features or settings] | Selected | Editable
Data Collection and Preview Builds-[Do not show feedback notifications] | Selected | Editable
Data Collection and Preview Builds-[Toggle user control over Insider builds] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
HomeGroup-[Prevent the computer from joining a homegroup] | Selected | Editable
OneDrive-[Prevent the usage of OneDrive for file storage] | Selected | Editable
OneDrive-[Save documents to OneDrive by default] (Save documents to the local PC by default) | Selected | Editable
Remote Desktop Connection Client-[Do not allow passwords to be saved] | Selected | Editable
Device and Resource Redirection-[Do not allow drive redirection] | Selected | Editable
Security-[Require secure RPC communication] | Selected | Editable
Security-[Require user authentication for remote connections by using Network Level Authentication] | Selected | Editable
Disable 'Search-[Allow Cortana]' | Selected | Editable
Software Protection Platform-[Turn off KMS Client Online AVS Validation] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Fixed
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable
Notifications-[Turn off toast notifications on the lock screen] | Selected | Editable
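As an added example (editor's code, not part of this guide or of the IT Security Tool), the following PowerShell script reads back a subset of the items in Tables Appendix 1.1-1 and 1.1-2 so that an engineer can confirm the state of a FAST/TOOLS computer after the tool has been applied. The registry locations, the expected values and the use of auditpol are assumptions based on the standard Windows policy names, not values taken from this guide; compare the result with the IT Security Tool's own report.

```powershell
# Added example (editor's code, not part of this guide or of the IT Security Tool):
# read back a subset of the settings in Table Appendix 1.1-1 / 1.1-2 and report
# mismatches. Registry locations and expected values are assumptions based on the
# standard Windows policy names; verify them against the IT Security Tool's own
# report before relying on this script. Run in an elevated PowerShell session.

$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$tcpip        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$termServ     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$explorer     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Item abbreviates the table entry; Expected is the value the policy writes when
# set as the table describes (assumed).
$RegistryChecks = @(
    @{ Item = 'Interactive logon: Do not display last user name';         Path = $policySystem; Name = 'DontDisplayLastUserName';       Expected = 1 }
    @{ Item = "Disable 'Interactive logon: Do not require CTRL+ALT+DEL'"; Path = $policySystem; Name = 'DisableCAD';                    Expected = 0 }
    @{ Item = 'UAC: Admin Approval Mode for the Built-in Administrator';  Path = $policySystem; Name = 'FilterAdministratorToken';      Expected = 1 }
    @{ Item = 'Logon: Do not display network selection UI';               Path = $policySystem; Name = 'DontDisplayNetworkSelectionUI'; Expected = 1 }
    @{ Item = "Disable 'Sign-in last interactive user automatically'";    Path = $policySystem; Name = 'DisableAutomaticRestartSignOn'; Expected = 1 }
    @{ Item = 'Network access: No anonymous enumeration of SAM accounts';            Path = $lsa; Name = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Item = 'Network access: No anonymous enumeration of SAM accounts and shares'; Path = $lsa; Name = 'RestrictAnonymous';    Expected = 1 }
    @{ Item = 'Network access: No storage of passwords and credentials';             Path = $lsa; Name = 'DisableDomainCreds';   Expected = 1 }
    @{ Item = 'MSS: DisableIPSourceRouting (2 = highest protection, assumed)';       Path = $tcpip; Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Item = 'Security: Require secure RPC communication';               Path = $termServ; Name = 'fEncryptRPCTraffic';   Expected = 1 }
    @{ Item = 'Security: Require NLA for remote connections';             Path = $termServ; Name = 'UserAuthentication';   Expected = 1 }
    @{ Item = 'Device and Resource Redirection: No drive redirection';    Path = $termServ; Name = 'fDisableCdm';          Expected = 1 }
    @{ Item = 'RDC Client: Do not allow passwords to be saved';           Path = $termServ; Name = 'DisablePasswordSaving'; Expected = 1 }
    @{ Item = 'AutoPlay Policies: Turn off Autoplay (all drives)';        Path = $explorer; Name = 'NoDriveTypeAutoRun';   Expected = 255 }
    @{ Item = 'AutoPlay Policies: Disallow Autoplay for non-volume devices'; Path = $explorer; Name = 'NoAutoplayfNonVolume'; Expected = 1 }
)

# Advanced Audit Policy subcategories from the table, without the leading 'Audit '.
$AuditSubcategories = @(
    'Credential Validation', 'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management', 'Process Creation',
    'Account Lockout', 'Logoff', 'Logon', 'Other Logon/Logoff Events', 'Special Logon',
    'Removable Storage', 'Audit Policy Change', 'Authentication Policy Change',
    'Filtering Platform Policy Change', 'MPSSVC Rule-Level Policy Change',
    'Other Policy Change Events', 'Sensitive Privilege Use', 'Other System Events',
    'Security State Change', 'Security System Extension', 'System Integrity'
)

function Test-FtsRegistrySettings {
    param([hashtable[]]$Checks = $RegistryChecks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            $props = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($c.Name) }
        }
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Status = $status; Item = $c.Item; Expected = $c.Expected; Actual = $shown }
    }
}

function Test-FtsAuditSubcategories {
    param([string[]]$Subcategories = $AuditSubcategories)
    # auditpol /r emits CSV; 'Inclusion Setting' reads 'No Auditing' for a disabled subcategory.
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $Subcategories) {
        $row     = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { '(subcategory not found)' }
        $status  = if ($row -and $setting -ne 'No Auditing') { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Status = $status; Item = "Audit $name"; Expected = 'Success and/or Failure'; Actual = $setting }
    }
}

$results = @(Test-FtsRegistrySettings) + @(Test-FtsAuditSubcategories)
$results | Format-Table -Property Status, Item, Expected, Actual -AutoSize
$mismatches = @($results | Where-Object { $_.Status -ne 'OK' }).Count
Write-Host "$mismatches of $($results.Count) checked items differ from the expected state."
exit ([int]($mismatches -gt 0))
```

A non-zero exit code makes the script usable as a post-configuration gate in a deployment checklist; items marked Editable in the table may legitimately differ if the project changed them.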



Appendix 1.2 Security setting items in Domain Controller

This section describes the security setting items that are configured by using the IT Security
Tool, their default values, and whether they can be modified for the Domain Controller.

 Security setting items for Standard model with Domain or Combination management

The following table shows the security setting items for the combination of Standard model
and Domain or Combination management.

Table Appendix 1.2-1 Domain Controller: Standard Model - Domain/Combination Management


Setting item | Default check box state | Modification
Creating domain users and groups | Selected | Fixed
Access control for files and folders | Selected | Editable
Access control for DCOM (OPC) objects | Selected | Fixed
Personal firewall tuning | Selected | Fixed
Disable 'Personal Firewall-[Allow unicast response]' | Selected | Editable
Disabling NetBIOS over TCP/IP | Selected | Editable
Applying the StorageDevicePolicies function | Clear | Editable
Disabling USB storage devices | Clear | Editable
User Rights Assignment-[Access this computer from the network] | Selected | Editable
User Rights Assignment-[Add workstations to domain] | Selected | Editable
Security Options-[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings] | Selected | Editable
Security Options-[Devices: Prevent users from installing printer drivers] | Selected | Editable
Security Options-[Devices: Restrict CD-ROM access to locally logged-on user only] | Selected | Editable
Security Options-[Devices: Restrict floppy access to locally logged-on user only] | Selected | Editable
Disable 'Security Options-[Domain Controller: Allow Server operators to schedule tasks]' | Selected | Editable
Disable 'Security Options-[Domain Controller: Refuse machine account password changes]' | Selected | Editable
Security Options-[Domain member: Require strong (Windows 2000 or later) session key] | Selected | Editable
Security Options-[Interactive logon: Do not display last user name] | Selected | Editable
Disable 'Security Options-[Interactive logon: Do not require CTRL+ALT+DEL]' | Selected | Editable
Security Options-[Interactive logon: Prompt user to change password before expiration] | Selected | Editable
Security Options-[Microsoft network Server: Digitally sign communications (if Client agrees)] | Selected | Editable
Security Options-[Microsoft network Server: Server SPN target name validation level] | Selected | Editable
[MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)] | Selected | Editable
Disable [MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)] | Selected | Editable
[MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts] | Selected | Editable
Security Options-[Network access: Do not allow anonymous enumeration of SAM accounts and shares] | Selected | Editable
Security Options-[Network access: Do not allow storage of passwords and credentials for network authentication] | Selected | Editable
Security Options-[Network security: Allow Local System to use computer identity for NTLM] | Selected | Editable
Disable 'Security Options-[Network security: Allow LocalSystem NULL session fallback]' | Selected | Editable
Security Options-[Network security: Force logoff when logon hours expire] | Selected | Editable
Security Options-[Network security: LAN Manager authentication level] | Selected | Fixed
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients] | Selected | Editable
Security Options-[Network security: Minimum session security for NTLM SSP based (including secure RPC) Servers] | Selected | Editable
Disable 'Security Options-[Shutdown: Allow system to be shut down without having to log on]' | Selected | Editable
Security Options-[User Account Control: Admin Approval Mode for the Built-in Administrator account] | Selected | Editable
Security Options-[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Credential Validation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Computer Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Account Management Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security Group Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit User Account Management] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Process Creation] | Selected | Editable
Advanced Audit Policy Configuration-[Audit RPC Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Directory Service Access] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Directory Service Changes] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Account Lockout] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logoff] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Logon/Logoff Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Special Logon] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Application Generated] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Removable Storage] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Audit Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Authentication Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Filtering Platform Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit MPSSVC Rule-Level Policy Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other Policy Change Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Sensitive Privilege Use] | Selected | Editable
Advanced Audit Policy Configuration-[Audit IPsec Driver] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Other System Events] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security State Change] | Selected | Editable
Advanced Audit Policy Configuration-[Audit Security System Extension] | Selected | Editable
Advanced Audit Policy Configuration-[Audit System Integrity] | Selected | Editable
Personalization-[Prevent enabling lock screen camera] | Selected | Editable
Personalization-[Prevent enabling lock screen slide show] | Selected | Editable
Logon-[Do not display network selection UI] | Selected | Editable
AutoPlay Policies-[Disallow Autoplay for non-volume devices] | Selected | Editable
Event Log Service(Application)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(Security)-[Specify the maximum log file size (KB)] | Selected | Editable
Event Log Service(System)-[Specify the maximum log file size (KB)] | Selected | Editable
File Explorer-[Turn off heap termination on corruption] | Selected | Editable
Security-[Require secure RPC communication] | Selected | Editable
Store-[Turn off Automatic Download and Install of updates] | Selected | Editable
Store-[Turn off Automatic Download of updates on Win8 machines] | Selected | Editable
Store-[Turn off the offer to update to the latest version of Windows] | Selected | Editable
Store-[Turn off the Store application] | Selected | Editable
Sync your settings-[Do not sync Apps] | Selected | Editable
Sync your settings-[Do not sync start settings] | Selected | Editable
Disable 'Windows Error Reporting-[Automatically send memory dumps for OS-generated error reports]' | Selected | Editable
Disable 'Windows Logon Options-[Sign-in last interactive user automatically after a system-initiated restart]' | Selected | Editable


Appendix 2. Additional information


This section provides additional information for configuring the IT security settings.


Appendix 2.1 Notes on security packs and security updates
FAST/TOOLS should be installed and tested on a defined patch level for the project. If additional
updates are required or critical fixes are released, Yokogawa must first validate the relevance of
such fixes and test FAST/TOOLS on the patched system to confirm that its functionality is not
adversely affected. Therefore, it is recommended to turn off the Windows automatic updates
feature, because only approved fixes should be installed. Instructions on how to change these
settings can be found on the Microsoft homepage.
Yokogawa maintains a list of security updates that have been tested and evaluated. Before
applying Windows updates, obtain this list from YHQ or your nearest Yokogawa Center of
Excellence.
Follow these steps to view the list of Windows updates on your computer:
1. In the Control Panel, select [Programs and Features].
2. On the navigation pane, select [View installed updates].
A list of updates is displayed.
3. Compare the displayed list of Windows updates with the list that you obtain from
Yokogawa.
4. Add or remove the Windows updates accordingly.
NOTE
The above method is for standalone computers. Alternatively, automatic Windows updates can be
configured by using centralized servers (similar to centralized antivirus pattern updates).
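The comparison in steps 2 and 3, as an added PowerShell example (editor's code, not part of this guide): it lists the updates installed on the computer, compares them with the tested list obtained from Yokogawa, and checks that automatic updates are disabled by policy. The path of the list file and its format (one KB number per line, '#' comments) are assumptions; the list itself must come from Yokogawa.

```powershell
# Added example (editor's code, not part of this guide): compare the Windows updates
# installed on this computer with the list of tested updates obtained from Yokogawa,
# and confirm that automatic updates are turned off by policy. The list file path and
# its format (one KB number per line, '#' comments) are assumptions; the list itself
# must come from YHQ or the Yokogawa Center of Excellence.

function Get-ApprovedKb {
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path |
        ForEach-Object { ($_ -split '#', 2)[0].Trim().ToUpper() } |
        Where-Object { $_ -match '^KB\d+$' }
}

function Get-InstalledKb {
    # Two sources, merged: Get-HotFix (the OS updates that 'View installed updates'
    # shows) and the Windows Update history, which also names the updates delivered
    # as cumulative packages. History entries count only when they record a
    # successful installation (Operation 1 = install, ResultCode 2 = succeeded).
    $fromHotFix  = Get-HotFix | ForEach-Object { $_.HotFixID }
    $session     = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher    = $session.CreateUpdateSearcher()
    $count       = $searcher.GetTotalHistoryCount()
    $fromHistory = @()
    if ($count -gt 0) {
        $fromHistory = $searcher.QueryHistory(0, $count) |
            Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
            ForEach-Object { [regex]::Matches($_.Title, 'KB\d+') } |
            ForEach-Object { $_.Value }
    }
    @($fromHotFix) + @($fromHistory) | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique
}

function Compare-FtsUpdates {
    param([string[]]$Approved, [string[]]$Installed)
    $approvedSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Approved))
    $installedSet = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Installed))
    [pscustomobject]@{
        # In the Yokogawa list but not on the computer: install (step 4, add).
        Missing    = @($Approved  | Where-Object { -not $installedSet.Contains($_) })
        # On the computer but not in the list: review with Yokogawa (step 4, remove).
        Unapproved = @($Installed | Where-Object { -not $approvedSet.Contains($_) })
    }
}

function Test-AutomaticUpdatesDisabled {
    # 'Configure Automatic Updates: Disabled' writes NoAutoUpdate = 1 under the AU policy key.
    $au    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $value = (Get-ItemProperty -Path $au -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue).NoAutoUpdate
    return ($value -eq 1)
}

$approved  = Get-ApprovedKb -Path 'C:\FTS\approved-updates.txt'   # assumed location of the Yokogawa list
$installed = Get-InstalledKb
$diff      = Compare-FtsUpdates -Approved $approved -Installed $installed

"Approved updates not installed : $($diff.Missing -join ', ')"
"Installed updates not approved : $($diff.Unapproved -join ', ')"
if (-not (Test-AutomaticUpdatesDisabled)) {
    Write-Warning 'Automatic Windows updates are not disabled by policy; unapproved fixes may be installed.'
}
```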

 Antivirus software

It is recommended to install only the antivirus software verified by Yokogawa on the terminals
connected to the FAST/TOOLS system and the Domain Controller. You can contact
Yokogawa for applying the antivirus software. Updating the search engine or pattern file of the
antivirus software may lead to restarting the computer or other unexpected issues. Therefore,
you must check the behavior of the antivirus software update on a test computer before
applying the antivirus on the FAST/TOOLS computer.


Appendix 2.2 User account management when security model is changed
The IT Security Tool creates the user group accounts for FAST/TOOLS based on the selected
user management type. If you want to change the user management type, the existing user
group accounts for FAST/TOOLS should be deleted or renamed.
The following table describes how to manage the user group accounts when the user
management type is changed to Standalone management.

Table Appendix 2.2-1 When user management type is changed to Standalone management
User accounts | From Domain management | From Combination management
FTS_OPERATOR / FTS_OPERATOR_LCL | FTS_OPERATOR: Add the user account; FTS_OPERATOR_LCL: - | Rename from FTS_OPERATOR_LCL to FTS_OPERATOR
FTS_ENGINEER / FTS_ENGINEER_LCL | FTS_ENGINEER: Add the user account; FTS_ENGINEER_LCL: - | Rename from FTS_ENGINEER_LCL to FTS_ENGINEER
FTS_MAINTENANCE / FTS_MAINTENANCE_LCL | Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE | Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE
FTS_OPC / FTS_OPC_LCL | FTS_OPC: Add the user account; FTS_OPC_LCL: - | Rename from FTS_OPC_LCL to FTS_OPC

The following table describes how to manage the user group accounts when the user
management type is changed to Domain management.

Table Appendix 2.2-2 When user management type is changed to Domain management
User accounts | From Standalone management | From Combination management
FTS_OPERATOR / FTS_OPERATOR_LCL | FTS_OPERATOR: Delete the user account; FTS_OPERATOR_LCL: - | FTS_OPERATOR: -; FTS_OPERATOR_LCL: Delete the user account
FTS_ENGINEER / FTS_ENGINEER_LCL | FTS_ENGINEER: Delete the user account; FTS_ENGINEER_LCL: - | FTS_ENGINEER: -; FTS_ENGINEER_LCL: Delete the user account
FTS_MAINTENANCE / FTS_MAINTENANCE_LCL | Rename from FTS_MAINTENANCE to FTS_MAINTENANCE_LCL | FTS_MAINTENANCE: -; FTS_MAINTENANCE_LCL: Use existing FTS_MAINTENANCE_LCL
FTS_OPC / FTS_OPC_LCL | FTS_OPC: Delete the user account; FTS_OPC_LCL: - | FTS_OPC: -; FTS_OPC_LCL: Delete the user account

The following table describes how to manage the user group accounts when the user
management type is changed to Combination management.

Table Appendix 2.2-3 When user management type is changed to Combination management
User accounts | From Standalone management | From Domain management
FTS_OPERATOR / FTS_OPERATOR_LCL | Rename from FTS_OPERATOR to FTS_OPERATOR_LCL | FTS_OPERATOR: -; FTS_OPERATOR_LCL: Add the user account
FTS_ENGINEER / FTS_ENGINEER_LCL | Rename from FTS_ENGINEER to FTS_ENGINEER_LCL | FTS_ENGINEER: -; FTS_ENGINEER_LCL: Add the user account
FTS_MAINTENANCE / FTS_MAINTENANCE_LCL | Rename from FTS_MAINTENANCE to FTS_MAINTENANCE_LCL | FTS_MAINTENANCE: -; FTS_MAINTENANCE_LCL: Use existing FTS_MAINTENANCE_LCL
FTS_OPC / FTS_OPC_LCL | Rename from FTS_OPC to FTS_OPC_LCL | FTS_OPC: -; FTS_OPC_LCL: Add the user account
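The three tables above encoded as a migration plan, as an added PowerShell example (editor's code, not part of this guide or of the IT Security Tool). It assumes the FTS_* names are local security groups on the FAST/TOOLS computer and that the domain-side groups are handled by the IT Security Tool; every step is checked before anything is changed, and nothing is changed unless -Apply is given.

```powershell
# Added example (editor's code, not part of this guide or of the IT Security Tool):
# Tables Appendix 2.2-1 to 2.2-3 as a migration plan with a dry run by default.
# Assumptions: the FTS_* names are local security groups on the FAST/TOOLS computer
# (LocalAccounts cmdlets are used); domain-side groups are left to the IT Security
# Tool. Run elevated. 'Delete' discards the group's membership; record it first.

# $Plan[Target][Source] = ordered steps taken from the three tables.
$Plan = @{
    Standalone = @{
        Domain      = @(@{Op='Add';Name='FTS_OPERATOR'}, @{Op='Add';Name='FTS_ENGINEER'},
                        @{Op='Rename';From='FTS_MAINTENANCE_LCL';To='FTS_MAINTENANCE'},
                        @{Op='Add';Name='FTS_OPC'})
        Combination = @(@{Op='Rename';From='FTS_OPERATOR_LCL';To='FTS_OPERATOR'},
                        @{Op='Rename';From='FTS_ENGINEER_LCL';To='FTS_ENGINEER'},
                        @{Op='Rename';From='FTS_MAINTENANCE_LCL';To='FTS_MAINTENANCE'},
                        @{Op='Rename';From='FTS_OPC_LCL';To='FTS_OPC'})
    }
    Domain = @{
        Standalone  = @(@{Op='Delete';Name='FTS_OPERATOR'}, @{Op='Delete';Name='FTS_ENGINEER'},
                        @{Op='Rename';From='FTS_MAINTENANCE';To='FTS_MAINTENANCE_LCL'},
                        @{Op='Delete';Name='FTS_OPC'})
        Combination = @(@{Op='Delete';Name='FTS_OPERATOR_LCL'}, @{Op='Delete';Name='FTS_ENGINEER_LCL'},
                        @{Op='Keep';Name='FTS_MAINTENANCE_LCL'},
                        @{Op='Delete';Name='FTS_OPC_LCL'})
    }
    Combination = @{
        Standalone  = @(@{Op='Rename';From='FTS_OPERATOR';To='FTS_OPERATOR_LCL'},
                        @{Op='Rename';From='FTS_ENGINEER';To='FTS_ENGINEER_LCL'},
                        @{Op='Rename';From='FTS_MAINTENANCE';To='FTS_MAINTENANCE_LCL'},
                        @{Op='Rename';From='FTS_OPC';To='FTS_OPC_LCL'})
        Domain      = @(@{Op='Add';Name='FTS_OPERATOR_LCL'}, @{Op='Add';Name='FTS_ENGINEER_LCL'},
                        @{Op='Keep';Name='FTS_MAINTENANCE_LCL'},
                        @{Op='Add';Name='FTS_OPC_LCL'})
    }
}

function Test-LocalGroupExists {
    param([string]$Name)
    return [bool](Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue)
}

function Invoke-FtsGroupMigration {
    param(
        [ValidateSet('Standalone','Domain','Combination')][string]$From,
        [ValidateSet('Standalone','Domain','Combination')][string]$To,
        [switch]$Apply
    )
    if ($From -eq $To) { throw 'Source and target management type are the same.' }

    # Pass 1: check every precondition before touching anything, so a failure
    # cannot leave the computer half-way between two management types.
    $steps = foreach ($s in $Plan[$To][$From]) {
        switch ($s.Op) {
            'Add'    { $ok = -not (Test-LocalGroupExists $s.Name); $text = "add $($s.Name)" }
            'Delete' { $ok = Test-LocalGroupExists $s.Name;        $text = "delete $($s.Name)" }
            'Keep'   { $ok = Test-LocalGroupExists $s.Name;        $text = "keep existing $($s.Name)" }
            'Rename' { $ok = (Test-LocalGroupExists $s.From) -and -not (Test-LocalGroupExists $s.To)
                       $text = "rename $($s.From) to $($s.To)" }
        }
        [pscustomobject]@{ Step = $s; Text = $text; Ok = $ok }
    }
    $failed = @($steps | Where-Object { -not $_.Ok })
    if ($failed) { throw "Precondition failed, no changes made: $($failed.Text -join '; ')" }

    # Pass 2: apply (or only report, when -Apply is absent).
    foreach ($st in $steps) {
        if (-not $Apply) { "[dry run] $($st.Text)"; continue }
        switch ($st.Step.Op) {
            'Add'    { New-LocalGroup -Name $st.Step.Name -Description 'FAST/TOOLS group' | Out-Null }
            'Delete' { Remove-LocalGroup -Name $st.Step.Name }
            'Rename' { Rename-LocalGroup -Name $st.Step.From -NewName $st.Step.To }
        }
        "[applied] $($st.Text)"
    }
}

# Example: moving a Combination-managed computer back to Standalone management (dry run).
Invoke-FtsGroupMigration -From Combination -To Standalone
```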


Appendix 2.3 Tools for defining local policies


The following table describes the tools for defining local policies.

Table Appendix 2.3-1 Tools for defining local policies

Tool | Description
gpedit.msc | The Group Policy Object Editor. Use this msc to define group policy objects.
secpol.msc | The Local Security Policy editor. Use this msc to define security settings only.


Appendix 2.4 Stopping Windows services before configuring IT security settings
The IT Security Tool accesses the FAST/TOOLS resources and changes the user rights of
FAST/TOOLS user accounts. The following issues may occur if the IT security settings are
applied while FAST/TOOLS is running:
• The security settings may not be applied appropriately.
• FAST/TOOLS operations may behave unexpectedly.
Therefore, certain programs must be stopped before applying the IT security settings.
The following table lists these programs and the order in which they should be stopped.

Table Appendix 2.4-1 FAST/TOOLS programs

Order in which the program should be stopped | Program | Program type | Where used
1 | FAST/TOOLS service | Windows service | FAST/TOOLS Server
2 | Redundancy Guest Agent | Windows service | Computer Redundant platform
3 | BK SyncTime (*1) | Windows service | Vnet/IP driver
4 | BK Timerd (*1) | Windows service | Vnet/IP driver
5 | BK Vhfd (*1) | Windows service | Vnet/IP driver
6 | BK Vhfd_SM (*1) | Windows service | Vnet/IP driver
7 | BK VLmon (*1) | Windows service | Vnet/IP driver
8 | BK WDT (*1) | Windows service | Vnet/IP driver
*1: Applicable only when the Vnet/IP driver is installed.
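The stop sequence of Table Appendix 2.4-1, as an added PowerShell example (editor's code, not part of this guide). The table gives display names, so the script looks services up by DisplayName (an assumption about how they are registered) and skips the Vnet/IP driver services when they are not installed; it stops at the first failure so that later programs are never stopped while an earlier one is still running.

```powershell
# Added example (editor's code, not part of this guide): stop the programs in
# Table Appendix 2.4-1 in the listed order before launching the IT Security Tool.
# Services are looked up by DisplayName (an assumption); the Vnet/IP driver
# services (*1) are skipped when not installed. Run in an elevated session.

$StopOrder = @(
    'FAST/TOOLS service',        # 1    FAST/TOOLS Server
    'Redundancy Guest Agent',    # 2    Computer Redundant platform
    'BK SyncTime', 'BK Timerd', 'BK Vhfd', 'BK Vhfd_SM', 'BK VLmon', 'BK WDT'   # 3-8 Vnet/IP driver (*1)
)

function Stop-FtsServicesInOrder {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DisplayNames = $StopOrder, [int]$TimeoutSeconds = 120)
    foreach ($display in $DisplayNames) {
        $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Program = $display; Result = 'not installed, skipped' }
            continue
        }
        if ($svc.Status -eq 'Stopped') {
            [pscustomobject]@{ Program = $display; Result = 'already stopped' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($display, 'Stop service')) {
            # -ErrorAction Stop aborts the whole sequence on the first failure, so the
            # Vnet/IP services are not stopped while FAST/TOOLS itself is still running.
            Stop-Service -InputObject $svc -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
            [pscustomobject]@{ Program = $display; Result = "stopped (service name: $($svc.Name))" }
        }
    }
}

# Dry run first (-WhatIf only lists what would be stopped), then the real stop.
Stop-FtsServicesInOrder -WhatIf
Stop-FtsServicesInOrder | Format-Table -AutoSize
```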


Appendix 2.5 Options for running the IT Security Tool
The following table describes the options for running the IT Security Tool.

Table Appendix 2.5-1 Options for running the IT Security Tool

Option | Applicable components | Remarks
FAST/TOOLS and IT Security Tool | FAST/TOOLS Server. Security settings can be applied on any FAST/TOOLS Server. | FAST/TOOLS and IT Security Tool are installed; security settings can be applied after installing both packages.
IT Security for multi-product environment | FAST/TOOLS Client. Security settings can be applied on Web HMI Client (Remote Connect) and Mobile Client (HTML5 Client). | Only IT Security Tool is installed; security settings can be applied after installing Remote Connect.
Apply IT Security only | Security settings can be applied on Mobile Client (HTML5 Client) and Domain Controller. | IT Security Tool is not installed; IT Security Tool can be launched from the installation media and security settings can be applied.

NOTE
When the software restriction policy is applied to FAST/TOOLS with IT security settings, right-click
[fasttools-Rxx.yy-rzzzz-ITSecurity.exe] in the installation media and select [Run as administrator]
to launch the IT Security Tool.

 FAST/TOOLS and IT Security Tool

This option is to install the FAST/TOOLS Server, IT Security Tool, and IT security definition
file. The name of the IT security definition file is SERV. After installing both the packages, the
IT Security Tool is launched automatically.
NOTE
It is not possible to install the IT Security Tool only. If you select this option on a computer on which
FAST/TOOLS is already installed, you must follow the update procedure.

 IT Security for multi-product environment

This option is to install the IT Security Tool and IT security definition file. The name of the
definition file set is CLNT1. After installing the IT Security Tool, it is launched automatically.
NOTE
• If FAST/TOOLS Client is installed on a computer where other Yokogawa products are installed with IT
security, select this option. Never select “Apply IT Security only”.
• This option can be selected regardless of the Remote Connect installation. If Remote Connect is
installed after installing the IT Security Tool, you must apply the security settings again.


 Apply IT Security only


This option is for Mobile Client and Domain Controller. This enables you to launch the IT
Security Tool from the FAST/TOOLS installation media. The component (Client or Domain
Controller) to which security is applied can be selected after launching the IT Security Tool.
NOTE
When this option is used to launch the IT Security Tool, all the security settings for FAST/TOOLS programs
are changed. Therefore, it is recommended not to use this option in an environment where other products are
installed.


Revision information
● Title : TI 50A01A10-04EN
● Manual No. : USER/FAST IT Security Guide
Sep. 2019/1st Edition/R10.04 or later
Newly published.

 Written by Yokogawa Electric Corporation


 Published by Yokogawa Electric Corporation 2-9-32 Nakacho, Musashino-shi, Tokyo
180-8750, JAPAN
