FAST/TOOLS Windows IT Security Guide
TI 50A01A10-04EN
©Copyright Sep. 2019 (YK)
1st Edition Sep. 2019 (YK)
Introduction
The FAST/TOOLS Windows Security Guide describes the detailed security settings when
implementing IT security on a computer with FAST/TOOLS R10.04. IT security protects
YOKOGAWA products from existing and future security threats.
This FAST/TOOLS Windows Security Guide consists of the following sections:
• Overview
• Security models and user management types
• Details of security measures
• Precautions on operations
• Working with the IT Security Tool
• Other utility programs
• Connecting other Yokogawa products
• Optional IT security settings
Target audience
The intended readers of the FAST/TOOLS Windows Security Guide are FAST/TOOLS
engineers who want to strengthen the IT security for FAST/TOOLS R10.04 systems running
on Microsoft operating systems.
Safety precautions
• To protect the system controlled by the product and the product itself and ensure safe
operation, observe the safety precautions described in this user's manual. Yokogawa
Electric Corporation (hereinafter referred to as YOKOGAWA) assumes no liability for
safety if users fail to observe the safety precautions and instructions when operating the
product.
• If this product is used in a manner not specified in this user's manual, the protection
provided by this product may be impaired.
• If any protection or safety circuit is required for the system controlled by the product or for
the product itself, install it externally.
• Be sure to confirm the specifications and required settings of the devices that are used in
combination with the product by referring to the instruction manual or other documents of
the devices.
• Use only spare parts that are approved by YOKOGAWA when replacing parts or
consumables of the product.
• Do not use the product and accessories of the product such as power cords on devices
that are not approved by YOKOGAWA. Do not use the product and its accessories for
other purposes.
• Modification of the product is strictly prohibited.
• The following symbols are used in the product and user's manual to indicate the
accompanying safety precautions:
Indicates that caution is required. This symbol for the Product indicates the possibility
of dangers such as electric shock on personnel and equipment, and also indicates that
the user must refer to the user's manuals for necessary actions. In the user's manuals,
this symbol is used together with a word "CAUTION" or "WARNING" at the locations
where precautions for avoiding dangers are described.
Indicates that caution is required for hot surfaces. Note that the devices with this
symbol become hot. The risk of burn injury or some damages exists if the devices are
touched or contacted.
Identifies a protective grounding terminal. Before using the product, ground the
terminal.
Identifies a functional grounding terminal. Before using the product, ground the
terminal.
Indicates an AC supply.
Indicates a DC supply.
Indicates that a component such as a power supply switch is turned ON.
Notes on software
• YOKOGAWA makes no warranties, either expressed or implied, with respect to the
software’s merchantability or suitability for any particular purpose, except as strictly
provided in the terms of warranty.
• The software may be used only on the specified computer. If you need to use the
software on another computer, you must purchase another software.
• It is strictly prohibited and an infringement of YOKOGAWA's Intellectual Property rights to
reproduce the software except for the purpose of backup.
• Store all the original media that comes with the product in a safe place.
• It is strictly prohibited and an infringement of YOKOGAWA's Intellectual Property rights to
reverse engineer, reverse compile, reverse assemble, or reduce the software to human-
readable form.
• No part of the software may be transferred, converted, or sublet for use by any third-party,
without prior written consent from YOKOGAWA, failing which any warranty statements
provided for the product and/or software shall be rendered void.
Documentation conventions
Symbols
The following symbols identify various sections of text in this user's manual.
Typographical conventions
The following typographical conventions are used throughout the user's manuals.
Drawing conventions
Some drawings may be partially emphasized, simplified, or omitted for the convenience of
description.
In the user's manual, the parts in some drawings may be placed in different positions or have
different font settings. Note that some of the images in user's manuals are display examples.
Trademark acknowledgments
• CENTUM, ProSafe, Vnet/IP, PRM, InsightSuite, STARDOM, Exaopc, Exapilot,
Exaquantum, Exasmoc, Exarqe, StoryVIEW, FAST/TOOLS, and FieldMate are the
registered trademarks or trademarks of Yokogawa Electric Corporation.
• The names of corporations, organizations, products and logos herein are either
registered trademarks or trademarks of Yokogawa Electric Corporation and their
respective holders.
Appendix
Appendix 1. IT security setting items
Appendix 1.1 Security setting items in FAST/TOOLS computer
Appendix 1.2 Security setting items in Domain Controller
Appendix 2. Additional information
Appendix 2.1 Notes on security packs and security updates
Appendix 2.2 User account management when security model is changed
Appendix 2.3 Tools for defining local policies
Appendix 2.4 Stopping Windows services before configuring IT security settings
Appendix 2.5 Options for running the IT Security Tool
1. Overview
To protect FAST/TOOLS systems from existing and future security threats, it is necessary to
implement IT security settings. The FAST/TOOLS Windows Security Guide describes the
detailed security settings for implementing the IT security in the system.
Glossary
The following table describes the security-related terms and abbreviations that are used in
this manual.
[Figure: network diagram showing the Business network, reverse proxy, DMZ, firewall, hubs, CSN/ASN, Web HMI Server, PCN, Front-end Server, SCADA Server, Control Bus and controllers, annotated with three threats: attack over a network, direct attack by operating a terminal, and theft of a computer stored with critical data.]
The following table shows the security measures and the threats that each measure handles.
NOTE
• Security settings should follow the security policy of the corresponding installation environment for
BUSINESS LEVEL and CORPORATE LEVEL.
• IT security settings must be applied for AREA LEVEL and PROCESS LEVEL.
Table 2.2.1-1 Type 1: Standard or Strengthened model - Standalone management users and groups
User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Users, Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Users, Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Users, Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_OPC | Group | Local computer | Users, Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users, Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.
*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.
NOTE
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be
modified without confirmation.
Table 2.2.1-2 Type 2: Standard or Strengthened model - Domain management users and groups
User name/group name | Type | Created location | Member of | Description
FTS_OPERATOR | Group | Local computer | Domain users, Administrators (*1) | Group of users who use FAST/TOOLS for operation.
FTS_ENGINEER | Group | Local computer | Domain users, Administrators (*1) | Group of users who perform FAST/TOOLS system engineering by using the Engineering Module, Edit Module, and so on.
FTS_MAINTENANCE | Group | Local computer | Domain users, Administrators | Group of users who perform FAST/TOOLS installation and maintenance.
FTS_MAINTENANCE_LCL | Group | Local computer | Administrators | Supplementary group of users with the same rights as FTS_MAINTENANCE. This group is not used in normal operations but is used only for emergency situations when the domain environment is abnormal. You must manually add the user accounts that belong to this group to the Administrators group on each computer.
FTS_OPC | Group | Local computer | Users, Administrators (*1) | Group of users who configure and manage OPC communication between FAST/TOOLS and other systems.
FTS_PROCESS | User | Local computer | Users, Administrators | User account for users who execute FAST/TOOLS processes (Windows services) without using Windows authentication.
RDC_PROCESS (*2) | User | Local computer | Users | User account for users who execute PRC processes (Windows services) without using Windows authentication.
*1: Administrative privileges are required on the FAST/TOOLS Server computer.
*2: This user account is created only on a dual-redundant platform.
NOTE
• Use these user accounts and user groups only for FAST/TOOLS.
• When you change the security model, existing user groups may be deleted or their names may be
modified without confirmation.
Target folders
The following table describes the target folders with controlled access.
Legend:
User or group
Permission Types
Legend:
[1] : FTS_OPERATOR or FTS_OPERATOR_LCL
[2] : FTS_ENGINEER or FTS_ENGINEER_LCL
[3] : FTS_MAINTENANCE or FTS_MAINTENANCE_LCL
• ARP.EXE
• finger.exe
• ftp.exe
• HOSTNAME.EXE
• ipconfig.exe
• nbtstat.exe
• NETSTAT.EXE
• nslookup.exe
• PATHPING.EXE
• PING.EXE
• rcp.exe
• rexec.exe
• ROUTE.EXE
• rsh.exe
• tftp.exe
• TRACERT.EXE
• bootcfg.exe
• net.exe
• net1.exe
• netsh.exe
• telnet.exe
Legend:
User or group
Permission Types
NOTE
Access permissions, and Launch and Activation permissions are granted to the following users/groups:
• FTS_OPC
• FTS_PROCESS
• ANONYMOUS LOGON
• SYSTEM
• INTERACTIVE
• NETWORK
The following table describes the ports that should be added to the exception list for personal
firewall tuning.
NOTE
Additional exceptions are required when using the following programs or services:
• A redundant Server configuration and high-availability (HAC) software
• ODBC
• Alarm to e-mail
• Windows domain
• NTP
• Antivirus
• OPC
• TCP/IP-based equipment
NOTE
• Ports 16000-16001 can be set from hac.sup and jhacProperties\application.properties.
• Ports 16002-16006 can be set from hac.sup.
• Ports 16010-16041 can be set from jhacProperties\application.properties.
ODBC
The following table describes the program that should be defined as an exception in the
firewall when FAST/TOOLS works on ODBC (manual engineering is required).
Alarm to e-mail
The following table describes the program that should be defined as an exception in the
firewall when Alarm to e-mail is used.
Windows domain
The following table describes the programs that should be defined as exceptions in the
firewall when FAST/TOOLS runs on Windows domain.
Table 3.2-5 Windows domain firewall port exceptions
Program or service | Port | When and where used
DNS | TCP: 53; UDP: 53 | SCADA Server and Web HMI Client/Server
Kerberos Authentication | TCP: 88; UDP: 88 |
LDAP | TCP: 389; UDP: 389 |
Direct Hosting | TCP: 445 |
Global Catalogue | TCP: 3268 |
Global Catalogue SSL | TCP: 3269 |
DHCP | UDP: 67 |
Network Discovery | UDP: 137, 138, 1900, 3702, and 5355; TCP: 2869, 5357, and 5358 |
MADCAP | UDP: 2535 | Web HMI Client (for DHCP)
SOAP | TCP: 9389 | Active Directory Web service
Time synchronization
The following table describes the program that should be defined as an exception in the
firewall when using the Windows time service.
NOTE
You need not configure this setting if you use ecutl or Vnet/IP.
OPC
The following table describes the programs that should be added to the exception list when
using OPC connections.
Vnet equipment
The following table describes the program that should be defined as an exception in the
firewall when using Vnet equipment.
PRC
The following table describes the programs that should be added to the exception list when
using the PRC platform.
Table 3.2-10 PRC firewall port exceptions
Program or service | Port | When and where used
Relay Server (*1) | TCP: 34486 | PRC platform
Mirrored Disk Server (*1) | TCP: 34480 and 34483 | PRC platform
Virtualization and Equalization Server (*1) | TCP: 34484 | PRC platform
Maintenance Server | TCP: 34485 | PRC platform
DELL Open Manage Server Administrator | UDP: 1311 | PRC platform
*1: Used to access data from a computer through a paired computer.
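An audit of the PRC exceptions listed above, as an added example (not from the Yokogawa manual or the IT Security Tool): it compares the ports in Table 3.2-10 with the enabled allow rules and marks each port as present, missing, or reachable only through an any-port rule. Assumptions: the exceptions are inbound rules, the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later) are available for the live check, and the sample rule set is constructed.

```powershell
# Added example, not Yokogawa code. Expected values are copied from Table 3.2-10.
# Assumption: the exceptions are implemented as enabled inbound allow rules.
$PrcExpected = @(
    [pscustomobject]@{ Service = 'Relay Server';                           Protocol = 'TCP'; Port = 34486 }
    [pscustomobject]@{ Service = 'Mirrored Disk Server';                   Protocol = 'TCP'; Port = 34480 }
    [pscustomobject]@{ Service = 'Mirrored Disk Server';                   Protocol = 'TCP'; Port = 34483 }
    [pscustomobject]@{ Service = 'Virtualization and Equalization Server'; Protocol = 'TCP'; Port = 34484 }
    [pscustomobject]@{ Service = 'Maintenance Server';                     Protocol = 'TCP'; Port = 34485 }
    [pscustomobject]@{ Service = 'DELL Open Manage Server Administrator';  Protocol = 'UDP'; Port = 1311 }
)

function Test-PortCovered {
    # True when $Port is named explicitly by a LocalPort entry ("34486" or "34480-34484").
    # "Any" and keyword values such as "RPC" are deliberately not counted here.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$') {
            if ([int]$p -eq $Port) { return $true }
        }
    }
    return $false
}

function Compare-FirewallException {
    # $Filter: objects with RuleName, Protocol and LocalPort (see Get-InboundAllowFilter).
    param([object[]]$Expected, [object[]]$Filter)
    foreach ($e in $Expected) {
        $sameProto = @($Filter | Where-Object { $_.Protocol -in @($e.Protocol, 'Any') })
        $exact = @($sameProto | Where-Object { Test-PortCovered -LocalPort $_.LocalPort -Port $e.Port })
        $broad = @($sameProto | Where-Object { $_.LocalPort -contains 'Any' })
        $status = if ($exact.Count) { 'OK' }
                  elseif ($broad.Count) { 'Only via any-port rule' }
                  else { 'Missing' }
        [pscustomobject]@{
            Service  = $e.Service
            Protocol = $e.Protocol
            Port     = $e.Port
            Status   = $status
            Rules    = (($exact + $broad).RuleName) -join ', '
        }
    }
}

function Get-InboundAllowFilter {
    # Live data: one object per enabled inbound allow rule with its port filter.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $f = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            RuleName  = $_.DisplayName
            Protocol  = [string]$f.Protocol
            LocalPort = @($f.LocalPort)
        }
    }
}

# Constructed sample rule set so the comparison can be read without a live firewall.
$sampleFilters = @(
    [pscustomobject]@{ RuleName = 'PRC Relay';   Protocol = 'TCP'; LocalPort = @('34486') }
    [pscustomobject]@{ RuleName = 'PRC Disk';    Protocol = 'TCP'; LocalPort = @('34480-34484') }
    [pscustomobject]@{ RuleName = 'Vendor tool'; Protocol = 'UDP'; LocalPort = @('Any') }
)
Compare-FirewallException -Expected $PrcExpected -Filter $sampleFilters | Format-Table -AutoSize

# Live check on the FAST/TOOLS computer (elevated prompt):
# Compare-FirewallException -Expected $PrcExpected -Filter (Get-InboundAllowFilter) | Format-Table -AutoSize
```

A port that is reachable only through an any-port rule works, but the rule is wider than the exception the table calls for and is worth narrowing.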
ICMP is a Windows service that uses IP addresses to send messages among computers in a
network.
When the Standard model is applied and the firewall is turned on, the File and Printer Sharing
(Echo Request - ICMPv4-IN) ICMP setting is allowed to go through the firewall.
DCOM protocols
DCOM is used by assigning the dynamic port of Remote Procedure Call (RPC). This setting
controls port assignment to incoming communication of DCOM that is assigned by RPC.
The following table describes the DCOM port range settings for OPC configuration.
NOTE
In addition to the above settings, you must also define DCOM settings and personal firewall exceptions.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Account Policies] > [Password Policy]
NOTE
If you apply password policies, the effort required for managing passwords increases for both users and
operation administrators.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Account Policies] > [Account Lockout Policy]
NOTE
When the account lockout policies are applied, you may not be able to log on if a lockout occurs due to
unintended actions or operations.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Local Policies] > [Security Options]
NOTE
On Windows Server 2008 or later, the four setting items beginning with “MSS:” that are set as Security
Options do not appear in the Local Group Policy Management Editor. However, you can use the gpresult
command to check if they are applied.
*1: Applicable to Windows 7, Windows 10, Windows Server 2012 R2, and Windows Server 2016
*2: Applicable to Windows 10 only
Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Software Restriction Policies]
Account Logon
The following table shows the setting.
Account Management
The following table shows the setting.
Detailed Tracking
The following table shows the setting.
NOTE
These settings are applicable for Domain Controllers only.
Logon/Logoff
The following table shows the setting.
Object Access
The following table shows the setting.
Privilege Use
The following table shows the setting.
System
The following table shows the setting.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Windows Settings] >
[Security Settings] > [Advanced Audit Policy Configuration] > [System Audit Policies - Local
Group Policy Object]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Control Panel] > [Personalization]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Network] > [WLAN Services] > [WLAN Settings]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Audit Process Creation]
NOTE
If this option is enabled, the command line information of each process will be recorded to the security event
log in text format as part of the Audit Process Creation event 4688, "A new process has been created." For
example, if you set a password by using the CreateFASTTOOLSProcess tool, the password specified as an
argument is recorded in the event log.
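A check for the exposure described in this note, as an added example (not from the Yokogawa manual): it reports whether command-line auditing is enabled and lists the 4688 events recorded for CreateFASTTOOLSProcess without printing the logged arguments. Assumptions: the tool is matched by the string "CreateFASTTOOLSProcess" in the image path or command line, the 30-day window is arbitrary, and the sample event is constructed.

```powershell
# Added example, not Yokogawa code. Run from an elevated PowerShell prompt.
# Assumption: the tool appears in event 4688 with "CreateFASTTOOLSProcess"
# somewhere in its image path or command line.

function Test-CommandLineAuditing {
    # Registry value behind "Include command line in process creation events".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $p = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    return [bool]($p -and $p.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function ConvertFrom-Event4688Xml {
    # Turns the XML of one 4688 event into an object with the fields used below.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer    = $x.Event.System.Computer
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process     = $data['NewProcessName']
        CommandLine = $data['CommandLine']
    }
}

function Find-ToolCommandLineExposure {
    param([string[]]$EventXml, [string]$ToolName = 'CreateFASTTOOLSProcess')
    $pattern = "*$ToolName*"
    foreach ($xml in $EventXml) {
        $e = ConvertFrom-Event4688Xml -EventXml $xml
        if ($e.Process -like $pattern -or $e.CommandLine -like $pattern) {
            # Report that arguments were logged, never the arguments themselves.
            [pscustomobject]@{
                TimeCreated     = $e.TimeCreated
                Computer        = $e.Computer
                Account         = $e.Account
                Process         = $e.Process
                ArgumentsLogged = -not [string]::IsNullOrEmpty($e.CommandLine)
            }
        }
    }
}

# Constructed sample event (path, host, account and arguments are placeholders).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2019-09-02T08:15:30.000Z" />
    <Computer>SCADA01</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">engineer1</Data>
    <Data Name="SubjectDomainName">SCADA01</Data>
    <Data Name="NewProcessName">C:\Example\CreateFASTTOOLSProcess.exe</Data>
    <Data Name="CommandLine">CreateFASTTOOLSProcess.exe EXAMPLE-ARGUMENTS</Data>
  </EventData>
</Event>
'@

"Command-line auditing enabled: $(Test-CommandLineAuditing)"
Find-ToolCommandLineExposure -EventXml $sample | Format-Table -AutoSize

# Live Security log, last 30 days:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.ToXml() }
# Find-ToolCommandLineExposure -EventXml $live | Format-Table -AutoSize
```

Each row with ArgumentsLogged set to True marks a password that is readable by anyone who can read the Security log or a forwarded copy of it; change that password and review who has access to the log.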
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Group Policy]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Internet Communication Management] > [Internet Communication
Settings]
Logon (System)
The following table shows the setting.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Logon]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Mitigation Options]
NOTE
If this setting is enabled, fonts that are not installed in %Windir%\Fonts (typically, C:\Windows\Fonts) cannot be
used. In that case, install the fonts to be used in the above folder. You can install fonts by right-clicking the
font and selecting [Install].
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Power Management] > [Video and Display Settings]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [Remote Procedure Call]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [System] > [User Profiles]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [App runtime]
NOTE
This policy disables starting of Windows store applications that are directly accessed by Windows runtime
API from Web content.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Cloud Content]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Data Collection and Preview Builds]
NOTE
If this setting is enabled, Windows authentication dialog boxes appear only after you press [Ctrl] + [Alt] + [Del]
on the keyboard.
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Event Log Service] > [Application] > [Security] >
[System]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [File Explorer]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Home Group]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [OneDrive / SkyDrive]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Remote Desktop Service]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Search]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Software Protection Platform]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Store]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Sync your settings] > [Sync your settings]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Defender]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Error Reporting]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Windows Logon Options] > [Windows Logon
Options]
User Configuration
The following table shows the setting for the Taskbar menu.
Setup location: [User Configuration] > [Administrative Templates] > [Start Menu and Taskbar]
> [Notifications]
Setup location: [Local Computer Policy] > [Computer Configuration] > [Administrative
Templates] > [Windows Components] > [Delivery Optimization]
4. Precautions on operations
This section describes the precautions to observe when you apply security settings.
NOTE
The default display of the IT Security Tool differs depending on whether the tool is used during a new
installation or an upgrade.
2. Click [Setup].
The IT Security Settings page appears.
NOTE
If IT security is already applied, the previously applied settings are selected by default.
4. If you want to view or modify the detailed settings, perform these steps:
a. Click [Details].
The Select Setting Items page appears, indicating the security setting items. Default
setting items appear in gray rows, and the check boxes cannot be cleared.
b. Select the check boxes next to the setting items that you want to apply, and clear the
check boxes of the setting items that you want to remove.
c. Click [Next].
The Confirm Setting Information page appears, enabling you to review your
selections.
NOTE
• If you made any changes to the selection of setting items, a dialog box appears, indicating the
change and asking if you want to continue. Click [Yes] to continue or [No] to return to the Select
Setting Items page.
• We recommend that you use the default selection of setting items.
6. Click [Finish].
7. Restart the computer for the settings to take effect.
IMPORTANT
• Ensure that the computer on which you are restoring the security settings has the same
configuration as the computer on which you saved the security settings.
• Before you restore the security settings, you must perform the following actions:
• Install the same product version and packages.
• If the product coexisted with other YOKOGAWA system products on the computer
where you saved the security settings, install the same versions and packages of
these system products.
• If you want to restore the Standard model with Domain or Combination management,
connect the computer to the domain.
• Set the same security model and user management type by using the IT Security
Tool.
• Obtain the default account password and Encryption Key.
• Store the pair of HED and CSF files in the same location. These files store the
security setting configuration and they must always have the same file name.
Follow these steps to temporarily grant the write permission for removable storage devices:
1. Log on to Windows as a user with administrative rights.
2. In Windows, run the following program file to start the StorageDeviceCTL utility:
<OS drive>:\Program Files (x86)\YOKOGAWA\IA\iPCS\Platform\Security\PROGRAM\Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
NOTE
If the User Account Control dialog box appears, asking if you want to allow the program to run, click
[Yes].
The StorageDeviceCTL utility appears on the task bar, indicating that the write permission
is granted.
3. Insert a removable storage device into the computer.
4. Write or update data on the storage device.
5. After you finish writing or updating data, properly remove the storage device.
6. From the task bar, click [StorageDeviceCTL].
7. In the StorageDeviceCTL message box, click [Write Stop] to close the utility.
The write permission for the removable storage devices is removed.
7.1.1 Coexistence
The following figure shows the network structure of coexistence with FAST/TOOLS and
STARDOM FCN/FCJ systems.
FCN/FCJ engineering environment
with FAST/TOOLS
The IT security settings should be configured manually on the computer where STARDOM
and FAST/TOOLS systems are installed.
7.1.2 Collaboration
The FAST/TOOLS system accesses data from STARDOM FCN/FCJ through Ethernet
(TCP/IP) by using the HSE interface.
The following figure shows the network connection between FAST/TOOLS and STARDOM
(HSE).
SCADA Server
FCN/FCJ
Follow these steps to configure the collaboration settings for FAST/TOOLS and STARDOM
FCN/FCJ:
1. Create a user account that has the following privileges:
• Copy project data to FAST/TOOLS system
• Convert copied project data
• Send converted data to FAST/TOOLS system
2. Define personal firewall exceptions.
3. Configure EQUIPMENT/FAST.
4. Define TCP/IP line type and STARDOM-FCX equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM50L07L02-21E) for more
information.
5. Create I/O points on the FAST/TOOLS computer.
7.2.1 Collaboration
The FAST/TOOLS system accesses data from ProSafe-RS SCS through Vnet/IP.
The following figure shows the network connection between FAST/TOOLS and ProSafe-RS
SCS.
SCADA Server
Vnet/IP
SCS
3. Configure EQUIPMENT/FAST.
4. Define Vnet/IP line type and ProSafe-RS equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM 50L07L02-01EN/R9.03) for
more information.
5. Create I/O points on the FAST/TOOLS computer.
7.3.1 Collaboration
The FAST/TOOLS system accesses data from the Matrikon OPC Server through Ethernet
(TCP/IP) by using the OPC interface. The SCADA Server is used as the OPC Client for
receiving data from the Matrikon OPC Server.
The following figure shows the network connection between FAST/TOOLS and Matrikon OPC
Server.
Ethernet (TCP/IP)
NOTE
You can use the IT Security Tool to configure the firewall exceptions.
4. Configure EQUIPMENT/FAST.
5. Define TCP/IP line type and OPC DA equipment.
Refer to EQUIPMENT/FAST System Integrator’s Manual (IM 50L07L02-01EN/R9.03) for
more information.
6. Create I/O points on the FAST/TOOLS computer.
7.4.1 Collaboration
The FAST/TOOLS system accesses data from Exaquantum Server through Ethernet (TCP/IP)
by using the OPC interface. The Exaquantum Server is used as the OPC Client for receiving
data and the SCADA Server is used as the OPC Server.
The following figure shows the network connection between FAST/TOOLS and Exaquantum
Server.
Ethernet (TCP/IP)
NOTE
You can use the IT Security Tool to configure the firewall exceptions.
4. Create items on the Exaquantum Server to access the FAST/TOOLS items on the
SCADA server.
NOTE
• The OPC flag must be enabled for the FAST/TOOLS items to be accessed by Exaquantum.
• The OPC Server Type must be defined on the Exaquantum Server.
• The OPC-DA Server ProgID must be changed to the name of the latest FAST/TOOLS OPC Server.
Some versions of Windows 8, Windows 8.1, and Windows 10 are delivered with a number of
bundled apps. When a user first signs in, Windows installs those apps to the user account.
Even when the apps are uninstalled from the user account, many of them are downloaded
automatically after a Windows update. It is recommended to remove all the available bundled
apps from your computer.
Follow these steps to remove the bundled apps from your computer:
1. Log on to Windows as a user with administrative rights.
2. From the Start menu, right-click [Command Prompt] and select [Run as Administrator].
The Command Prompt window appears.
3. Run the following command:
• To remove the bundled apps for a specific user
Get-AppxPackage -User <Username> | Remove-AppXPackage
• To remove the bundled apps for all users
Get-AppxPackage -AllUsers | Remove-AppXPackage
The bundled apps are removed from the computer.
NOTE
The following apps are not removed:
• Contact Support
• Cortana
• Photos
• Microsoft Edge
• Windows Feedback
• Settings
IMPORTANT
You must observe the following precautions if you want to apply audit policies:
• The system performance is affected if you increase the number of recorded event types.
• You must determine the event record size that is appropriate for the system operation
conditions. The number of generated events varies depending on the types of recorded
events and system operations.
The following table describes the details of events that can be recorded by applying audit
policies.
The following table shows the security setting items for the Standard model with Standalone
management.
The following table shows the security setting items for the Standard model with Domain or
Combination management.
The following table shows the security setting items for the combination of Standard model
and Domain or Combination management.
Antivirus software
It is recommended to install only the antivirus software verified by Yokogawa on the terminals
connected to the FAST/TOOLS system and the Domain Controller. You can contact
Yokogawa for applying the antivirus software. Updating the search engine or pattern file of the
antivirus software may lead to restarting the computer or other unexpected issues. Therefore,
you must check the behavior of the antivirus software update on a test computer before
applying the antivirus on the FAST/TOOLS computer.
Table Appendix 2.2-1 When user management type is changed to Standalone management
User account   From Domain management   From Combination management
FTS_OPERATOR   Add the user account   Rename from FTS_OPERATOR_LCL to FTS_OPERATOR
FTS_OPERATOR_LCL   -
FTS_ENGINEER   Add the user account   -
FTS_ENGINEER_LCL   -   Rename from FTS_ENGINEER_LCL to FTS_ENGINEER
FTS_MAINTENANCE   Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE   Rename from FTS_MAINTENANCE_LCL to FTS_MAINTENANCE
FTS_MAINTENANCE_LCL
FTS_OPC   Add the user account   Rename from FTS_OPC_LCL to FTS_OPC
FTS_OPC_LCL   -
The following table describes how to manage the user group accounts when the user
management type is changed to Domain management.
Table Appendix 2.2-2 When user management type is changed to Domain management
User account   From Standalone management   From Combination management
FTS_OPERATOR   Delete the user account   -
FTS_OPERATOR_LCL   -   Delete the user account
FTS_ENGINEER   Delete the user account   -
FTS_ENGINEER_LCL   -   Delete the user account
FTS_MAINTENANCE   Rename from FTS_MAINTENANCE to FTS_MAINTENANCE_LCL   -
FTS_MAINTENANCE_LCL   Use existing FTS_MAINTENANCE_LCL
FTS_OPC   Delete the user account   -
FTS_OPC_LCL   -   Delete the user account
The following table describes how to manage the user group accounts when the user
management type is changed to Combination management.
Table Appendix 2.2-3 When user management type is changed to Combination management
User account   From Standalone management   From Domain management
FTS_OPERATOR   Rename from FTS_OPERATOR to FTS_OPERATOR_LCL   -
FTS_OPERATOR_LCL   Add the user account
FTS_ENGINEER   Rename from FTS_ENGINEER to FTS_ENGINEER_LCL   -
FTS_ENGINEER_LCL   Add the user account
NOTE
When the software restriction policy is applied to FAST/TOOLS with IT security settings, right-click
[fasttools-Rxx.yy-rzzzz-ITSecurity.exe] in the installation media and select [Run as administrator] to launch the
IT Security Tool.
This option is to install the FAST/TOOLS Server, IT Security Tool, and IT security definition
file. The name of the IT security definition file is SERV. After installing both the packages, the
IT Security Tool is launched automatically.
NOTE
It is not possible to install the IT Security Tool only. If you select this option on a computer on which FAST/
TOOLS is already installed, you must follow the update procedure.
This option is to install the IT Security Tool and IT security definition file. The name of the
definition file set is CLNT1. After installing the IT Security Tool, it is launched automatically.
NOTE
• If FAST/TOOLS Client is installed on a computer where other Yokogawa products are installed with IT
security, select this option. Never select “Apply IT Security only”.
• This option can be selected regardless of the Remote Connect installation. If Remote Connect is
installed after installing the IT Security Tool, you must apply the security settings again.
Revision information
● Title : TI 50A01A10-04EN
● Manual No. : USER/FAST IT Security Guide
Sep. 2019/1st Edition/R10.04 or later
Newly published.