Security Hardening Guidelines
- After installing the product, follow Microsoft guidelines for configuring SSL settings to accept only HTTPS connections. For more information, see How to Set Up SSL on IIS 7 or later.
- To enhance the security of the installation:
- Do not run services that aren't necessary. For example, disable any unused point managers and stop their services.
- Disable all FrameWorX Server endpoints that aren't needed by removing them from the server configuration file (IcoFwxServer.exe.config). We recommend that you back up this file before making modifications.
- Disable the OPC UA interface on the Basic tab in the Platform Services Configuration dialog, unless the OPC UA interface is being used by a third-party OPC UA client.
- Configure GENESIS Security to secure configuration and run-time operations.
- Set up GENESIS Security and enforce a strong password.
- Set up security to allow only authorized operators to see the Security settings.
- Set up the automatic logout of users to help prevent unauthorized access to the system.
- Disable the Provide list of existing users in the login dialog by clearing (unchecking) the checkbox in the Global Settings configuration pane.
- Disable the Start Application application action in the Security server configuration unless you are using the Start Application command in GraphWorX. If you do use it, be aware that the Start Application command can be used to start any application, so use it with care.
- If using GENESIS Security in Database mode (rather than with Active Directory), use binary TCP or HTTPS for the FrameWorX communications protocol. Do not use HTTP.
- When GENESIS Security is set to Active Directory mode, no user passwords are stored, but the password for the connection from the Security server to Active Directory is stored in obfuscated form. You can avoid storing passwords in the database altogether by leaving the Active Directory connection user name and password blank; the Security server then uses Integrated Windows Authentication to connect to Active Directory. For Integrated Windows Authentication to work, the FrameWorX Server must run under the Network Service account and the computer must be domain-joined.
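The following PowerShell script is an added example, not part of the product documentation: it checks the two prerequisites stated above for Integrated Windows Authentication (service account and domain membership) and reports any plain HTTP bindings left on the IIS site. The service name and site name are placeholders that you must adjust for your installation.

```powershell
# Added example (not from the product documentation). Verifies the prerequisites
# this guide states for Integrated Windows Authentication in Active Directory mode
# and reports whether the IIS site still accepts plain HTTP.
$FrameWorXServiceName = 'FrameWorX Server'   # placeholder: actual service name may differ
$SiteName             = 'Default Web Site'   # placeholder: your IIS site name

$findings = @()

# 1. The FrameWorX Server service must run under the Network Service account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$FrameWorXServiceName' OR DisplayName='$FrameWorXServiceName'"
if (-not $svc) {
    $findings += "Service '$FrameWorXServiceName' not found; check the placeholder service name."
} elseif ($svc.StartName -ne 'NT AUTHORITY\NetworkService') {
    $findings += "FrameWorX Server runs as '$($svc.StartName)'; Integrated Windows Authentication requires 'NT AUTHORITY\NetworkService'."
}

# 2. The computer must be domain-joined.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $findings += "Computer '$($cs.Name)' is not domain-joined; Active Directory mode with Integrated Windows Authentication will not work."
}

# 3. Only HTTPS bindings should remain on the IIS site; plain HTTP should not be used.
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Module WebAdministration) {
    $httpBindings = Get-WebBinding -Name $SiteName -Protocol http
    if ($httpBindings) {
        $findings += "Site '$SiteName' still has HTTP binding(s): $($httpBindings.bindingInformation -join ', ')"
    }
} else {
    $findings += 'WebAdministration module not available; skipped the IIS binding check.'
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```

Run it in an elevated PowerShell session on the server hosting the FrameWorX Server and IIS.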
- Use the configurable option, Create a local copy of the configuration on the server, for the applicable configuration databases.
- Enhance run-time communications security by:
- Using secure, encrypted OPC UA communications. For more information, see Creating an OPC UA Connection. We recommend that you become familiar with OPC UA Security Concepts and Security Guidelines.
- Avoiding OPC Classic communications, which are not recommended for two reasons:
- The Classic OPC Point Manager, which provides access to OPC Classic, must run under the SYSTEM account to provide it with elevated security access to the system.
- The Classic OPC servers don't provide any security.
- Scripting technologies may open the system to the execution of arbitrary, insecure code, and should be avoided. Commanding and Bridging are recommended replacements.
Notes:
- If GraphWorX scripting is not needed in your project, we recommend that you do not enable GraphWorX scripting. It has been disabled by default in GENESIS version 11.
- ScriptWorX64 has been removed from GENESIS version 11. We recommend that you do not install ScriptWorX64 on the system.
- When scripting must be used and the scripts perform write operations, ensure that each script calls the audit log (GenEvent) reporting method so that all write operations are properly logged.
- Secure the SQL Server database(s) used in the system by encrypting the databases. Additionally, we recommend that you apply the best practices as defined in the Microsoft article, SQL Server Security Best Practices.
- To prevent the possibility of tampering with GraphWorX display files if web publishing capabilities are required, configure the FTP server where the display files are stored to require a user/password for write access to the server. If web publishing capabilities aren't required, ensure FTP access to the website is fully disabled.