SMARTVFD SECURITY GUIDE
31-00140—01
User accounts
Securing access to the operating system
The SmartVFD Drive Care Tool does not use Windows user
accounts for application security; Windows user accounts
are used to secure access to the operating system and still
provide a very valuable layer of protection. Ensure that
only authorized users have access to computers.
Windows user accounts and passwords
Access is gained to the Windows operating system by
logging onto the computer using a user account name
and password. This is true for both local and remote
terminal services access. Because user accounts may be
well known or easily guessed within an organization, the
password becomes the prime vehicle for authentication.
User account and password policies are therefore
important security measures.
User and password policies and settings
Since users are not authenticated using Windows,
configure any PC application with access to the SmartVFD
so that each user has a unique login name and password.
Ensure that when an employee, or any other user with
permanent or temporary access, leaves the organization
or no longer needs access, their user accounts are
disabled. For example, when a subcontractor is on the job
working on the SmartVFD HVAC system, they are given
access to the system. Monitor their access while the work
is in progress and then disable their credentials once the
work is complete. In addition, because SmartVFD software
is available using a browser, ensure that the SmartVFD
user account is also disabled.
Follow Windows user and password policies to secure
access to the operating system that has application
access to the SmartVFD. As a general rule:
• Review user accounts on a regular basis.
• Disable or delete all unused accounts.
• Disable all anonymous accounts.
• Disable all guest accounts.
Configure password policies so that Windows account
passwords are difficult to guess and they are changed
often. The following settings are suggested:
• Maximum password age set to 45 to 90 days - this
forces the choice of a new password after this time.
Configure a shorter maximum password age for the
Administrator account than for a normal system user.
A maximum of 30 days is recommended.
• Minimum password age set to 1 to 5 days - this
prevents cycling passwords too rapidly.
• Minimum password length set to 11 characters - This
improves encryption and makes guessing harder. Using
several words to form a phrase can make a stronger
password that is also easier for the user to remember.
For example, "My dog Fido has 50 fleas!" is a much
stronger password, and much easier to remember, than
"X$9d8oc-@Ek".
• Enforce password history set to 24 passwords
remembered - This prevents reuse of the same
password too quickly.
• Password must meet complexity requirements set to
enabled - this improves encryption and makes guessing
harder. Suggest requiring at least three of the following:
uppercase character, lowercase character, number,
and special character.
• Store passwords using reversible encryption set to
disabled - this prevents passwords from being stored in
(the equivalent of) clear-text.
• Account lockout threshold set to 5 invalid logon
attempts - this prevents continual password guessing
by disabling an account after the specified number of
attempts. Consider disabling account lockout for
operator (or other user) accounts where denial of
service or loss of view would be detrimental to safety or
the continued operation of the facility.
• Account lockout duration set to 30 minutes - this
specifies the period of time during which a user will not
be able to log on following an account lockout. (Note
that the administrator can re-enable the account
before the expiration of the specified lockout period.)
• Reset account lockout counter after 29 minutes - this
sets the time before the account lockout counter is reset
to zero.
For example, with the account lockout set at 10, and the
lockout counter set at 29 minutes, lockout will occur if
there are 10 invalid logon attempts within 29 minutes.
Note that the lockout counter must be less than the
lockout duration.
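
The suggested settings above can be checked against the policy file that `secedit /export` writes. The following is an added example, not part of the original guide or any Honeywell tool: it parses the [System Access] section and reports every value outside the guide's figures. The sample policy text is constructed, and the 30-day Administrator password age is a per-account setting that this file does not carry.

```python
import configparser

# Guide's suggested values: secedit key -> (minimum, maximum); None = no upper bound.
GUIDE = {
    "MaximumPasswordAge": (45, 90),
    "MinimumPasswordAge": (1, 5),
    "MinimumPasswordLength": (11, None),
    "PasswordHistorySize": (24, None),
    "PasswordComplexity": (1, 1),
    "ClearTextPassword": (0, 0),       # reversible encryption disabled
    "LockoutBadCount": (5, 5),         # account lockout threshold
    "LockoutDuration": (30, 30),       # minutes
    "ResetLockoutCount": (29, 29),     # minutes
}

# Constructed sample of a `secedit /export` policy file (not from a real system).
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""

def audit(inf_text):
    """Return findings for settings that are missing or outside the guide's values."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as exported
    parser.read_string(inf_text)
    policy = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for key, (low, high) in GUIDE.items():
        raw = policy.get(key)
        if raw is None:
            findings.append(f"{key}: not set")
            continue
        value = int(raw)
        if value < low or (high is not None and value > high):
            want = f"{low}" if low == high else f"{low}+" if high is None else f"{low}-{high}"
            findings.append(f"{key}: {value} (guide: {want})")
    reset, duration = policy.get("ResetLockoutCount"), policy.get("LockoutDuration")
    if reset is not None and duration is not None and int(reset) >= int(duration):
        findings.append("ResetLockoutCount must be less than LockoutDuration")
    return findings
```

secedit writes the exported file as UTF-16, so decode it accordingly before passing the text to `audit()`.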
Service and primary workstation accounts
Run the Windows services and the PC browser required by
the SmartVFD commissioning software under an account with
the lowest possible set of privileges. The following classes
of accounts are suggested in order of preference:
• Local service accounts.
• Local accounts with minimum rights.
• Domain accounts with minimum rights.
• The Network Service account.
• Local or domain user accounts belonging to the Local
Administrators group.
• The local system account.
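
The preference order above can be applied to a service inventory to find services running under the least-preferred account classes. The following is an added example, not part of the original guide: the host, service and account names are constructed, "Local service accounts" is assumed to mean the built-in Local Service identity, and the check cannot confirm that an account really has minimum rights or see administrator membership granted through nested groups.

```python
# Preference order from the guide, 1 = most preferred, 6 = least preferred.
TIERS = {
    1: "Local Service account",
    2: "local account",
    3: "domain account",
    4: "Network Service account",
    5: "member of Local Administrators",
    6: "Local System account",
}
# Built-in identities as they appear in a service's logon-account field.
BUILTIN = {
    "nt authority\\localservice": 1, "nt authority\\local service": 1,
    "nt authority\\networkservice": 4, "nt authority\\network service": 4,
    "localsystem": 6, "nt authority\\system": 6,
}

def tier(start_name, computer, local_admins):
    """Map a service logon account to the guide's preference tier."""
    name = start_name.strip().lower()
    if name in BUILTIN:
        return BUILTIN[name]
    domain, _, user = name.rpartition("\\")
    # ".\user", "user" and "COMPUTER\user" are local; "user@domain" is not.
    is_local = "@" not in name and domain in ("", ".", computer.lower())
    full = f"{computer.lower()}\\{user}" if is_local else name
    if full in {a.lower() for a in local_admins}:
        return 5
    return 2 if is_local else 3

def review(services, computer, local_admins, worst_allowed=4):
    """Return (service, account, class) for services below the allowed tier, worst first."""
    rows = [(tier(acct, computer, local_admins), svc, acct) for svc, acct in services]
    return [(s, a, TIERS[t]) for t, s, a in sorted(rows, reverse=True) if t > worst_allowed]

# Constructed inventory: hypothetical host, service and account names.
COMPUTER = "HVAC-PC01"
LOCAL_ADMINS = ["HVAC-PC01\\Administrator", "HVAC-PC01\\vfdadmin"]
SERVICES = [
    ("VfdCommSvc", ".\\vfdadmin"),
    ("VfdLogger", "NT AUTHORITY\\LocalService"),
    ("VfdUpdater", "LocalSystem"),
    ("VfdBridge", "CORP\\svc_vfd"),
]
```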
Monitoring and logging
System monitoring
Diligent system monitoring will help guard your system
against unauthorized access. However, there is always the
possibility that an attacker will succeed in circumventing
all the safeguards and compromise the system. If this
happens, it is important to discover the breach and
prevent further damage as rapidly as possible. The earlier
a system breach is detected and the more evidence is
captured, the less damage is likely to occur and the
greater the chances of identifying the intruder.