SMARTVFD SECURITY GUIDE
31-00140—01
Other forms of intrusion detection search event logs for
unusual events, or compare the current file system against a
known-good image (a baseline of file hashes taken when the
system was known to be clean). Be careful when running such
tools: schedule and throttle them so they do not consume
excessive CPU or disk resources and interfere with the
control system.
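As an added example (this is not code from the SmartVFD guide or from Honeywell), the following PowerShell script implements the file-system comparison described above: it records a SHA-256 baseline of a directory tree and, on later runs, reports files that were added, removed or modified. It runs at reduced process priority and sleeps between files so that it does not starve the control software. The directory path, the baseline location and the sleep interval are assumptions for the example.

```powershell
# Added example: file-system baseline comparison with resource throttling.
# Run once with -Update on a known-good system, then on a schedule without it.
param(
    [string]$Path     = 'C:\ControlSystem',              # assumed tree to watch
    [string]$Baseline = 'C:\Baseline\fs-baseline.json',  # assumed baseline file
    [switch]$Update                                      # rewrite the baseline
)

# Drop our own priority so the control system wins any CPU contention.
(Get-Process -Id $PID).PriorityClass = 'BelowNormal'

function Get-TreeHashes {
    # Returns a hashtable: full path -> SHA-256 hex digest.
    param([string]$Root, [int]$SleepMs = 20)
    $result = @{}
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $result[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Start-Sleep -Milliseconds $SleepMs   # crude throttle: spread disk I/O over time
    }
    return $result
}

function Compare-TreeHashes {
    # Compares two path->hash tables and returns the three difference sets.
    param([hashtable]$Known, [hashtable]$Current)
    [PSCustomObject]@{
        Added    = @($Current.Keys | Where-Object { -not $Known.ContainsKey($_) })
        Removed  = @($Known.Keys   | Where-Object { -not $Current.ContainsKey($_) })
        Modified = @($Current.Keys | Where-Object { $Known.ContainsKey($_) -and $Known[$_] -ne $Current[$_] })
    }
}

$current = Get-TreeHashes -Root $Path

if ($Update -or -not (Test-Path $Baseline)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $Baseline) | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Output "Baseline written: $($current.Count) files"
    exit 0
}

# ConvertFrom-Json yields a PSCustomObject; rebuild the hashtable from its properties.
$known = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $known[$_.Name] = $_.Value }

$diff = Compare-TreeHashes -Known $known -Current $current
foreach ($f in $diff.Added)    { Write-Output "ADDED    $f" }
foreach ($f in $diff.Removed)  { Write-Output "REMOVED  $f" }
foreach ($f in $diff.Modified) { Write-Output "MODIFIED $f" }

# Non-zero exit when anything differs so a scheduled task or SIEM can alert on it.
if (($diff.Added.Count + $diff.Removed.Count + $diff.Modified.Count) -gt 0) { exit 2 }
```

Keep the baseline file on read-only media or on a separate, access-controlled host; a baseline that the attacker can rewrite after modifying the system detects nothing.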
Wireless access points
It is generally not advised to allow wireless access to the
BAS network.
If a wireless network is part of the existing automation
system, follow these guidelines when setting up and
configuring a wireless network:
• Do not use the default Service Set Identifier (SSID);
configure a unique SSID.
• Disable SSID broadcast. Note that a hidden SSID is still
visible to anyone capturing wireless traffic; this only
deters casual discovery.
• Use Wi-Fi Protected Access II (WPA2-Personal or
WPA2-Enterprise). Wired Equivalent Privacy (WEP) is not
sufficiently secure.
• Use the correct class of network equipment. For
example, do not use home or small-office equipment for
large enterprise jobs.
• Change the default administrator password.
• Ensure access points are running the latest firmware.
• Physically secure access point devices.
• Use a separate access point for public, non-secured
access, such as Wi-Fi for guests or customers.
• When feasible, enable media access control (MAC)
address filtering and enter the MAC addresses of all
authorized wireless devices. MAC addresses can be
spoofed, so treat this as an additional hurdle rather
than as an access control.
APPENDIX 6 - HARDENING AND COMPUTER ISSUES
This section contains additional information on
Hardening and Physical Computer Issues.
Hardening
Hardening involves taking additional actions to make it
more difficult to obtain unauthorized access or to
circumvent security mechanisms.
Physical computer
Implement additional steps to harden computers against
unauthorized access:
• If computers with DVD drives are readily accessible, fit
locks or remove the DVD drives. Disable unused USB
ports to prevent USB drives or other uncontrolled
devices from being connected to the system. Such
devices may be used to introduce a virus or other
malware. Also disable or physically protect the power
button to prevent unauthorized use.
• Set the BIOS to boot only from the operating system's
root partition/drive.
• Set a BIOS password (ensure that this does not prevent
automatic startup).
• Remove the floppy and CD/DVD drives from the
computer.
• Disable USB ports and other ports capable of being
used for memory sticks and other portable storage
devices.
• Prevent drives, like the DVD drive, from being visible in
Windows Explorer by using Group Policy. See "Using Group
Policy Objects to hide specified drives" at
http://support.microsoft.com/kb/231289 for more
information. Note, however, that hiding the drives in
Windows Explorer does not prevent those drives from being
accessed from a command prompt or by a script; rely on
removing or disabling the device for real protection.
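As an added example (not code from the SmartVFD guide), the PowerShell below applies the Explorer drive-hiding policy that the KB article describes and, alongside it, disables the USB mass-storage driver, which is the control that actually stops a memory stick from mounting. It must be run from an elevated prompt. The drive letters to hide (D: and E:) are assumptions for the example.

```powershell
# Added example: hide drives in Explorer (cosmetic) and disable USB storage (effective).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# NoDrives and NoViewOnDrive are bit masks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
function ConvertTo-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $index = [int][char]$l.ToUpper()[0] - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

# Assumed for the example: D: is the optical drive, E: a card reader.
$mask = ConvertTo-DriveMask -Letters @('D', 'E')   # D=bit 3, E=bit 4 -> 24

New-Item -Path $explorerPolicy -Force | Out-Null
# NoDrives only removes the drive icons from Explorer / File Explorer.
Set-ItemProperty -Path $explorerPolicy -Name 'NoDrives'      -Value $mask -Type DWord
# NoViewOnDrive also refuses to browse them from Explorer and common dialogs.
# Neither value stops "dir D:\" or "copy D:\payload.exe ." from a command prompt.
Set-ItemProperty -Path $explorerPolicy -Name 'NoViewOnDrive' -Value $mask -Type DWord

# The USB mass-storage class driver: Start = 4 (SERVICE_DISABLED) means no
# USB disk will be mounted at all. Keyboards and mice use the HID stack and
# are unaffected, so an operator console keeps working.
Set-ItemProperty -Path $usbStor -Name 'Start' -Value 4 -Type DWord

# Read the values back so the change can be verified or audited later.
[PSCustomObject]@{
    NoDrives      = (Get-ItemProperty -Path $explorerPolicy).NoDrives
    NoViewOnDrive = (Get-ItemProperty -Path $explorerPolicy).NoViewOnDrive
    USBSTORStart  = (Get-ItemProperty -Path $usbStor).Start
}
```

Setting the USBSTOR start type to 4 does not unload the driver from devices already plugged in; reboot or unplug them after applying it, and test that any USB license dongle or HMI peripheral the control software depends on is not a mass-storage device.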
Operating system
Many additional configuration options can be applied to
harden the operating system against threats.
Securing the desktop
The following recommendations apply to desktop policy
settings:
• Configure Windows to display a warning against
unauthorized use of the computer. Computers can be
configured to display a message when someone logs on; a
typical message would be "It is an offense to continue
without proper authorization." Historically, legal
prosecutions of intruders have failed because no such
warning was displayed. The banner can be defined using
Group Policy or the local registry.
• Use Group Policy (if the computer is part of a Windows
domain) or the local registry to hide the last user name
on the logon window. By default, the logon dialog box
displays the name of the last user to log on. This saves
time if the same user is logging on again, but it hands an
intruder a valid account name to attack.
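As an added example (not code from the SmartVFD guide), the PowerShell below sets the logon warning banner and hides the last user name through the local registry, then audits the result. The values live under the Policies\System key that Group Policy also writes, so the same check works on domain-joined machines. The banner wording is an assumption; use text approved by your legal department.

```powershell
# Added example: logon banner and "don't display last user name" via the registry.
$systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed banner text for the example.
$caption = 'AUTHORIZED USE ONLY'
$text    = 'This system is for authorized users only. It is an offense to continue ' +
           'without proper authorization. Activity may be monitored and recorded.'

# Interactive logon: Message title / text for users attempting to log on.
Set-ItemProperty -Path $systemPolicy -Name 'LegalNoticeCaption' -Value $caption -Type String
Set-ItemProperty -Path $systemPolicy -Name 'LegalNoticeText'    -Value $text    -Type String

# Interactive logon: Don't display last signed-in (1 = hide the previous user name).
Set-ItemProperty -Path $systemPolicy -Name 'DontDisplayLastUserName' -Value 1 -Type DWord

function Test-LogonPolicy {
    # Returns $true only when the banner is non-empty and the last user name is hidden.
    param([string]$Key = $systemPolicy)
    $p  = Get-ItemProperty -Path $Key
    $ok = $true
    if ([string]::IsNullOrWhiteSpace($p.LegalNoticeCaption)) {
        Write-Warning 'LegalNoticeCaption is empty'; $ok = $false
    }
    if ([string]::IsNullOrWhiteSpace($p.LegalNoticeText)) {
        Write-Warning 'LegalNoticeText is empty'; $ok = $false
    }
    if ($p.DontDisplayLastUserName -ne 1) {
        Write-Warning 'Last user name is still displayed at logon'; $ok = $false
    }
    return $ok
}

Test-LogonPolicy   # $true after the settings above have been applied
```

On a domain-joined computer a Group Policy refresh overwrites these values, so make the change in the GPO that applies to the control-system OU rather than only locally. Also test an unattended restart: the banner must be acknowledged before logon completes, which matters on a station that is expected to come back up on its own after a power failure.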