DOCA0275EN-00

Security Hardening Guidelines

Introduction

Your PC can run a variety of applications to enhance security in your control environment. The system ships with factory default settings that must be reconfigured to align with Schneider Electric's device hardening recommendations, which follow the defense-in-depth approach.

The following guidelines describe procedures in a Windows operating system. They are provided as examples only. Your operating system and application may have different requirements or procedures.

Disabling the Remote Desktop Protocol

Schneider Electric’s defense-in-depth recommendations include disabling the remote desktop protocol (RDP) unless your application requires it.

In Windows 10, remote desktop protocol (RDP) is disabled using Settings > System > Remote Desktop > Enable Remote Desktop (toggle to Off).

Updating Security Policies

Update the security policies on the PCs in your system by running gpupdate in a command window. For more information, refer to the Microsoft documentation on gpupdate.

Managing Updates

Before deployment, update all PC operating systems using the utilities on Microsoft’s Windows Update Web page. To access this tool in Windows, select Start > All Programs > Windows Update.

Workstation Protection

To reduce the security risks associated with the engineering workstation, enable memory exploit mitigations such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). These security settings can be enabled through the system exploit protection settings in the Windows 10 operating system. For more information, refer to the Microsoft security features web page.
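
The following is an added example, not part of the Schneider Electric guideline: a read-only PowerShell check of the settings described above (RDP state, DEP and ASLR). It assumes Windows 10 version 1709 or later and an elevated session; the function name Test-WorkstationHardening and the pass criteria are choices made for this example.

```powershell
# Added example: read-only audit of the settings covered by this guide.
# Assumes Windows 10 version 1709 or later (Get-ProcessMitigation) and an elevated session.
function Test-WorkstationHardening {
    $results = @()

    # RDP: fDenyTSConnections = 1 refuses Remote Desktop connections.
    # A Group Policy value, when present, takes precedence over the local setting.
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $deny = $null; $source = 'not found'
    foreach ($key in $policy, $local) {
        $p = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
        if ($null -ne $p) { $deny = $p.fDenyTSConnections; $source = $key; break }
    }
    $results += [pscustomobject]@{
        Check = 'RDP disabled'; Value = "$deny ($source)"; Pass = ($deny -eq 1)
    }

    # DEP boot policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = $os.DataExecutionPrevention_SupportPolicy
    $results += [pscustomobject]@{
        Check = 'DEP policy not AlwaysOff'; Value = $depPolicy
        Pass  = ($os.DataExecutionPrevention_Available -and $depPolicy -ne 0)
    }

    # System-wide exploit protection: ON, OFF, or NOTSET (Windows default applies).
    # This example treats only an explicit OFF as a finding.
    $sys = Get-ProcessMitigation -System
    $settings = [ordered]@{
        'DEP'               = $sys.Dep.Enable
        'ASLR bottom-up'    = $sys.Aslr.BottomUp
        'ASLR high-entropy' = $sys.Aslr.HighEntropy
    }
    foreach ($name in $settings.Keys) {
        $results += [pscustomobject]@{
            Check = "Exploit protection: $name"; Value = "$($settings[$name])"
            Pass  = ("$($settings[$name])" -ne 'OFF')
        }
    }
    $results
}

Test-WorkstationHardening | Format-Table -AutoSize
```

Run the check again after gpupdate completes, since a refreshed policy can change the RDP value that is in effect.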
