End-User Changes to AtlasIED Windows Environments

Ver 1.0    16-April-2020

Introduction

AtlasIED controllers such as the IP100-series devices, GLOBALCOM software running on a Dell server, and Enterprise/PRIZM client/server computers ship from AtlasIED with a particular configuration of Windows (embedded or server, as appropriate). The Windows environment is pre-configured at the factory so that the AtlasIED software can function fully as required. In some installations these systems are joined to the local Windows domain or integrated with Active Directory; in others, the local IT/network department imposes its own requirements on devices added to the local area network. We have found that changes made locally to the Windows environment, for example through domain/group policies, can conflict with the needs of the AtlasIED software and prevent it from operating properly.

This article lists the Windows environment requirements to be aware of when applying local changes, whether through domain/group policies or directly on the device hosting the AtlasIED software. The later sections address three specific security topics: Windows Update, firewalls and anti-virus software.

General Requirements (GCK or Enterprise)

The following items are issues common to the Windows environment hosting GLOBALCOM/GCK or Enterprise/PRIZM software.

  • The IED/AtlasIED user account must have full local administrative privileges and rights on the system.
  • All folders under C:\IED and C:\Messages must remain set for full read/write access by the IED/AtlasIED account and the local SYSTEM account.
  • Active Directory domain accounts should be configured so that all applications are terminated when a user logs out of a Remote Desktop session.
  • No domain policies related to IIS are applied to the system. IIS is used exclusively by the AtlasIED software, and some policies can inhibit its functions.
  • The Windows Internet Explorer setting "Check for newer versions of stored pages:" must be set to "Every time I visit the webpage".
  • No third-party or user-added software consumes more than about 10% of the CPU cycles on the device. This includes anti-virus software, automatic backup software, etc.

GCK Controller Specific Requirements

In addition to the requirements above, on a device hosting GLOBALCOM/GCK software, the following requirements apply:

  • Anonymous FTP access to C:\IED\pushed is required (and must not be blocked) in multi-controller or lifeline systems.

Enterprise/PRIZM Server/Client Specific Requirements

In addition to the requirements above, on a device hosting Enterprise/PRIZM software, the following requirements apply:

  • The folders C:\IEDSQLData and C:\Inetpub are set for full read/write access by the IED (AtlasIED) account and the local SYSTEM account.
  • The "NT Service\MSSQL$SQLEXPRESS" virtual account (the default from the SQL Server Express installation) has the rights required to log on as a service and start the SQL Server service.
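The following script is an added example, not AtlasIED's own tooling. It audits the General and Enterprise/PRIZM requirements above without changing anything, so it can be re-run after a group policy change or after anti-virus software has been installed (see the Anti-Virus Software section). It assumes the local account is named IED (override with -AccountName), that the Internet Explorer "Check for newer versions of stored pages" setting is stored as the SyncMode5 registry value with 3 meaning "Every time I visit the webpage", and that the performance counter names are the English ones.

```powershell
# Added example (not AtlasIED code): read-only audit of the requirements above.
# Run in an elevated PowerShell on the host, logged on as the IED/AtlasIED account
# (the Internet Explorer setting is per-user). Assumptions: account name 'IED';
# SyncMode5 = 3 means "Every time I visit the webpage"; English counter names.

param([string]$AccountName = 'IED', [switch]$Enterprise)

function Report([string]$Check, [bool]$Ok, [string]$Detail = '') {
    '{0,-4}  {1}  {2}' -f $(if ($Ok) { 'PASS' } else { 'FAIL' }), $Check, $Detail
}

# 1. The account is a member of the local Administrators group (ADSI also works on
#    older Windows Embedded builds that lack Get-LocalGroupMember).
$members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
Report "$AccountName is a local administrator" ($members -contains $AccountName) ($members -join ', ')

# 2. Full control on the AtlasIED folders for the account and SYSTEM. This looks for an
#    explicit Allow/FullControl entry; rights that arrive only through group membership
#    (e.g. Administrators) are not resolved, so a FAIL here means "look", not "broken".
function Test-FullControl([string]$Path, [string[]]$Identities) {
    if (-not (Test-Path $Path)) { return $false }
    $acl = Get-Acl $Path
    foreach ($id in $Identities) {
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'FullControl' -and
            $_.IdentityReference.Value -match ('(^|\\)' + [regex]::Escape($id) + '$')
        }
        if (-not $hit) { return $false }
    }
    return $true
}
$folders = @('C:\IED', 'C:\Messages')
if ($Enterprise) { $folders += 'C:\IEDSQLData', 'C:\Inetpub' }
foreach ($f in $folders) {
    Report "Full control on $f for $AccountName and SYSTEM" (Test-FullControl $f @($AccountName, 'SYSTEM'))
}

# 3. Internet Explorer: check for newer versions of stored pages on every visit.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
Report 'IE checks for newer stored pages on every visit' ($ie.SyncMode5 -eq 3) "SyncMode5=$($ie.SyncMode5)"

# 4. No single process holding more than ~10% of total CPU, averaged over three
#    samples and normalised to the number of logical processors.
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$samples = Get-Counter '\Process(*)\% Processor Time' -SampleInterval 2 -MaxSamples 3
$hogs = $samples.CounterSamples |
    Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
    Group-Object InstanceName | ForEach-Object {
        $avg = ($_.Group | Measure-Object CookedValue -Average).Average / $cores
        [pscustomobject]@{ Process = $_.Name; CpuPercent = [math]::Round($avg, 1) }
    } | Where-Object CpuPercent -gt 10
Report 'No process above ~10% CPU' (-not $hogs) (($hogs | ForEach-Object { "$($_.Process)=$($_.CpuPercent)%" }) -join ', ')

# 5. Enterprise/PRIZM: the SQL Server Express service exists and is running; the logon
#    account and start mode are printed so a changed service account stands out.
if ($Enterprise) {
    $sql = Get-CimInstance Win32_Service -Filter "Name='MSSQL`$SQLEXPRESS'"
    Report 'SQL Server Express service running' ([bool]$sql -and $sql.State -eq 'Running') "account=$($sql.StartName) startmode=$($sql.StartMode)"
}
```

Run it with -Enterprise on a PRIZM server or client so that the SQL Server and C:\IEDSQLData/C:\Inetpub checks are included. Keep the output from a known-good state; a later run after a policy refresh or anti-virus installation then shows exactly which requirement was disturbed.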

Windows Updates

It is AtlasIED's policy that Windows Update be set to manual download/install (not automatic). We have found that some Windows updates make security changes to a system that go against the requirements stated above and inhibit its proper operation. The Windows Update process also frequently reboots the system automatically, at a time of its own choosing, taking the operational system offline for a period.

For the Windows embedded systems that AtlasIED ships, we have been providing approximately semi-annual Windows security updates in the form of offline updates that can be applied without Internet access. One can copy these updates to a USB drive, for example, and apply them (off-hours) to the AtlasIED IP100-based devices.

If an installation wishes to install its own Windows updates, for example on a Windows Server host, we recommend installing them off-hours and fully re-testing the system afterwards to ensure there are no ill effects due to the update. AtlasIED technical support can assist in diagnosing any problems encountered, at our standard support rates or in accordance with your contracted support plan, if any.
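The following is an added example, not an AtlasIED procedure, showing one way to put Windows Update under manual control on the host itself. It writes the registry values behind the "Configure Automatic Updates" group policy and assumes that "manual download/install" corresponds to AUOptions = 2 (notify before download and before install); NoAutoRebootWithLoggedOnUsers is the value that stops an installed update from restarting the host on its own schedule while someone is logged on. The .msu path at the end is hypothetical.

```powershell
# Added example (not AtlasIED code): set Windows Update to notify-only and block
# unattended restarts. Run in an elevated PowerShell. On a domain-joined host a domain
# GPO that also sets these values will overwrite them at the next policy refresh, so
# the setting must be agreed with the IT department rather than applied locally alone.

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

# NoAutoUpdate 0 keeps automatic updating configured by policy; AUOptions 2 (assumption:
# the article's "manual") means notify before download and before install.
Set-ItemProperty -Path $au -Name NoAutoUpdate                  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions                     -Value 2 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Verify, and record what is currently installed so a post-update re-test can be tied
# to a specific change.
Get-ItemProperty -Path $au | Select-Object NoAutoUpdate, AUOptions, NoAutoRebootWithLoggedOnUsers
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -Property HotFixID, Description, InstalledOn -First 5

# Assumption: an offline update supplied as a standalone .msu package installs without
# Internet access through the Windows Update Standalone Installer; /norestart leaves the
# reboot to the off-hours maintenance window. Path is hypothetical.
#   wusa.exe D:\updates\example.msu /quiet /norestart
```

After the update window, re-run the requirements audit and the AtlasIED software's own functional tests before returning the system to service.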

Windows Firewall

Earlier shipments of AtlasIED systems had Windows Firewall disabled because it was found to impede much of our software's communication. Since then we have determined how to co-exist with Windows Firewall by adding exceptions (firewall rules) for the AtlasIED software as necessary. For systems running GLOBALCOM software, we currently provide an installer that turns on Windows Firewall and installs the necessary rules. A similar installer for Enterprise/PRIZM hosts may be made available in the future.

If one wishes to set up Windows Firewall manually on another type of system/server, configure it so that all outbound communication is allowed and inbound communication is blocked unless a rule allows it. Then add the following rules:

  • An inbound rule for UDP port 3048, used for all IEDnet protocol communications.
  • An inbound rule for every AtlasIED service installed on that device. To see the list, open Services.msc and scroll down to the names that begin with the letter "I"; all IED services are grouped together there.
  • If this computer also hosts the SAFE add-on, an inbound rule for the underlying SignalR protocol, on TCP port 8082.
  • The installers for third-party tools used with AtlasIED systems, such as CobraNet Discovery, Dante Controller or a MIB browser, should add their own inbound rules. If something goes wrong, these rules may be lost and the tools will not work properly until the rules are added manually or the installer is re-run to repair the installation.
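The script below is an added example and is not AtlasIED's firewall installer. It applies the manual configuration described above with the NetSecurity cmdlets available on Windows 8 / Server 2012 and later. The service-name pattern follows the article's description of the Services list (names beginning with "I"), which is an assumption about your system: unrelated Windows services such as iphlpsvc also start with "I", so review the printed list and tighten -ServicePattern (for example to 'IED*') before trusting the rules it creates. The rule display names are the example's own.

```powershell
# Added example (not AtlasIED code): turn on Windows Firewall and add the inbound rules
# listed above. Run in an elevated PowerShell on the AtlasIED host.
# Assumption: AtlasIED service names match -ServicePattern; check the printed list.

param(
    [string]$ServicePattern = 'I*',
    [switch]$IncludeSafe        # set when this host also runs the SAFE add-on
)

function Add-RuleOnce([hashtable]$Rule) {
    # Create the rule only if one with the same display name does not already exist,
    # so the script can be re-run to repair a lost rule without piling up duplicates.
    if (Get-NetFirewallRule -DisplayName $Rule.DisplayName -ErrorAction SilentlyContinue) {
        "exists: $($Rule.DisplayName)"
    } else {
        New-NetFirewallRule @Rule -Direction Inbound -Action Allow -Profile Any | Out-Null
        "added:  $($Rule.DisplayName)"
    }
}

# 1. Firewall on for every profile: outbound allowed, unsolicited inbound blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. IEDnet protocol traffic.
Add-RuleOnce @{ DisplayName = 'AtlasIED IEDnet (UDP 3048)'; Protocol = 'UDP'; LocalPort = 3048 }

# 3. One program rule per AtlasIED service. Win32_Service.PathName is the full command
#    line (possibly quoted, possibly with arguments); keep only the executable path.
function Get-ServiceExecutable([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}
$services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like $ServicePattern }
"Services matched by '$ServicePattern' (review before trusting the rules):"
$services | Format-Table Name, DisplayName, PathName -AutoSize | Out-String
foreach ($svc in $services) {
    $exe = Get-ServiceExecutable $svc.PathName
    if (-not (Test-Path $exe)) { "skip:   $($svc.Name) (executable not found: $exe)"; continue }
    Add-RuleOnce @{ DisplayName = "AtlasIED service $($svc.Name)"; Program = $exe }
}

# 4. SAFE add-on: SignalR on TCP 8082, only where SAFE is actually hosted.
if ($IncludeSafe) {
    Add-RuleOnce @{ DisplayName = 'AtlasIED SAFE SignalR (TCP 8082)'; Protocol = 'TCP'; LocalPort = 8082 }
}

# 5. Verify the profile defaults and the rules now in place.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'AtlasIED*' | Format-Table DisplayName, Enabled, Direction, Action
```

Program rules rather than port rules are used for the services because the article does not list the ports each service uses; a program rule admits only traffic addressed to that executable. On Windows 7-era embedded builds without the NetSecurity module, the same rules can be created with netsh advfirewall firewall add rule.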

Anti-Virus Software

This refers to any software that detects or remediates viruses, worms, trojans or other malicious software. There are so many products and versions on the market that it is impractical for AtlasIED to evaluate and keep up with them all. Anti-virus software, and updates to it, can change system settings, so it poses a potential risk to the system that is outside AtlasIED's control. We have no specific recommendation on which anti-virus software can be used with AtlasIED software, although we know of installations that have deployed anti-virus software successfully with no apparent ill effects on the operation of the AtlasIED software.

After installing anti-virus software on a system running AtlasIED software, check that it has not imposed any restrictions contrary to the requirements listed earlier in this article. We recommend installing such software off-hours and fully re-testing the system afterwards to ensure there are no ill effects due to the anti-virus software. AtlasIED technical support can assist in diagnosing any problems encountered, at our standard support rates or in accordance with your contracted support plan, if any.