BECKHOFF IPC-Security User Manual


Category

Description

Default Security

This template represents the default security settings that are applied during installation
of the operating system, including file permissions for the root of the system drive.
You can use this template to re-create the default installation settings.

Compatible

This template reconfigures your system according to the user groups: Administrator,
Power Users and Users. Administrators have the most privileges while Users have the
least, which is, of course, not surprising. What the template really accomplishes,
however, is that the system is reconfigured so that members of the Users group
may also execute non-certified applications, meaning applications which don’t take
part in the Certified for Windows program. That means: if you want members of the
Users group to execute non-certified applications, and you don’t want to add them to
the Power Users group because this would grant too many privileges, you can apply this
template and leave them in the Users group. The template therefore relaxes security
for this particular group.

Secure

This template defines enhanced security settings that are least likely to impact application
compatibility. It defines the following things:

▪ Stronger password, lockout and audit settings

▪ It limits the use of LAN Manager and NTLM authentication protocols by allowing
only NTLMv2 responses from clients. Clients which don’t support NTLMv2
won’t be able to authenticate to the system anymore

▪ It prevents anonymous users from enumerating account names and shares

▪ It prevents anonymous users from performing SID-to-name or the corresponding
reverse functions

▪ It enables SMB packet signing, which is disabled by default

Highly Secure

The Highly Secure template is a superset of the Secure template that imposes further
restrictions on the levels of encryption and signing that are required for authentication
and for the data that flows over secure channels and between SMB clients and servers.

Please see chapter A.4.3.4 for a Step-by-Step guide.
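
The bullets of the Secure template correspond to settings that show up in a `secedit /export` dump, so they can be checked after a template has been applied. The following is an added example, not part of the Beckhoff manual: the registry value names are the standard Windows ones, while the expected values and the sample export are assumptions constructed for illustration.

```python
# Added example: thresholds below are assumptions read from the "Secure" bullets.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
# (section, key, predicate on the integer value, expected state)
CHECKS = [
    ("Registry Values", LSA + r"\LmCompatibilityLevel", lambda v: v >= 5,
     "only NTLMv2 responses accepted (level 5)"),
    ("Registry Values", LSA + r"\RestrictAnonymous", lambda v: v >= 1,
     "anonymous enumeration of accounts and shares blocked"),
    ("System Access", "LSAAnonymousNameLookup", lambda v: v == 0,
     "anonymous SID/name translation disabled"),
    ("Registry Values", SRV + r"\EnableSecuritySignature", lambda v: v == 1,
     "SMB packet signing enabled on the server side"),
]

def parse_inf(text):
    """Return {section: {lowercased key: int}}; registry lines look like 'path=4,1'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            value = value.split(",", 1)[-1]  # drop the type prefix ("4," = REG_DWORD)
            if value.isdigit():
                current[key.lower()] = int(value)
    return sections

def audit(text):
    """Return descriptions of checks that are missing or not satisfied."""
    cfg = parse_inf(text)
    failed = []
    for section, key, ok, desc in CHECKS:
        value = cfg.get(section, {}).get(key.lower())
        if value is None or not ok(value):
            failed.append(f"{desc} (found: {value})")
    return failed

# Constructed sample export, not taken from a real system.
SAMPLE = r"""
[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
"""
for finding in audit(SAMPLE):
    print("FAIL:", finding)
```

A setting that is absent from the export is reported as a failure with `found: None`, so an unconfigured value is not mistaken for a hardened one.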

3.2.3.5. Application Whitelist

The so-called “Software Restriction Policy” (or “Application Whitelist”) enables Administrators to specify
exactly which applications may be executed on a system. All other applications will be blocked by the
Operating System upon program execution. The configuration is easy and straightforward and can be
performed via a Local Security Policy. The following documentation gives a short overview of the
different settings.

General information

When using Software Restriction Policies, you can identify and specify the software that is allowed to be
executed on the system. This helps to protect your computer environment from untrusted or malevolent code.
You can define a default security level (template) of Disallowed, Basic User or Unrestricted for a security
policy object but you can also add exceptions to these templates.
