Tridium, Inc. 3951 Westerre Parkway Suite 350 Richmond, Virginia 23233 USA
JACE-NX Windows XP Security ENGINEERING NOTES
These notes provide basic security details for the Windows® XP OS (operating system) on JACE-NX series controllers. Included are instructions for installing Microsoft® service packs and security patches. Also included are configuration details to selectively “lock down” TCP/IP ports to improve security and lessen the possibility of a malicious attack by a hacker or a worm/virus. Anti-virus software on a JACE® is also discussed.
Notes
• JACE-NX controllers are shipped as either NiagaraAX or Niagara (R2) hosts. Although the two are different in regards to Niagara, the same Windows XP security issues apply to any JACE-NX. This document notes any differences between a JACE-NX with NiagaraAX and one with Niagara R2 in regards to security updates and methods.
• This document is not the “end-all reference” on security for Windows XP, as there are many facets of security not addressed, including (but not limited to) assigning NTFS permissions to files/directories, locking down access to portions of the registry, and assigning complex passwords and unique user names. These advanced security features must be understood and evaluated by the system integrator/end user for risk/benefit/usability aspects before implementing.
• These security notes do not apply to JACE®-2, -3, or -5 series controllers, which use an embedded QNX or VxWorks OS. Also, information here does not directly apply to an AXSupervisor PC (Web Supervisor PC) or any Niagara Engineering PC, although most principles are the same. On such a PC, its OS may be either Windows® XP Professional or Windows® 2000, and the specific PC hardware and options will vary. Windows security management for any PC is strictly a local matter.
The following main topics are currently provided in this document:
• Overview
• Updating Windows XP
• Locking Down TCP/IP Ports and Protocols
• Anti-Virus Software Notes
• Additional Information
• Drive Image/ Windows Update History
• Document Updates
Overview
Ongoing security issues with Microsoft operating systems and other software have resulted in numerous Microsoft-issued security patches and service packs. In addition, regular attacks of “computer viruses” have been targeted towards the Windows PC community. Because the JACE-NX series controllers use the following 32-bit Windows OS, security schemes should be regularly reviewed:
• Windows XP Professional (full) or
• Windows XP Embedded.
Engineering Notes: JACE-NX Windows XP Security NiagaraAX or Niagara r2.3.4 or later
Revised: October 25, 2005
Note
For the remainder of this document, when operating systems on JACE-NX controllers are individually referenced, the following shorthand labels are typically used:
• Full XP-SP2—Microsoft Windows XP Professional, Service Pack 2 (current shipping)
• Full XP-SP1—Microsoft Windows XP Professional, Service Pack 1
• Emb XP-SP2—Microsoft Windows XP Embedded, Service Pack 2 (current shipping)
• Emb XP-SP1—Microsoft Windows XP Embedded, Service Pack 1
In addition, when operations depend solely on service pack level, the following labels are used:
• XP-SP2—Windows XP Service Pack 2 (current shipping)
• XP-SP1—Windows XP Service Pack 1
This overview has three sections. The remainder of this document provides details on each section:
• Updating Windows
• Locking Down TCP/IP Ports
• Anti-Virus Software
Updating Windows
The first level of security for any JACE-NX is to keep its Windows XP OS updated. This means the appropriate service pack level and the latest Microsoft security patches. Update procedures vary according to the JACE-NX and how it is installed. An overview of these procedures is as follows:
• For any JACE-NX with Full XP and internet connectivity, you can update Windows XP directly from the JACE by using the “Windows Update” feature. Only “Critical Updates and Service Packs” are needed.
• For any JACE-NX with Full XP but without internet connectivity, but on a LAN with your PC, you can copy Microsoft patch files from your PC to the JACE-NX. Once copied to the JACE-NX, you can then install them. Your PC must either have internet access to download patches from Microsoft, or must have removable media that you can use to transfer Microsoft patch files to it.
• For any JACE-NX with Full XP installed standalone (perhaps dial-up access), you can transfer Windows XP patch files using a USB flash drive (sometimes called “thumb drive” or “pen drive”). After copying Windows patch files downloaded from Microsoft, you can disconnect the USB drive from the PC, carry it to the JACE-NX, and install the drive in the JACE. You can then install the updates from the USB drive.
• For any JACE-NX with Emb XP, you must download a specially-prepared self-expanding update file from Tridium and then copy it to the JACE-NX for execution/installation using a DUA (Device Update Agent). Depending on the installation, you can transfer this update file using a variety of methods.
For more details including procedures, refer to the section “Updating Windows XP,” page 3.
Locking Down TCP/IP Ports
For any JACE-NX exposed to the Internet, or even if on a distributed “intranet”, it is highly recommended to selectively “lock down” unused TCP/IP ports and/or protocols to prevent unauthorized access. The “lock down” method depends on the service pack (SP) level of the Windows XP on the JACE-NX when manufactured.
• If using XP-SP2 (either Full XP or Emb XP), the JACE-NX uses the Windows Firewall feature to lock down TCP/IP ports.
Note
All NiagaraAX JACE-NX controllers run Windows XP-SP2. Depending on the drive image version, recent Niagara R2 JACE-NX controllers also run XP-SP2. See “Drive Image/ Windows Update History,” page 36, for more details.
• If using XP-SP1 (either Full XP or Emb XP), the JACE-NX uses a default “IP Security Policy” (no Windows Firewall), where a few TCP/IP ports are enabled, and all others locked down.
In either case, depending on the specific drivers and features used by the station running on it, you may need to make changes. For more complete information including procedures, refer to the “Locking Down TCP/IP Ports and Protocols” section on page 16.
Anti-Virus Software
The need for anti-virus software on a JACE-NX is not typical, as in normal operation the JACE does not download files (the typical method of computer-virus transmission). As an extra precaution, you may choose to install anti-virus software. However, Tridium generally discourages this practice (for a variety of reasons). For more details, see the “Anti-Virus Software Notes” section on page 35.
Updating Windows XP
Caution
• Typically, installation of Microsoft OS updates and/or security patches ends with a system reboot. Please keep this in mind whenever installing Windows updates—as insurance, always back up your Niagara station and related data to your PC first (or if NiagaraAX, the entire JACE-NX configuration as a backup), before installing updates!
• In addition, place all other controlled equipment (under control of the Niagara station running in the JACE) in manual control before installing Windows updates, as station operation is interrupted while the host reboots. Upon reboot and station startup, use normal Niagara tools (AX Workbench, or R2 JDE, Admin Tool) to verify proper station operation.
The following main subsections are included:
• Remote Desktop Connection
• Determining What Updates Are Already Applied
• Methods to Transfer (Copy) Update Files
• Update Options if Full XP (NX-XP-FULL)
• Update Options if Embedded XP (NX-XP-EMB)
Remote Desktop Connection
All JACE-NX models are factory-configured to host a Remote Desktop Connection, also known as a “Terminal Services” connection. Typically, this is the normal way you access and service the Windows XP OS on the JACE, unless you have directly attached a local console (keyboard, mouse, and monitor). Procedure 1 provides the typical steps in making a Remote Desktop Connection.
Procedure 1
Using a Remote Desktop Connection.
Step 1
Start the Remote Desktop Connection application on your PC. If you are running Windows XP, “Remote Desktop Connection” is typically available using Start > Programs > Accessories > Communications > Remote Desktop Connection.
Note
If you are using a PC with earlier Windows NT or 2000, you can download and install the Remote Desktop client software from Microsoft. At the time of this document, the link to the Microsoft download page for the remote desktop client is http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp.
Step 2
At the pop-up Connection dialog, enter the hostname or IP address of the JACE, and click Connect. If a connection can be made, a “Log On to Windows” dialog appears.
Step 3
In the login dialog, enter the JACE host’s credentials (user name and password), and click OK. This must be a Windows administrator-level user, such as you use when you open an R2 JACE-NX in the Admin Tool, or if a NiagaraAX JACE-NX (using basic authentication), for a platform connection.
Step 4
The Windows XP desktop of the JACE-NX appears. From there, you can perform Start menu commands or any other operations, just as if you had a local console attached. For example, if you right-click Start and select Explore, you open Windows Explorer on the JACE.
Step 5
To exit the remote desktop, first close any open windows, and then simply click the Close control in the upper-right, and answer OK at the “Disconnect” dialog.
Note
If needed, a connection option is available that simplifies copying of files from your PC to the remote JACE. However, “routine” use of this option is not recommended. For more details, see “Using Remote Desktop Connection to Copy Files,” page 8.
Determining What Updates Are Already Applied
Depending on the type of JACE-NX and how it is installed, you may first need to determine what particular Windows XP patches and updates are already applied. If a JACE-NX with Full XP and Internet connectivity, this information is not vital, as you can use the Windows Update mechanism from the JACE to automatically “scan” for any needed updates. In this case, you can skip ahead to “Full XP, Internet Available,” page 10. However, for any JACE-NX with Emb XP, or a JACE-NX with Full XP but without Internet connectivity, this information is necessary in order to compare against available updates. This way you can download and install only those updates needed. For a running history of Windows XP security patches and updates as affecting JACE-NX models (up to the date of this document), see “Drive Image/ Windows Update History,” page 36. Note that a JACE-NX provides utilities to determine this information. These utilities are:
• winver—Windows utility to display XP build number and (if Full XP) the current service pack (SP) level.
• listUpdates—(Applies to Emb XP units only) To display what Tridium-supplied XP updates have already been installed, and the date of installation. Not available on older JACE-NXs until updates are applied.
• hotfixes—Windows utility to list the currently applied Windows XP patches and security updates.
winver
Procedure 2
Issuing winver command.
Step 1
Logon as an administrator to Windows XP running on the JACE-NX, using either a local console, or by using a Remote Desktop Connection.
Step 2
Click Start > Run... for the Run dialog box. Type in “winver” and click OK. An “About Windows” popup (Figure 1) shows the current Windows build revision.
Figure 1
About Windows from winver command.
Note
Only in Full XP does winver report the actual service pack level, such as “1” or “2”.
Step 3
Click OK when finished reading the information.
listUpdates
Note
This command applies to Emb XP type JACE-NXs only.
• If an Emb XP-SP2 unit, this command is available in XP-SP2 drive images NxXpe_2.03 and later, or after any Emb XP-SP2 Updates have been applied.
• If an Emb XP-SP1 unit, this command is available after installing NxXpeUpdate_Apr2005.exe or later, or can be separately downloaded as a self-installing utility from the Tridium secure site.
Procedure 3
Issuing listUpdates command.
Step 1
Logon as an administrator to Windows XP running on the JACE-NX, using either a local console, or by using a Remote Desktop Connection.
Step 2
From the Start menu, click All Programs > listUpdates. As shown in Figure 2, a popup “Setup” window lists all currently applied Tridium-supplied Windows XP updates.
Figure 2
Using listUpdates to check for installed Tridium-supplied Emb XP updates.
Note
The listUpdates utility is separately available from the Tridium secure site as a self-installing zip file. This supports an Emb XP-SP1 unit if you are not sure what Tridium-supplied Emb XP-SP1 Updates are already installed, apart from the “Last Update” one in the “drive image data” area.
hotfixes
Procedure 4
Issuing update /l command.
Step 1
Logon as an administrator to Windows XP running on the JACE-NX, using either a local console, or by using a Remote Desktop Connection.
Step 2
From the Start menu, click All Programs > hotfixes, or use the keyboard shortcut Ctrl + Alt + h. As shown in Figure 3, a popup “Setup” window lists all currently applied Windows XP patches.
Note
This utility is actually a shortcut to the command: “C:\util\update.exe /l”
Figure 3
Checking for installed Windows patches (hotfixes).
Note
Hotfixes are listed in alphanumeric order by Microsoft “knowledge base” numbers, with “KB” numbers at top followed by “Q” numbers. Note the service pack number, for example “SP2” denotes the next service-pack level (future) that will already contain these fixes.
Step 3
Click OK when finished reading the information.
Tip
There are no text output options for these utilities. However, if you wish to capture this information to your local PC (while connected via a Remote Desktop Connection), you can do the following:
a. With the window (e.g. hotfixes) listed in the popup, press Alt-Print Screen. This copies that window to your PC’s Windows clipboard.
b. Minimize the Remote Desktop Connection.
c. Start a WordPad document with Start > Programs > Accessories > WordPad.
d. Press Ctrl-V to paste the window in the WordPad document.
e. As needed, either print the WordPad document, or save to print later.
f. Return to Remote Desktop Connection and close the popup window. If a job with multiple JACE-NXs, you may wish to repeat for each JACE in the same document.
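The comparison step described above (what the hotfixes window lists versus what the “Drive Image/ Windows Update History” table says a unit should have) is easy to get wrong by hand across several JACE-NXs, especially because a hotfix already rolled into the host’s service pack does not need to be installed again. The script below is an added example, not Tridium’s or Microsoft’s code. It assumes the hotfix list has been transcribed to plain text, one entry per line as “<KB or Q number> [SPn]” (the utility itself has no text output, so the format is an assumption), and the KB/Q numbers in it are constructed samples, not real Microsoft identifiers.

```python
"""Compare a JACE-NX hotfix listing against a required-update list.

Added example, not Tridium's code. Assumptions (labelled):
  * the captured listing is plain text, one hotfix per line, in the form
    "<ID> [<SPn>]", where the optional SP column names the service pack
    that already contains the fix (format assumed);
  * the required list is taken from the "Drive Image / Windows Update
    History" table; the KB/Q numbers used here are constructed samples.
"""
import re

# Matches "KB123456", "Q123456", optionally followed by "... SP2".
HOTFIX_RE = re.compile(r"^\s*(KB\d+|Q\d+)\b(?:.*?\bSP(\d+))?", re.IGNORECASE)

# Constructed sample listing in the assumed format (not real KB numbers).
SAMPLE_LISTING = """\
Hotfixes installed (constructed sample)
KB111111 SP2
KB222222 SP2
Q333333 SP1
"""


def parse_hotfix_listing(text):
    """Return {hotfix_id: rollup_sp_or_None} from a captured listing."""
    found = {}
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything unrecognised
        hotfix_id = m.group(1).upper()
        rollup_sp = int(m.group(2)) if m.group(2) else None
        found[hotfix_id] = rollup_sp
    return found


def missing_updates(installed, host_sp_level, required):
    """List the required hotfixes the host still lacks.

    installed:     dict from parse_hotfix_listing()
    host_sp_level: service pack level reported by winver (0 if none)
    required:      iterable of (hotfix_id, rollup_sp); rollup_sp is the
                   service pack that already contains the fix, or None

    A hotfix is satisfied if it is listed as installed, or if the host is
    already at (or above) the service pack that rolls it up.
    """
    missing = []
    for hotfix_id, rollup_sp in required:
        hotfix_id = hotfix_id.upper()
        if hotfix_id in installed:
            continue
        if rollup_sp is not None and host_sp_level >= rollup_sp:
            continue
        missing.append(hotfix_id)
    return missing


if __name__ == "__main__":
    # Constructed required list: (id, service pack that rolls the fix up).
    required = [("KB111111", 2), ("KB444444", 2), ("KB555555", None)]
    installed = parse_hotfix_listing(SAMPLE_LISTING)
    for sp in (1, 2):
        print(f"host at SP{sp}: missing {missing_updates(installed, sp, required)}")
```

Run it once per JACE-NX with that unit’s transcribed listing and its winver service pack level; an empty result means nothing from the required list needs to be copied over.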
Methods to Transfer (Copy) Update Files
In all scenarios except for a JACE-NX with Full XP and Internet access, you will need to download update file(s) to your PC, and then copy them over to the JACE-NX. There are several methods to copy files to a JACE-NX, described in sections below:
• Using the NiagaraAX Platform’s File Transfer Client
• Using a USB Flash Drive to Copy Files
• Using Remote Desktop Connection to Copy Files
• Using Niagara R2 Local and Remote Library to Copy Files
• Using a File Share and Windows Explorer to Copy Files
Using the NiagaraAX Platform’s File Transfer Client If updating a NiagaraAX JACE-NX, and you have the NiagaraAX Workbench (and LAN connectivity to the JACE), you can use Workbench to open a platform connection to the JACE. Then, you can simply transfer the Windows update files from your PC to the JACE-NX using the “File Transfer Client” platform view. For more details about this view, see the NiagaraAX Platform Guide.
Using a USB Flash Drive to Copy Files If you have a USB flash drive and physical access to the JACE-NX, you can simply copy the downloaded update files to a USB flash drive. When you insert the USB drive into a JACE-NX USB port, the drive automatically appears as a “resource” (logical drive) on the JACE-NX, containing the necessary update files.
Note
Commonly-available USB flash-memory drives (USB 1.1 or USB 2.0) have been found compatible. The Windows XP operating system provides built-in support for most USB flash-memory devices.
Using Remote Desktop Connection to Copy Files
Your PC requires LAN connectivity to the JACE. This is a good method, because usually you need to start a Remote Desktop Connection after you have transferred the update files anyway (unless you have a local console attached to the JACE, meaning a keyboard, mouse, and monitor). Therefore, you can use this method to copy files as well as apply updates. Also, this does not require the NX Policy on an XP-SP1 JACE-NX to be disabled.
Procedure 5
Using a Remote Desktop Connection to Copy Files.
Step 1
Start a Remote Desktop Connection as normal, but at the first (Connection) dialog, instead of clicking Connect, click “Options >>”. This extends the dialog below to show several tabs.
Step 2
Click the Local Resources tab, then check Disk Drives.
Step 3
Click back on the General tab, then enter the necessary host login info for the JACE-NX, including its hostname or IP address, and the Windows XP (host) administrator user name and password. Click Connect.
Step 4
A security warning explains that your local drives will be available to this computer (JACE). At the warning, click OK.
Step 5
The Windows Desktop of the JACE-NX appears, as in a “normal” Remote Desktop Connection. However, now when you open Windows Explorer on the JACE-NX, all of your PC drives will be mapped as “shared resources” (drives) on the JACE-NX. You can simply copy the downloaded update files, as needed, from your PC to whatever drive/directory is desired on the JACE-NX.
Notes
• In theory, you could execute update files directly from your PC (as existing in a “shared” resource); however, this is not recommended. Instead, use Windows Explorer on the JACE to copy the update file(s) from your PC to the JACE-NX, where you can then execute the transferred file(s).
• You should clear the “Disk Drives” checkbox on the Local Resources tab in your next usage of the Remote Desktop Connection application, unless you have specific use for it.
Using Niagara R2 Local and Remote Library to Copy Files
This applies only to a Niagara R2 JACE-NX. Your PC must be a Web Supervisor or Niagara engineering PC running the same Niagara build level as the JACE-NX, and have LAN connectivity to it. This method also requires a station to be running in the target JACE (hosting the Remote Library). Typically, this method is best for a single file and/or small files.
Procedure 6
Using Niagara (R2) Local and Remote Library to Copy Files.
Step 1
On your PC, put the update file(s) in the root of the niagara\ folder.
Step 2
In the JDE (Workplace Pro), open the Local Library and double-click on its folder in Tree View. The update files for transfer should be listed.
Step 3
In the JDE, open the Remote Library for the JACE-NX. (Enter its host address or name, then login with station user and password). In the JDE Tree View, expand the Remote Library.
Step 4
From your Local Library, copy a file and paste it into the root of the Remote Library of the JACE-NX. (In the JDE Tree View, use the right-click Copy and Paste commands to accomplish this.)
Step 5
Repeat Step 4 for each file you wish to copy.
Step 6
When done copying, close the Remote Library of the JACE.
Note
If you will be applying Windows update patch files that cause a system reboot, you should then open the JACE-NX in the Admin Tool and backup its database to your local PC, then stop the station.
Using a File Share and Windows Explorer to Copy Files
This method is generally not recommended, especially for XP-SP1 type JACE-NXs, because you need to temporarily disable (unassign) the NX Policy on the JACE-NX, then remember to re-assign it after copying files. Your PC requires LAN connectivity to the JACE.
Procedure 7
Using a File Share and Windows Explorer to Copy Files.
Step 1
Start a Remote Desktop Connection to the JACE-NX. The Windows XP desktop of the JACE appears.
Step 2
(XP-SP1 JACE-NX only) Temporarily disable the NX Policy. See Step 2 on page 10 for details.
Step 3
Create a temporary file share on your PC for the folder containing the updates, for example C:\temp. (In Windows Explorer on your PC, right-click the directory and select “Sharing...Share this folder”.)
Step 4
In Windows Explorer on the JACE-NX, navigate to this folder and copy the update file(s). You may need to connect to the share using: \\\.
Step 5
Paste the copied files into a drive\directory on the JACE-NX.
Step 6
(XP-SP1 JACE-NX only) Enable (re-assign) the NX Policy on the JACE-NX. See steps 4a through c. on page 11.
Update Options if Full XP (NX-XP-FULL)
• Full XP, Internet Available
• Full XP, Internet Not Available
Full XP, Internet Available
If the JACE-NX is installed on a LAN with access to the Internet, you can logon (as administrator) to its Windows XP and check for updates directly from Microsoft. Do this by either:
• Connecting a local console (monitor, keyboard, and mouse) directly to the JACE-NX and rebooting, or
• Connecting remotely over a LAN using a PC running Remote Desktop Connection software to connect to the JACE-NX.
Caution
Applies to JACE-NX with XP-SP1 only!
As described in the following procedure, before you check for Windows updates from Microsoft, you need to temporarily disable the JACE-NX’s factory-configured TCP/IP security policy in the Group Policy editor. Make sure to follow all steps when finishing this procedure, in order to re-enable this security policy. For more details, see “Group Policy Editor (gpedit.msc),” page 22.
Procedure 8
JACE-NX with full XP and Internet access, checking for/installing Windows XP updates.
Step 1
Logon as an administrator to Windows XP running on the JACE-NX, using either a local console, or by using a Remote Desktop Connection.
Step 2
If JACE-NX was shipped with XP-SP2, skip this step (go to Step 3). Disable the IP security policy, using the following steps:
a. Click Start > Run... to bring up the Run dialog box.
b. In the Run dialog box, type in: gpedit.msc and click OK. This produces the Group Policy editor.
c. In the left-hand tree of the Group Policy editor, click to expand: Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Local Computer
d. Double-click “IP Security Policies on Local Computer”. On the right, four policies listed include an “NX Policy” showing “Yes” for “Policy Assigned”.
e. Right-click “NX Policy” and select Un-assign. (Note: remember to reassign after checking for/downloading Windows update files.)
f. Minimize (but do not close) the Group Policy editor window.
Step 3
Check for updates with Microsoft, using the following steps:
a. Click Start > Help and Support to bring up the “Help and Support Center” dialog.
b. In the “Pick a Task” section, click Keep your computer up-to-date with Windows Update.
Once this connection is established, select the “Scan for Updates” option, as shown below. The “Scan for Updates” option searches for all possible updates to Windows XP Professional installed on the JACE-NX. It is recommended that you install only those in the “Critical Updates and Service Packs” category.
c. When the updates scan completes, review and download any “Critical Updates and Service Packs.”
Step 4
If updates are required, follow prompts to download them. However, if an XP-SP1 JACE-NX, before any reboot, first reassign the JACE-NX’s IP security policy, using these steps:
a. Restore the previously-minimized window for the Group Policy editor.
b. In the right-side of the Group Policy editor, right-click “NX Policy” and select Assign. “NX Policy” should again show “Yes” for “Policy Assigned” (and be the only one assigned).
c. Close the Group Policy editor.
Step 5
Follow the Windows Update prompts for installing the downloaded update file(s). Typically, installation will result in a reboot of the JACE-NX.
Notes
• Windows XP also provides an “Automatic Updates” feature that notifies an administrative-level user that new updates are ready to download and/or install. If a Full XP-SP2 unit, this may be a valid option, providing that you are not concerned about network bandwidth usage or unanticipated resource allotments. For any Full XP-SP1 unit, this is not a valid option, as the automatic update mechanism is incompatible with the IP security policy—instead, you must temporarily disable this policy while manually scanning for updates, per Procedure 8.
• (XP-SP1 Only) For more details about the Group Policy editor and the JACE-NX’s IP security policy, refer to “Locking Down Ports and Protocols if XP-SP1 JACE-NX,” page 20.
Full XP, Internet Not Available Under this scenario, you will need to download (from Microsoft) the appropriate Windows XP updates and security patches as files on your PC, then copy them over to the JACE-NX where you can install them. This method uses the Microsoft “Windows Update Catalog.”
When factory-configured, a JACE-NX includes Windows XP updates that are current within its build time-frame. However, approximately once a month, Microsoft has committed to issuing new security patches. This means that you will need to regularly review and install updates on existing JACE-NXs, and even for a “brand new” JACE-NX, it is possible you will need to install the most recent patches or updates. To determine what is already applied, see “Determining What Updates Are Already Applied,” page 4, and compare this against information in “Drive Image/ Windows Update History,” page 36. This will help you make selections from the Windows Update Catalog.
Procedure 9
Downloading and installing update files from the Microsoft Windows Update Catalog.
Step 1
On your PC with Internet access, go to the Windows Update Catalog site. For English, this is: http://v4.windowsupdate.microsoft.com/catalog/en/default.asp
Step 2
Select Find updates for Microsoft Windows operating systems.
a. For Operating System, scroll down and select either (as needed):
• Windows XP Professional SP2
• Windows XP Professional SP1
b. Click the Search button. Results of the search appear listed with total number of items found.
c. Click Critical Updates and Service Packs. After a few seconds, the page updates listing all critical updates and service packs, sorted by title.
d. For the “Sort by” control, select “Posted date.” The page automatically resorts with most recent updates at the top. Review the updates, using the scroll bar and clicking on Add or Remove as necessary to flag for download. As you Add an update, it grays and the “Total Items in Download Basket” increments by 1.
e. When finished adding updates, click Go to Download Basket. The “Download Basket” page appears.
Step 3
At the Download Basket page, either type a target file path for the downloaded files or click Browse and navigate to an existing drive/directory location for the destination.
Step 4
Click the Download Now button. A Microsoft License Agreement appears. Click Accept to start downloading. The update files are downloaded to your PC, and a Download History screen provides details on when you downloaded each file and its description.
Step 5
Open a Windows Explorer window and navigate to the downloaded files. When ready to copy to the JACE-NX, you can copy the top-level (parent) “WU” folders to simplify this.
Step 6
Copy (transfer) the downloaded files to the JACE-NX. See the “Methods to Transfer (Copy) Update Files” section on page 7 for details. Typically, the Remote Desktop method is best (Procedure 5 on page 8). By convention, you typically place update files in a temporary C:\ folder, for example C:\temp.
Step 7
Using Windows Explorer on the JACE-NX, expand the copied subfolders under “WU” until you see a self-expanding cabinet file (.exe) for an update. Double-click the cabinet to install the update, and follow the installation instructions.
Step 8
Repeat Step 7 for each update (each will have a separate subfolder), until all are installed on the JACE-NX.
Step 9
Close all windows on the JACE-NX and reboot it.
– If you have a local console attached, you can use Start > Turn Off Computer > Restart.
– If using Remote Desktop Connection, disconnect the session, then use the appropriate Niagara tool to reboot the JACE-NX:
• If a NiagaraAX JACE-NX, use Workbench to open a platform connection to the JACE-NX. Then from the Platform Administration view, select Reboot.
• If an R2 JACE-NX, open a connection using the Niagara Admin Tool. With the JACE-NX highlighted in the Admin Tool, right-click and select Reboot.
All installed updates should be effective following this reboot.
Note
If the target JACE-NX is installed standalone (not on a LAN), perhaps for dial-up access only, you can use a USB flash drive to copy files; see “Using a USB Flash Drive to Copy Files,” page 7. You could then install the updates directly from the USB drive. However, please note that a JACE-NX installed in this manner is typically not a high-risk host for security issues, and the need for security updates is minimal.
Update Options if Embedded XP (NX-XP-EMB)
If the JACE-NX has XP Embedded (Emb XP), the Microsoft Windows Update site cannot be used. Instead, Tridium prepares special self-expanding update files on an ongoing basis for you to download and copy to the JACE-NX. You can then logon as the Windows administrator to the JACE-NX and execute the update(s). The update process for the JACE-NX with Emb XP uses a “Device Update Agent” (DUA) described ahead. The following subsections apply:
• Device Update Agent—Theory of Operation
• Download Update File From Tridium
• Installing Update in an Embedded JACE-NX
• Verify Updates Applied Correctly
Device Update Agent—Theory of Operation
The Device Update Agent (DUA) is actually a service which runs in the background of Windows XP Embedded. This service starts whenever the JACE-NX is booted, and remains running as long as the operating system is running. The duties of the DUA service are simple:
1. On a regular poll cycle, poll for the existence of a special file in a predefined file storage location.
2. If the special file exists, execute the file. If it does not exist, do nothing and sleep until the next poll cycle.
That is the extent of the DUA operation.
Engineering Notes: JACE-NX Windows XP Security NiagaraAX or Niagara r2.3.4 or later
Revised: October 25, 2005
Note
By default, as shipped in a JACE-NX with Emb XP, the polling cycle of the DUA service is once every 60 seconds. If this cycle needs to be changed, please contact Tech Support for the details.
Special File
Depending on whether the JACE-NX has Emb XP-SP1 or Emb XP-SP2, the special file is as described below.
EMB XP-SP1: The “special file” is named “update.dup”, where a “.dup” file is a “device update program”: a compiled version of a script file with instructions to move/copy/rename/delete files, add/remove/modify registry keys, reboot, and so on. The update.dup file contains all of the directions for performing the update. The source files to move/copy/rename are the files contained in the security patch, and must also reside in the location where update.dup expects to find them.
EMB XP-SP2: The “special file” for XP Embedded SP2 systems is functionally identical to the SP1 special file, with one exception: to ensure that updates are applied in the proper order, each update package includes instructions to rename the update script to a new unique name after installation. The file “update.dup” from the SP1 description above is therefore uniquely named for every update package. For instance, the first update package is called “NxXpeUpdate_Sp2_1” and contains a file “NxXpeUpdate_Sp2_1.dup”, and the next update package is called “NxXpeUpdate_Sp2_2” and contains the file “NxXpeUpdate_Sp2_2.dup”. Each update package modifies the registry so that only the next update in sequence can be applied. This also ensures that updates cannot be installed on OS revisions that already include the patches from the factory.
Note
In either case, the method of installation of updates on XPE-SP1 and XPE-SP2 images is identical.
Predefined File Storage Location: The predefined storage location is C:\dua. The self-installing executable patch automatically copies the appropriate update script to this location, and creates a new subdirectory there to hold the OS updates.
Because the DUA executes whatever update script it finds in C:\dua on its next poll, the ability to write a file into that folder is effectively the ability to run code on the JACE-NX with the privileges of the DUA service. Treat C:\dua as an administrator-only location: do not share it on the network, and do not leave its NTFS permissions open to non-administrator accounts.
Download Update File From Tridium
In general, updates and patches are released by Tridium as self-extracting executable files which, when executed, extract files to the correct directories on the JACE-NX host. The files extracted include the files belonging to the security patch as released by Microsoft, and the special “update.dup” device program file. Self-extracting executables are posted on the Tridium secure web server for download.
• For EMB XP-SP1, the files are named according to the dates of the Microsoft releases, and may contain several security patches. As an example of the naming convention, the first update for EMB XP-SP1 was named: NxXpeUpdate_Feb2004.exe
• For EMB XP-SP2, the update names are suffixed with Sp2_n, where n is incremented for each subsequent update package. For example, the first update for EMB XP-SP2 is named: NxXpeUpdate_Sp2_1.exe
You will need to download the update file from the Tridium secure server to your PC, and then copy it to the JACE-NX over the LAN. See “Installing Update in an Embedded JACE-NX,” for a procedure.
Installing Update in an Embedded JACE-NX
Use the following procedure to install the NxXpe update file on the JACE-NX.
Procedure 10 Installing Tridium-prepared Windows XP update to JACE-NX with Emb XP over a LAN.
Step 1 Download the NxXpe update file from the Tridium secure website.
Step 2 With your PC on a LAN with the JACE-NX, transfer the downloaded update file to it. See the “Methods to Transfer (Copy) Update Files” section on page 7. If using the recommended method (Procedure 5 on page 8), you can copy the update file to the JACE-NX’s C:\ (root) or to a C:\temp folder, if one exists; any location is fine.
Step 3 If not already started, open a Remote Desktop Connection to the JACE-NX, logging on with the administrator-level account (the same user and password used to open the JACE-NX in the Admin Tool).
Step 4 Open Windows Explorer on the JACE-NX, then navigate to the location of the copied update file. The location depends on the file transfer method chosen. For example, if you used a USB flash drive, the file is on that drive. If you used the Niagara Local to Remote Library method, it is in the root of the D:\niagara\rel directory.
Caution Within 1 minute of completing the next step (5), the update script file will execute, and will typically result in a reboot of the JACE-NX. Make sure it is safe to reboot before performing this action!
Step 5 Double-click the file to launch the WinZip self-extractor, and select Unzip.
Note Leave the target “Unzip to folder” at “C:\dua” to ensure proper extraction. Do not change “Unzip to folder”.
Click OK when the WinZip Self-Extractor finishes, and close the WinZip dialog.
Step 6 The JACE-NX will execute the security update on the next DUA poll cycle, which occurs once per minute. When completed, the JACE-NX will reboot. Any connections to the JACE-NX (Remote Desktop Connection, AX Workbench, R2 Admin Tool or JDE, etc.) will be lost.
Verify Updates Applied Correctly
After the JACE-NX reboots from the applied update, you should verify the update (Procedure 11).
Procedure 11 Verifying NxXpe Update Applied Correctly.
Step 1 Connect to the JACE-NX using a Remote Desktop Connection.
Step 2 When the Windows XP desktop of the JACE-NX appears, examine the “bginfo” information in the desktop’s lower-right corner. A “Last Update” line should now appear, showing the last applied update. (The figure for this step, not reproduced here, shows the bginfo display after installing NxXpeUpdate_Oct2005.exe on a JACE-NX with EMB XP-SP1.)
Note
Oftentimes, if connecting using Remote Desktop Connection, this information is not displayed unless you manually refresh it. If not displayed, click Start > All Programs > Startup > bginfo.
Step 3 Open Windows Explorer, and navigate to the directory C:\dua\. Locate the “readme.txt” file.
Step 4 Double-click readme.txt to open it, and read it for instructions on how to verify that the updates were applied correctly.
Note
After installing any Emb XP-SP2 update, or after installing NxXpeUpdate_Apr2005.exe if an Emb XP-SP1 unit, you can also issue a listUpdates command to see a list of all applied updates. See the “listUpdates” section on page 5 for more details.
Locking Down TCP/IP Ports and Protocols
The following subsections are included:
• Commonly Used Ports and Protocols in Niagara
• Locking Down Ports and Protocols if XP-SP2 JACE-NX
• Locking Down Ports and Protocols if XP-SP1 JACE-NX

Commonly Used Ports and Protocols in Niagara
Table 1 provides a summary of TCP/IP ports and IP protocols required for Niagara and its various drivers and features. Please review this table before locking down ports or protocols on a JACE-NX. If the station running on the JACE-NX does not require a port or protocol, you should not enable it.
Table 1 TCP/IP ports used in NiagaraAX, Niagara R2, various drivers, and various features or functions.

Function                                   | TCP Port        | UDP Port       | IP Protocol | Notes
-------------------------------------------|-----------------|----------------|-------------|------------------------------------------------------------
NiagaraAX
Fox Service (Workbench)                    | 1911            | —              | Fox, HTTP   | Default port for a station’s FoxService. Used for Workbench-to-station and also station-to-station communications.
Web Service                                | 80              | —              | HTTP        | Default port for a station’s Web Service. Used in browser access (Hx, WB).
Platform daemon (access of)                | 80, 3011        | —              | HTTP        | Default ports for WB platform connection.
Niagara R2
JDE (WorkPlace Pro), browser access        | 80              | —              | HTTP        | Default HTTP port for a station.
Admin Tool                                 | 80, 3011        | —              | HTTP        | Default ports for Admin Tool.
Optional Functions
FTP                                        | 21              | —              | —           |
FTP-data                                   | 20              | —              | —           |
Telnet                                     | 23              | —              | —           |
Client connection to mail server for e-mail notifications | 25 | —           | SMTP        | In NiagaraAX or r2.3.5 and later, the MailService lets you specify a TCP port other than 25 (default).
Microsoft NetMeeting                       | 522, 1503, 1731 | —              | —           | JACE-NP with Emb NT only.
RCMD                                       | 139             | —              | —           | JACE-NP with Full NT only.
Microsoft Remote Desktop                   | 3389            | —              | —           | JACE-NX with Win XP (Full or Emb) only.
Internet Time Protocol service             | 37              | —              | —           |
DHCP                                       | —               | 67, 68         | —           |
SNMP                                       | —               | 161            | SNMP        |
SNMP Trap                                  | —               | 162            | SNMP        |
Niagara Drivers (1)
Modbus TCP                                 | 502             | —              | —           |
BACnet Ethernet                            | —               | —              | —           | TCP/IP not used (raw Ethernet).
BACnet/IP                                  | —               | 47808          | —           |
BmsAdc                                     | 25020           | —              | —           |
AreaDAT                                    | —               | 20028          | —           |
CCN                                        | 50005, 50006    | —              | —           | ComfortWorks Tunneling only.
OPC Client (uses DCOM)                     | 135             | 135            | —           | DCOM, using RPC (below). Filtering is hard because of dynamically assigned ports; see “OPC Issues,” page 18.

RPC, used by NetBIOS (browsing, file shares, etc.), also Windows Update, Browser, OPC client & server | 137, 138, 139 | 137, 138, 139 | — | Required if the JACE is to appear in browser lists and for network shares. Used to copy future update files. Required by the OPC client driver too.
PING                                       | —               | —              | ICMP        | Basic “ping” test of connection.
DCOM                                       | 135             | 135            | —           | See notes above for OPC Client driver.
Microsoft SQL Server                       | 1433            | 1433           | —           | If R2 MS SQL or MSDE database option.
Microsoft SQL Monitor                      | 1434            | 1434           | —           | SQL management only.
VNC (Virtual Network Computing)            | 5900            | —              | —           | JACE-NP with Full NT only, if VNC Server software is installed with defaults.
Win XP Internet Time function              | —               | 123            | —           | Win XP only, sync with NIST time server.

(1) “Conventional” port used by this particular protocol and driver. It is possible (but unlikely) that another port is used on a particular job. If so, this other port must be unlocked, and also specified within the configuration of the corresponding Niagara driver.
OPC Issues
Currently, if a JACE-NX is to run a station with an OPC driver (either NiagaraAX or R2), you must either:
• If EMB XP-SP2, reconfigure the Windows Firewall.
• If EMB XP-SP1, unassign (disable) the NX Policy for this driver to work. See “NX Policy Implementation,” page 28 for NX Policy details. While NX Policy is unassigned, the JACE-NX has no port lockdown at all (see the Caution under “Starting the Group Policy Editor”), so an external firewall or router ACL is the only protection left.
This is due to the complexity of DCOM used by OPC and its dynamically assigned ports (on both the OPC server and client sides), along with site configuration differences. Apart from special configuration of the JACE-NX, additional (and coordinated) configuration will likely be necessary on the remote OPC server(s). You can find related DCOM information (at the time of this document) at the following Microsoft address: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomtec.asp
Example Ports/Protocols used in JACEs
The following example JACE-NX controllers use these collections of TCP/IP ports and protocols:

Example 1 JACE-NX A (Niagara R2), Emb XP, fixed IP address, BACnet/IP, Modbus TCP, other Niagara features.

Function                                   | TCP Port | UDP Port | IP Protocol | Notes
-------------------------------------------|----------|----------|-------------|------------------------------------------------------------
JDE (WorkPlace Pro), browser               | 80       | —        | HTTP        | Default HTTP port for a station.
Admin Tool                                 | 80, 3011 | —        | HTTP        | Default HTTP ports for Admin Tool.
Client connection to mail server for e-mail notifications | 25 | — | SMTP      | Used by the MailService in the JACE station.
Microsoft Remote Desktop                   | 3389     | —        | —           | Used to access the Windows XP desktop.
Internet Time Protocol service             | 37       | —        | —           | Used by the TimeSyncService in the JACE station (configured as time server only; the client is the OS-based (Win XP) Internet Time, below).
Modbus TCP                                 | 502      | —        | —           | Used by the ModbusTCPService in the JACE station.
BACnet/IP                                  | —        | 47808    | —           | Used by the BACnetService in the JACE station.
PING                                       | —        | —        | ICMP        | Basic “ping” test of connection.
Win XP Internet Time                       | —        | 123      | —           | Used by the OS (host) to sync time to the NIST server.

Example 2 JACE-NX B (NiagaraAX), Full XP, DHCP-assigned IP address, SNMP, other Niagara features.

Function                                   | TCP Port      | UDP Port      | IP Protocol | Notes
-------------------------------------------|---------------|---------------|-------------|------------------------------------------------------------
Fox Service (Workbench)                    | 1911          | —             | Fox, HTTP   | Default TCP port for the Fox Service in the station.
Web Service (browser access)               | 80            | —             | HTTP        | Default HTTP port for the Web Service.
Niagara Platform                           | 80, 3011      | —             | HTTP        | Default HTTP ports for the Platform daemon.
Client connection to mail server for e-mail notifications | 25 | —          | SMTP        | Used by the MailService in the JACE station.
DHCP                                       | —             | 67, 68        | —           | Used by Win XP to work with the DHCP server.
Microsoft Remote Desktop                   | 3389          | —             | —           | Used to access the Windows XP desktop.
Internet Time Protocol service             | 37            | —             | —           | Used by the TimeSyncService in the JACE station (configured as time server only; the client is the OS-based (Win XP) Internet Time, below).
SNMP                                       | —             | 161           | SNMP        | Used by the SnmpService in the JACE station.
SNMP Trap                                  | —             | 162           | SNMP        | Used by the SnmpService in the JACE station.
PING                                       | —             | —             | ICMP        | Basic “ping” test of connection.
RPC (NetBIOS browsing, file shares, client/server comm) | 137, 138, 139 | 137, 138, 139 | — | Required if the JACE is to appear in browser lists and for network shares.
Win XP Internet Time                       | —             | 123           | —           | Used by the OS (host) to sync time to the NIST server.
Locking Down Ports and Protocols if XP-SP2 JACE-NX If a JACE-NX is running XP-SP2 (Full XP-SP2 or Emb XP-SP2), its ports and protocols are locked down using the Windows Firewall instead of the group policy-based lock down used on XP-SP1 units. Setup and maintenance are simplified by use of the Microsoft GUI-based Windows Firewall Control Panel applet.
Note
As shipped from the factory, a JACE-NX with SP2 has the equivalent firewall settings as the NxPolicy group policy based lockdown settings shipped for SP1 units.
Procedure 12 provides the steps needed to view or modify the settings in Windows Firewall.
Procedure 12 Viewing or modifying the Windows Firewall on a JACE-NX with SP2.
Step 1 Using either a local console or a Remote Desktop Connection, open the Windows Control Panel (click Start > Control Panel).
Step 2 Double-click the Windows Firewall applet to launch the Windows Firewall application. It opens displaying the General tab (figure not reproduced here). On the General tab, the setting “On” should be selected.
Step 3 Click the Exceptions tab. This is where you view or edit most settings. Figure 4 shows how a factory-shipped JACE-NX with XP-SP2 (either Full XP or Emb XP) has firewall exceptions configured.
Figure 4
Factory-shipped Windows Firewall exceptions for JACE-NX with SP2 (either Full or Emb).
Entries are called exceptions because the firewall does not allow any activity into the JACE-NX from the outside, except for what is in this list. From the factory, these are the exceptions:
• admin—enabled: opens TCP port 3011 for (AX) Workbench platform or (R2) Admin Tool
• Bacnet—enabled: opens UDP port 47808 for BACnet/IP
• File and Printer Sharing—enabled: opens the File and Printer Sharing ports (see the RPC/NetBIOS row of Table 1)
• Fox—(enabled only if NiagaraAX JACE-NX): opens TCP port 1911 (Workbench, station-to-station)
• HTTP—enabled: opens TCP port 80 for web browser access
• Remote Assistance—enabled: opens the Remote Assistance application
• Remote Desktop—enabled: opens TCP port 3389 for Remote Desktop Connection access (the port listed for Remote Desktop in Table 1 and Table 3)
• UPnP Framework—disabled
Step 4 To see the configuration of any exception, click to highlight it, then click the Edit button.
As with the Group Policy lockdown used in XP-SP1 units, any JACE-NX with XP-SP2 has a batch file that was used at the factory to create these exceptions (C:\lockdown\lockdown.bat). In addition, you can edit and execute another batch file (C:\lockdown\optionalLockdown.bat) to apply additional Windows Firewall exceptions. Refer to Table 1 on page 17 for a list of typical and driver-specific ports which you may need to open for a particular installation. See “Using optionalLockdown.bat,” page 33, for a procedure.
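As an added example (this is not Tridium’s lockdown.bat or optionalLockdown.bat, whose contents this document does not reproduce), the batch file below shows what an optional-lockdown script for an XP-SP2 JACE-NX looks like when written with the XP SP2 “netsh firewall” command context. The Modbus TCP and SNMP ports are the Table 1 values; the management subnet 192.168.10.0/24 is a hypothetical site value; and the script assumes netsh.exe is present on the unit and is run from an administrator-level command prompt.

```batch
@echo off
rem optionalLockdown-example.bat -- added example, not Tridium's own
rem C:\lockdown\optionalLockdown.bat. Uses the Windows XP SP2
rem "netsh firewall" context (replaced by "netsh advfirewall" on later
rem Windows versions). Run from an administrator-level command prompt.
rem Assumed site values (hypothetical): a Modbus TCP driver, SNMP in use,
rem and a management subnet of 192.168.10.0/24.

rem 1. Make sure the firewall is on and its exception list is honored.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2. Driver ports from Table 1, limited to the local subnet so that a
rem    probe arriving from beyond the router cannot reach them.
netsh firewall add portopening protocol=TCP port=502 name="Modbus TCP" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=161 name="SNMP" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=162 name="SNMP Trap" mode=ENABLE scope=SUBNET

rem 3. Narrow Remote Desktop (TCP 3389) from "any address" to the
rem    management subnet. Run this only from an address inside that
rem    subnet, or the Remote Desktop session you are typing in is cut off.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=192.168.10.0/255.255.255.0

rem 4. File and Printer Sharing (the NetBIOS ports in Table 1) is only
rem    needed while copying update files to the JACE-NX; close it again
rem    afterwards and re-enable it for the next update.
netsh firewall set service type=FILEANDPRINT mode=DISABLE

rem 5. Verify: everything listed here is reachable from the outside.
netsh firewall show state
netsh firewall show portopening
netsh firewall show service
```

Each “add portopening” line is the scripted equivalent of one entry on the Exceptions tab of Procedure 12, so the result can be checked in the GUI afterwards. Step 4 of the script is deliberate: the factory exception list leaves File and Printer Sharing open, and Table 1 notes that those ports are needed only to copy future update files.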
Locking Down Ports and Protocols if XP-SP1 JACE-NX A JACE-NX with XP-SP1 ships from the factory with a standard level of IP security, which you can further adjust using the IPSec policy mechanism of Windows XP (either Full XP or Emb XP) to provide TCP/IP port lockdown.
Note You can skip this entire section if locking down ports on any XP-SP2 JACE-NX; the IPSec policy mechanism has been superseded by the Windows Firewall. See “Locking Down Ports and Protocols if XP-SP2 JACE-NX,” page 19.
The following main sections apply:
• Introduction
• Terminology
• Group Policy Editor (gpedit.msc)
  – Starting the Group Policy Editor
  – NX Policy Properties
  – Edit Rule Properties
    – IP Filter List
    – Filter Action
• NX Policy Implementation
  – Default Rules as Shipped from Factory
  – Optional Rules from “optionalLockdown.bat”
• Adding Additional Rules to NX Policy
Introduction
Prior to the introduction of the Windows Firewall in XP-SP2, the IPSec policy engine in XP-SP1 provided an effective means to help secure the JACE-NX’s network interfaces. Even if the JACE is not protected by an external firewall or router with good access control lists, the port lockdown described here helps ensure that the JACE remains minimally exposed. If the JACE-NX is also protected by an external firewall or router, then the use of IPSec policy to lock down port access provides an additional layer of protection. Note that in this use of IPSec policy, the JACE-NX is not actually creating any IPSec security associations between itself and any other node; rather, the JACE uses the IPSec interface and policy engine to specify which protocols/ports are allowed into the JACE-NX’s network interface (and blocks all others). An alternate approach to locking down TCP/IP port access would be to use the “TCP/IP Filtering” feature available in the advanced configuration options of the TCP/IP setup. Using IPSec policy to filter ports and protocols is much more flexible than the “TCP/IP Filtering” option. Compare the two approaches:

Table 2 IPSec policies vs. TCP/IP filtering for locking down TCP/IP ports.

Feature                     | IPSec Policies                                               | TCP/IP Filtering
----------------------------|--------------------------------------------------------------|-----------------------------
Scope                       | Specific addresses/interfaces                                | All interfaces in the server
Source addresses            | Can be part of a policy                                      | No ability to indicate
Reboot required             | No                                                           | Yes
Response to blocked traffic | None; incoming packets are dropped, server appears invisible | Reset returned to client
Using IPSec policies to lock down a server provides greater flexibility by allowing you to specify which interface should be filtered as well as which source addresses are allowed (if you need this level of granularity). IPSec policies provide additional security by silently discarding blocked traffic. In addition, IPSec policy can be scripted in a batch file for rapid deployment across multiple units. The command “ipseccmd.exe” can be executed at the command line or from within a batch file for this purpose. This is how the IPSec lockdown policy is initially created for the JACE-NX from the factory.
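The factory rules were generated with ipseccmd.exe, and the same tool can add an optional rule to the assigned NX Policy from a batch file. The script below is an added example, not Tridium’s factory batch file or its optionalLockdown.bat; it uses the ipseccmd.exe static-mode syntax from the Windows XP Support Tools (an XP-SP2 unit needs the SP2 build of the Support Tools), and the Modbus TCP and SNMP ports are illustrative Table 1 values rather than a requirement of any particular site.

```batch
@echo off
rem nxpolicy-rule-example.bat -- added example, not Tridium's batch file.
rem Adds "Permit" rules to the assigned "NX Policy" with ipseccmd.exe
rem (Windows XP Support Tools). Run from an administrator-level prompt.
rem
rem Switches used:
rem   -w REG   write to the local (registry) policy store, static mode
rem   -p NAME  policy; an existing name gets the new rule appended
rem   -r NAME  rule name (shows up as the IP Filter List name in gpedit)
rem   -f SPEC  one or more filters:  SRC+DST:PORT:PROTOCOL
rem              *  = Any IP Address      0 = My IP Address (the JACE-NX)
rem              +  = mirrored, so the reply direction matches as well
rem   -n PASS  filter action "Permit" (BLOCK would be "Block")
rem   -x       assign the policy so the change is active immediately
rem The ports below (Modbus TCP 502, SNMP 161/162) are assumed site values.

rem Permit Modbus TCP from any address to the JACE-NX, mirrored.
ipseccmd -w REG -p "NX Policy" -r "Modbus TCP filter list" -f *+0:502:TCP -n PASS -x

rem Permit SNMP queries and traps: one rule, one filter list, two filters.
ipseccmd -w REG -p "NX Policy" -r "SNMP filter list" -f *+0:161:UDP *+0:162:UDP -n PASS -x

rem Verify which policy is assigned and the filters now in force.
ipseccmd show policies
ipseccmd show filters
```

The “Block All” rule stays in place; the new rules only add permits alongside the nine factory rules. As the Description note under “IP Filter List” says, filters created this way carry an auto-generated description that should not be edited in gpedit if the list is to be managed with ipseccmd.exe later.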
Terminology
Familiarity with the following terms will help you understand IPSec policies in Windows XP:
Filter list: Ports, protocols, and directions; triggers a decision when traffic matches something specified here. One list can contain multiple filters.
Filter action: The required response when traffic matches a filter list. Here, you are concerned only with the “Permit” and “Block” actions.
Rule: A correlation of a filter list with a filter action. Generally used to specify IPSec security negotiation parameters, which you are not using here.
Policy: A collection of rules. Only one policy can be active (“assigned”) at any particular time.
Group Policy Editor (gpedit.msc)
IPSec policy is but one component of a much larger policy framework in Windows XP. You can view and edit all policies on a JACE-NX, including IPSec policy, using the “Group Policy Editor.” The following subsections apply:
• Starting the Group Policy Editor
• NX Policy Properties
• Edit Rule Properties
  – IP Filter List
  – Filter Action
• NX Policy Implementation

Starting the Group Policy Editor
To start the Group Policy Editor, type “gpedit.msc” from the Start > Run menu as shown in Figure 5.
Figure 5 Starting the Group Policy Editor.
This launches the Group Policy Editor management console, which allows you to edit several security options, including IPSec. Expand Local Computer Policy / Computer Configuration / Windows Settings / Security Settings. In the left pane, click “IP Security Policies on Local Computer”. The Group Policy Editor should now look similar to Figure 6.
Figure 6 Group Policy management console expanded to Security Settings.
Notice in the right-hand pane that there are multiple policies listed. Only one of these policies can be “assigned” at one time. If a policy is assigned, it is the active policy; if it is not assigned, it is inactive. The policy “NX Policy” should be assigned; it should show “Yes” in the “Policy Assigned” column.
Tip A policy can be un-assigned by right-clicking its policy name and selecting “Un-assign” from the pop-up menu. Since Group Policy changes become effective immediately, without reboot, this is a useful way to temporarily disable a policy. For example, with NX Policy assigned, all browser functions and file shares are disabled because the ports used for those functions are not included in the allowed list. If files need to be copied to/from the JACE-NX and another computer, you can temporarily un-assign the NX Policy, copy the files, and then re-assign NX Policy.
Caution For the duration that the NX Policy is un-assigned, the JACE is exposed to attack through all ports. Therefore, make sure it is safe to un-assign the policy first, and re-assign it as soon as possible.
NX Policy Properties
Double-click “NX Policy” in the Group Policy Editor to access the NX Policy Properties dialog (Figure 7).
Figure 7 NX Policy Properties.
The NX Policy Properties view shows all of the rules that make up the NX Policy policy. Only rules with the check box checked are applied to this policy. In this example, there are nine (1) rules checked:
• SMTP Mail filter list
• Remote Desktop filter list
• NX Core filter list
• Legacy Time filter list
• ICMP Ping filter list
• HTTPS filter list
• DHCP filter list
• Block All filter list
• BACnet IP filter list
The other rule listed, “”, is a default rule, and is not used in the NX Policy policy. Leave it unselected. In general, rules associate a filter list with an action. For instance, the “NX Core filter list” rule associates a list of ports to be filtered with the action “Permit.” The “Block All filter list” rule associates a list inclusive of all ports with the action “Block.” The only actions of interest for NX Policy are “Permit” and “Block.” You can configure filters as needed.
(1) If a JACE-NX has an early Windows XP-SP1 OS image (version 1.15, for example), there are fewer than 9 standard rules, for instance only 4. Check your JACE-NX drive image and, if it is prior to 1.20, apply the “JACE-NX_Lockdown.bat” security update to ensure that interstation links function correctly. After doing this, you should see 9 standard rules, plus any additional “optional” rules you may have added.
Edit Rule Properties As stated earlier, a rule is simply an association of a filter list with a filter action. The group policy editor allows for the creation and modification of rules. To edit any rule, click on it (to highlight it) and click the “Edit” button. This produces an “Edit Rule Properties” dialog, as shown in Figure 8 below. Figure 8
IP Filter List tab of Edit Rule Properties dialog.
The top portion of the window contains 5 tabs, of which only 2 will be used when configuring IPSec port filtering rules. The two tabs we are interested in are “IP Filter List” and “Filter Action.” All settings on the other tabs should be left at their default values, and will not be discussed here. The bottom pane shows all of the filters available to apply to this rule. Note that only one filter list can be applied to a rule. In the above example, the filter “NX Core filter list” is the filter selected. IP Filter List—View and edit details for any filter in the list by clicking it in the IP Filter List tab (Figure 8), and then clicking the Edit button. Figure 9 shows the IP Filter List details for the “NX Core filter list.”
Figure 9 IP Filter List.
The filter list contains a list of ports/protocols/IP addresses/etc. that are to be either blocked or allowed, depending on the settings in the “actions” section of the rule configuration (see “Filter Action” below for descriptions of actions). The filter list can be modified by adding/editing/removing entries from the list.
Filter List Definitions: The following definitions are helpful when interpreting the filter list entries:
• Mirrored: IP packets with source and destination addresses reversed will also match the filter.
• Description: Description of this filter. Note that the default filters for the NX Policy were created using the command-line tool “ipseccmd.exe,” and the description field was generated automatically. Do not change the description field if you plan to use ipseccmd.exe to manage the filter list later on. Use of ipseccmd.exe is covered at the end of this document.
• Protocol: Valid entries are TCP, UDP, ICMP, RAW, and Any. A selection of “Any” matches all IP protocols.
• Source Port: The TCP or UDP port of the sending side.
• Destination Port: The TCP or UDP port of the receiving side.
• Source Address: The IP address of the sending side. Enter an actual IP address, or choose “My IP Address” (the JACE-NX’s own address) or “Any IP Address.”
• Source Mask: The subnet mask, useful for filtering IP traffic to/from subnets.
• Destination Address: The IP address of the receiving side. Enter an actual IP address, or choose “My IP Address” or “Any IP Address.”
• Destination Mask: The subnet mask, useful for filtering IP traffic to/from subnets.
Filter Action—To associate an action with the filter, a Filter Action is configured. You can view/edit the actions by clicking the “Filter Action” tab of the “Edit Rule Properties” window (Figure 10). The possible actions are listed there; in addition, new filter actions may be added as required.
Figure 10
Filter Action tab of Edit Rule Properties dialog.
View or modify a filter action by highlighting the action and clicking the Edit button. This displays an action properties window. Figure 11 shows an example for the BACnet IP filter action. Figure 11
Action Properties for a filter action.
Actions available are “Permit,” “Block,” and “Negotiate security.” In the context of IPSec port filtering, the only actions that make sense are “Permit” and “Block.” In the default implementation of IPSec port filtering on the JACE-NX, only the “Block All” rule uses the block action. All other NX Policy rules use the “Permit” action.
NX Policy Implementation
The default NX policy (XP-SP1 OS image 1.17 or later) implements 9 rules as shipped from the factory. Additional rules can be added as necessary to open up additional ports. In addition, the existing rules can be modified as needed to close down ports for any unused features. The as-shipped policy implementation contains the following rules:
• SMTP Mail filter list
• Remote Desktop filter list
• NX Core filter list
• Legacy Time filter list
• ICMP Ping filter list
• HTTPS filter list
• DHCP filter list
• Block All filter list
• BACnet IP filter list
The following two sections each provide a table showing pre-configured rules:
• Default Rules as Shipped from Factory
• Optional Rules from “optionalLockdown.bat”
Instructions on how to implement the optional rules using a specially prepared batch file are covered in “Using optionalLockdown.bat,” page 33.
Default Rules as Shipped from Factory Table 3 lists default NX policy rules, for XP-SP1 OS versions 1.20 and later. For any JACE with OS image prior to 1.20, install the security update available on the Tridium secure we site. Table 3
NX Policy rules as for factory-shipped JACE-NX.
IP Filter List Rule/Name SMTP Mail
Remote Desktop
NX Core
Block All
mirrored protocol source port destination port source dns name source address source mask destination dns name destination address destination mask mirrored protocol source port destination port source dns name source address source mask destination dns name destination address destination mask mirrored protocol source port destination port source dns name source address source mask destination dns name destination address destination mask mirrored protocol source port destination port source dns name source address source mask destination dns name destination address destination mask
Filter Action
Parameters
Name
Parameter
Yes TCP ANY 25 0.0.0.0 255.255.255.255 Yes TCP ANY 3389 0.0.0.0 255.255.255.255 Yes TCP ANY 80, 3011 0.0.0.0 255.255.255.255 Yes ANY ANY ANY 0.0.0.0 0.0.0.0
SMTP Mail
Allow
Port 25: SMTP (simple mail transfer protocol). Starting in r2.3.5, it is possible for a station’s MailService to be configured for another (non-default) TCP port for SMTP. If so configured, edit the destination port (from 25) to match.
255.255.255.255 0.0.0.0 Remote Desktop
Allow
NX Core
Allow
Port 3389: Remote Desktop Connection (Terminal Services).
Port 80: HTTP and Niagara. Port 3011: Niagara Admin Tool.
255.255.255.255 0.0.0.0 Block All
Block
Associates any port/any protocol/any address with a “block” action. This has the effect of blocking all IP traffic. NOTE: This rule MUST be enabled at all times, only selected ports will be enabled by additional rules by associating specific ports/protocols with the “enable” action.
Engineering Notes: JACE-NX Windows XP Security NiagaraAX or Niagara r2.3.4 or later
Notes
Revised: October 25, 2005
29
Locking Down TCP/IP Ports and Protocols Locking Down Ports and Protocols if XP-SP1 JACE-NX
Table 3 NX Policy rules for a factory-shipped JACE-NX. (continued)

IP Filter List Rule/Name | Mirrored | Protocol | Source port | Destination port | Address / mask values (as listed) | Filter Action (Name / Parameter) | Notes
Legacy Time | Yes | TCP | ANY | 37 | 0.0.0.0, 255.255.255.255 | Legacy Time / Allow | Port 37: Internet Time Protocol Service.
ICMP Ping | Yes | ICMP | ANY | ANY | 0.0.0.0, 255.255.255.255 | ICMP Ping / Allow | ICMP: used for PING. If responses to pings are not desired, remove ICMP from the filter list.
HTTPS | Yes | TCP/UDP | ANY | 443 | 0.0.0.0, 255.255.255.255 | HTTPS / Allow | Port 443: HTTPS/SSL (secure web pages). Used only for Windows XP activation during factory configuration.
DHCP | Yes | UDP | ANY | 67, 68 | 0.0.0.0, 255.255.255.255 | DHCP / Allow | Ports 67, 68 (UDP): used for DHCP (Dynamic Host Configuration Protocol) IP address assignment.
BACnet IP | Yes | UDP | ANY | 47808 | 0.0.0.0, 255.255.255.255; 255.255.255.255, 0.0.0.0 | BACnet IP / Allow | If BACnet IP is not used in the station running on the JACE-NX, uncheck this rule. Also, an alternate UDP port for BACnet IP (other than the default 47808, hex BAC0) can be configured in the Niagara BACnetService. If an alternate BACnet IP port is configured, modify this rule to reflect the same port, using decimal notation.
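To make the interaction between the Block All rule and the Allow rules concrete, here is an added Python model of the Table 3 rule set (example code, not Tridium's and not the Windows IPsec engine). Windows IPsec applies the most specific matching filter, so the any/any Block All rule yields to a narrower Allow rule, and with Block All unchecked nothing is blocked at all; the weighting used below is a simplified model of that behaviour.

```python
"""Model of how the NX Policy rules in Table 3 resolve an inbound packet.

Added example for these notes; it is not Tridium's code and not the Windows
IPsec engine. Windows IPsec applies the most specific matching filter, so the
any/any "Block All" rule yields to a narrower Allow rule and, without Block
All, nothing is blocked at all. The weighting here is a simplified model.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

ANY: Tuple = ()  # empty tuple means "any protocol" or "any port"


@dataclass(frozen=True)
class Rule:
    name: str                   # IP filter list name from Table 3 / Table 4
    protocols: Tuple[str, ...]  # e.g. ("TCP",), ("TCP", "UDP"), or ANY
    dst_ports: Tuple[int, ...]  # destination ports, ANY for all
    action: str                 # filter action parameter: "Allow" or "Block"
    enabled: bool = True        # "uncheck this rule" sets this False

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocols and protocol not in self.protocols:
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True

    def specificity(self) -> int:
        # Narrower filters outrank broader ones: protocol+port (2) beats
        # protocol only (1), which beats the any/any Block All rule (0).
        return int(bool(self.protocols)) + int(bool(self.dst_ports))


def default_rules() -> List[Rule]:
    """The nine factory rules of Table 3 (XP-SP1 image 1.20 and later)."""
    return [
        Rule("SMTP Mail", ("TCP",), (25,), "Allow"),
        Rule("Remote Desktop", ("TCP",), (3389,), "Allow"),
        Rule("NX Core", ("TCP",), (80, 3011), "Allow"),
        Rule("Block All", ANY, ANY, "Block"),
        Rule("Legacy Time", ("TCP",), (37,), "Allow"),
        Rule("ICMP Ping", ("ICMP",), ANY, "Allow"),
        Rule("HTTPS", ("TCP", "UDP"), (443,), "Allow"),
        Rule("DHCP", ("UDP",), (67, 68), "Allow"),
        Rule("BACnet IP", ("UDP",), (47808,), "Allow"),
    ]


def uncheck(rules: List[Rule], name: str) -> List[Rule]:
    """Disable one rule, as when BACnet IP is not used by the station."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


def set_ports(rules: List[Rule], name: str, ports: Tuple[int, ...]) -> List[Rule]:
    """Retarget a rule, e.g. BACnet IP to an alternate UDP port (decimal)."""
    return [replace(r, dst_ports=ports) if r.name == name else r for r in rules]


def evaluate(rules: List[Rule], protocol: str,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (winning rule name, action) for an inbound packet.

    Raises if Block All is disabled, because the notes require it to be
    enabled at all times: without it every unmatched packet would pass.
    """
    enabled = [r for r in rules if r.enabled]
    if not any(r.name == "Block All" and r.action == "Block" for r in enabled):
        raise ValueError("NX Policy requires the Block All rule to be enabled")
    candidates = [r for r in enabled if r.matches(protocol, dst_port)]
    winner = max(candidates, key=Rule.specificity)  # Block All always matches
    return winner.name, winner.action


def exposed_ports(rules: List[Rule]) -> List[Tuple[str, int]]:
    """(protocol, port) pairs reachable under the policy, for an audit list."""
    out = []
    for r in rules:
        if r.enabled and r.action == "Allow":
            out.extend((p, port) for p in r.protocols for port in r.dst_ports)
    return sorted(out)


if __name__ == "__main__":
    # Site that does not use Legacy Time and runs BACnet IP on port 47809.
    policy = set_ports(uncheck(default_rules(), "Legacy Time"), "BACnet IP", (47809,))
    for proto, port in [("TCP", 80), ("TCP", 23), ("UDP", 47809), ("TCP", 37)]:
        print(proto, port, "->", evaluate(policy, proto, port))
    print("exposed:", exposed_ports(policy))
```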
Optional Rules from "optionalLockdown.bat"

None of the rules in Table 4 below are installed or enabled on an XP-SP1 unit by default. To install and enable a rule, edit and run the batch file "optionalLockdown.bat" located in C:\lockdown on the JACE-NX. For more information on doing this, see Procedure 13 on page 34.

Table 4 Optional rules implemented from "optionalLockdown.bat".

IP Filter List Rule/Name | Mirrored | Protocol | Source port | Destination port | Address / mask values (as listed) | Filter Action (Name / Parameter) | Notes
Internet Time | Yes | UDP | ANY | 123 | 0.0.0.0, 255.255.255.255 | Internet Time / Allow | Used by the Windows XP "Internet Time" function in "Date & Time" properties to synchronize to either a well-known NIST time server or Microsoft's time server. Used only if the JACE-NX is not on a domain or Active Directory structure (typically, a JACE is not installed as either). The JACE-NX requires Internet access to use this feature. NOTE: If the JACE-NX is using this feature, and its station has the Niagara TimeSyncService, that service should be enabled as a server only (not a client); otherwise there are potential time synchronization conflicts.
Modbus TCP | Yes | TCP | ANY | 502 | 0.0.0.0, 255.255.255.255 | Modbus TCP / Allow | Used by a station running ModbusTCPService.
FTP | Yes | TCP | ANY | 20, 21 | 0.0.0.0, 255.255.255.255 | FTP / Allow |
Telnet | Yes | TCP | ANY | 23 | 0.0.0.0, 255.255.255.255 | Telnet / Allow |
Table 4 Optional rules implemented from "optionalLockdown.bat". (continued)

IP Filter List Rule/Name | Mirrored | Protocol | Source port | Destination port | Address / mask values (as listed) | Filter Action (Name / Parameter) | Notes
BmsAdc Tunnel | Yes | TCP | ANY | 25020 | 0.0.0.0, 255.255.255.255 | BmsAdc Tunnel / Allow |
SNMP | Yes | UDP | ANY | 161 | 0.0.0.0, 255.255.255.255 | SNMP / Allow |
SNMP Trap | Yes | UDP | ANY | 162 | 0.0.0.0, 255.255.255.255 | SNMP Trap / Allow |
AreaDAT | Yes | UDP | ANY | 20028 | 0.0.0.0, 255.255.255.255 | AreaDAT / Allow |
Comfort Works / CWTunnel | Yes | UDP | ANY | 5005 | 0.0.0.0, 255.255.255.255 | CWTunnel / Allow |
Table 4 Optional rules implemented from "optionalLockdown.bat". (continued)

IP Filter List Rule/Name | Mirrored | Protocol | Source port | Destination port | Address / mask values (as listed) | Filter Action (Name / Parameter) | Notes
SQL | Yes | TCP, UDP | ANY | 1433 | 0.0.0.0, 255.255.255.255 | SQL / Allow |
DNS | Yes | TCP, UDP | ANY | 53 | 255.255.255.255, 0.0.0.0 | DNS / Allow | Opens the DNS ports for installations that use a DNS lookup name instead of an IP address, for example to resolve a mail server host. Note: This rule is included if the JACE-NX OS image is 1.21 or later, either Full XP or Emb XP. If your JACE-NX has an earlier OS image, you can download an updated batch file, "optionalLockdown.bat.new", from the Tridium secure website; it contains this rule. See the Note on page 34 for more details.
Adding Additional Rules to NX Policy

As shipped in an XP-SP1 JACE-NX, only the nine default rules shown in Table 3 on page 29 are implemented. To implement any of the additional rules (as shown in Table 4), you may use either of two methods:
• Use the Group Policy Editor (gpedit.msc), adding new IP Filter Lists and Filter Actions.
• Use the command line interface, "ipseccmd.exe". This command can be used in a batch file for batch processing of policy changes. In fact, a batch file has been included on the system drive to implement any or all of the policy rules identified in Table 4. See the next section, "Using optionalLockdown.bat."

Note
This document does not provide step-by-step instructions on using the Group Policy Editor (gpedit.msc), but its use is straightforward once you learn how IPSec policy works. The ipseccmd.exe command has a rather unwieldy syntax, but the commands to implement the optional policy rules have been included in the "optionalLockdown.bat" batch file. Using this batch file is the preferred method of implementing the optional rules.
Using optionalLockdown.bat

Any JACE-NX's system drive (C:) has a directory called "lockdown." This directory contains two (XP-SP2) or three (XP-SP1) files as shipped from the factory:
• ipseccmd.txt (XP-SP1 only): a text description of how to use ipseccmd.exe.
• lockdown.bat: the batch file executed at the factory (system installation time) that implemented the default set of Windows Firewall (XP-SP2) or NX Policy (XP-SP1) rules.
• optionalLockdown.bat: a batch file which you can first edit and then execute to implement additional (optional) firewall exceptions or ipseccmd rules, as needed for selected programs and Niagara drivers. See Procedure 13 below.

Note
Periodically, updates to optional lockdown rules for a JACE-NX may be made. Check the Tridium secure website, "Downloads\JACE_NP-NX_Security_Updates" folder, for possible updates.
Procedure 13
Using optionalLockdown.bat on a JACE-NX.
Step 1
Using either the local console or a Remote Desktop Connection, open a command window on the JACE-NX (click Start > Run…, type "cmd", then click OK). A command prompt window opens.
Step 2
Navigate to the C:\lockdown directory.
Step 3
Edit the file by typing "notepad optionalLockdown.bat" and pressing ENTER. The optionalLockdown.bat file opens in Notepad for editing. This batch file has several pre-edited command lines which have been commented out with the "rem" (remark) syntax.
Step 4
In the Notepad window, cursor down to the line in the file which contains the appropriate firewall (XP-SP2) or ipseccmd (XP-SP1) command line, and remove the leading "rem" from the line.
Note
Review all the firewall (XP-SP2) or ipseccmd (XP-SP1) command lines to be sure that only the ones which apply to this specific installation are uncommented. All lines which do not have "rem" at the beginning are valid command lines, and each will result in a new firewall exception (XP-SP2) or ipseccmd rule (XP-SP1).
Step 5
Save the file, and exit Notepad.
Step 6
Execute the saved file by typing "optionalLockdown" at the command line. Review the resulting text in the command line window to verify that the changes were applied.
Step 7
At this point, you may wish to confirm that the changes were applied to the Windows Firewall (XP-SP2) or NX Policy (XP-SP1).
– If an XP-SP2 JACE-NX, access the Windows Firewall. See Procedure 12 on page 19.
– If an XP-SP1 JACE-NX, see "Starting the Group Policy Editor," page 22.
Step 8
Test the application or driver to verify operation. If the driver does not work, you may wish to do the following, temporarily:
– If an XP-SP2 JACE-NX, turn Off the Windows Firewall.
– If an XP-SP1 JACE-NX, un-apply the "NX Policy" using the Group Policy Editor.
Remember to always turn On the Windows Firewall (XP-SP2) or re-apply the NX Policy before leaving the JACE-NX!
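The review in the Step 4 Note can be done mechanically before the batch file is run. The Python script below is an added example (not Tridium's batch file or tooling): it parses a constructed optionalLockdown.bat, reports which rule lines are active (not commented out with rem) and which ports they open, and flags any active line that is not on the site's approved list. The netsh lines follow the XP-SP2 Windows Firewall syntax; the ipseccmd line form (-r rule name, -f filter, -n PASS or BLOCK) is an assumption based on Microsoft's documentation of that tool, and the file contents are made up for the example.

```python
"""Reviewer for an optionalLockdown.bat-style batch file.

Added example, not the factory batch file. Procedure 13 has you uncomment
(remove the leading "rem") only the lines this installation needs, so this
script lists which rule lines are active, which ports/protocols they open,
and flags any active rule that is not on the site's approved list.
The netsh lines use XP-SP2 Windows Firewall syntax; the ipseccmd line form
(-r rule, -f filter, -n PASS|BLOCK) is assumed from Microsoft's
documentation of that tool. SAMPLE_BATCH is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

SAMPLE_BATCH = """\
rem Constructed sample of C:\\lockdown\\optionalLockdown.bat (not the real file)
rem --- XP-SP2 (Windows Firewall exceptions) ---
rem netsh firewall add portopening TCP 502 "Modbus TCP" ENABLE
netsh firewall add portopening UDP 123 "Internet Time" ENABLE
netsh firewall add portopening TCP 23 "Telnet" ENABLE
rem netsh firewall add portopening UDP 161 "SNMP" ENABLE
rem --- XP-SP1 (NX Policy via ipseccmd) ---
REM ipseccmd -w REG -p "NX Policy" -r "FTP" -f *+0:21:TCP -n PASS -x
ipseccmd -w REG -p "NX Policy" -r "BmsAdc Tunnel" -f *+0:25020:TCP -n PASS -x
"""

REM_RE = re.compile(r"rem\b", re.IGNORECASE)
NETSH_RE = re.compile(
    r'netsh\s+firewall\s+add\s+portopening\s+(TCP|UDP|ALL)\s+(\d+)\s+"([^"]*)"'
    r"(?:\s+(ENABLE|DISABLE))?", re.IGNORECASE)
IPSEC_RE = re.compile(
    r'ipseccmd\b.*?-r\s+"([^"]*)".*?-f\s+(\S+).*?-n\s+(PASS|BLOCK)', re.IGNORECASE)


@dataclass
class RuleLine:
    line_no: int
    active: bool    # True unless the line starts with "rem"
    tool: str       # "netsh" (XP-SP2) or "ipseccmd" (XP-SP1)
    name: str       # exception / filter list name
    protocol: str
    port: int
    action: str     # "ENABLE"/"PASS" open the port, "DISABLE"/"BLOCK" do not


def parse_batch(text: str) -> List[RuleLine]:
    """Extract every recognised rule line, commented or not, with its line number."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = bool(REM_RE.match(line))
        body = line[3:].strip() if commented else line
        m = NETSH_RE.search(body)
        if m:
            mode = (m.group(4) or "ENABLE").upper()
            found.append(RuleLine(no, not commented, "netsh", m.group(3),
                                  m.group(1).upper(), int(m.group(2)), mode))
            continue
        m = IPSEC_RE.search(body)
        if m:
            # -f spec such as *+0:25020:TCP: any address to "me" (0), port, protocol
            _addrs, port, proto = m.group(2).rsplit(":", 2)
            found.append(RuleLine(no, not commented, "ipseccmd", m.group(1),
                                  proto.upper(), int(port), m.group(3).upper()))
    return found


def open_ports(rules: List[RuleLine]) -> Set[Tuple[str, int]]:
    """(protocol, port) pairs that the active, port-opening lines would allow."""
    return {(r.protocol, r.port) for r in rules
            if r.active and r.action in ("ENABLE", "PASS")}


def review(text: str, approved: Set[Tuple[str, int]]) -> List[str]:
    """One finding per active line that opens a port the site has not approved."""
    findings = []
    for r in parse_batch(text):
        if r.active and r.action in ("ENABLE", "PASS") and (r.protocol, r.port) not in approved:
            findings.append(f'line {r.line_no}: "{r.name}" opens {r.protocol} {r.port} '
                            "but is not on the approved list; restore the leading rem")
    return findings


if __name__ == "__main__":
    approved_for_site = {("UDP", 123), ("TCP", 25020)}  # constructed site list
    for r in parse_batch(SAMPLE_BATCH):
        state = "ACTIVE " if r.active else "rem'd  "
        print(f"{state} line {r.line_no:2d} {r.tool:8s} {r.protocol:4s} {r.port:5d} {r.name}")
    for finding in review(SAMPLE_BATCH, approved_for_site):
        print("FINDING:", finding)
```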
Anti-Virus Software Notes

In general, any need for anti-virus software on a JACE-NX should be rare, as the JACE does not download files in normal operation. More important is the proper lock-down of IP ports and protocols, along with the installation of Microsoft security patches and service packs. However, installation of anti-virus software on any PC that transfers files to a JACE (Web Supervisor, Niagara Engineering PC) is strongly recommended. Exposure to computer viruses is greater for these PCs because in normal operation they often download files as e-mail attachments or from Internet browser activity.

If, after taking these measures, an anti-virus program is still desired on the JACE-NX, please be aware of the following:
• Installation of third-party software (e.g. an anti-virus program) on any JACE is complicated by the lack of a local CD drive, and one cannot be added by opening the cover without also voiding the JACE's warranty. Therefore, installation requires pointing to a "shared" CD drive across the LAN, using network shares expressly set up for this purpose, or first copying all needed installation files onto the JACE or to a USB drive.
• Unintended consequences of running other applications may result, the least of which are further resource loads on the CPU and RAM. In general, the only application a JACE should be running is Niagara. In particular, known problems with anti-virus applications may include any (or all) of the following:
– A need to be kept up-to-date with an associated "update service," which consumes processor CPU cycles, robs network bandwidth during downloads (competing with Niagara), and requires access to a server to obtain updates.
– Occasional reboots whenever the anti-virus software itself is updated.
– A management issue for keeping up-to-date, especially if not Internet-connected.
– A likely need to open additional TCP/IP ports for its update mechanism to work.
• A JACE-NX with Emb XP is an especially poor candidate for anti-virus software, as it lacks general Windows Installer support.
• Currently, no known issues exist with anti-virus protection interfering with JACE administration from the Niagara Admin Tool (Niagara module installations, upgrades, or station downloads). However, Niagara testing does not extend to scenarios involving anti-virus software.
Additional Information

There is a wealth of information available on the Microsoft web site, microsoft.com, and also on the Microsoft developer web site, msdn.com, about both Windows XP and Internet security. At the time of this document, the following links provide useful information:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;winxp (Windows XP main support page)
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017#1 (Ports and protocols used by Windows)

Also, the following related Niagara documents are available on the secure side of the tridium.com web site:
• JACE-NP Windows NT Security, Engineering Notes
• Niagara Networking and Connectivity Guide
• IT Manager's Frequently Asked Questions
Drive Image/ Windows Update History

These sections provide Windows XP information for JACE-NX hard drive images and any applicable updates.
• Drive Image Data
• Emb XP
• Full XP
• Document Updates

Drive Image Data

For any JACE-NX, the drive "Image" version is fixed at manufacturing time, and is visible (by default) in the "background info" (bginfo) in the lower right area of the JACE-NX's Windows desktop; see Figure 12. If a unit with Emb XP has previously had an update applied, an additional "Last Update" line will be present.

Figure 12 Locating drive image version number.
Figure 12 callouts:
– JACE-NX drive Image revision. This is fixed at "birth" and does not change, regardless of any subsequently applied updates.
– If an Embedded XP JACE-NX, and a Tridium-prepared update was applied, an additional line appears: "Last Update". This indicates the current equivalent OS image level in the JACE-NX (Emb XP only).
Emb XP

These subsections list details on Embedded XP drive images and available updates provided by Tridium.
• Emb XP Drive Image History
• Available NxXpEmb Updates

Emb XP Drive Image History

As this document is revised, Table 5 is updated to include later Emb XP drive images (NxXpe-n.nn).

Table 5 Emb XP JACE-NX drive images.

Image Revision | Date | XP Service Pack Level | Description / Notes
NxXpe-1.13 | November 3, 2003 | Service Pack 1 | Original XP Embedded drive image. First production image.
NxXpe-1.15 | November 13, 2003 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.16 | December 8, 2003 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.17 | January 5, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.18 | (not released to production) | |
NxXpe-1.19 | (not released to production) | |
NxXpe-1.20 | February 12, 2004 | Service Pack 1 | Updated with available Microsoft security patches. Starting with this image, the NX Policy update (Table 6) is not required to fix interstation links.
NxXpe-1.21 | May 14, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.22 | August 3, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.22a | August 12, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.23 | September 9, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-1.24 | October 26, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpe-2.02 | February 14, 2005 | Service Pack 2 | First Emb XP image with Service Pack 2. Updated with latest Microsoft security patches.
NxXpe-2.03 | April 14, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpe-2.03a | May 10, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpe-2.04 | May 24, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpe-2.05 | October 28, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
Available NxXpEmb Updates

As Tridium makes Windows XP updates available for the JACE-NX / Emb XP platform, this document is updated to list the update filename and release date. Note that JACE-NX Emb XP updates are divided into two groups, by XP service pack (SP) level:
• Emb XP-SP1 Updates
• Emb XP-SP2 Updates

Notes
• You cannot update an Emb-XP JACE-NX with an original SP1 drive image level (NxXpe-1.nn) to an SP2 level. The "Image" line in the drive image data area shows the original image version. Instead, you must install Emb XP-SP1 Updates, as they are issued.
• For the specific Microsoft hotfixes contained in any update, please see its included readme.txt file or companion Tech Tip document.
Emb XP-SP1 Updates

Table 6 lists Windows updates available for any JACE-NX running Emb XP-SP1 (Service Pack 1).

Caution
If any Emb XP-SP1 JACE-NX requires multiple updates, you must apply them chronologically, meaning oldest update first, newest update last. Failure to do this may result in older files overwriting newer patches. See "listUpdates," page 5, about a utility that helps determine what updates are already installed.

Table 6 Emb XP-SP1 JACE-NX updates available from Tridium secure web site.

Update File Name | Date | Applies to Image | Description
JACE-NX_Lockdown.bat.new | Feb. 5, 2004 | NxXpe-1.17 and before | (NX Policy update, for security lockdown.) Does not install Microsoft hotfixes, but fixes the interstation link problem. Note: Required for any pre-1.20 JACE-NX, regardless of whether any other update has been applied. This same file applies to both Emb-XP and Full-XP JACE-NX. See Tech Tip for information on downloading and installing this update on a JACE-NX.
NxXpeUpdate_Feb2004.exe | March 3, 2004 | NxXpe-1.17 and before | Various Microsoft security hotfixes.
optionalLockdown.bat.new | March 9, 2004 | NxXpe-1.20 and before | Allows addition of the DNS rule, useful if NxXpe-1.20 or earlier image (already included in OS 1.21 and later images). Useful only if the JACE-NX requires use of DNS. This same file applies to both Emb-XP and Full-XP JACE-NX. To use it, see the Note on page 34.
NxXpeUpdate_Apr2004.exe | April 27, 2004 | NxXpe-1.20 and before | Various Microsoft security hotfixes.
NxXpeUpdate_Jul2004.exe | July 26, 2004 | NxXpe-1.21 and before | Various Microsoft security hotfixes.
NxXpeUpdate_Aug2004.exe | August 12, 2004 | NxXpe-1.22 and before | Various Microsoft security hotfixes.
NxXpeUpdate_Sep2004.exe | September 21, 2004 | NxXpe-1.22a and before | Various Microsoft security hotfixes.
NxXpeUpdate_Oct2004.exe | October 26, 2004 | NxXpe-1.23 and before | Various Microsoft security hotfixes.
NxXpeUpdate_Feb2005.exe | February 15, 2005 | NxXpe-1.24 and before | Various Microsoft security hotfixes.
NxXpeUpdate_Apr2005.exe | April 15, 2005 | NxXpe-1.24 and before | Various Microsoft security hotfixes.
NxXpeUpdate_May2005.exe | May 25, 2005 | NxXpe-1.24 and before | Various Microsoft security hotfixes. Starting with this update, the listUpdates command is available.
NxXpeUpdate_Oct2005.exe | October 24, 2005 | NxXpe-1.24 and before | Various Microsoft security hotfixes.
Emb XP-SP2 Updates

Table 7 lists Windows updates available for any JACE-NX running Emb XP-SP2 (Service Pack 2).

Notes
• All Emb JACE-NXs with NiagaraAX shipped with XP-SP2.
• Unlike with Emb XP-SP1 updates, you cannot apply XP-SP2 updates out of sequence. For example, the "sp2_2.exe" update file will not install unless the "sp2_1.exe" update was previously applied.
• The listUpdates command is available after applying any XP-SP2 update.

Table 7 Emb XP JACE-NX updates available from Tridium secure web site.

Update File Name | Date | Applies to Image | Description
NxXpeUpdate_sp2_1.exe | April 15, 2005 | NxXpe-2.03 or earlier -2.0x | Various Microsoft security hotfixes.
NxXpeUpdate_sp2_2.exe | May 25, 2005 | NxXpe-2.03 or earlier -2.0x | Various Microsoft security hotfixes.
NxXpeUpdate_sp2_3.exe | October 24, 2005 | NxXpe-2.04 or earlier -2.0x | Various Microsoft security hotfixes.
Full XP

These sections list Full XP drive images, Tridium-available updates, and recommended Windows XP updates.
• Full XP Drive Image History
• Available Updates for Full XP
• Recommended Full XP (Windows XP) Updates

Full XP Drive Image History

As this document is revised, Table 8 is updated to include later Full XP drive images (NxXpFull-n.nn).

Table 8 Full XP JACE-NX Images.

Image Revision | Date | XP Service Pack Level | Description / Notes
NxXpFull-1.13 | November 3, 2003 | Service Pack 1 | Original image. First production image.
NxXpFull-1.15 | November 13, 2003 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpFull-1.16 | December 8, 2003 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpFull-1.17 | January 5, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpFull-1.18 | (not released to production) | |
NxXpFull-1.19 | (not released to production) | |
NxXpFull-1.20 | February 12, 2004 | Service Pack 1 | Updated with available Microsoft security patches. Starting with this image, the NX Policy update (Table 9) is not required.
NxXpFull-1.21 | May 14, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpFull-1.22a | August 3, 2004 | Service Pack 1 | Updated with available Microsoft security patches.
NxXpFull-2.01 | October 26, 2004 | Service Pack 2 | First release of XP-SP2 on a JACE-NX.
NxXpFull-2.02 | February 14, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpFull-2.03 | April 14, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpFull-2.04 | July 7, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
NxXpFull-2.05 | October 28, 2005 | Service Pack 2 | Updated with latest Microsoft security patches.
Available Updates for Full XP

Windows XP updates for any JACE-NX with Full XP must be obtained from Microsoft's Windows Update site; see the next section. However, Tridium may make other updates available, for example adjusting TCP/IP port and protocol "lock down" parameters. Table 9 lists updates that may apply to a Full XP-type JACE-NX.

Table 9 Full XP JACE-NX updates available from Tridium secure web site.

Update File Name | Date | Applies to Image | Description
JACE-NX_Lockdown.bat.new | Feb. 5, 2004 | NxXpFull-1.17 and before | (NX Policy update, for security lockdown.) Does not install Microsoft hotfixes, but fixes the interstation link problem. This same file applies to both Emb-XP and Full-XP JACE-NX. See Tech Tip for information on downloading and installing this update on a JACE-NX.
optionalLockdown.bat.new | March 9, 2004 | NxXpFull-1.20 and before | Allows addition of the DNS rule, useful if NxXpFull-1.20 or earlier image (already included in OS 1.21 and later images). Useful only if the JACE-NX requires use of DNS. This same file applies to both Emb-XP and Full-XP JACE-NX. To use it, see the Note on page 34.
Recommended Full XP (Windows XP) Updates

From Microsoft's Windows Update site, install any relevant (1) critical updates and service packs posted later than:
• If drive image NxXpFull-1.13: October 29, 2003.
• If drive image NxXpFull-1.15: November 11, 2003.
• If drive image NxXpFull-1.16: December 6, 2003.
• If drive image NxXpFull-1.17: January 2, 2004.
• If drive image NxXpFull-1.20: February 12, 2004.
• If drive image NxXpFull-1.21: May 12, 2004.
• If drive image NxXpFull-1.22a: August 1, 2004.
• If drive image NxXpFull-2.01: October 24, 2004.
• If drive image NxXpFull-2.02: February 12, 2005.
• If drive image NxXpFull-2.03: April 14, 2005.
• If drive image NxXpFull-2.04: July 7, 2005.
• If drive image NxXpFull-2.05: October 25, 2005.

Please see the section "Update Options if Full XP (NX-XP-FULL)," page 10 for more information.

(1) Some critical updates may not be relevant to a JACE-NX, for example KB810217 (posted December 5, 2003) concerning Microsoft FrontPage Server Extensions. If in doubt, you can download and install any critical update for Windows XP SP1.
Document Updates

Updates to this document are listed below.

Date | Update, Notes
November 21, 2003 | Initial document.
December 11, 2003 | Updated to include recent drive images, including hotfixes by Microsoft numbers. See Table 5 on page 36 and Table 8 on page 39. Also, new section "Document Updates," page 41.
February 23, 2004 | Added Caution about known interstation link issues if the JACE-NX has an OS Image prior to 1.20 (February 12, 2004). A separate Tech Tip is also available on this issue. A security update (fix) is available for download on the Tridium secure web site. Once this fix is installed, the (TCP/IP security) NX Policy in a JACE will have the same standard set of nine (9) rules as in JACEs with the newer 1.20 version of OS image. Related to this, the screen captures in the "Locking Down TCP/IP Ports" section have been updated to reflect these newer rules, as well as the tables that detail the standard and optional lockdown rules (Table 3 on page 29, and Table 4 on page 31). Updated Microsoft Hotfix data to be current with 1.20 drive image information, including hotfixes by Microsoft numbers.
March 9, 2004 | Updated concurrent with the first security update made available for Emb XP JACE-NX models, namely NxXpeUpdate_Feb2004.exe. Due to engineering changes, related procedures previously given were changed; see "Update Options if Embedded XP (NX-XP-EMB)," page 13, as well as all subsections. Other related changes occurred in sections "Drive Image Data" and "Emb XP Drive Image History," page 36. In addition, other new document sections were added or changed; see "Remote Desktop Connection," page 3, and "Methods to Transfer (Copy) Update Files," page 7. Of particular value is a subsection of the latter, namely "Using Remote Desktop Connection to Copy Files," page 8. Coverage of an "optional" lockdown rule (DNS rule) to permit DNS operation was added in Table 4 on page 31, mentioned in a Note on page 34, and also included in Table 6 on page 38 and Table 9 on page 40.
May 4, 2004 | Updated concurrent with the second security update made available for Emb XP JACE-NX models, namely NxXpeUpdate_Apr2004.exe, as well as 1.21 OS production images released for both OS types. Additions made in "Emb XP Drive Image History," page 36, "Available NxXpEmb Updates," page 37, "Full XP Drive Image History," page 39, and "Document Updates," page 41.
May 14, 2004 | Hotfix details given about the NxXpFull-1.21 image were incomplete (Table 8 on page 39); corrected the date given for downloading Microsoft updates for a NxXpFull-1.21 image JACE-NX ("Recommended Full XP (Windows XP) Updates," page 40). Updated hotfix details for the NxXpEmb-1.21 image (Table 5 on page 36).
February 17, 2005 | Document reworked to include or note differences between JACE-NX shipped with Windows XP SP1 and SP2 (Service Pack 1 or 2). Units with Full XP-SP2 began production in October 2004; units with Emb XP-SP2 began production in February 2005. Main differences in the document are in the following sections: "Device Update Agent—Theory of Operation," page 13, and "Locking Down Ports and Protocols if XP-SP2 JACE-NX," page 19. Specific listings of Microsoft hotfix numbers were dropped in all tables within the "Drive Image/ Windows Update History" section starting on page 36. Other entries in these tables were updated to be current with the latest history. Sections eliminated include "Summary Descriptions of Applied Microsoft Hotfixes" and the ending section "You can help make this document even better!" Note: As applies to Tridium-prepared Windows updates for Emb XP units, all contained Microsoft hotfixes are listed and summarized in a "readme.txt" file included in each update. Typically, each update spawns a companion Tech Tip document that also provides this same information.
October 25, 2005 | Emphasis continues about JACE-NX shipped with XP-SP2, with some sections reordered to describe XP-SP2 updates or port lockouts before XP-SP1 units. Various minor changes and notes as they apply to a JACE-NX that ships with NiagaraAX (vs. Niagara R2). New sections include "listUpdates," page 5, and "Using the NiagaraAX Platform's File Transfer Client," page 7. Updated tables in section "Drive Image/ Windows Update History," which list all drive images and (Emb XP) update files. Document coincides with release of security updates NxXpeUpdate_Oct2005.exe (Emb XP-SP1) and NxXpeUpdate_sp2_3.exe (Emb XP-SP2).