Hi PI Community,
As we all know, protecting assets such as the PI System and its perimeter against malicious activities and incidental misconfigurations can be a full time job. Many industry standards, good practice guides, support KBs, and system utilities are available to help you with related tasks. However until now there hasn’t been a simple and supported baseline approach for modern PI Systems.
Today, we are proud to publish a new tool and framework as a major step forward in PI System security. The tool is freely available and is open for community collaboration in its ongoing development.
You are invited to browse details contained in this post for more information about using the tool and how you can contribute.
Also as a teaser for the upcoming vCampusLive! 2013 conference set for December, get ready to compete for prizes by discovering and fixing security issues in several PI System at the vCampusLive! 2013 conference. Bonus points will be awarded for the development of automated routines derived from this detect and fix scenario using the tool framework. We hope to see you there!
Security configurations for PI Systems can be complex. Chronic factors such as limited resources, competing priorities, and technology churn add to the challenge. However to do nothing leaves systems vulnerable to intellectual property losses and trade secrets stolen, productivity loss or unexpected downtime caused by malicious changes on industrial and/or business systems around the PI System. Part of good defense practice is to evaluate risk posed by our assets and their use in line with our reality.
How do we evaluate the risk? We need to get actionable information that you can analyze according to your operational reality. This information is collected and measured through an audit of settings and analysis of the system environment. All options must be analyzed for minimizing any entry points to possible attackers. The audit needs to be performed not once but regularly to see how the “system” evolves.
A baseline data collection must be completed for comparison to improve the detection methodology. Currently the PI System has many tools that expose internal settings such as the piconfig.exe, pidiag.exe, PI System Management Tools, afdiag.exe, piversion.exe et al. but it can be tedious to analyze the generated amount of information on a regular basis and correlate appropriately. No other conclusion could be drawn; we need one easy extendable tool to baseline the security configuration of a PI System.
Premises of the tool
What should be the scope and premises of this tool to deliver the mission of generating a baseline of the security configuration of a PI System?
This tool would need to be focus on being able to repeat the process of “baselining” the PI System security configuration again and again. This tool would need to be easy to utilize and free. Its features would be extendable by everyone by submitting ideas and enhancement requests within the community or by developing the features yourself and submit them back to the community. If not needed, it can be used directly without any changes.
PI System Audit Module
OSIsoft has put together a free and simplified tool framework to baseline the security configuration of your PI System for which you can contribute to its development (via crowdsourcing) under the Cyber Security forum at OSIsoft Users Community. This tool framework is built as a PowerShell module containing commands (named command-lets or cmdlets) to perform different calls to collect the data from the security settings of different requested PI System components.
A series of PowerShell script files (*.psm1) form a single module named PI System Audit Module (or PISysAudit Module) once loaded. You will find one core script containing the collection logic and four library scripts containing the validation logic for different topics such as best practices to harden a computer, a PI Server, etc. The module exposes several cmdlets either used for the internal logic or the external interface with the end-user.
If you don’t know PowerShell yet, read the section Extra at the end of this post to get a better idea.
The PI System Audit Module (PISysAudit) requires PowerShell version 2 and later, it can be executed locally or remotely and make use of existing command line utilities to perform many tasks. This allows being compatible with many versions of the PI System.
The PISysAudit module does not require installation; you only need to decompress the package file available with this post where you want. You will need to import the module whenever you need it from the location you would have selected. The file structure is the following:
- bin = Contains command line utilities or PS scripts needed by the PS module
- bin\pisysaudit = Contains the PS module definition
- export = Contains the generated reports
- pwd = Contains saved password files using strong encryption
The current version of the PISysAudit module implements 16 validations covering machine, PI Server, PI AF Server and SQL Server best practices with the PI System.
|AU10001||Domain Membership Check||Moderate|
|AU10003||Validate if Windows firewall is enabled||Moderate|
|AU20001||PI Data Archive Table Security||Moderate|
|AU20002||PI Admin Trusts Disabled||Severe|
|AU20003||PI Data Archive Subsystem Version||Severe|
|AU20005||Auto Trust Configuration||Moderate|
|AU20006||Expensive Query Protection||Severe|
|AU30001||PI AF Server Service Account||Severe|
|AU30002||Impersonation mode for AF Data Sets||Low|
|AU30003||PI AF Server Service Access||Severe|
|AU40001||SQL Server xp_CmdShell||Severe|
|AU40002||SQL Server Adhoc Queries||Severe|
|AU40003||SQL Server DB Mail XPs||Severe|
|AU40004||SQL Server OLE Automation Procedures||Severe|
Get it Started!
You need to import this module within the PS session you have opened. You simply need to invoke the Import-Module cmdlet with the path up to the PISYSAUDIT folder where you have decompressed the package.
For example, if you have decompressed the package inside your user folder (C:\users\mhamel\document\pisysaudit v220.127.116.11), you need to import the module the following:
Import-Module “C:\users\mhamel\document\pisysaudit v.18.104.22.168\bin\pisysaudit”
$modulePath = “C:\users\mhamel\document\pisysaudit v.22.214.171.124\bin\pisysaudit” Import-Module $modulePath
The audit is launched with the New-PISysAuditReport cmdlet (or you can use the alias: piaudit). Two examples are provided below to help you.
This example shows how to launch the audit with all PI Server, AF Server and SQL Server components installed locally. It makes use of all default parameters of the command.
This example shows how to launch the audit with two PI Servers, one AF Server and one SQL Server components installed on different machines than the one used to launch the script. It makes use of all
$cpt = piauditparams $null "Computer1" "PIServer" $cpt = piauditparams $cpt "Computer2" "PIServer" $cpt = piauditparams $cpt "Computer3" "PIAFServer" $cpt = piauditparams $cpt "Computer4" "SQLServer" -InstanceName "sqlexpress" piaudit -cpt $cpt
You get more details by invoking the help with the Get-Help cmdlet like the following:
You can also find several examples of commands and syntaxes for this module within examples.ps1 file.
License of Use
The code you author will be made available under a less-restrictive public license (MS-PL). More information about this license can be found at http://www.microsoft.com/en-us/openness/licenses.aspx.
We hope to see you using it and start collaboration throughout the forum. Please comment or create a new discussion to exchange informations with other members about the tool, how it can be improved, and even submit changes you have applied to the framework. You simply need to attach a compressed folder containing the tool to your post for a valid submittal. OSIsoft will take a look at the review before releasing changes and sign the PISysAudit module to comply with our standards and allow it to be used with a whitelisting approach.
Remember, you can compete for prizes by discovering and fixing security issues in several PI System at the vCampusLive! 2013 conference. Any work associated with the PISysAudit framework tool could gain you bonus points in this security related hack-a-thon.
Mathieu Hamel, OSIsoft vCampus team member
The tool is attached at the end of this post.
What is PowerShell? Windows PowerShell is Microsoft's task automation framework, consisting of a command-line shell and associated scripting language built on top of .NET Framework. PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Windows PowerShell is an extendable command shell and scripting language which can be used to manage/administer server environments like Windows Server, Exchange, Azure, SQL Server, SharePoint and many others.
PowerShell (PS) was selected as a framework for the tool for these reasons:
- Far more secure than Microsoft’s previous technologies (such as DCOM)
- “Remoting” capabilities
- Easy to learn
- Cost of starting is pretty low
- Multi-tier access from a single location
- Meant for administration
- Microsoft is building PowerShell into all of its products