Install security certificate
PME is installed with a self-signed certificate, which is configured automatically during installation. We recommend that you replace it with a security certificate from a Certificate Authority (CA).
See Data encryption for information on data encryption, at rest and in transit, in PME.
Set up encrypted database communication for Distributed Database architectures
We recommend that the connections between PME and the SQL database server, in Distributed Database architecture installations, are encrypted using at least Transport Layer Security (TLS) 1.2. This requires a certificate from a public certification authority for the SQL Server computer and the configuration of both servers to use encrypted connections.
NOTE: Only the communication between the PME application server and the database server will be encrypted, not the data in the database.
NOTE: The use of self-signed certificates is supported but we recommend that you use a certificate from a certification authority.
High level configuration steps:
- Install a Server Authentication certificate from a public certification authority on the SQL Server computer.
- Take PME out of service by informing system users of the outage and disabling any automated system control or third-party interactions.
- Stop all PME services.
- Configure the SQL server to force encrypted connections.
- Configure PME to use encryption on database connections. See Configure database connection encryption for more information.
- Confirm that the PME application server computer can verify the ownership of the certificate used by the SQL Server computer.
- Restart PME, verify the correct operation of the system, and put the system back into service.
Detailed configuration information:
- See Enable Encrypted Connections to the Database Engine, a Microsoft document, for information on certificate requirements, as well as detailed installation and configuration instructions.
- See TLS 1.2 support for Microsoft SQL Server, a Microsoft document, for information on TLS 1.2 support in different versions of SQL Server.
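The following PowerShell script is an added example, not part of the PME documentation, for the verification step above: run it on the PME application server to confirm that it reaches SQL Server over TLS and that it can validate the server certificate. The server name is a placeholder.

```powershell
# Added example (not from the PME documentation): verify that the PME application
# server reaches SQL Server over an encrypted connection and that the server
# certificate chains to a trusted CA. Server name is a placeholder.
$server   = 'SQLSERVER01.example.local'   # placeholder: must match the certificate subject/SAN
$database = 'master'

# Encrypt=True requests TLS; TrustServerCertificate=False makes the client reject
# a certificate it cannot validate (untrusted issuer, name mismatch) instead of
# silently accepting it.
$connStr = "Server=$server;Database=$database;Integrated Security=True;" +
           "Encrypt=True;TrustServerCertificate=False"

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Ask SQL Server what it sees for this session: encrypt_option is 'TRUE'
    # only when the connection is actually protected by TLS.
    $cmd.CommandText = @"
SELECT c.encrypt_option, c.protocol_type, c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID
"@
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        [pscustomobject]@{
            Server        = $server
            EncryptOption = $reader['encrypt_option']
            Protocol      = $reader['protocol_type']
            AuthScheme    = $reader['auth_scheme']
        }
        if ($reader['encrypt_option'] -ne 'TRUE') {
            Write-Warning "Connection to $server is NOT encrypted; check the Force Encryption setting on the SQL Server."
        }
    }
}
catch [System.Data.SqlClient.SqlException] {
    # Typical failure when the app server cannot validate the certificate chain:
    # the fix is to trust the issuing CA on this computer, not to set
    # TrustServerCertificate=True.
    Write-Error "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

A result of EncryptOption = TRUE with no validation error confirms both that encryption is forced on the server and that the application server trusts the certificate.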
Configure application allowlisting software
Application allowlisting software, such as McAfee Application Control, is used to prevent unauthorized applications from running on your system.
When you deploy allowlisting software to help protect a system, it scans the system and creates an allowlist of all executable binaries and scripts present on the system. The allowlist also includes hidden files and folders.
The allowlist includes all authorized files and determines trusted or known files. In Enabled mode, only files that are present in the allowlist can execute. All files in the allowlist are protected and cannot be changed or deleted. An executable binary or script that is not in the allowlist is said to be unauthorized and is prevented from running.
Consider the following when using allowlisting software with PME:
- Complete the system configuration before setting up and enabling the allowlisting software.
- Any program or script that should be able to update the system will need to be configured as an updater.
- After solidification, no updates or extensions, such as add-on device drivers, may be installed.
- Disable the allowlisting software when making changes to the PME system. Enable it again after the change.
- Follow the instructions of the software vendor for installing, configuring, and operating the allowlisting software.
NOTE: Verify the correct operation of your PME system after you enable the allowlisting software.
Configure antivirus software on your SQL Server
We recommend that you run antivirus software on your SQL Server. Follow the recommendations described in Microsoft Support article (ID: 309422).
NOTE: Antivirus software can have a significant impact on system performance if it is not set up correctly. Consider the following:
- SQL Server performance can be affected if data and log files are not excluded from on-access scans.
- Special configuration of the antivirus software might be required.
- Follow the instructions of the software vendor for installing, configuring, and operating the antivirus and allowlisting software.
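The following PowerShell script is an added example, not part of the PME documentation, showing how to find the SQL Server data and log file locations and exclude them from on-access scanning. It assumes Windows Defender (Add-MpPreference); for another product, pass the same paths to that vendor's exclusion mechanism. The server name is a placeholder.

```powershell
# Added example (not from the PME documentation): list the SQL Server data and
# log file directories and add them as on-access scan exclusions. Assumes
# Windows Defender; server name is a placeholder. Run on the SQL Server computer.
param([switch]$Apply)   # without -Apply the script only reports what it would exclude

$server  = 'SQLSERVER01.example.local'   # placeholder
$connStr = "Server=$server;Database=master;Integrated Security=True;Encrypt=True"

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$paths = @()
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # sys.master_files lists every data (.mdf/.ndf) and log (.ldf) file of
    # every database, including tempdb, so no location is missed.
    $cmd.CommandText = 'SELECT physical_name FROM sys.master_files'
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $paths += $reader['physical_name'] }
}
finally { $conn.Dispose() }

# Reduce file names to their parent directories and de-duplicate.
$dirs = $paths | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique
# Also exclude by extension so files created later in other folders are covered.
$exts = 'mdf', 'ndf', 'ldf'

Write-Host 'SQL Server file directories to exclude from on-access scanning:'
$dirs | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    Add-MpPreference -ExclusionPath $dirs
    Add-MpPreference -ExclusionExtension $exts
    # Show the resulting exclusion lists for verification.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension
}
```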
Configure PME users and user groups
There are no pre-configured user accounts or user groups in a newly installed system. One supervisor account is created, with a user-defined password, during the installation of the software. Create additional user accounts and groups after installation. PME supports Windows users and groups for integration with Windows and Active Directory.
RECOMMENDATION: Use Windows users instead of standard users in your PME system to improve cybersecurity. Windows offers the advanced user management function of limiting the number of invalid login attempts. This function is required for IEC 62443 compliance, the global standard for industrial automation control system security.
For information on creating users and user groups, and on setting user access levels,
Customize user account privileges
You can configure user account privileges in Web Applications > Settings > Users > System Users > User Manager.
Restrict Windows login permissions for the PME server
We recommend that you restrict the Windows login permissions for the PME server computer to PME system administrators only. Preventing non-administrator users from logging into the server reduces the risk of unauthorized system changes and increases the cybersecurity of your system.
Change the SQL Server Express sa account password
If SQL Server Express is installed, with SQL Server authentication, through the PME installer, change the sa account password after the installation is complete.
Configure session timeout settings
You can configure session timeout settings in Web Applications > Settings > Security > Session Timeout. See Session timeout for information on this feature.
Configure system integration security settings
You can configure system integration settings in Web Applications > Settings > Security > Integrations. See System integration security for information on this feature.
Do not install or use a web browser on the server computer
Using a web browser on a server computer increases the vulnerability of the server and the network. Access PME web clients on client computers only, not on the server.
RECOMMENDATION: Remove the PME Web Applications shortcuts from the server.
Set up your network security
Set up the network security measures for your IT and device networks.
Disable unused IP ports
Disable or block IP ports that are not required for the operation of your system. See IP Ports for details on PME port requirements.
Disable unused hardware ports
Computer ports and inputs, such as USB ports or DVD drives, are not required for PME to function correctly. These inputs can be permanently disabled if necessary. The same applies to the AutoRun and AutoPlay functionality, which can also be disabled without affecting the operation of the software.