11. APPENDIX
11.2 Workstation Security Settings
Security Model Specific Permissions
Part of the installation of the Common Security Model is to set up permissions on some keys in the registry and directories in the file system. In
addition, it installs a base set of files, with defined permissions, that act as proxy access control lists (ACLs) for Experion LX objects and
functions that do not have an integral Windows ACL.
[Registry Permissions] Scope Product Admins
Engineer Supervisor Operator Ack View
HKLM\SOFTWARE\Honeywell (add) Key RW
Subkeys Full
HKLM\software\Clients\Mail (add - legacy) Key RW RW
Subkeys RW RW
[File System Permissions] Scope Product Admins
Engineer Supervisor Operator Ack View
%HwEngineeringData% (set) Folder RWX Full RX Full
Subfolders Full Full RX Full Full
%HwSecurityPath%\tpn_priority_two (add) file RX RX RX
%HwSecurityPath%\tpn_priority_three (add) file RX RX RX
%HwSecurityPath%\tpn_priority_four (add) file RX RX RX
%HwSecurityPath%\tpn_priority_five (add) file RX RX RX
%HwSecurityPath%\tpn_priority_six (add) file RX RX RX
%HwSecurityPath%\tpn_priority_seven (add) file RX RX RX
%HwSecurityPath%\tpn_priority_eight (add) file RX RX RX
%HwSecurityPath%\tpn_priority_nine (add) file RX RX RX
%HwSecurityPath%\tpn_priority_ten (add) file RX RX RX
%HwSecurityPath%\product admin (add) file RX
%HwSecurityPath%\engineer (add) file RX
%HwSecurityPath%\supervisor (add) file RX RX
%HwSecurityPath%\operator (add) file RX RX RX
%HwSecurityPath%\AckUser (add) file RX RX RX RX
%HwSecurityPath%\view only (add) file RX RX RX RX RX
%HwSecurityPath%\program (add) file RX
[File System Permissions] Scope Product Admins
Engineer Supervisor Operator Ack View
View Only
Local Servers
Windows Admin
Windows Users
SYSTEM Creator Owner
%HwSecurityPath%\checkpoint (add) file RX RX RX RX RX RX
%HwSecurityPath%\start (add) file RX RX RX RX RX RX
%HwSecurityPath%\shutdown (add) file RX RX RX
%HwSecurityPath%\shutdownforce (add) file RX RX RX
In the preceding table, strings between percent signs (%) represent system environment variables that may vary based on installation conditions. The default values for these are:
• %HwProgramData%: C:\ProgramData\Honeywell
• %HwEngineeringData%: C:\ProgramData\Honeywell\EngineeringData
• %HwProductConfig%: C:\ProgramData\Honeywell\ProductConfig
• %HwSecurityPath%: C:\ProgramData\Honeywell\ProductConfig\Security
Local Policy Settings
The following settings are applied via the SECEDIT.EXE command, using a template that is installed by the Workstation Security package.
In the following table:
Green cells indicate default settings that were modified for Experion LX per operating system.
Blue cells indicate settings on Experion LX that differ between Windows 7 and Windows Server 2008/2008 R2.
Local Policy Settings         Windows 7 for  Windows 7      Windows Server 2008/     Windows Server 2008/
                              Experion LX    defaults       2008 R2 for Experion LX  2008 R2 defaults
[System Access]
MinimumPasswordAge            0              0              0                        0
MaximumPasswordAge            -1             42             -1                       42
MinimumPasswordLength         0              0              0                        0
PasswordComplexity            0              0              1                        1
PasswordHistorySize           10             0              10                       0
LockoutBadCount               0              0              0                        0
RequireLogonToChangePassword  0              0              0                        0
ForceLogoffWhenHourExpire     0              0              0                        0
NewAdministratorName          Administrator  Administrator  Administrator            Administrator
ClearTextPassword             0              0              0                        0
LSAAnonymousNameLookup        0              0              0                        0
EnableAdminAccount            0              0              1                        1
EnableGuestAccount            0              0              0                        0
[Event Audit]
AuditSystemEvents             0              0              0                        0
AuditLogonEvents              2              0              2                        0
AuditObjectAccess             0              0              0                        0
AuditPrivilegeUse             0              0              0                        0
AuditPolicyChange             3              0              3                        0
AuditAccountManage            0              0              0                        0
AuditProcessTracking          0              0              0                        0
AuditDSAccess                 0              0              0                        0
AuditAccountLogon             2              0              2                        0
[Registry Values]
HKLM\software\microsoft\Ole\EnableDC "Y" "Y" "Y" "Y"
"10" "10" "10" "25"
HKLM\Software\Microsoft\Windows
"Important Notice:" "" "Important Notice:" ""
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
“Do not attempt to log on unless you are an authorized user”
“” “ Do not attempt to log on
HKLM\System\CurrentControlSet\Contr 1 1 1 1
[Privilege Rights]
SeNetworkLogonRight Everyone, Administrators, Users, Backup Operators
SeBackupPrivilege Administrators, Backup Operators Administrators, Backup Operators Administrators, Backup Operators Administrators, Backup Operators
SeChangeNotifyPrivilege Everyone, Local Service, Network Service, Administrators, Users,
SeSystemtimePrivilege Local Service, Administrators Local Service, Administrators Local Service, Administrators Local Service, Administrators
SeCreatePagefilePrivilege Administrators Administrators Administrators Administrators
SeDebugPrivilege Administrators Administrators Administrators Administrators
SeRemoteShutdownPrivilege Administrators Administrators Administrators Administrators
SeAuditPrivilege Local Service, Network Service Local Service, Network Service Local Service, Network Service Local Service, Network Service
SeIncreaseQuotaPrivilege Local Service, Network Service, Administrators
SeIncreaseBasePriorityPrivilege Administrators Administrators Administrators Administrators
SeLoadDriverPrivilege Administrators Administrators Administrators Administrators
SeLockMemoryPrivilege Local Servers Local Servers
SeBatchLogonRight Local Servers, Administrators, Backup Operators, Performance
SeServiceLogonRight Local Servers,*S-1-5-80-0 *S-1-5-80-0 Local Servers
SeInteractiveLogonRight Guest, Administrators, Users, Guest, Administrators, Administrators, Users, Administrators, Users,
SeSecurityPrivilege Administrators Administrators Administrators Administrators
SeSystemEnvironmentPrivilege Administrators Administrators Administrators Administrators
SeProfileSingleProcessPrivilege Administrators Administrators Administrators Administrators
SeSystemProfilePrivilege
SeAssignPrimaryTokenPrivilege Local Service, Network Service Local Service, Network Service Local Service, Network Service Local Service, Network Service
SeRestorePrivilege Administrators, Backup Operators Administrators, Backup Operators Administrators, Backup Operators Administrators, Backup Operators
SeShutdownPrivilege Local Engineers, Local
Supervisors, Product
SeTakeOwnershipPrivilege Administrators Administrators Administrators Administrators
SeDenyNetworkLogonRight Guest Guest Local Servers, Guest
SeDenyInteractiveLogonRight Local Servers, Guest Guest Administrators
SeUndockPrivilege Administrators, Users Administrators, Users Administrators Administrators
SeManageVolumePrivilege Administrators Administrators Administrators, Remote
Desktop Users
Administrators
SeRemoteInteractiveLogonRight Administrators, Remote Desktop Users
Administrators, Remote Desktop Users
Local Servers, Guest Administrators, Remote Desktop Users
SeDenyRemoteInteractiveLogonRight Local Servers, Guest Local Service, Network
Service, Administrators, Service
SeImpersonatePrivilege Local Service, Network Service, Administrators, Service
SeCreateGlobalPrivilege Local Service, Network Service, Administrators, Service
Local Service, Network Service, Administrators, Service
Users Local Service,
Network Service, Administrators, Service
SeIncreaseWorkingSetPrivilege Users Users Local Service,
Administrators
Users
SeTimeZonePrivilege Local Service, Administrators, Users
Local Service, Administrators, Users
Administrators Local Service, Administrators
SeCreateSymbolicLinkPrivilege Administrators Administrators [Version] Administrators
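Added example (not part of the original document or of the Workstation Security package): a Python check that compares the text of a policy export, in the INF format written by "secedit /export /cfg", against the "for Experion LX" values in the [System Access] and [Event Audit] rows above. The names win7 and server2008, the function names and the sample export are assumptions made for this example.

```python
# Values from the "for Experion LX" columns; PER_OS holds the two that differ by OS.
COMMON = {
    "System Access": dict(
        MinimumPasswordAge="0", MaximumPasswordAge="-1", MinimumPasswordLength="0",
        PasswordHistorySize="10", LockoutBadCount="0", RequireLogonToChangePassword="0",
        ForceLogoffWhenHourExpire="0", NewAdministratorName="Administrator",
        ClearTextPassword="0", LSAAnonymousNameLookup="0", EnableGuestAccount="0"),
    "Event Audit": dict(
        AuditSystemEvents="0", AuditLogonEvents="2", AuditObjectAccess="0",
        AuditPrivilegeUse="0", AuditPolicyChange="3", AuditAccountManage="0",
        AuditProcessTracking="0", AuditDSAccess="0", AuditAccountLogon="2"),
}
PER_OS = {"win7": dict(PasswordComplexity="0", EnableAdminAccount="0"),
          "server2008": dict(PasswordComplexity="1", EnableAdminAccount="1")}

def baseline(os_name):
    """Expected settings for 'win7' or 'server2008' (names chosen for this example)."""
    expected = {sec: dict(keys) for sec, keys in COMMON.items()}
    expected["System Access"].update(PER_OS[os_name])
    return expected

def parse_inf(text):
    """Parse secedit INF text into {lowercased section: {lowercased key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.lstrip("\ufeff").splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def drift(inf_text, os_name):
    """List (section, key, expected, actual) per mismatch; actual is None when absent."""
    actual, rows = parse_inf(inf_text), []
    for sec, keys in baseline(os_name).items():
        for key, want in sorted(keys.items()):
            got = actual.get(sec.lower(), {}).get(key.lower())
            if got != want:
                rows.append((sec, key, want, got))
    return rows

def sample_export():
    """Constructed export text (not from a real system): win7 baseline, two values drifted."""
    cfg = baseline("win7")
    cfg["System Access"]["PasswordHistorySize"] = "0"  # back at the Windows 7 default
    cfg["Event Audit"]["AuditLogonEvents"] = "0"       # logon auditing turned off
    body = "".join(f"[{sec}]\r\n" + "".join(f"{k} = {v}\r\n" for k, v in kv.items())
                   for sec, kv in cfg.items())
    return "\ufeff[Unicode]\r\nUnicode=yes\r\n" + body
```

Calling drift(sample_export(), "win7") returns the two drifted settings with their expected and actual values. Exports written by secedit are typically UTF-16, so decode the file before passing its text to drift.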