Server Group Policy
When the SCADA network uses Windows Active Directory, we recommend using Group Policies to apply global security settings to all server and client machines on the domain. This makes the network much easier to maintain and enhance, because changes do not have to be made manually on each individual machine.
Most, but not all, of the settings applied are available via local security policy, which could also be used for standalone machines that are not part of a domain. However, Group Policy provides the most manageable deployment solution for multiple machines across a network.
We recommend you consult local system administrators for the guidance needed to set this up. Various other options common to Server Group Policies will also need to be considered, depending on customer requirements. Some suggestions are provided below, but the list is not exhaustive.
- Disable LLMNR (Link-Local Multicast Name Resolution) using the setting 'Turn Off Multicast Name Resolution'
- Disable NBT-NS (NetBIOS Name Service)
- Disable WPAD (Web Proxy Auto-Discovery Protocol)
- Disable NTLMv1 Authentication
- Set the Windows Logon Cached Logons Count to zero (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount).
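To confirm that the suggested settings have actually reached a machine after the policy is applied, a read-only check such as the following can be run locally. This is an added example, not part of the original guidance: only the CachedLogonsCount path comes from the page, the other registry locations are the standard Windows ones for each setting, and the WPAD check assumes the WinHTTP DisableWpad value is the mechanism in use.

```powershell
# Added example: read-only audit of the settings listed above. Nothing is changed.
# Only the CachedLogonsCount path comes from the page; the other registry
# locations are the standard Windows ones for each setting (assumption).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Check {
    param([string]$Setting, $Value, [bool]$Compliant)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Compliant = $Compliant }
}

$results = @()

# LLMNR: 'Turn Off Multicast Name Resolution' writes EnableMulticast = 0.
$v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$results += New-Check 'LLMNR disabled' $v ($v -eq 0)

# NBT-NS: NetbiosOptions = 2 disables NetBIOS over TCP/IP, checked per interface.
$nicRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($nic in Get-ChildItem $nicRoot -ErrorAction SilentlyContinue) {
    $v = Get-RegValue $nic.PSPath 'NetbiosOptions'
    $results += New-Check "NBT-NS disabled ($($nic.PSChildName))" $v ($v -eq 2)
}

# WPAD: assumes the WinHTTP DisableWpad = 1 mechanism; sites may use another.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DisableWpad'
$results += New-Check 'WPAD disabled (WinHTTP)' $v ($v -eq 1)

# NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$results += New-Check 'NTLMv1 refused' $v ($v -ge 5)

# Cached logons: the value is stored as a string, so compare against '0'.
$v = Get-RegValue 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
$results += New-Check 'Cached logons count is zero' $v ($v -eq '0')

$results | Format-Table -AutoSize
```

A blank Value column means the registry value is not present on that machine, which the check reports as non-compliant.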