AVEVA™ PI Server Installation and Configuration (PI Server 2018)

PI AF security

  • Last Updated Oct 02, 2024

Here are some general recommendations for securing PI AF:

  • The SQL Server database engine should run as a low-privilege account. Some versions of SQL Server run this service under the Local System identity by default. However, we do not recommend using Local System. Instead, use the NetworkService or Local Service account, or create an account with limited privileges specifically for this purpose.

  • Do not grant administrator privilege to the identity under which the PI AF application service runs on any SQL Server instance.

    Note: By default, the PI AF installation configures the PI AF application service account to run as a virtual account, NT SERVICE\AFService, and configures SQL Server to grant minimal privileges to this login.

  • Do not run the PI AF application service under the Local System account, as that will typically grant it sysadmin privilege on any local SQL Server instances.

    The PI AF application service logs a warning message to the Windows AF event log if the service is running under an account or with an SQL Server login with unnecessarily high privileges.

  • Limit access to the AFService.exe.config file to authorized users. Use file and folder security to ensure that only users who are authorized to change this file can do so. Do this either by limiting who can log on to the PI AF server, or by setting a security descriptor on the AFService.exe.config file or its directory.

  • Disable xp_cmdshell and OLE Automation in SQL Server. Be aware that an attacker with sysadmin privileges can re-enable these features.

  • Make sure that the account that runs the SQL Server database engine does not have access to any Windows objects that it does not need to access (files, registry keys, other services, and so on).

  • Do not grant non-admin PI AF users any SQL Server access privileges on a PI AF SQL database.

  • For a full description of the account types that the PI AF application service supports, see Account types supported for the PI AF service.

  • See these Microsoft SQL Server Security documents for further information:

For additional information about PI AF security, see the PI System Explorer topic Security Configuration in PI AF.
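
The following T-SQL is an added example, not part of the AVEVA documentation, showing one way to audit and apply the SQL Server recommendations above. It assumes a sysadmin session on the instance that hosts the PI AF database and that the PI AF application service uses the default NT SERVICE\AFService login named in the note above.

```sql
-- 1. Which Windows account runs each SQL Server service?
--    Review the database engine row for Local System.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 2. Logins that hold the sysadmin server role. Neither the PI AF
--    service login nor NT AUTHORITY\SYSTEM should appear here.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Direct check: 1 = member, 0 = not a member, NULL = login not found.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'NT SERVICE\AFService') AS afservice_is_sysadmin,
       IS_SRVROLEMEMBER(N'sysadmin', N'NT AUTHORITY\SYSTEM')  AS localsystem_is_sysadmin;

-- 3. Current state of the two features (value_in_use = 1 means enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 4. Disable both. They are advanced options, so expose those first,
--    then hide them again once the change is applied.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Because a sysadmin can turn these features back on, the query in step 3 is worth running as a recurring check rather than once.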
