
PI Universal Interface UniInt Framework

Security requirements and best practices for interfaces


  • Last Updated Apr 03, 2023

Interface installation requires an administrator account for the following tasks:

  • Installing the interface software

  • Creating the interface service account

  • Creating, editing, and removing the interface service

  • Adding, updating, and removing performance counters

Caution: Except for interfaces that are included with Data Archive, OSIsoft discourages installing interfaces on the Data Archive machine. Interface installations on the Data Archive machine automatically default to the piadmin super-user or the piadmins group, which have high-level privileges and can expose your system to security risks.

When interfaces are configured to run as a service, the account type used to run the service depends on the interface. Use an account with the lowest-level privilege required to run the interface.

Most interfaces based on UniInt version 4.6 or later do not need administrator privileges to run. Security best practices for running the interface using the least-privileged account apply to interfaces based on versions of UniInt earlier than 4.6, but this document only discusses security as it applies to UniInt version 4.6 and later.

Caution: Running interfaces with accounts that have high-level privileges can expose your system to security risks. Secure your system using accounts with the lowest-level privilege required to run the interface, and limit the access rights of the account if possible.

In some cases, the interface service account privileges can be restricted to limit file, folder, and registry key access. Virtual service accounts, managed service accounts, non-administrator domain service accounts, and non-administrator local service accounts are the best options for limiting service account permissions.

In certain use cases, access can be restricted. Restrictions for an interface should focus on the data source and the \Program Files (x86)\PIPC\ directory on the machine. Restrict access to an interface based on the level of security needed to interact with the data source. Standard PI Interfaces do not need access to the registry. Folder and file access for an interface should be limited to the PIPC folder and the interface folder contained within it.

File system access should be determined on an as-needed basis. If you are using an interface feature that requires reading from or writing to a file, you must give the interface service the needed access to that file. Registry access should normally be read-only because performance counters are now created during the interface service creation process. All modifications to performance counters must be done by an administrator, using either the ICU or the service editing command line options. Interface services are no longer required to start as an administrator in order to obtain the interface's performance counters.

Read access to the .bat file and its directory is the minimum file and registry access required to run the interface. The following access is needed for writing to files and folders:

  • If the interface is using failover, then the interface will need read/write access to the failover sync file.

  • If the interface is using disconnected startup, then the interface will need read/write access to the Disconnected Start cache sync file.

  • If the interface creates or uses its own files and moves these files between folders, the interface will need access to the base location for these actions.

You will also need PI Data Archive access for the interface and security permissions on the PI points.

The virtual account permissions on a service allow the service to access a local machine in the same way it would access any other basic machine. A service that runs using a virtual account can access network resources by using the identity and credentials of the local computer account. A virtual account is designed to eliminate the overhead of password management for services that only need resources on their local machine. An account running a service should not be affected during an interface upgrade.

Note: If an interface has been upgraded using the Local System account for its services, you should consider modifying the account being used to run the service. Local System gives a service the highest level of administrative privileges on a machine and is a security vulnerability.
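The Local System note and the file-access requirements above can be checked and applied from an elevated PowerShell session. This is an added example, not OSIsoft's own tooling. The service name `PIExample1`, the interface folder and the sync file paths are hypothetical placeholders, and it assumes the interface executables live under the PIPC directory and that the service runs under its virtual account.

```powershell
# Added example: audit PI interface service accounts, then grant only the file
# access described above. All names and paths below are hypothetical placeholders.
$PipcRoot     = Join-Path ${env:ProgramFiles(x86)} 'PIPC'
$ServiceName  = 'PIExample1'                              # hypothetical interface service
$Account      = "NT SERVICE\$ServiceName"                 # virtual account for that service
$InterfaceDir = Join-Path $PipcRoot 'Interfaces\Example'  # hypothetical folder holding the .bat file
$SyncFiles    = @('D:\PISync\Example_failover.dat',       # hypothetical failover sync file
                  'D:\PISync\Example_cache.dat')          # hypothetical disconnected-startup cache file

# 1. Audit: every service whose executable lives under PIPC, with its logon account.
$audit = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$PipcRoot*" } |
    ForEach-Object {
        [pscustomobject]@{
            Service = $_.Name
            Account = $_.StartName
            # Local System is the case the note above says to move away from.
            Finding = if ($_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
                          'Runs as Local System'
                      } else { 'Review: confirm non-administrator account' }
        }
    }
$audit | Sort-Object Finding, Service | Format-Table -AutoSize

# 2. Grant read-only access to the interface folder (and the .bat file inside it).
if (Test-Path -LiteralPath $InterfaceDir) {
    icacls $InterfaceDir /grant "${Account}:(OI)(CI)R"
}

# 3. Grant read/write only on the specific sync files the enabled features use.
foreach ($file in $SyncFiles) {
    if (Test-Path -LiteralPath $file) {
        icacls $file /grant "${Account}:(R,W)"
    } else {
        Write-Warning "Skipped (not found): $file"
    }
}

# 4. Show the resulting ACL so it can be reviewed.
icacls $InterfaceDir
```

The audit step only reads service configuration; the `icacls` steps change ACLs and should be limited to the files that the enabled interface features actually use.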
