
AVEVA™ Work Tasks

Best Practices for Securing AVEVA Work Tasks

  • Last Updated: Jun 06, 2024

Introduction

Security is a core functional requirement that protects critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.

This document provides best practices that help you define the security practices, policies, and processes for your organization, so that data and assets are protected while using AVEVA Work Tasks.

  • Securing Application Websites

  • Securing Data

  • Securing Ports

  • Securing Access using Users and Roles

  • Securing Application Configuration

  • Securing Webservers

  • Managing List Data

Securing Application Websites

Use of https

Central Configuration and Enterprise Console of AVEVA Work Tasks are web-based applications.

  • Central Configuration is meant only for administration purposes. However, any user can access it if it is not protected. Therefore, Central Configuration needs to be protected by securing the sites.

  • Enterprise Console is meant to be used by various users. However, it can also be accessed through the internet. Therefore, Enterprise Console needs to be protected.

  • Use a standard SSL certificate instead of a self-signed SSL certificate.

  • AVEVA Work Tasks supports TLS version 1.2.

Securing Sessions

  • Use Auto log off to secure sessions.

Ways to Minimize Security Threats

  • Use ‘https’ to host Enterprise Console.

  • Use SSL certificates.

  • Encrypt AppSettings in the web.config file for Central Configuration and Enterprise Console.

    Note: If you want to edit the values in the web.config file, run the Command Prompt as an Administrator and change to the directory C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319.

    For example,

    To decrypt the value, type
    aspnet_regiis -pd "<place holder for section name>" -app "/<place holder for application name>" -site <place holder for site number>

    To encrypt the value, type
    aspnet_regiis -pe "<place holder for section name>" -app "/<place holder for application name>" -site <place holder for site number> -prov "DpapiProtectedConfigurationProvider"

    where
    <place holder for section name> is the section of the web.config file to be encrypted or decrypted
    <place holder for application name> is the application name (e.g. CentralConfig, EnterpriseConsole)
    <place holder for site number> is the number of the site to which AVEVA Work Tasks is bound (e.g. the site number is 2 for Enterprise Console)

    For more information, refer to Protected Configuration Provider.
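
One way to confirm the result of the encryption step above is to inspect the section in web.config. The following PowerShell is an added example, not AVEVA's own code; the function name Get-SectionProtection and the two sample documents are constructed for illustration.

```powershell
# Added example (not vendor code): classify a web.config section as
# encrypted or cleartext. Function name and samples are hypothetical.
function Get-SectionProtection {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [string] $SectionName = 'appSettings'
    )
    # local-name() keeps the lookup working when the file declares an XML namespace.
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='$SectionName']")
    if ($null -eq $section) { return 'SectionMissing' }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $plainKeys = $section.SelectNodes("*[local-name()='add']").Count

    # aspnet_regiis -pe replaces the <add> entries with one <EncryptedData>
    # element and records the provider name on the section element.
    if ($provider -and $null -ne $encrypted -and $plainKeys -eq 0) {
        return "Encrypted ($provider)"
    }
    return "Cleartext ($plainKeys readable keys)"
}

# Constructed sample: section before encryption.
$before = @'
<configuration>
  <appSettings>
    <add key="SampleKey" value="sample-value" />
  </appSettings>
</configuration>
'@

# Constructed sample: section after encryption (cipher text is a placeholder).
$after = @'
<configuration>
  <appSettings configProtectionProvider="DpapiProtectedConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
'@

Get-SectionProtection -Config $before
Get-SectionProtection -Config $after

# Against a deployed site (the path is a placeholder):
# Get-SectionProtection -Config (Get-Content -Raw '<path to site>\web.config')
```

Run the check for both Central Configuration and Enterprise Console after every edit, because a section that was decrypted for editing stays readable until it is encrypted again.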

Securing Data

Eliminating Database Security Threats

AVEVA Work Tasks is a highly database-dependent application. The back-end database is SQL Server.

  • Protect the database with proper security measures.

  • Keep periodic backups for any eventuality.

Ways to Minimize Security Threats on Database

  • Protect the database server with limited access.

  • Limit database access rights to authorized users only.

  • Provide only required rights to the maintenance team.

Securing Ports

Eliminating Threat on Ports

The AVEVA Work Tasks application depends on certain ports for communication. The system uses TCP/UDP for communication. Packets of data move from or towards these ports.

Hackers are constantly trying to discover new ways to connect to machines so that they can install backdoors for later re-entry, trojans to collect financial details, or botnet clients.

There are different kinds of threats, such as denial of service, man-in-the-middle attacks, and so on. The entry point for each of these attacks is a port.

Therefore, protecting these ports without affecting the functionality is the responsibility of the user.

Ways to Minimize Threat on Ports

  • There are multiple ways to minimize threats on ports. These details are not in the scope of this document. It is recommended to refer to industry-standard mechanisms to minimize the threats on ports.

Note: For more information about the ports used by the system, refer to the ‘Setting up Ports’ section in the Administrator Guide.

Securing Access using Users and Roles

Eliminating Unauthorized Access

AVEVA Work Tasks provides authorization to secure data on every level. You can protect data with proper authorization.

Forms customization through scripting can introduce security vulnerabilities if the end users who author those scripts are unfamiliar with secure coding principles or are acting maliciously. The Forms Designer permission role should be assigned only to users who are trusted not to abuse the system and are familiar with secure coding principles.

Ways to Secure Access

  • Provide only the appropriate access to different users based on their usage.

  • Provide role-based access to features.

Note: For security-related information, refer to the 'Security Framework' section in the User Guide.

Securing Application Configuration

Eliminating Threats on Application Configuration

Farm Configuration is the base configuration for AVEVA Work Tasks. Ensure that the system and the access to configuration are protected by providing access to the Farm Configuration only to Administrators.

Ways to Protect Farm

  • Ensure that the system can be accessed only by authorized users with Administrative privileges.

Ways to Protect Enterprise Console

  • Use the Active Directory provider or AIM configured with an appropriate policy instead of the AVEVA Work Tasks Repository provider.

Securing Webservers

To improve the security of the AVEVA Work Tasks web servers, disable the weak ciphers and protocols.

You can use the tool IIS Crypto for enabling/disabling the protocols and weak ciphers. You need to restart the webserver after making the changes.

It is recommended to enable the following protocol and ciphers:

  • Protocol - TLS 1.2 for server and client

  • Ciphers - AES 128, AES 256

    Note: Assess the system for any impact on the other running applications before you enable/disable the protocols and ciphers.
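
To record the current state before and after changing these settings, the Windows SCHANNEL registry keys that hold protocol and cipher switches can be read directly. The following PowerShell is an added example, not code from AVEVA or IIS Crypto; it only reads values, assumes the standard SCHANNEL key layout, and marks the entries this page recommends while listing everything else for review.

```powershell
# Added example (not vendor code): read-only report of SCHANNEL protocol and
# cipher switches. Function names are hypothetical.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Entries recommended on this page: TLS 1.2 (server and client), AES 128, AES 256.
$recommended = @(
    'Protocols\TLS 1.2\Server', 'Protocols\TLS 1.2\Client',
    'Ciphers\AES 128/128', 'Ciphers\AES 256/256'
)

function Get-SchannelState {
    param($Key)   # an open RegistryKey, or $null when the key does not exist
    if ($null -eq $Key) { return 'NotConfigured (OS default applies)' }
    $enabled = $Key.GetValue('Enabled', $null)
    if ($null -eq $enabled) { return 'NotConfigured (OS default applies)' }
    if ($enabled -eq 0) { return 'Disabled' }
    return 'Enabled'   # any non-zero DWORD, including 0xffffffff
}

function Get-SchannelReport {
    # The .NET registry API is used because cipher key names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $hklm  = [Microsoft.Win32.Registry]::LocalMachine
    $names = @($recommended)   # always report these, even if the keys are absent

    $protocols = $hklm.OpenSubKey("$root\Protocols")
    if ($protocols) {
        foreach ($p in $protocols.GetSubKeyNames()) {
            $names += "Protocols\$p\Server"
            $names += "Protocols\$p\Client"
        }
        $protocols.Close()
    }
    $ciphers = $hklm.OpenSubKey("$root\Ciphers")
    if ($ciphers) {
        foreach ($c in $ciphers.GetSubKeyNames()) { $names += "Ciphers\$c" }
        $ciphers.Close()
    }

    foreach ($n in ($names | Sort-Object -Unique)) {
        $key = $hklm.OpenSubKey("$root\$n")
        [pscustomobject]@{
            Setting     = $n
            State       = Get-SchannelState $key
            Recommended = ($n -in $recommended)
        }
        if ($key) { $key.Close() }
    }
}

Get-SchannelReport | Format-Table -AutoSize
```

Registry changes to these keys take effect after the restart mentioned above, so run the report again once the web server is back up.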

Managing List Data

Eliminating threats on List Data

AVEVA Work Tasks provides List infrastructure to store data. Sensitive data can also be stored in the Lists. However, protecting this sensitive data is the responsibility of the organization and is important based on the business scenario.

  • Protect sensitive and confidential information using adequate measures.

Ways to protect sensitive information

  • Use password characters to show sensitive information.

  • Enable audit trail to track repudiation.

Enhancing Security for Service Bus of Notification Bus

You can enable enhanced security for Azure Connections to enforce additional security at the service bus level.

For more information about enabling enhanced security, see Enabling Enhanced Security.

Conclusion

Ensure that the organization takes adequate measures to:

  • Protect against information loss or leakage.

  • Secure data, resources, and application.

Key Points

Ensure the following:

  • Use https to host Enterprise Console.

  • Protect the database with proper security measures.

  • Provide role-based access to features.

  • Protect the ports.

  • Protect the system where services are running.

Enhancing Security of AVEVA Work Tasks Client Service running as Local System

AVEVA Work Tasks Client Service runs as Local System and has higher privileges. It is used for:

  • Quickflow configuration and deployment

  • Service monitoring

  • Package installation

To secure and run Client Service with the least privileges, you need to elevate the permissions through security settings for the Client Service.

To elevate the Client Service to run as Network Service:

  1. Run the following command in the Command Prompt:

    netsh http add urlacl url=http://machinename:8863/ user="NT AUTHORITY\NETWORK SERVICE"

  2. Restart the Client Service.

    Note: You cannot configure and deploy Quickflow, perform Service Monitoring (or start other services), or import and install the package if the Client Service is running as Network Service.

Improper Access Control List (ACL) in Custom Installation

If AVEVA Work Tasks is installed in a custom path, the installation folder will inherit the access control restrictions of the Program Files folder.

As a best practice to maintain security:

  • Use the default path for installation.

  • Set the ACL if a custom path is used for installation.
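
Before and after setting the ACL on a custom installation path, it helps to list which identities hold write-type access there and compare the result with the Program Files baseline. The following PowerShell is an added example, not AVEVA's code; the function name, the expected-writers list, and the custom path D:\Apps\WorkTasks are assumptions for illustration.

```powershell
# Added example (not vendor code): list allow-ACEs that grant write-type access
# on a folder to identities outside an expected set.
$expectedWriters = @(   # assumption: well-known SIDs normally allowed to write
    'S-1-5-18',         # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',     # BUILTIN\Administrators
    'S-1-3-0',          # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Write-type file rights plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
# which appear as raw values on inherit-only entries.
$fileWrite = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = ([int]$fileWrite) -bor 0x50000000

function Get-WritableAce {
    param([Parameter(Mandatory)] [string] $Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $expectedWriters) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Show a readable account name when the SID resolves, else the SID itself.
        $name = try {
            $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $ace.IdentityReference.Value
        }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$customPath = 'D:\Apps\WorkTasks'   # hypothetical custom installation path

# Baseline: the default installation root.
Get-WritableAce -Path $env:ProgramFiles | Format-Table -AutoSize
# Custom path: any extra rows here are candidates for tightening.
if (Test-Path -LiteralPath $customPath) {
    Get-WritableAce -Path $customPath | Format-Table -AutoSize
}
```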
