enteliWEB Network Hardening Guide Edition 1.9

© 2021 Delta Controls Inc. All rights reserved.

No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language (natural or computer), in any form or by any means, without the prior written permission of Delta Controls Inc.

Limited permission is granted to reproduce documents released in Adobe® Portable Document Format (PDF) electronic format in paper format. Documents released in PDF electronic format may be printed by end-users for their own use using a printer such as an inkjet or laser device. Authorized distributors of Delta Controls Inc. products (Delta Partners) may print PDF documents for their own internal use or for use by their customers. Authorized Delta Partners may engage a printing or copying company to produce copies of released PDF documents with the prior written permission of Delta Controls Inc.

Information in this document is subject to change without notice and does not represent a commitment to past versions of this document on the part of Delta Controls Inc. Delta Controls Inc. may make improvements and/or changes to this document, the associated software, or associated hardware at any time.

BACstat, Earthright, enteliBRIDGE, enteliBUS, enteliCLOUD, enteliSTAT, enteliTOUCH, enteliVIZ, enteliVAULT, enteliWEB, enteliZONE, O3, ORCAview, and ORCAweb are registered trademarks of Delta Controls Inc.

All other trademarks are the property of their respective owners.

Document edition: 1.9

Contents

Introduction
  Related Documentation
  Encryption Used in enteliWEB
Passwords
  Use Strong Passwords
  Create or Increase the Password Strength in enteliWEB
  Configure User Account Lockout Settings
    Number of Consecutive Password Fails to Lockout
    Time Period for Consecutive Fails
    Unlock Method
  Integrate LDAP with enteliWEB
    Features of the LDAP Integration
Users and Groups Permissions Management
  Optimize Users and Groups Permissions
  Enable Session Timeout
  Enable Electronic Signature Feature (Optional)
Server Security
  Restrict Physical Access to Server
  Restrict Access to enteliWEB Program Files
  Apply the Latest Windows Updates
  Upgrade to the Latest Version of enteliWEB
  Install and Enable Antivirus Software
  Enable Firewall Protection
  Establish a Secure Connection Between the enteliWEB Server and Clients
    Step 1: Install a certificate for use with SSL and TLS from a globally recognized certificate authority
    Step 2: Configure the SSL port
    Step 3: Enable HTTP Strict Transport Security (HSTS)
  Disable Port 80 Except to localhost
  Disable Weak Ciphers
  Remove jQuery 1.11
  Implement Windows Security Hardening Recommendations
  Utilize Log Monitoring
BACnet Network Security
  Create Network Segments
  Secure the Network's BBMD
    Restrict UDP/IP Access to BBMD
    Enforce a Password Login on BBMD
  Isolate the Delta Controllers' Networks
Cybersecurity Maintenance Plan
  Back Up Configuration Data
  Lock Accounts on Termination of Employment
  Remove Inactive User Accounts
  Review and Update User Account Permissions
  Monitor Delta Security Bulletins
  Implement Security Bulletin Recommendations
  Check for Patches and Updates
  Install Patches and Updates
  Review Organizational Cybersecurity Policies
  Conduct Security Audits
  Monitor for Cyberattacks
Secure Disposal
Appendix A: enteliWEB Network Hardening Checklist
Appendix B: Recommended Cybersecurity Maintenance Plan
Document Revision History

Introduction

This enteliWEB Network Hardening Guide provides guidance used in planning and implementing security best practices in an enteliWEB installation. enteliWEB can be made more secure by configuring the following areas:

• Passwords
• Users and Groups Permissions Management
• Authentication
• Platform Management

These security configurations require an enteliWEB user with administration permissions.

The security practices described in this guide are recommended practices to securely install and configure enteliWEB. However, Delta Controls cannot guarantee that the implementation of the security practices or recommendations described in this guide will ensure the security of the enteliWEB system, or prevent, or alter the potential impact of, any unauthorized access or damage caused by a cybersecurity incident.

Related Documentation

The following related documents are available on George Support.

• enteliWEB Deployment Guide
• KBA2252: Delta Product Security
• KBA2037: Securing enteliWEB using HTTPS

Encryption Used in enteliWEB

Application     Component                                   Algorithm/Protocol/Modes                               Key Length
enteliWEB       Configuration File                          AES with CBC mode                                      256 bits
enteliWEB       PostgreSQL Database                         AES with CBC mode                                      256 bits
enteliWEB       BACnet Secure Connect Configuration Tool    SHA256                                                 256 bits
IIS Server      n/a                                         TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     128/256 bits
BACnet Server   BACnet Secure Connect Communication         TLS 1.3                                                128 bits

Passwords

To access enteliWEB, users must have an account that is accessed using a username and password. Passwords are the most common means of authentication, but only work if they are complex and confidential.

Use Strong Passwords

A password policy that enforces the use of strong passwords helps you protect your system against unauthorized access. Strong passwords are especially important for enteliWEB users with administrator level permissions to the entire enteliWEB system and its connected devices.

In enteliWEB, the options on the Password Settings page allow you to configure the password strength policy that the user must adhere to when they create or change an enteliWEB password.

Recommendations for a strong password policy:

• Require a minimum password length of eight or more characters. Systems with higher security requirements can increase the minimum password length to meet their needs.
• Passwords should use a combination of upper and lower case letters and at least one number.
• Require at least one character that isn't a letter or number.

Create or Increase the Password Strength in enteliWEB

1. Go to > Sites and Users > Password Settings.
2. Select the password rules that you want to apply to your organization or site. To make enteliWEB more secure, we recommend selecting all the password rules.
3. Edit the password minimum and maximum length settings as needed.
4. Click Save.

When you change the password settings, this does not force a user whose password no longer meets the password requirements to change their password. If that user changes their password after the password requirements are updated, the user's new password needs to meet the new requirements.

Configure User Account Lockout Settings

The user lockout feature prevents a user from logging into enteliWEB after consecutive unsuccessful login attempts.

An unsuccessful login attempt occurs when the username is entered correctly but the password is incorrect. After a specified number of unsuccessful login attempts, the user is locked out.

A locked out user is prevented from logging in until one of the following occurs:

• The user's account is automatically unlocked after a specified time period.
• The user's account is manually unlocked by an administrator or other user with Manage Users and Groups permissions.
• The user correctly enters the text from a CAPTCHA image (in enteliWEB version 4.18 and later).

These security measures prevent attackers from using brute-force attacks to discover passwords and gain access to enteliWEB.

The user lockout feature is enabled by default. You cannot disable it.

To access the user lockout settings, go to > Sites and Users > User Lockout Settings. These settings are described in more detail below.

Number of Consecutive Password Fails to Lockout

Number of Consecutive Password Fails to Lockout specifies the number of unsuccessful login attempts that can occur in chronological order without a successful login, after which the user is locked out. The number cannot be 0.

Time Period for Consecutive Fails

Time Period for Consecutive Fails specifies the time period within which the specified number of consecutive unsuccessful login attempts must occur for the user to be locked out.

To make enteliWEB more secure, we recommend setting the Time Period for Consecutive Fails to 60 minutes or greater.

When Time Period for Consecutive Fails is changed, the time period for users who are currently locked out is not affected.

Unlock Method

Automatic

When the unlock method is set to Automatic, the user's account is automatically unlocked when the Time Period for Auto Unlock expires.

Time Period for Auto Unlock

Time Period for Auto Unlock specifies the time period that must elapse after a user is locked out before the user's account is automatically unlocked by enteliWEB. By default, this time period is 60 minutes.

The Time Period for Auto Unlock only applies when the Automatic unlock method is selected.

Manual

When the unlock method is set to Manual, the user's account must be manually unlocked by an administrator or other user with Manage Users and Groups permissions. This is done on the user's account settings page in > Sites and Users > Users.

CAPTCHA

This option is only available in enteliWEB version 4.18 and later.

CAPTCHA is a test for telling computers and humans apart that displays an image with distorted text that users must type correctly to verify that they are human. When the unlock method is set to CAPTCHA, the user is presented with a CAPTCHA image when they exceed the Number of Consecutive Password Fails to Lockout. The user's account is unlocked by enteliWEB once the CAPTCHA text is correctly entered.

If a particular CAPTCHA image is too difficult to read, the user can try a different CAPTCHA image. If the user is unable to enter the text correctly for any CAPTCHA image, they will need to have their account manually unlocked by an administrator or other user with Manage Users and Groups permissions. This is done on the user's account settings page in > Sites and Users > Users.

Integrate LDAP with enteliWEB

Instead of keeping user credentials in the enteliWEB database, Lightweight Directory Access Protocol (LDAP) provides an alternate method of sharing user information across a network. For example, if your users and groups are stored in a corporate directory, connecting to the LDAP directory server would allow users to use their corporate login information to access enteliWEB.

Features of the LDAP Integration

The password settings for these enteliWEB-LDAP users are enforced by the LDAP server.

• The LDAP administrator controls the password length/complexity requirements, password expiration and reuse policies. However, the enteliWEB user lockout settings still apply to these LDAP users.

An enteliWEB administrator sets up the connection between enteliWEB and the LDAP server.

• The enteliWEB administrator defines groups in enteliWEB and links them to groups on the LDAP server.
• enteliWEB supports Active Directory or Open LDAP attributes.
• For groups that are linked, enteliWEB synchronizes its users and groups with the LDAP directory server users and groups. enteliWEB does not add any data to the directory information.

Refer to the enteliWEB help for more details about LDAP configuration tasks.

Users and Groups Permissions Management

Permissions are authorizations that are assigned to enteliWEB users to allow them to control specific functions of enteliWEB and of the BACnet networks.

In enteliWEB, users are organized into groups, and users who are members of a group inherit the permissions of that group. A user who is a member of more than one group inherits the permissions of all of the groups he or she is a member of.

The enteliWEB software provides default user groups that you should modify to secure your site. The goal is to ensure a user's access is limited to those permissions necessary to perform their duties.

Optimize Users and Groups Permissions

• Set up groups that correlate with the users' assigned roles. Not everyone needs to be part of the administrators group. For example, an operator who monitors the system for alarms does not need permission to create new users.
• Be selective in who you assign to the administrators group. Since an administrator user account is able to access everything on the enteliWEB system, only the system administrator should be added to the administrators group. Also, it is good practice to create a redundant administration user as backup.
• Assign specific object permissions to groups. To make enteliWEB more secure, restrict write, create, and delete access for the following objects to relevant groups and users:
  • On version 3 devices, PG, NET, DEV, and any other control objects for critical equipment
  • On version 4 devices, PG, NP, DEV, and any other control objects for critical equipment
• Perform a regular review of user access and permissions.

Enable Session Timeout

For each user account, in the Session Timeout field, specify the period of user inactivity (in minutes) after which the user is logged out of enteliWEB.

To make enteliWEB more secure, never enter zero in the Session Timeout field. Select or enter a small value to prevent unauthorized access when the user walks away from the workstation.

Enable Electronic Signature Feature (Optional)

You can track and log every enteliWEB user action by enabling the electronic signatures feature. The electronic signatures feature is designed to be part of an audit process for sites seeking compliance with government requirements like 21 CFR Part 11. When this feature is enabled, all users are prompted to sign off on every data change they make by entering their username and password in a new pop-up window. The pop-up window also includes a comment field where users can enter the reasons why a change was made.

Refer to the enteliWEB help for the limitations of this feature.

To enable electronic signatures, go to > Configuration > Global Settings and select Enable Electronic Signature.

Server Security

This section describes steps you can take to secure the enteliWEB server.

Restrict Physical Access to Server

• All servers and workstations should be kept in a secure locked environment with restricted access to protect them from being stolen or accessed without proper authorization.
• Users other than the server administrator are not expected to log onto the enteliWEB server and can only access the system on the client workstations using their assigned user accounts.
• Disable Remote Desktop Protocol connections to the server, or configure Network Level Authentication for Remote Desktop Services connections.

Restrict Access to enteliWEB Program Files

By default, enteliWEB software installs in C:\Program Files (x86)\Delta Controls. You can select another drive on the server when you install enteliWEB, but some components will still be installed on drive C. Make sure only authorized and trusted users have access to all these files.

Apply the Latest Windows Updates

Check the machine for missing updates, and download and install these updates.

The latest Windows updates often include security fixes. We recommend updating the enteliWEB server regularly to ensure these fixes are applied. You may want to enable automatic updates.

Upgrade to the Latest Version of enteliWEB

Newer versions of enteliWEB can include fixes for security vulnerabilities. We recommend updating the enteliWEB server to ensure these fixes are applied. Access to the latest enteliWEB versions, updates or patches requires an active software maintenance subscription.

Install and Enable Antivirus Software

Install antivirus software on the enteliWEB server and ensure the program does not delete or disturb any enteliWEB files.

You will need to disable the antivirus software temporarily when installing or upgrading enteliWEB.

Enable Firewall Protection

Enable the firewall on the enteliWEB server to monitor and control network traffic based on defined security rules, and to protect the server from malicious activity.

You should also consider a web application firewall for all internet-facing services. Deployed in front of web applications, this firewall analyzes bidirectional web-based traffic for attacks that exploit software vulnerabilities like cross-site scripting.

Internal services should be moved behind the firewall where access can be strictly controlled and monitored.

Establish a Secure Connection Between the enteliWEB Server and Clients

Configure the enteliWEB server with a valid, trusted certificate so that a secured connection is established between the server and client workstations or mobile devices. It is recommended that you obtain a certificate from a globally-recognized certificate authority. Delta Controls apps like the O3 App do not support self-signed certificates.

After configuring SSL/TLS, implement HTTP Strict Transport Security (HSTS) to enforce secure HTTPS connections and help prevent man-in-the-middle type attacks.

The server communicates the HSTS policy via an HTTP response header field named "Strict-Transport-Security". It also specifies a "max-age" period in seconds (the recommended value is 31536000, which equals 365 days). Within this period, if a user types http://, the browser will automatically replace the unsecure link with https:// before connecting to the server. If the security of the connection cannot be ensured (for example, if the server's TLS certificate is self-signed), an error message is displayed and the user is not allowed to access enteliWEB.

Step 1: Install a certificate for use with SSL and TLS from a globally recognized certificate authority

Obtain a certificate from a globally recognized certificate authority and install it on the enteliWEB server.

Step 2: Configure the SSL port

1. Open IIS Manager.
2. In the Connections pane, select Sites > Default Web Site.
3. In the Actions pane, under Edit Site, click Bindings.
4. In the Site Bindings dialog, click Add.
5. In the Add Site Bindings dialog, configure the following settings:
   • Set Type to https
   • Set Port to 443
   • Leave Host name blank
6. Select the SSL certificate that you obtained in Step 1.
7. Click OK, and then click Close.

Step 3: Enable HTTP Strict Transport Security (HSTS)

If the enteliWEB server is running IIS 10.0 version 1709 or later, follow these steps:

1. In IIS Manager, in the Connections pane, select Sites > Default Web Site.
2. In the Actions pane, under Configure, click HSTS.
3. In the Edit Website HSTS dialog, configure the following settings:
   • Select the Enable checkbox
   • Set Max-Age to 31536000
   • Select the IncludeSubDomains, Preload, and Redirect Http to Https checkboxes
4. Click OK.

If the enteliWEB server is running an older version of IIS, configure the web.config of the enteliWEB site as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
          <outboundRules>
            <rule name="Add the STS header in HTTPS responses">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                <add input="{HTTPS}" pattern="on" />
              </conditions>
              <action type="Rewrite" value="max-age=31536000" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>
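As an added example (not part of the Delta Controls guide), the following PowerShell script performs Step 2 and the IIS 10.0 version 1709 or later form of Step 3 from the command line, then checks over the network that the Strict-Transport-Security header and the HTTP-to-HTTPS redirect are actually in effect. It assumes the site is "Default Web Site", that the certificate from Step 1 is already installed in the computer's Personal store, and that $ServerName is a placeholder for the DNS name on that certificate.

```powershell
# Added example, not from the Delta Controls guide. Run in an elevated
# PowerShell on the enteliWEB server (WebAdministration module, IIS 10.0 1709+).
# Assumptions: site "Default Web Site"; CA-issued certificate already in
# Cert:\LocalMachine\My; $ServerName is a placeholder for the certificate's name.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'
$ServerName = 'enteliweb.example.com'   # placeholder: the host name on the certificate

# Step 2: https binding on port 443 with Host name left blank, as in the guide.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
# Pick the newest unexpired certificate issued for the server name and attach it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$ServerName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $ServerName in Cert:\LocalMachine\My" }
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Step 3: the same values the guide sets in the Edit Website HSTS dialog.
$hsts = "system.applicationHost/sites/site[@name='$SiteName']/hsts"
$settings = @{ enabled = $true; 'max-age' = 31536000; includeSubDomains = $true
               preload = $true; redirectHttpToHttps = $true }
foreach ($name in $settings.Keys) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hsts `
        -Name $name -Value $settings[$name]
}

# Verify 1: an HTTPS response carries Strict-Transport-Security with the configured max-age.
$sts = (Invoke-WebRequest -Uri "https://$ServerName/" -UseBasicParsing).Headers['Strict-Transport-Security']
if ("$sts" -notmatch 'max-age=31536000') { throw "HSTS header missing or wrong: '$sts'" }

# Verify 2: a plain HTTP request is answered with a redirect to https://, not with content.
# HttpWebRequest is used so that the redirect itself can be inspected instead of followed.
$req = [System.Net.WebRequest]::Create("http://$ServerName/")
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
$code = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()
if (($code -notin 301, 307, 308) -or ($location -notlike 'https://*')) {
    throw "HTTP was not redirected to HTTPS (status $code, Location '$location')"
}
"HTTPS binding and HSTS verified: $sts"
```

Run the verification part again from a client workstation on another network segment; a header seen only on the server itself says nothing about what browsers receive through intermediate proxies.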

Disable Port 80 Except to localhost

To prevent incoming network traffic from communicating on the less secure HTTP protocol, we recommend closing port 80 on the enteliWEB server, except if you require HTTP traffic to be redirected to HTTPS (if you have enabled the redirect within IIS Manager).

You must allow HTTP traffic to localhost (127.0.0.1) because enteliWEB uses the protocol to communicate internally.

If you have enabled BACnet/SC, do not disable port 80 as it is required to allow incoming connections from SC nodes to retrieve the Certificate Revocation List (CRL) prior to establishing the SC connection. For Secure Connect servers, we recommend you set up a static IP address for your node devices, so that exceptions can be made to only allow incoming TCP/IP connections from the specified IP addresses.

Secure Connect will not work if port 80 is fully disabled.
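The following PowerShell is an added example (not from the Delta Controls guide) of applying this recommendation with Windows Defender Firewall: it removes any broad inbound TCP/80 allow rule and replaces it with one scoped to localhost and the static addresses of the BACnet/SC nodes. The node addresses in $ScNodes are constructed placeholders; leave the list empty if BACnet/SC is not enabled and no HTTP-to-HTTPS redirect is needed.

```powershell
# Added example, not from the Delta Controls guide. Run elevated on the
# enteliWEB server (NetSecurity module, Windows Server 2012 or later).
# $ScNodes is a constructed placeholder list of your SC node devices' static IPs.
$ScNodes = @('192.0.2.21', '192.0.2.22')

# Inbound default for every profile must be Block; otherwise removing the
# broad HTTP allow rule below changes nothing.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable every enabled inbound rule that currently allows TCP/80 to anyone
# (for example the built-in "World Wide Web Services (HTTP Traffic-In)" rule).
# A blanket Block rule is deliberately NOT added: in Windows Firewall, Block
# rules override Allow rules, so it would also defeat the scoped exception below.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 80 } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# Re-create a narrowly scoped allow rule. 127.0.0.1 is listed because enteliWEB
# talks to itself over HTTP; the SC node addresses are listed so that the nodes
# can still fetch the CRL over port 80 before establishing the SC connection.
$allowed  = @('127.0.0.1') + $ScNodes
$ruleName = 'enteliWEB HTTP (localhost and BACnet/SC nodes only)'
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $allowed -Action Allow -Profile Any | Out-Null

# Verify: list every enabled inbound rule that still allows TCP/80, with the
# remote addresses it permits. Only the scoped rule should appear.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 80 } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0} -> {1}' -f $_.DisplayName, $addr
    }
```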

Disable Weak Ciphers

Configure the enteliWEB server to disallow the use of weak ciphers.

1. Start Registry Editor (Regedt32.exe), and then locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
2. Set the data of the DWORD value named Enabled to 0x0 in each of the following registry keys:
   • SCHANNEL\Ciphers\DES 56/56
   • SCHANNEL\Ciphers\RC4 64/128
   • SCHANNEL\Ciphers\RC4 40/128
   • SCHANNEL\Ciphers\RC2 56/128
   • SCHANNEL\Ciphers\RC2 40/128
   • SCHANNEL\Ciphers\NULL
   • SCHANNEL\Hashes\MD5
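The same change scripted in PowerShell, as an added example that is not part of the Delta Controls guide. Two practical points it handles: the SCHANNEL subkeys usually do not exist until you create them, and several of the key names contain a "/" (for example "RC4 64/128"), which the PowerShell registry provider would treat as a path separator, so the .NET registry API is used instead of New-Item. A reboot is required before SCHANNEL reads the new values.

```powershell
# Added example, not from the Delta Controls guide. Run elevated on the
# enteliWEB server; reboot afterwards for SCHANNEL to pick up the change.
$weak = @(
    'SCHANNEL\Ciphers\DES 56/56',
    'SCHANNEL\Ciphers\RC4 64/128',
    'SCHANNEL\Ciphers\RC4 40/128',
    'SCHANNEL\Ciphers\RC2 56/128',
    'SCHANNEL\Ciphers\RC2 40/128',
    'SCHANNEL\Ciphers\NULL',
    'SCHANNEL\Hashes\MD5'
)
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Open-Hklm64 {
    # Always write the 64-bit view so the change is not redirected to WOW6432Node.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Disable-SchannelAlgorithm {
    param([string]$RelativePath)
    # CreateSubKey splits only on "\", so a "/" inside a key name is kept literally.
    $hklm = Open-Hklm64
    $key  = $hklm.CreateSubKey("$base\$RelativePath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close(); $hklm.Close()
    }
}

function Test-SchannelAlgorithmDisabled {
    param([string]$RelativePath)
    $hklm = Open-Hklm64
    $key  = $hklm.OpenSubKey("$base\$RelativePath")
    if ($null -eq $key) { $hklm.Close(); return $false }
    $enabled = $key.GetValue('Enabled')
    $key.Close(); $hklm.Close()
    return ($enabled -eq 0)
}

foreach ($path in $weak) {
    Disable-SchannelAlgorithm -RelativePath $path
    $state = if (Test-SchannelAlgorithmDisabled -RelativePath $path) { 'disabled' } else { 'STILL ENABLED' }
    '{0,-32} {1}' -f $path, $state
}
```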

Remove jQuery 1.11

When enteliWEB is installed, it includes the jQuery v1.11 library, which has known security issues. jQuery v1.11 is required by jQuery Mobile v1.4.5, which enteliWEB uses to provide mobile views for phones and tablets.

If your security policy does not allow jQuery v1.11, you can remove it by going to install folder\enteliWEB\website\public\javascript\jquery and deleting jquery-1.11.js.

This will break mobile views of enteliWEB.

Once jQuery Mobile v1.5.0 is released, which will be compatible with the up-to-date version of jQuery that enteliWEB now uses for the desktop view, we will stop including jQuery 1.11 in the enteliWEB installation. In the meantime, you will need to delete the jQuery v1.11 library whenever enteliWEB is upgraded to a new version.

Implement Windows Security Hardening Recommendations

Microsoft has published a list of security hardening recommendations at https://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx.

Other security hardening resources can be found at https://security.utexas.edu/os-hardening-checklist/windows-2016.

Utilize Log Monitoring

Employ a log monitoring and alerting solution to detect and respond to log patterns that indicate attacks on the network, server, and application. Attacks could include denial of service, unauthorized access, or unauthorized modifications to the system. Examples of open source solutions include Prometheus and Graylog.
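As an added example (not from the Delta Controls guide) of the kind of pattern such a solution should raise, the PowerShell below detects one of the attacks named above, repeated unauthorized logon attempts against the enteliWEB server's Windows logon, by grouping Security event 4625 (failed logon) by source address and alerting when a burst of failures falls inside a short window. The threshold, window and sample records are constructed assumptions, not enteliWEB settings.

```powershell
# Added example, not from the Delta Controls guide. The detection function is
# pure and is fed either constructed sample records or live 4625 events.

function Get-LogonFailureBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, Source, User
        [int]$Threshold = 5,                         # assumed: failures per window
        [int]$WindowMinutes = 10                     # assumed: window length
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object Source)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        # Slide a window of $Threshold consecutive failures over the sorted times.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $alerts += [pscustomobject]@{
                    Source   = $group.Name
                    Failures = $group.Count
                    Users    = ($group.Group.User | Select-Object -Unique) -join ','
                    First    = $times[$i]
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Live collection: convert real 4625 events into the Time/Source/User shape.
# The XML form is used so field names, not positional indexes, select the data.
function Get-Recent4625 {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $d['IpAddress']; User = $d['TargetUserName'] }
        }
}

# Constructed sample: six failures from one source within three minutes, and two
# failures forty minutes apart from another, which should not be flagged.
$t0 = Get-Date '2022-04-04T10:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); Source = '198.51.100.7'; User = 'admin' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(1);  Source = '198.51.100.9'; User = 'operator' }
    [pscustomobject]@{ Time = $t0.AddMinutes(40); Source = '198.51.100.9'; User = 'operator' }
)
Get-LogonFailureBursts -Events $sample | Format-Table
# Against the live Security log on the server (requires an elevated session):
# Get-LogonFailureBursts -Events @(Get-Recent4625) | Format-Table
```

The same sliding-window logic applies to enteliWEB's own failed-login records once they are mapped to the Time/Source/User shape; the user lockout settings described in the Passwords section stop the attempt, but this check tells you it happened.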

BACnet Network Security

This section describes the steps to secure the enteliWEB server network.

Create Network Segments

The enteliWEB server is accessed from a web browser on client workstations. For this reason, we recommend defining a segmentation policy that restricts network and internet access to the enteliWEB server and its Delta controllers. A BACnet network that is segregated from other networks not only limits the potential damage of a cyberattack to the affected segment; segmentation also protects the network by stopping harmful traffic between segments.

The BACnet network can be further secured in one of the following ways.

• Use the BACnet Secure Connect protocol to create connections between the enteliWEB server and the BACnet device network. The protocol allows devices to communicate over the Transport Layer Security (TLS) protocol, and has built-in data encryption and device authentication.

  Secure Connect data packets are exchanged on a BACnet datalink layer that uses a hub-and-spoke topology, where the spokes are WebSockets protocol-based connections from the nodes (also known as regular nodes) to the primary hub. Only one WebSocket connection exists at a time between a node and a hub.

  The enteliWEB server (4.14 and later) acts as a Secure Connect hub to form connections with Secure Connect compatible Delta devices on the BACnet network.

  BACnet Secure Connect is only available on Delta controllers running V4 firmware.

• Encapsulate the network within a Virtual LAN or a Virtual Private Network (VPN).
• Use Tempered Networks software and hardware switches to control network traffic.
• If you need to provide external users remote access to the BACnet network, users can use VPN to establish a secure connection.
• Implement Network Access Control Lists to secure network access. You can permit or deny network traffic by source IP address.

Secure the Network's BBMD

When two or more BACnet/IP subnetworks are connected to a BACnet/IP network to make a WAN (Wide Area Network), each subnetwork must include a device that acts as a BACnet/IP router, otherwise known as a BBMD (BACnet Broadcast Management Device).

The BBMD serves the following purposes:

• It provides the UDP/IP port and physical connection to the WAN.
• It routes BACnet traffic from its local network over the WAN.
• It receives BACnet traffic from other BBMDs and forwards it to its local network.

Restrict UDP/IP Access to BBMD

We recommend restricting UDP/IP access to BBMDs using the same IT methods as you would with a server. Some recommended methods include installing the BBMD behind a VPN or firewall, or installing the BBMD in a network secured by Tempered Networks software and hardware switches.

Enforce a Password Login on BBMD

The password login feature is only available on Delta BBMDs running V3 firmware.

Enforcing a password login is a part of a layered security strategy to secure the BBMD. Without the correct credentials, the BBMD will not allow a remote connection to the BACnet network.

To enable and configure password login on a BBMD running V3 firmware:

1. In the SUA1 object, change the default username (in the Name field) and password.
2. In the NET1 object, in the UDP/IP section, select Enable Remote Connection Require SUA Password Check.

Isolate the Delta Controllers' Networks

Networks that include Delta Controls controllers should be isolated from other information technology systems to limit any connectivity beyond Server to Device and Server to Client. This can be accomplished by using physically separate or Virtual LAN networks. See other recommendations in the Create Network Segments section above.

Cybersecurity Maintenance Plan

A regular maintenance program is recommended to ensure the security of your Delta Controls system and applications is up to date. Your enteliWEB system may also require a higher level of protection as technology, policies and regulations change over time. This section describes some recommendations to develop a maintenance plan that's suited to your enteliWEB deployment.

Back Up Configuration Data

The Back Up enteliWEB Configuration function creates a single compressed backup file that contains a snapshot of all necessary enteliWEB configuration information. Backups can be run automatically using the scheduled task option in enteliWEB.

Validate backups by verifying the data on these copies, and ensure the enteliWEB backup process is part of the organization's disaster recovery plans.

Lock Accounts on Termination of Employment

Immediately disable the user accounts of employees who have left the organization.

To disable a user, click > Users, and then select the user from the list. Click Command and then Disable.

Remove Inactive User Accounts

For employees who are still employed but have not accessed their account for a while, it is recommended that you remove these user accounts to reduce the potential attack footprint.

Review and Update User Account Permissions

As people's roles within the company change, their user permissions should be updated to reflect their new role.

Monitor Delta Security Bulletins

Delta Controls publishes security bulletins at https://deltacontrols.com/cybersecurity-program and on our George Support website https://support.deltacontrols.com/Support/SecurityBulletins/WebHome.

You can also receive email notifications when a new security bulletin is published by logging into your Delta Controls Passport account profile and selecting Cybersecurity News under Preferred Communications.

Implement Security Bulletin Recommendations

Implement the recommendations described in the Delta Controls security bulletins.

Check for Patches and Updates

enteliWEB patches and updates may include cybersecurity enhancements or fixes. Review the release notes to determine the benefits of the patch or update.

You should also check for patches and updates of third-party components such as networking equipment or software that provide internet-facing services.

Install Patches and Updates

If relevant to the security of the system, install the patch or update described in the previous section.

Review Organizational Cybersecurity Policies

It's a good idea to periodically review the cybersecurity policies to ensure these policies still align with any recent policy changes at an organizational level.

Conduct Security Audits

Networks, systems, and applications can change over time. Conduct regularly scheduled security audits to identify and mitigate new security risks. This can include identifying and documenting internet-facing systems and services.

Firewall rules should also be regularly reviewed to ensure a reasonable implementation of the principle of least privilege.

Monitor for Cyberattacks

Implement security tools that monitor the enteliWEB network and device endpoints for cyberattacks.

Page 24: enteliWEB Network Hardening Guide

Secure Disposal

24 enteliWEB Network Hardening GuideEdition 1.9

Secure Disposal

To perform a clean uninstallation of enteliWEB, follow these steps.

1. Uninstall enteliWEB.
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls enteliWEB, and then click Uninstall. The install wizard opens.
   c. Click Next, and then click Uninstall enteliWEB.
   d. Make sure the Keep enteliWEB configuration settings checkbox is NOT selected, then click Uninstall.
   e. Wait for the uninstall operation to complete, then close the install wizard.

2. Uninstall Firmware Loader (enteliWEB 4.7 or later).
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls Firmware Loader, and then click Uninstall.
   c. Wait for the uninstall operation to complete.

3. Uninstall BACnet Server.
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls BACnet Server, and then click Uninstall. A dialog opens.
   c. Click Uninstall, wait for the uninstall operation to complete, and then close the dialog.

4. Ensure that no Delta services are running.
   a. In the search box on the taskbar, type services, and then open the Services app.
   b. Ensure that none of the following services are present: Delta BACnet Server, Delta enteliWEB Connection Service, Delta Firmware Loader, Delta Monitor, Delta Output, or Delta PostgreSQL Service (Delta MySQL Service in enteliWEB 4.9 and earlier).

5. Delete the enteliWEB folders.
   a. Navigate to the enteliWEB installation location (normally, C:\Program Files (x86)\Delta Controls) and delete the enteliWEB folder. If the BACnet Server folder is present, delete it as well.
   b. On the View tab in the File Explorer Ribbon, select the Hidden items checkbox.
   c. Navigate to C:\ProgramData\Delta Controls and ensure that the BACnet Server folder is not present. If it is, delete it.

6. Restart the machine and verify that all enteliWEB-related services and software have been uninstalled.
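The verification in steps 4 and 6 can be scripted. The following PowerShell script is an added example, not Delta Controls code; it is read-only, and it assumes that the service names listed in step 4 are the services' display names and that the folders from step 5 are at their default locations.

```powershell
# Added verification example (not Delta Controls code). Reports enteliWEB,
# Firmware Loader and BACnet Server remnants after the uninstall steps above.
# It removes nothing; exit code 1 means something was found.
$ErrorActionPreference = 'SilentlyContinue'

# Service names taken from step 4; assumed to be the services' display names.
$deltaServices = @(
    'Delta BACnet Server',
    'Delta enteliWEB Connection Service',
    'Delta Firmware Loader',
    'Delta Monitor',
    'Delta Output',
    'Delta PostgreSQL Service',
    'Delta MySQL Service'            # enteliWEB 4.9 and earlier
)

# Folders from step 5, assuming the default installation location.
$deltaFolders = @(
    "${env:ProgramFiles(x86)}\Delta Controls\enteliWEB",
    "${env:ProgramFiles(x86)}\Delta Controls\BACnet Server",
    "$env:ProgramData\Delta Controls\BACnet Server"
)

$findings = @()

# Match on both the short name and the display name of every installed service.
Get-Service |
    Where-Object { ($deltaServices -contains $_.DisplayName) -or ($deltaServices -contains $_.Name) } |
    ForEach-Object { $findings += "Service still present: $($_.DisplayName) [$($_.Status)]" }

foreach ($path in $deltaFolders) {
    if (Test-Path -LiteralPath $path) { $findings += "Folder still present: $path" }
}

# Programs still registered with Control Panel (32-bit and 64-bit uninstall keys).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys |
    Where-Object { $_.DisplayName -like 'Delta Controls*' } |
    ForEach-Object { $findings += "Program still registered: $($_.DisplayName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No enteliWEB, Firmware Loader or BACnet Server remnants found.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Run it from an elevated PowerShell prompt after the restart in step 6, since the ProgramData folder is hidden and the uninstall keys are only fully readable with administrative rights.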


Appendix A: enteliWEB Network Hardening Checklist

Use this checklist to verify that you have secured your enteliWEB server. For more details about each task, go to the relevant section in the enteliWEB Network Hardening Guide.

This checklist includes the most critical tasks and does not guarantee the security of the enteliWEB server. You should constantly monitor and test your computing environment for areas that need improvement.

Task

Passwords
  Increase the enteliWEB user login password strength
  Enable User Lockout
  Configure the Number of Consecutive Password Fails to Lockout
  Configure the Time Period for Consecutive Fails
  Select an unlock method: Automatic, Manual or CAPTCHA (in enteliWEB version 4.18 and later)
  If Automatic unlock is selected, configure the Time Period for Auto Unlock

Users and Groups Permissions Management
  Set up groups that correlate with users' assigned roles
  Assign specific object permissions to groups
  Set up redundant administration user as backup
  Configure session timeout

enteliWEB Server Security
  Keep enteliWEB server in a secure locked environment with restricted access
  Set up user accounts on the client workstations
  Disable Remote Desktop Protocol connections to the server, or configure Network Level Authentication for Remote Desktop Services Connections
  Restrict access to enteliWEB Program Files
  Check the server for security updates, and download and install these updates
  If appropriate, enable automatic Windows updates
  Upgrade to the latest version of enteliWEB
  Install and enable anti-virus software
  Enable firewall protection
  Block incoming traffic to port 80 except for traffic to localhost
  Disable weak ciphers
  Remove jQuery v1.11
  Implement Windows security hardening recommendations

SSL/TLS Installation
  Obtain an SSL/TLS certificate from a globally recognized certificate authority and install it on the server
  Configure the SSL port
  Enable HSTS to redirect HTTP requests to HTTPS

BACnet Network Security
  Create and enforce a network segmentation policy that restricts network and Internet access to the enteliWEB server and its Delta controllers
  Secure the BACnet network by encapsulating it within a Virtual LAN or VPN, or use Tempered Networks software and hardware switches
  Restrict UDP/IP access to BBMD
  (V3 devices) Enforce a password login on BBMD
  Isolate networks that include Delta Controls controllers


Appendix B: Recommended Cybersecurity Maintenance Plan

This checklist recommends tasks you might want to include in a cybersecurity maintenance plan. The items on this list do not guarantee the security of the enteliWEB server. You should constantly monitor and test your computing environment for areas that need improvement.

Task                                                        Recommended Frequency
Back up enteliWEB configuration data                        Daily
Disable user accounts on termination of employment          Immediately
Remove inactive user accounts                               Monthly
Review and update user account permissions                  Monthly
Check for security bulletins on Delta Controls website      Subscribe (weekly)
Implement Delta Controls security bulletin recommendations  As needed
Check for patches and updates                               Monthly
Install patches and updates                                 As needed
Review organizational cybersecurity policies                Annually
Conduct security audits                                     Annually
Monitor for cyberattacks                                    Continuously


Document Revision History

Edition  Date            Change Description
1.0      September 2019  First publication.
1.1      October 2019    Explained why port 80 needs to be closed except in specific cases.
1.2      August 2020     Updated the document in the following sections:
                         - Enable Firewall Protection: added a web application type firewall recommendation
                         - Utilize Log Monitoring: new section
                         - Secure the BACnet Network: added network access control list, BACnet Secure Connect, and Delta controllers isolation recommendations
                         - Appendix B: new section
                         - New section in the Introduction listing the encryption protocols used in enteliWEB
1.3      August 2020     Updated the Secure the BACnet Network section to remove mentions of BBMDs. Updated the Secure the Network's BBMD section to remove mentions of Secure Connect.
1.4      February 2021   Updated section on user account lockout settings.
1.5      March 2021      Made additional changes to the section on user account lockout settings.
1.6      June 2021       Added sections for enabling HSTS and disabling weak ciphers.
1.7      July 2021       Added section on removing jQuery 1.11.
1.8      August 2021     Added section on secure disposal.
1.9      August 2021     Made changes to the section on disabling port 80.
