enteliWEB Network Hardening Guide, Edition 1.9
© 2021 Delta Controls Inc. All rights reserved.
No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language (natural or computer), in any form or by any means, without the prior written permission of Delta Controls Inc.
Limited permission is granted to reproduce documents released in Adobe® Portable Document Format (PDF) electronic format in paper format. Documents released in PDF electronic format may be printed by end-users for their own use using a printer such as an inkjet or laser device. Authorized distributors of Delta Controls Inc. products (Delta Partners) may print PDF documents for their own internal use or for use by their customers. Authorized Delta Partners may engage a printing or copying company to produce copies of released PDF documents with the prior written permission of Delta Controls Inc.
Information in this document is subject to change without notice and does not represent a commitment to past versions of this document on the part of Delta Controls Inc. Delta Controls Inc. may make improvements and/or changes to this document, the associated software, or associated hardware at any time.
BACstat, Earthright, enteliBRIDGE, enteliBUS, enteliCLOUD, enteliSTAT, enteliTOUCH, enteliVIZ, enteliVAULT, enteliWEB, enteliZONE, O3, ORCAview, and ORCAweb are registered trademarks of Delta Controls Inc.
All other trademarks are the property of their respective owners.
Document edition: 1.9
Contents
Introduction 5
Related Documentation 5
Encryption Used in enteliWEB 6
Passwords 7
Use Strong Passwords 7
Create or Increase the Password Strength in enteliWEB 7
Configure User Account Lockout Settings 8
Number of Consecutive Password Fails to Lockout 8
Time Period for Consecutive Fails 8
Unlock Method 9
Integrate LDAP with enteliWEB 9
Features of the LDAP Integration 10
Users and Groups Permissions Management 11
Optimize Users and Groups Permissions 11
Enable Session Timeout 11
Enable Electronic Signature Feature (Optional) 12
Server Security 13
Restrict Physical Access to Server 13
Restrict Access to enteliWEB Program Files 13
Apply the Latest Windows Updates 13
Upgrade to the Latest Version of enteliWEB 13
Install and Enable Antivirus Software 13
Enable Firewall Protection 14
Establish a Secure Connection Between the enteliWEB Server and Clients 14
Step 1: Install a certificate for use with SSL and TLS from a globally recognized certificate authority 14
Step 2: Configure the SSL port 15
Step 3: Enable HTTP Strict Transport Security (HSTS) 15
Disable Port 80 Except to localhost 16
Disable Weak Ciphers 16
Remove jQuery 1.11 17
Implement Windows Security Hardening Recommendations 17
Utilize Log Monitoring 17
BACnet Network Security 19
Create Network Segments 19
Secure the Network's BBMD 20
Restrict UDP/IP Access to BBMD 20
Enforce a Password Login on BBMD 20
Isolate the Delta Controllers' Networks 21
Cybersecurity Maintenance Plan 22
Back Up Configuration Data 22
Lock Accounts on Termination of Employment 22
Remove Inactive User Accounts 22
Review and Update User Account Permissions 22
Monitor Delta Security Bulletins 22
Implement Security Bulletin Recommendations 23
Check for Patches and Updates 23
Install Patches and Updates 23
Review Organizational Cybersecurity Policies 23
Conduct Security Audits 23
Monitor for Cyberattacks 23
Secure Disposal 24
Appendix A: enteliWEB Network Hardening Checklist 26
Appendix B: Recommended Cybersecurity Maintenance Plan 28
Document Revision History 29
Introduction
This enteliWEB Network Hardening Guide provides guidance used in planning and implementing security best practices in an enteliWEB installation. enteliWEB can be made more secure by configuring the following areas:
• Passwords
• Users and Groups Permissions Management
• Authentication
• Platform Management
These security configurations require an enteliWEB user with administration permissions.
The security practices described in this guide are recommended practices to securely install and configure enteliWEB. However, Delta Controls cannot guarantee that the implementation of the security practices or recommendations described in this guide will ensure the security of the enteliWEB system, or prevent, or alter the potential impact of, any unauthorized access or damage caused by a cybersecurity incident.
Related Documentation
The following related documents are available on George Support.
• enteliWEB Deployment Guide
• KBA2252: Delta Product Security
• KBA2037: Securing enteliWEB using HTTPS
© 2021 Delta Controls Inc. 5
6 enteliWEB Network Hardening Guide Edition 1.9
Encryption Used in enteliWEB

| Application   | Component                                 | Algorithm/Protocol/Modes                                 | Key Length   |
|---------------|-------------------------------------------|----------------------------------------------------------|--------------|
| enteliWEB     | Configuration File                        | AES with CBC mode                                        | 256 bits     |
| enteliWEB     | PostgreSQL Database                       | AES with CBC mode                                        | 256 bits     |
| enteliWEB     | BACnet Secure Connect Configuration Tool  | SHA256                                                   | 256 bits     |
| IIS Server    | n/a                                       | TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384        | 128/256 bits |
| BACnet Server | BACnet Secure Connect Communication       | TLS 1.3                                                  | 128 bits     |
Passwords
To access enteliWEB, users must have an account that is accessed using a username and password. Passwords are the most common means of authentication, but only work if they are complex and confidential.
Use Strong Passwords
A password policy that enforces the use of strong passwords helps you protect your system against unauthorized access. Strong passwords are especially important for enteliWEB users with administrator level permissions to the entire enteliWEB system and its connected devices.
In enteliWEB, the options on the Password Settings page allow you to configure the password strength policy that the user must adhere to when they create or change an enteliWEB password.
Recommendations for a strong password policy:
• Require a minimum password length of eight or more characters. Systems with higher security requirements can increase the minimum password length to meet their needs.
• Passwords should use a combination of upper and lower case letters and at least one number.
• Require at least one character that isn't a letter or number.
Create or Increase the Password Strength in enteliWEB
1. Go to > Sites and Users > Password Settings.
2. Select the password rules that you want to apply to your organization or site.
To make enteliWEB more secure, we recommend selecting all the password rules.
3. Edit the password minimum and maximum length settings as needed.
4. Click Save.
When you change the password settings, this does not force a user whose password no longer meets the password requirements to change their password. If that user changes their password after the password requirements are updated, the user's new password needs to meet the new requirements.
Configure User Account Lockout Settings
The user lockout feature prevents a user from logging into enteliWEB after consecutive unsuccessful login attempts.
An unsuccessful login attempt occurs when the username is entered correctly but the password is incorrect. After a specified number of unsuccessful login attempts, the user is locked out.
A locked out user is prevented from logging in until one of the following occurs:
• The user's account is automatically unlocked after a specified time period.
• The user's account is manually unlocked by an administrator or other user with Manage Users and Groups permissions.
• The user correctly enters the text from a CAPTCHA image (in enteliWEB version 4.18 and later).
These security measures prevent attackers from using brute-force attacks to discover passwords and gain access to enteliWEB.
The user lockout feature is enabled by default. You cannot disable it.
To access the user lockout settings, go to > Sites and Users > User Lockout Settings. These settings are described in more detail below.
Number of Consecutive Password Fails to Lockout
Number of Consecutive Password Fails to Lockout specifies the number of unsuccessful login attempts that can occur in succession, without a successful login between them, after which the user is locked out. The number cannot be 0.
Time Period for Consecutive Fails
Time Period for Consecutive Fails specifies the time period within which the specified number of consecutive unsuccessful login attempts must occur for the user to be locked out.
To make enteliWEB more secure, we recommend setting the Time Period for Consecutive Fails to 60 minutes or greater.
When Time Period for Consecutive Fails is changed, the time period for users who are currently locked out is not affected.
Unlock Method
Automatic
When the unlock method is set to Automatic, the user's account is automatically unlocked when the Time Period for Auto Unlock expires.
Time Period for Auto Unlock
Time Period for Auto Unlock specifies the time period that must elapse after a user is locked out before the user's account is automatically unlocked by enteliWEB. By default, this time period is 60 minutes.
The Time Period for Auto Unlock only applies when the Automatic unlock method is selected.
Manual
When the unlock method is set to Manual, the user's account must be manually unlocked by an administrator or other user with Manage Users and Groups permissions. This is done on the user's account settings page in > Sites and Users > Users.
CAPTCHA
This option is only available in enteliWEB version 4.18 and later.
CAPTCHA is a test for telling computers and humans apart that displays an image with distorted text that users must type correctly to verify that they are human. When the unlock method is set to CAPTCHA, the user is presented with a CAPTCHA image when they exceed the Number of Consecutive Password Fails to Lockout. The user's account is unlocked by enteliWEB once the CAPTCHA text is correctly entered.
If a particular CAPTCHA image is too difficult to read, the user can try a different CAPTCHA image. If the user is unable to enter the text correctly for any CAPTCHA image, they will need to have their account manually unlocked by an administrator or other user with Manage Users and Groups permissions. This is done on the user's account settings page in > Sites and Users > Users.
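The lockout behaviour described in this section, as an added illustrative model (not enteliWEB's implementation): it shows how Number of Consecutive Password Fails to Lockout, Time Period for Consecutive Fails and Time Period for Auto Unlock interact, and why a short fails window lets spaced-out failures escape lockout. The usernames, passwords and timeline are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

T0 = datetime(2021, 1, 1, 8, 0)  # constructed start of the example timeline


@dataclass
class LockoutSettings:
    """The three User Lockout Settings this section describes (Automatic unlock method)."""
    fails_to_lockout: int = 5                             # Number of Consecutive Password Fails to Lockout
    fails_window: timedelta = timedelta(minutes=60)       # Time Period for Consecutive Fails (recommended >= 60 min)
    auto_unlock_after: timedelta = timedelta(minutes=60)  # Time Period for Auto Unlock (default 60 min)

    def __post_init__(self) -> None:
        if self.fails_to_lockout < 1:
            raise ValueError("Number of Consecutive Password Fails to Lockout cannot be 0")


@dataclass
class AccountState:
    recent_fails: List[datetime] = field(default_factory=list)
    locked_at: Optional[datetime] = None


class LockoutModel:
    def __init__(self, settings: LockoutSettings, credentials: Dict[str, str]) -> None:
        self.settings = settings
        self.credentials = credentials            # username -> password, constructed for the example
        self.state: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if now - st.locked_at >= self.settings.auto_unlock_after:
            st.locked_at = None           # Automatic unlock: the lockout expired, start a clean count
            st.recent_fails.clear()
            return False
        return True

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Return 'unknown_user', 'locked', 'success', 'failed' or 'locked_now'."""
        if user not in self.credentials:
            return "unknown_user"         # a wrong username is not a failed attempt for any account
        st = self.state.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"               # rejected even if the password is correct
        if password == self.credentials[user]:
            st.recent_fails.clear()       # a successful login ends the consecutive-fails run
            return "success"
        # Only failures inside the Time Period for Consecutive Fails count towards lockout.
        st.recent_fails = [t for t in st.recent_fails if now - t < self.settings.fails_window]
        st.recent_fails.append(now)
        if len(st.recent_fails) >= self.settings.fails_to_lockout:
            st.locked_at = now
            return "locked_now"
        return "failed"


# Constructed timeline: three wrong passwords 25 minutes apart, a fourth an hour later,
# then the correct password at +110 minutes.
ATTEMPTS = [("operator", "wrong", 0), ("operator", "wrong", 25), ("operator", "wrong", 50),
            ("operator", "wrong", 100), ("operator", "correct-horse", 110)]


def run_scenario(window_minutes: int, fails_to_lockout: int = 3, auto_unlock_minutes: int = 60) -> List[str]:
    """Replay ATTEMPTS against the given settings and return the outcome of each attempt."""
    settings = LockoutSettings(fails_to_lockout, timedelta(minutes=window_minutes),
                               timedelta(minutes=auto_unlock_minutes))
    model = LockoutModel(settings, {"operator": "correct-horse"})
    return [model.attempt(u, p, T0 + timedelta(minutes=m)) for u, p, m in ATTEMPTS]


if __name__ == "__main__":
    print("60-minute window:", run_scenario(60))   # the third failure locks the account
    print("30-minute window:", run_scenario(30))   # the same failures never accumulate to three
```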
Integrate LDAP with enteliWEB
Instead of keeping user credentials in the enteliWEB database, Lightweight Directory Access Protocol (LDAP) provides an alternate method of sharing user information across a network. For example, if your users and groups are stored in a corporate directory, connecting to the LDAP directory server would allow users to use their corporate login information to access enteliWEB.
Features of the LDAP Integration
The password settings for these enteliWEB-LDAP users are enforced by the LDAP server.
• The LDAP administrator controls the password length/complexity requirements, password expiration and reuse policies. However, the enteliWEB user lockout settings still apply to these LDAP users.
An enteliWEB administrator sets up the connection between enteliWEB and the LDAP server.
• The enteliWEB administrator defines groups in enteliWEB and links them to groups on the LDAP server.
• enteliWEB supports Active Directory or Open LDAP attributes.
• For groups that are linked, enteliWEB synchronizes its users and groups with the LDAP directory server users and groups. enteliWEB does not add any data to the directory information.
Refer to the enteliWEB help for more details about LDAP configuration tasks.
Users and Groups Permissions Management
Permissions are authorizations that are assigned to enteliWEB users to allow them to control specific functions of enteliWEB and of the BACnet networks.
In enteliWEB, users are organized into groups, and users who are members of a group inherit the permissions of that group. A user who is a member of more than one group inherits the permissions of all of the groups he or she is a member of.
The enteliWEB software provides default user groups that you should modify to secure your site. The goal is to ensure a user's access is limited to those permissions necessary to perform their duties.
Optimize Users and Groups Permissions
• Set up groups that correlate with the users' assigned roles. Not everyone needs to be part of the administrators group. For example, an operator who monitors the system for alarms does not need permission to create new users.
• Be selective in who you assign to the administrators group. Since an administrator user account is able to access everything on the enteliWEB system, only the system administrator should be added to the administrators group. Also, it is good practice to create a redundant administration user as backup.
• Assign specific object permissions to groups. To make enteliWEB more secure, restrict write, create, and delete access for the following objects to relevant groups and users:
  • On version 3 devices, PG, NET, DEV, and any other control objects for critical equipment
  • On version 4 devices, PG, NP, DEV, and any other control objects for critical equipment
• Perform a regular review of user access and permissions.
Enable Session Timeout
For each user account, in the Session Timeout field, specify the period of user inactivity (in minutes) after which the user is logged out of enteliWEB.
To make enteliWEB more secure, never enter zero in the Session Timeout field. Select or enter a small value to prevent unauthorized access when the user walks away from the workstation.
Enable Electronic Signature Feature (Optional)
You can track and log every enteliWEB user action by enabling the electronic signatures feature. The electronic signatures feature is designed to be part of an audit process for sites seeking compliance with government requirements like 21 CFR Part 11. When this feature is enabled, all users are prompted to sign off on every data change they make by entering their username and password in a new pop-up window. The pop-up window also includes a comment field where users can enter the reasons why a change was made.
Refer to the enteliWEB help for the limitations of this feature.
To enable electronic signatures, go to > Configuration > Global Settings and select Enable Electronic Signature.
Server Security
This section describes steps you can take to secure the enteliWEB server.
Restrict Physical Access to Server
• All servers and workstations should be kept in a secure locked environment with restricted access to protect them from being stolen or accessed without proper authorization.
• Users other than the server administrator are not expected to log onto the enteliWEB server and can only access the system on the client workstations using their assigned user accounts.
• Disable Remote Desktop Protocol connections to the server, or configure Network Level Authentication for Remote Desktop Services Connections.
Restrict Access to enteliWEB Program Files
By default, enteliWEB software installs in C:\Program Files (x86)\Delta Controls. You can select another drive on the server when you install enteliWEB, but some components will still be installed on drive C. Make sure only authorized and trusted users have access to all these files.
Apply the Latest Windows Updates
Check the machine for missing updates, and download and install these updates.
The latest Windows updates often include security fixes. We recommend updating the enteliWEB server regularly to ensure these fixes are applied. You may want to enable automatic updates.
Upgrade to the Latest Version of enteliWEB
Newer versions of enteliWEB can include fixes for security vulnerabilities. We recommend updating the enteliWEB server to ensure these fixes are applied. Access to the latest enteliWEB versions, updates or patches requires an active software maintenance subscription.
Install and Enable Antivirus Software
Install an antivirus software on the enteliWEB server and ensure the program does not delete or disturb any enteliWEB files.
You will need to disable the antivirus software temporarily when installing or upgrading enteliWEB.
Enable Firewall Protection
Enable the firewall on the enteliWEB server to monitor and control network traffic based on defined security rules, and to protect the server from malicious activity.
You should also consider a web application firewall for all internet-facing services. Deployed in front of web applications, this firewall analyzes bidirectional web-based traffic for attacks that exploit software vulnerabilities like cross-site scripting.
Internal services should be moved behind the firewall where access can be strictly controlled and monitored.
Establish a Secure Connection Between the enteliWEB Server and Clients
Configure the enteliWEB server with a valid, trusted certificate so that a secured connection is established between the server and client workstations or mobile devices. It is recommended that you obtain a certificate from a globally recognized certificate authority. Delta Controls apps like the O3 App do not support self-signed certificates.
After configuring SSL/TLS, implement HTTP Strict Transport Security (HSTS) to enforce secure HTTPS connections and help prevent man-in-the-middle type attacks.
The server communicates the HSTS policy via an HTTP response header field named "Strict-Transport-Security." It also specifies a "max-age" period in seconds (the recommended value is 31536000, which equals 365 days). Within this period, if a user types http://, the browser will automatically replace the unsecure link with https:// before connecting to the server. If the security of the connection cannot be ensured (for example, if the server's TLS certificate is self-signed), an error message is displayed and the user is not allowed to access enteliWEB.
Step 1: Install a certificate for use with SSL and TLS from a globally recognized certificate authority
Obtain a certificate from a globally recognized certificate authority and install it on the enteliWEB server.
Step 2: Configure the SSL port
1. Open IIS Manager.
2. In the Connections pane, select Sites > Default Web Site.
3. In the Actions pane, under Edit Site, click Bindings.
4. In the Site Bindings dialog, click Add.
5. In the Add Site Bindings dialog, configure the following settings:
   • Set Type to https
   • Set Port to 443
   • Leave Host name blank
6. Select the SSL certificate that you obtained in Step 1.
7. Click OK, and then click Close.
Step 3: Enable HTTP Strict Transport Security (HSTS)
If the enteliWEB server is running IIS 10.0 version 1709 or later, follow these steps:
1. In IIS Manager, in the Connections pane, select Sites > Default Web Site.
2. In the Actions pane, under Configure, click HSTS.
3. In the Edit Website HSTS dialog, configure the following settings:
   • Select the Enable checkbox
   • Set Max-Age to 31536000
   • Select the IncludeSubDomains, Preload, and Redirect Http to Https checkboxes
4. Click OK.
If the enteliWEB server is running an older version of IIS, configure the web.config of the enteliWEB site as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add the STS header in HTTPS responses">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
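As an added example (not from the guide or from enteliWEB), the following checker verifies the behaviour Steps 2 and 3 are meant to produce: an http:// request answered with a permanent redirect to https:// on the same host, and https:// responses carrying Strict-Transport-Security with a max-age of at least 31536000. The host name and the sample responses are constructed; fetch() is an optional helper for collecting real responses from a server you administer.

```python
import http.client
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

RECOMMENDED_MAX_AGE = 31536000  # 365 days, the value the guide recommends
Response = Tuple[int, Dict[str, str]]  # (status code, headers with lower-cased names)


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into {max_age, include_subdomains, preload}."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_policy(host: str, http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the recommended policy is met."""
    findings: List[str] = []
    status, headers = http_resp
    location = headers.get("location", "")
    target = urlsplit(location)
    if status != 301:
        findings.append(f"http:// answered with {status}, expected 301 (Permanent redirect)")
    if target.scheme != "https" or target.hostname != host.lower():
        findings.append(f"http:// redirect points to {location!r}, expected https://{host}/...")
    status, headers = https_resp
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https:// response has no Strict-Transport-Security header")
        return findings
    parsed = parse_hsts(hsts)
    max_age = parsed["max_age"]
    if not isinstance(max_age, int) or max_age < RECOMMENDED_MAX_AGE:
        findings.append(f"HSTS max-age is {max_age}, recommended >= {RECOMMENDED_MAX_AGE}")
    if not parsed["include_subdomains"]:
        # The IIS 10 steps set IncludeSubDomains; the web.config fallback above writes max-age only.
        findings.append("HSTS header lacks includeSubDomains")
    return findings


def fetch(host: str, scheme: str, path: str = "/") -> Response:
    """Issue one HEAD request without following redirects and return (status, headers)."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
HOST = "enteliweb.example.com"
GOOD_HTTP: Response = (301, {"location": f"https://{HOST}/"})
GOOD_HTTPS: Response = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})
WEBCONFIG_HTTPS: Response = (200, {"strict-transport-security": "max-age=31536000"})
BAD_HTTP: Response = (200, {})  # port 80 still serving the application in clear text

if __name__ == "__main__":
    for label, pair in [("recommended", (GOOD_HTTP, GOOD_HTTPS)),
                        ("web.config fallback", (GOOD_HTTP, WEBCONFIG_HTTPS)),
                        ("no redirect", (BAD_HTTP, GOOD_HTTPS))]:
        print(label, check_policy(HOST, *pair) or ["OK"])
```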
Disable Port 80 Except to localhost
To prevent incoming network traffic from communicating on the less secure HTTP protocol, we recommend closing port 80 on the enteliWEB server, except if you require HTTP traffic to be redirected to HTTPS (if you have enabled the redirect within IIS Manager).
You must allow HTTP traffic to localhost (127.0.0.1) because enteliWEB uses the protocol to communicate internally.
If you have enabled BACnet/SC, do not disable port 80 as it is required to allow incoming connections from SC nodes to retrieve the Certificate Revocation List (CRL) prior to establishing the SC connection. For Secure Connect Servers, we recommend you set up a static IP address for your node devices, so that exceptions can be made to only allow incoming TCP/IP connections from the specified IP addresses.
Secure Connect will not work if port 80 is fully disabled.
Disable Weak Ciphers
Configure the enteliWEB server to disallow using weak ciphers.
1. Start Registry Editor (Regedt32.exe), and then locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
2. In each of the following subkeys, set the Enabled DWORD value to 0x0 (create the subkey and the value if they do not already exist):
• SCHANNEL\Ciphers\DES 56/56
• SCHANNEL\Ciphers\RC4 64/128
• SCHANNEL\Ciphers\RC4 40/128
• SCHANNEL\Ciphers\RC2 56/128
• SCHANNEL\Ciphers\RC2 40/128
• SCHANNEL\Ciphers\NULL
• SCHANNEL\Hashes\MD5
Remove jQuery 1.11
When enteliWEB is installed, it includes the jQuery v1.11 library, which has known security issues. jQuery v1.11 is required by jQuery Mobile v1.4.5, which enteliWEB uses to provide mobile views for phones and tablets.
If your security policy does not allow jQuery v1.11, you can remove it by going to install folder\enteliWEB\website\public\javascript\jquery and deleting jquery-1.11.js.
This will break mobile views of enteliWEB.
Once jQuery Mobile v1.5.0 is released, which will be compatible with the up-to-date version of jQuery that enteliWEB now uses for the desktop view, we will stop including jQuery 1.11 in the enteliWEB installation. In the meantime, you will need to delete the jQuery v1.11 library whenever enteliWEB is upgraded to a new version.
Implement Windows Security Hardening Recommendations
Microsoft has published a list of security hardening recommendations at https://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx.
Other security hardening resources can be found at https://security.utexas.edu/os-hardening-checklist/windows-2016.
Utilize Log Monitoring
Employ a log monitoring and alerting solution to detect and respond to log patterns that indicate attacks to the network, server, and application. Attacks could include denial of service, unauthorized access, or unauthorized modifications to the system. Examples of open source solutions include Prometheus and Graylog.
BACnet Network Security
This section describes the steps to secure the enteliWEB server network.
Create Network Segments
The enteliWEB server is accessed from a web browser on client workstations. For this reason, we recommend defining a segmentation policy that restricts network and internet access to the enteliWEB server and its Delta controllers. A BACnet network that is segregated from other networks not only limits the potential damage of a cyberattack to the affected segment, but also protects the network by stopping harmful traffic between segments.
The BACnet network can be further secured in one of the following ways.
• Use the BACnet Secure Connect protocol to create connections between the enteliWEB server and the BACnet device network. The protocol allows devices to communicate over the Transport Layer Security (TLS) protocol, and has built-in data encryption and device authentication.
  Secure Connect data packets are exchanged on a BACnet datalink layer that uses a hub-and-spoke topology, where the spokes are WebSockets protocol-based connections from the nodes (also known as regular nodes) to the primary hub. Only one WebSocket connection exists at a time between a node and a hub.
  The enteliWEB server (4.14 and later) acts as a Secure Connect hub to form connections with Secure Connect compatible Delta devices on the BACnet network.
  BACnet Secure Connect is only available on Delta controllers running V4 firmware.
• Encapsulate the network within a Virtual LAN or a Virtual Private Network (VPN).
• Use Tempered Networks software and hardware switches to control network traffic.
• If you need to provide external users remote access to the BACnet network, users can use VPN to establish a secure connection.
• Implement Network Access Control Lists to secure network access. You can permit or deny network traffic by source IP address.
Secure the Network's BBMD
When two or more BACnet IP subnetworks are connected to a BACnet/IP network to make a WAN (Wide Area Network), then each subnetwork must include a device that acts as a BACnet/IP router, otherwise known as a BBMD (BACnet Broadcast Management Device).
The BBMD serves the following purposes:
• It provides the UDP/IP port and physical connection to the WAN.
• It routes BACnet traffic from its local network over the WAN.
• It receives BACnet traffic from other BBMDs and forwards it to its local network.
Restrict UDP/IP Access to BBMD
We recommend restricting the UDP/IP access to BBMDs using the same IT methods as you would with a server. Some recommended methods include installing the BBMD behind a VPN or firewall, or installing the BBMD in a network secured by Tempered Networks software and hardware switches.
Enforce a Password Login on BBMD
The password login feature is only available on Delta BBMDs running V3 firmware.
Enforcing a password login is a part of a layered security strategy to secure the BBMD. Without the correct credentials, the BBMD will not allow a remote connection to the BACnet network.
To enable and configure password login on a BBMD running V3 firmware:
1. In the SUA1 object, change the default username (in the Name field) and password.
2. In the NET1 object, in the UDP/IP section, select Enable Remote Connection Require SUA Password Check.
Isolate the Delta Controllers' Networks
Networks that include Delta Controls controllers should be isolated from other information technology systems to limit any connectivity beyond Server to Device and Server to Client. This can be completed by using physically separate or Virtual LAN networks. See other recommendations in the Create Network Segments section above.
Cybersecurity Maintenance Plan
A regular maintenance program is recommended to ensure the security of your Delta Controls system and applications is kept up to date. Your enteliWEB system may also require a higher level of protection as technology, policies and regulations change over time. This section describes some recommendations to develop a maintenance plan that's suited for your enteliWEB deployment.
Back Up Configuration Data
The Back Up enteliWEB Configuration function creates a single compressed backup file that contains a snapshot of all necessary enteliWEB configuration information. Backups can be run automatically using the scheduled task option in enteliWEB.
Validate backups by verifying the data on these copies, and ensure the enteliWEB backup process is part of the organization's disaster recovery plans.
Lock Accounts on Termination of Employment
Immediately disable the user accounts of employees who have left the organization.
To disable a user, click > Users, and then select the user from the list. Click Command and then Disable.
Remove Inactive User Accounts
For employees who are still employed but have not accessed their account for a while, it is recommended that you remove these user accounts to reduce the potential attack surface.
Review and Update User Account Permissions
As people's roles within the company change, their user permissions should be updated to reflect their new role.
Monitor Delta Security Bulletins
Delta Controls publishes security bulletins at https://deltacontrols.com/cybersecurity-program and on our George Support website https://support.deltacontrols.com/Support/SecurityBulletins/WebHome.
You can also receive email notifications when a new security bulletin is published by logging into your Delta Controls Passport account profile and selecting Cybersecurity News under Preferred Communications.
Implement Security Bulletin Recommendations
Implement the recommendations described in the Delta Controls security bulletins.
Check for Patches and Updates
enteliWEB patches and updates may include cybersecurity enhancements or fixes. Review the release notes to determine the benefits of the patch or update.
You should also check for patches and updates of third-party components such as networking equipment or software that provide internet-facing services.
Install Patches and Updates
If relevant to the security of the system, install the patch or update described in the previous section.
Review Organizational Cybersecurity Policies
It's a good idea to periodically review the cybersecurity policies to ensure these policies still align with any recent policy changes at an organizational level.
Conduct Security Audits
Networks, systems, and applications can change over time. Conduct regular scheduled security audits to identify and mitigate new security risks. This can include identifying and documenting internet-facing systems and services.
Firewall rules should also be regularly reviewed to ensure a reasonable implementation of the principle of least privilege.
Monitor for Cyberattacks
Implement security tools that monitor the enteliWEB network and device end-points for cyberattacks.
Secure Disposal
To perform a clean uninstallation of enteliWEB, follow these steps.
1. Uninstall enteliWEB.
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls enteliWEB, and then click Uninstall. The install wizard opens.
   c. Click Next, and then click Uninstall enteliWEB.
   d. Make sure the Keep enteliWEB configuration settings checkbox is NOT selected, then click Uninstall.
   e. Wait for the uninstall operation to complete, then close the install wizard.
2. Uninstall Firmware Loader (enteliWEB 4.7 or later).
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls Firmware Loader, and then click Uninstall.
   c. Wait for the uninstall operation to complete.
3. Uninstall BACnet Server.
   a. In Control Panel, under Programs, click Uninstall a program.
   b. Select Delta Controls BACnet Server, and then click Uninstall. A dialog opens.
   c. Click Uninstall, wait for the uninstall operation to complete, and then close the dialog.
4. Ensure that no Delta services are running.
   a. In the search box on the taskbar, type services, and then open the Services app.
   b. Ensure that none of the following services are present: Delta BACnet Server, Delta enteliWEB Connection Service, Delta Firmware Loader, Delta Monitor, Delta Output, or Delta PostgreSQL Service (Delta MySQL Service in enteliWEB 4.9 and earlier).
5. Delete the enteliWEB folders.
   a. Navigate to the enteliWEB installation location (normally, C:\Program Files (x86)\Delta Controls) and delete the enteliWEB folder. If the BACnet Server folder is present, delete it as well.
   b. On the View tab in the File Explorer Ribbon, select the Hidden items checkbox.
   c. Navigate to C:\ProgramData\Delta Controls and ensure that the BACnet Server folder is not present. If it is, delete it.
6. Restart the machine and verify that all enteliWEB-related services and software have been uninstalled.
Appendix A: enteliWEB Network Hardening Checklist
Use this checklist to verify that you have secured your enteliWEB server. For more details about each task, go to the relevant section in the enteliWEB Network Hardening Guide.
This checklist includes the most critical tasks and does not guarantee the security of the enteliWEB server. You should constantly monitor and test your computing environment for areas that need improvement.
Passwords
  [ ] Increase the enteliWEB user login password strength
  [ ] Enable User Lockout
  [ ] Configure the Number of Consecutive Password Fails to Lockout
  [ ] Configure the Time Period for Consecutive Fails
  [ ] Select an unlock method: Automatic, Manual or CAPTCHA (in enteliWEB version 4.18 and later)
  [ ] If Automatic unlock is selected, configure the Time Period for Auto Unlock

Users and Groups Permissions Management
  [ ] Set up groups that correlate with users' assigned roles
  [ ] Assign specific object permissions to groups
  [ ] Set up a redundant administration user as backup
  [ ] Configure session timeout

enteliWEB Server Security
  [ ] Keep the enteliWEB server in a secure locked environment with restricted access
  [ ] Set up user accounts on the client workstations
  [ ] Disable Remote Desktop Protocol connections to the server, or configure Network Level Authentication for Remote Desktop Services connections
  [ ] Restrict access to the enteliWEB Program Files
  [ ] Check the server for security updates, and download and install these updates
  [ ] If appropriate, enable automatic Windows updates
  [ ] Upgrade to the latest version of enteliWEB
  [ ] Install and enable anti-virus software
  [ ] Enable firewall protection
  [ ] Block incoming traffic to port 80 except for traffic to localhost
  [ ] Disable weak ciphers
  [ ] Remove jQuery v1.11
  [ ] Implement Windows security hardening recommendations

SSL/TLS Installation
  [ ] Obtain an SSL/TLS certificate from a globally recognized certificate authority and install it on the server
  [ ] Configure the SSL port
  [ ] Enable HSTS to redirect HTTP requests to HTTPS

BACnet Network Security
  [ ] Create and enforce a network segmentation policy that restricts network and Internet access to the enteliWEB server and its Delta controllers
  [ ] Secure the BACnet network by encapsulating it within a Virtual LAN or VPN, or use Tempered Networks software and hardware switches
  [ ] Restrict UDP/IP access to BBMD
  [ ] (V3 devices) Enforce a password login on BBMD
  [ ] Isolate networks that include Delta Controls controllers
Appendix B: Recommended Cybersecurity Maintenance Plan

This checklist recommends tasks you might want to include in a cybersecurity maintenance plan. The items on this list do not guarantee the security of the enteliWEB server. You should constantly monitor and test your computing environment for areas that need improvement.
Task                                                         Recommended Frequency
Back up enteliWEB configuration data                         Daily
Disable user accounts on termination of employment           Immediately
Remove inactive user accounts                                Monthly
Review and update user account permissions                   Monthly
Check for security bulletins on Delta Controls website       Subscribe (weekly)
Implement Delta Controls security bulletin recommendations   As needed
Check for patches and updates                                Monthly
Install patches and updates                                  As needed
Review organizational cybersecurity policies                 Annually
Conduct security audits                                      Annually
Monitor for cyberattacks                                     Continuously
Document Revision History

Edition  Date            Change Description
1.0      September 2019  First publication.
1.1      October 2019    Explained why port 80 needs to be closed except in specific cases.
1.2      August 2020     Updated the document in the following sections:
                         - Enable Firewall Protection: added a web application type firewall recommendation
                         - Utilize Log Monitoring: new section
                         - Secure the BACnet Network: added network access control list, BACnet Secure Connect, and Delta controllers isolation recommendations
                         - Appendix B: new section
                         - New section in the Introduction listing the encryption protocols used in enteliWEB
1.3      August 2020     Updated the Secure the BACnet Network section to remove mentions of BBMDs. Updated the Secure the Network's BBMD section to remove mentions of Secure Connect.
1.4      February 2021   Updated section on user account lockout settings.
1.5      March 2021      Made additional changes to the section on user account lockout settings.
1.6      June 2021       Added sections for enabling HSTS and disabling weak ciphers.
1.7      July 2021       Added section on removing jQuery 1.11.
1.8      August 2021     Added section on secure disposal.
1.9      August 2021     Made changes to the section on disabling port 80.